New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[GSOC] Post-exploitation API improvements and pseudo_shell (metashell) module added #10119

Merged
merged 24 commits into from Jan 24, 2019

Conversation

Projects
None yet
6 participants
@AlbertoCoding
Copy link
Contributor

AlbertoCoding commented May 31, 2018

Description

Post-Exploitation API improvements integrated in already existing libraries and the pseudo-shell module added to the project.

This is a first version of the pseudo-shell module. It will use only available commands in the device. If you need to use a specific command (such as cat, ls, whoami,…) and it does not exist in this specific limited shell, it will try to simulate it with simpler native Linux commands available (for example, with the echo command and processing the data obtained in our machine with ruby).

Verification

List of steps needed to make sure this thing works

  • Start msfconsole
  • Get a valid remote shell session
  • Load the pseudo_shell post-exploitation module:
    use post/linux/manage/pseudo_shell
  • Set session id (set SESSION 1)
  • Review and set module options and run
  • Verify the thing does what it should

Example

msfconsole
use auxiliary/scanner/ssh/ssh_login
set RHOST 192.168.1.1
set USERNAME admin
set PASSWORD admin
run
use post/linux/manage/pseudo_shell
set SESSION 1
run

@AlbertoCoding AlbertoCoding changed the title Initial upload of Vulnerateca Post-Exploitation Framework (VPEF) [GSOC] Initial upload of Vulnerateca Post-Exploitation Framework (VPEF) May 31, 2018

@wvu-r7

This comment has been minimized.

Copy link
Contributor

wvu-r7 commented May 31, 2018

Can we name this something other than "Vulnerateca Post-Exploitation Framework (VPEF)?" That name is too obscure, already trademarked, turned into an acronym, and exists within a greater framework already.

@wvu-r7

This comment has been minimized.

Copy link
Contributor

wvu-r7 commented May 31, 2018

Unless I guess Vulnerateca is your company. But this is really a contribution toward Metasploit Framework's post exploitation capabilities, so a generic name will suffice!

@jmartin-r7

This comment has been minimized.

Copy link
Contributor

jmartin-r7 commented May 31, 2018

Please note: "Metasploit requires spaces instead of hard tabs"

See https://github.com/rapid7/metasploit-framework/wiki/Style-Tips

Travis tests are failing early due to \t.

@AlbertoCoding

This comment has been minimized.

Copy link
Contributor Author

AlbertoCoding commented May 31, 2018

Ok, thank you very much for the feedback!
I agree with you so I'm going to work on changing these things now.
By the way, do I need to create a new PR once I have all changes done on my repository, or if I just push to my branch [ AlbertoCoding: vpef ], changes will be shown here automatically?

@wvu-r7

This comment has been minimized.

Copy link
Contributor

wvu-r7 commented May 31, 2018

You can push to your branch. The PR will be updated accordingly.

root

@AlbertoCoding AlbertoCoding changed the title [GSOC] Initial upload of Vulnerateca Post-Exploitation Framework (VPEF) [GSOC] Post-Exploitation Panel (PEPA) Jun 1, 2018

@sempervictus
Copy link
Contributor

sempervictus left a comment

Cool stuff, thank you. We need to ween off specific binaries for more generic and quiet functionality.
The lib code might be better off integrated to the current library calls for access mechanisms so its used by all consumers - the framework is neat that way, you can shim in functionality for tons of existing code underneath.
Far as the modules go, they're not really collecting anything so much as displaying it... Storing loot, creds, notes, and any relevant named model properties is paramount for other modules to use this information down the line.
Agree with others that the naming piece is a bit much. Leave the company name in the email, and keep the code as close to existing standards as possible. There's free marketing enough from building cool things people use, branding doesn't belong in code outside a copyright header.

@bcoles

This comment has been minimized.

Copy link
Contributor

bcoles commented Jun 2, 2018

+1 for removing pepa from namespace
+1 for integrating this functionality into existing post libs

@bcoles bcoles added the library label Jun 4, 2018

@wvu-r7

This comment has been minimized.

