Linux for Pentester: xxd Privilege Escalation

In this article, we are going to make our readers familiar with another influential command i.e. “xxd” which assist for converting any hex dump to a binary and vice-versa. So, by knowing this certainty now we will check how wisely we can make it applicable in Privilege Escalation.

Table of Content

Introduction to xxd

  • Major Operation performed using xxd

Exploiting xxd

  • SUID Lab setups for Privilege Escalation
  • Exploiting SUID

Introduction to xxd

As we know whenever we want to convert any format of a file into another format then, we can grab that simply by using online converter which helps to convert a file into the desired format such as: “pdf to word, jpg to pdf, excel to pdf” etc. but what if someone desired to get any file into its hexadecimal form or binary??

So, in this article, I’m emphasizing the way through which one can easily get hex dump or binary format for any file. This can be achieved by one of Linux command i.e. “xxd”. The xxd command enables the user to generate a hex dump of a given file and can also reverse a hex dump back to its original ASCII form.  This phenomenon can also help in the procedure of encoding and decoding any mysterious file.

First, we will check for its help/man command to identify how we can use xxd for this conversion.

By typing the above command, we can achieve a list of arguments that can be used with xxd for generating hex dump of a given file.

Major Operation performed using xxd

Converts file contents into hex: For instance, I’m creating a new file by the name of “secret.txt” and now I want to convert its whole content into the hexadecimal form so, I will type the below mentioned command to execute the desired output.

Syntax: xxd <options> filename

By the below image it’s clear that xxd has generated the hex dump for the file “secret.txt”.

Here, we can observe the following hex dump are obtained its default format such as:

  • Indexing the number of lines. (eg: 00000000, 00000010, 00000020…………00000220)
  • The default number of octets per group is 2 (-e: 4 little-endian hexdump) which is groupsize of 4 bytes. (eg: 4967 6e69…………6e67)
  • The standard column length is equal to 16 bits with whitespace. (eg: Ignite is Having)

Skip the nth line with xxd: While converting a file there may be lots of data that may not be of our use so, instead of obtaining whole data we can skip those contents that are needless (skip the no. of lines). For this, we can use xxd to skip the nth line and produce hex value after skipped lines.

Suppose in our circumstance we want to generate hex dump from line 5 ahead then this can be attained by using “-s” argument followed by xxd command.

To limit output up to particular length: As above I have explained how one can retrieve data by skipping no. of lines i.e. output from a specific line but, if we need to limit the length of standard output then we will use “-l” argument instead of “-s”.

Here I’m limiting the length of my contents to print the data up to limited range i.e. 5th line as shown in below screenshot.

Hence, we can observe the difference between both commands; the first command generates the hex value initialized from the 6th line and the second command ended with the 5th line as per hex indexing, take reference from the above screenshot.

Converts file contents into binary: In above all image we have noticed that file has been dumped into its “hex form” but whenever we wish to produce the “binary form” for any file then we will use “-b” option. On using this option, the result will switch to its bit dump (binary digit) by grouping the output data into its octet using “1 or 0” rather than hex dump. To attain the same as per below image type command:

Set column length: As above I have described how we can skip and limits the output up to range. Now I will illustrate how we can set column length. By default, it used to be 12, 16 for any dumped file but now I will explain what else we can do.

For this I’m taking three occurrences:

Default: As we know the default column length is 16. This will print 16 characters including whitespace.

Set the column length up to 32: I have set end index to limit printing data range by using “-l” option now after doing so I will set column length up to “32” which can be achieved by using “-c” argument.

From the given below screenshot, we can easily realize how xxd has limits the column length.

Set the column length up to 9: As above, now I have set column length up to “9” by following the same process as discussed above.

In all case, xxd has created the hex dump for a file by counting each character with whitespace.

Print Plain hex dump style: The postscript option “-ps” is used only in case when we required our output in plain hex dump style. Here we have saved its output inside hex file to obtain the plain hexadecimal value of the secret.txt file. To ensure the result we have used the cat command to read output from hex file.

From the below image, it can be cleared that how xxd has created plain hex dump style for file “secret.txt” by restricting the plain text.

