Samurai Skills Update #2

I’ve now had a few days to ‘play’ with the Samurai Skills course online hacking lab and I wanted to post some early thoughts.

I’ve found the labs both awesome and frustrating. Awesome because it’s nice to have a network to test all of my new-found ethical hacking knowledge on. Frustrating because my knowledge isn’t where I want it to be yet so I found myself spinning my wheels for a few hours this afternoon trying to get various privilege escalations running on a Linux box.

My first act upon receiving access to the “student network” (the easiest of the three networks in the lab) was to run an Nmap scan. The scan showed about two dozen machines running a mix of operating systems.

My next step was to run a Nessus scan to look for vulnerabilities on the machines Nmap found. There were quite a few exploits found on some of the systems so I picked a juicy looking windows box and decided it would be target number one.

I combed through the Nessus report on that box looking for vulnerabilities which had exploits available in Metasploit. I tried a few different exploits which all failed but finally hit on one which after a few seconds popped up the prompt every penetration tester dreams of, meterpreter.

For those new to ethical hacking & penetration testing, meterpreter is a payload in Metasploit which gives you a ton of great options (dumping password hashes in Windows, obtaining shell etc.). My first meterpreter command was dumping the password hashes on the target machine and then firing up John the Ripper on my computer while I obtained shell on the target machine and poked around.

My first hacking session ended on an incredible high note.

Last night I decided to target a Linux box. After trying (and failing) to get several exploits to work I finally picked one which targeted a vulnerable web application hosted on the machine and was able to get meterpreter running on that machine. All was well in hacking land, or so I thought…..

My first act was grabbing the contents of the “passwd” file. The file showed quite a few accounts. I didn’t expect to be able to view the contents of the shadow file but I had to try. That didn’t work. Why? The application I exploited wasn’t running as root so when broke out of that application and into shell, I was running as that user and not root. I went to bed last night figuring I would wake up in the morning and get my privilege escalation on.

After a nice breakfast out with my wife I came back to watch football and try to get root on that Linux box. While I was half paying attention to the football games on TV, I was also going through and trying to find some privilege escalation code (mostly c) which I could get running on the machine. I tried around a dozen different attacks, all appropriate for the kernel version my target machine was running but I couldn’t get any of them to work.

A few wouldn’t compile, a few needed services which weren’t on the target machine and a few just plain didn’t work. It was very frustrating to spend several hours trying to accomplish something and finally stop (due to other obligations, not frustration) without having made any progress.

The only good thing about my experience this afternoon was that I knew exactly what needed to be done, I researched correctly, had no problems getting the code onto my target machine, was able to compile several of the exploits (no small achievement for a lifelong Windows guy).

While I take all of this for granted now, I would have had no idea what to do several months ago. I feel like I’ve learned so much and I’m only getting started. Still, I’m in the same situation I was in last night. I have a funny feeling I may be skipping ahead to the privilege exploitation video of the course very soon 🙂