I Am Root: Understanding Privilege Escalation in Linux OS

I spent the first quarter of 2020 preparing for the OSCP exam. Searching for information on Google and many "blind" attempts ate up all my free time. Understanding privilege escalation methods turned out to be especially difficult. The PWK course pays a lot of attention to this topic, but the materials are never enough. There are plenty of manuals on the Internet with useful commands, but I am not a fan of blindly following advice without understanding where it leads.

I want to tell you what I managed to learn while preparing for and successfully passing the exam (including periodic attacks on Hack The Box). I was deeply grateful for every piece of information that helped me walk the Try Harder path more consciously; now it is my turn to give back to the community.

I want to give you a guide to privilege escalation in Linux OS, including an overview of the most common vectors and the related features you will certainly need. Privilege escalation methods themselves are usually simple; the difficulties arise when structuring and analyzing the information. So I decided to start with a "sightseeing tour" and then cover each vector in a separate article. I hope this will save you time studying the subject.

So why is privilege escalation still possible in 2020 if the methods have been widely known for so long? In fact, if the user treats the system properly, it will be impossible to elevate privileges on it. The main global problem that creates such opportunities is insecure configuration. The presence of outdated, vulnerable software versions on the system is also just a special case of insecure configuration.

Privilege escalation through insecure configuration

First, let's deal with insecure configuration. Let's start with the fact that IT specialists often use manuals and resources like stackoverflow, many of which contain insecure commands and configurations. A striking example is the news that the most copied code snippet from stackoverflow contained a bug. An experienced admin will spot the flaw, but that is in an ideal world. Even competent specialists under increased workload are capable of making mistakes. Imagine that an administrator is preparing and signing off documentation for the next tender, at the same time digging into a new technology to be introduced next quarter, while periodically solving user support tickets. And then he is told to quickly bring up a couple of machines and roll out services on them. What do you think the probability is that the admin simply won't notice the flaw? Then the specialists change, but the crutches remain, while companies always try to cut costs, including on IT specialists.

A precious but fragile shell

The shell obtained during the post-exploitation phase is often limited, especially if you got it by compromising the web server user. For example, shell restrictions may prevent you from using the sudo command, with the error:

sudo: no tty present and no askpass program specified

After obtaining a shell, I recommend creating a fully functional terminal, for example with Python.

python -c 'import pty;pty.spawn("/bin/bash")'

You may ask: "Why do I need a thousand commands if I can use one, say, to transfer files?" The point is that systems are configured differently; on the next host Python may not be installed, but Perl may be available. The skill is being able to do familiar things on a system without the usual tools. A full list of techniques can be found here.

A low-privileged shell can be obtained using the utilities listed in 1 and 2 (surprisingly, even GIMP).

Checking the command history

Linux keeps the history of all executed commands in the file ~/.bash_history. If the server is in active use and its history has not been cleared, there is a good chance that credentials can be found in this file. Clearing the history is inconvenient. If an administrator has to pick out a ten-step command, it is of course easier for him to recall it from history than to type it again. Moreover, many people do not know about this "hack". If alternative shells such as Zsh or Fish are present on the system, they have their own history. To display the command history in any shell, just type the history command.

cat ~/.bash_history
cat ~/.mysql_history
cat ~/.nano_history
cat ~/.php_history
cat ~/.atftp_history

There is shared hosting, where one server hosts many sites. Usually, with such a setup, each resource has its own user with a separate home directory and virtual host. So, if it is configured incorrectly, you can find the .bash_history file in the web root of the resource.

Searching for passwords in the file system and attacks on neighboring systems

Configuration files of various services may be readable by the current user. In them you can find credentials in plain text: passwords for accessing databases or related services. The same password may be used both for accessing the database and for authenticating the root user (credential stuffing).
It happens that the credentials found belong to services on other hosts. Developing the attack on the infrastructure through a compromised host is no worse than exploiting the other hosts directly. Neighboring systems can also be found by looking for IP addresses in the file system.

grep -lRi "password" /home /var/www /var/log 2>/dev/null | sort -u  # files mentioning "password" (case-insensitive) in those directories
grep -a -R -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' /var/log/ 2>/dev/null | sort -u  # IPs inside logs (-E: the {n,m} quantifiers are ERE syntax; dots escaped)

If the compromised host has a web application accessible from the Internet, it is better to exclude its logs from the IP address search. Addresses of the resource's users from the Internet are unlikely to be useful to us, but internal network addresses (172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8) and where they went, judging by the logs, may be interesting.
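The filtering described above, as an added example that is not part of the original article: candidates are collected with the same pattern as the grep, then each octet is validated (a regex alone also accepts 999.1.1.1) and only addresses inside the three internal ranges are kept. The log lines are constructed for the example.

```python
import ipaddress
import re

# Same shape as the grep pattern above, but every octet is validated afterwards:
# a regex alone also accepts junk such as 999.1.1.1.
IPV4_CANDIDATE = re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b")

# The internal ranges named in the text, listed explicitly so the policy is visible.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def internal_ips(text):
    """Return the sorted, de-duplicated internal IPv4 addresses mentioned in text."""
    found = set()
    for candidate in IPV4_CANDIDATE.findall(text):
        try:
            addr = ipaddress.IPv4Address(candidate)
        except ipaddress.AddressValueError:
            continue  # an octet above 255: not an address at all
        if any(addr in net for net in INTERNAL_NETS):
            found.add(addr)
    return [str(a) for a in sorted(found)]


# Constructed sample log lines (not from the article): an SSH login, a backup job,
# a database connection, a public upstream, a version string and a near-miss range.
SAMPLE_LOGS = """\
Mar 12 10:01:22 web01 sshd[2231]: Accepted password for deploy from 10.20.30.40 port 51234 ssh2
Mar 12 10:05:07 web01 backup.sh: rsync to 192.168.5.10::nightly finished
Mar 12 10:06:00 web01 app: connecting to db at 172.31.250.7:5432
Mar 12 10:07:41 web01 app: upstream 203.0.113.9 responded 200
Mar 12 10:08:13 web01 kernel: firmware version 999.1.1.1 loaded
Mar 12 10:09:00 web01 app: mirror 172.32.0.1 outside the private block
"""

if __name__ == "__main__":
    for ip in internal_ips(SAMPLE_LOGS):
        print(ip)
```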

Sudo

The sudo command allows a user to execute commands in the root context with their own password or without one at all. Many operations in Linux require root privileges, but working as root is considered bad practice. Instead, it is better to grant selective permission to execute commands in the root context. However, many Linux utilities, including standard ones like vi, can be used for privilege escalation by entirely legitimate means. To find the right method, I recommend looking here.

The first thing to do after gaining access to the system is to run the sudo -l command. It will display the permissions for using the sudo command. If you obtained a user without a password (such as apache or www-data), privilege escalation via sudo is unlikely: when using sudo, the system will ask for a password. Using the passwd command to set a password will not work either, as it asks for the current user's password. But if sudo is still available, then, in essence, you need to look for:

  • any interpreter, since any of them can spawn a shell (PHP, Python, Perl);
  • any text editor (vim, vi, nano);
  • any pager (less, more);
  • any ability to work with the file system (cp, mv);
  • utilities that can break out into bash, either interactively or as an executed command (awk, find, nmap, tcpdump, man, vi, vim, ansible).
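The same check from the administrator's side, as an added example that is not part of the original article: it parses `sudo -l` output and flags entries from the list above (and blanket ALL rules), noting whether they carry NOPASSWD. The sample output, the user name and the host name are constructed.

```python
import re

# The binary families from the list above; matched on basename so that
# /usr/bin/vim and /bin/vi both hit.
RISKY = {
    "interpreter": {"php", "python", "python2", "python3", "perl"},
    "editor": {"vim", "vi", "nano"},
    "pager": {"less", "more"},
    "filesystem": {"cp", "mv"},
    "shell-escape": {"awk", "find", "nmap", "tcpdump", "man", "ansible"},
}

# One rule line of `sudo -l` output: "(runas) [TAG: ...] cmd, cmd, ..."
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def classify(command):
    """Return the risk family of a sudo command spec, or None if it is not listed."""
    binary = command.split()[0].rsplit("/", 1)[-1]
    for family, names in RISKY.items():
        if binary in names:
            return family
    return None


def audit_sudo_l(output):
    """Parse `sudo -l` output; return (command, risk, nopasswd) for risky entries."""
    findings = []
    for line in output.splitlines():
        match = RULE.match(line)
        if not match:
            continue  # "Matching Defaults ..." and "User x may run ..." headers
        nopasswd = "NOPASSWD:" in match.group("tags")
        for command in (c.strip() for c in match.group("cmds").split(",")):
            if not command:
                continue
            risk = "all-commands" if command == "ALL" else classify(command)
            if risk:
                findings.append((command, risk, nopasswd))
    return findings


# Constructed `sudo -l` output (not from the article) for a fictional user.
SAMPLE_SUDO_L = """\
Matching Defaults entries for deploy on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User deploy may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/vim, /usr/bin/systemctl restart nginx
    (ALL : ALL) /usr/bin/find
    (root) NOPASSWD: /usr/local/bin/deploy.sh
"""

if __name__ == "__main__":
    for command, risk, nopasswd in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"{risk:13} {'NOPASSWD' if nopasswd else 'password'}  {command}")
```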

Suid/Sgid

There are many manuals on the Internet advising you to collect all suid/sgid commands, but rarely does an article give specifics on what to do with these programs. Privilege escalation options that do not rely on exploits can be found here. Also, a number of executables have vulnerabilities specific to the OS version, for example.

In an ideal world, you should run all installed packages through at least searchsploit. In practice, this should be done for the most popular programs, such as sudo. There is also always the option of using automated tools that will highlight executables with the suid/sgid bits set that are interesting from a privilege escalation point of view. I will give a list of such tools in the corresponding section of the article.

Writable scripts run by cron or init in the root context

Cron jobs can run in the context of different users, including root. If there is a cron job referencing an executable file and that file is writable by you, you can easily replace it with a malicious one and escalate privileges. At the same time, by default, cron job files are readable by any user.

ls -la /etc/cron.d  # show cron jobs 

The same applies to init. The difference is that cron jobs are executed periodically, while init scripts run at system startup. For this to work, you need to reboot the system, and some services may not come back up (if they are not registered for autostart).

ls -la /etc/init.d/  # show init scripts 

You can also search for files writable by any user.

find / -perm -2 -type f 2>/dev/null # find world writable files
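The cron check above as an audit routine, an added example that is not part of the original article: it parses a file in /etc/cron.d format, pulls every absolute path from each job's command line and reports the ones that are world-writable, together with the user the job runs as. The cron file and the file modes are constructed; on a live host you would pass a wrapper around os.stat(path).st_mode as mode_of.

```python
import stat


def parse_cron_d(text):
    """Yield (user, command) for each job line in /etc/cron.d format."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or environment assignment
        special = line.startswith("@")            # @reboot, @daily, ...
        parts = line.split(None, 2 if special else 6)
        if len(parts) == (3 if special else 7):   # schedule, user, command
            yield parts[-2], parts[-1]


def writable_targets(text, mode_of):
    """Return (user, path, perms) for each absolute path on a job's command line
    that is world-writable. mode_of(path) returns st_mode, or None if absent."""
    findings = []
    for user, command in parse_cron_d(text):
        for token in command.split():
            if not token.startswith("/"):
                continue  # options, redirections, relative names
            mode = mode_of(token)
            if mode is not None and mode & stat.S_IWOTH:
                findings.append((user, token, oct(stat.S_IMODE(mode))))
    return findings


# Constructed /etc/cron.d file and file modes (not from the article).
SAMPLE_CRON_D = """\
# site jobs
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
*/5 * * * * root /usr/local/bin/backup.sh >/dev/null 2>&1
0 3 * * * root /opt/scripts/cleanup.py
15 * * * * www-data /usr/bin/php /var/www/app/cron.php
@reboot root /usr/sbin/warmup-cache
"""
SAMPLE_MODES = {
    "/usr/local/bin/backup.sh": 0o100777,  # the "chmod 777, just make it work" case
    "/opt/scripts/cleanup.py": 0o100755,
    "/usr/bin/php": 0o100755,
    "/var/www/app/cron.php": 0o100666,
    "/usr/sbin/warmup-cache": 0o100755,
}

if __name__ == "__main__":
    for user, path, perms in writable_targets(SAMPLE_CRON_D, SAMPLE_MODES.get):
        print(f"{user}: {path} is world-writable ({perms})")
```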

The approach is well known, and experienced system administrators use the chmod command carefully. However, most manuals on the Web describe setting the maximum permissions. The "just make it work" approach of inexperienced system administrators creates opportunities for privilege escalation as a matter of course. If possible, it is worth checking the command history for unsafe uses of chmod.

chmod +w /path 
chmod 777 /path

Shell access for other users

We look at the list of users in /etc/passwd and pay attention to those who have a shell. You can brute-force these users; it is possible that through the resulting user you will be able to escalate privileges.

To improve security, I recommend always following the principle of least privilege. It also makes sense to take the time to check for inconsistent configurations that may be left over after troubleshooting; this is the system administrator's "technical debt".

Self-written code

It is worth looking at the executables in the home directory of the user and of the web server (/var/www/ unless otherwise specified). These files may be completely insecure solutions and contain strange crutches. Of course, if you have some framework in the web server directory, it makes no sense to hunt for a zero-day in it as part of a pentest, but it is recommended to find and analyze custom modifications, plugins and components.

To improve security, avoid using credentials in self-written scripts, as well as potentially dangerous functionality such as reading /etc/shadow or manipulating id_rsa, wherever possible.

Privilege escalation via exploits

Before attempting to escalate privileges with an exploit, it is important to understand how to transfer files to the target host. Besides the usual tools like ssh, ftp and http (wget, curl), there is a whole "zoo" of possibilities.

To improve the security of your system, update it regularly to the latest stable releases, and try to use distributions designed for enterprise use. Otherwise there are, rarely, situations where a successful update renders the system unusable.

Exploiting services running in a user's context

Some Linux services run as the root user. They can be found with ps aux | grep root. In this case the service may not be exposed to the network and may only be reachable locally. If it has public exploits, they can be used fairly safely: the risk of crashing a service is less significant than the risk of crashing the OS.

ps -aux | grep root # Linux

The most fortunate case is a compromised service running in the root user's context. Exploiting the SMB service gives SYSTEM access on Windows systems (for example via ms17-010). However, this is not common on Linux systems, so you may spend a lot of time on privilege escalation.

Exploiting Linux kernel vulnerabilities

This is the last path to take. An unsuccessful exploit can crash the system, and after a reboot some services (including the one through which the initial shell was obtained) may not come back up. It happens that the administrator simply forgot to run systemctl enable. Besides, it will cause dissatisfaction with your work if the exploitation was not agreed upon.
If you decide to use sources from exploitdb, be sure to read the comments at the beginning of the script. Among other things, they usually say how to compile the exploit correctly. If you are too lazy or need it "yesterday" because of tight deadlines, you can look for repositories of pre-compiled exploits, for example. However, you should understand that in this case you are buying a pig in a poke. On the other hand, if a programmer had to understand byte by byte how a computer and the software it uses work, he would never write a line of code in his life.

cat /proc/version
uname -a
searchsploit "Linux Kernel" 

Metasploit

To catch and manage connections, it is always better to use the exploit/multi/handler module. The main thing is to set the payload correctly, for example generic/shell/reverse_tcp or generic/shell/bind_tcp. A shell obtained in Metasploit can be upgraded to Meterpreter with the post/multi/manage/shell_to_meterpreter module. With Meterpreter you can manage the post-exploitation process. For example, the post/multi/recon/local_exploit_suggester module checks the platform, architecture and exploitable conditions and suggests Metasploit modules for privilege escalation on the target system. Thanks to Meterpreter, privilege escalation sometimes comes down to running the appropriate module, but hacking without understanding what is happening under the hood is not the real thing (you still have to write the report).

Tools

Tools that automate local information gathering will save you a lot of effort and time, but on their own they cannot fully identify a privilege escalation path, especially when it comes to exploiting kernel vulnerabilities. Automated tools will execute all the commands needed to gather information about the system, but it is just as important to be able to analyze the data obtained. I hope my article will be useful to you in this. Of course, there are many more tools than I will list below, but they all do the same thing; it is more a matter of taste.

Linpeas

A fairly new tool, with its first commit in January 2019. Currently my favorite tool. The bottom line is that it highlights the most promising privilege escalation vectors. Agree, it is more convenient to get an expert assessment at this stage than to parse monolithic raw data.

LinEnum

My second favorite tool; it also collects and organizes the data obtained from local enumeration.

linux-exploit-suggester (1, 2)

This utility checks the system for conditions suitable for exploits. In essence, it does work similar to the Metasploit local_exploit_suggester module, but offers links to exploit-db source code instead of Metasploit modules.

Linuxprivchecker

This script collects, and organizes by section, a large amount of information that may be useful for building a privilege escalation vector.

Next time I will cover Linux privilege escalation via suid/sgid in detail.

source: www.habr.com
