Penetration With BackTrack - Engaged!

Offensive Security - PWB course

 Start date: 11-08-13

Dear Readers,

It has been a while since I posted something.

I am now official started on this course which I had in mind for over 2 years. This was my dream. The dream came to reality. I am looking forward to give it my all and complete this in 60 days.

 I will soon do a little update again.

Keep in touch.

/T1m3

Exploitation - Testing environment

Well I messed a little bit around with some shellcoding atm,
and tested things in my Virtual Environment - Got a Shell, but because of the Effective User ID is set to r3verse, is on purpose, since I wanted to see the function in action.

Anyways -
Success on SHELL by using Netcat to enstablish a TCP bind socket connection on port 31337.

Using a program I used from AoE, I managed to get a shell enstablished.

As image shows bellow.

Newly exploited Tinyweb server, and got r00t access! =)

Took a bit of time to figure out, but while I was calculating about how large my NOP sled should be and allign the 78-byte shellcode, since the buffer was 500 bytes I knew that I had a chance to get control over the program execution - and thereby exploited the web server! ...  It's a good day!

AoE - Started & recent coding projects

Dear readers,

I have begun on reading The Art of Exploitation, and I love reading every bit, while doing something pratical, as in follow in the book, and complete the exploits my self on the distro I have gotten from the book I bought.

I already love this book :) - and by that I mean, every page!
I wonder why I didn't start reading this earlier on.. but anyways, I will complete this book and will post some useful information regarding exploit development.

A little example of my first program I did examine memory in x86 architecture in my Linux Distro.
Simple program that looks up from the ASCII chart and prints to the screen "Hello".

Now back to reading! - although I got my 2'th semestre examination, I hope to still be able to follow through the process.


Lately I did complete coding a Recycling system, and now finished my job with making a simple bouncing ball game!

And the ball bouncing game as follows:

That's enough information for now.
I hope to make a new post soon enough with my new acknowledgement in exploit development! =)

Next book upcoming! - The Art of Exploitation 2nd edition

Dear Readers,


If you have been followed my postings so far, I have been posted within my expertise from the book I did read - Gret hat Hacking 3ed. I will might do a review on it soon...

During a little 2 semestre project within Computer Science, I do not have the time atm to keep posting news all the time. We're busy making a new database system for a taxi company. Regardless my new upcoming book which I am excited to get busy with, I will post updates when I find something useful. Tomorrow I will be done reading grey hat hacking ethical hacker's handbook - 3. Edition, And will soon start on a new tast within Exploit Development. A book called "Hacking: The Art of Exploitation, 2nd Edition". I'm very excited!, and I hope to share some nice updates with my surroundings!

Thank you!
 - Max Jensen

AccessChk - Win Escalate privileges

AccessChk

Used for locating read,write & execute directories and files. Thus, can be abused to i.e(privilege escalation within Access Directories, on windows machines such as the copy function - will allow arbitary code to run as a given super user). Dangerous stuff. Although a solution to this I recommend - DeepFreeze, is a great program to keep windows at the state where nothing changes within changes, and basically as the name indicate - Deep Freeze Windows!

Background history: 

Cesar Cerrudo, an Argentinean pen-tester who focuses on Windows Access Control, coined the phrase “token kidnapping” to describe an escalation technique involving pro- cess and thread ACLs. The steps in the “token kidnapping” process are outlined here:
1. Start with SeImpersonatePrivilege and NetworkService privileges. The most likely paths to get those privileges are as follows: 

- Attacker has permission to place custom ASP pages within IIS directory running in classic ASP or “full trust” ASP.NET

- Attacker compromises SQL Server administrative account 

- Attacker compromises any Windows service

2. The RPCSS service runs under the NetworkService account, so an attacker running as NetworkService can access internals of the RPCSS process.
   
3. Use the OpenThreadToken function to get the security token from one of the RPCSS threads.
   
4. Iterate through all security tokens in the RPCSS process to find one running as SYSTEM.
   
5. Create a new process using the SYSTEM token found in the RPCSS process.
   

Microsoft addressed this specific escalation path with MS09-012. However, other similar escalation paths may exist in third-party services.
Cesar’s excellent “Practical 10 Minutes Security Audit: Oracle Case” guide has other examples of process ACL abuse, one being a NULL DACL on an Oracle process allowing code injection. You can find a link to it in the following “References” section. 

Hunting Malicious Code

AxMan

Is a tool which enumerate all methods that an ActiveX control supports. When you’re hunting for a vulnerability and see methods such as CreateObject() or Launch() or Run(), take a close look to make sure they can’t be repurposed to run malicious code. 

Little background story:
 
WScript.Shell directly from the Internet zone will fail, as it is only to be used in a trusted environment such as the Local Machine zone. However, Russian hackers discovered that instantiating the safe-for-scripting WMIScriptUtils. WMIObjectBroker2 ActiveX control, and then calling the method CreateObject() de- fined on the ActiveX control, allowed them to create any arbitrary object, bypassing security checks! They promptly used this client-side vulnerability to install malware by hosting the exploit code on hundreds of adult websites. At the time it was being abused, no other IE zero-day vulnerability was widely known in the community, so anybody who wanted to install malware was using this vulnerability. 

For example examine this code at first:

<script>
      var o = new ActiveXObject("WMIScriptUtils.WMIObjectBroker2");
      var x = o.CreateObject("WScript.Shell");
      x.run("cmd.exe /k");

</script>

You will notice that WScript.shell is not a secure Object to call.

Microsoft Security Bulletin MS06-073 (WMIScriptUtils)
www.microsoft.com/technet/security/bulletin/ms06-073.mspx
Metasploit exploit www.metasploit.com/modules/

Fuzzing tools and advices

Valgrind 

It can be a critical piece of instrumentation that can help to quickly isolate memory problems, in particular heap-based buffer overflows, which manifest themselves as invalid reads and writes in Valgrind. 

Spike

is designed to assist in the creation of network-oriented fuzzers and supports sending data via TCP or UDP. Additionally, SPIKE provides several example fuzzers for protocols ranging from HTTP to Microsoft Remote Procedure Call (MSRPC). SPIKE libraries can be used to form the foundation of custom fuzzers, or SPIKE’s scripting capabilities can be used to rapidly develop fuzzers without requiring detailed knowledge of C program- ming. 

Spikes can contain static data, dynamic fuzzing variables, dynamic length val- ues, and grouping structures called blocks. 

Spike Proxy

Handles all the fuzzing and is capable of performing attacks such as SQL injection and cross-site scripting. SPIKE Proxy is written in Python and can be tailored to suit your needs. Basically it makes sure that you are able to bypass the application WAF within your attempt to i.e(Brute force every single combination of a password and username within the web application server).
  

Mangleme

Mangleme, a great utillity to start a stressing test upon a webserver. Such as exploiting poor code within META tags or just trying to overload it with mass inputs. This is also called Fuzzing! - Make sure you test your own website for arbitary code execution. It's a fundamental pice of software, because you can build upon this, and create your own fuzzing utility. Although Mangleme is an old tool, it's still a good framework!..


References:

http://valgrind.org/

http://resources.infosecinstitute.com/intro-to-fuzzing/ 

http://freecode.com/projects/mangleme