
Network IG RPT, Network AP RPT, Remote Exploits & Privilege Escalation

This unit presents the initial steps for using Core Impact in the Core Impact on-premises Lab, then gives an overview of the product's basic pen testing features through the Rapid Penetration Testing (RPT) modules.

Tip: A full getting started guide is available here.

Features

  • Create workspace for a pen test session
  • Scan network hosts and do service identification
  • Launch remote exploits on network hosts
  • Launch identity verifiers on network hosts
  • Obtain local information from compromised hosts
  • Escalate privileges
  • Perform cleanup of deployed OS Agents
  • Generate report of found vulnerabilities

Highlighted Modules

  • Network Information Gathering RPT
  • Network Attack and Penetration RPT
  • Network Local Information Gathering RPT
  • Network Privilege Escalation RPT
  • Network Clean Up RPT
  • Network Report Generation RPT
  • Shell
  • File Browser
  • Samba Pipe dlopen Remote Code Execution Exploit
  • SSH Identity Verifier
  • Distcc Remote Code Execution Exploit

References

Hosts

  • Samba Pipe dlopen Remote Code Execution Exploit
    • Hostname: Ubuntu
  • Distcc Remote Code Execution Exploit
    • Hostname: Metasploitable

Create Workspace

All pen testing tasks in Core Impact are performed in workspaces, which also store the results. Workspaces can be used to separate pen testing sessions and to review results at a later time.

  1. From the Core Impact dashboard, go to Workspaces on the left menu, click Create Workspace and click Blank Workspace.

New Workspace Dashboard

  1. Enter a workspace name and passphrase (which must be at least 8 characters long)

New Workspace Name & Passphrase

  1. Click Finish.
    • A new and empty workspace is opened.

New Workspace Result

Network Information Gathering

  1. From the RPT Pane, select and click Network Information Gathering RPT to discover hosts on the network.

Network IG RPT Welcome

  1. Click Next.

Network IG RPT Discovery Method

  1. Click Next.

Network IG RPT IP Version

  1. Click Next.

Network IG RPT IP Range Selection

  1. Click Next.

Note: The network range will be initialized to the local network of the currently selected network interface of Core Impact's localagent.

Network IG RPT Scan Type

  1. Select Fast and click Finish.
  2. Wait for Network IG RPT to complete gathering information about the network.

Network IG RPT Results

Network Attack and Penetration With Remote Exploits

  1. From the RPT Pane, drag & drop Network Attack and Penetration RPT on the Ubuntu and Mutillidae hosts.

Network AP RPT Welcome

  1. Click Next.

Network AP RPT Target Selection

  1. Click Next.

Network AP RPT Attack Method

  1. Click Next.
    • At this point we're only going to launch remote exploits.

Network AP RPT Attack Configuration

  1. Click Next.
    • The "Stop launching new modules on a target after an OS Agent is deployed" option is intended to reduce execution time if the goal is just to compromise a host.
    • If the goal is to be exhaustive in detecting (and trying to exploit) vulnerabilities on a host, this option should be unchecked.

Network AP RPT Additional Settings

  1. Click Finish.
  2. Wait for Network Attack and Penetration RPT to complete.
    • The Samba Pipe dlopen Remote Code Execution Exploit module should have been successful in detecting and exploiting the CVE-2017-7494 vulnerability, and an OS Agent should have been deployed on the Ubuntu host.
    • The Distcc Remote Code Execution Exploit module should have been successful in detecting and exploiting the CVE-2004-2687 vulnerability, and an OS Agent should have been deployed on the Mutillidae host.

Network AP RPT Results
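
A remediation check for the two findings above, as an added example that is not part of Core Impact or of the original guide: it triages CVE-2017-7494 from an upstream Samba version plus smb.conf text, and CVE-2004-2687 exposure from a distccd command line. The fixed release numbers and the `nt pipe support = no` workaround come from the upstream Samba advisory, not from this page; the function names and sample inputs are constructed for illustration.

```python
import ipaddress
import re
import shlex

# First upstream Samba release per branch that fixed CVE-2017-7494.
FIXED = {(4, 4): 14, (4, 5): 10, (4, 6): 4}

def global_params(smb_conf):
    """Return [global] parameters; Samba ignores case and spaces in names."""
    section, params = None, {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.split()).lower()] = value.strip().lower()
    return params

def samba_status(version, smb_conf):
    """Triage CVE-2017-7494 from an upstream version and smb.conf text."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return "unknown"
    major, minor, patch = map(int, m.groups())
    if (major, minor, patch) < (3, 5, 0) or (major, minor) > (4, 6):
        return "not affected"  # predates the bug, or branch released after the fix
    if patch >= FIXED.get((major, minor), float("inf")):
        return "patched"
    # Advisory workaround: "nt pipe support = no" in [global].
    if global_params(smb_conf).get("ntpipesupport") in ("no", "false", "off", "0"):
        return "mitigated"
    return "vulnerable"

def distccd_status(cmdline):
    """CVE-2004-2687 exposure: distccd with no (or a catch-all) --allow list."""
    args = shlex.split(cmdline)
    allowed = [a.split("=", 1)[1] for a in args if a.startswith("--allow=")]
    allowed += [args[i + 1] for i, a in enumerate(args[:-1]) if a in ("-a", "--allow")]
    if not allowed:
        return "unrestricted"
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    return "unrestricted" if any(n.prefixlen == 0 for n in nets) else "restricted"

# Constructed sample inputs (not taken from the lab hosts).
SMB_CONF = "[global]\n   workgroup = LAB\n   NT Pipe Support = no\n"
print(samba_status("4.3.11", ""), samba_status("4.3.11", SMB_CONF),
      distccd_status("distccd --daemon --allow 192.168.56.0/24"))
```

Distribution packages often backport the fix without changing the upstream version number, so treat a `vulnerable` result as a prompt to check the vendor's advisory for the installed package.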

Interacting With Deployed OS Agent

Control of a compromised host is now possible through the deployed OS Agent. This agent has capabilities to explore the local filesystem, launch programs and create new network connections from the host.

In order to explore the compromised host, Core Impact provides shells and file browsing capabilities.

  1. Right-click on the OS Agent deployed on the Ubuntu host, and select Shell.
  2. You can execute commands to explore the filesystem and launch programs on the host.

OS Agent Shell

  1. Close the Shell window (or execute the exit command to close it).
  2. Right-click again on the OS Agent and select Browse Files.
    • The file browser is launched so you can interactively explore the host's filesystem; it can also download/upload files from the host.

OS Agent Shell

In addition to these modules, Core Impact has modules to retrieve local information from a host where an OS Agent has been deployed. You can find them in the Information Gathering/Local category of the Modules pane.

Network Local Information Gathering

For convenience, several local modules that perform information gathering on a host can be launched through the Network Local Information Gathering RPT module.

  1. From the RPT Pane, select Network Local Information Gathering RPT and drag & drop it on the OS Agent deployed on the Ubuntu host.

Network LIG RPT Welcome

  1. Click Next.

Network LIG RPT Agent Selection

  1. Click Next.

Note: The OS Agent is already selected because the module has been dragged & dropped on it. Alternatively, you could have just clicked on the RPT module and in this step used the ellipsis (...) button to select it (or configured the module to run on all available OS Agents).

Network LIG RPT Modules to run

  1. Uncheck all categories except OS/Environment Information to retrieve basic information about the compromised host.

Note: Other available categories can be used to launch modules that detect other issues the host may be vulnerable to, try to extract credentials from the operating system and/or browser/email programs, etc.

  1. Click Finish.

The Local Information Gathering module will be executed. Expanding it in the Executed Modules pane shows several child modules, each of which provides the output and logs associated with the task it performs.

Network LIG RPT Results

Network Privilege Escalation

Once again, the OS Agent can be leveraged to try and obtain information on the compromised host using local modules, as previously shown.

The OS Agent deployed through the found identity, however, is that of a standard/limited user on the host. We can try and see whether we can elevate privileges on the system by exploiting an unpatched privilege escalation vulnerability.

  1. From the RPT Pane, select and click Network Privilege Escalation RPT and drag & drop it on the OS Agent deployed on the Mutillidae host.

Network Privilege Escalation RPT Welcome

  1. Click Next.

Network Privilege Escalation RPT Agent Selection

  1. Click Next.

Network Privilege Escalation RPT Exploits Selection

  1. Click Next.

Network Privilege Escalation RPT Autorun

  1. Click Finish.

The Privilege Escalation RPT module is launched, which starts launching exploits to try to detect and leverage available vulnerabilities to deploy an OS Agent with additional privileges.

After a while you can see that this is achieved with the Distcc Remote Code Execution Exploit module.

Network Privilege Escalation RPT Results

Clean Up

When the pen testing session is complete, OS Agents deployed on the compromised hosts can be uninstalled to remove running processes and connections to those hosts through Network Clean Up RPT.

  1. From the RPT Pane, select and click Network Clean Up RPT.

Network Clean Up RPT Welcome

  1. Click Next.

Network Clean Up RPT Confirm

  1. Click Finish.

You will see that the OS Agents deployed in the session have been uninstalled.

Network Clean Up RPT Results

Generate report of vulnerabilities

Finally, we'll generate a Vulnerability Report to show the vulnerabilities identified and leveraged in the workspace.

  1. From the RPT Pane, select and click Network Report Generation RPT.

Network Report Generation RPT Welcome

  1. Click Next.

Network Report Generation RPT Report Type Selection

  1. Select Network Vulnerability Report and click Next.

Network Report Generation RPT Report Format

  1. Click Finish.

The Network Report Generation RPT module will generate the report and open it using the program associated with Excel spreadsheets.

Network Report Generation RPT Results

Though not shown here, Excel-based reports in Core Impact can be customized after they're generated. Additionally, the user can duplicate and customize an existing Excel-based report before it's filled with the workspace's results, so that these customizations are applied every time the duplicated report is generated. The user can update branding images, introductory texts, show/remove sections, and customize result tables and graphs.