Living Off the Land Techniques

Living off the Land (LOTL) involves the abuse of native tools and processes on systems, especially living off the land binaries, often referred to as LOLBins, to blend in with normal system activities and operate discreetly with a lower likelihood of being detected or blocked because these tools are already deployed and trusted in the environment.

0x01. Living off the Land

Living off the Land, rendered idiomatically into Chinese, can be understood as "靠山吃山, 靠水吃水" (live off the mountain if you live by a mountain, off the water if you live by the water) :P

A few sites that collect this kind of information:

  1. Unix - https://gtfobins.github.io/
  2. Windows - https://lolbas-project.github.io/
  3. macOS - https://www.loobins.io/
  4. Windows Drivers - https://www.loldrivers.io/

The last one (Windows drivers) is the same idea as BYOVD, Bring Your Own Vulnerable Driver, currently one of the privilege-escalation methods commonly used by malware. DEF CON 27 had a talk dedicated to finding and exploiting vulnerabilities in third-party drivers: "Defcon 27: Get off the Kernel if you can't Drive".


CISA (Cybersecurity and Infrastructure Security Agency) defensive guidance:

  1. Identifying and Mitigating Living Off the Land Techniques
  2. Identifying and Mitigating Living Off the Land Techniques - PDF

0x02. ssh-keygen privilege-escalation case

Reference: Leveraging ssh-keygen for Arbitrary Execution (and Privilege Escalation)

This is not to say that ssh-keygen itself has a privilege-escalation flaw. Rather, in a scenario where the program can be run as root (for example through a sudoers entry or a SUID bit), it can be made to load a caller-specified shared library via the -D option, and that library's code then runs with root privileges.

$ man ssh-keygen
SSH-KEYGEN(1) BSD General Commands Manual SSH-KEYGEN(1)

NAME
ssh-keygen — OpenSSH authentication key utility

SYNOPSIS
[...]
ssh-keygen -D pkcs11
[...]
-D pkcs11
Download the public keys provided by the PKCS#11 shared library pkcs11.
When used in combination with -s, this option indicates that a CA key
resides in a PKCS#11 token (see the CERTIFICATES section for details).
[...]

The original article describes two approaches:

  1. Search the target machine for a candidate shared library that can exec /bin/sh, then patch it using a hex editor, a disassembler (Ghidra or IDA), patchelf, and so on
  2. Write one yourself (a single constructor function is enough), cross-compile it locally, and upload it
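From the defender's side, the signal worth alerting on is ssh-keygen loading a PKCS#11 library from outside the system library directories, especially when it runs with root privileges. The following Python script is an added example (not code from the original post or the referenced article) that runs this check over a few constructed process-execution records; the record format, TRUSTED_LIB_DIRS and find_suspicious are assumptions made for the example.

```python
import os
import re
import shlex

# Constructed sample records (not from the original post), one exec per line:
#   <timestamp> uid=<uid> euid=<euid> cmd=<command line>
SAMPLE_LOG = """\
2024-01-01T10:00:01 uid=1000 euid=1000 cmd=ssh-keygen -t ed25519 -f /home/alice/.ssh/id_ed25519
2024-01-01T10:00:02 uid=1000 euid=0 cmd=sudo ssh-keygen -D /tmp/libpkcs11.so
2024-01-01T10:00:03 uid=0 euid=0 cmd=ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
2024-01-01T10:00:04 uid=1000 euid=0 cmd=/usr/bin/ssh-keygen -s ca -D /dev/shm/x.so
"""

# Assumed set of directories from which a PKCS#11 provider is expected to be loaded.
TRUSTED_LIB_DIRS = ("/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/", "/usr/local/lib/")
LINE_RE = re.compile(r"^(\S+) uid=(\d+) euid=(\d+) cmd=(.*)$")


def pkcs11_library(argv):
    """Return the library path given to -D (separate or glued, as getopt allows), or None."""
    for i, arg in enumerate(argv):
        if arg == "-D" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-D") and len(arg) > 2:
            return arg[2:]
    return None


def find_suspicious(log_text):
    """Flag ssh-keygen -D loads whose library lives outside TRUSTED_LIB_DIRS."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, uid, euid, cmd = m.groups()
        argv = shlex.split(cmd)
        if argv and argv[0] == "sudo":          # look at the program sudo launches
            argv = argv[1:]
        if not argv or os.path.basename(argv[0]) != "ssh-keygen":
            continue
        lib = pkcs11_library(argv)
        if lib is None or lib.startswith(TRUSTED_LIB_DIRS):
            continue
        findings.append({"ts": ts, "uid": int(uid), "lib": lib,
                         "privileged": euid == "0", "cmd": cmd})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

On a real host the same check can be fed from auditd execve records or sudo logs; reviewing sudoers entries and SUID bits that let ssh-keygen run as root removes the precondition altogether.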