I am root. Understanding Linux OS Privilege Escalation

I spent the first quarter of 2020 preparing for the OSCP exam. Searching for information on Google and a lot of "blind" attempts took up all my free time. Privilege escalation techniques turned out to be especially hard to understand. The PWK course pays a lot of attention to this topic, but the training materials are not enough. There are many manuals on the Internet with useful commands, but I am not a fan of blindly following recommendations without understanding where they will lead.

I want to share with you what I learned while preparing for and successfully passing the exam (including periodic raids on Hack The Box). I felt a strong sense of gratitude for every piece of information that helped me walk the Try Harder path more consciously, and now it is my turn to give back to the community.

I want to give you a manual on how to escalate privileges in Linux OS, which includes an analysis of the most common vectors and related features that will be useful to you. Often the privilege escalation techniques themselves are quite simple; the difficulties arise when structuring and analyzing the information. Therefore, I decided to start with a "sightseeing tour" and then consider each vector in a separate article. I hope I will save you some time researching the topic.

So why is privilege escalation even possible in 2020 if the methods have been known for a very long time? In fact, if the user handles the system correctly, it will indeed be impossible to escalate privileges in it. The main global problem that creates such opportunities is insecure configuration. The presence of outdated software versions with vulnerabilities in the system is a special case of insecure configuration.

Privilege escalation through insecure configuration

First, let's deal with insecure configuration. Let's start with the fact that IT specialists often use manuals and resources such as stackoverflow, many of which contain insecure commands and configurations. A striking example is the news that the most copied code from stackoverflow contained a bug. An experienced administrator will notice the flaw, but that is in an ideal world. Even competent specialists, under an increased workload, are capable of making mistakes. Imagine that the administrator is preparing and coordinating documentation for the next tender, at the same time studying a new technology that needs to be implemented next quarter, and periodically solving user support tasks. Then he is given the task of quickly deploying a couple of virtual machines and rolling out services on them. What do you think are the chances that the admin simply will not notice a flaw? Later the specialists change, but the crutches remain, while companies always strive to minimize costs, including the cost of IT staff.

Pseudo-shell and jailbreak

The system shell obtained during the exploitation stage is often limited, especially if you got it by compromising the web server user. For example, shell restrictions may prevent you from running the sudo command, producing the error:

sudo: no tty present and no askpass program specified

Once you have a shell, I recommend creating a full terminal, for example using Python.

python -c 'import pty;pty.spawn("/bin/bash")'

You might ask: "Why do I need a thousand commands if I can use one, for example, to transfer files?" The fact is that systems are configured differently; the host may not have Python, but it may have Perl. The skill is being able to do familiar things in a system without the familiar tools. A full list of options can be found here.

A minimal shell can be obtained using command 1 and command 2 (surprisingly, even GIMP).

View the command history

Linux collects the history of all executed commands in the ~/.bash_history file. If the server is actively used and its history has not been cleared, there is a high chance of finding credentials in this file. Clearing the history is simply inconvenient. If an administrator has to assemble ten-storey commands, it will certainly be easier for him to call that command from the history than to type it again. Also, many people do not know about this "hack". If there are alternative shells such as Zsh or Fish in the system, they have their own history. To display the command history in any shell, just type history.

cat ~/.bash_history
cat ~/.mysql_history
cat ~/.nano_history
cat ~/.php_history
cat ~/.atftp_history

There is shared hosting, where one server is used to host several websites. Usually, with this configuration, each resource has its own user with a separate home directory and virtual host. So, if it is misconfigured, you can find the .bash_history file in the web root of the web application.

Searching for passwords in the file system and attacking neighboring systems

Configuration files of various services may be readable by the current user. In them you can find credentials in clear text - passwords for access to the database or to related services. The same password can be used both for access to the database and for authorization of a user (credential stuffing).
It happens that the credentials found belong to services on other hosts. Developing an attack on the infrastructure through a compromised host is no worse than exploiting other hosts. Neighboring systems can also be found by looking for IP addresses in the file system.

grep -lRi "password" /home /var/www /var/log 2>/dev/null | sort -u  # find the string "password" (case-insensitive) in those directories
grep -a -R -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' /var/log/ 2>/dev/null | sort -u  # IPs inside logs (-E so the {1,3} intervals work, \. so the dots are literal)

If the host has a web application accessible from the Internet, it is better to exclude its logs from the search for IP addresses. The addresses of the site's Internet users are unlikely to be useful to us, but internal network addresses (172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8), and where they go, judging by the logs, may be of interest.
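An added example, not code from the original article: it pulls IPv4 addresses out of log lines like the grep above does, but rejects impossible octets (above 255) and keeps only the three private ranges listed above, counting how often each internal host appears. The log lines are constructed.

```python
# Added example, not from the original article: pull IPv4 addresses out of
# log lines like the grep above, but reject impossible octets (>255) and keep
# only the private ranges named above. The log lines are constructed.
import ipaddress
import re
from collections import Counter

IPV4_RE = re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b")
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.3.15 - - [10/Mar/2020:10:01:40 +0000] "POST /api/login HTTP/1.1" 302 0
192.168.1.50 - - [10/Mar/2020:10:02:03 +0000] "GET /admin HTTP/1.1" 403 128
2020-03-10T10:02:10Z app: connecting to db at 10.0.3.20:5432
2020-03-10T10:02:11Z app: build 300.400.500.600 loaded
10.0.3.15 - - [10/Mar/2020:10:03:00 +0000] "GET /admin HTTP/1.1" 200 2048
"""

def is_private(ip):
    """True for RFC 1918 addresses (the ranges the article lists)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def extract_ips(text):
    """Count every valid IPv4 address in text; malformed octets are dropped."""
    found = Counter()
    for m in IPV4_RE.finditer(text):
        try:
            ipaddress.ip_address(m.group(0))  # ValueError for e.g. 300.400.500.600
        except ValueError:
            continue
        found[m.group(0)] += 1
    return found

def internal_hosts(text):
    """(ip, hits) for private addresses, most frequent first."""
    return sorted(((ip, n) for ip, n in extract_ips(text).items() if is_private(ip)),
                  key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    for ip, n in internal_hosts(SAMPLE_LOG):
        print(f"{ip:<16} {n} hits")
```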

sudo

The sudo command gives a user the ability to execute a command in the context of root, using their own password or without a password at all. Many operations in Linux require root privileges, but running as root is considered very bad practice. Instead, it is better to grant selective permission to execute commands as root. However, many Linux utilities, including standard ones like vi, can be used to escalate privileges in legitimate ways. To find the right method, I recommend looking here.

The first thing you should do after gaining access to the system is run the sudo -l command. It shows the permission to use the sudo command. If a user without a password was obtained (such as apache or www-data), escalating privileges via sudo is unlikely. When using sudo, the system asks for a password. You cannot set a password with the passwd command either; it asks for the current user's password. But if sudo is still available, then you need to look for:

  • any interpreters, each of which can spawn a shell (PHP, Python, Perl);
  • any text editors (vim, vi, nano);
  • any viewers (less, more);
  • any ability to work with files (cp, mv);
  • tools that have a bash escape, either interactively or as a command to be executed (awk, find, nmap, tcpdump, man, vi, vim, ansible).
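An added example, not code from the original article: a small audit of `sudo -l` output that flags the rules a reviewer should tighten, using the binaries named in the bullets above and the NOPASSWD tag. The `sudo -l` output, the host name web01 and the user alice are constructed.

```python
# Added example, not from the original article: flag `sudo -l` rules that a
# reviewer should tighten, using the binaries the bullets above name.
# The sudo -l output below is constructed, not taken from a real host.
import re
SHELL_ESCAPE_BINS = {
    "php", "python", "python3", "perl", "vim", "vi", "nano", "less", "more",
    "cp", "mv", "awk", "find", "nmap", "tcpdump", "man", "ansible",
}
# (runas) TAG: TAG: command args   e.g. "(root) NOPASSWD: /usr/bin/vim"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass

User alice may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx
    (ALL : ALL) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/local/bin/backup.sh
"""

def parse_sudo_l(text):
    """Return (runas, tags, command) for every rule line after the 'may run' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            rules.append((m.group("runas").strip(), tags, m.group("cmd").strip()))
    return rules

def audit_sudo_l(text):
    """Return (command, reasons) for each rule worth a second look."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the executable
        reasons = []
        if binary in SHELL_ESCAPE_BINS:
            reasons.append(f"{binary} can spawn a shell or write files as {runas}")
        if "NOPASSWD" in tags:
            reasons.append("no password required")
        if reasons:
            findings.append((cmd, reasons))
    return findings
```

Run `audit_sudo_l(SAMPLE_SUDO_L)` to see the three flagged rules; the systemctl rule is not reported because it is neither a known shell-escape binary nor password-free.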

Suid/Sgid

There are many manuals on the Internet that advise collecting a list of all suid/sgid commands, but a rare article gives specifics on what to do with these programs. Privilege escalation options that do not involve the use of exploits can be found here. In addition, a number of executables have vulnerabilities specific to the OS version, for example.

In an ideal world, you would run all installed packages through searchsploit. In practice, this should be done for the most popular programs such as sudo. There is also always the option of using, and contributing to the development of, automated tools that highlight executables with the suid/sgid bits set that are interesting from a privilege escalation point of view. I will give a list of such tools in the corresponding section of the article.

Writable scripts run by Cron or Init in the root context

Cron jobs can run in the context of different users, including root. If a cron job is configured with a reference to an executable file, and that file is writable, it can easily be replaced with a malicious one and privileges escalated. At the same time, by default, the files containing cron jobs are readable by any user.

ls -la /etc/cron.d  # show cron jobs 

The situation is similar with init. The difference is that cron jobs are executed periodically, while init scripts run at system startup. Exploitation will require a reboot, and some services may not come back (if they are not registered for autostart).

ls -la /etc/init.d/  # show init scripts 

You can also search for files that are writable by any user.

find / -perm -2 -type f 2>/dev/null # find world writable files

The method is quite well known; experienced system administrators use the chmod command with care. However, most manuals on the Internet describe setting maximum permissions. The "just make it work" approach of inexperienced system administrators creates opportunities for privilege escalation in principle. If possible, it is worth looking in the command history for insecure uses of chmod.

chmod +w /path 
chmod 777 /path
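An added example, not code from the original article, that ties the cron and world-writable checks above together: it parses /etc/cron.d-style entries and reports the commands whose file a non-owner could rewrite. It generalises the page's world-writable test to group-writable files as well; the crontab text and the scripts it points to are constructed in a temporary directory.

```python
# Added example, not from the original article: check /etc/cron.d-style
# entries (minute hour dom month dow user command) for commands whose file
# is writable by someone other than its owner. The crontab and the scripts
# it references are constructed inside a temporary directory.
import os
import stat
import tempfile

def cron_command_path(line):
    """Return the command path from one crontab line, or None for non-job lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#") or "=" in fields[0]:
        return None                       # blank, comment, or VAR=value
    if fields[0].startswith("@"):         # "@daily user command"
        return fields[2] if len(fields) > 2 else None
    return fields[6] if len(fields) > 6 else None  # 5 time fields + user

def writable_by_others(path):
    """True if the group or world write bit is set on path."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_crontab(text):
    """Command paths in the crontab that a non-owner could rewrite."""
    return [cmd for cmd in map(cron_command_path, text.splitlines())
            if cmd and writable_by_others(cmd)]

def demo():
    """Constructed crontab: one properly protected script, one wide open."""
    d = tempfile.mkdtemp()
    safe, loose = os.path.join(d, "rotate.sh"), os.path.join(d, "backup.sh")
    for p in (safe, loose):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho job\n")
    os.chmod(safe, 0o755)   # rwxr-xr-x: only the owner can change it
    os.chmod(loose, 0o777)  # rwxrwxrwx: any user can replace the job body
    crontab = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"0 3 * * * root {safe} --weekly\n"
        f"*/5 * * * * root {loose}\n"
        f"@daily root {safe}\n"
    )
    return audit_crontab(crontab)

if __name__ == "__main__":
    print("writable by others:", demo())
```

On a real host, feed `audit_crontab` the contents of /etc/crontab and each file in /etc/cron.d; only the loose backup.sh is reported in the constructed case.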

Gaining access to other users

We look at the list of users in /etc/passwd and pay attention to those who have a shell. These users can be brute-forced - it is possible that through such a user it will eventually be possible to escalate privileges.

To improve security, I recommend always following the principle of least privilege. It also makes sense to spend time checking for insecure configurations that may remain after troubleshooting - this is the system administrator's "technical debt".

Self-written scripts

It is worth paying close attention to executable files in the user's home directory and in the web server directory (/var/www/, unless otherwise specified). These files may be a completely insecure solution and contain various crutches. Of course, if there is some kind of framework in the web server directory, it makes no sense to look for zero-days in it as part of a pentest, but it is recommended to find and study custom modifications, plugins and components.

To improve security, it is better, where possible, to avoid using credentials in self-written scripts, as well as potentially dangerous functionality, such as reading /etc/shadow or manipulating id_rsa.

Privilege escalation through exploitation of vulnerabilities

Before trying to escalate privileges through exploitation, it is important to understand how to transfer files to the target host. In addition to the usual tools such as ssh, ftp and http (wget, curl), there is a whole "zoo" of options.

To improve system security, update it regularly to the latest stable versions, and also try to use distributions intended for Enterprise use. Otherwise, it is rare, but there are situations when an apt upgrade leaves the system inoperable.

Exploiting services running as root

Some Linux services run as root. They can be found with the command ps aux | grep root. In this case, the service may not be announced on the Internet and may only be accessible locally. If it has public exploits, they can be used fairly safely: a crash of the service in case of failure is much less critical than a crash of the OS.

ps -aux | grep root # Linux

The most successful case can be considered exploitation of a compromised service running as root. Exploiting the SMB service gives access to SYSTEM on Windows machines (for example, via ms17-010). However, this is not common on Linux machines, so you can spend a lot of time escalating privileges.

Exploiting Linux kernel vulnerabilities

This is the path you should take last. Unsuccessful exploitation can lead to a system crash, and in the event of a reboot some services (including the one through which the initial shell was obtained) may not come back. It happens that the administrator simply forgot to use the systemctl enable command. In addition, it will cause great dissatisfaction with your work if the exploitation was not agreed upon.
If you decide to use source code from exploitdb, be sure to read the comments at the beginning of the script. Among other things, they say how to compile the given exploit correctly. If you are too lazy, or need it done "yesterday" because of deadlines, you can look for repositories with already compiled exploits, for example. However, you should understand that in this case you get a pig in a poke. On the other hand, if a programmer fully understood how a computer and the software it runs work, he would not write a single line of code in his life.

cat /proc/version
uname -a
searchsploit "Linux Kernel" 

Metasploit

To intercept and handle connections, it is always convenient to use the exploit/multi/handler module. The main thing is to set the right payload, for example generic/shell/reverse_tcp or generic/shell/bind_tcp. A shell obtained in Metasploit can be upgraded to Meterpreter using the post/multi/manage/shell_to_meterpreter module. With Meterpreter you can automate the exploitation process. For example, the post/multi/recon/local_exploit_suggester module checks the platform, the architecture and the entities required for exploitation, and suggests Metasploit modules for escalating privileges on the target system. Thanks to Meterpreter, privilege escalation sometimes comes down to launching the right module, but hacking without understanding what is happening under the hood is not "true" (you still have to write a report).

Tools

Automated tools for collecting local information save you a lot of effort and time, but by themselves they cannot fully identify the privilege escalation path, especially when it comes to exploiting kernel vulnerabilities. Automated tools execute all the necessary commands to collect information about the system, but it is also important to be able to analyze the data obtained. I hope my article will be useful to you in this regard. Of course, there are many more tools than I list below, but they all do about the same thing - it is a matter of taste.

Linpeas

A fairly fresh tool; the first commit dates from January 2019. At the moment it is my favorite tool. The point is that it highlights the most interesting privilege escalation vectors. Agree, it is easier to get an expert assessment at this level than to analyze monolithic raw data.

LinEnum

My second favorite tool; it also collects and organizes the data obtained as a result of local enumeration.

Linux-exploit-suggester (1,2)

This utility checks the system for applicable exploits. In fact, it does the same job as the Metasploit local_exploit_suggester module, but offers links to exploit-db source code instead of Metasploit modules.

Linuxprivchecker

This script collects and organizes into sections a lot of information that may be useful in building a privilege escalation vector.

Next time I will take a closer look at privilege escalation in Linux OS via suid/sgid.

Source: www.habr.com