GNU/Linux is a free and open source operating system: the Linux kernel combined with the GNU toolkit, a software collection developed by Richard Stallman.
- The Linux kernel is the core of the OS
- Linux distributions are variants of the same OS
- Typically deployed as a server OS
- Linux server services and protocols can provide an access vector that an attacker can use
Protocol/Service | Ports | Purpose |
---|---|---|
Apache Web Server | TCP 80/443 | Open source cross-platform web server |
SSH (Secure Shell) | TCP 22 | Cryptographic remote access protocol, used for operating network services securely over an unsecured network. Secure successor of telnet |
FTP (File Transfer Protocol) | TCP 21 | Communication protocol used for file sharing between a server and a client, over TCP |
SAMBA | TCP 445 | Open source implementation of the SMB protocol. Enables Unix machines to communicate with Windows machines in a network |
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka ShellShock.
- Affects the Bash shell since v1.3
- Bash mistakenly executes trailing commands after a series of characters (the string that follows an exported function definition)
- Apache web servers that run CGI or `.sh` scripts are also vulnerable
🗒️ Bash - *Nix shell, part of the GNU project and the default shell for most Linux distros.
🗒️ CGI (Common Gateway Interface) - lets Apache execute scripts and commands on the Linux system and return their output through the web server.
- Locate a script or input vector (e.g. a legitimate Apache CGI script) that passes input on to Bash
- Input special characters within the HTTP headers (e.g. `User-Agent`); CGI exports the request headers to the script as environment variables
- When the CGI script is executed, the web server runs it with Bash in a new process, which parses that crafted environment
The exploitation can be done manually or automatically.
🔬 Check the Bash - ShellShock Lab here
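An added example, not code from the original notes: a defender-side audit of a CGI directory that lists the scripts Apache would hand to a shell (by shebang or by `.sh` name), which is the exposure ShellShock turns into code execution. The directory and its scripts are constructed sample data; a real check would point at the directory an Apache `ScriptAlias` maps to.

```sh
#!/bin/sh
# Added example, not from the original notes: list the scripts in a CGI directory that
# Apache would hand to a shell, i.e. the files to check when assessing ShellShock exposure.
# A script counts if it is executable and either has a bash/sh shebang or ends in .sh.
# The directory and scripts below are constructed sample data, not a real web root.

# Print "<path> <why>" for each executable file under $1 that a shell would interpret.
cgi_shell_scripts() {
    find "$1" -type f -perm -100 | sort | while IFS= read -r f; do
        shebang=$(head -n 1 "$f" 2>/dev/null)
        interp=${shebang#"#!"}
        case "$shebang" in
            '#!'*/bash*|'#!'*/sh*|'#!'*'env bash'*|'#!'*'env sh'*)
                echo "$f shebang:$interp" ;;
            *)  case "$f" in
                    *.sh) echo "$f extension:.sh" ;;   # no shell shebang, but run by sh by name
                esac ;;
        esac
    done
}

# Number of shell-interpreted CGI scripts under $1.
cgi_shell_script_count() {
    cgi_shell_scripts "$1" | wc -l | tr -d ' '
}

# Constructed sample cgi-bin: two bash scripts, a perl script, a .sh without shebang,
# and a bash script that is not executable (so Apache's mod_cgi would not run it).
CGI_DIR=$(mktemp -d)
printf '#!/bin/bash\necho "Content-type: text/plain"\necho\nuptime\n' > "$CGI_DIR/status.cgi"
printf '#!/usr/bin/env bash\necho hello\n' > "$CGI_DIR/hello"
printf '#!/usr/bin/perl\nprint "ok\\n";\n' > "$CGI_DIR/report.pl"
printf 'echo no shebang\n' > "$CGI_DIR/legacy.sh"
printf '#!/bin/bash\necho not executable\n' > "$CGI_DIR/disabled.sh"
chmod 755 "$CGI_DIR/status.cgi" "$CGI_DIR/hello" "$CGI_DIR/report.pl" "$CGI_DIR/legacy.sh"
chmod 644 "$CGI_DIR/disabled.sh"

cgi_shell_scripts "$CGI_DIR"
```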
🗒️ FTP (File Transfer Protocol) - facilitates file sharing between a server and clients. Used for transferring files to and from a web server (e.g. with cPanel or FTP credentials).
- Port: `21` (TCP) - default
- User Authentication - `username` & `password`
- Anonymous access may be configured on the FTP server - no credentials needed
- Credentials can be brute-forced on the FTP server
- Exploit inherent vulnerabilities within the FTP service
🔬 Check the FTP Brute force Lab here
🗒️ SSH (Secure Shell) - cryptographic remote administration protocol, typically used for remote access to servers
- Port: `22` (TCP) - default
- SSH Authentication:
  - User Authentication - `username` & `password`
  - Key-based authentication - a key pair (2 keys: public and private); no username and password
- Credentials can be brute-forced on the SSH server
- With legitimate SSH credentials the attacker gains access to a full shell, with the privileges of the user account used
🔬 Check the SSH Brute force Lab here
🗒️ SAMBA - network file sharing protocol for sharing files and peripherals on a LAN. It is the Linux implementation of SMB.
- Port: `445` (TCP)
- Not pre-packaged, and not a commonly running service
- User Authentication - `username` & `password`
- Credentials can be brute-forced
- Use SMBMap or `smbclient` to retrieve information
🔬 Check the SAMBA Brute force Lab here
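Detecting the credential brute-forcing that the FTP, SSH and SAMBA sections above mention, as an added example that is not part of the original notes: it counts failed logins per source address in the line formats OpenSSH `sshd` (via syslog) and `vsftpd` write, and reports sources that cross a threshold (Samba uses a different log format and is not parsed here). The log lines are constructed sample data and the threshold of 3 is an assumed tuning value.

```sh
#!/bin/sh
# Added example, not from the original notes: count failed logins per source address in
# OpenSSH (auth.log) and vsftpd log lines and report sources that cross a threshold,
# which is the signal a password brute-force leaves behind. The log lines are constructed
# sample data; the default threshold of 3 failures is an assumed tuning value.

AUTH_LOG='Oct 10 12:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 10 12:00:02 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Oct 10 12:00:03 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51244 ssh2
Oct 10 12:00:04 web01 sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Oct 10 12:00:09 web01 sshd[2210]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Oct 10 12:00:15 web01 sshd[2212]: Failed password for alice from 198.51.100.4 port 40030 ssh2'
FTP_LOG='Tue Oct 10 12:01:01 2023 [pid 3001] [ftp] FAIL LOGIN: Client "203.0.113.9"
Tue Oct 10 12:01:02 2023 [pid 3003] [admin] FAIL LOGIN: Client "203.0.113.9"
Tue Oct 10 12:01:03 2023 [pid 3005] [admin] FAIL LOGIN: Client "203.0.113.9"
Tue Oct 10 12:01:10 2023 [pid 3007] [bob] OK LOGIN: Client "198.51.100.4"'

# Read mixed sshd/vsftpd lines on stdin; print "<service> <ip> <failures>" per source.
failed_logins() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails["ssh " $(i + 1)]++
        }
        /FAIL LOGIN: Client / {
            ip = $NF; gsub(/["]/, "", ip); fails["ftp " ip]++
        }
        END { for (k in fails) print k, fails[k] }
    ' | sort
}

# Keep only sources whose failure count reaches the threshold ($1, default 3).
brute_force_sources() {
    failed_logins | awk -v t="${1:-3}" '$3 >= t'
}

printf '%s\n%s\n' "$AUTH_LOG" "$FTP_LOG" | brute_force_sources 3
```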
❗ Targeting Kernel can cause system crashes, data loss, kernel panics etc ❗
Linux kernel vulnerabilities can be targeted to execute arbitrary code and obtain a privileged system shell.
- The kernel version and distribution are important
The Linux privilege escalation process consists of:
- Identify kernel vulnerabilities (e.g. with `Linux Exploit Suggester`)
- Download, compile and transfer kernel exploits onto the target system
Linux-Exploit-Suggester - a tool designed to assist in detecting security deficiencies for a given Linux kernel/Linux-based machine, by:
- Assessing kernel exposure to publicly known exploits
- Verifying the state of kernel hardening security measures

```sh
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh
```
- Very useful to get the kernel version and the possible exploits, with detailed information on the CVEs
🗒️ Cron - a time-based daemon/service that schedules applications, scripts and commands. It executes non-interactive jobs.
- Tasks scheduled in `cron` are called cron jobs, e.g. backups, OS upgrades, patches, scripts, commands etc.
- The default cron table/configuration file is `/etc/crontab`
- Cron jobs can be run as any user
- The attacker will target `root`'s privileged cron jobs
- Find and identify cron jobs scheduled by the `root` user, or the files processed by the cron job
🔬 Check the Cron Jobs Lab here
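An added example (not from the original notes) for the cron audit described above: it lists the jobs in an `/etc/crontab`-style file and flags any whose command file is group- or world-writable, the condition that lets a non-root user change what a root job runs. The crontab and the scripts it references are constructed in a temporary directory; a real audit would read `/etc/crontab` and `/etc/cron.d/*`.

```sh
#!/bin/sh
# Added example, not from the original notes: audit an /etc/crontab-style file for jobs
# whose command file can be modified by users other than its owner, the condition that
# lets an unprivileged user change what a root cron job executes. The crontab and the
# scripts it references are constructed in a temporary directory for this demonstration;
# a real audit would read /etc/crontab and /etc/cron.d/*.

# Print "<user> <command>" for each job in the file $1.
cron_jobs() {
    # fields: min hour dom mon dow user command...; skip blank, comment and VAR=value lines
    awk '!/^[[:space:]]*(#|$)/ && !/^[A-Za-z_]+=/ { print $6, $7 }' "$1"
}

# Print "<user> <command> <octal-mode>" for jobs whose command file is group- or world-writable.
writable_cron_targets() {
    cron_jobs "$1" | while read -r user cmd; do
        [ -f "$cmd" ] || continue        # builtins or chains ("cd / && ...") have no file here
        perm=$(stat -c '%A' "$cmd")      # e.g. -rwxrwxr-x: char 6 is group write, char 9 is other write
        case "$perm" in
            ?????w*|????????w*) echo "$user $cmd $(stat -c '%a' "$cmd")" ;;
        esac
    done
}

# Constructed sample: three scripts with different modes and a crontab that runs them.
WORK=$(mktemp -d)
mkdir -p "$WORK/scripts"
printf '#!/bin/sh\ntar czf /var/backups/www.tgz /var/www\n' > "$WORK/scripts/backup.sh"
printf '#!/bin/sh\napt-get update -q\n' > "$WORK/scripts/update.sh"
printf '#!/bin/sh\necho cleanup\n' > "$WORK/scripts/cleanup.sh"
chmod 777 "$WORK/scripts/backup.sh"    # world-writable: any user can change what root runs
chmod 755 "$WORK/scripts/update.sh"    # only the owner can modify
chmod 775 "$WORK/scripts/cleanup.sh"   # group-writable
cat > "$WORK/crontab" <<EOF
# constructed /etc/crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root $WORK/scripts/backup.sh
30 2 * * * root $WORK/scripts/update.sh --quiet
0 3 * * * www-data $WORK/scripts/cleanup.sh
EOF

writable_cron_targets "$WORK/crontab"
```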
🗒️ SUID (Set owner User ID) - a type of special access permission given to a file. A file with SUID always executes as its owner, regardless of the user running the command.
- Allows unprivileged users to run scripts or binaries with `root` permissions, limited to the execution of that specific binary
- This is not privilege escalation in itself, but can be used to obtain an elevated session, e.g. the `sudo` binary
- The exploitation of SUID binaries to get privesc depends on:
  - the owner of the SUID file - e.g. look for the `root` user's SUID binaries
  - access permissions - `x` (executable) permission is required to execute the SUID binary
🔬 Check the SUID Lab here
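An added example (not from the original notes) for the SUID notes above: it enumerates SUID files under a directory tree with their owners and flags any that are not on a known-good baseline, which is how a defender notices a planted or forgotten SUID binary. The tree and baseline are constructed sample data (plain scripts stand in for binaries); a real run would scan `/` against a baseline recorded from a clean install.

```sh
#!/bin/sh
# Added example, not from the original notes: enumerate files with the SUID bit under a
# directory tree, show their owner, and flag any that are not on a known-good baseline,
# which is how a defender notices a planted or forgotten SUID binary. The tree and baseline
# are constructed sample data (plain scripts stand in for binaries; the SUID bit is only
# metadata here); a real run would scan / against a baseline taken from a clean install.

# Print "<owner> <path>" for every regular file with the SUID bit set under $1, sorted by path.
suid_files() {
    find "$1" -type f -perm -4000 -exec stat -c '%U %n' {} + | sort -k2
}

# Print the SUID files whose path is not listed (one per line) in the baseline file $2.
unexpected_suid() {
    suid_files "$1" | while read -r owner path; do
        grep -qxF "$path" "$2" || echo "$owner $path"
    done
}

# Constructed sample tree: two expected SUID helpers, one plain binary, one planted extra.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/usr/bin" "$ROOT/tmp"
for f in usr/bin/passwd usr/bin/sudo usr/bin/find tmp/.helper; do
    printf '#!/bin/sh\necho %s\n' "$f" > "$ROOT/$f"
    chmod 755 "$ROOT/$f"
done
chmod u+s "$ROOT/usr/bin/passwd" "$ROOT/usr/bin/sudo" "$ROOT/tmp/.helper"
printf '%s\n' "$ROOT/usr/bin/passwd" "$ROOT/usr/bin/sudo" > "$ROOT/baseline.txt"

unexpected_suid "$ROOT" "$ROOT/baseline.txt"
```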
All Linux accounts' information is stored in the `passwd` file in the `/etc/` directory.
Linux has multi-user support; this can increase the overall risk of a server.
```sh
cat /etc/passwd
```
Passwords cannot be viewed there because they are hashed and stored in the `shadow` file in the `/etc/` directory.
- 📌 Only the `root` account can access the `shadow` file
```sh
sudo cat /etc/shadow
```
The hashed passwords have a `$id` prefix value that indicates the type of hashing algorithm being used, e.g.:
Value | Hashing Algorithm |
---|---|
`$1` | MD5 (easy to crack) |
`$2` | Blowfish (easy to crack) |
`$5` | SHA-256 (difficult to crack) |
`$6` | SHA-512 (difficult to crack) |
`$y` | yescrypt |
🔬 Check the Dumping Linux Hashes Lab here
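An added example, not from the original notes, for the hash-prefix table above: it classifies each account of a shadow-format file by its crypt(3) prefix, and goes beyond the table by also recognising the bcrypt variants (`$2a$`, `$2b$`, `$2y$`), locked accounts (`!`/`*`), empty password fields and unprefixed DES hashes. The shadow lines are constructed sample data with placeholder hash values.

```sh
#!/bin/sh
# Added example, not from the original notes: classify each account in a shadow-format
# file by the crypt(3) prefix of its hash and flag the weak or dangerous cases. The input
# is constructed sample data with placeholder hash values, not a real /etc/shadow.

SHADOW_SAMPLE='root:$6$rounds=5000$saltsalt$LONGHASHVALUE:19600:0:99999:7:::
legacy:$1$abcdefgh$HASHVALUE:19600:0:99999:7:::
svc:!:19600:0:99999:7:::
daemon:*:19600:0:99999:7:::
guest::19600:0:99999:7:::
alice:$y$j9T$SALTVALUE$HASHVALUE:19600:0:99999:7:::
bob:$2b$12$SALTSALTSALTSALTSALTSAHASHVALUE:19600:0:99999:7:::
carol:$5$saltsalt$HASHVALUE:19600:0:99999:7:::'

# Read shadow lines on stdin; print "<user> <algorithm> <risk>" per account.
classify_shadow() {
    while IFS=: read -r user hash _rest; do
        case "$hash" in
            '')        alg=none;     risk=CRITICAL ;;  # empty field: no password needed to log in
            '!'*|'*'*) alg=locked;   risk=ok ;;        # locked ("!..." keeps the old hash) or no password login
            '$1$'*)    alg=md5;      risk=weak ;;
            '$2'?'$'*) alg=bcrypt;   risk=ok ;;        # $2a$, $2b$, $2y$: Blowfish-based, slow by design
            '$5$'*)    alg=sha256;   risk=ok ;;
            '$6$'*)    alg=sha512;   risk=ok ;;
            '$y$'*)    alg=yescrypt; risk=ok ;;
            '$'*)      alg=unknown;  risk=review ;;
            *)         alg=descrypt; risk=weak ;;      # no $id$ prefix: traditional DES crypt
        esac
        echo "$user $alg $risk"
    done
}

# Number of accounts that are not classified ok (empty, weak or unknown hashes).
shadow_findings() {
    classify_shadow | grep -vc ' ok$'
}

printf '%s\n' "$SHADOW_SAMPLE" | classify_shadow
```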