Posted on

PwnKit : Explained with POC

Hello aspiring ethical hackers. In this article, you will learn how to use PwnKit to elevate privileges on a Linux system. But first things first. What exactly is polkit?

Polkit is a component that controls system-wide privileges in Unix-like operating systems. Put simply, it provides an organized way for non-privileged processes in Linux to communicate with privileged processes. Known earlier as PolicyKit, it’s name was changed to polkit since version 0.105 which was released in April 2012 to emphasize the rewritten component and changed API.

In Linux, you use SUDO to usually execute commands with privileges of a root user. However, it can also be done with polkit by using command pkexec. But the fact is SUDO is more preferred as it is more easily configurable.

So how is this polkit exploited to elevate privileges on a Linux system. A memory corruption vulnerability PwnKit (CVE-2021-4034) was discovered in the pkexec command (which is installed on all major Linux distributions). The vulnerability is present in polkit since the original release of 2009.

The vulnerable targets include but may not be limited to Red Hat 8, Fedora 21, Debian Testing ‘Bullseye” and Ubuntu 20.04. Most of the systems would have now received patches but any OS with no updates should still be vulnerable.

The version of polkit installed can be checked as shown below.

Polkit 1

We are testing it on Debian Testing 11.2 (BullsEye). There is another command apart from “pkexec” to interact with polkit from the command line. It is “dbus-send”. It is a general purpose tool used mainly for testing but installed by default on systems that use D-Bus. For example, on a Linux system, D-Bus can be used to create a new user named “hackercool” as shown below.

dbus-send –system –dest=org.freedesktop.Accounts –type=method_call –print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:hackercool string:”blackhat Account” int32:1

This is as simple as that. This command will manually send a dbus message to the accounts daemon to create a new user named “hackercool” with a description of “blackhat Account” and will make the new user a member of SUDO group (as we set the int32:1 flag). Then all that’s left is setting the password to the newly created user.

But before we do any of this, we need to check the time taken to run the above command? This can be done by prepending the time command to the above command as shown below.

Polkit 4

It takes almost 7 seconds to execute this command. But wait, why do we need to check the time taken to execute this command? Because we have to kill it at the correct time. Once again why we need to kill it? Well, here’s the answer.

When you run the above command (without time) and terminate it after some time and then polkit asks dbus-daemon for the connection, dbus-daemon correctly returns an error. Here’s where polkit goes wrong. Instead of rejecting the request it treats the request as it came from root process and viola we have an authentication bypass.

However, the timing of the vulnerability is very difficult to detect. Hence we need to kill the command after over half time. Why? it seems polkit asks d-bus daemon for the terminated connection multiple times on different codepaths. Almost all the codepaths handle it correctly except one. We are looking for this one codepath. So if we terminate the command early, privilege escalation may not work correctly.

I hope everything is explained. Now, let’s get into practical exploitation. So what I want to do is run the same command as we ran above to create a new user named “hackercool” but this time killing the process after 5 seconds. As the command takes 7 seconds to complete, I have chosen to terminate this command after 5 seconds. i.e almost more than half time.

Polkit 5

As you can see in the image below, a new user named “hackercool” is created and added into SUDO group.

Polkit 8

Now, all we have to do is create a password for this user. Note that we have to create a SHA-512 hash. This can be done using OPenssl. Once the hash is created use the dbus-send command once again but this time to create the password for this newly created user. This can be done as shown below.

dbus-send –system –dest=org.freedesktop.Accounts –type=method_call –print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'<SHA-512 HAsh’ string:’Ask the pentester’ & sleep 5s; kill $!

pwnkit

It’s done. Let’s login as the new user.

Polkit 9
Polkit 10

As you can see, we successfully elevated privileges on a target system by creating a new user. To learn Real World Ethical Hacking, Please subscribe to our Monthly Magazine.

Posted on

WordPress Reverse Shell : Multiple Methods

Hello aspiring Ethical Hackers. In this article you will learn about multiple WordPress reverse shell methods. As you all might already know, WordPress is a popular open source Content Management System (CMS) based on PHP and MySQL or MariaDB as database. It was released in year 2003.

SInce then, it grew out to be one of the most popular CMS around the world. It is used as blogging software, membership site and online store etc. WordPress is used by over 60 million websites.

In this article we will show you how to gain a reverse shell on a WordPress website once we have the credentials of the website. This is a comprehensive collection methods to gain reverse shell on WordPress.

This Tutorial assumes that you have already acquired WordPress credentials and can access the WordPress dashboard.

