Linux Privilege Escalation with MSF

Case study: Metasploitable2. Source: https://null-byte.wonderhowto.com

Step 1: Get Session on Target

The first thing we need to do is get a session with low privileges on the target. We can easily do this with Metasploit. Type msfconsole in the terminal to launch it.

~$ msfconsole

[*] Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file

       =[ metasploit v5.0.20-dev                          ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 >

Metasploitable contains a vulnerable service called distccd, which is used to distribute program compilation across multiple systems, speeding things up by taking advantage of combined processor power. Unfortunately, this version of the program allows a remote attacker to execute arbitrary commands on the server.
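As an added defensive check that is not part of the original tutorial: a small audit helper that flags distccd listeners reachable from the network without an --allow restriction on their command line (--allow and --listen are real distccd options; the ss and ps output it parses is constructed sample data, not captured from Metasploitable).

```python
"""Audit helper: flag distccd instances that are reachable from the network
and run without an --allow mask. Added example, not from the original post;
the ss/ps output below is constructed sample data, not captured from a host."""
import re

DISTCC_PORT = 3632  # distccd's default TCP port

# Constructed sample of `ss -ltnp` output (one listener per line).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      10     0.0.0.0:3632       0.0.0.0:*         users:(("distccd",pid=4242,fd=3))
LISTEN 0      10     127.0.0.1:3632     0.0.0.0:*         users:(("distccd",pid=4243,fd=3))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=900,fd=3))
"""

# Constructed sample of `ps -o pid=,args=` output for the same PIDs.
SAMPLE_PS = {
    4242: "distccd --daemon --listen 0.0.0.0",
    4243: "distccd --daemon --listen 127.0.0.1 --allow 127.0.0.1",
}

LISTENER_RE = re.compile(
    r'^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


def parse_listeners(ss_output):
    """Return (process, pid, bind_addr, port) for each LISTEN line with a process."""
    out = []
    for line in ss_output.splitlines():
        m = LISTENER_RE.match(line)
        if m:
            addr, port, proc, pid = m.groups()
            out.append((proc, int(pid), addr, int(port)))
    return out


def distccd_findings(ss_output, ps_by_pid):
    """One finding per distccd listener that is not bound to loopback
    and has no --allow mask on its command line."""
    findings = []
    for proc, pid, addr, port in parse_listeners(ss_output):
        if proc != "distccd":
            continue
        loopback = addr.startswith("127.") or addr in ("::1", "[::1]")
        restricted = "--allow" in ps_by_pid.get(pid, "").split()
        if not loopback and not restricted:
            findings.append(
                f"distccd pid {pid} listens on {addr}:{port} with no --allow restriction"
            )
    return findings
```

On a live host, feed it the real output of `ss -ltnp` and a pid-to-command-line map built from `ps -o pid=,args=`.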

We can search for the exploit using the search command:

To load the module, type use followed by the full path of the module:

We can now see the available settings with the options command:

It looks like we only need to set the remote host address since the remote port is already set using the default port number. Use the set command to specify the appropriate IP address of the target:

Now we are ready to launch the exploit. Use the run command, which is just a shorter alias for exploit:

We can see that a command shell was opened, and running uname -a verifies we have compromised the target.

Step 2: Upgrade to Meterpreter

To use Metasploit's local exploit suggester, we need to upgrade our basic Unix command shell to a Meterpreter session. While still in the basic command shell, press Ctrl-Z to background the session. Hit Y if it asks you to background it.

We are now dropped back to the main Metasploit prompt, and we can verify any sessions we have running in the background with the sessions command:

The easiest way to upgrade a regular shell to a Meterpreter session is to use the -u flag followed by the session number to upgrade:

We can see the post module that runs and a new session is opened. We can again verify this with the sessions command:

And we can interact with our new Meterpreter session using the -i flag on the desired session:

Step 3: Run Exploit Suggester

Metasploit post modules work by running on a background session, not directly in the session itself, so background session 2 (our Meterpreter shell) and return to the main prompt. We can then load the local exploit suggester using the following command:

When we take a look at the options, we only need to specify the session we want to run this on:

Simply set the session to number 2, which is our Meterpreter shell:

And type run to kick it off:

We can see the module checks a number of local exploits and returns a few that seem viable. Awesome.

Step 4: Get Root

The final thing we need to do is use one of these exploits to get root on the system. We'll try the first one that was suggested to us. This exploit takes advantage of a vulnerability in the glibc dynamic linker, in which the LD_AUDIT environment variable allows a setuid program to load an attacker-controlled object that ultimately runs with root privileges.

Looking at the options, we only need to set the session again; the default executable path will work for now:

Set the session just like before:

We can also set the payload to give us another Meterpreter session when the exploit completes:

And set the appropriate listening host (the IP address of our local machine) and port:

Finally, type run to launch the exploit:

We now have a new Meterpreter session on the target, and we can drop into a shell to verify we have obtained root access:

Wrapping Up

In this tutorial, we learned how to use Metasploit to get a shell on the target, upgrade that shell to a Meterpreter session, and use the local exploit suggester module to ultimately get root on the system. Metasploit not only makes initial exploitation easy but the post-exploitation phase as well. In the next article, we will explore some useful post modules to quickly gather information about the target.
