Get the Target
You first have to know your target before you can perform the PAM degradation attack, so we start by logging in to our lab system as an ordinary, unprivileged user. The password used here is 1234abc: set it with passwd, make sure sshd is running, then connect over SSH.
passwd
sshd
~ $ ssh user@localhost
Getting Around
Running manual checks one at a time, such as find / -perm /4000 2>/dev/null to list setuid binaries, is slow, easy to get wrong, and you will miss things. Instead use PEASS-ng, a set of privilege-escalation enumeration scripts written by carlospolop (linPEAS for Linux, winPEAS for Windows). It automates local reconnaissance: it looks for system misconfigurations, exposed sensitive files and paths, files and directories with weak permissions, and much more.
git clone https://github.com/carlospolop/PEASS-ng
Degradation Attack
Now we have to decide what we want and look for a misconfiguration that gets us there. In this lab there is a directory called pamala that only root can access, and it holds the password of the machine. We do not have the root password, so we cannot read the files in pamala directly. To get around this we move to the directory where the PAM modules are kept. PAM (Pluggable Authentication Modules) is the code that programs such as login, su, sudo and sshd call to decide whether an authentication attempt succeeds; each module is a shared object (.so) in that directory, and the service files under /etc/pam.d say which modules are consulted and in what order. On Debian-based systems such as Kali the module directory is /usr/lib/x86_64-linux-gnu/security/ (other distributions use paths such as /usr/lib64/security/):
cd /usr/lib/x86_64-linux-gnu/security/
You may be wondering how we knew to look in that directory. linPEAS, the Linux script in PEASS-ng, reported that our user can write to (and therefore delete and replace) the PAM module files in the security directory. To run it from the cloned repository, go to PEASS-ng/linPEAS/builder, make linpeas_base.sh executable with chmod +x linpeas_base.sh, and run it with ./linpeas_base.sh. (linpeas_base.sh is the template the project's builder assembles the full script from; downloading the built linpeas.sh from the project's release page is the usual way to run it.)
PAM degradation
In the screenshot above, the security directory and its contents are owned by our user rather than by root. This is the degradation: whoever installed or administered this system left the module directory with the wrong ownership and permissions, so an unprivileged user can replace the authentication code itself. Among the .so files you will see pam_permit.so and pam_deny.so. pam_permit.so always returns success; pam_deny.so always returns failure, and the default authentication stack uses it as the fallback that rejects a wrong password. What we do is delete pam_deny.so (we have permission to) and copy pam_permit.so in its place. Here is what happens:
- Every service that consults pam_deny.so now loads a module that does exactly what pam_permit.so does, so the step that was meant to reject us now lets us through.
- On Debian-based systems the password check in /etc/pam.d/common-auth is followed by a requisite pam_deny.so line and then a required pam_permit.so line. With the swap, a wrong password falls through to the now-permissive pam_deny.so line and then to pam_permit.so, so the stack ends in success and su and sudo accept any password. How cool is that.
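To see why the swap works, here is an added example written for this page (not part of the original tutorial and not libpam): a small POSIX sh evaluator for a PAM auth stack that models the control flags Debian's default /etc/pam.d/common-auth uses, then runs the wrong-password case before and after the swap. The stack lines and the per-module results ("pass"/"fail") are a constructed model; real PAM runs compiled modules, not these strings.

```shell
#!/bin/sh
# Added example: toy evaluator for a PAM "auth" stack. Not libpam; it only
# models the control flags used by Debian's default /etc/pam.d/common-auth.
# Each line of the stack is "CONTROL RESULT", where RESULT is what the module
# would return ("pass" or "fail") and CONTROL is one of:
#   required                 failure is remembered, later lines still run
#   requisite                failure ends the stack immediately
#   sufficient               pass ends the stack with success unless a
#                            required line already failed
#   success=N,default=ignore pass skips the next N lines; fail is ignored
# Prints PAM_SUCCESS (return 0) or PAM_AUTH_ERR (return 1).
pam_eval() {
    stack=$1
    failed=0   # set once a "required" line has failed
    skip=0     # lines still to skip after a success=N
    while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        if [ "$skip" -gt 0 ]; then
            skip=$((skip - 1))
            continue
        fi
        control=${line%% *}
        result=${line##* }
        case $control in
            required)
                if [ "$result" = fail ]; then failed=1; fi ;;
            requisite)
                if [ "$result" = fail ]; then echo PAM_AUTH_ERR; return 1; fi ;;
            sufficient)
                if [ "$result" = pass ] && [ "$failed" -eq 0 ]; then
                    echo PAM_SUCCESS; return 0
                fi ;;
            success=*)
                n=${control#success=}
                n=${n%%,*}
                if [ "$result" = pass ]; then skip=$n; fi ;;
            *)
                echo "unknown control: $control" >&2; return 2 ;;
        esac
    done <<EOF
$stack
EOF
    if [ "$failed" -eq 0 ]; then echo PAM_SUCCESS; return 0; fi
    echo PAM_AUTH_ERR
    return 1
}

# Debian's default common-auth, with the module results filled in:
#   auth [success=1 default=ignore] pam_unix.so    -> $1: password check result
#   auth requisite                  pam_deny.so    -> $2: "fail" normally,
#                                                     "pass" after the swap
#   auth required                   pam_permit.so  -> always "pass"
common_auth() {
    printf '%s\n' \
        "success=1,default=ignore $1" \
        "requisite $2" \
        "required pass"
}

# Wrong password (pam_unix fails) before and after pam_deny.so is replaced.
for deny in fail pass; do
    printf 'wrong password, pam_deny.so returns %s -> %s\n' \
        "$deny" "$(pam_eval "$(common_auth fail "$deny")")"
done
```

With the real pam_deny.so the wrong-password run stops at the requisite line and returns PAM_AUTH_ERR; once the file holds a copy of pam_permit.so the same run falls through to the final pam_permit.so and returns PAM_SUCCESS, which is exactly what sudo su with a bad password sees after the swap.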
Now we switch to superuser:
user@kali:~$ sudo su
Password:
From here anything root can do, you can do: change passwords, add or remove accounts (including the existing root-level users), and read the pamala directory we were after.
PAM Degradation Defense
PAM degradation is the abuse of incorrect ownership or permissions on the PAM module files to rewrite how the system authenticates users. It is most common on old or hand-configured systems where permissions have drifted from what the distribution ships. The defenses are simple: the module directory and every .so in it must be owned by root and writable by root only (0755 for the directory, 0644 for the modules, which is what the packages install); verify package integrity after any suspected tampering (on Debian-based systems dpkg --verify libpam-modules compares the installed modules against the package's recorded checksums); keep the system updated; and treat a pam_deny.so that is byte-identical to pam_permit.so as a sign of compromise.
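The check that linPEAS did for us in the Getting Around section, and the one a defender runs to confirm the fix above, as an added POSIX sh example written for this page (not the tutorial's own code and not part of PEASS-ng). It assumes GNU find (for -perm /022) and takes the module directory as an argument; the expected owner defaults to root and is a parameter only so the function can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example: audit a PAM module directory for the two conditions behind
# the attack above. This is the manual check behind the linPEAS finding and
# the verification a defender runs afterwards; it is not part of the original
# tutorial or of PEASS-ng.
#   1. The directory and every file in it must be owned by the expected owner
#      (root on a real system) and must not be writable by group or others.
#   2. pam_deny.so and pam_permit.so must differ; identical contents are the
#      fingerprint of the swap.
# Usage: audit_pam_dir DIR [OWNER]
#        e.g. audit_pam_dir /usr/lib/x86_64-linux-gnu/security
# Prints one "BAD: ..." line per finding; returns 0 when clean, 1 otherwise.
audit_pam_dir() {
    dir=$1
    owner=${2:-root}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "BAD: $dir is not a directory"
        return 1
    fi
    # GNU find: -perm /022 matches anything with a group or other write bit set
    weak=$(find "$dir" \( ! -user "$owner" -o -perm /022 \) 2>/dev/null)
    if [ -n "$weak" ]; then
        printf '%s\n' "$weak" | while IFS= read -r f; do
            echo "BAD: weak ownership/permissions: $(ls -ld "$f")"
        done
        rc=1
    fi
    deny=$dir/pam_deny.so
    permit=$dir/pam_permit.so
    if [ -f "$deny" ] && [ -f "$permit" ] && cmp -s "$deny" "$permit"; then
        echo "BAD: pam_deny.so is byte-identical to pam_permit.so (module swap)"
        rc=1
    fi
    return "$rc"
}

# Run directly against this machine's module directory (Debian/Kali path).
if [ -d /usr/lib/x86_64-linux-gnu/security ]; then
    if audit_pam_dir /usr/lib/x86_64-linux-gnu/security; then
        echo "OK: PAM modules look intact"
    fi
fi
```

On a healthy Debian or Kali install the function prints nothing and returns 0; a user-owned directory, a group- or world-writable module, or a pam_deny.so that matches pam_permit.so each produce a BAD line. The byte comparison only catches the exact swap from this page; for anything subtler compare the installed modules against the package checksums as described above.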