00:03
>> Hello everyone. Welcome to the latest installment of the Metasploit class. Hope you're enjoying everything you're seeing here on Cybrary.

This module for Metasploit, we're going to be discussing client-side attacks. In this case, we're going to be trying to get a reverse shell on a Linux system, and then we'll do another demonstration for a Windows system. In particular, what I'm going to do is show how you can take a regular Linux package, in this case, we're going to be using the XBomb game, which is a Minesweeper clone, it's a free game you can play on Linux systems, and we're going to change some of the scripts and files that are included with the package to install our Metasploit payload, which will be the reverse TCP shell.

It's a pretty neat idea because once the victim installs the software on their machine, they have to do this as root by the way, then we'll be able to get a root shell back to the attacker system, which is very powerful because now if I've got a root shell on the victim's system, I can make any changes to the system that I want. I can install software, I can remove software, I can make configuration changes, I can try to install a backdoor to return to the system at a later time, so that's obviously something that's worth exploring.

Let me go ahead and open a command shell, and let's see what my IP address is. I did already pre-download the XBomb package, and since I've done that, I've switched my virtual machines back to host-only mode, which is definitely the safest thing to do when you're using vulnerable machines. You don't want to expose those to your network, so it's safer to keep everything within your same host. You can do this by going to your settings and looking at your network adapter. The other options are bridged, when you want to have an address with everything else with your host, for instance, on the same network. NAT will also allow you to get to the same network, sharing the host's IP address. Bridged and NAT mode allow you to get to the Internet, whereas host-only does not. I'm going to stay within my host for the remainder of this demonstration.

I also need to get the IP address from my victim machine. In this case, it's Debian 8, so I've set up another virtual machine for this purpose, and I can see that one is a 128. I've got 26.128 and 26.129.

I'll show you where I got the XBomb package here real quick. I already bookmarked this: packages.debian.org/wheezy/i386/xbomb/download. I know that my Debian victim machine is an Intel architecture. You might want to download the AMD architecture of this package as well to have that as another option, in case your victim machine is running on the other virtual hardware architecture.

That package gets saved in my Downloads directory, as you would imagine, and there it is, XBomb2-2a. One of the first things the package into my temporary work directory. I'm going to make a directory here that I'm going to call backdoor, since that's what I'm doing, I'm getting a reverse shell to the victim system.

What I want to do now is copy the XBomb package to my backdoor folder. I also need a couple of files. One of the files is called control, and this is going to be part of the package; we'll move this into place a little bit later. The control file just contains some information about the package. It's got the name, the version number, which section it belongs to, and some other parameters like the architecture, who maintains it, and a description. I've just created this, actually took this from the real control file, the description, made it a little bit shorter. As I said, it's a free Minesweeper game. This file is used during the package installation process so the system can see some parameters that are needed to categorize this software correctly.

We also have a post-installation script, and what this does is just run a few commands, that simple shell file that we have here, and what I'm doing is I'm changing the permissions on the scores file in a couple of different locations. Then I'm trying to sudo to run the actual game itself. We'll see how those figure in a little bit later. These two files are needed in order to install, or bundle in rather, the payload with the package and then to get it to install when the user tries to run the installation script for the package itself.