Saturday, October 29, 2016

Getting to the root@hostname:~# of the problem

What is privilege escalation?

Let's look at the subject in a less technical fashion first. What does it mean to elevate one's privileges? It's being able to do something that you do not have privileges for, for example: The wife of a powerful CEO can elevate her privileges by convincing her husband to do something for her that she normally couldn't do. This could be money, power, valuable items, etc.

In terms of hacking or computer security (two sides of the same coin) we either need a program to execute our own code with higher privileges or we need to prevent any program from executing user-supplied code at higher privileges than the user is allowed; or more specifically, the hacker is allowed.

Whenever someone asks about or googles for 'linux privilege escalation' there is one blog that everyone cites: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/. This blog post is very thorough and hits on an important point; Enumeration is key. You only need one avenue by which to raise your privileges and there are many, many different ways to do so.

I recommend going through g0tmi1k's blog and understanding what each command does and how it can be used for privilege escalation. Once you understand the methodology, there are a few things I personally recommend when attempting to escalate your privileges.

  1. 'sudo su root' - This is by far the easiest privilege escalation I've ever seen but, when you have sudo privileges you are simply using them to change your user to the root user and boom! You're root.
  2. Cracking root user privileges. If you don't believe that random passwords are used for root accounts, then that means a user set the root password and can potentially be brute forced. However, this is obnoxiously noisy, just for your reference. 
  3. Use the Linux Exploit Suggester built into Kali Linux to find exploits based on the kernel version. https://github.com/PenturaLabs/Linux_Exploit_Suggester
  4. Use the Linux Privilege Checker which automates G0tmi1k's blog enumeration process and suggest potential exploits. https://www.securitysift.com/download/linuxprivchecker.py
Lastly, the difference between a script kiddie and a professional hacker will be the depth of understanding of these scripts, methodologies, and privilege escalation exploits. If one doesn't work on a kernel it says it should work with, learn why.

Hack Responsibly. Hack Professionally.

Friday, October 14, 2016

prof_dev5.sh

#!/bin/bash

echo "Make a plan for your Professional Development!"
echo ""
echo "Anything worthwhile rarely succeeds without proper planning, why should your career and professional development be any different? The first step to developing a great plan is to establish a baseline. Where are you currently? What do you have? Skills, knowledge, abilities, connections, and anything else you can enumerate."
echo ""
echo "The next step is to figure out where you want to be. Where do you see yourself in 1, 5, 10 years? Don't think of where you should be, or where you ought to be, or where you have always thought you would be. Think of your wildest, craziest passion and strive for it. This is where you want to be."
echo ""
echo "These dreams may change and that is OK; it is OK to change what you want at different points in your life. What should not change is your drive to achieve your passion, no matter what it is."
echo ""
echo "Lastly, we connect the current dots with the future dots with specific, concrete, implementable steps. Some steps could be as simple as a flick of a switch or throwing away an old picture. On the contrary, some decisions can be life altering such as quitting your job, selling your home, or moving across the country. No decision should be made lightly but, just because they are difficult doesn't mean they are bad decisions. You will never be happier than when you are pursuing and accomplishing your passion!"
echo ""
echo "So how can you connect the dots? How can you plan for your success? The steps are simple but, the change can and will. be. hard. Embrace it and strive for your passion."
echo ""
echo "Think about your plan this weekend and let me know how it goes by commenting on this post, or sending me a tweet @anorblet"
echo ""
echo "Check out more posts at professionalhackerdigest.blogspot.com! Hack Responsibly, Hack Professionally"

Thursday, October 13, 2016

prof_dev4.sh

#!/bin/bash

echo "Humility is a top quality"
echo ""
echo "No individual knows everything and there is a 100% chance that in the past and in the future, we have/will said/say something wrong, incorrect, or abrasive to someone else. In this moment, remember humility."
echo ""
echo "It is OK to be wrong and make mistakes both professionally and personally and in fact, we can use them to our advantage when we admit that we were wrong. As Dale Carnegie says in his book, 'If you are wrong, admit it quickly and emphatically'."
echo ""
echo "For some reason, some people refuse to admit they were wrong. They refuse to admit they are wrong about reports, wages, resumes, and big and small decisions alike. In my experience, the damage comes from hiding, re-framing, or ignoring mistakes; the damage does not come exclusively from making mistakes."
echo ""
echo "You should always strive to be better, make fewer mistakes, and accept responsibility for the mistakes you do make. No matter which mistakes you make, admit you were wrong and be better in the future."
echo ""
echo "Embrace your humility and accept responsibility for your mistakes and definitely your successes!"
echo ""
echo "Try using this tactic this week and let me know how it goes by commenting on this post, or sending me a tweet @anorblet"
echo ""
echo "Check out more posts at professionalhackerdigest.blogspot.com! Hack Responsibly, Hack Professionally"