Wp Shell 1 1024x425
Wp Shell 2a 1024x464

1. Reverse Shell Through Vulnerable Plugins

One of the reasons for the popularity of the WordPress CMS is its plugins. WordPress plugins are additional extensions that are used to extend the functionality of the WordPress CMS. WordPress has over 58,559 plugins. Sometimes these vulnerable plugins are the reason attackers get a reverse shell on the WordPress target.
There are many vulnerable plugins which can be downloaded from websites like Exploit Database. We will use one such WordPress plugin Responsive Thumbnail slider version 1.0. This version of the plugin has an arbitrary file upload vulnerability which is used to upload malicious payload into the website. Since this target doesn’t have this vulnerable plugin installed, let’s upload this plugin ourselves and activate it.

Wp Shell 2 1024x492
Wp Shell 3 1024x530

Once the plugin is uploaded and activated, Metasploit can be used to exploit this vulnerable plugin. Start Metasploit and load the wp_responsive_thumbnail_slider_upload module as shown below.

Wp Shell 4

Use check command to confirm if the target is indeed vulnerable.

Wp Shell 6

After setting the credentials and executing the module, a meterpreter session on the target is gained.

Wp Shell 7

Here’s another famous wordpress plugin that can be exploited.

2. Reverse Shell Through Editing WordPress Theme

WordPress Themes enhance the look of the WordPress websites. The content of these theme can be edited to upload a reverse shell on the target. For this tutorial, we will upload the infamous C99 webshell. Here’s more about c99 web shell.

Wp Shell 9 1024x512
Wp Shell 10 1024x507

Here’s the 404.php page of the theme has been edited to copy the code of the C99 web shell into that page. Once the edited file is saved all that is needed to be done is visiting that page.

Wp Shell 11 1024x277

With C99 shell on the target website, there are a host of options to lay with.

3. Reverse Shell Through Uploading A Malicious Plugin

Uploading a malicious plugin is another way of gaining a reverse shell on a WordPress website. Github has many options of these WordPress malicious plugins. Let’s use one of them named malicious wordpress plugin that can be downloaded from here.

Wp Shell 15

After navigating into the “malicious-wordpress-plugin” directory, execute the wordpwn.py script. It will show the usage of the script.

wordpress reverse shell

Execute the script again by setting the LHOST, LPORT and by enabling the handler option. i.e the “Y” option. This will start a Metasploit handler.

Wp Shell 17
Wp Shell 18

By this time, a new file named “malicious.zip” is created in the “malicious-wordpress-plugin” directory.

Wp Shell 19

Upload this plugin into WordPress and activate it just like any other plugin.

Wp Shell 20 1024x307
Wp Shell 21 1024x304
Wp Shell 22 1024x345

This newly uploaded web shell can be accessed from two URLs given below

http://(target)/wp-content/plugins/malicious/wetw0rk_maybe.php
http://(target)/wp-content/plugins/malicious/QwertyRocks.php

In this specific instance, the web shell got executed by visiting the first URL. This will give us a meterpreter session on the already listening handler.

Wp Shell 23
Wp Shell 24

4. Reverse Shell Through Metasploit Framework

Here is another simple method to gain a reverse shell. Metasploit Framework has a module that uploads a reverse shell as payload once the WordPress credentials are known.

Start Metasploit and load the exploit/unix/webapp/wp_admin_shell_upload module.

Wp Shell 25
Wp Shell 26

Set all the required options that includes credentials and execute the module.

Wp Shell 27
Wp Shell 28

This will give us a meterpreter session successfully. These are the four common methods through which a reverse shell can be achieved on the WordPress. Now, you decide Which is your favorite method of gaining a reverse shell on WordPress?

Posted on

SetUID privilege escalation in Linux

Hello, aspiring Ethical Hackers. In this article, you will learn how to perform SetUID privilege escalation in Linux. In our previous article, we have exploited cron jobs to change SetUID bit of an executable. What exactly is a SetUID bit?

SETUID stands for Set User ID on execution. This allows a user with low privileges to run a command with higher privileges. The difference between SUDO and SETUID is that in SUDO you can execute a command only if the root user can do it.

With the concept of SETUID understood, let’s see how binaries with SETUID bit set can be found. One way to find them is by using find command as shown below.

setuid privilege escalation


Here are some examples of gaining root privileges by exploiting programs with SETUID bit set.

1. bash

Emp116

2. csh

Emp117

3. env

Emp117 1

4. nice

Emp119

5. node

Emp120

6. setarch

Emp121

7. stdbuf

Emp122

8. strace

Emp123

9. taskset

Emp124

10. tclsh

Emp125

11. time

Emp126

12. timeout

Emp127

13. unshared

Emp128

14. xargs

Emp129

15. php

Emp130

16. expect

Emp131

17. find

Emp132

18. python

Emp133

19. flock

Emp134

20. gdb

Emp135

21. ionice

Emp136

22. logsave

Emp137

23. make

Emp138

These are some examples of linux privilege escalation by exploiting SETUID bit.

