This blog will share how to configure your own Linux server with the vulnerabilities shown in the “Linux Hacking Case Studies” blog series. That way you can practice building and breaking at home. Similar to the rest of the series, this blog is really intended for people who are new to penetration testing, but hopefully there is a little something for everyone. Enjoy!
Below are links to the first four blogs in the series:
This section briefly summarizes the lab scenarios that you’ll be building which are based on this blog series.
Excessive privileges configured on a Rsync Server
Excessive privileges configured on a Rsync server. Specifically, the server is configured to run as root.
Create a new privileged user by adding lines to the shadow, passwd, groups, and sudoers files.
Excessive privileges configured on a NFS Export
Insecure setuid binary that allows arbitrary code execution as root.
Review setuid binaries and determine which ones have the direct or indirect capability to execute arbitrary code as root.
Weak password configured for phpMyAdmin
Excessive privileges configured on a script that is executed by a root cron job. Specifically, the script file is world writable.
Write a command to the world writable script that starts a netcat listener. When the root cron job executes the script the netcat listener will start as root. Then its possible to connect to the netcat listeners remotely to obtain root access.
Insecure sudoers configurations that allows arbitrary code execution as root through sudo applications.
Review sudo applications to determine which ones have the direct or indirect capability to execute arbitrary code as root. Examples include sh, VI, python, netcat, and the use of a custom nmap module.
Kali VM and Install Dependencies
For this lab, we’ll be building our vulnerable services on a standard Kali image. If you don’t already have a Kali VM, you can download from their site website to get you setup. Once your Kali VM is ready to go you’ll want to install some package that will be required for setting up the scenarios in the lab. Make sure to sign as root, you’ll need those privilege to setup the lab.
In this section we’ll cover how to configure an insecure instance of phpMyAdmin, a root cron job, and a script that’s world writable. Once you’re logged in as root execute the commands below.
Reset the root Password (this is mostly for existing MySQL instances)
We’ll start by resetting the root password on the local MySQL instance. MySQL should be installed by default in Kali, but if it’s not on your build you’ll have to install it first.
# Stop mysql
# Start MySQL in safe mode and log in as root
# Select the database to use
# Reset the root password
update user set password=PASSWORD("password") where User='root';
# Restart the server
# Confirm update by logging in with new password
mysql -u root -p
Alrighty, time to install phpMyAdmin.
apt-get install phpmyadmin
Eventually you will be presented with a GUI. Follow the instructions below.
Choose apache2 for the web server. Warning: When the first prompt appears, apache2 is highlighted, but not selected. If you do not hit Space to select Apache, the installer will not move the necessary files during installation. Hit Space, Tab, and then Enter to select Apache.
Select yes when asked whether to use dbconfig-common to set up the database.
You will be prompted for your database administrator’s password, which should be set to “password” to match the lab.
After the installation we still have a few things to do. Let’s create a soft link in the webroot to phpmyadmin.
ln -s /usr/share/phpmyadmin/ /var/www/phpmyadmin
Then, let’s restart the required services:
service apache2 restart
service mysql restart
Next, let’s add the admin user we’ll be guessing later.
mysql -u root
CREATE USER 'admin'@'%' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' WITH GRANT OPTION;
Finally, configure excessive privileges in the webroot just for fun:
chown -R www-data *
chmod -R 777 *
Web it’s all done you should be able to verify the setup by logging into http://127.0.0.1/phymyadmin as the “admin” user with a password of “password”.
Create a World Writable Script
Next up, let’s make a world writable script that will be executed by a cron job.
Create Encrypted Password
The command below will allow you create create an encrypted password for generating test users. I originally found this guidance from https://askubuntu.com/questions/94060/run-adduser-non-interactively.
openssl passwd -crypt test
Next you can add new users using the generate password below. This is not required, but handy for scripting out environments.
When its all done you can log in as the previously created test user to verify the sudo application are available:
In this blog we covered how to configure your own vulnerable Linux server, so you can learn in a safe environment. Hopefully the Linux Hacking Case Studies blog series was useful for those of you who are new the security community. Stay safe and hack responsibly!
PTaaS is NetSPI’s delivery model for penetration testing. It enables customers to simplify the scoping of new engagements, view their testing results in real time, orchestrate faster remediation, perform always-on continuous testing, and more - all through the Resolve™ vulnerability management and orchestration platform.
We help organizations defend against adversaries by being the best at simulating real-world, sophisticated adversaries with the products, services, and training we provide. We know how attackers think and operate, allowing us to help our customers better defend against the threats they face daily.
At NetSPI, we believe that there is simply no replacement for human-led manual deep dive testing. Our Resolve platform delivers automation to ensure our people spend time looking for the critical vulnerabilities that tools miss. We provide automated and manual testing of all aspects of an organization’s entire attack surface, including external and internal network, application, cloud, and physical security.
Our proven methodology ensures that the client experience and our findings aren’t only as good as the latest tester assigned to your project. That consistency gives our customers assurance that if vulnerabilities exist, we will find them.