I-ProHoster > Блог > Ukuphatha > Mina ngiyimpande. Ukuqonda i-Linux OS Privilege Escalation

Mina ngiyimpande. Ukuqonda i-Linux OS Privilege Escalation

Ngichithe ikota yokuqala ka-2020 ngilungiselela ukuhlolwa kwe-OSCP. Ukusesha ulwazi ku-Google kanye nemizamo eminingi “eyimpumputhe” kuthathe sonke isikhathi sami samahhala. Kwakunzima kakhulu ukuqonda izindlela zokwandisa amalungelo. Isifundo se-PWK sinaka kakhulu lesi sihloko, kodwa izinto zokufundisa azanele. Kunamabhukwana amaningi ku-inthanethi anemiyalo ewusizo, kodwa angiyena umlandeli wokulandela izincomo ngokunganaki ngaphandle kokuqonda ukuthi kuzoholela ini.

Ngithanda ukwabelana nawe ngalokho engikufundile ngesikhathi ngilungiselela nokuphasa ngempumelelo ukuhlolwa (okuhlanganisa nokungena ngezikhathi ezithile ku-Hack The Box). Ngezwa umuzwa onamandla wokubonga ngalo lonke ulwazi olungisizile ukuba ngihambe indlela ye-Zama Harder ngokucophelela, manje isikhathi sami sokubuyisela emphakathini.

Ngifuna ukukunikeza imanuwali yokuthi ungakhuphula kanjani amalungelo ku-OS Linux, okuhlanganisa nokuhlaziywa kwama-vector ajwayelekile nezici ezihlobene ezizoba wusizo kuwena. Imvamisa izindlela zokukhuphula amalungelo ngokwazo zilula kakhulu; kuvela ubunzima lapho kuhlelwa futhi kuhlaziywa ulwazi. Ngakho-ke, nginqume ukuqala “ngohambo lokubona indawo” bese ngicabangela i-vector ngayinye esihlokweni esihlukile. Ngithemba ukuthi ngizokusindisa isikhathi ucwaninga isihloko.

Mina ngiyimpande. Ukuqonda i-Linux OS Privilege Escalation

Manje kungani ukwanda kwelungelo kungenzeka ngo-2020 uma izindlela zaziwa isikhathi eside kakhulu? Eqinisweni, uma umsebenzisi ephatha uhlelo ngendlela efanele, ngeke kwenzeke ngempela ukwandisa amalungelo kulo. Inkinga enkulu yomhlaba wonke eyenza amathuba anjena ukucushwa okungavikelekile. Ukuba khona kwezinguqulo zesofthiwe eziphelelwe yisikhathi eziqukethe ubungozi kusistimu nakho kuyisimo esikhethekile sokucushwa okungaphephile.

Ukwenyuka kwelungelo ngokucushwa okungavikelekile

Okokuqala, ake sibhekane nokucushwa okungavikelekile. Ake siqale Ochwepheshe be-IT bavame ukusebenzisa imanyuwali nezinsiza ezifana ne-stackoverflow, eminingi yayo equkethe imiyalo nezilungiselelo ezingaphephile. Isibonelo esimangalisayo - izindaba ukuthi ikhodi ekopishwe kakhulu ku-stackoverflow iqukethe iphutha. Umlawuli onesipiliyoni uzobona i-jamb, kodwa lokhu kusemhlabeni okahle. Ngisho nongoti abanekhono ukwanda komsebenzi ekwazi ukwenza amaphutha. Cabanga ukuthi umlawuli ulungisa futhi uxhumanisa imibhalo yethenda elandelayo, ngesikhathi esifanayo ecubungula ubuchwepheshe obusha obuzosetshenziswa kwikota elandelayo, kuyilapho exazulula izinkinga zokusekelwa kwabasebenzisi ngezikhathi ezithile. Bese enikezwa umsebenzi wokumisa ngokushesha imishini embalwa ebonakalayo futhi akhiphe izinsizakalo kuyo. Ucabanga ukuthi yimaphi amathuba okuthi umlawuli angayiboni inkinga? Bese ochwepheshe bayashintsha, kodwa izinduku zihlala, kuyilapho izinkampani zihlala zilwela ukunciphisa izindleko, okuhlanganisa nabasebenzi bakwa-IT.

