So You Got a Shell: SSH for Linux Post Exploitation

So you worked hard to find that cool web application exploit and got a shell on the box. Many people not so familiar with the Linux operating system, quickly find themselves throwing there hand in the air and saying; Now what do I do? By popular demand, this is a list of some of my favorite SSH for Linux Post Exploitation techniques that I’ve used over and over in past Cyber Defense competitions and my career.

Note: I’m assuming that you will likely exploit a service level account, such as ftpd, www-data, ldapadmin, squid, apache or syslog, and not immediately have root level access on the system.

One of my overall favorites is utilizing SSH for linux post exploitation,  as a mean of developing access to systems on the internal network and to maintain access. Almost all Linux distro’s come with openssh-client baked in and many also have openssh-server set to run at startup by default. Fortunately, openssh’s config files ship with fairly basic security measures in place and expect system administrators to utilize the many additional security features, that are available, to defend systems. Most simply don’t bother.  Additionally the permissions on the /etc/ssh/ssh_conf and /etc/ssh/sshd_conf files are world readable by default. So start by just checking them out.

User$ cat /etc/ssh/ssh.conf

User$ cat /etc/ssh/sshd.conf

Within /etc/ssh/sshd_conf the default configuration allows for public file authentication; with the following line.

PubkeyAuthentication yes

This line allows for a public key to be passed to the system in order to authenticate as a specified user. This is done by adding your public key to the .ssh/authorized_keys file; under the users home directory structure. Once added you can use the simply ssh to the system, using your private key, while specifying the username.

Note: Most default system service accounts ship with /bin/false or /sbin/nologin as their default, which means ssh wont allow you to login directly via ssh.

So you are looking issued the command cat /etc/passwd and she that your user has no login shell and you say Michael this whole maintaining access with public keys in the authorized_keys file is useless to me. So how about another user of SSH for linux post exploitation; using your user to port forward into the local network over ssh?

So you get a web shell using some fancy new wordpress vulnerability and then you cat out the wp-config.php file and see that the database isn’t hosted on the local system. Now you have to pop another box to access that database right? Wrong. You can create a local port forward the the mysql port with ssh. by using the following command.

ssh -R 9000:<mysql server ip>:3306 www-data@localhost

So now maybe people are thinking of great I have to have a shell again…but www-data has /sbin/nologin! Thats fine we dont need a shell. Just follow the steps above. Use your web shell from the wordpress vulnerability to use ssh-keygen to generate the www-data users keys and .ssh directly. Then simply cat your public key into the .ssh/authorized_keys file, to give you a means of local authentication. You may not be able to get a local shell, but you can still ssh port forward by telling ssh not to use interactive login or allocate a tty with the following command.

ssh -v -nNT -R 9000:<mysql server ip>:3306 www-data@localhost

This will create an ssh tunnel that will port forward all traffic from 9000 to the mysql server on its default port. So simply issue the mysql command to connect on port 9000 and use the credentials in the wp-config.php file.

mysql -u wordpress -p -h <web server ip> -p 9000

Profit!

If you have any questions or want to know more just leave a comment or hit me up on social media.

Ad-Play: Experiments to Better Understand Online Advertising

Some of my readers may have recently noticed the introduction of online advertising, being displayed at the top and bottom of all pages. Although some may not believe me, this is by no means a money making scheme. I have recently become intrigued by the online advertising and search engine optimization space. I want to try and better understand how search engines make decisions like page ranking, content trustworthiness, site indexing, and file parsing/usage. I hope to gain insight into these activities by leveraging heavy logging and analytics for this blog and my other sites. Over the next few months I hope to collect data related to several experiments with analytics services, ad services, and even testing the impact of factitious postings, malicious takeover, and even out of topic postings.

So in short, Yes, there are now adds on the site. No, I don’t make many really any money off of them. On a good day I may make a single penny. In fact, most of the experiments i’ve been conducting have caused quite a large decline in the pay per viewers (RPM/RPC). The advertising, analytics, and tracking are all just means to collect data to try and better understand the effects each of these experiments has on the overall operation of a standard website.

If you normally use adblock or other online advertising/tracking prevention mechanizes to stop those pesky ads or to maintain your privacy.  I formally request that you continue to due so, when interacting with this site, as its a valid aspect of this type of testing. However, please note that all requests sent to this site, and all data sent in response is being logged. There is no way to opt out of this type of logging. Although I would hate to lose reader because of these changes, I fully understand, and recommended checking social media for updates related to this logging being disabled.

Updates related to future experiments, supporting data, and findings will be posted in the future when time permits.

External IP Address Lookup Service

As a penetration testing having the ability to easily preform an internet facing or external IP address lookup is very important. Weather you end up on a box in a clients DMZ or you just need to set up that handler for your social engineering engagement, being able to quickly get the IP makes things a lot easier. I for one, like to do a great deal of automation and I’ve used several of these external IP address lookup services over the years. However, as I’m sure many people are aware, these services some and go like the wind.

One of my favorites that I’ve come to relay on over the years is ifconfig.me. Not only did this external ip address lookup service have some of the coolest domain names ever, but it also responded very quickly via the terminal with just the IP; while offering additionally information if you viewed the web page directly. Needless to say, I kinda just fell in love and mindlessly used its services for over a year.

Sadly ifconfig.me and several other external IP address lookup services have since slowed to a crawl or been shutdown. Likely because they begin to receive heavy traffic once they take off and generate little to no revenue for the host. Nevertheless, I’ve decided that instead of finding a new external ip address lookup service to fall in love with, I would just piggy back off my blog to release my own simple version of the site. My goal being, to maintain the external IP address lookup service, via the terminal, that I’ve come accustom to using for scripting and automation.

So without further a due I give you hackersvanguard.com/ip.php, your one stop stop for external ip address lookup. I know some people like be wondering why the heck they would ever trust me so I’ve included the complete source code bellow.

 

<?php
function getIpAddr()
{
if (!empty($_SERVER['HTTP_CLIENT_IP'])) //check to see if the ip is internal
{
$ip=$_SERVER['HTTP_CLIENT_IP'];
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) //check and to if the ip is being properly proxied
{
$ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}
else
{
$ip=$_SERVER['REMOTE_ADDR']; //else use the value given in the remote ip address header
}
return $ip;
}
?>