Hello aspiring Ethical hackers. In this article you will learn how to exploit Cron jobs for Linux Privilege Escalation. If you are familiar with Windows Task Scheduler you will readily understand what cron is. Yes, it is used to schedule jobs or commands in Linux. For example you have a Linux server and want to clean cache regularly once a day. You can do this manually everyday or schedule a job to do this daily without your intervention. Here’s where cron jobs assist you. You can assign a job in cron. Sometimes these jobs are assigned with root privileges and these can be exploited to gain root privileges. Let’s see it practically.
For this article, we have a target on which we already gained a shell. Then I ran the PE.sh privilege escalation script on the target to find ways to elevate privileges on the target.
As I scroll down the output of our PE.sh file, we can see our target has some cron jobs set.
As you can see in the above images, we can set cron jobs monthly, daily or hourly. But our job here is to not schedule cron jobs. It is to exploit them. As we scroll down further, we can see the format of a cron job.
In the above image, you can see the exact format of a cron job. It is minutes first, hours, day of month, month and day of week. We can see a cron job named /opt/new_year.sh that is scheduled to run at the 00:00 time of first day of the first month of every year. That is the occasion of New Year.
But what does * * * * * mean? It means these cron jobs are scheduled to run every minute of every hour of every day of the week (i.e daily) , every month. That typically means these jobs run each and every minute. The important thing to notice here is that all these jobs are running as user “root”.
Let’s manipulate one the these scripts, let’s say /opt/my_script.sh. We have a SETUID bit set on “dash” shell, one of the shells installed on the target system.(We will see in a short while what SETUID is). This can be seen in the image below.
We are editing the my_script.sh file with a command “chmod u-s /bin/dash”. This will remove the SETUID bit. Wait for one minute and check the /bin/dash command.
The SETUID bit is removed. Not just that, we can add new users on the target system as shown below.
Hello aspiring Ethical Hackers. In this article you will see how to bypass Antivirus with AV | ATOR. AV | Ator is a backdoor generator utility that uses cryptographic and injection techniques to bypass AV detection. The AV in AV | Ator stands for Anti Virus. Ator is character from the Italian Film Series “Ator” who is a swordsman, alchemist, scientist, magician, scholar and engineer with the ability to sometimes produce objects out of thin air.
ATOR takes C# shellcode as input, encrypts it with AES encryption and generates an executable file. ATOR uses various methods to bypass Anti Virus. Some of them are,
Portable executable injection : In portable executable injection, malicious code is written directly into a process (without a file on disk). Then, this code is executed by either invoking additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references.
Reflective DLL Injection : DLL injection is a technique used for running code within the address space of another process by forcing it to load a dynamic-link library. This will overcome the address relocation issue.
Thread Execution Hijacking : Thread execution hijacking is a process in which malicious code is injected into a thread of a process.
ATOR also has RTLO option that spoofs an executable file to look like having an “innocent” extension like ‘pdf’, ‘txt’ etc. E.g. the file “testcod.exe” will be interpreted as “tesexe.doc” and of course we can set a custom icon. ATOR can be run on both Windows and Linux. We need Mono to run ATOR on Linux.
Let’s see how to install ATOR in Kali Linux. Clone the ATOR repository from Github as shown below.
Then unzip the zip archive.
Then, Install Mono as shown below.
After moving into the extracted directory, there will be an AVIATOR executable. We just need to run it with Mono.
If you want to run ATOR in Windows, you can just download the compiled binaries from Github . When you run the executable, the ATOR GUI opens.
Let’s see all the options in detail. 1. It contains the encryption key that is used to encrypt the shellcode. Keep it default if you want. 2. It contains the IV used for AES encryption. Keep it default too. 3. Shellcode in C# format. 4. It will show the encrypted payload. 5. The location to which the generated executable is to be saved. 6. Various Injection techniques. 7. Set a Custom Icon to the executable.
Copy the shellcode generated above and paste it in the payload column. Click on “Encrypt” to see the encrypted payload in (4). Click on (7) to set a custom icon (we are using pdf icon). Select the path of the executable (5) and select the injection technique (6) and click on “Generate EXE” button. Here’s the payload.
Before executing it on the target, start a listener on the attacker machine.
As soon the payload is executed on the target, we will have a shell as shown below.
Hello aspiring ethical hackers. In this article, you will learn about a tool named Wifite. It is an automatic Wireless password cracking tool that tries almost all known methods of wireless cracking like Pixie-Dust attack, Brute-Force PIN attack, NULL PIN attack, WPA Handshake Capture + offline crack, The PMKID Hash Capture + offline crack and various WEP cracking attacks. Wifite is installed by default on Kali Linux. Just like any wireless password cracking method, Wifite needs monitor mode to be enabled on the wireless interface as shown below. However, it automatically enables this monitor mode but if it fails to enable it, you can enable it manually as shown below.
Let’s see how Wifite works in cracking WEP, WPA and WPS enabled networks. Once everything is ready, open terminal and start Wifite using command as shown below.
It starts displaying all the wireless networks in your vicinity as shown below.
Let’s target the Access Point “Hack_Me_If_You_Can” which has WEP security enabled. Once you select the access point you want to target, hit CTRl + C and enter the number of that access point. In our case it is “1”.
As soon as you enter the number of that access point, Wifite tries out various attacks against the access point and grabs its password as shown below.
