Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-21 20:23:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [#3184] No subject

Browse source
This commit is contained in:
CPol 2022-05-07 19:19:13 +00:00 committed by gitbook-bot
parent 06e3bda49a
commit ed75eb1335
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
7 changed files with 72 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
SUMMARY.md
View file

@ -108,8 +108,8 @@
* [Socket Command Injection](linux-hardening/privilege-escalation/socket-command-injection.md)
* [Wildcards Spare tricks](linux-hardening/privilege-escalation/wildcards-spare-tricks.md)
* [Linux Active Directory](linux-hardening/privilege-escalation/linux-active-directory.md)
* [Useful Linux Commands](linux-hardening/useful-linux-commands.md)
* [Bypass Linux Shell Restrictions](linux-hardening/bypass-linux-shell-restrictions/README.md)
* [Useful Linux Commands](linux-hardening/useful-linux-commands/README.md)
* [Bypass Linux Shell Restrictions](linux-hardening/useful-linux-commands/bypass-bash-restrictions.md)
* [DDexec](linux-hardening/bypass-linux-shell-restrictions/ddexec.md)
* [Linux Environment Variables](linux-hardening/linux-environment-variables.md)

2
generic-methodologies-and-resources/pentesting-methodology.md
View file

@ -98,7 +98,7 @@ Specially in Windows you could need some help to **avoid antiviruses**: \[Check
If you have troubles with the shell, you can find here a small **compilation of the most useful commands** for pentesters:
* [**Linux**](../linux-hardening/useful-linux-commands.md)
* [**Linux**](../linux-hardening/useful-linux-commands/)
* [**Windows (CMD)**](../windows-hardening/basic-cmd-for-pentesters.md)
* [**Winodows (PS)**](../windows-hardening/basic-powershell-for-pentesters/)

55
linux-hardening/bypass-linux-shell-restrictions/ddexec.md
View file

@ -16,11 +16,66 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
## Context
In Linux in order to run a program it must exist as a file, it must be accessible in some way through the file system hierarchy (this is just how `execve()` works). This file may reside on disk or in ram (tmpfs, memfd) but you need a filepath. This has made very easy to control what is run on a Linux system, it makes easy to detect threats and attacker's tools or to prevent them from trying to execute anything of theirs at all (_e. g._ not allowing unprivileged users to place executable files anywhere).
But this technique is here to change all of this. If you can not start the process you want... **then you hijack one already existing**.
This technique allows you to **bypass common protection techniques such as read-only, noexec, file-name whitelisting, hash whitelisting...**
## Dependencies
The final script depends on the following tools to work, they need to be accessible in the system you are attacking (by default you will find all of them everywhere):
```
dd
bash | zsh | ash (busybox)
head
tail
cut
grep
od
readlink
wc
tr
base64
```
## The technique
If you are able to modify arbitrarily the memory of a process then you can take over it. This can be used to hijack an already existing process and replace it with another program. We can achieve this either by using the `ptrace()` syscall (which requires you to have the ability to execute syscalls or to have gdb available on the system) or, more interestingly, writing to `/proc/$pid/mem`.
The file `/proc/$pid/mem` is a one-to-one mapping of the entire address space of a process (_e. g._ from `0x0000000000000000` to `0x7ffffffffffff000` in x86-64). This means that reading from or writing to this file at an offset `x` is the same as reading from or modifying the contents at the virtual address `x`.
Now, we have four basic problems to face:
* In general, only root and the program owner of the file may modify it.
* ASLR.
* If we try to read or write to an address not mapped in the address space of the program we will get an I/O error.
This problems have solutions that, although they are not perfect, are good:
* Most shell interpreters allow the creation of file descriptors that will then be inherited by child processes. We can create a fd pointing to the `mem` file of the sell with write permissions... so child processes that use that fd will be able to modify the shell's memory.
* ASLR isn't even a problem, we can check the shell's `maps` file or any other from the procfs in order to gain information about the address space of the process.
* So we need to `lseek()` over the file. From the shell this cannot be done unless using the infamous `dd`.
### In more detail
The steps are relatively easy and do not require any kind of expertise to understand them:
* Parse the binary we want to run and the loader to find out what mappings they need. Then craft a "shell"code that will perform, broadly speaking, the same steps that the kernel does upon each call to `execve()`:
* Create said mappings.
* Read the binaries into them.
* Set up permissions.
* Finally initialize the stack with the arguments for the program and place the auxiliary vector (needed by the loader).
* Jump into the loader and let it do the rest (load libraries needed by the program).
* Obtain from the `syscall` file the address to which the process will return after the syscall it is executing.
* Overwrite that place, which will be executable, with our shellcode (through `mem` we can modify unwritable pages).
* Pass the program we want to run to the stdin of the process (will be `read()` by said "shell"code).
* At this point it is up to the loader to load the necessary libraries for our program and jump into it.
**Check out the tool in** [**https://github.com/arget13/DDexec**](https://github.com/arget13/DDexec)****
<details>

4
linux-hardening/privilege-escalation/escaping-from-limited-bash.md
View file

@ -146,8 +146,8 @@ wget http://127.0.0.1:8080/sudoers -O /etc/sudoers
[https://gtfobins.github.io](https://gtfobins.github.io/\*\*]\(https/gtfobins.github.io)\
**It could also be interesting the page:**
{% content-ref url="../bypass-linux-shell-restrictions/" %}
[bypass-linux-shell-restrictions](../bypass-linux-shell-restrictions/)
{% content-ref url="../useful-linux-commands/bypass-bash-restrictions.md" %}
[bypass-bash-restrictions.md](../useful-linux-commands/bypass-bash-restrictions.md)
{% endcontent-ref %}
## Python Jails

19
linux-hardening/useful-linux-commands.md → linux-hardening/useful-linux-commands/README.md
View file

@ -1,4 +1,4 @@
# Useful Linux Commands
<details>
@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
# Common Bash
## Common Bash
```bash
#Exfiltration using Base64
@ -135,7 +134,7 @@ sudo chattr +i file.txt
sudo chattr -i file.txt #Remove the bit so you can delete it
```
# Bash for Windows
## Bash for Windows
```bash
#Base64 for Windows
@ -157,7 +156,7 @@ python pyinstaller.py --onefile exploit.py
i686-mingw32msvc-gcc -o executable useradd.c
```
# Greps
## Greps
```bash
#Extract emails from file
@ -239,7 +238,7 @@ grep -Po 'd{3}[s-_]?d{3}[s-_]?d{4}' *.txt > us-phones.txt
egrep -a -o "\bISBN(?:-1[03])?:? (?=[0-9X]{10}$|(?=(?:[0-9]+[- ]){3})[- 0-9X]{13}$|97[89][0-9]{10}$|(?=(?:[0-9]+[- ]){4})[- 0-9]{17}$)(?:97[89][- ]?)?[0-9]{1,5}[- ]?[0-9]+[- ]?[0-9]+[- ]?[0-9X]\b" *.txt > isbn.txt
```
# Nmap search help
## Nmap search help
```bash
#Nmap scripts ((default or version) and smb))
@ -248,14 +247,14 @@ locate -r '\.nse$' | xargs grep categories | grep 'default\|version\|safe' | gre
nmap --script-help "(default or version) and smb)"
```
# Bash
## Bash
```bash
#All bytes inside a file (except 0x20 and 0x00)
for j in $((for i in {0..9}{0..9} {0..9}{a..f} {a..f}{0..9} {a..f}{a..f}; do echo $i; done ) | sort | grep -v "20\|00"); do echo -n -e "\x$j" >> bytes; done
```
# Iptables
## Iptables
```bash
#Delete curent rules and chains
@ -288,8 +287,6 @@ iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
```
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -305,5 +302,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

4
linux-hardening/bypass-linux-shell-restrictions/README.md → linux-hardening/useful-linux-commands/bypass-bash-restrictions.md
View file

@ -159,8 +159,8 @@ You could use **burpcollab** or [**pingb**](http://pingb.in) for example.
If you are inside a filesystem with the **read-only and noexec protections** there are still ways to **execute arbitrary binaries**. One of them is by the use of **DDexec**, yo can find an explanation of the technique in:
{% content-ref url="ddexec.md" %}
[ddexec.md](ddexec.md)
{% content-ref url="../bypass-linux-shell-restrictions/ddexec.md" %}
[ddexec.md](../bypass-linux-shell-restrictions/ddexec.md)
{% endcontent-ref %}
## References & More

6
pentesting-web/command-injection.md
View file

@ -46,7 +46,7 @@ ls; id # ; Chain commands
### Bypasses
If you are trying to execute **arbitrary commands inside a linux machine** you will be interesting in read about this [**WAF bypasses**](../linux-hardening/bypass-linux-shell-restrictions/).
If you are trying to execute **arbitrary commands inside a linux machine** you will be interesting in read about this [**WAF bypasses**](../linux-hardening/useful-linux-commands/bypass-bash-restrictions.md).
### **Examples:**
@ -134,8 +134,8 @@ powershell C:**2\n??e*d.*? # notepad
#### Linux
{% content-ref url="../linux-hardening/bypass-linux-shell-restrictions/" %}
[bypass-linux-shell-restrictions](../linux-hardening/bypass-linux-shell-restrictions/)
{% content-ref url="../linux-hardening/useful-linux-commands/bypass-bash-restrictions.md" %}
[bypass-bash-restrictions.md](../linux-hardening/useful-linux-commands/bypass-bash-restrictions.md)
{% endcontent-ref %}
## Brute-Force Detection List