When you gain access to a target node you will want to explore; the exact method you use to do this will depend upon operational security considerations, time constraints and style. You will be looking for a range of elements to support progressing an objective. It should be noted that the objective may NOT require elevation: you may be trying to obtain data, and access might already be possible using the context you have assumed. You also may need to move from a www-data user to a named user account, or get to root level access. If so, there is a range of questions we should be asking ourselves:

- Are you already admin, or have you got admin-like privileges?
- Are overly permissive root/sudo/admin/sa rights assigned?
- Are there insecurely stored passwords you can access?
- Are there known software vulnerabilities, e.g. kernel exploits?
- Are SSH keys stored in an insecure manner?
- Are there cron jobs running in an insecure manner that can be hijacked?
- Are SUID/SGID bits set that can be exploited?
- Are there local services that can be abused?
- Are there local services that are only accessible via loopback?
- Are there network-adjacent services that can be abused?
- Can you abuse applications to escalate?
- Are you in a jail and need to break out?
- Are you in a container and need to break out?
- Can you tap the network traffic to find credentials?

There's a host of great resources in this space (they are basically famous resources in this space now!).

Now, largely, Linux machines aren't monitored for process execution in enterprises; they are largely free zones you can roam around in, so much so that if you are in a Windows environment with EDR you might want to pivot to a Linux host, if you can, for evasion.

Privilege escalation enumeration and analysis is often not a two-minute activity; it's not just running a script (although it can be). The thing I'm trying to explain here is that it could take hours or even days to progress (that could be because of complexity, or simply because you don't "spot" the route). Lastly, there is also the other option: you also must consider whether a custom exploit chain is required!

Summary

So, the time could range from minutes to hours to days (or longer) per server, so bear that in mind; it's not always going to scream out at you (or even be possible everywhere). In mainstay business environments Linux servers are often black boxes or appliances. They are often not monitored and largely left alone. Obviously for software development companies, cloud service providers etc. this may not be the case, and Linux servers may be highly managed, but in my experience in "general" business verticals they are often not highly monitored.

Kernel Exploits

The kernel is the component of the operating system that sits at its core; it has complete control over everything that occurs in the system. Because of this, exploiting vulnerabilities in the kernel will pretty much always result in a full system compromise. Kernel exploits affect a certain version of a kernel or operating system, and they are generally executed locally on the target machine in order to escalate privileges to root. Bear in mind that a kernel exploit that fails usually panics the kernel and takes the host down, so on production systems it is a last resort rather than a first move.

Enumerating Kernel Information

The first step required is to enumerate the current operating system and kernel information, in order to find any available kernel exploits. The following commands can be used to manually enumerate kernel info:

    uname -a
    lsb_release -a
    cat /proc/version /etc/issue /etc/*-release
    hostnamectl | grep Kernel

In the example output (a screenshot not reproduced here), the system is running Ubuntu and is using the Linux 5.8.0-38-generic kernel.

Automated enumeration

Automated enumeration scripts such as LinPEAS can be used to enumerate operating system and kernel information as well.

Finding Available Kernel Exploits

The next step is to find out whether there are any known exploits available that affect the kernel version used by the machine.

searchsploit

SearchSploit can be used to find kernel exploits; the syntax is as follows:

    searchsploit linux kernel x.x.x.x

Matching exploits can then be mirrored (copied into the current directory) with SearchSploit using the following syntax:

    searchsploit -m path/to/exploit/xxxx.c

A simple Google search can often do the job as well.

Automated enumeration

The Linux Exploit Suggester script can be used on the target machine to identify available kernel exploits. The Linux Exploit Suggester – Next Generation (LES-NG) is a more modern implementation of the above script. Additionally, the Exploit Suggester Metasploit module can be used to carry out this task, by selecting the module, setting the session and running it. Treat suggester output as a list of candidates, not confirmed vulnerabilities: check the kernel version range and distribution stated in each exploit's header against what was enumerated above before compiling anything.

Compiling the Exploit
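As an added example (not code from the page or from any of the tools it mentions), the following POSIX shell functions turn the enumerated kernel release and os-release strings into the searchsploit queries worth running, and check a candidate exploit's stated affected version range against the running kernel before anything is compiled. The function names, the sample version strings and the range values are assumptions for illustration; the searchsploit syntax is the one given in the searchsploit section.

```shell
#!/bin/sh
# Added example, not the page's own code. Helpers for the "enumerate kernel, then
# search for exploits" step. Function names and sample values are illustrative.

# Strip distro suffixes from `uname -r`: "5.8.0-38-generic" -> "5.8.0"
kernel_base_version() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+){1,2}).*$/\1/'
}

# Read one KEY (ID, VERSION_ID, ...) from an os-release style file, quotes removed.
os_release_field() {
    sed -n "s/^$2=//p" "$1" | tr -d '"' | head -n 1
}

# Numeric dotted-version compare: prints -1, 0 or 1 for a<b, a==b, a>b.
# Missing components count as 0 ("5.8" == "5.8.0"); no GNU `sort -V` needed.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# True (exit 0) when LOW <= running kernel <= HIGH, the range an exploit header claims.
kernel_in_range() {   # args: uname -r output, LOW, HIGH
    k=$(kernel_base_version "$1")
    [ "$(vercmp "$k" "$2")" -ge 0 ] && [ "$(vercmp "$k" "$3")" -le 0 ]
}

# Queries from narrow to broad. searchsploit matches exploit titles, so the
# major.minor and the distro name usually turn up more than the exact patch level.
searchsploit_queries() {   # args: uname -r output, path to an os-release file
    kver=$(kernel_base_version "$1")
    mm=$(printf '%s\n' "$kver" | cut -d. -f1,2)
    id=$(os_release_field "$2" ID)
    vid=$(os_release_field "$2" VERSION_ID)
    printf 'searchsploit linux kernel %s\n' "$kver"
    printf 'searchsploit linux kernel %s\n' "$mm"
    [ -n "$id" ] && printf 'searchsploit %s %s kernel\n' "$id" "$vid"
    return 0
}

# Live use on a target: enumerate, then print the queries to run from the attack box.
if [ "${1:-}" = "--live" ]; then
    uname -a
    cat /proc/version /etc/issue /etc/*-release 2>/dev/null
    searchsploit_queries "$(uname -r)" /etc/os-release
fi
```

Run the queries on the attack machine, mirror a hit with `searchsploit -m`, and only then call `kernel_in_range` with the LOW/HIGH values copied from that exploit's header; a kernel outside the stated range is a reason to move on, not to compile and try anyway.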
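The checklist of questions earlier on the page, as an added example that is not part of the original post: POSIX shell helpers that answer several of them (SUID/SGID files, cron targets that can be hijacked, exposed SSH private keys, loopback-only listeners, container markers). The function names and the fixture layout are assumptions. Each function takes an optional root directory so it can be run against a mounted or copied filesystem rather than the live host, and the listener check reads `ss -ltnH` output from stdin so it can be tested on captured lines.

```shell
#!/bin/sh
# Added example, not the post's own code: helpers for the privilege-escalation
# checklist. Each takes an optional ROOT (default "/") so it can be pointed at a
# mounted image or a constructed fixture. Function names are illustrative.

# "Are you already admin / are sudo rights overly permissive?" (live only)
identity_summary() {
    id
    sudo -n -l 2>/dev/null || echo "sudo: no password-less entries (or sudo absent)"
}

# "Are SUID/SGID bits set that can be exploited?" One path per line.
find_suid_sgid() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# "Are there cron jobs running insecurely that can be hijacked?"
# System crontab lines are: minute hour dom month dow user command, so the
# command's first word is field 7 (@reboot-style lines and interpreter+script
# pairs are not handled). Prints targets writable by group or others.
hijackable_cron_targets() {
    root="${1:-/}"; prefix="${root%/}"
    cat "$root/etc/crontab" "$root"/etc/cron.d/* 2>/dev/null |
        grep -v '^[[:space:]]*#' |
        awk 'NF >= 7 { print $7 }' | sort -u |
        while IFS= read -r cmd; do
            case "$cmd" in /*) target="$prefix$cmd" ;; *) continue ;; esac
            [ -f "$target" ] && find "$target" \( -perm -002 -o -perm -020 \) -print 2>/dev/null
        done
    return 0
}

# "Are SSH keys stored in an insecure manner?"
# Private keys under any .ssh directory that are readable by group or others.
exposed_ssh_private_keys() {
    root="${1:-/}"
    find "$root/root" "$root/home" -xdev -type f -path '*/.ssh/*' \
        ! -name '*.pub' ! -name 'authorized_keys*' ! -name 'known_hosts*' ! -name 'config' \
        \( -perm -040 -o -perm -004 \) 2>/dev/null | sort
}

# "Are there local services only accessible via loopback?"
# Feed it `ss -ltnH` (TCP listeners, no header); column 4 is Local Address:Port.
# Prints ports bound on a loopback address and on nothing wider.
loopback_only_ports() {
    awk '{
        n = split($4, f, ":"); port = f[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]") loop[port] = 1
        else wide[port] = 1
    }
    END { for (p in loop) if (!(p in wide)) print p }' | sort -n
}

# "Are you in a container?" Docker marker file plus cgroup v1 controller names.
# Caveat: on cgroup v2 hosts /proc/1/cgroup is just "0::/", so this can miss.
in_container() {
    root="${1:-/}"
    [ -f "$root/.dockerenv" ] && return 0
    grep -qsE 'docker|lxc|containerd|kubepods' "$root/proc/1/cgroup" && return 0
    return 1
}

run_checklist() {
    root="${1:-/}"
    echo "== SUID/SGID files";       find_suid_sgid "$root"
    echo "== writable cron targets"; hijackable_cron_targets "$root"
    echo "== exposed SSH keys";      exposed_ssh_private_keys "$root"
    echo "== loopback-only ports";   ss -ltnH 2>/dev/null | loopback_only_ports
    echo "== container markers";     in_container "$root" && echo yes || echo no
}

if [ "${1:-}" = "--run" ]; then
    identity_summary
    run_checklist "${2:-/}"
fi
```

Each helper is deliberately a first pass, not a verdict: a SUID binary still has to be checked against what it actually does, a writable cron target only matters if the job runs as a more privileged user, and a loopback-only port is a lead to fingerprint, not a vulnerability.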