Copy link
Contributor

wvu-r7 commented Jun 4, 2018

Yep, agree with @sempervictus and @bcoles about working within the Post API.

That's the point I was trying to make in previous conversations. The API was designed to be portable, but then the code diverged from that. Make it right again. :)

Also, yeah, modules shouldn't be written for primitives, IMHO. You should add or enhance primitives in the library code, then write modules to use them. In your case, you'll be writing an interface.

@AlbertoCoding AlbertoCoding changed the title [GSOC] Post-Exploitation Panel (PEPA) [GSOC] Post-exploitation API improvements and pseudo_shell module added Jun 19, 2018

Show resolved Hide resolved lib/msf/core/post/linux/priv.rb Outdated
@AlbertoCoding

This comment has been minimized.

Copy link
Contributor Author

AlbertoCoding commented Jun 19, 2018

Thank you everyone for all the suggestions and comments.
All the suggested fixes and changes have been already applied.

AlbertoCoding added some commits Jun 21, 2018

@bcoles

This comment has been minimized.

Copy link
Contributor

bcoles commented Jun 25, 2018

Has this PR been rebased with master? It looks like it nukes the changes made to lib/msf/core/post/common.rb in 9eb5700.

Show resolved Hide resolved lib/msf/core/post/file.rb
Show resolved Hide resolved lib/msf/core/post/file.rb
Show resolved Hide resolved lib/msf/core/post/linux/system.rb Outdated
Show resolved Hide resolved lib/msf/core/post/linux/system.rb Outdated
Show resolved Hide resolved lib/msf/core/post/linux/system.rb Outdated
Show resolved Hide resolved lib/msf/core/post/linux/system.rb Outdated
Show resolved Hide resolved lib/msf/core/post/linux/system.rb Outdated
Show resolved Hide resolved lib/msf/core/post/linux/system.rb Outdated
Show resolved Hide resolved lib/msf/core/post/unix.rb Outdated
Show resolved Hide resolved modules/post/linux/manage/pseudo_shell.rb Outdated
Show resolved Hide resolved modules/post/linux/manage/iptables_removal.rb Outdated
Show resolved Hide resolved modules/post/linux/manage/iptables_removal.rb Outdated
Show resolved Hide resolved modules/post/linux/manage/iptables_removal.rb Outdated

AlbertoCoding added some commits Aug 14, 2018

@bcoles

This comment has been minimized.

Copy link
Contributor

bcoles commented Nov 11, 2018

@sempervictus
Copy link
Contributor

sempervictus left a comment

I'll check if this works under grsec, but if not, we may wanna check perms before we try a read, or we will be logged.

@wvu-r7 wvu-r7 force-pushed the AlbertoCoding:vpef branch from dc79616 to 06de16a Jan 16, 2019

@wvu-r7

This comment has been minimized.

Copy link
Contributor

wvu-r7 commented Jan 18, 2019

Merging master again to pass the build.

@wvu-r7

This comment has been minimized.

Copy link
Contributor

wvu-r7 commented Jan 24, 2019

whoami and missing username in prompt fixed.

@wvu-r7 wvu-r7 changed the title [GSOC] Post-exploitation API improvements and pseudo_shell module added [GSOC] Post-exploitation API improvements and pseudo_shell (metashell) module added Jan 24, 2019

wvu-r7 added some commits Jan 24, 2019

@wvu-r7

This comment has been minimized.

Copy link
Contributor

wvu-r7 commented Jan 24, 2019

Privilege-specific prompt character added. SessionTypes updated to include Meterpreter.

@wvu-r7

This comment has been minimized.

