old notes

i take one breath / mint at a time

#UofTBootCamp #classwork #linux #permissions #users #groups #su #sudo #less #more #shellbreaking #shellexploit #exploit #escapeexploit

Running commands from inside of less with sudo access

If a user may run less via sudo (sudo less <file>), typing !bash at the less prompt spawns a shell as the user less is running as, i.e. root. The same applies to more, vi and any other pager or editor that can run shell commands, so granting these via sudo is equivalent to granting a root shell.

sudo

sudo and su basics

su: substitute user identity.
sudo: execute a command as another user (root by default).

sudo -l lists the allowed/forbidden commands for the invoking user (or for another user with -U, which itself requires root). If a command is given as an argument, sudo -l <command> checks whether it is permitted and prints the fully-qualified path to it.

sudo -lU <user> to check whether a given user can run sudo at all (needs root), OR sudo -nv as that user: -v validates credentials and -n refuses to prompt, so it fails immediately if the user has no sudo rights or a password would be required.

Updating the /etc/sudoers file with visudo (visudo syntax-checks the file before saving; a broken sudoers can lock everyone out of sudo)

sudo visudo to open the file. The line

john ALL=(ALL:ALL) /usr/bin/apt, /usr/bin/less

gives john access to run apt and less as root.

Syntax for /etc/sudoers

The first field is the user allowed (john). The first ALL is the hosts (ALL, as in all machines). (ALL:ALL) in parentheses is the user and group the command may be run as. The last field is the comma-separated list of commands allowed. Drop-in files in /etc/sudoers.d/ use the same syntax.
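To check a sudoers file for exactly the kind of escape route described above, here is an added example (mine, not from the bootcamp notes) that parses user specs in this syntax and flags entries granting ALL or a binary from which a shell can be spawned. It reads sudoers text passed as a string; the embedded SAMPLE_SUDOERS is constructed, and the SHELL_ESCAPERS list is a deliberately short assumption (less, more, vi, vim), not a complete list.

```sh
# Constructed sudoers fragment for the demo (not copied from any real host).
SAMPLE_SUDOERS='# User privilege specification
root    ALL=(ALL:ALL) ALL
john    ALL=(ALL:ALL) /usr/bin/apt, /usr/bin/less
sally   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
%sudo   ALL=(ALL:ALL) ALL
Defaults env_reset'

# Binaries that hand out a shell once running as root (!bash in less/more, :!bash in vi).
# Assumed short list for the demo; extend it for real audits.
SHELL_ESCAPERS='less more vi vim'

# sudoers_entries TEXT -> one "user<TAB>runas<TAB>commands" line per user/group spec,
# skipping comments, blank lines and Defaults.
sudoers_entries() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^Defaults/ { next }
        {
            user = $1
            line = $0
            sub(/^[^=]*=/, "", line)                  # drop "user host="
            runas = "ALL"
            if (match(line, /^\([^)]*\)/)) {          # optional (runas_user:runas_group)
                runas = substr(line, 2, RLENGTH - 2)
                line = substr(line, RLENGTH + 1)
            }
            sub(/^[[:space:]]*/, "", line)
            sub(/^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):[[:space:]]*/, "", line)
            print user "\t" runas "\t" line
        }'
}

# risky_sudoers TEXT -> "user: reason" for every entry that grants ALL or a shell-escaping binary
risky_sudoers() {
    sudoers_entries "$1" | while IFS="$(printf '\t')" read -r user runas cmds; do
        if [ "$cmds" = "ALL" ]; then
            echo "$user: ALL commands as ($runas)"
            continue
        fi
        printf '%s\n' "$cmds" | tr ',' '\n' | while read -r c; do
            c=${c%% *}                                # keep the binary, drop its arguments
            base=${c##*/}
            for e in $SHELL_ESCAPERS; do
                if [ "$base" = "$e" ]; then
                    echo "$user: $c can spawn a shell as ($runas)"
                fi
            done
        done
    done
}
```

Against a real host run risky_sudoers "$(sudo cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null)". User_Alias/Cmnd_Alias definitions and include lines are not expanded here, so treat the output as a starting point for reading the file, not a verdict.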

Activity 1

Determine what sudo activities the sysadmin user has using sudo -lU sysadmin:

(ALL : ALL) ALL, meaning that the sysadmin user can run all commands as any user (including root) on all hosts.

Record what access each user on the machine has:

Find all real users:

grep -E '^UID_MIN|^UID_MAX' /etc/login.defs to find the range for the real users on the machine.

getent passwd {1000..6000} to display only those users.

However, this does not tell us what commands each user can effectively run, because I would now have to manually search each one and then save that into a file.

Display all users:

awk -F':' '{ print $1 }' /etc/passwd OR compgen -u

Display all members of the sudo group (users can also be granted sudo directly in /etc/sudoers, see below):

getent group sudo | cut -d: -f4

grep '^sudo:.*$' /etc/group | cut -d: -f4

Find the user who has sudo access to the less command

sudo grep less /etc/sudoers /etc/sudoers.d/* (the file is root-only, mode 0440, so cat /etc/sudoers | grep less fails without sudo; drop-ins in /etc/sudoers.d must be checked too)

Switch to Root

sudo su root (or sudo -i, which also loads root's login environment)

Check for users or groups

grep <user or group name> /etc/passwd or /etc/group

Users and Groups

UID of 1000 or above (UID_MIN) = standard user; lower UIDs are system accounts

groups or groups <user> prints the groups your user (or <user>) belongs to

id prints the UID, primary GID and all groups with their GIDs

sudo usermod -L <user> to lock the account

sudo gpasswd -d <user> <group> to remove a user from a group (sudo usermod -G replaces the whole supplementary group list, so using it to remove one group means listing all the others)

sudo deluser --remove-home <user> to remove

--remove-home flag removes the home folder, too

sudo usermod -aG <group> <user> to add a user to a group (-a appends; without it -G overwrites the existing group list)

Activity 2

1. Use a command to display your ID info.

2. Use the same command to display the ID info for each user on the system.

– In case you forgot, how can you learn what these usernames are? – Record the output from this series of commands to a new file in your research folder.

3. Print the groups that you and the other users belong to.

– Record the output from this series of commands to a new file in your research folder.

– Hint: Are there any users that shouldn't be there?

5. Make sure you have a copy of the home folder for any rogue users and then remove any users from the system that should not be there. Make sure to remove their home folders as well.

Hint: Remember from the first activity, the only standard users that should be on the system are: admin, adam, billy, sally and max.

  1. Verify that all non-admin users are part of the group developers.
    • If the developers group doesn't exist, create it and add the users.
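One way to record that access in a repeatable way, as an added example that is not part of the bootcamp material: the functions below read passwd/group data in /etc/passwd and /etc/group format (a constructed sample is embedded; point them at the real files with "$(cat /etc/passwd)") and report the real-user range, the members of a group, users missing from an allow-list, and non-admin users not in developers. The allow-list names (admin, adam, billy, sally, max) are taken from the activity hint; everything else in the sample is made up.

```sh
# Constructed sample of /etc/passwd and /etc/group (not from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
adam:x:1001:1001::/home/adam:/bin/bash
billy:x:1002:1002::/home/billy:/bin/bash
sally:x:1003:1003::/home/sally:/bin/bash
max:x:1004:1004::/home/max:/bin/bash
jack:x:1005:1005::/home/jack:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

SAMPLE_GROUP='root:x:0:
sudo:x:27:admin,jack
developers:x:1010:adam,billy,sally
admin:x:1000:
jack:x:1005:'

# real_users PASSWD UID_MIN UID_MAX -> usernames whose UID lies in [UID_MIN, UID_MAX]
real_users() {
    printf '%s\n' "$1" | awk -F: -v lo="$2" -v hi="$3" '$3 >= lo && $3 <= hi { print $1 }'
}

# group_members GROUP NAME -> comma-separated member list of group NAME
group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { print $4 }'
}

# rogue_users PASSWD UID_MIN UID_MAX "allowed names" -> real users not on the allow-list
rogue_users() {
    allowed=" $4 "
    for u in $(real_users "$1" "$2" "$3"); do
        case "$allowed" in
            *" $u "*) ;;
            *) echo "$u" ;;
        esac
    done
}

# missing_from_group PASSWD UID_MIN UID_MAX GROUPFILE GROUP SKIP
#   -> real users (other than SKIP) that are not listed as members of GROUP
missing_from_group() {
    members=",$(group_members "$4" "$5"),"
    for u in $(real_users "$1" "$2" "$3"); do
        [ "$u" = "$6" ] && continue
        case "$members" in
            *",$u,"*) ;;
            *) echo "$u" ;;
        esac
    done
}
```

On the VM the UID bounds come from grep -E '^UID_MIN|^UID_MAX' /etc/login.defs, so the real call is rogue_users "$(cat /etc/passwd)" 1000 60000 "admin adam billy sally max". Note that a user's primary group (field 4 of passwd) is not listed in /etc/group's member column, which is why the check skips the admin account rather than expecting it in developers.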

#nmap #netstat #netcat #ncat #telnet #tcpdump #curl #wireshark #bannercapture

nmap: networking mapper/port scanner that reports what it is able to connect to

USAGE:
  • when you want to know about open ports on a remote system
  • when you want further info about the service listening on each port
  • when you need a second opinion about listening ports

netstat: network statistics / diagnostic that reports what the kernel knows about listening sockets and established connections

USAGE:
  • what is listening on your local machine?
  • process or interface/address info for each port
  • ONLY IF you trust the OS to give the correct answer (if you've been hacked, a rootkit can make the OS lie to netstat about what really is going on)

netcat: port scanning, banner grabbing, file transfer

  • open ports, send packets, receive packets
  • file transfer, sending custom requests to services (SMTP, HTTP), tunneling
  • handles lower OSI layers of connection so user can manipulate upper layers as needed; banners are at application layer

ncat: nmap's reimplementation of netcat ("concatenate and redirect sockets")

telnet

tcpdump

wireshark

Follow-Up Questions

  • why are banners application-level?
  • nc vs nmap usage cases for banner capture

#linux #networking #router #automation #bash #python #ruby

The suggestion from my tutor was to "write an automation script that goes into my router and pulls the logs from the router logs to system logs and then scans them for any occurrences of nmap and sends the results to me in an email. Possibly filtering by priority?"

To Research

Router Access

  • does my router have logs accessible
  • can my router easily transfer those logs to my system logs or do I have to manually do that?

System logs

  • where is the appropriate place to put them?

Cron job

  • set it up where?

Email server

  • can I send it directly to my thundermail client or does it have to go through gmail?

Additional Practice

  • redo this assignment using my linux machine?
  • redo in py?
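Since the point of the tutor's suggestion is spotting scans in router logs, here is an added example (not part of the assignment) of the scanning step only: a function that reads iptables-style DROP lines and reports any source address that probed at least N distinct destination ports, which is what an nmap port scan looks like from the router's side. The log lines are constructed, and the field names (SRC=, DPT=) assume the netfilter log format; adapt the awk if your router logs differently.

```sh
# Constructed router log lines in netfilter/syslog style (not real traffic).
SAMPLE_ROUTER_LOG='Jan  3 20:31:01 router kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=41244 DPT=22
Jan  3 20:31:01 router kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=41245 DPT=80
Jan  3 20:31:01 router kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=41246 DPT=443
Jan  3 20:31:02 router kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=41247 DPT=3389
Jan  3 20:31:02 router kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=41248 DPT=8080
Jan  3 20:35:10 router kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.168.1.10 PROTO=TCP SPT=55000 DPT=22
Jan  3 20:35:11 router kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.168.1.10 PROTO=TCP SPT=55001 DPT=22
Jan  3 20:36:00 router dhcpd: DHCPACK on 192.168.1.23 to aa:bb:cc:dd:ee:ff'

# scan_sources LOG THRESHOLD -> "SRC count" for every source that hit >= THRESHOLD distinct ports.
# Counting distinct destination ports per source (not packets) separates a port sweep
# from a client retrying a single closed port.
scan_sources() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /SRC=/ && /DPT=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' | sort
}
```

Feed it real data with scan_sources "$(journalctl -k --no-pager)" 5 or "$(cat /var/log/router.log)" 5, and pipe the result into mail -s 'scan report' you@example.invalid (placeholder address) from the cron job; the mail delivery part is the piece still listed under "Email server" above.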

#networking #ifconfig #ip #loopback #nic

  • Use the -v verbose flag to provide type info on some interfaces: ifconfig -v en6

Relevant terms

NIC: Network Interface Cards:

  • circuit board required for computer to connect over a network.
  • wired/wireless, across LAN or large-scale network via IP
  • physical layer + data link layer device
  • internal/external:

LAN vs WAN vs The Internet

LAN: Local Area Network: communications between devices in a single location such as a school, hospital or institution

WAN: Wide Area Network: interconnects multiple LANs to allow shared access to apps, services and other centrally located resources, i.e. connecting enterprise headquarters, branch offices, facilities, cloud, etc. Eliminates the need to install the same application server, firewall or other resource in multiple locations.

The Internet: global communication system, including hardware and infrastructure, using TCP/IP to transmit data via various media types between networks. Connected by guided (copper), wireless and fibre-optic technology.

World Wide Web is one of the services communicated over the internet.

Internet Services: include communication services (mail, mailing list, telnet, IM), information retrieval services (FTP, Gopher, Archie, VERONICA), Web services (app interaction), Video Conferencing.


lo0 = loopback interface: lets server and client processes on a single system communicate with each other without touching the NIC. Also known as 127.0.0.1 or localhost (::1 for IPv6).

Using ifconfig lo0 to examine this gives me:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	nd6 options=201<PERFORMNUD,DAD>

So I tried to ping 127.0.0.1 and it was successful, implying that the TCP/IP software stack on my machine is successfully loaded and working.

The loopback is used for troubleshooting or when “a server offering a resource you need is running on your own machine”, i.e. running a webserver.

gif0

is a “generic tunnelling device for IPv4 and IPv6”. Virtual.

stf0

interface supporting 6to4, an internet transition mechanism for migrating from IPv4 to IPv6 via encapsulation (can tunnel IPv6 traffic over IPv4).

enX where X is a num

refers to physical network interfaces. en0 is the first one; on a Mac laptop it is the Wi-Fi card. The rest are (likely) Thunderbolt interfaces on macOS.

ap1

???

awdl0

is the Apple Wireless Direct Link, the peer-to-peer Wi-Fi link used by AirDrop and AirPlay

llw0

bridge0

Thunderbolt bridge for transferring files over cable between two Macs.

utunX where X is a num

are user-space tunnel interfaces: created by VPN clients and by Apple's own services that link devices on the same iCloud account.


Follow-Up Questions

  • what is the scopeid?
  • why is the mac address written in hex?
  • what is the Skywalk system?

#UofTBootCamp #classwork #linux #processes #ps #grep #awk

Given a VM with a shady user running a shady script...

List all processes running in real time

top for finding running processes in real time

lsof -u jack for finding jack's open files/processes
lsof | grep jack for highlighting
ps aux | grep jack

How many tasks have been started on the host?

ps aux | wc -l (counts the header line too, so subtract one)
ps aux | grep jack | wc -l
^ not great because grep has not filtered out occurrences of jack elsewhere in the command lines, and the grep process itself shows up

ps -eo user | grep jack | wc -l
-o allows you to specify the output format; -e selects all processes, including those of other users

ps -U jack -u jack u every process running as jack (real and effective ID) in user format?

How many are these are sleeping?

ps -U jack -u jack u | awk '{if ($8 ~ /^[SD]/) print $0}' | wc -l (1 process is sleeping)
The STAT column in BSD user format carries extra flags (Ss, S+, S<), so match on the first letter rather than testing $8=="S".

ps -eo user,state | awk '{if ($2=="S" || $2=="D") print $1,$2}' | wc -l

Which process uses the most memory?

ps -eo user,pid,cmd,%cpu,%mem --sort=-%mem | head -20

Search all running processes by a specific user

ps -eo user,pid,state,cmd | awk '{if ($1=="root" && $3=="R") print $0}'
(state is listed before cmd because cmd contains spaces and would shift the field numbers; testing $1 instead of piping through grep root avoids matching "root" inside command lines)

ps -U root -u root u | awk '{if ($8 ~ /^R/) print $0}'

BONUS:

List all processes with a TTY terminal

ps -t
ps -eo pid,tty,cmd | grep pts

Identify the ID of suspicious processes:

ps -eo pid,user,tty,cmd | awk '/str.sh/{print $0}' – returns the matches including the awk command process

ps -eo pid,user,tty,cmd | awk '/[s]tr.sh/{print $0}' – adding the [] around the first character will avoid matching the awk command itself

ps -t | grep "[s]tr.sh" | awk '{print $0}'

WHY DOESN'T A WILDCARD WORK HERE?????

ps -t | grep "*.sh" |
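As an added example (not from the classwork), here are the same questions answered over a fixed ps snapshot so the logic can be checked without a live VM. The SAMPLE_PS text is constructed to look like ps -eo user,pid,tty,stat,%mem,cmd output; the functions match STAT by its first letter (Ss, S+ and S< are all sleeping), pick the largest %MEM, and search the command column the way the [s]tr.sh trick does.

```sh
# Constructed `ps -eo user,pid,tty,stat,%mem,cmd` snapshot (not from a real host).
SAMPLE_PS='USER       PID TT       STAT %MEM CMD
root         1 ?        Ss    0.1 /sbin/init
root       412 ?        S<    0.0 [kworker/0:1H]
jack      1503 pts/0    Ss    0.2 -bash
jack      1588 pts/0    S+    0.0 /bin/bash ./str.sh
jack      1590 pts/0    R+    0.3 sleep 3600
sally     1601 pts/1    Ss    0.2 -bash
root      1700 ?        Z     0.0 [defunct]'

# count_sleeping PS USER -> number of USER's processes whose STAT begins with S or D
# (interruptible or uninterruptible sleep); trailing flags like s, +, < are ignored.
count_sleeping() {
    printf '%s\n' "$1" | awk -v u="$2" 'NR > 1 && $1 == u && $4 ~ /^[SD]/ { n++ } END { print n + 0 }'
}

# top_mem PS -> "USER PID CMD" of the process with the highest %MEM (first word of CMD only)
top_mem() {
    printf '%s\n' "$1" | awk 'BEGIN { max = -1 }
        NR > 1 && $5 > max { max = $5; line = $1 " " $2 " " $6 }
        END { print line }'
}

# find_cmd PS PATTERN -> PIDs whose full command line (fields 6..NF) matches PATTERN.
# On a live system pass "[s]tr.sh" so the search does not match its own command line.
find_cmd() {
    printf '%s\n' "$1" | awk -v pat="$2" 'NR > 1 {
        cmd = ""
        for (i = 6; i <= NF; i++) cmd = cmd (i > 6 ? " " : "") $i
        if (cmd ~ pat) print $2
    }'
}
```

Run it live with count_sleeping "$(ps -eo user,pid,tty,stat,%mem,cmd)" jack. The PATTERN argument is an awk regex, not a shell glob, which is also why grep "*.sh" does not behave like a wildcard: in a regex * repeats the preceding atom and there is none.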


About Me

#whoami #cv #extendedcv #favouritebooks #philosophy #email #me #at #yffenim@protonmail.com #guaranteed #slow #reply


CTF Learning Journey

#bandit #overthewire #hackthebox #leviathan


Infosec Concept Notes and Cheatsheets

#threatmodeling


UofT Cybersecurity Bootcamp

#UofTBootcamp #classwork #homework #classwork


Homelab Experimentations

#brainstorm #config_1


Searchable Tags by Topic

#ssh #nmap #nc #git #grep #awk #ps


Other Careers

#activism #poetry #prose #fiction #literature #movementtherapy #personaltraining

#git #gitlog #gittag #gitshow #repo #ssh

Bandit 28: Reverting to an older Git Commit

We have a cloned repo that contains the file README.md. Inside it says:

- username: bandit29 - password: xxxxxxxx

Clearly the password has been removed in our current version of the repo. The stated purpose of .git is version control, so it stands to reason that we can easily check whether previous commits exist by viewing git log:

commit edd935d60906b33f0619605abd1689808ccdd5ee
Author: Morla Porla <morla@overthewire.org>
Date:   Thu May 7 20:14:49 2020 +0200

    fix info leak

commit c086d11a00c0648d095d04c089786efef5e01264
Author: Morla Porla <morla@overthewire.org>
Date:   Thu May 7 20:14:49 2020 +0200

    add missing data

commit de2ebe2d5fd1598cd547f4d56247e053be3fdc38
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:49 2020 +0200

    initial commit of README.md

So I decided to try to reverse back to the initial commit using git reset --hard HEAD~1

Received the result: HEAD is now at c086d11 add missing data

Checked my README.md file and voilà! Ze password iz mine!!

Bandit 29

Same as previous bandit. We are given a repo and inside the README.md are the following credentials:

  • username: bandit30
  • password:

I started poking around the .git directory and found this in ORIG_HEAD that looks interesting:

208f463b5b3992906eabf23c562eda3277fea912

Since it looks like a git commit hash, I tried reverting to it, and found nothing. Then I noticed that the packed-refs file also contained some git commit hashes:

# pack-refs with: peeled fully-peeled
bc833286fca18a3948aec989f7025e23ffc16c07 refs/remotes/origin/dev
208f463b5b3992906eabf23c562eda3277fea912 refs/remotes/origin/master
786d5bea2bd2dcbed2c8896a310c3c5306bc713c refs/remotes/origin/sploits-dev

Another way I could have accessed this info would be using the git show-ref command to check for all git references in local repo.

I then reset git to origin/dev and checked the README, and yes! Password found!

git reset --hard bc833286fca18a3948aec989f7025e23ffc16c07
HEAD is now at bc83328 add data needed for development

Bandit LV30: Searching an “empty” repo for clues

#git #gitlog #gitshow

Similar to the last two levels, we are given a repo, only this time it's EMPTY save for the README.md that just has this hilarious message: just an epmty file... muahaha < MIS-SPELLED AND ALL! I laughed.

Then I tried the usual suspects:

git log gives us just the initial commit of README.md — not helpful:

commit 3aefa229469b7ba1cc08203e5d8fa299354c496b
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:54 2020 +0200

    initial commit of README.md

I tried git show which describes the HEAD commit by default:

commit 3aefa229469b7ba1cc08203e5d8fa299354c496b
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:54 2020 +0200

    initial commit of README.md

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..029ba42
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@

This does look like there was a new README.md file created, the useless one. Not sure how helpful this is?

Decided to poke around the repo references again: less ./.git/packed-refs

# pack-refs with: peeled fully-peeled
3aefa229469b7ba1cc08203e5d8fa299354c496b refs/remotes/origin/master
f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret

This secret tag is interesting. Git tags are a reference point to a specific moment in git history, and an annotated tag is its own object with a message that can hold data of its own. Both can be inspected with the command syntax: git show <tag>

So I tried git show f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea

And the password onwards appeared!
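Pulling the three levels together, here is an added example (my own, not the bandit solution files) that builds a throwaway repo with the same shape: a secret committed and then removed in a "fix info leak" commit, a dev branch carrying its own secret, and an annotated tag whose message holds a third one. find_secrets then searches every commit reachable from any ref (git grep over git rev-list --all) plus commit and tag messages, which covers all three hiding places without resetting the working tree. It needs git on the PATH; every secret value is a fake placeholder string.

```sh
# build_demo_repo DIR -> throwaway repo: a secret committed then "fixed", a dev branch with
# its own secret, and an annotated tag whose message holds a third. All values are fake.
build_demo_repo() (
    rm -rf "$1" && mkdir -p "$1" && cd "$1" || exit 1
    git init -q .
    git config user.name demo
    git config user.email demo@example.invalid
    printf 'username: bandit29\npassword: not-a-real-password-1\n' > README.md
    git add README.md && git commit -q -m "add missing data"
    printf 'username: bandit29\npassword: xxxxxxxx\n' > README.md
    git commit -q -am "fix info leak"
    git tag -a secret -m "secret: not-a-real-password-2"   # lives only in the tag object
    git checkout -q -b dev
    printf 'dev password: not-a-real-password-3\n' > notes.md
    git add notes.md && git commit -q -m "add data needed for development"
    git checkout -q -                                      # back to the original branch
)

# find_secrets DIR PATTERN -> unique lines matching PATTERN in any file of any commit reachable
# from any branch or tag, plus commit messages and annotated-tag messages.
find_secrets() (
    cd "$1" || exit 1
    {
        # file contents across the whole history; git grep prints "<commit>:<path>:<line>"
        git grep -e "$2" $(git rev-list --all) 2>/dev/null | sed -E 's/^[0-9a-f]+:[^:]*://' || true
        git log --all --format=%B | grep -e "$2" || true
        git for-each-ref --format='%(contents)' refs/tags | grep -e "$2" || true
    } | sort -u
)
```

On a level repo, find_secrets ~/repo password lists every place the string ever appeared; git show-ref afterwards tells you which branch or tag to git show for the surrounding context.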

#threathunting #log

What is threat-hunting? An overview of terms.

As defined by NIST: Threat-hunting is "the proactive searching of organization systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organization responses."

IOC (Indicators of Compromise) can be defined as “pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.” IOC can be network-based or Host-based. Beginners might use IOC lists

FQDN: Fully Qualified Domain Name.

Threat-hunting as a hypothesis-based method

  • come up with ideas/questions and go prove it right or wrong
  • need a baseline of “normal” to be able to detect abnormal behaviour esp for “behavioural analysis” but you would not need such analysis when hunting for user downloading files from the internet (for example).
  • proxy traffic threat hunting example: look at URI, regex off the file name and extension, stack analysis, etc.
  • When is baselining useful? net.exe or net1.exe abuse cases.

Follow-up Questions

Why is “DNS over HTTPS” not real security?

  • C2 acts like DNS server
  • looks for specific queries
  • system is impersonated
  • looks up info, local system checks for caches, finds nothing so it goes to the internet
  • goes to evil site
  • asks question of evil site, response contains... EVIL ???

What is TTL?

  • DNS TTL = how long a resolver may cache a record before asking again. A shorter time means faster propagation of changes; longer times are usually used for stable, reputable resource hosting sites like libraries and reference sites.

What is DMZ?

  • perimeter network (part of old sec model?)

Detection for C2

  • auto-encoders
  • neural nets
  • datamash to find “c2 channel jitter”?
  • rotate FQDN to multiple C2 servers
  • MOOBIX? rotating c2 from multiple
  • Domain fronting – IP addresses shifting
  • a mail server can be a C2 – “SSL interception breaks things”?
  • CDN?

What to look for in Threat Hunting Analysis:

  • session size
  • unexpected protocol use, i.e. too many FQDNs
  • detect C2 over DNS: capture all DNS traffic, filter, extra text/size/count, review total FQDN

How to track?

  • external IP tracking
  • internal IP tracking

Other follow-up Questions:

  • Supply chain attacks: Sunburst. SolarWinds binaries were digitally signed even though they contained malicious code, meaning that application allow-listing based on signatures does not help here.

#bash #scripting #nc #networking #ports

What we know:

  • There is an open and listening port (30002) that will send back the password if it receives the current lv password + correct pin

What to do with this knowledge:

Attempt 1: I tried writing a script that iterates through 0000-9999, combines each number with the current level's password, and then sends each line to the port:

#!/bin/bash
start=0000
count=9999

while [ $start -lt $count ]
do
    echo "current password $start" | nc localhost 30002
    ((start++))
done

Mistakes Made:

Unfortunately, my loop never stopped looping...

I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space. Wrong! Please enter the correct current password. Try again. Timeout. Exiting. I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space. Wrong! Please enter the correct current password. Try again.

FOLLOW UP ON WHY

Attempt 2: Breaking it down more

This time I decided to separate the problem into two parts:

Script 1: Create a list of possible password + pin combos

#!/bin/bash
touch list.txt

for i in {0000..9999}
do
    echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" >> list.txt
done

Script 2: Iterate through my list.txt and send each one to the listening daemon with nc

#!/bin/bash
# Send every line of list.txt to the listener over a single connection;
# the daemon answers each line, so there is no need to reconnect per candidate.
while read -r line
do
    echo "$line"
done < list.txt | nc localhost 30002

And voilà!

#bandit #bash #scripting #permissions #cron

What we know:

  • We will be writing a shell script
  • This shell script is removed once executed, meaning that there is likely a script that will remove our script
  • The script file that the cronjob relevant to this level is located here: /usr/bin/cronjob_bandit24.sh and contains:

#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done

What to do with what we know:

First, let's understand the cronjob_bandit24.sh script:

  1. #!/bin/bash indicates which program will interpret the script, in this case bash (Bourne Again Shell).

  2. A variable is initialized with the result of the whoami command. (To verify that the current user is bandit23, I ran the whoami command inside of the directory where the script is located.) The script then changes into a directory named after this variable: /var/spool/<myname>. Since cron runs this job as bandit24, that directory is /var/spool/bandit24.

  3. A loop runs over every file in this directory, and for each entry that is not . or .. it (1) saves the file's owner from the stat command into the variable owner, (2) checks whether the owner is bandit23 and if so (3) executes the file (./$i, so the file must be executable) with a 60-second timeout (timeout -s 9 60 sends SIGKILL if it runs longer), and then (4) deletes the file regardless of who owned it.

(There's more but these are the most crucial steps to understand for our goals.)

So I attempted to navigate to the bandit23 directory (/var/spool/bandit23/) and received the error message that: -bash: cd: bandit23: No such file or directory

Going back one step into /var/spool/, I discovered that bandit24 exists as a directory. What does this mean?

Mistake 1: Checking Permissions

I thought that the /usr/bin/cronjob_bandit24.sh permissions could be checked from running whoami from the /usr/bin directory in which the file was found. Of course this is not true because whoami checks the current user and not the file. I knew this but I didn't pause to consider what exactly I was checking for when I mindlessly ran whoami. This error is silly, I should have been more mindful as to exactly what I am asking the computer to do in every command I make.

So to check the owner of the script in question, I ran: ls -alh cronjob_bandit24.sh

-rwxr-x--- 1 bandit24 bandit23 376 May 14 2020 cronjob_bandit24.sh

This means the script cronjob_bandit24.sh belongs to owner bandit24 and group bandit23. Now it makes sense that /var/spool/bandit23/ did not exist.

Back on track

I navigated into bandit24 directory and attempted to make a temporary directory only to discover that tmp already existed. (ls was denied.) Inside of tmp, I create a script that copies the password file from where it's located into where I can access it as bandit23.

#!/bin/bash
cp /etc/bandit_pass/bandit24 /tmp/emin/pass

Then I created the directory tmp/emin/ and the file pass.

I moved a copy of the script into the relevant directory (/var/spool/bandit24) and waited for my password to appear in /tmp/emin/pass but it never did!!

MISTAKE 2: Permissions Denied

I tried to execute my script myself using the command:

bash /var/spool/bandit24/tmp/lumpo.sh (yes, that's my script name..) and received the error message:

cat: /etc/bandit_pass/bandit24: Permission denied

I wasn't sure where exactly the error was triggered: was it the execution of the cat command on the original password file or was it the act of writing it onto the file I created? So I decided to check permissions on the files:

My script file is owned by bandit23. My script is run by a server-provided script (/usr/bin/cronjob_bandit24.sh) owned by bandit24.

It needs to read a file owned by bandit24 and write its contents into the file I created and therefore owned by bandit23. This means that the file owned by bandit24 must have permissions for user bandit24 to read its contents and the file I created must have permissions for user bandit24 to write its contents. The assumption I'm making is that because my script file is run by another script file owned by bandit24, it will belong to that user? FOLLOW UP

Checking permissions for the original password file: ls -alh /etc/bandit_pass/bandit24 gives me this information:

-r-------- 1 bandit24 bandit24 33 May 7 2020 /etc/bandit_pass/bandit24

I know that each file or directory has three permission types: read, write, execute. According to the Linux docs:

The first character is the special permission flag that can vary. The following set of three characters (rwx) is for the owner permissions. The second set of three characters (rwx) is for the group permissions. The third set of three characters (rwx) is for the all-users permissions. Following that grouping, the integer displays the number of hard links to the file. The last piece is the owner and group assignment formatted as Owner:Group.

An example: _rwxrwxrwx 1 owner:group

So we can conclude that since the original password file can be read by the owner that runs it, this is not the source of the problem.

Checking permissions on my file ls -alh /tmp/emin/pass gives:

-rw-r--r-- 1 bandit23 root 0 Jan 3 20:38 /tmp/emin/pass

This means that only the owner (bandit23) can read and write to this file. Otherwise, it is read-only.

So I ran chmod 777 on the file which gives full permission to access the file and verify that it is so: ls -alh /tmp/emin/pass

-rwxrwxrwx 1 bandit23 root 0 Jan 3 20:38 /tmp/emin/pass

Now if I try the script again, it should work! ALAS IT DID NOT!!!!!

Now questioning whether the permissions for the directory containing the file needed also to be changed? So I ran the same chmod 777 command recursively from the /tmp/emin directory.

STILL DIDN'T WORK!!!!

The only other file that does not have full permissions and that I have the ability to change is my script. So I changed it to full permissions and it worked. But why?

What is the difference between this file having full permissions: -rwxrwxrwx 1 bandit23 bandit23 59 Jan 3 20:35 lumpo.sh

Vs. read-only permissions? -rw-r--r-- 1 bandit23 bandit23 59 Jan 3 21:33 lumpo.sh

Remember that this file contains the script that copies the password from the bandit24 file to my file: cp /etc/bandit_pass/bandit24 /tmp/emin/pass

Why would my script need write permissions?! This doesn't make sense...
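What the cron loop actually requires of the dropped file is the execute bit, not write permission: timeout -s 9 60 ./$i execs the file directly, so a -rw-r--r-- script cannot be run even by its owner (exec fails with "Permission denied"), while cp's read of /etc/bandit_pass/bandit24 is done by the executing user, bandit24, and is fine. chmod 777 happened to add that execute bit. The added example below (mine, not part of the level) re-implements the loop and runs it over a temporary spool containing one non-executable and one executable script, which is a safe way to confirm the behaviour before dropping anything into /var/spool/bandit24.

```sh
# run_spool SPOOL OWNER -> re-implementation of the loop in cronjob_bandit24.sh:
# every entry in SPOOL owned by OWNER is executed (with a 60 s timeout) and then deleted,
# exactly as "./$i" does; files without the execute bit fail with "Permission denied".
run_spool() {
    for i in "$1"/* "$1"/.*; do
        name=${i##*/}
        if [ "$name" = "." ] || [ "$name" = ".." ] || [ ! -e "$i" ]; then
            continue
        fi
        owner=$(stat --format %U "$i" 2>/dev/null || stat -f %Su "$i")   # GNU stat, BSD fallback
        if [ "$owner" = "$2" ]; then
            if command -v timeout >/dev/null 2>&1; then
                timeout -s 9 60 "$i" || echo "$name: exit status $?" >&2
            else
                "$i" || echo "$name: exit status $?" >&2          # no coreutils timeout available
            fi
        fi
        rm -f "$i"
    done
}

# demo_exec_bit -> "ran=<scripts that produced output> left=<files remaining in the spool>"
# Builds a throwaway spool with one mode-644 and one mode-755 script owned by the current user.
demo_exec_bit() {
    tmp=$(mktemp -d)
    mkdir "$tmp/spool"
    printf '#!/bin/sh\necho noexec >> %s\n' "$tmp/out" > "$tmp/spool/noexec.sh"
    printf '#!/bin/sh\necho exec >> %s\n' "$tmp/out" > "$tmp/spool/exec.sh"
    chmod 644 "$tmp/spool/noexec.sh"      # -rw-r--r--, the mode lumpo.sh had at first
    chmod 755 "$tmp/spool/exec.sh"        # execute bit set, as after chmod 777
    run_spool "$tmp/spool" "$(id -un)" 2>/dev/null
    ran=$(cat "$tmp/out" 2>/dev/null | tr '\n' ' ')
    left=$(ls -A "$tmp/spool" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "ran=${ran% } left=$left"
}
```

Only the 755 script leaves a trace in the output file, and both files are removed afterwards, which matches the "executing and deleting" message the real job prints. The minimum mode that works for the dropped script is therefore 700 (owner read and execute), and 777 is wider than needed.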

Follow-up Questions:

  • What are the usage differences between a (POSIX) shell and bash?
  • Why did cp fail but mv and cat work? Are there permissions blocking copying files on this server? Likely.

What I learned:

PERMISSIONS COME FIRST.