WEP is too easy. Let’s see how it fares in cracking WPA password. We start Wifite as shown above. Our target is once again “Hack_Me_If_You_Can”. However, as you can see it is secured with WPA now.
It starts attacking employing various methods as shown below.
Now, let’s target a Access Point with WPS pin enabled.
As you can see, Wifite is successful in cracking WEP, WPA and WPS keys automatically without running any complex commands . Learn how to crack Wifi passwords with Besside-ng.
Hello aspiring Ethical hackers. In this article, we will learn about a tool named Besside -ng, which can automatically crack WEP passwords and log WPA handshakes. This tool authored by Andrea Bittau is made in the line of another tool, Wesside-ng which only cracks WEP passwords automatically.
Before you run Besside-ng, monitor mode should be enabled on the wireless interface as shown below.
Once monitor mode is enabled on the wireless interface, we can run Besside-ng as shown below to automatically crack all the WEP passwords and log WPA handshakes.
If you want to crack the WEP password of a single Access Point, the command is as shown below
where “-c” is used to specify the channel the Wireless Access Point is running on and “-b” is the –bssid of the Wi -Fi access point.
Besside-ng automatically starts creating traffic and cracking the WEP key as shown below.
As you can see in the above image, it cracked a 64bit ASCII WEP key in less than 1 minute. How about 64 bit hexadecimal WEP key that’s a bit complex.
It took just 45 seconds to crack the password. This time, I generated a complex WEP key and tried again. The key was cracked in around 15 minutes as shown below.
Hello aspiring Ethical Hackers. In Part 2 of Buffer Overflow foe beginners, we will see how to write an exploit for a buffer overflow vulnerability. In Part 1 of this article, readers have learnt practically as to what buffer overflow is and how a buffer overflow vulnerability can be identified in a program using fuzzing. Our readers have also seen how we exploited it. But manually fuzzing the program can be tiresome sometimes. In the example we have shown in the previous article, the buffer only needed 32 characters to be overflown but what if the buffer has a very large (let’s say 1000) size. Manual fuzzing in such cases becomes a tiresome process.
We need some automation and simplification. It’s time to introduce PEDA. PEDA is a Python Exploit Development Assistance for GNU Debugger. It enhances the functionality of the GNU Debugger by displaying disassembly codes, `registers and memory information during debugging. It also allows users to create a random pattern within the gdb console and also find the offset etc. We will learn more about the tool practically. This tool can be installed as shown below.
Now let’s go into our C lab and load the program “second” with GDB normally as shown below. This is the same program we have used in Part1 of this article. As the program loads, you will see that the interface now shows “gdb-peda” instead of just “gdb” as in the previous article.
Let us test this program once again for the buffer overflow vulnerability. Here’s the disassembled code of the program “second”.
Let’s create a string of random characters of a specific length, say 50. This can be done using the “pattern_create” command in peda. Copy the random string.
Now let’s run the program. When it prompts you the question, “Name which superhero you want to be”, paste the string we just copied and click on “Enter”. Gdb-peda gives us information about the memory registers as shown below.
It also shows us the code being executed but the most important thing it shows is the memory stack.
If you observe the stack of the program above, you can see that the string of random characters we provided as input is allocated into two memory areas. The highlighted part went into first buffer and the rest of the random characters went into the second memory area.
Instead of counting how many characters are in the first memory area, we can find the number of characters using “pattern_offset” command. We copy the random characters that went into the first buffer and use it as shown below to find the offset.
We call it as offset as we need to fill this area with random characters as no code will be executed in this offset area (as in the Part 1 of this article). The offset is 32. Well, since we no- w know the offset, let’s write an exploit for this vulnerable program. Open a new file and write the exploit as shown below.
This is a simple python exploit and the comments should explain you what it does. Let us give you more information about it. The first line of the code is basically telling the exploit to launch a python interpreter. In the second and third line, we are importing pwntools and OS modules respectively. The pwntools library has all the functions needed in penetration testing and OS module has operating system functions. In the next line we declare a variable named “path” and assign it a function os.getcwd() . This function gets the current working directory (If the OS module is not imported, this line will not work).
In the next line, another variable is declared with the name “program” and we assign it the program we want this exploit to target. As our target program is named “second” we give that name. In the next line, the “full_path” variable combines both the “path” and “program” variables to get the full working path of the program. Till this part of the code, we have reached the program we want to exploit.
Now the exploitation part. The “fill_buffer” variable fills the offset area with 32 iterations of “C” (It can be any character of your choice, but make sure its 32 for this program). In the next line we are specifying the command to be executed after the buffer is filled. Here its is “whoami”.
The exploit only works when the buffer is filled and then the command is executed. So we need to combine the “fill_buffer” and “cmd” results. The process() command start the target program while the p.sendline(bof) command sends the output of “bof” to the program already started. The p.interactive() gives the user the control after the exploit runs. Once coding is finished, save the exploit with any name you want. We named it bof1.py. Then run it as shown.
As you can see in the above image, after filling the buffer the exploit was successful in executing the command “whoami”. Now change the command to be executed and run the exploit again.
Once again it runs successfully and executes the command. This gives us a shell. This is how buffer overflow exploits are written.
When most of our readers ask as to which programming language to start learning with in the journey of ethical hacking or penetration testing, Our suggestion is always python and yo -u now know why? Python is very simple but still effective. It has a readable and easily maintainable code compared to other programming languages. Hence, it is very easy to learn. In just about ten lines, you have written the first buffer overflow exploit although its for a intentionally vulnerable program.
