I spent the XNUMX quarter of 2020 preparing for the OSCP exam. Searching Google for information and making many "blind" attempts took up all of my free time. Understanding the mechanisms of privilege escalation turned out to be especially difficult. The PWK course pays close attention to this topic, but methodological materials alone are never enough. There are plenty of manuals on the Internet with useful commands, but I am not in favor of blindly following recommendations without understanding where they lead.
I would like to share with you what I managed to learn while preparing for and successfully passing the exam (including periodic raids on Hack The Box). I felt deep gratitude for every piece of information that helped me walk the Try Harder path more consciously, and now it is time to give back to the community.
Here I want to give you a guide to privilege escalation in OS Linux, including an analysis of the most common vectors and the related features you will definitely need. Often the privilege escalation mechanisms themselves are quite simple; the difficulties arise in structuring and analyzing the information. So I decided to start with a "sightseeing tour" and then examine each vector in a separate article. I hope this saves you time studying the topic.
So why is privilege escalation still possible in 2020, when the techniques have been well known for a very long time? In fact, if the user handles the system correctly, it really is not possible to escalate privileges on it. The main global problem that creates such opportunities is insecure configuration. The presence of outdated software versions containing vulnerabilities in the system is also a special case of insecure configuration.
Privilege escalation through insecure configuration
First of all, let's deal with insecure configuration. To begin with, IT professionals often use manuals and resources such as Stack Overflow, many of which contain insecure commands and settings. A striking example is
Pseudo-shell and jailbreak
The system shell obtained at the exploitation stage is often restricted, especially if you obtained it by hacking a web server user. For example, shell restrictions can prevent you from using the sudo command and produce an error:
sudo: no tty present and no askpass program specified
After obtaining a shell, I recommend creating a full-fledged terminal, for example with Python.
python -c 'import pty;pty.spawn("/bin/bash")'
"Why do I need XNUMX commands when I can use XNUMX command, for example, to transfer files?" The point is that systems are configured differently: the next host may not have Python installed, but Perl may be available. Skill means being able to do familiar things in a system without familiar tools. You can find a complete list of the possibilities.
A low-privilege shell can be obtained using the following commands.
Viewing command history
Linux collects the history of all executed commands in the file ~/.bash_history. If the server is actively used and its history is not cleared, there is a high probability of finding credentials in this file. Clearing the history is simply inconvenient. If an administrator is forced to pick XNUMX-level commands, it is of course more convenient to recall the command from history than to type it again. Besides, many people do not know about this "hack". If the system has alternative shells such as Zsh or Fish, they keep their own history. To display the command history in any shell, just type the history command.
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.nano_history
cat ~/.php_history
cat ~/.atftp_history
There is also shared hosting, where a server is used to host several sites. Usually, in this configuration, each resource has its own user with a separate home directory and virtual host. So, if it is configured incorrectly, a .bash_history file can be found in the root directory of the web resource.
Finding passwords in the file system and attacking adjacent systems
Configuration files for various services may be readable by the current user. Some of them contain credentials in clear text: passwords for accessing a database or related services. The same password may be used both for database access and for authorizing the root user (credential stuffing).
The credentials found may belong to services on other hosts. Developing an attack on the infrastructure through a compromised host is no different from exploiting any other host. Adjacent systems can also be found by searching the file system for IP addresses.
grep -lRi "password" /home /var/www /var/log 2>/dev/null | sort | uniq #Find string password (no cs) in those directories
grep -a -R -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' /var/log/ 2>/dev/null | sort -u #IPs inside logs
If the compromised host has a web application accessible from the Internet, it is better to exclude its logs from the IP address search. The addresses of the resource's users from the Internet are unlikely to be useful, but the addresses of the internal network (172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8) and where they go, judging by the logs, may be of interest.
Sudo
The sudo command lets a user execute a command in the context of root using their own password or without any password at all. Many operations in Linux require root privileges, but working as root is considered very bad practice. Instead, it is better to apply selective permission to run commands in the root context. However, many Linux tools, including standard ones such as vi, can be used to escalate privileges in legitimate ways. To find a suitable method, I recommend consulting the following
The first thing to do after gaining access to a system is to run the sudo -l command. It displays the permissions for using the sudo command. If you have obtained a user without a password (such as apache or www-data), a sudo privilege escalation vector is unlikely: when sudo is used, the system asks for a password. Setting a password with the passwd command will not work either, because it asks for the current user password. But if sudo is still available, these are the things to look for:
- any interpreters, since any of them can spawn a shell (PHP, Python, Perl);
- any text editors (vim, vi, nano);
- any viewers (less, more);
- any means of working with the file system (cp, mv);
- tools that have output in bash, interactively or as an executable command (awk, find, nmap, tcpdump, man, vi, vim, ansible).
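The categories in the list above can be turned into a review of what sudo -l reports for an account. The script below is an added example, not code from the original article; the sample output, the host and user names, and the category labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: review `sudo -l` output for grants that fall into the
# categories listed above. The sample output below is constructed.

# classify_cmd PATH: print the risk category of a granted command, if any.
classify_cmd() {
    case $(basename "$1") in
        ALL)                 echo unrestricted ;;
        php*|python*|perl*)  echo interpreter ;;
        vi|vim|nano)         echo editor ;;
        less|more)           echo viewer ;;
        cp|mv)               echo file-operation ;;
        awk|find|nmap|tcpdump|man|ansible*) echo command-runner ;;
    esac
}

# audit_sudo_list: read `sudo -l` output on stdin and print
# "category runas command" for every grant worth a second look.
# Limitation: commas escaped inside sudoers arguments are not handled.
audit_sudo_list() {
    # Rule lines look like "    (runas) [TAG:] cmd args, cmd args".
    grep -E '^[[:space:]]+\(' |
    sed -E 's/^[[:space:]]+\(([^)]*)\)[[:space:]]*/\1|/' |
    while IFS='|' read -r runas list; do
        # Drop tags such as NOPASSWD: and split the command list on commas.
        printf '%s\n' "$list" | sed -E 's/[A-Z_]+: *//g' | tr ',' '\n' |
        while read -r cmd args; do
            category=$(classify_cmd "$cmd")
            if [ -n "$category" ]; then echo "$category $runas $cmd"; fi
        done
    done
    return 0
}

# Constructed sample in the layout printed by `sudo -l`.
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for deploy on web01:
    env_reset, mail_badpass

User deploy may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/vim /etc/nginx/nginx.conf
    (root) /usr/bin/python3 /opt/app/manage.py
    (backup) NOPASSWD: /bin/cp
EOF
}
sample_sudo_l | audit_sudo_list
```

On a real host the input would be the output of sudo -l -U for the account under review; each reported line is a grant to replace with a narrower rule or a wrapper script.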
Suid/Sgid
There are many manuals on the Internet that advise building a list of all suid/sgid commands, but articles that explain in detail what to do with these programs are rare. Privilege escalation options that do not involve the use of exploits can be found
Ideally, you should run all installed packages through at least searchsploit. In practice, this should be done with the most popular programs, such as sudo. It is also always an option to use and support the development of automated tools that highlight executables with the suid/sgid bits set that are interesting from a privilege escalation point of view. I give a list of such tools in the corresponding section of the article.
Writable scripts run by Cron or Init in the root context
Cron jobs can run in the context of different users, including root. If cron has a task that refers to an executable file and that file is writable by you, it can easily be replaced with a malicious one to escalate privileges. At the same time, by default, files containing cron tasks are readable by any user.
ls -la /etc/cron.d # show cron jobs
The situation with init is similar. The difference is that tasks in cron run periodically, while tasks in init run at system startup. Exploiting this requires a system reboot, and some services may not come back up (if they were not registered for autostart).
ls -la /etc/init.d/ # show init scripts
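One way for an administrator to check for this condition: the script below is an added example (not from the original article) that reads cron.d-style files and reports root jobs whose target file, or the directory holding it, is writable by group or others. The directory layout and job entries are constructed.

```shell
#!/bin/sh
# Added example: flag root cron jobs whose target file (or its directory)
# is writable by group or others. Paths and job entries below are constructed.

# True if the path is group- or world-writable.
is_open() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# audit_cron_dir DIR: DIR holds files in /etc/cron.d format
# (min hour dom mon dow user command ...). One finding per line.
# Limitation: only the first word of each command is checked, and only
# when it is an absolute path.
audit_cron_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # Skip comments, blank lines and VAR=value lines; emit "user command".
        awk '/^[ \t]*(#|$)/ || /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }
             $1 ~ /^@/ { print $2, $3; next }
             { print $6, $7 }' "$f" |
        while read -r user cmd; do
            [ "$user" = root ] || continue
            case $cmd in /*) ;; *) continue ;; esac
            if [ ! -e "$cmd" ]; then echo "MISSING $cmd ($f)"
            elif is_open "$cmd"; then echo "WRITABLE $cmd ($f)"
            elif is_open "$(dirname "$cmd")"; then echo "WRITABLE-DIR $cmd ($f)"
            fi
        done
    done
    return 0
}

# Constructed sample tree standing in for /etc/cron.d and its scripts.
demo=$(mktemp -d)
mkdir "$demo/cron.d" "$demo/bin" && chmod 755 "$demo/bin"
printf '#!/bin/sh\n' > "$demo/bin/rotate.sh"; chmod 755 "$demo/bin/rotate.sh"
printf '#!/bin/sh\n' > "$demo/bin/backup.sh"; chmod 777 "$demo/bin/backup.sh"
cat > "$demo/cron.d/jobs" <<EOF
SHELL=/bin/sh
# constructed entries
*/5 * * * * root $demo/bin/backup.sh
@reboot root $demo/bin/rotate.sh --all
0 4 * * * www-data $demo/bin/backup.sh
EOF
audit_cron_dir "$demo/cron.d"
```

A MISSING finding matters as well: a root job that points at a path that does not exist will run whatever is later created there.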
You can also search for files that are writable by any user.
find / -perm -2 -type f 2>/dev/null # find world writable files
This method is quite well known, and experienced system administrators use the chmod command carefully. However, most manuals on the Web describe setting maximum permissions. The "just make it work" approach of inexperienced system administrators creates, as a rule, opportunities for privilege escalation. If possible, it is worth checking the command history for insecure use of chmod.
chmod +w /path
chmod 777 /path
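The history check recommended above can be scripted. This added example (not part of the original article) parses chmod calls out of history lines and reports modes that grant write access to others; the sample history and the reason labels are constructed.

```shell
#!/bin/sh
# Added example: find permissive chmod calls in shell history.
# audit_chmod_history reads history lines on stdin and prints
# "<line number>:<reason>:<command>".
audit_chmod_history() {
    awk '
    {
        # Find the chmod word; this also catches "sudo chmod" and "a && chmod".
        for (i = 1; i <= NF; i++) if ($i == "chmod") break
        if (i > NF) next
        # Skip options such as -R; the next word is the mode.
        for (j = i + 1; j <= NF && $j ~ /^-/; j++) ;
        if (j > NF) next
        mode = $j; why = ""
        if (mode ~ /^[0-7]+$/) {
            # Numeric mode: bit 2 of the last digit grants write to others.
            last = substr(mode, length(mode), 1) + 0
            if (int(last / 2) % 2 == 1) why = "world-writable"
        } else {
            # Symbolic mode: examine each comma-separated clause.
            n = split(mode, clause, ",")
            for (k = 1; k <= n; k++) {
                if (clause[k] !~ /^[ugoa]*[+=][rwxXst]*w/) continue
                who = clause[k]; sub(/[+=].*/, "", who)
                # With no class given, chmod adds write for every class
                # that the umask does not mask out.
                if (who == "") why = "write-all-umask-limited"
                else if (who ~ /[oa]/) why = "world-writable"
            }
        }
        if (why != "") print NR ":" why ":" $0
    }'
}

# Constructed history sample; the two commands shown above are included.
sample_history() {
    cat <<'EOF'
cd /var/www/html
chmod 777 /path
sudo chmod -R 0755 /opt/app
chmod +w /path
chmod u+x,o+w deploy.sh
chmod 640 secrets.env
EOF
}
sample_history | audit_chmod_history
```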
Gaining shell access as other users
We look at the list of users in /etc/passwd. Pay attention to those who have a shell. These users can be attacked; it is possible that the privileges can eventually be escalated through the resulting user.
To improve security, I recommend always following the principle of least privilege. It also makes sense to take the time to check for insecure configurations that may have been left behind after troubleshooting; this is the "technical duty" of the system administrator.
Self-written code
It is worth taking a close look at the executable files in the home directories of users and of the web server (/var/www/ unless specified otherwise). These files may turn out to be a completely insecure solution and contain incredible kludges. Of course, if there is some framework in the web server directory, it makes no sense to look for a zero-day in it as part of a penetration test, but it is worth finding and examining custom modifications, plugins and components.
To strengthen security, it is better to avoid, where possible, using credentials in self-written scripts, as well as potentially dangerous functionality such as reading /etc/shadow or manipulating id_rsa.
Privilege escalation through exploitation of vulnerabilities
Before attempting to escalate privileges through exploitation, it is important to understand how to transfer files to the target host. In addition to the usual tools such as ssh, ftp, http (wget, curl),
To improve system security, update it regularly to the latest stable versions, and try to use distributions designed for the enterprise. Otherwise, rarely but it does happen, an apt upgrade can leave the system unusable.
Exploiting services running in the context of the root user
Some Linux services run as the privileged user root. They can be found with ps aux | grep root. Such a service may not be announced on the Web and may be available only locally. If it has public exploits, they can be used safely: a service crash on failure is far less critical than an OS crash.
ps -aux | grep root # Linux
The most successful case can be considered the exploitation of a hacked service in the context of the root user. Exploiting the SMB service gives SYSTEM privileged access on Windows systems (for example, via ms17-010). However, this is not common on Linux systems, so you may spend a lot of time on privilege escalation.
Exploiting Linux kernel vulnerabilities
This is the path to take last. A failed exploitation can crash the system, and after a reboot some services (including those through which the original shell was obtained) may not come back up. The administrator may simply have forgotten to use the systemctl enable command. On top of that, it will cause a lot of dissatisfaction with your work if the exploitation was not agreed upon.
If you decide to use the sources from exploitdb, be sure to read the comments at the beginning of the script. Among other things, they usually say how to compile the exploit correctly. If you were too lazy, or needed it "yesterday" because of deadlines, you can look for repositories with already compiled exploits.
cat /proc/version
uname -a
searchsploit "Linux Kernel"
Metasploit
To catch and handle a connection, it is always better to use the exploit/multi/handler module. The main thing is to set the correct payload (for example, generic/shell_reverse_tcp or generic/shell_bind_tcp). A shell obtained in Metasploit can be upgraded to Meterpreter with the post/multi/manage/shell_to_meterpreter module. With Meterpreter, you can automate the post-exploitation process. For example, the post/multi/recon/local_exploit_suggester module checks the platform, architecture and exploitable entities and suggests Metasploit modules for privilege escalation on the target system. Thanks to Meterpreter, privilege escalation sometimes comes down to running the right module, but hacking without understanding what is happening under the hood is not the real thing (you still have to write a report).
Tools
Tools that automate local information gathering save a lot of effort and time, but on their own they cannot fully identify a privilege escalation path, especially when it comes to exploiting kernel vulnerabilities. Automation tools run all the commands needed to collect information about the system, but it is also important to be able to analyze the data received. I hope my article helps you with that. Of course, there are many more tools than the ones listed below, but they all do roughly the same thing, so it is more a matter of taste.
LinPEAS
A fairly new tool; the first commit is dated XNUMX 2019. It is my favorite tool at the moment. The point is that it highlights the most interesting privilege escalation vectors. You will agree that it is more convenient to get an expert assessment at this level than to parse monolithic raw data.
LinEnum
My XNUMX favorite tool; it also collects and organizes the data obtained from local enumeration.
linux-exploit-suggester (1,2)
This tool analyzes the system for conditions suitable for exploits. In fact, it does the same job as the Metasploit local_exploit_suggester module, but it provides links to exploit-db source code rather than Metasploit modules.
Linuxprivchecker
This script collects a large amount of information that can be useful for forming a privilege escalation vector and organizes it by section.
I will cover this in more detail another time.
Source: habr.com