this article about Intrusion Detection for file system changes like modification changing owner extra, for critical files or directories in our environment we using a software called AIDE Advanced Intrusion Detections Environment this software base on a library called mhash this lib used to calculate file hashes and AIDE save the file info inside DB […]
Google Drive & Gmail attachments Leak This part of Google bounty program [IDOR] exploit to allow the attacker to leak your Google Drive files and this mean attacker could leak Gmail attachments that uploaded to Google Drive, Photos you shared with Gmail or any other third party
privilege escalation Linux with flash disk removable media with setUID, setGID files could give privilege escalation example copy nice command to ur flash storage and ask ur friend to print files in his system then run the command nice like
|
1 |
nice whoami |
it will say root the problem occurs from a mounted partition without noexec,nosuid parameter […]
creating a encrypted disk with luks our Little problem here to mount a encrypted disk automatically on boot so no need to enter the pass for mounting but this risky if the machine theft happen because we will use a key inside the system and it will be leaked if our machine stolen so lets […]
Let’s assume u attacked machine with 2 nic cards our IP is 10.0.0.5 first, one ip is 10.0.0.10 that you reach it from and in ifconfig shows, the machine has a different IP 10.0.2.30 you can scan the network 10.0.2.x via meterpreter arp_scan
|
1 |
meterpreter > run arp_scan -r 10.0.2.1-255 |
we can connect to the RDP server of the machine 10.0.2.30 […]
Smash The Stack Level 6
|
1 2 |
level6@io:/levels$ ./level06 a b Hi a |
this app take 2 argument 1 – username 2- password it takes it then say hi also, it checks ur env language and change the msg
|
1 2 3 4 5 6 7 8 |
level6@io:/levels$ export LANG=fr level6@io:/levels$ ./level06 a b Bienvenue a level6@io:/levels$ export LANG=de level6@io:/levels$ ./level06 a b Willkommen a level6@io:/levels$ |
let’s make some love with gdb btw without change ur language, it will not overwrite the EIP
still smashing 😀
|
1 2 3 4 |
level5@io:/levels$ ./level05 level5@io:/levels$ ./level05 a a level5@io:/levels$ |
echo one 😀 let’s see the source code
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
level5@io:/levels$ cat level05.c #include #include int main(int argc, char **argv) { char buf[128]; if(argc < 2) return 1; strcpy(buf, argv[1]); printf("%s\n", buf); return 0; } |
level 4 😀
|
1 2 3 4 5 6 7 |
level4@io:~$ cd /levels/ level4@io:/levels$ ./level04 Welcome level5 level4@io:/levels$ ./level04 d Welcome level5 level4@io:/levels$ ./level04 $(python -c "print 'A' * 1024") Welcome level5 |
so i will read the code
|
1 2 3 4 5 6 7 8 |
int main() { char username[1024]; FILE* f = popen("whoami","r"); fgets(username, sizeof(username), f); printf("Welcome %s", username); return 0; } |
popen to execute whoami
loaded the virtual machine and run netdiscover to get the machine IP
|
1 2 3 4 5 6 7 8 9 10 11 |
oot@n1x:~# netdiscover Currently scanning: 192.168.39.0/16 | Screen View: Unique Hosts 4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor ----------------------------------------------------------------------------- 192.168.1.1 e8:94:f6:5d:c6:3b 01 060 Unknown vendor 192.168.1.2 00:18:fe:6d:61:27 01 060 Hewlett Packard 192.168.1.100 6c:40:08:98:68:d4 01 060 Unknown vendor 192.168.1.112 00:0c:29:fb:62:53 01 060 VMware, Inc. |
x.112 is the target so let’s see what ports available
|
1 2 3 4 5 6 7 8 9 10 11 12 |
root@n1x:~# nmap -sSV -p1-9999 192.168.1.112 Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-01 02:49 EST Nmap scan report for 192.168.1.112 Host is up (0.00019s latency). Not shown: 9996 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0) 25/tcp open smtp Postfix smtpd 80/tcp open http Apache httpd 2.2.22 ((Debian)) MAC Address: 00:0C:29:FB:62:53 (VMware) Service Info: Host: Underdist; OS: Linux; CPE: cpe:/o:linux:linux_kernel |
apache is on 😀 so let’s brute-force the directory in the server
pretty good level I learned a few new stuff so lets hit the game
|
1 2 3 4 |
level3@io:/levels$ ./level03 level3@io:/levels$ ./level03 9 level3@io:/levels$ ./level03 $(python -c "print 'a' * 10000 ") Segmentation fault |
fighting with the app till it crashes and hell yeah we start from fault 😀 so we need to see what’s going on
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 |
level3@io:/levels$ gdb ./level03 (gdb) disassemble main Dump of assembler code for function main: 0x080484c8 <+0>: push %ebp 0x080484c9 <+1>: mov %esp,%ebp 0x080484cb <+3>: sub $0x78,%esp 0x080484ce <+6>: and $0xfffffff0,%esp 0x080484d1 <+9>: mov $0x0,%eax 0x080484d6 <+14>: sub %eax,%esp 0x080484d8 <+16>: movl $0x80484a4,-0xc(%ebp) 0x080484df <+23>: cmpl $0x2,0x8(%ebp) 0x080484e3 <+27>: jne 0x80484fc <main+52> 0x080484e5 <+29>: mov 0xc(%ebp),%eax 0x080484e8 <+32>: add $0x4,%eax 0x080484eb <+35>: mov (%eax),%eax 0x080484ed <+37>: mov %eax,(%esp) 0x080484f0 <+40>: call 0x804839c <strlen@plt> 0x080484f5 <+45>: cmp $0x3,%eax 0x080484f8 <+48>: jbe 0x80484fc <main+52> 0x080484fa <+50>: jmp 0x8048505 <main+61> 0x080484fc <+52>: movl $0x0,-0x5c(%ebp) 0x08048503 <+59>: jmp 0x8048579 <main+177> 0x08048505 <+61>: mov 0xc(%ebp),%eax 0x08048508 <+64>: add $0x4,%eax 0x0804850b <+67>: mov (%eax),%eax 0x0804850d <+69>: mov %eax,(%esp) 0x08048510 <+72>: call 0x804839c <strlen@plt> 0x08048515 <+77>: mov %eax,0x8(%esp) 0x08048519 <+81>: mov 0xc(%ebp),%eax 0x0804851c <+84>: add $0x4,%eax 0x0804851f <+87>: mov (%eax),%eax 0x08048521 <+89>: mov %eax,0x4(%esp) 0x08048525 <+93>: lea -0x58(%ebp),%eax 0x08048528 <+96>: mov %eax,(%esp) 0x0804852b <+99>: call 0x804838c <memcpy@plt> 0x08048530 <+104>: mov 0xc(%ebp),%eax 0x08048533 <+107>: add $0x4,%eax => 0x08048536 <+110>: mov (%eax),%eax 0x08048538 <+112>: mov %eax,(%esp) 0x0804853b <+115>: call 0x804839c <strlen@plt> 0x08048540 <+120>: sub $0x4,%eax 0x08048543 <+123>: mov %eax,0x8(%esp) ---Type <return> to continue, or q <return> to quit--- 0x08048547 <+127>: movl $0x0,0x4(%esp) 0x0804854f <+135>: lea -0x58(%ebp),%eax 0x08048552 <+138>: mov %eax,(%esp) 0x08048555 <+141>: call 0x804835c <memset@plt> 0x0804855a <+146>: mov -0xc(%ebp),%eax 0x0804855d <+149>: mov %eax,0x4(%esp) 0x08048561 <+153>: movl $0x80486c0,(%esp) 0x08048568 <+160>: call 0x80483ac <printf@plt> 0x0804856d <+165>: mov -0xc(%ebp),%eax 0x08048570 <+168>: call *%eax 0x08048572 <+170>: movl $0x0,-0x5c(%ebp) 0x08048579 <+177>: mov -0x5c(%ebp),%eax 0x0804857c <+180>: leave 0x0804857d <+181>: ret End of assembler dump. |