Living off the Land (LOTL) involves the abuse of native tools and processes on systems, especially living off the land binaries, often referred to as LOLBins, to blend in with normal system activities and operate discreetly with a lower likelihood of being detected or blocked because these tools are already deployed and trusted in the environment.
0x01. Living off the Land
Living off the Land,按照信达雅的翻译可以理解为“靠山吃山,靠水吃水” :P
几个收集此类信息的网站如下:
- Unix - https://gtfobins.github.io/
- Windows - https://lolbas-project.github.io/
- macOS - https://www.loobins.io/
- Windows Drivers - https://www.loldrivers.io/
最后一个(Windows 驱动)和 BYOVD 是一个意思,即 Bring Your Own Vulnerable Driver,目前恶意软件常用的提权方式之一。DefCon 27 上有个专门讲怎么挖掘和利用第三方驱动程序漏洞的议题《Defcon 27: Get off the Kernel if you can’t Drive》。
CISA (Cybersecurity and Infrastructure Security Agency) 防御指引:
- Identifying and Mitigating Living Off the Land Techniques
- Identifying and Mitigating Living Off the Land Techniques - PDF
0x02. ssh-keygen 提权案例
参考:Leveraging ssh-keygen for Arbitrary Execution (and Privilege Escalation)
并不是说 ssh-keygen
本身存在提权问题,而是说在可以以 root
权限运行该程序的场景下(比如 sudoers
配置、SUID 设置等),可以利用该程序来加载指定的动态库(-D
选项)。
$ man ssh-keygen |
原文提到了两种思路:
- 在目标机器上搜索一个可以
exec /bin/sh
的候选动态库,然后通过十六进制编辑器、反汇编器(Ghidra 或 IDA)、patchelf 等,对其进行 Patch 操作 - 自己写一个(只需要写一个
constructor
函数即可),本地交叉编译后上传