Exploit Remote Service

ExploitRemoteService_cc4 exploits a service on a specific host to gain a user-privileged shell. This action has a few other actions as prerequisites to run successfully. This tutorial will go over them briefly, but for more information on them, check their individual tutorial pages.

Here we will first find the known subnet, discover the hosts present on that subnet, choose a host and discover its services, then finally exploit remote services on that host.

Red Agent Preamble

First, we check Red's initial observations to find the subnet Red starts the scenario knowing.

red_exploit_remote_service.py
from pprint import pprint
from ipaddress import IPv4Network, IPv4Address

from CybORG import CybORG
from CybORG.Simulator.Scenarios import EnterpriseScenarioGenerator
from CybORG.Agents import SleepAgent, FiniteStateRedAgent, EnterpriseGreenAgent
from CybORG.Simulator.Actions import DiscoverRemoteSystems, AggressiveServiceDiscovery, Sleep
from CybORG.Simulator.Actions.ScenarioActions.EnterpriseActions import ExploitRemoteService_cc4

sg = EnterpriseScenarioGenerator(blue_agent_class=SleepAgent, 
                                green_agent_class=EnterpriseGreenAgent, 
                                red_agent_class=FiniteStateRedAgent,
                                steps=200)
cyborg = CybORG(scenario_generator=sg, seed=1000)
red_agent_name = 'red_agent_0'

reset = cyborg.reset(agent=red_agent_name)
initial_obs = reset.observation
pprint(initial_obs)
Code Output
{'contractor_network_subnet_user_host_4': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
                                                        'interface_name': 'eth0',
                                                        'ip_address': IPv4Address('10.0.96.73')}],
                                        'Processes': [{'PID': 5753,
                                                        'username': 'ubuntu'}],
                                        'Sessions': [{'PID': 5753,
                                                        'Type': <SessionType.RED_ABSTRACT_SESSION: 10>,
                                                        'agent': 'red_agent_0',
                                                        'session_id': 0,
                                                        'timeout': 0,
                                                        'username': 'ubuntu'}],
                                        'System info': {'Architecture': <Architecture.x64: 2>,
                                                        'Hostname': 'contractor_network_subnet_user_host_4',
                                                        'OSDistribution': <OperatingSystemDistribution.KALI: 9>,
                                                        'OSType': <OperatingSystemType.LINUX: 3>,
                                                        'OSVersion': <OperatingSystemVersion.K2019_4: 11>,
                                                        'position': array([0., 0.])},
                                        'User Info': [{'Groups': [{'GID': 0}],
                                                        'username': 'root'},
                                                        {'Groups': [{'GID': 1}],
                                                        'username': 'user'}]},
'success': <TernaryEnum.UNKNOWN: 2>}

Here, the subnet is 10.0.96.0/24.

We then execute DiscoverRemoteSystems to discover the other hosts present on the subnet.

red_exploit_remote_service.py
action = DiscoverRemoteSystems(subnet=IPv4Network('10.0.96.0/24'), session=0, agent=red_agent_name)
results = cyborg.step(agent=red_agent_name, action=action)
obs = results.observation
pprint(obs)
Code Output
{'10.0.96.108': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
                                'ip_address': IPv4Address('10.0.96.108')}]},
'10.0.96.119': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
                                'ip_address': IPv4Address('10.0.96.119')}]},
'10.0.96.172': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
                                'ip_address': IPv4Address('10.0.96.172')}]},
'10.0.96.177': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
                                'ip_address': IPv4Address('10.0.96.177')}]},
'10.0.96.211': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
                                'ip_address': IPv4Address('10.0.96.211')}]},
'10.0.96.252': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
                                'ip_address': IPv4Address('10.0.96.252')}]},
'10.0.96.253': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
                                'ip_address': IPv4Address('10.0.96.253')}]},
'10.0.96.254': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
                                'ip_address': IPv4Address('10.0.96.254')}]},
'10.0.96.73': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
                            'ip_address': IPv4Address('10.0.96.73')}]},
'action': DiscoverRemoteSystems 10.0.96.0/24,
'contractor_network_subnet_user_host_4': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
                                                        'ip_address': IPv4Address('10.0.96.73')}],
                                        'Sessions': [{'Type': <SessionType.RED_ABSTRACT_SESSION: 10>,
                                                        'agent': 'red_agent_0',
                                                        'session_id': 0,
                                                        'username': 'ubuntu'}],
                                        'System info': {'Hostname': 'contractor_network_subnet_user_host_4'}},
'success': <TernaryEnum.TRUE: 1>}

These are: 10.0.96.108, 10.0.96.119, 10.0.96.172, 10.0.96.177, 10.0.96.211, 10.0.96.252, 10.0.96.253, 10.0.96.254, and 10.0.96.73.

Running ServiceDiscovery on a host is necessary for ExploitRemoteService_cc4 to work, as Red needs to know which services the host is running before it can exploit one of them to gain a user shell. Here we use AggressiveServiceDiscovery, as stealth is not important for this demonstration. We investigate the host 10.0.96.108, but this is an arbitrary choice.

red_exploit_remote_service.py
action = AggressiveServiceDiscovery(session=0, agent=red_agent_name, ip_address=IPv4Address('10.0.96.108'))
cyborg.step(agent=red_agent_name, action=action)

We are omitting the observation output here, as it is not necessary in this tutorial.

Exploit The Remote Service

We finally execute ExploitRemoteService_cc4 on the target host 10.0.96.108. This action takes three ticks, so we must wait: we step the environment twice more with Sleep before reading the observation.

red_exploit_remote_service.py
action = ExploitRemoteService_cc4(ip_address=IPv4Address('10.0.96.108'), session=0, agent=red_agent_name)
cyborg.step(agent=red_agent_name, action=action)
cyborg.step(agent=red_agent_name, action=Sleep())
results = cyborg.step(agent=red_agent_name, action=Sleep())
obs = results.observation
pprint(obs)
Code Output
{'10.0.96.108': {'Interface': [{'ip_address': IPv4Address('10.0.96.108')}],
                'Processes': [{'Connections': [{'Status': <ProcessState.OPEN: 2>,
                                                'local_address': IPv4Address('10.0.96.108'),
                                                'local_port': 22}],
                                'process_type': <ProcessType.SSH: 2>},
                            {'Connections': [{'local_address': IPv4Address('10.0.96.108'),
                                                'local_port': 22,
                                                'remote_address': IPv4Address('10.0.96.73'),
                                                'remote_port': 54893}],
                                'process_type': <ProcessType.SSH: 2>}],
                'Sessions': [{'Type': <SessionType.SSH: 2>,
                            'agent': 'red_agent_0',
                            'session_id': 1,
                            'username': 'user'}],
                'System info': {'Hostname': 'contractor_network_subnet_user_host_5',
                                'OSType': <OperatingSystemType.LINUX: 3>}},
'10.0.96.73': {'Interface': [{'ip_address': IPv4Address('10.0.96.73')}],
                'Processes': [{'Connections': [{'local_address': IPv4Address('10.0.96.73'),
                                                'local_port': 54893,
                                                'remote_address': IPv4Address('10.0.96.108'),
                                                'remote_port': 22}]}]},
'action': ExploitRemoteService_cc4 10.0.96.108,
'contractor_network_subnet_user_host_4': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
                                                        'ip_address': IPv4Address('10.0.96.73')}],
                                        'Sessions': [{'Type': <SessionType.RED_ABSTRACT_SESSION: 10>,
                                                        'agent': 'red_agent_0',
                                                        'session_id': 0,
                                                        'username': 'ubuntu'}],
                                        'System info': {'Hostname': 'contractor_network_subnet_user_host_4'}},
'contractor_network_subnet_user_host_5': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
                                                        'ip_address': IPv4Address('10.0.96.108')}],
                                        'Sessions': [{'Type': <SessionType.SSH: 2>,
                                                        'agent': 'red_agent_0',
                                                        'session_id': 1,
                                                        'username': 'user'}],
                                        'System info': {'Hostname': 'contractor_network_subnet_user_host_5'}},
'success': <TernaryEnum.TRUE: 1>}

The key 10.0.96.108 in the results observation describes which service on that host was exploited and how: the SSH process listening on port 22, together with the new connection to it from Red's own host 10.0.96.73.

Importantly, the observation also contains the key contractor_network_subnet_user_host_5, which is the hostname of the target host 10.0.96.108. As we can see, this host now has a red agent shell active on it with user privileges, so the exploit has been successful:

'Sessions': [{'Type': <SessionType.SSH: 2>,
    'agent': 'red_agent_0',
    'session_id': 1,
    'username': 'user'}]
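The page reads the discovered hosts and the new session off the observations by eye. The helpers below do the same programmatically: discovered_hosts pulls the IPv4-keyed entries out of a DiscoverRemoteSystems observation (the list given after the scan above), red_sessions collects every session the red agent holds, and exploit_succeeded combines the success flag with the session list to decide whether the ExploitRemoteService_cc4 step produced a shell on the target. This is an added example, not part of CybORG; the two sample observations are constructed to mirror the shapes printed on this page, and the TernaryEnum class is a stand-in for CybORG's own enum (only the members seen on this page). The __main__ block re-runs the page's chain against a real CybORG install using the page's own action signatures.

```python
"""Helpers for reading CybORG observations from the discover -> scan -> exploit chain.
Added example: not part of CybORG.  Sample observations below are constructed."""
from enum import Enum
from ipaddress import IPv4Address, IPv4Network


class TernaryEnum(Enum):
    """Stand-in for CybORG's TernaryEnum (only the members seen on the page)."""
    TRUE = 1
    UNKNOWN = 2


def _name(value):
    """Enum member name when value is an Enum, otherwise its string form."""
    return value.name if isinstance(value, Enum) else str(value)


def discovered_hosts(obs, own_ip=None):
    """Sorted IPv4 addresses that appear as top-level keys of the observation.
    Keys such as 'action', 'success' and hostnames do not parse and are skipped;
    own_ip (the agent's own address) is dropped when given."""
    found = []
    for key in obs:
        try:
            addr = IPv4Address(key)
        except ValueError:
            continue
        if own_ip is not None and addr == IPv4Address(own_ip):
            continue
        found.append(addr)
    return sorted(found)


def red_sessions(obs, agent='red_agent_0'):
    """Map hostname -> sorted [(session_id, username, session_type)] for sessions
    owned by `agent`.  A host can appear under both its IP and its hostname, so
    entries are keyed by 'System info'/'Hostname' when present and de-duplicated."""
    sessions = {}
    for key, host in obs.items():
        if not isinstance(host, dict):
            continue
        hostname = host.get('System info', {}).get('Hostname', key)
        for s in host.get('Sessions', []):
            if s.get('agent') != agent:
                continue
            entry = (s.get('session_id'), s.get('username'), _name(s.get('Type')))
            bucket = sessions.setdefault(hostname, [])
            if entry not in bucket:
                bucket.append(entry)
    return {h: sorted(b) for h, b in sessions.items()}


def exploit_succeeded(obs, target_ip, agent='red_agent_0'):
    """Username of the shell `agent` holds on the host whose interface carries
    target_ip, or None.  The 'success' flag must be TRUE as well: it reports the
    outcome of this step's action, whereas the session list alone would also
    match a shell obtained on an earlier step."""
    if _name(obs.get('success')) != 'TRUE':
        return None
    target = IPv4Address(target_ip)
    hostnames = set()
    for key, host in obs.items():
        if not isinstance(host, dict):
            continue
        for iface in host.get('Interface', []):
            if iface.get('ip_address') == target:
                hostnames.add(host.get('System info', {}).get('Hostname', key))
    for hostname, entries in red_sessions(obs, agent).items():
        if hostname in hostnames:
            return entries[0][1]
    return None


# Constructed sample observations: trimmed copies of the shapes on this page.
SAMPLE_DISCOVERY_OBS = {
    '10.0.96.108': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
                                   'ip_address': IPv4Address('10.0.96.108')}]},
    '10.0.96.119': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
                                   'ip_address': IPv4Address('10.0.96.119')}]},
    '10.0.96.73': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
                                  'ip_address': IPv4Address('10.0.96.73')}]},
    'action': 'DiscoverRemoteSystems 10.0.96.0/24',
    'contractor_network_subnet_user_host_4': {
        'Sessions': [{'Type': 'RED_ABSTRACT_SESSION', 'agent': 'red_agent_0',
                      'session_id': 0, 'username': 'ubuntu'}],
        'System info': {'Hostname': 'contractor_network_subnet_user_host_4'}},
    'success': TernaryEnum.TRUE,
}

SAMPLE_EXPLOIT_OBS = {
    '10.0.96.108': {'Interface': [{'ip_address': IPv4Address('10.0.96.108')}],
                    'Sessions': [{'Type': 'SSH', 'agent': 'red_agent_0',
                                  'session_id': 1, 'username': 'user'}],
                    'System info': {'Hostname': 'contractor_network_subnet_user_host_5'}},
    '10.0.96.73': {'Interface': [{'ip_address': IPv4Address('10.0.96.73')}]},
    'action': 'ExploitRemoteService_cc4 10.0.96.108',
    'contractor_network_subnet_user_host_4': {
        'Interface': [{'ip_address': IPv4Address('10.0.96.73')}],
        'Sessions': [{'Type': 'RED_ABSTRACT_SESSION', 'agent': 'red_agent_0',
                      'session_id': 0, 'username': 'ubuntu'}],
        'System info': {'Hostname': 'contractor_network_subnet_user_host_4'}},
    'contractor_network_subnet_user_host_5': {
        'Interface': [{'ip_address': IPv4Address('10.0.96.108')}],
        'Sessions': [{'Type': 'SSH', 'agent': 'red_agent_0',
                      'session_id': 1, 'username': 'user'}],
        'System info': {'Hostname': 'contractor_network_subnet_user_host_5'}},
    'success': TernaryEnum.TRUE,
}


if __name__ == '__main__':
    # Re-run the page's chain against a real CybORG install, using the helpers
    # above to pick the target and to judge the result (requires CybORG).
    from CybORG import CybORG
    from CybORG.Simulator.Scenarios import EnterpriseScenarioGenerator
    from CybORG.Agents import SleepAgent, FiniteStateRedAgent, EnterpriseGreenAgent
    from CybORG.Simulator.Actions import DiscoverRemoteSystems, AggressiveServiceDiscovery, Sleep
    from CybORG.Simulator.Actions.ScenarioActions.EnterpriseActions import ExploitRemoteService_cc4

    red = 'red_agent_0'
    sg = EnterpriseScenarioGenerator(blue_agent_class=SleepAgent, green_agent_class=EnterpriseGreenAgent,
                                     red_agent_class=FiniteStateRedAgent, steps=200)
    cyborg = CybORG(scenario_generator=sg, seed=1000)
    obs = cyborg.reset(agent=red).observation
    iface = next(v for v in obs.values() if isinstance(v, dict) and 'Interface' in v)['Interface'][0]
    own_ip, subnet = iface['ip_address'], iface['Subnet']
    obs = cyborg.step(agent=red, action=DiscoverRemoteSystems(subnet=subnet, session=0, agent=red)).observation
    target = discovered_hosts(obs, own_ip)[0]
    cyborg.step(agent=red, action=AggressiveServiceDiscovery(session=0, agent=red, ip_address=target))
    cyborg.step(agent=red, action=ExploitRemoteService_cc4(ip_address=target, session=0, agent=red))
    cyborg.step(agent=red, action=Sleep())
    obs = cyborg.step(agent=red, action=Sleep()).observation
    print(target, 'shell as', exploit_succeeded(obs, target, red))
```

On the constructed samples, discovered_hosts returns 10.0.96.108 and 10.0.96.119 once Red's own 10.0.96.73 is dropped, and exploit_succeeded reports the shell on 10.0.96.108 as 'user' while returning None for an address that gained no session. The same functions work on live observations because they only rely on the key layout shown on this page.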