Getting passwords of logged-in users
Once you have root on a server the game is over.
The hardest part of hacking a system is the external perimeter; once you break that down and manage to gain access to an internal system, the game is pretty much over. All you then need to do is escalate your privileges to root.
An attacker with root can read the clear-text passwords of other users.
You may think this is not possible, but it is quite easy to read the passwords of users who are logged in, especially if they are logged in via SSH.
Let me guide you through such an attack, which you could call moving laterally: I have access to one system, but can I gain access to another?
Scenario Setup:
A guild has 5 servers running its operations and 4 employees who have access to those servers.
Each employee gains access to all servers using their password and private keys.
A hacker manages to exploit a hole in the organisation's web server and escalates their privileges to root.
Later that day an employee called Andre logs into the organisation's web server.
Andre performs some actions which require sudo.
In this example we have created a dummy user called Andre with the password Loop19278fhtht.
Even though the attacker has root, he can't read Andre's password from /etc/passwd, as passwords are not stored there in clear text.
Let me introduce you to gcore.
A core file or core dump is a file that records the memory image of a running process and its process status.
These are the steps an attacker can take to see Andre's password in clear text:
1. He installs gdb (which contains the gcore utility).
2. Looks for SSH processes using ps.
3. Identifies that user Andre is logged on with PID 29503 and runs gcore against that process.
4. Reads the core dump using strings, piping it through grep to look for the sudo command (strings pulls clear text out of binary files; an important tool for a hacker).
And as you can see, the password is listed in the core dump on line 22, right after the command sudo ls.
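From the defender's side, the gcore step is a ptrace(2) attach to the sshd process, and auditd can record it. The Python below is an added example, not part of the original post: it parses constructed audit records (the audit rule, PIDs, timestamps and the process snapshot are assumptions; PID 29503 is borrowed from the walkthrough) and flags successful attaches to processes that hold other users' credentials.

```python
import re

# Constructed auditd records (not from a real host), in the shape an assumed rule
#   -a always,exit -F arch=b64 -S ptrace -k ptrace_attach
# would produce. PID 0x733f is 29503, the session from the walkthrough; the rest is made up.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=733f a2=0 a3=0 items=0 ppid=4100 pid=4105 auid=1000 uid=0 gid=0 euid=0 comm="gdb" exe="/usr/bin/gdb" key="ptrace_attach"
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=101 success=yes exit=0 a0=4206 a1=2a a2=0 a3=0 items=0 ppid=4100 pid=4106 auid=1000 uid=0 gid=0 euid=0 comm="strace" exe="/usr/bin/strace" key="ptrace_attach"
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=101 success=no exit=-1 a0=10 a1=733f a2=0 a3=0 items=0 ppid=4200 pid=4201 auid=1001 uid=1001 gid=1001 euid=1001 comm="gdb" exe="/usr/bin/gdb" key="ptrace_attach"
type=SYSCALL msg=audit(1700000000.400:204): arch=c000003e syscall=101 success=yes exit=0 a0=7 a1=733f a2=0 a3=0 items=0 ppid=4100 pid=4105 auid=1000 uid=0 gid=0 euid=0 comm="gdb" exe="/usr/bin/gdb" key="ptrace_attach"
"""

# Constructed process snapshot (target PID -> command); in practice read /proc or an EDR cache.
PROCESS_TABLE = {0x733F: "sshd", 0x2A: "cron"}

PTRACE_ATTACH, PTRACE_SEIZE = 0x10, 0x4206   # ptrace(2) requests that begin tracing a process
X86_64_PTRACE = "101"                          # syscall number of ptrace on arch=c000003e
SENSITIVE = {"sshd", "sudo", "su", "login"}   # processes whose memory holds others' credentials
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one auditd line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def suspicious_attaches(audit_log, process_table):
    """Return successful ATTACH/SEIZE calls whose target is a sensitive process."""
    hits = []
    for line in audit_log.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue  # only x86_64 SYSCALL records are decoded here
        if rec.get("syscall") != X86_64_PTRACE or rec.get("success") != "yes":
            continue  # a refused attach (e.g. blocked by Yama) is a weaker, separate signal
        request, target = int(rec["a0"], 16), int(rec["a1"], 16)
        if request not in (PTRACE_ATTACH, PTRACE_SEIZE):
            continue  # PEEKDATA etc. follow an attach and would only duplicate the alert
        victim = process_table.get(target)
        if victim in SENSITIVE:
            hits.append({"auid": int(rec["auid"]), "tracer_pid": int(rec["pid"]),
                         "comm": rec["comm"], "target_pid": target, "victim": victim})
    return hits


if __name__ == "__main__":
    for h in suspicious_attaches(SAMPLE_AUDIT_LOG, PROCESS_TABLE):
        print(f"ALERT auid={h['auid']} {h['comm']}[{h['tracer_pid']}] "
              f"attached to {h['victim']}[{h['target_pid']}]")
```

With kernel.yama.ptrace_scope set to 3 the attach is refused even for root (and the value cannot be lowered again without a reboot), so the same event would appear with success=no and the gcore step above would fail.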
So what is the main takeaway here?
The main takeaway from this exercise is to show you how easy it is for an attacker to move laterally once he has a foot in the door. He can do so not just by gaining access to your other servers, but also by very easily starting to harvest the credentials of other users.
And now that he has Andre's password, he can sudo into Andre's account and look at all his previous bash history too.
So make sure your systems are secure, because once they are in, it's GAME OVER.