Copy link
Contributor

wvu-r7 commented Jan 24, 2019

meterpreter > run post/linux/manage/pseudo_shell
root@ubuntu-xenial:/vagrant# help

Commands Help
==============

	Command             Description
	-------             -----------
	?                   Show current help
	cat                 Show file contents
	cd                  Change current directory
	clear               Clear screen
	exit                Exit the Pseudo-shell
	groups              Show list of groups
	help                Show current help
	hostname            Show current Hostname
	interfaces          Show list of network interfaces
	ips                 Show list of current IP addresses
	isroot?             Show if current user has root permisions
	ls                  List files and folders in a directory
	macs                Show list of MAC addresses
	path                Show current directories included in $PATH enviroment variable
	pwd                 Show current PATH
	shell               Show current SHELL
	tcp_ports           Show list of listen TCP ports
	udp_ports           Show list of listen UDP ports
	users               Show list of users
	whoami              Show current user

root@ubuntu-xenial:/vagrant# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
root@ubuntu-xenial:/vagrant# cd /
root@ubuntu-xenial:/# groups
{:name=>"root", :gid=>"0", :users=>nil}
{:name=>"daemon", :gid=>"1", :users=>nil}
{:name=>"bin", :gid=>"2", :users=>nil}
{:name=>"sys", :gid=>"3", :users=>nil}
{:name=>"adm", :gid=>"4", :users=>"syslog,ubuntu"}
{:name=>"tty", :gid=>"5", :users=>nil}
{:name=>"disk", :gid=>"6", :users=>nil}
{:name=>"lp", :gid=>"7", :users=>nil}
{:name=>"mail", :gid=>"8", :users=>nil}
{:name=>"news", :gid=>"9", :users=>nil}
{:name=>"uucp", :gid=>"10", :users=>nil}
{:name=>"man", :gid=>"12", :users=>nil}
{:name=>"proxy", :gid=>"13", :users=>nil}
{:name=>"kmem", :gid=>"15", :users=>nil}
{:name=>"dialout", :gid=>"20", :users=>"ubuntu"}
{:name=>"fax", :gid=>"21", :users=>nil}
{:name=>"voice", :gid=>"22", :users=>nil}
{:name=>"cdrom", :gid=>"24", :users=>"ubuntu"}
{:name=>"floppy", :gid=>"25", :users=>"ubuntu"}
{:name=>"tape", :gid=>"26", :users=>nil}
{:name=>"sudo", :gid=>"27", :users=>"ubuntu"}
{:name=>"audio", :gid=>"29", :users=>"ubuntu"}
{:name=>"dip", :gid=>"30", :users=>"ubuntu"}
{:name=>"www-data", :gid=>"33", :users=>nil}
{:name=>"backup", :gid=>"34", :users=>nil}
{:name=>"operator", :gid=>"37", :users=>nil}
{:name=>"list", :gid=>"38", :users=>nil}
{:name=>"irc", :gid=>"39", :users=>nil}
{:name=>"src", :gid=>"40", :users=>nil}
{:name=>"gnats", :gid=>"41", :users=>nil}
{:name=>"shadow", :gid=>"42", :users=>nil}
{:name=>"utmp", :gid=>"43", :users=>nil}
{:name=>"video", :gid=>"44", :users=>"ubuntu"}
{:name=>"sasl", :gid=>"45", :users=>nil}
{:name=>"plugdev", :gid=>"46", :users=>"ubuntu"}
{:name=>"staff", :gid=>"50", :users=>nil}
{:name=>"games", :gid=>"60", :users=>nil}
{:name=>"users", :gid=>"100", :users=>nil}
{:name=>"nogroup", :gid=>"65534", :users=>nil}
