Posts

Showing posts from December, 2023

LD_PRELOAD (ine)

In this lab, when we check the sudo configuration for the student user, we find that they can run apache2 as root and that they can set the environment variable LD_PRELOAD.

ld is a common linker found on Linux systems. A linker takes different object files and links them into a final executable binary. The LD_PRELOAD environment variable lets us set a path to an object file which will be loaded by ld before anything else. From an attacker's point of view, this opens an opportunity to perform malicious acts on the compromised machine. In this example, we can exploit this to gain elevated privileges.

We first of all need to create a malicious C file which will open a bash session using the uid and gid of the root user - on Linux this is the number 0.

In the example above, I have used the echo command with the -e flag so I can use escape characters. I have done this as I wanted to include newlines using \n.

The C code looks as follows: #include <stdio.h> #include <sys/types.h> #...

Shared Server (ine)

In this lab, we are given access to a server which is being used as a place for web app developer students to serve their projects. Knowing the purpose of the compromised machine, we navigate to the /var/www/html directory and start to enumerate sensitive strings.

It is always a good idea to have a look on the system for strings such as: password, username, db_username, db_password, db_user, db_pass, passwd. This can be done in various ways - I like to color the discovered strings in red. The command I used to find the creds on this box is: find . -type f -exec grep --color=auto -ie "db_password" --color=always {} /dev/null \;

It was logical to next have a look inside the file of interest. Now it was a simple matter to check for password reuse.

This lab shows us the importance of enumerating sensitive strings and checking for easy wins such as password reuse. The web-root directory and its child directories are a good place to look for sensitive creds being leaked. I hope this ...

Enumerating Log File (ine)

In this lab, we find an instance of the postfix mail server running whilst we are enumerating the running processes. We can have a look at the log files for this service.

Linux logs just about everything and by default stores the resulting files in /var/log. In this case, the default location has been changed by somebody, so we need to search elsewhere.

Log files help admins and other users know what is going on with the system - they often contain error messages. These files are therefore of interest to attackers, as they can help us understand the compromised system and perhaps they will leak sensitive data. There are lots of log files, though, so it makes sense to look into those which relate to running processes and services. The files themselves can be quite long, so we can utilize the tail command - this is useful as the most useful error messages are often found towards the end of the log file.

The log file for the postfix mail service has leaked sensitive data - it was a good...