A Whole lot of Host Based Vulnerabilities! - Paiet/SEC-335 GitHub Wiki

  • Default account settings

  • Sandbox escape

    • Sandbox = anything used to separate any computer process from other computer processes and/or the host
      • VM
      • Container
      • Browsers
        • Plugins
      • Mobile apps
        • Must ask for permission before accessing resources
      • PDFs/Documents
        • Macros
      • AV/AntiMalware
        • Quarantine
          • Email Attachments
    • Shell upgrade
      • Use apps with OS command capabilities
        • less
          • !bash
        • vim
          • :!bash
      • Upgrade your shell with supported programming language
        • python -c 'import pty; pty.spawn("/bin/bash")'
        • perl -e 'exec "/bin/bash";'
        • ruby -e 'exec "/bin/bash"'
    • Evasion Techniques
      • Extended sleep: Malicious code sleeps until after AV analysis period ends
      • Root/Bootkits: Assume control of OS functions to get around AV
      • Sandbox Detect: Malware scans to see if it's in a sandboxed environment
      • Droppers: Non-malicious code that then downloads a RAT
      • Logic Bomb: Malicious code isn't executed until triggered by X event
  • Physical device security (Hardware Attacks)

    • Cold boot attack
      • Retrieving encryption keys from RAM
        • Sometimes freezing the RAM with canned air
        • Special Software is needed
          • MsRAMDump
          • BitUnlocker
    • JTAG debug
      • Common hardware interface used for communication between computers and hardware chips on the board of a device
      • Joint Test Access Group
      • Allows developers to test functionality easily
      • Found on just about every embedded device today
      • SHOW IMAGES OF ROUTER JTAG
    • Serial console
      • Used to access network equipment
      • Authentication may not be configured
        • Because physical access is required
          • How's your site security?

Host-Based Vulnerabilities Pt.2

  • OS vulnerabilities

    • Mac OS

      • Quite a few available exploits for MacOS
        • searchsploit Apple
        • Exploits for iOS and MacOS
          • Including...
            • Arbitrary Code Execution
            • DoS
            • Persistent malware
              • Mactans
            • Bootkits
            • RAT/C2
              • MaControl Backdoor
        • Also attacks against iCloud
          • Phishing
    • Android

      • Side-loading apps is permissible and easy
        • Normal security vulnerabilities
          • Weak/No Creds
          • Theft
          • No encryption
          • No Malware Protection
          • Patches/Updates
          • Rooted
        • More specific

Host-Based Vulnerabilities Pt.3

Key Concept: Exploit host-based vulnerabilities

  • Windows security profile
    • Written in C
      • No built-in bounds checking
        • Can lead to
          • Arbitrary Code Execution
          • Privilege Escalation
          • Buffer Overflow
    • Closed source software
      • Fewer eyes looking for and fixing security vulnerabilities
    • Large code base
      • New vulnerabilities will be discovered long after release
    • Patches
      • Not everything gets patched
      • Old vulnerabilities may stick around for some time
    • Servers vs Workstations
      • Servers = more network vulnerabilities
      • Workstations = more application vulnerabilities
    • Common vulns
      • RCE
      • Buffer Overflow
      • DoS
      • Memory corruption
      • Priv Esc
      • Info disclosure
      • Security Bypass
        • Software weakness that allows for bypass of security
      • XSS/CSRF
      • Dir Traversal
  • Windows-specific priv esc
    • Creds/Passwords
      • Cpassword attack
        • cPassword value found in the SYSVOL share of AD Domain Controller
          • Domain Controller version -le (at or below) Server 2008
      • Clear text credentials in LDAP
      • Kerberoasting
        • Allows any domain user to request service tickets encrypted with a Service Account's password
          • This is not a patchable exploit
          • It's how Kerberos works
        • Once you have the RC4_HMAC_MD5 encrypted password (mimikatz)
          • Exfil the hash and crack at your leisure
        • Powersploit
          • Invoke-Kerberoast
      • Credentials in LSASS
        • pwdump
        • fgdump
        • mimikatz
      • SAM Database
        • Offline
        • Online
    • Unattended installation
    • DLL hijacking
      • Windows looks for DLLs in specific locations in a specific order
      • DLL hijacking abuses that search order together with weak folder permissions
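Detection-side companion to the Kerberoasting bullets above, added here as an example (not part of the course notes): a Kerberoast run shows up in Windows Security Event ID 4769 as a burst of service ticket requests with TicketEncryptionType 0x17 (RC4_HMAC_MD5) from one account. The event records below are constructed, and the tuple layout is an assumption standing in for the real event fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC_MD5 = "0x17"  # TicketEncryptionType Kerberoast tooling requests; AES tickets are 0x11/0x12

# Constructed sample of Event ID 4769 (service ticket request) fields, not real logs:
# (TimeCreated, TargetUserName = requesting account, ServiceName, TicketEncryptionType, Status)
SAMPLE_4769 = [
    ("2024-05-01T09:00:01", "alice", "SQLSVC",    "0x12", "0x0"),   # normal AES ticket
    ("2024-05-01T09:00:05", "alice", "krbtgt",    "0x12", "0x0"),
    ("2024-05-01T09:15:00", "bob",   "SQLSVC",    "0x17", "0x0"),   # RC4 burst starts here
    ("2024-05-01T09:15:01", "bob",   "HTTPSVC",   "0x17", "0x0"),
    ("2024-05-01T09:15:02", "bob",   "MSSQL01$",  "0x17", "0x0"),   # machine account, ignored
    ("2024-05-01T09:15:03", "bob",   "BACKUPSVC", "0x17", "0x0"),
    ("2024-05-01T09:15:04", "bob",   "CIFSSVC",   "0x17", "0x0"),
    ("2024-05-01T09:15:05", "bob",   "EXCHSVC",   "0x17", "0x1F"),  # failed: no ticket issued
]


def rc4_user_service_tickets(events):
    """Successful RC4 service tickets issued for user (not machine) accounts.

    Machine accounts end in '$' and have long random passwords, so their tickets
    are not worth cracking; dropping them cuts noise without losing signal."""
    return [(when, user, svc) for when, user, svc, etype, status in events
            if etype == RC4_HMAC_MD5 and status == "0x0" and not svc.endswith("$")]


def kerberoast_candidates(events, min_services=3, window=timedelta(minutes=5)):
    """Requesters that obtained RC4 tickets for >= min_services distinct services
    within one sliding window. Returns {requester: set(services)}."""
    per_user = defaultdict(list)
    for when, user, svc in rc4_user_service_tickets(events):
        per_user[user].append((datetime.fromisoformat(when), svc))
    flagged = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            seen = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(seen) >= min_services:
                flagged[user] = seen
                break
    return flagged
```

Once service accounts are configured for AES only, any single 0x17 ticket request becomes a high-fidelity signal and the burst threshold is no longer needed.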
  • Unsecure file/folder permissions
    • Folder/File NTFS
      • Default permissions
        • Users = Read and Execute
    • Share
      • Default permissions
        • Everyone = Read and Execute
  • Keylogger
    • Software and hardware
  • Scheduled Tasks
  • Kernel Exploits

Host-Based Vulnerabilities Pt.4

  • Privilege escalation
    • Linux-specific
      • SUID/SGID programs
        • Run executables as another user (the file's owner or group) rather than the caller
        • The passwd command is a prime example
        • How to search for executables that run as another user
          • ls -l
          • find / \( -perm -u=s -o -perm -g=s \) -type f 2>/dev/null
            • DEMO: bWAPP old nmap
      • Sticky bits
        • Used to prevent file deletion by anyone except the owner or root
        • Set on /tmp and /home by default
        • Set sticky bit
          • chmod +t /common_directory
      • Unsecure SUDO
        • Takes advantage of poorly configured sudo
          • Allowing users to sudo as administrator or even root
        • EXAMPLE: ZICO2 from Vulnhub
          • Gain limited access as zico user
            • SSH with Zico's stolen creds
          • sudo -l to list sudo rights
          • man tar for possible insight into shell command execution
          • Using this knowledge...
            • sudo -u root tar -cf /dev/null sploit --checkpoint=1 --checkpoint-action='exec=/bin/bash'
              • You now have root privileges
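The SUID/SGID search and the sticky-bit check from the Linux bullets above, as an added audit example (not from the course notes): it reproduces the `find -perm` query in Python, diffs the result against a saved baseline so a planted SUID binary stands out, and flags world-writable directories that lack +t. The fixture tree and the baseline are constructed for the demo.

```python
import os
import stat
import tempfile


def find_setid_files(root):
    """Regular files under root with SUID or SGID set: the `find -perm` check in Python."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # unreadable or vanished, the 2>/dev/null case
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.add(path)
    return hits

def world_writable_dirs_without_sticky(root):
    """Directories anyone may write to that lack +t, so users can delete each other's files."""
    bad = set()
    for dirpath, dirs, _files in os.walk(root):
        for name in dirs:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                bad.add(path)
    return bad

def diff_baseline(current, baseline):
    """Any SUID/SGID file absent from the install-time baseline deserves a look."""
    return {"new": current - baseline, "missing": baseline - current}

def run_demo():
    """Constructed fixture: a fake root with one expected and one planted SUID binary."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("usr", "usr/bin", "bin", "tmp", "shared"):
            os.mkdir(os.path.join(root, d), 0o755)
        for rel, mode in (("usr/bin/passwd", 0o4755), ("bin/dash", 0o4755), ("bin/ls", 0o755)):
            open(os.path.join(root, rel), "w").close()
            os.chmod(os.path.join(root, rel), mode)
        os.chmod(os.path.join(root, "tmp"), 0o1777)    # like a real /tmp: +t set, fine
        os.chmod(os.path.join(root, "shared"), 0o777)  # world-writable without +t: flagged
        relative = lambda paths: {os.path.relpath(p, root) for p in paths}
        setid = relative(find_setid_files(root))
        return {"setid": setid,
                "drift": diff_baseline(setid, {"usr/bin/passwd"}),  # baseline saved at install time
                "no_sticky": relative(world_writable_dirs_without_sticky(root))}
```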

Host-Based Vulnerabilities Pt.5

  • Ret2libc

  • Scheduled tasks

    • Check /etc/crontab for possible exploit
    • DEMO: bWAPP script2.sh
      1. cat /etc/crontab
      2. ls -l /root/script2.sh
         • Example of insecure file/folder permissions
      3. Modify script: chmod u+s /bin/dash
      4. Wait
      5. /bin/dash
      6. whoami and/or id
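The check a defender would run against the bWAPP script2.sh case above, as an added example (not from the course notes): parse system crontab lines, take the program each root job runs, and flag it if a non-root user could modify it. The crontab excerpt and the file tree are constructed; `resolve` and `root_uid` are assumed parameters that map the crontab paths onto the test tree.

```python
import os
import re
import stat
import tempfile
# Constructed /etc/crontab excerpt (system crontab lines carry a user field); not from bWAPP.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *       root    /root/script2.sh
*/5 * * * *     root    /usr/local/bin/backup.sh >/dev/null 2>&1
"""

def crontab_jobs(text):
    """Yield (user, command) per job line; skip blanks, comments and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"\w+=", line):
            continue
        fields = line.split(None, 6)  # 5 time fields, user, then the command verbatim
        if len(fields) == 7:
            yield fields[5], fields[6]

def first_program(command):
    m = re.search(r"/\S+", command)  # first absolute path: the script or binary the job runs
    return m.group(0) if m else None

def risky_root_jobs(text, resolve=lambda p: p, root_uid=0):
    """Programs run by root's jobs that a non-root user could modify (bad owner or g/o write bit)."""
    risky = []
    for user, command in crontab_jobs(text):
        prog = first_program(command)
        if user != "root" or not prog or not os.path.isfile(resolve(prog)):
            continue
        st = os.stat(resolve(prog))
        if st.st_uid != root_uid or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            risky.append(prog)
    return risky

def run_demo():
    """Constructed fixture: /root/script2.sh world-writable, backup.sh correctly 755."""
    with tempfile.TemporaryDirectory() as fake_root:
        for rel, mode in (("root/script2.sh", 0o777), ("usr/local/bin/backup.sh", 0o755)):
            path = os.path.join(fake_root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, mode)
        # Fixture files belong to the current user, who stands in for root here.
        return risky_root_jobs(SAMPLE_CRONTAB, lambda p: os.path.join(fake_root, p.lstrip("/")), os.getuid())
```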
  • Kernel exploits

    • Shellshock
    • DirtyCOW
      • Effective against Linux Kernel version below 3.9
      • Race condition exploit
      • Back to Zico
        • uname -a
        • searchsploit Dirty COW
        • Good hit! 40839.c
        • Copy that to Zico machine
        • Read instructions and compile accordingly
        • Execute and wait
        • Login with newly created user
  • Unsecure service and protocol configurations

  • Exploitable services

  • Writable services

    • Modifying the startup parameters of a service
      • Executable path
      • Service account
      • Unquoted service paths
        • Diagram