Wednesday, October 12, 2016

prof_dev3.sh

#!/bin/bash

echo 'What is in a name?'
echo ""
echo "Interestingly enough, EVERYTHING! People love hearing their own names. It's a sweet note in their ears, soft touch on their skin, and a warm bite of food in their mouths. Everyone loves to hear their own name."
echo ""
echo 'Make a genuine effort to remember peoples names when you meet them because it can and will pay dividends 100x over in the future. Clients will warm up to you faster if you greet them after a week by saying "Hey John, how was the weekend with the in-laws?" rather than "Hello again, lets jump into business".'
echo ""
echo 'When I first learned this trick, I struggled to use it because I thought it was ridiculous. I thought that people would either like you or not like you and that was just the hand you were dealt. Eventually, I combined remembering names with smiling and it was incredible how many MORE people seemed to be genuinely pleased to see me.'
echo ""
echo "This is not a panacea for the jackasses, the jerks, or the rudest people; everyone has to deal with their reputation. This is also not foolproof, not everyone will like you and that is OK. This tip is meant to increase and build upon your desire to develop professionally."
echo ""
echo 'Use this tip regularly until it becomes second nature and watch the scales slowly tip in your favor when meeting and remembering new people, clients, supervisors, investors, friends, or anyone else.'
echo ""
echo "In conclusion, the simple act of remembering names will help you in the future. I can't tell you how, where, or to what end but, I would not doubt for a second its usefulness."
echo ""
echo "Try using this tactic this week and let me know how it goes by commenting on this post, or sending me a tweet @anorblet"
echo ""
echo "Check out more posts at professionalhackerdigest.blogspot.com! Hack Responsibly, Hack Professionally"

Tuesday, October 11, 2016

prof_dev2.sh

#!/bin/bash

echo 'Three Meeting "Hacks"'
echo ""
echo 'I was lucky enough to participate in a meetings course recently and there were three main points I took away from the course'
echo ""
echo 'Main point 1: Every meeting needs an agenda'
echo 'Main point 2: Every meeting needs an outcome or decision'
echo 'Main point 3: Every meeting needs a parking lot'
echo ""
echo 'Every meeting needs an agenda so both the attendees and the meeting host know how the meeting should be progressing. In addition, it helps keeps everyone accountable for the initial time table set for the meeting.'
echo""
echo 'Every meeting needs an outcome or a decision to be made otherwise, why else would you have a meeting? This outcome or decision can be as simple as "Everyone is informed of a new product" or as complicated as "We will decide on the number of hours, pay rate, and quantity of interns for the next 7 years". This is also how anyone can determine the success or failure of a meeting.'
echo ""
echo 'Lastly, every meeting needs a parking lot. A parking lot is a separate place (paper, whiteboard, notebook, etc) for ideas that aren't directly relevant to the meeting but, shouldn't be forgotten. For example, if you are talking about the budget in a meeting and an idea for a company picnic comes up, put that idea in the parking lot. This keeps the meeting on topic and allows for everyone's ideas to be heard. Don't underestimate the effectiveness of this idea!'
echo ""
echo "Try using this tactic this week and let me know how it goes by commenting on this post, or sending me a tweet @anorblet"
echo ""
echo "Check out more posts at professionalhackerdigest.blogspot.com! Hack Responsibly, Hack Professionally"


Monday, October 10, 2016

prof_dev1.sh

#!/bin/bash

echo "The best way to win arguments, is to avoid them."
echo ""
echo "One thing I see A LOT is arguments where people are just shouting at each other. Sometimes they have differing opinions, and they should be discussing them, and other times they are just yelling to be heard."
echo ""
echo "Everybody wants to be heard."
echo ""
echo "If an argument is unstructured, aggressive, switching from non-personal to personal attacks, or downright silly, see if you can't isolate who is trying to be heard in this argument and what they are trying to have heard."
echo ""
echo 'Quoting How To Win Friends & Influence People and quoting Benjamin Franklin within the book, "If you argue and rankle and contradict, you may achieve a victory sometimes; but it will be an empty victory because you will never get your opponents good will."'
echo ""
echo "Look for ways to agree, hear your opponent, acknowledge what they are saying but, most importantly, avoid arguments in the first place."
echo ""
echo "Try using this tactic this week and let me know how it goes by commenting on this post, or sending me a tweet @anorblet"
echo ""
echo "Check out more posts at professionalhackerdigest.blogspot.com! Hack Responsibly, Hack Professionally"

Shell Scripting Professional Development Tips

Good afternoon everyone,

This week I decided to release a daily shell script/blog post with a professional development tip. The idea is that you can read the blog post here and you can copy the text and run it as a shell script on your linux distro as a reminder. Set it as a cron job or run it when you need it. Show it to your friends and coworkers! 

I will be releasing the first one today immediately after posting this and they follow the naming pattern of prof_dev{number}.sh. Enjoy all week long and check back often to see updates!

-Hack Responsibly, Hack Professionally

Thursday, October 6, 2016

My OSCP Story

Good evening,

I'm going to deviate from my normal professional development and technical discussions to talk about an accomplishment I'm rather proud of, I passed the OSCP test! For those of you who don't know what OSCP is, check out the website here: https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/

First I want to say that this blog is completely my own opinion and does not accurately reflect the views of any past, present, or future employees nor does it represent the views of the Offensive-Security team.