Igobolondo le-pseudo kanye ne-jailbreak

Igobolondo lesistimu elitholwe ngesikhathi sokuxhashazwa ngokuvamile lilinganiselwe, ikakhulukazi uma ulithole ngokugebenga umsebenzisi weseva yewebhu. Isibonelo, imikhawulo yegobolondo ingakuvimbela ekusebenziseni umyalo we-sudo, ikhiqize iphutha:

sudo: no tty present and no askpass program specified

Uma usunegobolondo, ngincoma ukuthi udale i-terminal egcwele ngokugcwele, isibonelo usebenzisa i-Python.

python -c 'import pty;pty.spawn("/bin/bash")'

Ungase ubuze: “Kungani ngidinga imiyalo eyinkulungwane uma ngingasebenzisa owodwa, ngokwesibonelo, ukudlulisa amafayela?” Iqiniso liwukuthi amasistimu ahlelwa ngendlela ehlukile; umsingathi onikeziwe angase angabi nayo iPython efakiwe, kodwa angase abe ne-Perl. Ikhono liwukukwazi ukwenza izinto ezijwayelekile ohlelweni ngaphandle kwamathuluzi ajwayelekile. Uhlu oluphelele lwezici lungatholakala lapha.

Igobolondo elinelungelo eliphansi lingatholakala ngokusebenzisa amaqembu 1 и amaqembu 2 (ngokumangazayo, ngisho ne-GIMP).

Buka umlando womyalo

I-Linux iqoqa umlando wayo yonke imiyalo ekhishiwe efayeleni ~ / .bash_history. Uma iseva isetshenziswa ngokuqhubekayo futhi umlando wayo ungasulwa, maningi amathuba okuthi uthole izifakazelo kuleli fayela. Ukususa umlando akulula. Uma umlawuli ephoqeleka ukuthi akhethe imiyalo yezindaba eziyishumi ngokusebenzisa , kunjalo, kuzoba lula kakhulu kuye ukuthi ashayele lo myalo kusuka emlandweni kunokuwufaka futhi. Futhi, abantu abaningi abazi ngalokhu "kugebenga". Uma kukhona amanye amagobolondo afana ne-Zsh noma i-Fish ohlelweni, anomlando wawo. Ukuze ubonise umlando wemiyalo kunoma yiliphi igobolondo, vele uthayiphe umlando womyalo. 

cat ~/.bash_history
cat ~/.mysql_history
cat ~/.nano_history
cat ~/.php_history
cat ~/.atftp_history

Kukhona ukusingathwa okwabiwe, lapho iseva isetshenziselwa ukusingatha amawebhusayithi amaningana. Ngokuvamile, ngalokhu kumisa, insiza ngayinye inomsebenzisi wayo onohla lwemibhalo lwasekhaya oluhlukile kanye nomsingathi obonakalayo. Ngakho-ke, uma ilungiselelwe ngokungalungile, ungathola ifayela elithi .bash_history kumkhombandlela wezimpande wensiza yewebhu.

Isesha amagama ayimfihlo ohlelweni lwamafayela kanye nokuhlaselwa kwamasistimu aseduze

Amafayela okumisa amasevisi ahlukahlukene angase afundeke umsebenzisi wakho wamanje. Kuzo ungathola imininingwane embhalweni ocacile - amaphasiwedi okufinyelela kusizindalwazi noma amasevisi ahlobene. Iphasiwedi efanayo ingasetshenziswa kokubili ukufinyelela kusizindalwazi kanye nokugunyaza umsebenzisi wezimpande (umsebenzi wokuqinisekisa).
Kuyenzeka ukuthi izifakazelo ezitholakele zingezezinsizakalo zabanye abasingathi. Ukuthuthukisa ukuhlaselwa kwengqalasizinda ngokusebenzisa umsingathi osengozini akukubi njengokuxhaphaza abanye ababungazi. Amasistimu aseduze nawo angatholwa ngokubheka amakheli e-IP ohlelweni lwefayela. 

grep -lRi "password" /home /var/www /var/log 2>/dev/null | sort | uniq #Find string password (no cs) in those directories
grep -a -R -o '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' /var/log/ 2>/dev/null | sort -u | uniq #IPs inside logs

Uma umsingathi osengozini enohlelo lwewebhu olufinyeleleka ku-inthanethi, kungcono ukungafaki amalogi akhe ekusesheni amakheli e-IP. Amakheli abasebenzisi bezinsiza avela ku-inthanethi cishe ngeke abe wusizo kithi, kodwa amakheli enethiwekhi yangaphakathi (172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8) nalapho aya khona, ukwahlulela ngamalogi. , kungase kube nesithakazelo.

Sudo

Umyalo we-sudo unikeza umsebenzisi amandla okukhipha umyalo kumongo wempande esebenzisa iphasiwedi yakhe noma ngaphandle kokusebenzisa igama-mfihlo nhlobo. Imisebenzi eminingi ku-Linux idinga amalungelo ezimpande, kodwa ukusebenza njengempande kuthathwa njengomkhuba omubi kakhulu. Kunalokho, kungcono ukusebenzisa imvume ekhethiwe ukuze wenze imiyalo kumsuka wokuqukethwe. Kodwa-ke, amathuluzi amaningi e-Linux, okuhlanganisa ajwayelekile afana ne-vi, angasetshenziswa ukukhulisa amalungelo ngezindlela ezisemthethweni. Ukuze uthole indlela efanelekile, ngincoma ukubheka lapha.

Into yokuqala okudingeka uyenze lapho uthola ukufinyelela ohlelweni ukusebenzisa umyalo we-sudo -l. Izobonisa imvume yokusebenzisa umyalo we-sudo. Uma umsebenzisi ongenalo igama-mfihlo etholwa (njenge-apache noma www-data), ilungelo lokukhuphuka ivektha nge-sudo mancane amathuba okuba. Uma usebenzisa i-sudo, uhlelo luzocela iphasiwedi. Ngeke ukwazi ukusetha iphasiwedi usebenzisa umyalo we-passwd futhi; izocela iphasiwedi yamanje yomsebenzisi. Kepha uma i-sudo isatholakala, empeleni udinga ukubheka:

  • noma yibaphi otolika, noma ubani angaveza igobolondo (PHP, Python, Perl);
  • noma yibaphi abahleli bombhalo (vim, vi, nano);
  • noma yiziphi izibukeli (ezincane, ngaphezulu);
  • noma yiliphi ikhono lokusebenza nohlelo lwefayela (cp, mv);
  • Amathuluzi anomphumela ku-bash, interactive noma njengomyalo osebenzisekayo (awk, thola, nmap, tcpdump, man, vi, vim, ansible).

I-Suid/Sgid

Kunamanyuwali amaningi ku-inthanethi aluleka ngokuqoqa yonke imiyalo ye-suid/sgid, kodwa i-athikili eyivelakancane inikeza imininingwane yokuthi yini okufanele yenziwe ngalezi zinhlelo. Izinketho zamalungelo akhulayo ezinganaki ukusetshenziswa kwezenzo zingatholakala lapha. Futhi, inani lamafayela asebenzisekayo anobungozi obuthile benguqulo ye-OS, isibonelo.

Emhlabeni okahle, ungasebenzisa wonke amaphakheji afakiwe okungenani nge-searchsploit. Empeleni, lokhu kufanele kwenziwe ngezinhlelo ezidume kakhulu njenge-sudo. Kukhona futhi inketho yokusebenzisa nokusekela ukuthuthukiswa kwamathuluzi azenzakalelayo azogqamisa okuthakazelisayo, ngokombono wokukhuphuka kwamalungelo, amafayela asebenzisekayo anesethi yamabhithi e-suid/sgid. Ngizohlinzeka ngohlu lwamathuluzi anjalo esigabeni esihambisanayo se-athikili.

Imibhalo ebhalekayo eqhutshwa yi-Cron noma i-Init kumongo we-Root

Imisebenzi ye-Cron ingaqhutshwa ngaphansi kwezimo ezihlukene zabasebenzisi, okuhlanganisa impande. Uma umsebenzi we-cron usethiwe ngesixhumanisi sefayela elisebenzisekayo, futhi utholakala ukuthi ubhale, ungashintshwa kalula ngomunye onobungozi kanye nokwenyuka kwelungelo. Nokho, ngokuzenzakalelayo, amafayela anemisebenzi ye-cron afundeka inoma yimuphi umsebenzisi.

ls -la /etc/cron.d  # show cron jobs

Isimo siyefana nange-init. Umehluko ukuthi imisebenzi ku-cron yenziwa ngezikhathi ezithile, futhi ku-init - ekuqaleni kwesistimu. Ukusebenza kuzodinga ukuqaliswa kabusha kwesistimu, futhi ezinye izinsizakalo zingase zingaqali (uma bezingakabhaliswa ekuqaleni).

ls -la /etc/init.d/  # show init scripts

Ungakwazi futhi ukucinga amafayela abhalwe yinoma yimuphi umsebenzisi.

find / -perm -2 -type f 2>/dev/null # find world writable files

Indlela yaziwa kahle; abaphathi besistimu abanolwazi basebenzisa ngokucophelela umyalo we-chmod. Nokho, ku-inthanethi, iningi lamabhukwana lichaza ukusetha amalungelo aphezulu. Indlela "yenza isebenze" yabaphathi besistimu abangenalwazi idala amathuba okukhula kwamalungelo ngokomgomo. Uma kungenzeka, kungcono ukubheka emlandweni womyalo wokusetshenziswa okungaphephile kwe-chmod. 

chmod +w /path 
chmod 777 /path

Ukuthola ukufinyelela kwegobolondo kwabanye abasebenzisi

Sibheka uhlu lwabasebenzisi ku-/etc/passwd. Sinaka abanegobolondo. Ungabaphatha ngesihluku laba basebenzisi - kungenzeka ukuthi ngokusebenzisa umsebenzisi ovelayo ekugcineni kuzokwazi ukwandisa amalungelo.

Ukuze uthuthukise ukuphepha, ngincoma ukuthi uhlale unamathela kumgomo wokungabi namalungelo amancane. Kunengqondo futhi ukuchitha isikhathi uhlola izilungiselelo ezingaphephile ezingase zisale ngemva kokuxazulula inkinga - lona “umsebenzi wobuchwepheshe” womlawuli wesistimu.

Ikhodi ezibhalile

Kuyafaneleka ukubhekisisa amafayela asebenzisekayo kumkhombandlela wasekhaya womsebenzisi neseva yewebhu (/var/www/, ngaphandle uma kuchazwe ngenye indlela). Lawa mafayela angase abe yisixazululo esingaphephile ngokuphelele futhi aqukathe izinduku ezinhle kakhulu. Yiqiniso, uma unolunye uhlobo lohlaka ohlwini lwemibhalo yeseva yewebhu, akwenzi mqondo ukubheka usuku lweziro kuyo njengengxenye yepentest, kodwa kuyanconywa ukuthola nokufunda ukuguqulwa kwangokwezifiso, ama-plugin kanye nezingxenye.

Ukuze kwandiswe ukuvikeleka, kungcono, uma kungenzeka, ukugwema ukusebenzisa izifakazelo emibhalweni ezibhalela yona, kanye nokusebenza okungaba yingozi, njengokufunda /etc/shadow noma ukukhohlisa id_rsa.

Ukuphakama kwamalungelo ngokusebenzisa ukuxhashazwa kobuthakathaka

Ngaphambi kokuzama ukukhulisa amalungelo ngokusebenzisa ukuxhashazwa, kubalulekile ukuqonda ukudlulisa amafayela kubasingathi okuqondiwe. Ngaphezu kwamathuluzi ajwayelekile afana ne-ssh, ftp, http (wget, curl) kukhona okuphelele "zoo" yamathuba.

Ukuze uthuthukise ukuvikeleka kwesistimu, ibuyekeze njalo iye kokwakamuva ezinzile izinguqulo, futhi uzame ukusebenzisa ukusabalalisa okuklanyelwe i-Enterprise. Uma kungenjalo, akuvamile kodwa kunezimo lapho ukuthuthukiswa okufanelekile kwenza uhlelo lungasebenzi.

Ukuxhaphaza amasevisi asebenza ngaphansi komongo womsebenzisi wempande

Ezinye izinsiza ze-Linux zisebenza njengempande. Angatholakala kusetshenziswa umyalo ps aux | grep impande. Kulokhu, isevisi ingase ingakhangiswa ku-inthanethi futhi itholakale endaweni. Uma inokuxhashazwa komphakathi, ingasetshenziswa ngokuphepha: ukuphahlazeka kwesevisi uma kwenzeka ukwehluleka kubaluleke kakhulu kunokuphahlazeka kwe-OS.

ps -aux | grep root # Linux

Icala eliphumelele kakhulu lingabhekwa njengokusebenza kwesevisi entshontshiwe kumongo womsebenzisi wempande. Ukusebenza kwesevisi ye-SMB kunikeza ukufinyelela kwe-SYSTEM okukhethekile ezinhlelweni ze-Windows (isibonelo, nge-ms17-010). Kodwa-ke, lokhu akuvamile ezinhlelweni ze-Linux, ngakho-ke ungasebenzisa isikhathi esiningi ukwandisa amalungelo.

Ukuxhaphaza Ubungozi be-Linux Kernel

Lena indlela okufanele uyithathe ekugcineni. Ukusebenza okungaphumeleli kungaholela ekuphahlazekeni kwesistimu, futhi uma kwenzeka ukuqalisa kabusha, ezinye izinsizakalo (kuhlanganise nalezo okutholwe ngazo igobolondo langempela) zingase zingaqali. Kwenzeka ukuthi umlawuli umane akhohlwe ukusebenzisa i-systemctl vumela umyalo. Futhi kuzodala ukunganeliseki okukhulu ngomsebenzi wakho uma ukusebenza kungavunyelwananga ngakho.
Uma unquma ukusebenzisa amakhodi omthombo asuka ku-exploitdb, qiniseka ukuthi ufunda amazwana ekuqaleni kweskripthi. Phakathi kwezinye izinto, ngokuvamile lisho indlela yokuhlanganisa kahle ukuxhashazwa okunikeziwe. Uma uvilapha kakhulu noma bekumele ukwenze “izolo” ngenxa yezinsuku eziwumnqamulajuqu, ungabheka amakhosombe anemisebenzi esele ehlanganisiwe, isibonelo. Kodwa-ke, kufanele uqonde ukuthi kulokhu uzothola ingulube ku-poke. Ngakolunye uhlangothi, uma umklami eqonda kuze kufike kubhayithi indlela ikhompiyutha esebenza ngayo nesofthiwe eyisebenzisayo, ubengeke abhale ngisho nomugqa owodwa wekhodi kukho konke ukuphila kwakhe. 

cat /proc/version
uname -a
searchsploit "Linux Kernel"

I-Metasploit

Ukuze ubambe futhi uphathe ukuxhumeka, kuhlala kungcono ukusebenzisa imojuli yokuxhaphaza/okuningi/isibambi. Into esemqoka ukusetha umthwalo okhokhelwayo olungile, isibonelo, i-generic/shell/reverse_tcp noma i-generic/shell/bind_tcp. Igobolondo elikhiqizwe i-Metasploit lingathuthukiswa libe yi-Meterpreter kusetshenziswa imojuli yokuposa/multi/manage/shell_to_meterpreter. Nge-Meterpreter, ungenza ngokuzenzakalelayo inqubo yangemuva kokuxhashazwa. Isibonelo, imojuli yeposi/multi/recon/local_exploit_suggester ihlola inkundla, izakhiwo nezinhlangano ezidingekayo ukuze zixhashazwe futhi iphakamise amamojula e-Metasploit ukuze akhulise amalungelo kusistimu eqondiwe. Ngenxa ye-Meterpreter, amalungelo akhulayo ngezinye izikhathi ehla ekuqaliseni imodyuli edingekayo, kodwa ukugebenga ngaphandle kokuqonda ukuthi kwenzekani ngaphansi kwe-hood akuyona "iqiniso" (kusafanele ubhale umbiko).

Amathuluzi

Amathuluzi okuzenzela ukuqoqwa kolwazi lwendawo azokongela umzamo omkhulu nesikhathi, kodwa ngokwawo awakwazi ukuhlonza ngokugcwele indlela eya ekukhuphukeni kwamalungelo, ikakhulukazi esimweni sokuxhashazwa kobuthakathaka be-kernel. Amathuluzi e-automation azokwenza yonke imiyalo edingekayo ukuze uqoqe ulwazi mayelana nesistimu, kodwa kubalulekile futhi ukwazi hlaziya idatha etholiwe. Ngithemba ukuthi isihloko sami sizoba usizo kuwe kulokhu. Vele, maningi amathuluzi engizowabala ngezansi, kodwa wonke enza cishe into efanayo - lokhu kuyindaba yokunambitha.

I-Linpeas

I-Tula yakamuva, isibophezelo sokuqala sisukela ngoJanuwari 2019. Ithuluzi engilithandayo okwamanje. Iphuzu ukuthi igqamisa ama-vector athakazelisa kakhulu okukhula kwelungelo. Ngiyavuma, kulula kakhulu ukuthola ukuhlolwa kochwepheshe kuleli zinga kunokuhlaziya idatha eluhlaza ye-monolithic.

I-LinEnum

Ithuluzi lami lesibili eliyintandokazi, libuye liqoqe futhi lihlele idatha etholwe ngenxa yokubala kwendawo.

I-Linux-exploit-suggester (1,2)

Lokhu kuxhashazwa kuzohlaziya isistimu ngezimo ezifanele zokuxhaphaza. Eqinisweni, izokwenza umsebenzi ofanayo nowemojula ye-Metasploit local_exploit_suggester, kodwa izohlinzeka ngezixhumanisi zokuxhaphaza amakhodi omthombo we-db kunamamojula e-Metasploit.

I-Linuxprivchecker

Lesi script sizoqoqa futhi sihlele ngezigaba inani elikhulu lolwazi olungaba usizo ekwenzeni i-vector yamalungelo akhulayo.

Kwesinye isikhathi ngizongena ngemininingwane ukuphakama kwamalungelo ku-Linux OS nge-suid/sgid.

Source: www.habr.com

Engeza amazwana