Posted on

SetUID privilege escalation in Linux

Hello, aspiring Ethical Hackers. In this article, you will learn how to perform SetUID privilege escalation in Linux. In our previous article, we exploited cron jobs to change the SetUID bit of an executable. What exactly is a SetUID bit?

SETUID stands for Set User ID on execution. When this bit is set on an executable, the program runs with the privileges of the file's owner (root, if root owns the file), which allows a user with low privileges to run that command with higher privileges. The difference between sudo and SETUID is that with sudo you can execute a command with elevated privileges only if the root user has allowed it (in the sudoers configuration), whereas with SETUID the elevation is attached to the executable file itself.

With the concept of SETUID understood, let's see how binaries with the SETUID bit set can be found. One way to find them is with the find command, searching the filesystem for regular files that carry the set-user-ID permission bit.

Here are some examples of gaining root privileges by exploiting programs with the SETUID bit set.

1. bash
2. csh
3. env
4. nice
5. node
6. setarch
7. stdbuf
8. strace
9. taskset
10. tclsh
11. time
12. timeout
13. unshare
14. xargs
15. php
16. expect
17. find
18. python
19. flock
20. gdb
21. ionice
22. logsave
23. make

These are some examples of Linux privilege escalation by exploiting the SETUID bit.
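The defensive counterpart of the find command described above and of the list of abusable binaries is a SUID audit: enumerate every SUID file, compare it with an allow-list of binaries that are expected to be SUID, and flag any whose name is on the known-abusable list. The following Python script is an added example written for this article, not a tool from the original post. It assumes a baseline allow-list of absolute paths supplied by the administrator, and it builds a throwaway demo directory (constructed, not a real system) so that it can be run offline.

```python
import os
import re
import stat
import tempfile

# Programs from the list above: a SUID copy of any of these is a finding,
# because each can be turned into a root shell.
KNOWN_ABUSABLE = {
    "bash", "csh", "env", "nice", "node", "setarch", "stdbuf", "strace",
    "taskset", "tclsh", "time", "timeout", "unshare", "xargs", "php",
    "expect", "find", "python", "flock", "gdb", "ionice", "logsave", "make",
}


def find_suid(root):
    """Return the sorted paths of regular files under `root` with the
    set-user-ID bit set (equivalent to `find ROOT -type f -perm -4000`)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def program_name(path):
    """Basename with a trailing version suffix removed (python3.11 -> python)."""
    return re.sub(r"[\d.]+$", "", os.path.basename(path))


def audit_suid(root, baseline):
    """Compare SUID files under `root` with `baseline` (a set of absolute paths
    expected to be SUID, such as /usr/bin/passwd). Returns two sorted lists:
    files not in the baseline, and files whose program is known-abusable."""
    found = find_suid(root)
    unexpected = [p for p in found if p not in baseline]
    abusable = [p for p in found if program_name(p) in KNOWN_ABUSABLE]
    return unexpected, abusable


def make_demo_tree():
    """Constructed fixture: a temp directory with one expected SUID file
    (passwd), one unexpected SUID copy of python3, and one normal file."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(base, "bin")
    os.mkdir(bindir)
    for name, mode in (("passwd", 0o4755), ("python3", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.chmod(path, mode)  # chmod after the write so the SUID bit survives
    return base, {os.path.join(bindir, "passwd")}


if __name__ == "__main__":
    demo_root, demo_baseline = make_demo_tree()
    unexpected, abusable = audit_suid(demo_root, demo_baseline)
    print("unexpected SUID files:", unexpected)
    print("known-abusable SUID files:", abusable)
```

On a real host you would call `audit_suid("/", baseline)` with a baseline captured from a freshly installed system; anything it reports outside the baseline, and especially anything on the abusable list, is what an attacker following the examples above would look for first.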

Beginners guide to Antivirus

Hello, aspiring ethical hackers. In our previous blog post, you learnt about malware and viruses. In this blog post, you will learn about antivirus. But what is an antivirus?

What is an Antivirus?

Antivirus, also called anti-malware, is software specifically created to detect malware and viruses and stop them from performing malicious actions on a computer or mobile device. It uses several techniques to identify and prevent malware. They are:
1. Signature based detection
2. Heuristic based detection
3. Behavior based detection
4. Sandbox based detection
5. Cloud based detection

1. Signature based detection:

This type of AV detects malware by comparing its code with known malware samples. The samples the anti-malware uses for comparison are known as signatures. These signatures are regularly updated (in most cases, daily) by the anti-malware vendor in order to stay one step ahead of malware. This is the reason why anti-malware needs regular updates.

2. Heuristics based detection:

The problem with signature based detection is that it can only detect malware that is already known. To overcome this problem, most antivirus products nowadays also detect malware using heuristic analysis. In this type of analysis, the antivirus tries to identify malware by examining the code of a program and analyzing its structure.
By doing this, the antivirus tries to simulate running the code and see what it would actually do. If it finds malicious intent in the code, such as the program replicating itself or trying to rewrite itself, it classifies the program as malware. As already mentioned, this is used by almost all modern anti-malware.

3. Behavior based detection:

In behavioral detection, the antivirus watches for suspicious activity in the operating system. If the AV notices that a new program is trying to make changes to the system, such as altering files or running code that communicates with external systems, it flags the program as a virus and blocks it. So instead of scanning the code of the malware, it scans for suspicious activity.

4. Sandbox based detection:

In sandbox detection, the antivirus classifies a program as malware after executing it in a contained environment separated from the operating system. This contained environment is known as a sandbox. If the program performs any suspicious or malicious activity in the sandbox, the antivirus classifies it as malware. This method of detection takes a heavy toll on system resources.

These are the ways in which an antivirus can detect malware, including the payloads we create in penetration testing. There are a few other concepts you need to understand about antivirus.

Results of an Antivirus scan

As soon as a new program or file touches the hard disk, the AV scans it using one or all of the methods explained above and reaches a conclusion. A scan can end in any of the four results given below.

  1. True Positive (TP)
  2. True Negative (TN)
  3. False Positive (FP)
  4. False Negative (FN)

1. True Positive (TP):

When the antivirus detects a truly malicious file as malicious, it is called a True Positive.

2. True Negative (TN):

When the antivirus correctly does not classify a genuine, harmless file as malicious, it is called a True Negative.

3. False Positive (FP):

When a genuine file is flagged as malicious by the antivirus, it is known as a False Positive. A false positive is not a security problem in itself, but it is a frustration and can also cause real damage. For example, in May 2007, Symantec flagged essential operating system files as malicious and deleted them due to faulty virus signatures. This left thousands of PCs unable to boot. Similarly, in October 2011, Microsoft Security Essentials mistakenly flagged the Google Chrome browser as the Zbot banking trojan and removed it.

4. False Negative (FN):

However frustrating and problematic a false positive can be, the most dangerous result of an antivirus scan is a False Negative. This occurs when the antivirus fails to identify a malicious program as malicious and treats it as harmless. Black-hat hacker groups always try to achieve this false-negative result when creating their payloads. A payload that gets this result from AVs is called a FUD (fully undetectable) payload.
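To make the detection methods and the four scan outcomes concrete, here is an added Python example (written for this article, not code from any antivirus vendor). It implements a toy scanner with a signature check (SHA-256 lookup) and one crude heuristic (Shannon entropy, which rises for packed or encrypted code), runs it over a constructed set of labelled samples, and counts TP, TN, FP and FN. The samples, hashes and the 7.5 bits/byte entropy threshold are all assumptions made up for the demonstration; none of the "bad" samples is real malware.

```python
import hashlib
import math
from collections import Counter

# Constructed sample set: name -> (content, truly_malicious). Labelled byte
# strings only; nothing here is real malware.
SAMPLES = {
    "report.txt":    (b"Quarterly figures: revenue up 4%, costs flat.", False),
    "known_bad.bin": (b"CONSTRUCTED-MALWARE-SAMPLE-1", True),
    "packed.bin":    (bytes(range(256)) * 4, True),    # encrypted payload: high entropy
    "archive.zip":   (bytes(range(256)) * 2, False),   # compressed data is high-entropy too
    "novel_bad.bin": (b"CONSTRUCTED-MALWARE-SAMPLE-2 with a plain-text body", True),
}

# Signature database: SHA-256 of samples seen before (constructed).
SIGNATURES = {hashlib.sha256(b"CONSTRUCTED-MALWARE-SAMPLE-1").hexdigest()}

ENTROPY_THRESHOLD = 7.5  # bits per byte; random-looking data approaches 8.0


def signature_match(data):
    """Signature-based detection: exact hash lookup against known samples."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES


def shannon_entropy(data):
    """Bits of entropy per byte; a crude heuristic for packed or encrypted code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_match(data):
    return shannon_entropy(data) > ENTROPY_THRESHOLD


def scan(data):
    """Return (flagged, reason): signature check first, then the heuristic."""
    if signature_match(data):
        return True, "signature"
    if heuristic_match(data):
        return True, "heuristic:high-entropy"
    return False, "clean"


def outcome(flagged, truly_malicious):
    """Map a verdict and the ground truth onto TP / TN / FP / FN."""
    if flagged and truly_malicious:
        return "TP"
    if not flagged and not truly_malicious:
        return "TN"
    return "FP" if flagged else "FN"


def evaluate(samples):
    """Scan every sample and summarise the four outcomes plus the two rates
    a defender cares about: detection rate (TP/(TP+FN)) and false-positive
    rate (FP/(FP+TN)). 'missed' lists the false negatives by name."""
    counts = Counter()
    missed = []
    for name, (data, truly_malicious) in samples.items():
        flagged, _reason = scan(data)
        result = outcome(flagged, truly_malicious)
        counts[result] += 1
        if result == "FN":
            missed.append(name)
    tp, fn, fp, tn = counts["TP"], counts["FN"], counts["FP"], counts["TN"]
    return {
        "counts": dict(counts),
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "missed": missed,
    }


if __name__ == "__main__":
    for name, (data, _truth) in SAMPLES.items():
        print(f"{name:15s} -> {scan(data)}")
    print(evaluate(SAMPLES))
```

Running it shows the trade-off the text describes: the signature catches only the sample it has seen, the entropy heuristic catches the packed payload but also flags the harmless archive (a false positive), and the novel plain-text sample slips through as a false negative, which is exactly the result a FUD payload aims for.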

Linux Privilege Escalation : Cron Jobs

Hello, aspiring ethical hackers. In this article you will learn how to exploit cron jobs for Linux privilege escalation. If you are familiar with the Windows Task Scheduler, you will readily understand what cron is: it is used to schedule jobs or commands in Linux.
For example, suppose you have a Linux server and want to clean a cache once a day. You can do this manually every day or schedule a job to do it daily without your intervention. This is where cron jobs help: you assign a job in cron. Sometimes these jobs are assigned root privileges, and these can be exploited to gain root privileges. Let's see it practically.

For this article, we have a target on which we have already gained a shell. Then I ran the PE.sh privilege escalation script on the target to find ways to elevate privileges on it.

As I scroll down the output of the PE.sh script, we can see that our target has some cron jobs set.

As the output shows, cron jobs can be set to run monthly, daily or hourly. But our job here is not to schedule cron jobs; it is to exploit them. As we scroll down further, we can see the format of a cron job.

The output shows the exact format of a cron job entry: minute first, then hour, day of month, month and day of week. We can see a cron job named /opt/new_year.sh that is scheduled to run at 00:00 on the first day of the first month of every year, that is, on New Year's Day.

But what does * * * * * mean? It means the job is scheduled to run every minute of every hour, every day of the month, every month, on every day of the week. In other words, these jobs run each and every minute. The important thing to notice here is that all these jobs run as the user "root".

Let's manipulate one of these scripts, say /opt/my_script.sh. The target has the SETUID bit set on "dash", one of the shells installed on the system. (We will see in a short while what SETUID is.) This can be seen in the output of the script.

We edit the my_script.sh file to add the command "chmod u-s /bin/dash". This will remove the SETUID bit. Wait for one minute and check /bin/dash again.

The SETUID bit has been removed, which confirms that the script ran as root. Not just that: we can add new users on the target system in the same way.

That's how cron jobs can be exploited for Linux privilege escalation.
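The weakness exploited above is a root cron job whose script can be edited by a non-root user. An administrator can find such jobs before an attacker does by parsing the system crontab (the six-field format explained above: minute, hour, day of month, month, day of week, then the user and the command) and checking the permissions of each root job's script. The following Python script is an added example written for this article, not part of the original post or of PE.sh; it builds a constructed crontab and temp-directory fixture so it runs offline, and it treats group- or world-writable scripts as findings.

```python
import os
import stat
import tempfile

FIELDS = ("minute", "hour", "day_of_month", "month", "day_of_week")


def parse_system_crontab_line(line):
    """Parse one line of /etc/crontab or /etc/cron.d/* (the form with a user
    column). Returns None for blank, comment and VARIABLE=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    if line.startswith("@"):  # @reboot, @daily, ... : no five time fields
        parts = line.split(None, 2)
        if len(parts) < 3:
            return None
        return {"schedule": {"special": parts[0]}, "user": parts[1], "command": parts[2]}
    parts = line.split(None, 6)
    if len(parts) < 7:
        return None
    return {"schedule": dict(zip(FIELDS, parts[:5])), "user": parts[5], "command": parts[6]}


def describe(schedule):
    """Human-readable schedule; '* * * * *' is the every-minute case from the text."""
    if "special" in schedule:
        return schedule["special"]
    if all(schedule[f] == "*" for f in FIELDS):
        return "every minute"
    return " ".join(schedule[f] for f in FIELDS)


def writable_by_others(path):
    """True when the file exists and group or world can modify it."""
    try:
        st = os.stat(path)
    except OSError:
        return False  # missing script is a different problem; not reported here
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(text):
    """Return findings for jobs that run as root whose script file is
    modifiable by non-root users (the condition exploited in the article)."""
    findings = []
    for line in text.splitlines():
        job = parse_system_crontab_line(line)
        if job is None or job["user"] != "root":
            continue
        script = job["command"].split()[0]
        if writable_by_others(script):
            findings.append({"script": script, "when": describe(job["schedule"])})
    return findings


def make_demo_crontab():
    """Constructed fixture: two scripts in a temp dir, one world-writable,
    and a crontab text in the page's format. Returns (text, writable_path)."""
    base = tempfile.mkdtemp(prefix="cron-audit-")
    paths = {}
    for name, mode in (("my_script.sh", 0o777), ("new_year.sh", 0o755)):
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho hello\n")
        os.chmod(path, mode)
        paths[name] = path
    text = "\n".join([
        "SHELL=/bin/sh",
        "# m h dom mon dow user command",
        f"0 0 1 1 * root {paths['new_year.sh']}",    # once a year, not writable
        f"* * * * * root {paths['my_script.sh']}",   # every minute, world-writable
        f"* * * * * alice {paths['my_script.sh']}",  # writable, but not a root job
    ])
    return text, paths["my_script.sh"]


if __name__ == "__main__":
    crontab_text, _writable = make_demo_crontab()
    for finding in audit_crontab(crontab_text):
        print(f"root job {finding['script']} runs {finding['when']} and is writable by others")
```

On a real system you would feed it the contents of /etc/crontab and each file under /etc/cron.d; the fix for any finding is `chmod go-w` on the script (and on the directories leading to it), or moving the script to a root-owned location.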

Bypass Antivirus with AV | ATOR

Hello, aspiring ethical hackers. In this article you will see how to bypass antivirus with AV | ATOR. AV | ATOR is a backdoor generator utility that uses cryptographic and injection techniques to bypass AV detection. The AV in AV | ATOR stands for Anti Virus. Ator is a character from the Italian film series "Ator": a swordsman, alchemist, scientist, magician, scholar and engineer with the ability to sometimes produce objects out of thin air.

ATOR takes C# shellcode as input, encrypts it with AES and generates an executable file. ATOR uses various methods to bypass antivirus. Some of them are:

Portable executable injection: In portable executable injection, malicious code is written directly into the memory of a process (without a file on disk). The code is then executed either by invoking additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement of remapping memory references.

Reflective DLL injection: DLL injection is a technique for running code within the address space of another process by forcing it to load a dynamic-link library. This overcomes the address relocation issue.

Thread execution hijacking: Thread execution hijacking is a technique in which malicious code is injected into an existing thread of a process.

ATOR also has an RTLO option that spoofs an executable file so it appears to have an "innocent" extension like 'pdf' or 'txt'. For example, the file "testcod.exe" will be displayed as "tesexe.doc", and of course we can set a custom icon. ATOR can be run on both Windows and Linux. We need Mono to run ATOR on Linux.
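The RTLO trick works by inserting the Unicode RIGHT-TO-LEFT OVERRIDE character (U+202E) into the name, so that a bidi-aware display draws everything after it reversed while the operating system still sees the real extension. The page's example reads as "tes" + U+202E + "cod.exe", which renders as "tesexe.doc". The Python below is an added example for defenders (my code, not part of ATOR or the original post): it detects bidi control characters in a filename, reports the name as it would be displayed, and recovers the extension the OS actually uses. The rendering is a deliberate approximation (one override, no nesting) that is sufficient for this trick.

```python
import os

# Unicode bidi controls that can make a displayed filename differ from the stored one.
BIDI_CONTROLS = {
    "\u200e", "\u200f",                                   # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",     # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",               # LRI, RLI, FSI, PDI
}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: the character the RTLO trick relies on


def rendered_name(name):
    """Approximate how a bidi-aware file manager shows `name`: the text after
    the first U+202E is drawn reversed. Other controls are left in place."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def true_extension(name):
    """The extension the OS will act on: strip bidi controls, then split."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(cleaned)[1].lower()


def check_filename(name):
    """Return None for a clean name, otherwise a finding with the stored
    name, the name as displayed, the real extension and the controls found."""
    controls = [f"U+{ord(ch):04X}" for ch in name if ch in BIDI_CONTROLS]
    if not controls:
        return None
    return {
        "stored": name,
        "displayed": rendered_name(name),
        "true_extension": true_extension(name),
        "controls": controls,
    }


def suspicious_attachments(names):
    """Filter a list of filenames (e.g. mail attachments) down to the findings."""
    return [f for f in (check_filename(n) for n in names) if f is not None]


if __name__ == "__main__":
    # Constructed samples: the page's example and two harmless names.
    sample = ["tes" + RLO + "cod.exe", "report.pdf", "notes.txt"]
    for finding in suspicious_attachments(sample):
        print(f"displayed as {finding['displayed']!r}, really {finding['true_extension']}"
              f" (controls: {', '.join(finding['controls'])})")
```

A mail gateway or endpoint agent can apply `check_filename` to every attachment or download name; a bidi control inside a filename has no legitimate purpose on a typical network and is a strong, cheap indicator, independent of whatever the executable itself looks like to the antivirus.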

Let's see how to install ATOR in Kali Linux. Clone the ATOR repository from GitHub.

Then unzip the zip archive.

Then, install Mono.

After moving into the extracted directory, you will find an AVIATOR executable. We just need to run it with Mono.

If you want to run ATOR on Windows, you can just download the compiled binaries from GitHub. When you run the executable, the ATOR GUI opens.

Let's see all the options in detail.
1. The encryption key used to encrypt the shellcode. Keep the default if you want.
2. The IV used for AES encryption. Keep the default too.
3. The shellcode, in C# format.
4. Shows the encrypted payload.
5. The location to which the generated executable is to be saved.
6. The available injection techniques.
7. Sets a custom icon for the executable.

Let’s create the shellcode using msfvenom.

Copy the shellcode generated above and paste it in the payload field. Click "Encrypt" to see the encrypted payload in (4). Click (7) to set a custom icon (we are using a PDF icon). Select the path of the executable (5), select the injection technique (6) and click the "Generate EXE" button. Here's the payload.

Before executing it on the target, start a listener on the attacker machine.

As soon as the payload is executed on the target, we get a shell.

See how to bypass antivirus with

Cracking Wifi passwords automatically with Wifite

Hello, aspiring ethical hackers. In this article, you will learn about a tool named Wifite. It is an automatic wireless password cracking tool that tries almost all known methods of wireless cracking, like the Pixie-Dust attack, brute-force PIN attack, NULL PIN attack, WPA handshake capture + offline crack, PMKID hash capture + offline crack and various WEP cracking attacks.
Wifite is installed by default on Kali Linux. Like any wireless password cracking method, Wifite needs monitor mode to be enabled on the wireless interface. It enables monitor mode automatically, but if that fails you can enable it manually.

Let's see how Wifite works in cracking WEP, WPA and WPS enabled networks. Once everything is ready, open a terminal and start Wifite with the command shown below.

wifite

It starts displaying all the wireless networks in your vicinity.

Let's target the access point "Hack_Me_If_You_Can", which has WEP security enabled. Once you have chosen the access point you want to target, hit CTRL + C and enter the number of that access point. In our case it is "1".

As soon as you enter the number of that access point, Wifite tries various attacks against it and grabs its password.

WEP is too easy. Let's see how it fares at cracking a WPA password. We start Wifite as before. Our target is once again "Hack_Me_If_You_Can"; however, it is now secured with WPA.

It starts attacking, employing various methods.

Now, let's target an access point with WPS enabled.

As you can see, Wifite is successful in cracking WEP, WPA and WPS keys automatically without running any complex commands. Learn how to crack Wifi passwords with Besside-ng.