Root Access and Credential Exfiltration
Post-exploitation from Meterpreter to full root control and /etc/shadow dump on Metasploitable2
Summary
This stage continues directly from the Meterpreter session established in the Java RMI attack. The session was already running as root, meaning no additional privilege escalation was required — a direct violation of the principle of least privilege. From Meterpreter, the attack dropped into a native bash shell, confirmed uid=0(root), and exfiltrated /etc/shadow, which contained MD5-hashed passwords for 30+ system accounts. At this point the system was fully compromised: all data, all users, and all services were under attacker control.
Attack Technique Used
The technique is post-exploitation using Meterpreter. After confirming the session context with getuid, the attacker used the shell command to obtain an interactive system shell on Metasploitable. From that shell, standard Linux utilities were used to confirm privileges and exfiltrate sensitive credential data. The key actions were reading /etc/shadow to obtain password hashes for offline cracking and collecting basic system information (uname -a) to understand kernel age and exploitability.
Steps to Reproduce
Starting point: An active Meterpreter session from the Java RMI exploit (Attack 3).
meterpreter > getuid
Server username: root
meterpreter > shell
$ id
uid=0(root) gid=0(root) groups=0(root)
$ whoami
root
$ cat /etc/shadow
$ uname -a
Complete findings:
- getuid reported Server username: root — no privilege escalation step was needed.
- id confirmed uid=0(root) and gid=0(root), proving full root access.
- whoami returned root, further confirming effective privileges.
- uname -a showed Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 — an ~18-year-old kernel with many public exploits.
- /etc/shadow was successfully dumped, exposing MD5 ($1$) password hashes for 30+ accounts, including:
  - root:$1$... — root account protected with legacy MD5 hashing.
  - sys:$1$..., klog:$1$..., postgres:$1$..., user:$1$..., service:$1$... — additional system and service accounts.
  - msfadmin:$1XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/ — same account compromised via Hydra in Attack 2, now with its hash available for offline cracking.
- Accounts such as wazuh and ossec are present, indicating security/monitoring components also have credential material on the host.
- All MD5 ($1$) hashes are trivial to crack offline with tools like hashcat; the attacker can take the file away and recover passwords at leisure with no further contact with the victim.
- With root-level shell access and credential material, the attacker has achieved complete system compromise and can pivot, maintain persistence, or tamper with logs at will.
Detection (Wazuh)
On a modern, supported Linux distribution with a Wazuh agent installed, access to /etc/shadow is a high-severity event. Wazuh's file integrity monitoring (FIM) capability monitors sensitive files like /etc/shadow by default and would generate a critical alert when the file is read or modified. In this lab, Metasploitable's age (Ubuntu 8.04 from 2008) prevented agent deployment, but in a real environment an agent would log both the file access and any suspicious processes spawned from Meterpreter. Network monitoring would also observe the exfiltration of the shadow file contents leaving the system over the Meterpreter channel.
Remediation
- Never run exposed application services as root; always use dedicated, least-privilege service accounts to contain compromise.
- Deploy file integrity monitoring on sensitive files such as /etc/shadow, /etc/passwd, and key configuration files, and ensure alerts are integrated into the SIEM.
- Replace MD5 ($1$) password hashing with modern algorithms such as SHA-512 ($6$) or bcrypt ($2b$), and enforce strong password policies.
- Deploy an endpoint detection and response (EDR) solution capable of detecting Meterpreter-style post-exploitation behaviors.
- Implement network segmentation and strict access controls to limit lateral movement opportunities after an initial compromise.
- Maintain a robust patch management program; an 18-year-old kernel dramatically increases the risk of both remote and local exploitation.
- Ensure a Wazuh agent (or equivalent) is installed on all monitored systems to provide real-time visibility into processes, file access, and network activity.
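A small audit script, added here as an example rather than part of the lab write-up, that parses shadow-format input and flags accounts still using the $1$ (md5crypt) scheme found in the dump or legacy DES crypt, versus the $6$/$2b$ schemes recommended above; the sample entries and hash bodies are constructed placeholders, not the lab's data.

```python
# Added example (not from the lab): audit hash algorithms in /etc/shadow-format input.
from typing import Dict, List, Tuple

# Constructed sample entries; hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$PLACEHOLDERMD5BODY:14000:0:99999:7:::
msfadmin:$1$saltsalt$PLACEHOLDERMD5BODY:14000:0:99999:7:::
postgres:$6$saltsalt$PLACEHOLDERSHA512BODY:19000:0:99999:7:::
sys:*:14000:0:99999:7:::
daemon:!:14000:0:99999:7:::
guest::14000:0:99999:7:::
legacy:abJnggxhB/yWI:14000:0:99999:7:::
"""

STRONG = {"$6$": "sha512crypt", "$5$": "sha256crypt", "$y$": "yescrypt",
          "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}  # acceptable crypt(3) schemes

def classify_hash(field: str) -> Tuple[str, str]:
    """Return (status, algorithm) for the password field of one shadow entry."""
    if field == "":
        return "critical", "empty"            # password-less login
    body = field.lstrip("!")                  # a leading '!' marks a locked account
    if body in ("", "*"):
        return "locked", "none"               # no usable hash at all
    if body.startswith("$1$"):
        status, algo = "weak", "md5crypt"     # the $1$ scheme seen in the lab dump
    elif "$" not in body and len(body) == 13:
        status, algo = "weak", "descrypt"     # traditional 13-character DES crypt
    else:
        algo = next((n for p, n in STRONG.items() if body.startswith(p)), "unknown")
        status = "ok" if algo != "unknown" else "review"
    return ("locked" if field.startswith("!") else status), algo

def audit_shadow(text: str) -> List[Dict[str, str]]:
    """Parse shadow-format lines and classify every account's hash."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:                  # shadow(5) entries have exactly 9 fields
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(fields)}")
        status, algo = classify_hash(fields[1])
        findings.append({"user": fields[0], "status": status, "algorithm": algo})
    return findings

def accounts_to_rehash(findings: List[Dict[str, str]]) -> List[str]:
    """Accounts whose password must be reset so a modern scheme is applied."""
    return [f["user"] for f in findings if f["status"] in ("weak", "critical")]
```

Run it against a copy of the real file (as root, or on an exported copy) and treat every "weak" or "critical" account as a password reset with a modern default in /etc/login.defs or the PAM configuration.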
MITRE ATT&CK Mapping
T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow, T1078 Valid Accounts, TA0006 Credential Access, TA0009 Collection, T1005 Data from Local System.
Screenshots with captions
/etc/shadow dump showing MD5 hashed passwords for all 30+ system accounts, Linux kernel 2.6.24 from 2008.