{:name=>"systemd-journal", :gid=>"101", :users=>nil}
{:name=>"systemd-timesync", :gid=>"102", :users=>nil}
{:name=>"systemd-network", :gid=>"103", :users=>nil}
{:name=>"systemd-resolve", :gid=>"104", :users=>nil}
{:name=>"systemd-bus-proxy", :gid=>"105", :users=>nil}
{:name=>"input", :gid=>"106", :users=>nil}
{:name=>"crontab", :gid=>"107", :users=>nil}
{:name=>"syslog", :gid=>"108", :users=>nil}
{:name=>"netdev", :gid=>"109", :users=>"ubuntu"}
{:name=>"lxd", :gid=>"110", :users=>"ubuntu"}
{:name=>"messagebus", :gid=>"111", :users=>nil}
{:name=>"uuidd", :gid=>"112", :users=>nil}
{:name=>"ssh", :gid=>"113", :users=>nil}
{:name=>"mlocate", :gid=>"114", :users=>nil}
{:name=>"admin", :gid=>"115", :users=>nil}
{:name=>"vboxsf", :gid=>"116", :users=>nil}
{:name=>"vagrant", :gid=>"1000", :users=>nil}
{:name=>"ubuntu", :gid=>"1001", :users=>nil}
{:name=>"docker", :gid=>"117", :users=>nil}
root@ubuntu-xenial:/# hostname
ubuntu-xenial
root@ubuntu-xenial:/# interfaces
docker0
enp0s3
enp0s8
lo
vethd58216e
root@ubuntu-xenial:/# ips
10.0.2.15
127.0.0.1
172.17.0.1
172.28.128.3
root@ubuntu-xenial:/# isroot?
true
root@ubuntu-xenial:/# ls
bin
boot
dev
etc
home
initrd.img
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
sys
tmp
usr
vagrant
var
vmlinuz
root@ubuntu-xenial:/# macs
02:42:8b:1a:9c:2e
02:6c:72:8e:02:ff
08:00:27:1b:1a:e3
00:00:00:00:00:00
82:f5:3c:5b:05:ff
root@ubuntu-xenial:/# path
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin
root@ubuntu-xenial:/# shell
sh
root@ubuntu-xenial:/# tcp_ports
22
root@ubuntu-xenial:/# udp_ports
68
root@ubuntu-xenial:/# users
{:name=>"root", :uid=>"0", :gid=>"0", :info=>"root", :dir=>"/root", :shell=>"/bin/bash"}
{:name=>"daemon", :uid=>"1", :gid=>"1", :info=>"daemon", :dir=>"/usr/sbin", :shell=>"/usr/sbin/nologin"}
{:name=>"bin", :uid=>"2", :gid=>"2", :info=>"bin", :dir=>"/bin", :shell=>"/usr/sbin/nologin"}
{:name=>"sys", :uid=>"3", :gid=>"3", :info=>"sys", :dir=>"/dev", :shell=>"/usr/sbin/nologin"}
{:name=>"sync", :uid=>"4", :gid=>"65534", :info=>"sync", :dir=>"/bin", :shell=>"/bin/sync"}
{:name=>"games", :uid=>"5", :gid=>"60", :info=>"games", :dir=>"/usr/games", :shell=>"/usr/sbin/nologin"}
{:name=>"man", :uid=>"6", :gid=>"12", :info=>"man", :dir=>"/var/cache/man", :shell=>"/usr/sbin/nologin"}
{:name=>"lp", :uid=>"7", :gid=>"7", :info=>"lp", :dir=>"/var/spool/lpd", :shell=>"/usr/sbin/nologin"}
{:name=>"mail", :uid=>"8", :gid=>"8", :info=>"mail", :dir=>"/var/mail", :shell=>"/usr/sbin/nologin"}
{:name=>"news", :uid=>"9", :gid=>"9", :info=>"news", :dir=>"/var/spool/news", :shell=>"/usr/sbin/nologin"}
{:name=>"uucp", :uid=>"10", :gid=>"10", :info=>"uucp", :dir=>"/var/spool/uucp", :shell=>"/usr/sbin/nologin"}
{:name=>"proxy", :uid=>"13", :gid=>"13", :info=>"proxy", :dir=>"/bin", :shell=>"/usr/sbin/nologin"}
{:name=>"www-data", :uid=>"33", :gid=>"33", :info=>"www-data", :dir=>"/var/www", :shell=>"/usr/sbin/nologin"}
{:name=>"backup", :uid=>"34", :gid=>"34", :info=>"backup", :dir=>"/var/backups", :shell=>"/usr/sbin/nologin"}