Posted on

Linux Privilege Escalation : Cron Jobs

Hello aspiring Ethical hackers. In this article you will learn how to exploit Cron jobs for Linux Privilege Escalation. If you are familiar with Windows Task Scheduler you will readily understand what cron is. Yes, it is used to schedule jobs or commands in Linux.
For example you have a Linux server and want to clean cache regularly once a day. You can do this manually everyday or schedule a job to do this daily without your intervention. Here’s where cron jobs assist you. You can assign a job in cron. Sometimes these jobs are assigned with root privileges and these can be exploited to gain root privileges. Let’s see it practically.

For this article, we have a target on which we already gained a shell. Then I ran the PE.sh privilege escalation script on the target to find ways to elevate privileges on the target.

As I scroll down the output of our PE.sh file, we can see our target has some cron jobs set.

linux privilege escalation with cron jobs
Emp106i
Emp107

As you can see in the above images, we can set cron jobs monthly, daily or hourly. But our job here is to not schedule cron jobs. It is to exploit them. As we scroll down further, we can see the format of a cron job.

Emp108

In the above image, you can see the exact format of a cron job. It is minutes first, hours, day of month, month and day of week. We can see a cron job named /opt/new_year.sh that is scheduled to run at the 00:00 time of first day of the first month of every year. That is the occasion of New Year.

But what does * * * * * mean? It means these cron jobs are scheduled to run every minute of every hour of every day of the week (i.e daily) , every month. That typically means these jobs run each and every minute. The important thing to notice here is that all these jobs are running as user “root”.

Let’s manipulate one the these scripts, let’s say /opt/my_script.sh. We have a SETUID bit set on “dash” shell, one of the shells installed on the target system.(We will see in a short while what SETUID is). This can be seen in the image below.

Emp111

We are editing the my_script.sh file with a command “chmod u-s /bin/dash”. This will remove the SETUID bit. Wait for one minute and check the /bin/dash command.

Emp112

The SETUID bit is removed. Not just that, we can add new users on the target system as shown below.

Emp114

That’s how cron jobs can be exploited for linux privilege escalation.

Posted on

Bypass Antivirus with AV | ATOR

Hello aspiring Ethical Hackers. In this article you will see how to bypass Antivirus with AV | ATOR. AV | Ator is a backdoor generator utility that uses cryptographic and injection techniques to bypass AV detection. The AV in AV | Ator stands for Anti Virus. Ator is character from the Italian Film Series “Ator” who is a swordsman, alchemist, scientist, magician, scholar and engineer with the ability to sometimes produce objects out of thin air.

ATOR takes C# shellcode as input, encrypts it with AES encryption and generates an executable file. ATOR uses various methods to bypass Anti Virus. Some of them are,

Portable executable injection : In portable executable injection, malicious code is written directly into a process (without a file on disk). Then, this code is executed by either invoking additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references.

Reflective DLL Injection : DLL injection is a technique used for running code within the address space of another process by forcing it to load a dynamic-link library. This will overcome the address relocation issue.

Thread Execution Hijacking : Thread execution hijacking is a process in which malicious code is injected into a thread of a process.

ATOR also has RTLO option that spoofs an executable file to look like having an “innocent” extension like ‘pdf’, ‘txt’ etc. E.g. the file “testcod.exe” will be interpreted as “tesexe.doc” and of course we can set a custom icon. ATOR can be run on both Windows and Linux. We need Mono to run ATOR on Linux.

Let’s see how to install ATOR in Kali Linux. Clone the ATOR repository from Github as shown below.

AVIATOR 1

Then unzip the zip archive.

AVIATOR 2

Then, Install Mono as shown below.

AVIATOR 3

After moving into the extracted directory, there will be an AVIATOR executable. We just need to run it with Mono.

AVIATOR 4

If you want to run ATOR in Windows, you can just download the compiled binaries from Github . When you run the executable, the ATOR GUI opens.

bypass antivirus with AV | ATOR

Let’s see all the options in detail.
1. It contains the encryption key that is used to encrypt the shellcode. Keep it default if you want.
2. It contains the IV used for AES encryption. Keep it default too.
3. Shellcode in C# format.
4. It will show the encrypted payload.
5. The location to which the generated executable is to be saved.
6. Various Injection techniques.
7. Set a Custom Icon to the executable.

Let’s create the shellcode using msfvenom.

AVIATOR 5
AVIATOR 6
AVIATOR 7

Copy the shellcode generated above and paste it in the payload column. Click on “Encrypt” to see the encrypted payload in (4). Click on (7) to set a custom icon (we are using pdf icon). Select the path of the executable (5) and select the injection technique (6) and click on “Generate EXE” button. Here’s the payload.

AVIATOR 9

Before executing it on the target, start a listener on the attacker machine.

AVIATOR 10

As soon the payload is executed on the target, we will have a shell as shown below.

AVIATOR 11

See how to bypass antivirus with