CNO Day 3 PrivEsc

Privilege Escalation. Basics: on Windows, SYSTEM is the highest privilege possible, and members of the local Administrators group can effectively obtain SYSTEM. On Linux, root (uid=0) is the highest privilege possible, and a regular user who is permitted to sudo can escalate to root on demand.
Techniques:
Kernel exploits - leverage a flaw in the OS kernel. Whether a box is vulnerable is determined by researching the kernel version and patch level. These tend to be patched quickly.
High privileged programs - get a program that already runs at a higher privilege to execute your code. Programs are often run with unnecessary privileges for convenience's sake; for example, JBoss on Tomcat running as root. Deploy a WAR to JBoss with an embedded reverse shell.
Credential theft - compromise a user with higher privileges. This is the primary method of lateral movement within organisations: capturing hashes with tools such as Responder, SCF files placed on writable shares, UNC requests (when a user attempts to open \\server, an authentication request is sent and can be captured), network sniffing, and password reuse.
Insecure configurations - abuse incorrectly configured services or programs. An unquoted service path containing whitespace is the classic example: for C:\anti-virus\virus definition\bin\update.exe, Windows path probing will first attempt to find and run C:\anti-virus\virus.exe, so anyone who can write to C:\anti-virus\ can plant a binary that the service executes at its own privilege level. On Linux, in the /etc/shadow file, the prefix (e.g. $6, which is SHA-512 crypt) indicates the hash function and is followed by the salt; for example, this entry: ...
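As an added illustration (this is not code from the original notes), the two "insecure configuration" checks above modelled in Python: the order in which Windows' CreateProcess probes an unquoted service ImagePath containing spaces (the C:\anti-virus example), the directories an attacker would therefore need write access to, and which password hash a /etc/shadow entry uses, read from its $id$ prefix. The service path, shadow lines and hash values are constructed for the example; the assumption that the first token ending in .exe is the real binary (everything after it being arguments) is the author's simplification, not part of the notes.

```python
"""Added example, not part of the original CNO notes: model two of the
'insecure configuration' checks in plain Python.

1. unquoted_path_candidates(): the executables Windows' CreateProcess
   will probe, in order, for an unquoted service ImagePath containing
   spaces, and hijack_dirs(): the directories an attacker must be able
   to write to in order to plant a binary that runs at the service's
   privilege.
2. shadow_hash_algorithm(): which password hash a Linux /etc/shadow
   entry uses, read from its $id$ prefix.  The shadow lines below are
   constructed for illustration; the hash bodies are filler.
"""
from typing import List, Tuple

# Hash identifiers used in the crypt(3) "$id$salt$hash" format.
SHADOW_HASH_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
}


def unquoted_path_candidates(image_path: str) -> List[str]:
    """Return the paths CreateProcess tries, in order, for an ImagePath.

    A quoted path is unambiguous and yields itself.  An unquoted path is
    split at every space; each prefix is tried as an executable (with .exe
    appended when its last component has no extension) before the longer
    prefix is tried.  Assumption: the first token ending in .exe is the
    real binary and everything after it is arguments.
    """
    if image_path.startswith('"'):
        return [image_path[1:image_path.index('"', 1)]]
    candidates = []
    tokens = image_path.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        last_component = prefix.rsplit("\\", 1)[-1]
        candidates.append(prefix if "." in last_component else prefix + ".exe")
        if prefix.lower().endswith(".exe"):
            break  # reached the real binary; remaining tokens are arguments
    return candidates


def hijack_dirs(image_path: str) -> List[str]:
    """Directories where a planted binary is picked up before the real
    one: the parent of every candidate except the last."""
    return [c.rsplit("\\", 1)[0] for c in unquoted_path_candidates(image_path)[:-1]]


def shadow_hash_algorithm(entry: str) -> Tuple[str, str, str]:
    """Parse one /etc/shadow line and return (user, algorithm, salt).

    Field 2 is the password hash in crypt(3) form, $id$[params$]salt$hash.
    An empty field or one starting with '!' or '*' means the account has
    no usable password hash (locked or password-less).  bcrypt stores its
    22-character salt and the hash in one field, so it is special-cased.
    """
    fields = entry.rstrip("\n").split(":")
    user, pw = fields[0], fields[1]
    if pw == "" or pw[0] in "!*":
        return user, "locked-or-empty", ""
    if not pw.startswith("$"):
        return user, "descrypt", pw[:2]  # legacy DES: salt is the first 2 chars
    parts = pw.split("$")  # ['', id, (params,) salt, hash]
    algorithm = SHADOW_HASH_IDS.get(parts[1], "unknown")
    salt = parts[3][:22] if algorithm == "bcrypt" else parts[-2]
    return user, algorithm, salt


# Constructed sample data (not real systems or real hashes).
SERVICE_PATH = r"C:\anti-virus\virus definition\bin\update.exe"
CONSTRUCTED_SHADOW = [
    "alice:$6$saltsalt$" + "A" * 86 + ":17701:0:99999:7:::",
    "bob:$y$j9T$yescryptsalt$" + "B" * 43 + ":17701:0:99999:7:::",
    "daemon:*:17701:0:99999:7:::",
]

if __name__ == "__main__":
    for c in unquoted_path_candidates(SERVICE_PATH):
        print("probe:", c)
    print("writable-dir hijack points:", hijack_dirs(SERVICE_PATH))
    for line in CONSTRUCTED_SHADOW:
        print(shadow_hash_algorithm(line))
```

The probe order is the one documented for CreateProcess when the application name is left unspecified: every space is a potential end of the executable name, and .exe is appended to a candidate without an extension. For the service to be hijackable in practice the planted candidate's directory must be writable by you and the service must run as a higher-privileged account and be restartable (or the machine rebootable).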

July 25, 2018 · 6 min

CNO Day 2 Exploitation

Exploitation. An exploit is software which leverages a vulnerability to perform an action. It is important to differentiate the payload from the exploit: a payload is something executed via an exploit. Finding Exploits: Exploit DB, Google, and SearchSploit (a local mirror of exploit-db, useful for cached offline copies). The same vulnerability may be assigned different vendor-specific labels; for example CVE-2008-4250 is also Microsoft's MS08-067. Searching Google and heading to the Microsoft security bulletin: ...

July 24, 2018 · 5 min

CNO Day 1 Enumeration

Covers the basics, starting with enumeration. There is a process to exposing vulnerabilities, but it is not a linear one. Imposter syndrome is huge in this field, due to its complexity and the number of domains it covers. The anatomy of a hack (EEE): Enumeration, Exploitation, Escalation. There are multiple ways to do one thing; for example, to figure out whether the sshd daemon is running you could: check if port 22 is listening (netstat -tlp); check if the sshd process is running; try to connect to the daemon with ssh; list the running services through systemd. Tools. Tools to grok: ...
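As an added example (not part of the original notes), the first of those sshd checks turned into code: a small parser for netstat -tlp output that reports what is bound to a port. The netstat text below is constructed to look like the real thing, including the "-" netstat prints in the PID/Program column for sockets owned by another user when you are not root, which is the caveat worth remembering when you run this check unprivileged: you see the open port but not what owns it.

```python
"""Added example, not part of the original CNO notes: parse `netstat -tlp`
output and answer 'what is listening on port N?'.  SAMPLE_NETSTAT is
constructed for illustration and mimics netstat's layout.
"""
from typing import List, NamedTuple, Optional

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1043/postgres
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
tcp6       0      0 :::6667                 :::*                    LISTEN      -
"""


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    pid: Optional[int]       # None when netstat could not see the owner
    program: Optional[str]


def parse_listeners(text: str) -> List[Listener]:
    """Parse netstat -tlp (or -tulp) output into Listener records."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue  # banner and header lines
        addr, port = fields[3].rsplit(":", 1)  # handles ':::22' and '0.0.0.0:22'
        pid_prog = fields[-1]
        if pid_prog == "-":
            pid, prog = None, None  # owner not visible (typically not root)
        else:
            pid_s, prog = pid_prog.split("/", 1)
            pid = int(pid_s)
        out.append(Listener(fields[0], addr, int(port), pid, prog))
    return out


def listening_on(text: str, port: int) -> List[Listener]:
    """Listeners bound to the given port across all protocols/addresses."""
    return [lst for lst in parse_listeners(text) if lst.port == port]


def sshd_evidence(text: str, port: int = 22) -> str:
    """Summarise what this one source of evidence says, distinguishing
    'port open and owned by sshd' from 'port open, owner hidden'."""
    hits = listening_on(text, port)
    if not hits:
        return "nothing listening on port %d" % port
    owners = {h.program for h in hits}
    if owners == {None}:
        return "port %d open but owner hidden (re-run as root)" % port
    return "port %d owned by %s" % (port, ", ".join(sorted(o for o in owners if o)))


if __name__ == "__main__":
    for lst in parse_listeners(SAMPLE_NETSTAT):
        print(lst)
    print(sshd_evidence(SAMPLE_NETSTAT))
    print(sshd_evidence(SAMPLE_NETSTAT, 6667))
```

The point of the enumeration notes is that this is only one source of evidence: a port 22 listener owned by something that is not sshd, or a hidden owner, is exactly the case where you cross-check with the process list, a connection attempt and systemd.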

July 23, 2018 · 5 min

PostgreSQL

PostgreSQL (postgres or pg) is an amazing open source relational database that provides SQL as the DSL for interacting with data. Installation is a breeze with any package manager; packages to grab:
postgresql and postgresql-common: core server
postgresql-client-common and postgresql-client: client libs and binaries
postgresql-contrib: useful bolt-on modules
Once installed, it is managed as a daemon by systemd.
$ sudo systemctl start postgresql
$ sudo systemctl stop postgresql
$ sudo systemctl restart postgresql
$ sudo systemctl reload postgresql
$ sudo systemctl status postgresql
Core Concepts. Configuration: depends on the distro, generally somewhere like /etc/postgresql/11/main. ...

July 14, 2018 · 6 min

Apache Spark

Recently I’ve had the opportunity to dig into Apache Spark, thanks to some training from Brian Bloechle from Cloudera. What is Spark? Fast, flexible, and developer friendly, Apache Spark is the leading platform for large scale SQL, batch processing, stream processing, and machine learning. Java, Scala, Python and R are first class citizens when it comes to consuming the various Spark APIs. I’ll cover PySpark in more detail. Spark is an agnostic processing engine that can target a number of cluster managers, including Spark Standalone, Hadoop’s YARN, Apache Mesos and Kubernetes. In the context of Spark, some useful surrounding ecosystem to be aware of: ...

July 2, 2018 · 5 min

Beyond Compare

Installation on Linux is well documented.
wget https://www.scootersoftware.com/bcompare-4.2.4.22795.x86_64.rpm
su
rpm --import https://www.scootersoftware.com/RPM-GPG-KEY-scootersoftware
yum install bcompare-4.2.4.22795.x86_64.rpm
On my Fedora 27 box, I found the bash launcher /usr/bin/bcompare exits with a return code of 1 if the linker cannot resolve all dependencies:
BC_LIB=/usr/lib64/beyondcompare
export BC_LIB
EXEC=$BC_LIB/BCompare
# check to see if we have all of the shared libraries.
CHECK=`ldd $EXEC | grep "not found" | wc -l`
if [ "$CHECK" -ne "0" ]; then
    echo Some Shared Libraries were not found
    ldd $EXEC
    exit 1
fi
Dumping out the shared libs BCompare depends on: ...

April 21, 2018 · 2 min

IRC

Hey there, these are some of my notes about IRC in general, and the CLI client irssi. IRC Primer. Internet Relay Chat (IRC) is an open protocol that uses TCP and optionally TLS. IRC was created in August 1988 by Jarkko Oikarinen at the University of Oulu in Finland. Years later, in 1993, it was standardised as RFC 1459. IANA assigned it port 194/TCP; in practice, however, most servers use 6667/TCP and nearby ports (6660-6669, 7000). ...

January 31, 2018 · 8 min

LCA 2018

I’m a convert. This conference was incredible, with passionate presenters, excellent content and an amazing inclusive and friendly community vibe. Most sessions are available on YouTube. Things I am inspired to do post LCA 2018:
Set up ctags with Vim. Think ‘go to definition’ for Vim, with support for 40+ langs. Specifically Exuberant Ctags and unite-tag.
Play with more kernel syscalls (like ptrace).
Signal processing and logic analyser lab and kit.
More notes.
Resume the nand2tetris journey, part 2.
Use IRC more. Some CLI options: Irssi, BitchX, WeeChat. And keybase. Imagine a Slack for the whole world, except end-to-end encrypted across all your devices. Or a Team Dropbox where the server can’t leak your files or be hacked.
Always support and subscribe to lwn.net.
Look into supporting the Software Conservancy Foundation (SCF).
Pick up some new langs; go and rust seem to be the current shiny.
I met a number of kernel developers. Find out a bit more about what they do through the official MAINTAINERS file.
YubiKey or Nitrokey, start using. Open source physical USB device to enable secure encryption and signing of data. The secret keys are always stored inside the Nitrokey, which protects against malware (such as computer viruses) and attackers. A user-chosen PIN and a tamper-proof smart card protect the Nitrokey in case of loss and theft.
Linux Device Drivers book, now maintained by Jonathan Corbet (executive editor at lwn.net): start reading, and create drivers, the gateway drug to the kernel.
Time to refresh handle, bio, and CV.
Check out TaskWarrior, a CLI for managing tasks.
Consider using more compact unique IDs such as Twitter’s snowflake, e.g. 12738165059.
Use more state machines.
Study The Architecture of Open Source Applications.
Some of the sessions I got to attend. ...

January 28, 2018 · 8 min

LXC (Lexy)

Born in 2008, LXC (pronounced lexy) is a userspace interface for the Linux kernel containment features that enables the creation and management of application containers. LXC leverages a number of kernel features to contain processes: kernel namespaces (ipc, uts, mount, pid, network and user); AppArmor and SELinux profiles; seccomp policies; chroots (using pivot_root); kernel capabilities; cgroups (control groups). LXC containers are often considered something between a chroot and a full blown VM. The goal of LXC is to create an environment as close as possible to a standard Linux installation, without the need for a separate kernel. ...

January 18, 2018 · 4 min

PKI

Some of my (and others') notes on managing PKI with the excellent openssl. It’s simple and just works. To get going we will create a root CA (Certificate Authority) and an intermediate signing CA. Using the CAs we will issue three keypairs: one for email protection, one for TLS, and one for digital signatures. The digital signature keypair will be presented in the form of a CSR (Certificate Signing Request), as if generated by a third party that would like a certificate for its keypair signed by our CA hierarchy. ...

January 8, 2018 · 14 min