I started the course, Penetrating Testing with Kali Linux (or PWK), at the end of July with 60 days access to the lab. I think, given my background, this was sufficient time but, the amount of time you should purchase DEFINITELY depends on your background. Do not let the price tag fool you, the extra time you spend studying and learning will definitely help you pass the exam. The lab is full of machines with many different configurations, operating systems, and vulnerabilities that you, as the student, need to figure out how to exploit. Some exploits will land you on a root shell immediately and some will only land you with a low-privilege shell. If you have a low privilege shell then you need to escalate your privileges to root or Administrator (Linux vs Windows).

There are something like 50 virtual machines in this practice lab and the learning opportunities are figuratively unlimited; there is typically more than one way to exploit most systems. Rumor has it that if you are able to exploit every box in the public network (there are other hidden networks) except for Pain, Sufference, and Humble then you're good to go for the exam BUT there is no proof to this and the amount of learning required to pass the exam is different for everyone.

The exam consists of 5 boxes of varying points values and students need 70/100 points to pass the exam. So now I'll give my experience with the labs and exam.

My PERSONAL experience with the labs was awesome. I loved exploiting every single box and with every successful exploit I felt like I understood the process, exploits, and methodology just slightly better. I think I ended up exploiting around 30-35 of the available boxes (life got in the way of the rest of them) but, the most important thing for me was to understand the methodology. I really started to understand how Remote File Inclusion/Local File Inclusion (RFI/LFI) exploits were used, I really understood what to look for with privilege escalations. I became more familiar with metasploit. I was able to understand and modify exploits for my own use when necessary. These and other skills are explained in the course material but, its up to you to take those examples, do them, understand them, experiment with them, and master them to be used during the lab and on the exam. I can't believe it took this long to mention it but, you will learn to "Try Harder" in this course. One common misconception, in my opinion, is that the course material is everything you need to pass the exam. This is both true and not true. It is true that you have every tool you need to exploit any machine. It is not true that you know how to use each and every tool exactly as necessary to exploit any machine. When you are frustrated, angry, and all the admins will say is "Try Harder", take it to heart and try harder. You will be so glad you did.

Now, for my exam story. I thought I had scheduled my exam for Friday Sept 30th at 5am. When I woke up to take the exam, I never got the email so I contacted support. They had no record of my registration and even though I was frustrated, I scheduled my ACTUAL exam for October 3rd at noon. I spent the weekend playing around with virtual machines from VulnHub just to whet my appetite for the OSCP exam. Monday comes around and I get up, get ready, and at noon I get the exam email with my connection details. I spun up my PWK virtual machine and it would not connect to the internet. WHAT. I tried to configure the virtual machine adapters and it wasn't working. So, after 15 minutes, I got my laptop, which was conveniently also running Kali Linux, and I was able to connect to the exam network and start my exam. I looked at the point values for the machines and started with the lowest valued machine to get in the swing of things. I was able to exploit the first machine in about an hour. BOOM 1/5. I then moved onto the next machine and after about three hours I got the second machine completely. BOOM 2/5. I worked on the third box and after another three hours or so, I got the next box. BOOM 3/5. I was feeling really good but I didn't want to get cocky or disheartened; I wanted to maintain a level, calm, focused attitude. So, at this point, it's about 7-8pm and I continued on the fourth and fifth machines and by 2am, I had a low privilege shell on the fourth machine. I slept from 2am to 6am and got up, took a swig of mountain dew, and brewed some coffee and got back to work. Well, little did I know, my laptop had updated and crashed and would not boot into the graphical UI. So I switched back to my desktop and spun up a new Kali virtual machine and was able to continue the exam. I had a low privilege shell on the fourth machine and I could not figure out how to escalate. I searched and searched until I finally was going through the output of a tool and saw something I had missed before. It basically said, in a very inconspicuous way, "you might want to check this out?" Well THANK YOU output. Way to not draw attention to something I'm looking for. Anyways, I was able to use this to finally escalate my privileges on the fourth box and get proof.txt. Thus, I had four out of five boxes completely compromised with one hour left in the exam. I tinkered with the last box and found a vulnerability but could not even get a low privilege shell. 4/5. Not bad at all. According to the scores I believed I had passed but ultimately Offsec had the final say. I contacted the admins and told them of my technical difficulties and they were willing to work with me but, I was able to get the screenshots and data off my laptop using recovery mode and then I wrote up the report.

Well, today I got the email! "We are happy to inform you..." I had successfully completed the exam and I am officially OSCP certified. I laughed and cheered and told my family and friends that I had passed that 'super hard, 24-hour, hacker exam'. The best part about this exam was the hard work. This exam meant so much to me because of how much effort I put into this course and exam. I spent over 100 hours learning and practicing this material. I don't regret one single minute of it and I can't wait to start the Cracking The Perimeter course and get the OSCE next.