To revert any file: To return any generated output into its original form we can use the “-r” option. In our case we have used “-r -p” to print the reverse output from plain hex dump style into its ASCII form.

Groupsize bytes: If we required to group the output into a number of octets then we can use the “-g” option for this purpose. By default, it is 2 (-e: 4 little-endian hex dump). So, if we set this value to 4 then it will be grouped into 8 bits.

In below screenshot, we have set this value to 8 which will group into 16 bits as desired output to concise the result.

SUID Lab Setups for Privilege Escalation

The SUID bit permission enables the user to perform any files as the ownership of existing file member. Now we are enabling SUID permission on xxd, so that a local user can take the opportunity of xxd as the root user.

Hence type following for enabling SUID bit:

Exploiting SUID

Now we will start exploiting xxd service by taking the privilege of SUID permission. For this, I’m creating a session of the victim’s machine which will permit us to develop the local user access of the targeted system.

Now we need to connect with the target machine with ssh, so type the command:

As we know we have access to victim’s machine so we will use find command to identify binaries having SUID permission.

Here we came to recognize that SUID bit is permitted for so many binary files, but our concerned is:   /usr/bin/xxd.

Taking privilege of SUID permission on xxd we are going to grab the shadow’s file for extracting password hash file.

In the below image first, I have requested to expose the /etc/shadow file by the use of xxd which will produce the hex dump for the file along with that I have piped the xxd command to revert its output.

Now I have use john the ripper tool to crack the password hashes. By doing so we will get credential of the user as shown in below image.

Once we get the user’s credential then we can switch user. Here first we check sudo rights for user: raj and noticed that user “raj” has ALL privileges.

Therefore, we switch to the root user account directly and access the root shell as shown in the image. Hence, we have successfully accomplished our task of using xxd command for Privilege Escalation.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, she is completely enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here

Linux for Pentester: CAT Privilege Escalation

Today we are going to talk about CAT command and learn how helpful the cat command is for Linux penetration testing and how we’ll progress cat to scale the greater privilege shell.

Table of Content

  • Introduction to CAT
  • Major Functions of CAT command
  • Sudo rights Lab setups for Privilege Escalation
  • Exploiting Sudo Rights

Introduction to CAT

In Linux, Cat stands for “catenate,” which is one of Unix-like operating system most frequently used commands. It reads file information and displays its content as an output. It enables us to build, view and link files. So, we can not only see the content using CAT command; apart from this we can, copy the content of the file to some other file and view the files with numbers and so on. Not only this we will do such things which is not only new but is what we might have not thought of. We will perform Privilege Escalation using CAT command. That’s sounds interesting. Isn’t it? So, let’s start-

Major Functions of CAT command

At first, we will run cat -h command which means help and which will tell you about all the options which are available in CAT command as we can see in the picture below.

Write and Read a file:

Our next step is to create a file using the cat command. And for this, we will use greater than sign (>) after cat command to generate a new file. So, we have created a new file named notes.txt by using (>) this sign after cat command and write the content which you want to keep in the file as in our case I have written “Welcome to Hacking articles” in the file notes.txt

Not only this we can also edit the content of the existing file without opening the file by using greater than sign twice (>>) as you can see in the screenshot that we have added “Join Ignite Technologies”  in notes.txt

Now we can confirm this by reading the file once again.

Number all output lines:

Now let’s say if we want to view file contents preceding line numbers or in other words you want to view the output serialized. So first we will create a new text file named dict.txt in which we have written some content which is going to be easily readable number wise with -n command.

As a result, this add a serial number column for every line as shown below:

Overwriting a file

Now we want to copy the content of file dict.txt into notes.txt or in other words we want to overwrite the file notes.txt. So in order to do, this first we write the file name from which the content is to be copied and then we will write the file name whose content we want to replace followed by greater than sign(>).

As you can observe in the picture below that we have replaced the content of notes.txt with dict.txt

Concatenating files:

Now we want to merge two files together or in other words, we want to combine two files. So, what will we do? Its again very simple; we will use greater than sigh here but now twice (>>) and the content will be replaced successfully. So here we have another new file which is pass.txt and then we will proceed towards merging two files for which we will use (>>) sign again as we have done in the image below. Now again we will use -n to put this content number wise which we have done above.

As result, you can observe that we have concatenate dict.txt in the pass.txt file.

Reverse order

As the name suggests and we can reverse all the content using tac command which is just a reverse of cat command and it works for this purpose only.

With the help of tac command, we try to reverse the file by making a vertical flip as shown below.

Sudo rights Lab setups for Privilege Escalation

Now here our next step is to set up the lab of Sudo rights or in other words to provide Sudo privileges to a user for cat executable. Here we are going to add a user by the name of the test in the suoders files and here we have given permission to user test to run cat command as root user.

Exploiting Sudo Rights

Now we will connect through ssh in kali and after that, we will run sudo -l which is sudo list and through which we can see that user test has the permission to run cat as root user.

Now our next step is to exploit sudo rights through cat command. So, we will run cat /etc/shadow command to see all the users and their respective passwords hashes.

Wonderful! We have got all the user’s list and their passwords’ hash value.

Cracking the Hash Password

Now our next step is to crack the hash value so that we are going to use “John the Ripper” tool to crack this hash value in order to get the password in decrypted form. So first we have taken one user whose password we want to check. So, run the following command in the terminal-

Great! We have cracked the password successfully. Now we will switch user raj to check if we can log in through that password and we can see that we have successfully logged in as raj user.

Now we will run sudo -l command to check if user raj, and found he has all the root permissions.

Now, we will again try to switch to user root and we are logged in as root and then we run id command we get to know that we got a root shell.

So, we have performed privilege escalation through cat command successfully.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information SecurityContact here

Linux for Pentester: Find Privilege Escalation

Today in this article we are back with another most advantageous command from the series of Linux for Pentester i.e. “Find’. The Find command is used to search the list of files and directories, so by knowing this fact, we will now illustrate how we can avail it in Privilege Escalation.

Table of Content

Introduction to Find

  • Major Operation performed using Find

Exploiting Find

  • Sudo Rights Lab setups for Privilege Escalation
  • Exploiting Sudo rights
  • SUID Lab setups for Privilege Escalation
  • Exploiting SUID

Introduction to Find

 Find command is a command line facility for a walk around a file pyramid structure to find the exact location of the file and directory as per the user’s desire. This search command can be used by the variability of services like search any file by “size, permissions, date of modifications/access, users, groups” and many more as per user requisite.

Alike every command the Find also can be concisely understood by its help/man command as per below image.

Major Operation performed using Find

Search any file by particular name in the current directory: This command supports the user to search any file by a specific name. Suppose we want to search a text file by the name of “raj” from current directory then simply compose the command as per below screenshot.

Search any file by particular name in the home directory: If we wish to find all the files under home directory by desired file name, in our case it is “raj.txt” then from command as below:

(It will permit the user to find all “raj.txt” file under home directory)

Find files by its extension: This can be returned by specifying the particular file extension. If any user wants to fetch any file by its extension, then it can be done by “-type f” option followed by Find As in our scenario we are fetching for .txt

One can also use the “-type d” option instead of the “-type f” for retrieving the directory.

This command will support the user for printing all .txt file as the desired output.  

Find files with full permission: Whenever anybody wishes to explore for the files that have full permission i.e. “777” then it can be simply acquired by “-perm 0777” followed by Find command with the option “-type f” which will print the output for all the files that have“777”

To find all files for a specific user of a directory: If we need to find all those files that belong to a particular user under any selective directory then that we can execute this by command as:

In our instance, we are finding for all those files that belong to user “raj” under “tmp directory”.

  • To find all hidden files: If we want to find all hidden files within any directory then we will type the command as below:

This command will give a consequence for all hidden files in the current directory.

To find all readable files within a directory: To find all readable files from a specific directory. In the below screenshot we are discovering for all those files that is in the readable form under /etc directory

By typing above command, we will get all readable files that come under /etc as output.

Find SUID files: Whenever any command runs, at which SUID bit is set then its effective UID becomes the owner of that file. So, if we want to find all those files that hold the SUID bit then it can be retrieved by typing the command:

Find SGID files: The SGID permission is similar as SUID but the only difference is that, whenever any command runs at which SGID permission is set, then the process will have the same group ownership as the owner of the file. So, to run all those files that possess SGID bit, type command:

To find SUID & SGID files simultaneously: If we want to fetch all those files simultaneously at which both bits i.e. “SUID & SGID” are set then frame command as:

To find all writable file: To find any writable directories within any desired directory such as: /home, /tmp, /root, then we will run the command as:

As per below image we have find all writable directories from /home.

Exploiting Find

Sudo Rights Lab setups for Privilege Escalation

Now we will set up our lab of Find command by granting it higher privilege i.e. with administrative rights. As we know the performance of every command gets changed after the influence of higher privileges. Same we will check for our Find command and will grasp what effect it would have after the accomplishment of sudo rights and how we can custom it more in privilege escalation.

To recognize it more visibly first we will create a local user (test) who retain all sudo rights as root.

To add sudo right open /etc/sudoers file and frame below command as user Privilege specification.

Exploiting Sudo rights

Now we will start exploiting Find service by taking the privilege of sudoer’s permission. For this, we must have a session of the victim’s machine which will enable us to devise the local user access of the targeted system which will support us further to escalate the root user’s rights.

 For this we need to connect with the target machine with ssh, so type the command as shown below for performing the same.

Then we checked for sudo right of “test” user (if given) and found that user “test” can execute Find command as “root” without a password.

Find command let you perform some specific action such as “print, delete and exec”. So here we are taking the privilege of “exec” for executing the command to access root shell by running /bin/bash with the help of find command as given below:

On running above command, we have successfully escalated the root shell as shown in the below image.

SUID Lab setups for Privilege Escalation

As we know the SUID bit permission enables the user to execute any files as the ownership of existing file member. Now we are enabling SUID permission on Find so that a local user can take the opportunity of Find as the root user.

Hence type following for enabling SUID bit:

Exploiting SUID

As we know we have access to victim’s machine so we will use Find command to identify binaries having SUID permission.

So here we came to recognize that SUID bit is empowered for so many binary files, but our concerned is:   /usr/bin/find.

As we know Find command supports the user to perform some specific action such as print, delete and exec. So here again we are taking the privilege of “exec” for executing another command i.e. “whoami”

Similarly, you can take honour of Find command for escalating the root privileges.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, she is completely enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here

Cloakify-Factory: A Data Exfiltration Tool Uses Text-Based Steganography

In our previous post, we had already discussed on “Cloud Storage Uploads for data exfiltration” and today we are going to discussed “Concealed Method for Data Exfiltration” to extract the unauthorized data. Here you will learn how an intruder can exfiltrate data through steganography approach.

Table of Content

  • Overview
  • About Data Exfiltration
  • Cloakify Installation and Usages (for Linux)
  • Method -I
  • Method II
  • Cloakify Installation and Usages (for Windows)

Overview

We will perform red team practice, where we will attempt to collect the important files from the victim’s machine by inducing steganography with the help of concealed methods. When copying information from the destination machine, we will try to transform the data to befool the network monitors so that they can not identify the data packet travelling in the network.

All this could be performed by using a single tool named “Cloakify Factory”.

Cloakify Factory transforms any filetype (e.g .zip, .exe, .xls,etc.) into a list of harmless-looking string. This lets you hide the file in plain sight and transfer the file without triggering alerts. The fancy terms for this “text-based steganography”, hiding data by making it look like other data. Cloaked files defeat signature-based malware detection tools.

About Data Exfiltration

Data exfiltration occurs when malware and/or a malicious actor carries out an unauthorized data transfer from a computer. It is also commonly called data extrusion or data exportation. Data exfiltration is also considered a form of data theft. During the past couple of decades, a number of data exfiltration efforts severely damaged the consumer confidence, corporate valuation, and intellectual property of businesses and national security of governments across the world.

Methods of Data Exfiltration

Open Methods:

  • HTTP/HTTPS Downloads & Uploads
  • FTP
  • Email
  • Instant Messaging
  • P2P filesharing

Concealed Methods:

(From Wikipedia)

Cloakify Installation & Usages (for Linux)

CloakifyFactory – Data Exfiltration & Infiltration In Plain Sight; Convert any filetype into a list of everyday strings, using Text-Based Steganography; Evade DLP/MLS Devices, Defeat Data Whitelisting Controls, Social Engineering of Analysts, Evade AV Detection.

Only you need to type following for downloading the cloakify from GitHub in the target machine.

Let’s run the python script to lunch cloakifyfactory.py

CloakifyFactory is a menu-driven tool that leverages Cloakify Toolset scripts. When you choose to Cloakify a file, the scripts first Base64-encode the payload, then apply a cipher to generate a list of strings that encodes the Base64 payload. You then transfer the file however you wish to its desired destination. Once exfiltrated, choose Decloakify with the same cipher to decode the payload.

Let’s take an example now that we want to copy a text file “pwd.txt” from within the target system containing the login credentials of different machines in the network.

Method -I

It may be dangerous to copy the text file directly, so we will transform the input file data into another file as output. To do so follow the below steps:

  1. Run the python script to launch cloakifyfactory.py
  2. Press 1 to select cloakify a file option
  3. Enter the path of the source file that you want to transform an the input file.
  4. Enter the path of the destination file to where you want to save the output.

 

Further, you will get a list of ciphers, choose the desired option for encrypting the file. Suppose I want the whole content to get changed into facial emojis.

  1. Press 3 for emoji cipher
  2. Allow to Add noise to cloaked file by pressing Y for yes.
  3. Then press 1 to select prependemoji.py as a noise generator.

This will save the output result inside the raj.txt file.

As result, you will get the output content something like shown in the below image.

Now if you want to obtain the output result in its original format, then you can go with the decloakify option which will revert the transformation into its original existence, but before that, you have to give all permissions to removeNoise.py

To do so follow the below steps:

  1. Run the python script to launch cloakifyfactory.py
  2. Press 2 to select decloakify a file option
  3. Enter the path of the file that you want to restore back into its original format.
  4. Enter the path of the file to where you want to save the output.

Press Y to answer yes because we have added noise to cloaked file and select noise generator.

Method II

Again, we have a similar file that we want to cloaked into another format directly without operating the cloakifyfactory console.

 

This time you can use a single command to cloak the file by adding specify the type of cipher as given below:

After executing the above command, we can observe the output result would be something like this as shown in the below image.

So we have used the file.txt file as destination file to save the transformed information inside it without printing the output result on the screen. Moreover, further, we have used decloak command to revert the transformed file back into its original state.

Cloakify Installation and Usages (For Windows)

As we all know this is an exfiltration tool and data could be exfiltrate from any platform either from Linux or Windows based OS, therefore cloakifyfactory has built the application both platforms. In the 1st phase, we have use python-based application for Linux machine and now remotely we are going to deploy cloakify factory inside Windows machine using MSI package of python for our python based application.

Thus, we downloaded the MSI package in our local machine (Kali Linux):

Now our purpose is to show how an intruder can remotely exfiltrate the data using cloakifyfactory. So, we had compromised the system first and got the meterpreter session and then uploaded the MSI package inside the victim’s machine to install the dependency required for python.

Now download the zip file for cloakifyfactory from GitHub in your local machine.

We also need to download 7-zip exe program for extracting the cloakify-master.zip.

Now extract the 7za920.zip  and you will get the 7za.exe file that we have to inject in the victim’s machine.

Now let’s upload 7za.exe and cloakfy-master.zip in the remote system. And further, use the 7za.exe program to unzip the cloakify-master.zip.

Therefore, execute the following command:

Now we want to transfer the secret.txt file of the compromised machine but directly copying the file might generate the alert, therefore, we will transform the data as done above.

Now again we try to covert the content of the secret.txt file by hiding it behind the cloaked file. And it is very simple as performed earlier with little modification. So now we can run the cloakify.py file with the help of python.

Thus, we can observe that with the help of cloakify we have transformed the filetype cannot be detected easily.

Conclusion: cloakify-factory could be very useful for exfiltrating data internally as we saw it has many cipher script that used to the cloaked data file and hence it is a very effective tool for performing text-based steganography.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, she is completely enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here