Jail Video by IppSec

00:52 - Recon - NMAP
04:05 - Recon - Getting Linux Distro
04:35 - Recon - GoBuster
05:40 - Analyzing Jail.c source
09:45 - Begin Binary Exploitation
15:10 - Verify Buffer Overflow
17:35 - Create Exploit Skeleton
20:50 - Finding EIP Overwrite
23:02 - Adding Reverse TCP Shellcode
30:15 - Switching to “Socket Re-Use” Shellcode
32:20 - Shell Returned
34:00 - NFSv3 Privesc Begin
40:15 - Begin incorrectly playing with SetUID
43:10 - SELinux Escape
45:25 - Using SELinux Escape to copy SSH Key
48:55 - Logging in as Frank
50:00 - Privesc to adm (sudo rvim)
51:44 - Beginning of finding a way to root
55:58 - Begin cracking rar file
57:18 - Using Hashcat to generate custom wordlist
60:40 - Cracking with JohnTheRipper
62:30 - RsaCtfTool to exploit weak SSH Pub Key
63:36 - Login as root with SSH Private Key
64:11 - EXTRA CONTENT: Alternative Privesc to ADM (NFS)
65:21 - Creating a directory to give other users NFS Write access
67:30 - Correct way to do SetUID Program
71:04 - Using SetUID Programs to write to disk

Very nice! Good job. Here is a link that sheds some light on security mitigations related to uid/euid that make hackers’ lives just a little bit more difficult: Tavis Ormandy: Security Debianisms

I know that some guys simply copied /bin/sh to the NFS share, chmod’ed it and got a shell as user frank, BUT you have to find a shell version that doesn’t drop the privileges when uid != euid (nowadays the shells of most Linux distros do drop them).

Thanks, very useful.

@alamot I would just execve stuff, spending a massive amount of time :’(