Time
5 hours 38 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Description

In this module, we take a look at exploits launched from Metasploitable that can result in establishing a shell connection as root on the target host. This is referred to as a "reverse" shell and can be initiated against both Linux and Windows hosts. We begin this module by demonstrating the preparation, installation, and launching of a reverse shell exploit on a Linux system. For this example, we download and modify the built-in XBomb game to be repackaged with the reverse shell payload. Once installed on a victim machine, it's then possible to gain full control of the remote host.
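Because dpkg runs a package's maintainer scripts (preinst, postinst, and so on) as root, a repackaged .deb like the one described above is easiest to catch by reading those scripts before installing. The following is an added example, not code from the course: it parses the .deb container (an ar archive wrapping control.tar.gz), prints the control fields, and flags setuid chmods, network tools and interactive shells in the maintainer scripts. The sample package it builds is constructed here; the version string and file paths are placeholders, not the real xbomb package.

```python
import io, re, tarfile

# Patterns a reviewer wants surfaced from scripts that dpkg runs as root.
SUSPICIOUS = [
    (r"chmod\s+(u\+s|0?[4-7][0-7]{3})", "setuid bit set"),
    (r"/dev/tcp/|\bnc\b|\bncat\b|\bsocat\b", "network tool used in install script"),
    (r"(bash|sh)\s+-i\b", "interactive shell spawned"),
]

def ar_members(blob: bytes) -> dict:
    """Parse the outer ar container of a .deb into {member name: bytes}."""
    pos, out = 8, {}                 # skip the "!<arch>\n" magic
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]     # fixed 60-byte ar member header
        name = hdr[0:16].decode().strip().rstrip("/")
        size = int(hdr[48:58].decode())
        out[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # members are padded to even offsets
    return out

def inspect_deb(blob: bytes) -> dict:
    """Return the control fields and the findings for each maintainer script."""
    members = ar_members(blob)
    ctrl = next(n for n in members if n.startswith("control.tar"))
    with tarfile.open(fileobj=io.BytesIO(members[ctrl]), mode="r:*") as tar:
        files = {m.name.lstrip("./"): tar.extractfile(m).read().decode()
                 for m in tar if m.isfile()}
    fields = dict(l.split(": ", 1) for l in files.get("control", "").splitlines() if ": " in l)
    scripts = {s: [why for pat, why in SUSPICIOUS if re.search(pat, files[s])]
               for s in ("preinst", "postinst", "prerm", "postrm") if s in files}
    return {"fields": fields, "scripts": scripts}

def _ar(members) -> bytes:
    """Build a minimal ar archive from [(name, data)] pairs (for the constructed sample)."""
    out = b"!<arch>\n"
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode() + data
        out += b"\n" if len(data) & 1 else b""
    return out

def sample_deb() -> bytes:
    """Constructed xbomb-style .deb whose postinst loosens the scores file and sets setuid."""
    control = "Package: xbomb\nVersion: 0.0-constructed\nArchitecture: i386\nDescription: minesweeper clone\n"
    postinst = "#!/bin/sh\nchmod 666 /var/games/xbomb.scores\nchmod u+s /usr/games/xbomb\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in (("control", control), ("postinst", postinst)):
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return _ar([("debian-binary", b"2.0\n"), ("control.tar.gz", buf.getvalue())])
```

Run `inspect_deb(open("pkg.deb", "rb").read())` against a real package to review its scripts; on the constructed sample only the postinst is flagged, for the setuid bit.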

Video Transcription

00:04
Hello, everyone. Welcome to the latest installment
00:08
of the Metasploit class. We'll be doing everything you're seeing here on Cybrary.
00:14
This module is for Metasploit. We're going to be discussing client-side attacks. In this case, we're going to be
00:20
trying to get a reverse shell on a Linux system, and then we'll do another demonstration for a Windows system
00:28
in particular. What I'm gonna do is show how you can take a regular Linux package.
00:35
In this case, we're gonna be using the xbomb game, which is a Minesweeper clone. It's a free game you can play on Linux systems,
00:44
and we're going to change some of the scripts and files that are included with the package to install our Metasploit payload,
00:53
which will be the reverse TCP shell.
00:55
It's a pretty neat idea, because once the victim
00:58
installs this software on their machine (they have to do this as root, by the way),
01:03
then we'll be able to get a root shell back to the attacker system, which is very powerful, because now
01:08
if I've got a root shell on the victim's system, I can make any changes to the system that I want. I can install software. I can remove software.
01:15
I can make configuration changes. I can try to install a backdoor
01:19
to return back to the system at a later time.
01:22
So that's obviously something that's worth exploring.
01:26
All right, so first things first,
01:32
go ahead and open a command shell
01:37
and let's see what my IP address is. Okay? I did
01:42
already pre-download the xbomb
01:44
package,
01:47
and since I've done that, I've switched my virtual machines back to host-only mode,
01:52
which is definitely the safest thing to do when you're using vulnerable machines. You don't wanna expose those to your network, so it's safer to keep everything within your same host.
02:02
And you can do this by
02:05
going to your settings
02:08
and looking at your network adapter. The other options are bridged, when you wanna have an address alongside everything else with your host, for instance, on the same network. NAT will also allow you to get to the same network by sharing the host's IP address,
02:23
and NAT mode allows you to get to the Internet,
02:25
whereas host only does not.
02:29
So I'm gonna stay within my host for the remainder of this demonstration.
02:36
I also need to get the IP address for my victim machine. In this case, it's a Debian 8. So I've set up another virtual machine for this purpose,
02:45
and I can see that one is 128.
02:51
So I've got 26.128 and 26.129.
02:58
All right.
03:00
In my, uh,
03:02
I'll show you where I got the xbomb package here real quick.
03:08
I already bookmarked this.
03:10
Now, it's on the packages.debian.org
03:15
website, /wheezy/i386/xbomb/download.
03:20
I know that my Debian
03:23
victim machine is an Intel architecture.
03:27
You might want to download the AMD architecture of this package as well
03:32
to have that as another option
03:35
in case your victim machine is running on the other virtual hardware architecture.
03:42
Okay, so that package gets, uh,
03:45
saved in my downloads directory,
03:47
as you would imagine. And there it is.
03:51
xbomb 2.2a.
03:57
Okay, so
03:59
one of the first things I need to do is get the package into my temporary work directory.
04:04
So
04:05
I'm going to make a directory here. I'm gonna call this backdoor, since
04:13
that's kind of what I'm doing. I'm getting a reverse shell
04:16
to the victim's system.
04:21
And what I want to do now is
04:26
copy
04:29
the xbomb
04:31
package to
04:33
my backdoor
04:35
folder.
04:40
Oops.
04:45
I also need a couple of files.
04:48
One of these files I'm copying.
04:51
I'll actually just do a
05:00
One of the files is called control. And this is gonna be part of the package. We'll move this into place
05:04
a little bit later.
05:06
The control file just contains some information about the package. It's got the name, the version number,
05:13
which section it belongs to, and some other parameters. Like the architecture who maintains it and a description.
05:18
And so I've just created this,
05:21
uh,
05:23
actually took this from the real control file, but I changed the description, made it a little bit shorter. As I said, it's a free Minesweeper game. This file is used during the package installation process, so the system can see some parameters
05:35
that are needed to categorize this software correctly,
05:40
and we also have a post installation script.
05:45
And what this does is just run a few commands in a simple
05:50
shell
05:51
script that we have here, and what I'm doing is changing the permissions on the scores file
06:01
and in a couple of different locations,
06:04
and then I'm trying to setuid the actual game itself.
06:09
We'll see where this figures in a little bit later,
06:11
Uh,
06:13
but these two files are needed in order to
06:16
install, or bundle in rather, the payload with the package and then to get it to install when the user tries to run the installation script for the package itself.


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor