Learning Kali Linux
192 | Chapter 6: Owning Metasploit
Privilege Escalation

Ultimately, you won’t be able to do much if you don’t have a high level of permissions. Ideally, services run with the absolute minimum number of permissions possible. There’s simply no reason to run services with a high level of rights. In a perfect world, programmers would follow the principle of least privilege and not require more permissions than are absolutely necessary. Let’s say that services are installed with a limited number of privileges, and you manage to compromise the service. This means you are logged in as a user that can’t get to anything. You are bound by whatever permissions are held by the user that owns the process you compromised. To do much of anything, you need to get a higher level of privileges.
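The least-privilege idea in the paragraph above is what a defender builds into a service so that a compromised process is, as the text puts it, bound by the permissions of the user that owns it. The following C program is an added example, not code from the book or from any project the chapter describes: it shows how a daemon that starts as root permanently drops to an unprivileged UID/GID, in the order the kernel requires, and then verifies that the drop cannot be undone. The function names drop_privileges and running_unprivileged, and the target identity 65534 used in main, are my own choices.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to an unprivileged identity.  Order matters: the
 * supplementary groups and the primary group must be changed while we are
 * still root, because once setuid() has given up UID 0 the group calls
 * fail with EPERM.  setgid()/setuid() set the real, effective and saved
 * IDs together, so no saved root ID is left to return to.
 * Returns 0 on success, -1 on failure with errno set. */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
    if (target_uid == 0 || target_gid == 0) {
        errno = EINVAL;             /* "dropping" to root is not a drop */
        return -1;
    }
    if (geteuid() == 0) {
        /* Clearing supplementary groups needs CAP_SETGID, so only root
         * does it; an already-unprivileged caller keeps what it has. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(target_gid) != 0)
        return -1;
    if (setuid(target_uid) != 0)
        return -1;
    /* Belt and braces: if we can still become root, the drop failed. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Returns 1 if every UID/GID matches the expected unprivileged identity
 * and root cannot be regained, 0 otherwise.  Useful as a startup self-check
 * before the service touches any network input. */
int running_unprivileged(uid_t expected_uid, gid_t expected_gid)
{
    return getuid() == expected_uid && geteuid() == expected_uid
        && getgid() == expected_gid && getegid() == expected_gid
        && setuid(0) != 0;
}

int main(void)
{
    /* Constructed target identity for the demo (assumption: 65534 is the
     * "nobody" account); a real service would look up its own dedicated
     * account with getpwnam() instead. */
    uid_t uid = 65534;
    gid_t gid = 65534;

    if (geteuid() != 0) {
        /* Not root: nothing to drop, just report the current state. */
        printf("already unprivileged (uid=%u), nothing to drop\n",
               (unsigned)getuid());
        return 0;
    }
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop_privileges failed: %s\n", strerror(errno));
        return 1;
    }
    printf("dropped to uid=%u gid=%u, can regain root: %s\n",
           (unsigned)getuid(), (unsigned)getgid(),
           running_unprivileged(uid, gid) ? "no" : "YES (bug)");
    return 0;
}
```

Run it once as root and once as an ordinary user: only the root run performs a drop, and in both cases the final setuid(0) check is what proves the process can no longer climb back. The refusal of UID/GID 0 as a target catches the common misconfiguration where a service's account lookup silently fails and returns root.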
To get higher privileges, you need a way to compromise another process on the system that is running as root. Otherwise, you may be able to just switch your user role. On a Unix-like system such as Kali, you could use the su command to switch users. By default, this would give you root permissions unless you specify a particular user. However, you would need to use the root password to make that happen. You may be able to do that by compromising the root password. Also available on Linux systems is sudo. This command gives temporary permissions to run a command. If I were to use sudo mkdir /etc/directory, I would be making a directory under /etc. Since that directory is owned by root, I need the right permissions. This is why I use sudo.
We’re going to run a privilege escalation attack without using passwords, sudo, or su. For this, we’re going to use a local vulnerability. We’re going to target a Metasploitable 2 system, which is based on an outdated version of Ubuntu Linux. We need to look for a local exploit that we can use after we have compromised the system. By identifying the version of the kernel once we have exploited the system, we discover the Linux kernel is 2.6.24. We can find this by using uname -a after we are on the system. An nmap scan may also be able to identify the version. Knowing the kernel version, we can look for a vulnerability that attacks that version.

Keep in mind that a local vulnerability is one that requires that you are already logged into the machine or you have some ability to execute commands on the machine.

After identifying that a vulnerability is associated with udev, a device manager that works with the Linux kernel, we can grab the source code. You can see in Example 6-15 that I’ve used searchsploit to identify udev vulnerabilities. I know the one I’m looking for is 8572.c, based on some research I had done, so I can copy that file from where it sits to my home directory so I can compile it. Since I’m working from a 64-bit system, I had to install the gcc-multilib package in order to compile to a 32-bit binary (the architecture in use at my target). This is something I can identify by using uname -a. After compiling the source code to an executable, the executable file has to be copied somewhere it can be accessed remotely. Sticking it into the root of my web server means I can get to it by using a protocol that isn’t commonly suspect.

When you compile, you get to determine the filename that comes out of the compilation process. You do this using -o and then providing the filename. In our example, I’ve used a filename that might not be suspect if found on the target system. You can use whatever filename makes you happy, as long as you remember the name so you can retrieve it later.
Example 6-15. Staging the local exploit

    root@yazpistachio# searchsploit udev
    --------------------------------------- ----------------------------------------
     Exploit Title                         |  Path
                                           | (/usr/share/exploitdb/)
    --------------------------------------- ----------------------------------------
    Linux Kernel 2.6 (Debian 4.0 / Ubuntu  | exploits/linux/local/8478.sh
    Linux Kernel 2.6 (Gentoo / Ubuntu 8.10 | exploits/linux/local/8572.c
    Linux Kernel 4.8.0 UDEV < 232 - Local  | exploits/linux/local/41886.c
    Linux Kernel UDEV < 1.4.1 - 'Netlink'  | exploits/linux/local/21848.rb
    --------------------------------------- ----------------------------------------