{:name=>"list", :uid=>"38", :gid=>"38", :info=>"Mailing List Manager", :dir=>"/var/list", :shell=>"/usr/sbin/nologin"}
{:name=>"irc", :uid=>"39", :gid=>"39", :info=>"ircd", :dir=>"/var/run/ircd", :shell=>"/usr/sbin/nologin"}
{:name=>"gnats", :uid=>"41", :gid=>"41", :info=>"Gnats Bug-Reporting System (admin)", :dir=>"/var/lib/gnats", :shell=>"/usr/sbin/nologin"}
{:name=>"nobody", :uid=>"65534", :gid=>"65534", :info=>"nobody", :dir=>"/nonexistent", :shell=>"/usr/sbin/nologin"}
{:name=>"systemd-timesync", :uid=>"100", :gid=>"102", :info=>"systemd Time Synchronization,,,", :dir=>"/run/systemd", :shell=>"/bin/false"}
{:name=>"systemd-network", :uid=>"101", :gid=>"103", :info=>"systemd Network Management,,,", :dir=>"/run/systemd/netif", :shell=>"/bin/false"}
{:name=>"systemd-resolve", :uid=>"102", :gid=>"104", :info=>"systemd Resolver,,,", :dir=>"/run/systemd/resolve", :shell=>"/bin/false"}
{:name=>"systemd-bus-proxy", :uid=>"103", :gid=>"105", :info=>"systemd Bus Proxy,,,", :dir=>"/run/systemd", :shell=>"/bin/false"}
{:name=>"syslog", :uid=>"104", :gid=>"108", :info=>"", :dir=>"/home/syslog", :shell=>"/bin/false"}
{:name=>"_apt", :uid=>"105", :gid=>"65534", :info=>"", :dir=>"/nonexistent", :shell=>"/bin/false"}
{:name=>"lxd", :uid=>"106", :gid=>"65534", :info=>"", :dir=>"/var/lib/lxd/", :shell=>"/bin/false"}
{:name=>"messagebus", :uid=>"107", :gid=>"111", :info=>"", :dir=>"/var/run/dbus", :shell=>"/bin/false"}
{:name=>"uuidd", :uid=>"108", :gid=>"112", :info=>"", :dir=>"/run/uuidd", :shell=>"/bin/false"}
{:name=>"dnsmasq", :uid=>"109", :gid=>"65534", :info=>"dnsmasq,,,", :dir=>"/var/lib/misc", :shell=>"/bin/false"}
{:name=>"sshd", :uid=>"110", :gid=>"65534", :info=>"", :dir=>"/var/run/sshd", :shell=>"/usr/sbin/nologin"}
{:name=>"pollinate", :uid=>"111", :gid=>"1", :info=>"", :dir=>"/var/cache/pollinate", :shell=>"/bin/false"}
{:name=>"vagrant", :uid=>"1000", :gid=>"1000", :info=>",,,", :dir=>"/home/vagrant", :shell=>"/bin/bash"}
{:name=>"ubuntu", :uid=>"1001", :gid=>"1001", :info=>"Ubuntu", :dir=>"/home/ubuntu", :shell=>"/bin/bash"}
root@ubuntu-xenial:/# whoami
root
root@ubuntu-xenial:/# exit
meterpreter >

@wvu-r7 wvu-r7 merged commit 8cdcba8 into rapid7:master Jan 24, 2019

1 of 3 checks passed

Metasploit Automation - Sanity Test Execution Build triggered for merge commit.
Details
continuous-integration/travis-ci/pr The Travis CI build is in progress
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details

wvu-r7 added a commit that referenced this pull request Jan 24, 2019

msjenkins-r7 added a commit that referenced this pull request Jan 24, 2019

@wvu-r7

This comment has been minimized.

Copy link
Contributor

wvu-r7 commented Jan 24, 2019

Release Notes

This adds a metashell (pseudoshell) focused on post-exploitation against Linux targets. Users can run the post/linux/manage/pseudo_shell module to enable this feature against a session.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment