The most important step in hacking - Enumeration

Cinnamon1212 — Mon, 12 Jul 2021 09:26:40 +0000

What is enumeration?

Enumeration is the first and most important step of any form of hacking. You need an in depth understanding of what you're going up against. For example, in a CTF, you need to know which ports are going to be open and which services they belong to.

Network enumeration

Network enumeration is going to give us a better understanding of what targets on a network are doing.

Discovering hosts on a network

Tools such as:

Can help us enumerate which devices are on a network using ICMP packets (pings) or ARP. Some specialised tools such as Bloodhound may help us enumerate networks using Active Directory.

Discovering open ports on a target

Once we have our target, we need to understand what the target is doing and potential attack vectors. Below is a sample of an nmap scan:

We can see there are 5 ports open. We may be able to exploit the HTTP service on port 80 or gain access to SSH on port 20. Port scanning can be slow, tools such as PyRCON and Rust Scanner may help us speed up this process. Typically this isn't necessary but in a KOTH or battlegrounds game, we can't spare the time.

Website enumeration

Websites are a huge attack vector as they're often public facing and have countless possible flaws, depending on their configuration. There are many tools that we can use to gain a better understanding of the website. Such as:

Specialised tools can be used, for example WPScan. Allowing us to enumerate the wordpress CMS.

Domain enumeration

In a real-world scenario. You're likely to come across a target with more than one domain, each having it's own subdomains. There's plenty of tools that you can use to discover these. Again, PyRCON offers some options for this but I like tools such as sublist3r and publicly available records such as security trials.

Tools such as Dig (preinstalled on most Linux distros) may also be used for performing DNS queries, alongside nslookup. They may also be used for resolving a domain name from an IP Address (for example: 45.33.32.156 -> scanme.nmap.org)

Polkit CVE-2021-3560

Cinnamon1212 — Mon, 12 Jul 2021 00:31:27 +0000

Background

Polkit (AKA PolicyKit) is an essential component in Unix-like OSs for controlling system wide privileges. As you can imagine, exploiting this can lead to some nasty privilege escalation. There were a few mainstream OSs vulnerable to this (such as Ubuntu 20.04 and Red Hat Enterprise Linux 8), making this a very impactful exploit.

Understanding how and why this works

The original report can be found here.

Polkit is used to allocate privileges for users and processes. This exploit takes advantage of our ability to kill a dbus-send command the dbus daemon is able to pass Polkit the correct ID. In turn, Polkit errors and substitutes a 0 (all privs/root).

Demonstration

I'll be using the polkit box from TryHackMe to demonstrate this
We'll follow through the tutorial process. Our first command is:

time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:attacker string:"Pentester Account" int32:1

It's pretty long, let's dissect it. This command will be ran and monitored using "time". Remember we need time in order to check when we need to kill the dbus-send command. Our dbus-send command is going to request to create a user called attacker (and print the reply back to us). Typically we'll see this happen in a GUI and we'd then be prompted to give a password.
That takes us to our next command:

dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'$6$TRiYeJLXw8mLuoxS$UKtnjBa837v4gk8RsQL2qrxj.0P8c9kteeTnN.B3KeeeiWVIjyH17j6sLzmcSHn5HTZLGaaUDMC4MXCjIupp8.' string:'Ask the pentester' & sleep 0.005s; kill $!'

To continue making our new account, we need to provide a password. This takes a Sha512Crypt hash as input and uses that for the password. In plain text, the password is "Expl01ted".
Finally, we'll use the delay that we previously found to kill the command before the dbus-daemon is able to give Polkit our ID.
We're given a new account called attacker with the password of Expl01ted that's automatically added as a sudoer. We can su into this account and then sudo su to root.

How does this look in practice?

Honestly? It looks simpler than you'd expect. Other than the timing of the command, this is a low complexity attack since there's copy and paste dbus commands that we can use for this. Though even without those, some understanding of using dbus utils will let you exploit this.

DEV Community: Cinnamon1212