I am root. Understanding Linux OS Privilege Escalation

I spent the first quarter of 2020 preparing for the OSCP exam. Searching Google for information and a great many "blind" attempts took up all my free time. Understanding the mechanisms of privilege escalation turned out to be especially hard. The PWK course pays a lot of attention to this topic, but the teaching materials are never enough. There are plenty of manuals on the Internet with useful commands, but I am not a fan of blindly following recommendations without understanding where they lead.

I want to share with you what I learned while preparing for and successfully passing the exam (including periodic forays into Hack The Box). I felt deep gratitude for every bit of information that helped me walk the Try Harder path more consciously, and now it is my turn to give back to the community.

I want to give you a guide to escalating privileges in Linux OS. It includes an overview of the most common vectors and the related features that you will definitely find useful. The privilege escalation mechanisms themselves are often quite simple; the difficulties arise in structuring and analyzing the information. So I decided to start with a "sightseeing tour" and then look at each vector in a separate article. I hope I will save you some time researching the topic.

So why is privilege escalation still possible in 2020 if the methods have been known for so long? In fact, if the user handles the system correctly, it really will not be possible to escalate privileges on it. The main global problem that creates such opportunities is insecure configuration. The presence of outdated software versions with vulnerabilities in the system is also a special case of insecure configuration.

Privilege escalation through insecure configuration

First, let's look at insecure configuration. Let's start with the fact that IT professionals often use manuals and resources such as stackoverflow, many of which contain insecure commands and configurations. A striking example is the news that the most copied code from stackoverflow contained an error. An experienced admin will spot the mistake, but that is in an ideal world. Even competent specialists can make mistakes under an increased workload. Imagine that an administrator is preparing and agreeing documentation for the next tender, at the same time digging into a new technology that will be introduced next quarter, while periodically solving user support problems. Then he is given the task of quickly setting up several virtual machines and rolling out services on them. What do you think is the probability that the admin simply does not notice the mistake? Then the specialists change, but the workarounds remain, while companies always try to minimize costs, including the cost of IT staff.

Pseudo-shell and jailbreak

The system shell obtained at the exploitation stage is often restricted, especially if you got it by compromising a web server user. For example, shell restrictions can prevent you from running the sudo command, producing the error:

sudo: no tty present and no askpass program specified

Once you have a shell, I recommend creating a full-fledged terminal, for example using Python.

python -c 'import pty;pty.spawn("/bin/bash")'

You may ask: "Why do I need a thousand commands if I can use just one, for example, to transfer files?" The fact is that systems are configured differently; a given host may not have Python installed but may have Perl. The skill lies in being able to do familiar things on a system without the familiar tools. A full list of options can be found here.

A low-privilege shell can be obtained using commands 1 and commands 2 (surprisingly, even GIMP).

View command history

Linux collects the history of all executed commands in the file ~/.bash_history. If the server is actively used and its history is not cleared, there is a good chance of finding credentials in this file. Clearing the history is simply inconvenient. If an administrator regularly has to pick out ten-storey commands, it is of course more convenient for him to recall a command from the history than to enter it again. Besides, many people do not know about this "hack". If there are alternative shells such as Zsh or Fish on the system, they keep their own history. To display the command history in any shell, just type the history command.

cat ~/.bash_history
cat ~/.mysql_history
cat ~/.nano_history
cat ~/.php_history
cat ~/.atftp_history

There is also shared hosting, where one server is used to host several websites. Usually, with this configuration, each resource has its own user with a separate home directory and a virtual host. So, if it is configured incorrectly, you can find the .bash_history file in the root directory of the web resource.

Searching for passwords in the file system and attacks on adjacent systems

Configuration files of various services may be readable by your current user. In them you can find credentials in clear text: passwords for accessing a database or related services. The same password may be used both to access the database and to log in as the root user (credential stuffing).
It also happens that the credentials found belong to services on other hosts. Developing an attack on the infrastructure through a compromised host is no worse than exploiting other hosts. Adjacent systems can also be found by searching for IP addresses in the file system.

grep -lRi "password" /home /var/www /var/log 2>/dev/null | sort | uniq # Files containing the string "password" (case-insensitive) in those directories
grep -a -R -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' /var/log/ 2>/dev/null | sort -u # IPs inside logs (-E is required for the {1,3} intervals)

If the compromised host has a web application that is accessible from the Internet, it is better to exclude its logs from the search for IP addresses. The addresses of users who reach the resource from the Internet are unlikely to be useful to us, but the addresses of the internal network (172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8), and where they go, judging by the logs, may be of interest.
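The filter described above, as an added example that is not part of the original article: it keeps only valid addresses from the three internal ranges and counts how often each appears. The function names and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: reduce log text to the internal (RFC 1918) addresses it mentions.

# Constructed sample log lines (hosts, users and addresses are made up).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Mar/2020:12:01:07 +0000] "GET /login HTTP/1.1" 200 512
Mar 10 12:01:09 web01 sshd[311]: Accepted password for deploy from 10.0.5.12 port 50122
Mar 10 12:02:00 web01 app: connecting to db at 172.20.1.4:5432
Mar 10 12:03:00 web01 app: connecting to db at 172.20.1.4:5432
Mar 10 12:04:00 web01 app: upstream 172.32.0.1 timed out
Mar 10 12:05:00 web01 app: backup pushed to 192.168.7.20, peer 192.168.1.300 ignored
EOF
}

# internal_ips: reads log text on stdin, prints "<count> <address>" per internal address
internal_ips() {
    grep -a -o -E '([0-9]{1,3}\.){3}[0-9]{1,3}' |
    awk -F. '
        $1 > 255 || $2 > 255 || $3 > 255 || $4 > 255 { next }   # not a valid IPv4 address
        $1 == 10 ||
        ($1 == 172 && $2 >= 16 && $2 <= 31) ||
        ($1 == 192 && $2 == 168) { seen[$0]++ }                 # 10/8, 172.16/12, 192.168/16
        END { for (ip in seen) print seen[ip], ip }' |
    LC_ALL=C sort -k2,2
}

sample_log | internal_ips
```

The public client address, the 172.32.0.1 address just outside 172.16.0.0/12 and the malformed 192.168.1.300 are all dropped.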

Sudo

The sudo command lets a user run a command in the context of root using their own password, or without a password at all. Many operations in Linux require root privileges, but working as root is considered very bad practice. Instead, it is better to grant selective permission to run commands in the context of root. However, many Linux tools, including standard ones such as vi, can be used to escalate privileges in perfectly legitimate ways. To find a suitable method, I recommend looking here.

The first thing to do once you have access to a system is to run the sudo -l command. It shows the permissions for using the sudo command. If you have obtained a user without a password (such as apache or www-data), a privilege escalation vector through sudo is unlikely: when sudo is used, the system asks for a password. You will not be able to set a password with the passwd command either; it asks for the user's current password. But if sudo is still available, then in essence you need to look for:

  • any interpreters, anything that can spawn a shell (PHP, Python, Perl);
  • any text editors (vim, vi, nano);
  • any viewers (less, more);
  • anything that can work with the file system (cp, mv);
  • tools that give access to bash, either interactively or as an executed command (awk, find, nmap, tcpdump, man, vi, vim, ansible).
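For reviewing what a sudo policy actually grants, the checklist above can be applied mechanically to `sudo -l` output. This is an added example, not code from the original article; the function names, category labels and sample output are constructed, and `python3` is added as an assumed binary name for Python.

```shell
#!/bin/sh
# Added example: flag `sudo -l` rules that match the categories in the list above.

# Constructed sample of `sudo -l` output (user, host and rules are made up).
sample_sudo_l() {
    cat <<'EOF'
User deploy may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/vim /etc/nginx/nginx.conf, /usr/bin/less
    (root) /usr/bin/systemctl restart nginx
    (root) /usr/bin/find /var/www -name *.bak
    (ALL : ALL) ALL
EOF
}

# flag_sudo_entries: reads `sudo -l` text on stdin and prints
# "<NOPASSWD|PASSWD> <category> <command path>" for every rule worth reviewing
flag_sudo_entries() {
    awk '
    function add(list, label,    a, n, i) {
        n = split(list, a, " ")
        for (i = 1; i <= n; i++) cat[a[i]] = label
    }
    BEGIN {
        add("php python python3 perl", "interpreter")
        add("vim vi nano", "editor")
        add("less more", "pager")
        add("cp mv", "file-ops")
        add("awk find nmap tcpdump man ansible", "shell-escape")
    }
    /^[ \t]*\(/ {                                      # rule lines start with "(runas)"
        line = $0
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", line)        # drop the "(runas)" part
        nopw = (line ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
        gsub(/[A-Z_]+:[ \t]*/, "", line)               # drop tags such as NOPASSWD:
        n = split(line, cmds, /,[ \t]*/)
        for (k = 1; k <= n; k++) {
            split(cmds[k], w, " "); path = w[1]
            m = split(path, parts, "/"); base = parts[m]
            if (path == "ALL") print nopw, "any-command", path
            else if (base in cat) print nopw, cat[base], path
        }
    }'
}

sample_sudo_l | flag_sudo_entries
```

On a live system the input would be `sudo -l | flag_sudo_entries`; every flagged rule is a candidate for removal or for a narrower command specification.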

Suid/Sgid

There are many manuals on the Internet that advise collecting all suid/sgid commands, but it is a rare article that says specifically what to do with these programs. Privilege escalation options that do not rely on exploits can be found here. In addition, a number of executables have specific vulnerabilities for a given OS version, for example.

In an ideal world, you would run every installed package through at least searchsploit. In practice, this should be done with the most popular programs, such as sudo. There is also always the option of using, and supporting the development of, automated tools that highlight the executables with suid/sgid bits set that are interesting from a privilege escalation point of view. I will give a list of such tools in the corresponding section of the article.

Writable scripts run by Cron or Init in the context of Root

Cron jobs can run in the context of different users, including root. If a cron job is set up with a reference to an executable file, and that file is writable by you, it can easily be replaced with a malicious one and privileges escalated. At the same time, by default, the files containing cron jobs are readable by any user.

ls -la /etc/cron.d  # show cron jobs 

The situation is similar with init. The difference is that jobs in cron run periodically, while those in init run at system startup. Exploitation requires a system reboot, and some services may not come up (if they were not registered for autostart).

ls -la /etc/init.d/  # show init scripts 

You can also search for files that are writable by any user.

find / -perm -2 -type f 2>/dev/null # find world writable files

The method is quite well known; experienced system administrators use the chmod command carefully. However, the vast majority of manuals on the Internet describe setting maximum rights. The "just make it work" approach of inexperienced system administrators is what creates opportunities for privilege escalation in the first place. If possible, it is worth looking in the command history for unsafe uses of chmod.

chmod +w /path 
chmod 777 /path
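The cron check described in this section can be automated for an audit. This is an added example, not code from the original article; the function names are constructed, and it assumes the /etc/cron.d line format (five time fields or an @keyword, then user, then command).

```shell
#!/bin/sh
# Added example: audit cron.d-style files for root jobs whose target script,
# or the directory holding it, is writable by group or others.

# is_loosely_writable PATH -> true if PATH has the group or other write bit set
# (-L follows symlinks so the link target's mode is tested, not the link's)
is_loosely_writable() {
    [ -n "$(find -L "$1" -prune \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]
}

# audit_cron_targets DIR -> prints "<cron file>: <path> (<reason>)" per finding
audit_cron_targets() {
    for cronfile in "$1"/*; do
        [ -f "$cronfile" ] || continue
        # skip comments, blank lines and VAR=value lines; print the command of root jobs
        awk '/^[ \t]*(#|$)/ || $1 ~ /=/ { next }
             $1 ~ /^@/ { if ($2 == "root") print $3; next }
             $6 == "root" { print $7 }' "$cronfile" |
        while read -r target; do
            case $target in /*) ;; *) continue ;; esac    # absolute paths only
            [ -e "$target" ] || continue
            if is_loosely_writable "$target"; then
                printf '%s: %s (file writable)\n' "$cronfile" "$target"
            elif is_loosely_writable "$(dirname "$target")"; then
                printf '%s: %s (directory writable)\n' "$cronfile" "$target"
            fi
        done
    done
}

# Run against the live system when the directory exists.
if [ -d /etc/cron.d ]; then audit_cron_targets /etc/cron.d; fi
```

A writable parent directory is reported as well, because it allows the script to be replaced even when the file itself has tight permissions.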

Gaining shell access as other users

We look at the list of users in /etc/passwd and pay attention to those who have a shell. You can brute-force these users; it is possible that, through the resulting user, you will eventually be able to escalate privileges.

To improve security, I recommend always adhering to the principle of least privilege. It also makes sense to spend time checking for insecure configurations that may have been left behind after troubleshooting; this is the "technical duty" of the system administrator.

Self-written code

It is worth taking a close look at the executable files in the home directory of the user and of the web server (/var/www/, unless otherwise specified). These files may turn out to be a completely insecure solution and contain incredible workarounds. Of course, if you have some framework in the web server directory, it makes no sense to look for a zero-day in it as part of a pentest, but it is recommended to find and study custom modifications, plugins and components.

To increase security, it is better, where possible, to avoid using credentials in self-written scripts, as well as potentially dangerous functionality such as reading /etc/shadow or manipulating id_rsa.

Privilege escalation through exploitation of vulnerabilities

Before trying to escalate privileges through exploitation, it is important to understand how to transfer files to the target host. In addition to the usual tools such as ssh, ftp, http (wget, curl), there is a whole "zoo" of possibilities.

To improve the security of the system, update it regularly to the latest stable versions, and also try to use distributions designed for Enterprise. Otherwise, rarely, but there are situations where apt upgrade makes the system inoperable.

Exploiting services running in the context of the root user

Some Linux services run as root. They can be found with the command ps aux | grep root. In this case, the service may not be announced on the Internet and may be available only locally. If it has public exploits, they can be used safely: a service crash in case of failure is far less critical than an OS crash.

ps aux | grep root # Linux

The most successful case can be considered the operation of a compromised service in the context of the root user. Exploiting the SMB service gives privileged SYSTEM access on Windows systems (for example, via ms17-010). However, this is not common on Linux systems, so you can spend a lot of time on privilege escalation.

Exploiting Linux Kernel Vulnerabilities

This is the path to take last. Unsuccessful exploitation can lead to a system crash, and in the event of a reboot, some services (including those through which the original shell was obtained) may not come up. It happens that the administrator simply forgot to use the systemctl enable command. On top of that, it will cause a lot of dissatisfaction with your work if the exploitation was not agreed upon.
If you decide to use source code from exploitdb, be sure to read the comments at the beginning of the script. Among other things, they usually say how to compile the given exploit correctly. If you are too lazy, or needed it "yesterday" because of deadlines, you can look for repositories with already compiled exploits, for example. However, you should understand that in this case you are getting a pig in a poke. On the other hand, if a programmer understood down to the byte how a computer works and the software it uses, he would not write a single line of code in his whole life.

cat /proc/version
uname -a
searchsploit "Linux Kernel" 

Metasploit

To catch and handle a connection, it is always better to use the exploit/multi/handler module. The main thing is to set the correct payload, for example generic/shell/reverse_tcp or generic/shell/bind_tcp. A shell obtained in Metasploit can be upgraded to Meterpreter using the post/multi/manage/shell_to_meterpreter module. With Meterpreter, you can automate the post-exploitation process. For example, the post/multi/recon/local_exploit_suggester module checks the platform, architecture and entities required for exploitation and suggests Metasploit modules for privilege escalation on the target system. Thanks to Meterpreter, privilege escalation sometimes comes down to running the right module, but hacking without understanding what is happening under the hood is not "true" (you still have to write a report).

Tools

Tools that automate local information gathering will save you a lot of effort and time, but on their own they cannot fully identify a privilege escalation path, especially when it comes to exploiting kernel vulnerabilities. Automation tools will run all the commands needed to collect information about the system for you, but it is just as important to be able to analyze the data you receive. I hope my article will be useful to you in this. Of course, there are many more tools than I list below, but they all do roughly the same thing; it is a matter of taste.

Linpeas

A fairly recent tool; the first commit dates back to January 2019. It is my favorite tool at the moment. The point is that it highlights the most interesting privilege escalation vectors. You must agree, it is more convenient to get an expert assessment at this level than to parse monolithic raw data.

LinEnum

My second favorite tool; it also collects and organizes the data obtained as a result of local enumeration.

Linux-exploit-suggester (1,2)

This tool analyzes the system for conditions suitable for exploits. In fact, it does the same job as the Metasploit module local_exploit_suggester, but offers links to exploit-db source code rather than Metasploit modules.

Linuxprivchecker

This script collects and organizes into sections a large amount of information that can be useful for building a privilege escalation vector.

Another time I will go into detail on privilege escalation in Linux OS via suid/sgid.

Source: www.habr.com
