A Beginner’s Guide to Kali Linux: Getting Started
A Beginner’s Guide to Kali Linux: Getting Started
| certifications | security - Matt McClure

A Beginner's Guide to Kali Linux: Getting Started

Welcome to the next part in what has become our epic series of articles around penetration testing and Kali Linux! If you’re behind, feel free to catch up with these posts around the OSCP certification, installing Kali on anything, and some of the top Kali tools.

Today, we’re going to get into the meat of it and do some actual hacking! But don’t worry, this probably won’t get you arrested and/or extradited. We’re going to work on a target known as a boot-to-root machine. These are virtual machines that you run in your own network that are built to look like a normal production box. They can run apps like web servers, databases, FTP servers, and so on.

These machines, however, are built to be intentionally vulnerable by the author as a means for you to practice your pen test skills in a simulated setting.

It’s all about getting your hands dirty, running tools against a real target, seeing what works and what fails, and getting into the pentester mindset. To help, we’re going to walk through a popular boot-to-root machine known as Mr. Robot (like the TV show!). This VM is a WordPress server. We’ll brute force our way into the admin console, get a reverse shell, then escalate our privileges to another Linux user before ending up as the root user, with full pwnage of the machine. Let’s go!

SCARY LEGAL WARNING: As with any pen testing exercise, make sure you never run any scans or tools against systems that you do not own without explicit permission!

Boot the Machine

The first step with any boot-to-root is to download and boot it up, so head here to download the image. You’ll end up with a file in OVA format, which is a VMware machine image. The file will import easily into any VMware product or Virtual Box. If you are using Parallels or Hyper-V you’ll need to follow a few extra steps to convert it. Once it’s imported into your hypervisor, compare the network settings of it and your Kali box to make sure they are on the same virtual network, then boot it up.

The next step: What IP address did it get? First find Kali’s by running ifconfig, the address after eth0 is what you’re after:

Kali’s IP is 10.0.9.6. Next let’s use Nmap to ping the entire subnet and find other live machines:

We know that 10.0.9.1 and .2 are virtual network devices used by Parallels (our hypervisor in this case) and .6 is Kali, so .5 must be Mr. Robot!

Enumeration

The next step is to run a basic Nmap scan to find open ports:

Port 22 is reported as closed, that means that the TCP request to that port was explicitly answered with a “go away, no one’s answering here!” instead of the lack of response that came from every other port. However, 80 and 443 are open! If you remember from your Network+ training, those ports are typically for HTTP and HTTPS. So, let’s try accessing the IP with Firefox. We get an interesting response:

Definitely a web site, kinda odd, but if you’ve seen the Mr. Robot TV show then you should be picking up on the theme this machine was built around. Standard web enumeration procedure. Let’s take a look at the source code. There’s some cute ASCII art, a call to some Javascript, but not much else interesting:

Moving on to HTTPS, it’s the same site, just encrypted, nothing new. The page gives us no links to follow. Is there anything else interesting about the server we could discover? Try scanning it with Nikto:

Two very interesting things immediately stand out: it’s an Apache web server, and it’s a WordPress site. Trying the login page redirects us here, which confirms it is indeed WordPress:

We could try to scan the page with WPScan to enumerate for vulnerable plug-ins, but take a step back first. One tenet of pentesting is to enumerate wide and shallow first — and then start deep diving. Understand your target more fully first, otherwise you can easily deep dive into rabbit holes and waste time. Let’s try enumerating the web server further with GoBuster. GoBuster uses a given wordlist to search for directories on the server, like so:

This command is pointing to the location of a standard wordlist that is including with Kali, and using it against our web server to discover directories. One interesting result that comes back is the directory /robots, let’s try that in the browser:

A-ha! The first of three keys! All VM exercises like this one have keys or flags that you find, proofs that you obtained a certain level of access to the machine. Generally they will have certain file permissions set; soon you’ll see how we find the second key but can’t yet read the file.

Breaking Into WordPress

Also on that robots page is a filename, fsociety.dic. We can download that file from 10.0.9.5/fsociety.dic, and opening it reveals an odd list of random words:

Maybe a list of passwords? Not sure, let’s keep it in mind and move along. So far, we have a WordPress login page and a wordlist. Let’s assume the wordlist is passwords, but what’s our username? One trick with WordPress is, based on how it’s set up, it will clue you into whether a particular username exists or not:

See the different error? Long story short, the username that you are supposed to use is “elliot” (like the character from the show). How were you supposed to know this? Here’s a lesson about boot-to-root machines. Sometimes they are cheap and trolly.

