Finding Privilege Escalations with strace & SysInternals
@ OWASP Stammtisch Stuttgart 06.11.2017
• Diplom Mathematiker (FH)
• Administrator – Developer – Architect – Penetration-Tester
• Some 0days
• Certificates: OSCP, OSWP, OSCE, ISO27001 Foundation
• Founder of Ungeheuer IT UG (haftungsbeschränkt)
Ungeheuer IT
• Based in Rülzheim (between Karlsruhe and Mannheim)
• Any kind of penetration tests
• Customers from the following sectors:
  • Municipalities
  • Insurance companies
  • Banks
  • Industry
  • Critical infrastructure
Agenda
1. Some Basics
2. Sysinternals & Procmon
3. Strace
Basics
What is Privilege Escalation?
“Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.” - Wikipedia
[Diagram: You Start Here, Your Target]
SysInternals - the Windows part
Sysinternals
What is Sysinternals?
Windows Sysinternals is a part of the Microsoft TechNet website which offers technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment. - Wikipedia
Lots of nice tools
AccessChk AccessEnum AdExplorer AdInsight AdRestore
Autologon Autoruns BgInfo CacheSet ClockRes
Contig Coreinfo Ctrl2Cap DebugView Desktops
Disk2vhd DiskExt DiskMon DiskView Disk Usage (DU)
EFSDump FindLinks Handle Hex2dec Junction
LDMDump ListDLLs LiveKd LoadOrder LogonSessions
MoveFile NTFSInfo PendMoves PipeList PortMon
ProcDump Process Explorer Process Monitor PsExec PsFile
PsGetSid PsInfo PsPing PsKill PsList
PsLoggedOn PsLogList PsPasswd PsService PsShutdown
PsSuspend RAMMap RegDelNull Registry Usage (RU) RegJump
SDelete ShareEnum ShellRunas Sigcheck Streams
Strings Sync Sysmon TCPView VMMap
VolumeID WhoIs WinObj ZoomIt
ProcMon - GUI
• Name of the process executing
• Operation
• The related path
• Result
ProcMon
• It is also able to log during boot!
ProcMon - Boot
ProcMon
• But what can we do with it?
• We can find Privilege Escalations by combining
  • ... the %PATH% variable
  • ... errors in the ProcMon Log
  • ... a broken application
ProcMon – Filter for PrivEsc!
ProcMon
PATH=C:\Windows;C:\Python27;C:\SomeFolder;C:\BrokenTool\bin
[Diagram: the PATH directories C:\Windows, C:\Python27, C:\SomeFolder and C:\BrokenTool\bin, with the labels Foo.exe, Foo.exe (Malicious) and Shell]
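Added example (not from the original slides): a triage script for a ProcMon CSV export that lists every PATH directory a process probed for a file and missed, so those directories can be checked for write access by unprivileged users. The sample rows, the process name BrokenTool.exe, the location of the real Foo.exe and the `user_writable` input (the result of a separate ACL review, for example with AccessChk) are assumptions.

```python
import csv
import io
import ntpath

SLIDE_PATH = r"C:\Windows;C:\Python27;C:\SomeFolder;C:\BrokenTool\bin"  # from the slide

# Constructed rows in ProcMon's CSV export layout; not a real capture.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:10:01.1","BrokenTool.exe","4242","CreateFile","C:\Windows\Foo.exe","NAME NOT FOUND",""
"12:10:01.2","BrokenTool.exe","4242","CreateFile","C:\Python27\Foo.exe","NAME NOT FOUND",""
"12:10:01.3","BrokenTool.exe","4242","CreateFile","C:\SomeFolder\Foo.exe","NAME NOT FOUND",""
"12:10:01.4","BrokenTool.exe","4242","CreateFile","C:\BrokenTool\bin\Foo.exe","SUCCESS",""
"12:10:02.0","BrokenTool.exe","4242","RegOpenKey","HKLM\Software\BrokenTool","NAME NOT FOUND",""
"12:10:02.5","BrokenTool.exe","4242","CreateFile","C:\Temp\cache.dat","NAME NOT FOUND",""
'''

def norm(path):
    # Windows paths are case-insensitive: compare normalised lower-case forms.
    return ntpath.normpath(path).lower()

def missed_path_lookups(csv_text, path_var, user_writable=()):
    """Return failed file lookups that happened inside a PATH directory.

    user_writable: directories a separate ACL review found writable by
    non-admin users (assumption: supplied by the caller).
    """
    order = {norm(d): i for i, d in enumerate(path_var.split(";")) if d}
    writable = {norm(d) for d in user_writable}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        folder, name = ntpath.split(row["Path"])
        if norm(folder) not in order:
            continue  # a miss outside PATH is not a search-order issue
        findings.append({
            "process": row["Process Name"],
            "file": name,
            "dir": folder,
            "path_index": order[norm(folder)],
            "writable": norm(folder) in writable,
        })
    # Writable directories first, then in PATH search order.
    return sorted(findings, key=lambda f: (not f["writable"], f["path_index"]))

if __name__ == "__main__":
    for f in missed_path_lookups(SAMPLE_CSV, SLIDE_PATH, [r"C:\SomeFolder"]):
        print(f)
```

Each reported directory either needs an ACL that denies writes to unprivileged users, or the application should start the binary by its absolute path.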
Powershell is nice to us!
• Before it calls its own functions and methods it first searches in PATH!
ProcMon - Demos
Strace - the Linux part
Strace
• Available on (almost) all Unix/Linux based systems (for AIX and Solaris there is truss)
• It traces system calls and signals
• It is possible to attach to running processes
• Can follow forked threads
Simple strace call
How to use it?
• Put some placeholder into the parameters and grep for them
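Added example (not from the original slides): the placeholder-and-grep step done over a saved trace, classifying each system call in which the placeholder reappears. It assumes the trace was written with `strace -f -o`, which prefixes each line with the PID; the tool name backup-tool, the marker ZZMARKER1 and the trace lines are constructed.

```python
import re

MARKER = "ZZMARKER1"  # constructed placeholder passed as a parameter

# Constructed trace in "strace -f -o file" layout; not a real capture.
SAMPLE_TRACE = r'''1201 execve("/usr/local/bin/backup-tool", ["backup-tool", "--name", "ZZMARKER1"], 0x7ffc2a1b3c40 /* 21 vars */) = 0
1201 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1201 openat(AT_FDCWD, "/var/backups/ZZMARKER1.tar", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 4
1202 execve("/bin/sh", ["sh", "-c", "tar cf /var/backups/ZZMARKER1.tar /srv/data"], 0x55d0c8a2e010 /* 21 vars */) = 0
1202 stat("/srv/data", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
'''

# PID, syscall name, argument text, return value. Lines split by strace into
# "<unfinished ...>" / "<... resumed>" halves do not match and are skipped.
LINE = re.compile(r'^(?:\[pid\s+)?(\d+)\]?\s+(\w+)\((.*)\)\s+=\s+(-?\d+|\?)')

FILE_CALLS = {"open", "openat", "creat", "unlink", "unlinkat",
              "rename", "chmod", "chown", "stat", "access"}

def marker_sinks(trace_text, marker):
    """Return (pid, syscall, kind) for every call whose arguments contain marker."""
    hits = []
    shell_arg = re.compile(r'"-c",\s*"[^"]*' + re.escape(marker))
    for line in trace_text.splitlines():
        m = LINE.match(line)
        if not m or marker not in m.group(3):
            continue
        pid, call, args, _ret = m.groups()
        if call == "execve":
            # Marker inside an "sh -c" string: the input is parsed by a shell.
            kind = "shell command" if shell_arg.search(args) else "exec argument"
        elif call in FILE_CALLS:
            kind = "file path"
        else:
            kind = "other"
        hits.append((int(pid), call, kind))
    return hits

if __name__ == "__main__":
    for hit in marker_sinks(SAMPLE_TRACE, MARKER):
        print(hit)
```

The first hit is the traced program's own launch; the later hits show where the parameter ends up, and a "shell command" hit means the value should be passed as a separate argument instead of being built into a shell string.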
Strace - Demos
Only Local Priv Esc?
You can also check remote protocols for RCE!