Normally, you could use WPScan to enumerate WordPress users, but in this case it’s no help, because there are no posts on the site to pull an author name from.

Okay, we have a username and password list, let’s combine them with WPScan and do some brute forcing:

After a few minutes, we have valid credentials for WordPress, elliot and ER28-0652. Logging in brings us to the WordPress dashboard, where we can check user permissions and find we are a WP admin, w00t! So the next thought of a pentester is “how can I leverage this access to get a shell?”

Spawning a Shell

Lucky for us, WordPress is very conducive to running code against the OS after gaining admin access. There are lots of ways to do this, this is but one simple example. Let’s navigate to the Appearance tab, then the Editor:

There’s a list of files on the right side, all a part of the applied WordPress template, Twenty Fifteen in this case:

If we click the 404 Template, we see the code that’s displayed anytime a user either goes to a nonexistent page, or even just goes to 10.0.9.5/404.php. PHP, while used in this case to run server side code to generate the page on the fly, can also be bent to our wills. Let’s use the msfvenom command back in Kali to generate some nefarious PHP code:

This command will generate PHP code that uses the Meterpreter PHP payload to connect a shell back to our Kali host at 10.0.9.6 on port 9009. It will output the code when finished. Copy that, delete the contents of 404.php back in WordPress, paste in our new code, and save the changes.

Now, we need a listener to catch the payload when it calls back to Kali. We chose a Meterpreter payload earlier, which is a part of Metasploit, so let’s crank that up:

After launching Metasploit, we chose our multi-handler exploit, set the payload, listening host IP and port, then started the exploit, which is now listening on port 9009. If we go back to the browser and load 10.0.9.6/404.php we get this in Kali:

Congrats, you just got your first reverse shell! This is a command line for the Mr. Robot machine, connected to Kali. We can now run commands as if we are logged into Mr. Robot. You can see the “whois” command, which shows we are the user called “daemon,” and the pwd shows shows we’re currently in the WordPress doc directory. Ifconfig proves we’re on Mr. Robot per the matching IP address.

It does look a little weird though, as there’s no actual prompt, this is normal with reverse shells. One common fix is to run python -c ‘import pty; pty.spawn(“/bin/bash”)’, this loads some shell bits that give us a normal looking prompt.

Escalating Privileges

So we’re in! Let’s poke around a bit, starting with the home directories to see if we can find anything interesting in the user home directories:

We found a user called robot. While we are logged in as daemon, we can still look at the contents of robot’s home directory. We found key No. 2, but can’t read the file. Another interesting file we can read; it looks like credentials but is a bit gibberishy. It might be a hash, but what kind?

We can use the hash-identifier tool to figure this out, but sometimes a quick Google search can tell us even more. Googling this hash shows several pages like this one that have already decrypted the hash as “abcdefghijklmnopqrstuvwxyz.” Is this robot’s password? One way to find out, try using su to switch users:

It worked! We are now logged in as robot and can read the second key! One more to go, there’s a good chance we’ll need to hit the jackpot and become root to find it.

Becoming Root

One common privilege-escalation technique to get to root is to look for SUID binaries. These are executable files that have a certain permission set that will allow us to run those files as if we are another user. Running the following command will search the machine for SUID binaries, specifically for ones with root as the user that we can execute them as:

Holy moly. That’s a lot of stuff, but very little of it will be helpful. Some files always have the SUID bit set as root for us to use them because of the way Linux permissions work. Passwd, for example, must run as root to edit the protected /etc/shadow file if we want to change our password, but it generally can’t be exploited.

Knowing at a glance what’s normal and what’s out of place when looking for SUID binaries will take time and experience. A common red flag is files in odd directories. In this list, /usr/local/bin/nmap might stick out. Further research shows that Nmap can be used quite easily to get a root shell when you run it in interactive mode, a handy mode that lets you run shell commands from within Nmap:

That !bash -p command simply means “gimmie a shell” and because it’s a SUID binary, that shell runs as root! This only works with older versions of Nmap, they patched it out in later ones, but in this case it led to us getting a root shell, finding the third flag, and completely pwning the machine!

Wrapping Up

Hopefully this deep dive into Mr. Robot has helped show both how to get through a typical boot-to-root or CTF-style machine and revealed some of the pentest process and mindset.

If you want more, VulnHub is a great source for downloading more boot-to-root machines, and HackTheBox is the cream of the crop for hosted hackable machines. Happy hacking!

Download

Download

Ultimate Security Cert Guide

I have read and understood the privacy policy, and am able to consent to it.

CBT Nuggets uses cookies to give you the best experience on our website. You can read more about our use of cookies, or just continue to use the site as you normally would if you agree.