
6.28.2021

Miscellany

I've been doing little things here and there, but nothing worthy of a full blog post.  I'm trying to get in the habit of writing at least weekly, though.

I'm doing little things here and there on TryHackMe, but I'm running into more and more rooms that are premium-only.  Rooms that you need to complete to finish training paths, or even worse, to complete free rooms.  Looking over Hack The Box, it's similarly restricted for free users, plus it has time limits and no way around the time limits.  At least THM only limits your use of their in-browser attack box for free users, but VPN access is unlimited.  The $10/mo. doesn't sound like much for THM, but it adds up and I really can't justify it right now.

I'm still slowly working my way through "Violent Python", and it's inspired Copperhead and Pocketnuke over on my github.  Pocketnuke is a more refined version of the C runstub I mentioned previously in this blog.

I had been studying again for my CCNA, but that's fallen by the wayside for right now.  Instead, I'm slowly working on studying for the eJPT.  Or at least, doing INE's PTS courses through their free "starter pass".  I'm not sure I want to do pentesting, or jump right into Red Team, but at least in my opinion, you can't defend against the enemy properly unless you know how they think and operate.  So, like when I was in high school and hung out in 2600 IRC to learn how they would attack my server so I could protect it, I'm learning pentesting.

6.14.2021

Book Reviews - "Defensive Security Handbook" and "Practical Cloud Security"

To brush back up on security and learn new things that have become the standard in the past five years or so, I've bought a stack of books I'm working my way through.  The first two I decided to start with are "Defensive Security Handbook" by Brotherston and Berlin and "Practical Cloud Security" by Dotson.

"Defensive Security Handbook" built nicely upon what I already knew from doing security as a sysadmin and what was taught in the Security+ study materials.  It's basically a crash-course in how to set up good security policies and procedures if you're a sysadmin or something similar who has been handed a whole environment and been told "oh, by the way, we think this was secure, but you need to make sure and you need to bring the security up to date."  Needless to say, I wish I'd had this book when I was at All-Spec, but it came out long after I'd left there.  If you find yourself in a similar situation, or just want to make sure your security is right, or are trying to make the move from the infrastructure side of IT to the security side, I highly recommend this book.  I finished it in a week or so, and enjoyed it.  The writing is engaging as well as informative.  The book isn't meant to be a comprehensive security book, just a starting point with suggestions on where to go beyond what's covered in the book.  5/5

"Practical Cloud Security", conversely, was a slog.  The problem might be the fact that I have very little hands-on experience with cloud, but I kept finding myself getting bored by this book, and I'm not sure I retained much of the information I read.  It's definitely geared for someone facing a move to a cloud environment, or starting a position with a company that has a cloud environment, who's going "now what?".  I do like that for any specific cloud security features, the name of each feature in each cloud environment was listed.  I'll reserve judgement on the book for now, and just give it a 3/5.

Next up on the menu will be "Violent Python" and "Applied Incident Response".  Happy hacking.

6.07.2021

Changing users with SUID and setuid/setgid

Doing the Linux privilege escalation room on TryHackMe reminded me of a trick I've used in the past.  I haven't used it for nefarious purposes, only to get around a web script being run as the woefully unprivileged apache user, when it needed to run as a more privileged user.  It could easily be used as a good pentesting exploit.  I DO NOT endorse using this for evil.  Only use this for good, people.

It uses what I call a run stub.  It's a C wrapper that launches the script, but only after it changes the UID/GID to the desired higher-privileged user.  The run stub has to have SUID permissions and be owned by root.  So, chmod u+s runstub after compiling runstub.c into runstub.  The permissions listing should say: -rwsr-xr-x root root.

Below is the code: 

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <string.h>

char runprog[512];

int main(int argc, char *argv[])
{
    if (argc != 2) {  /* argv[1] has to exist before it is used below */
        fprintf(stderr, "usage: %s <argument>\n", argv[0]);
        return 1;
    }
    /* <gid> and <uid> are whatever GID/UID you want to switch to.  Switch the group
       first, and bail out if either call fails; otherwise system() would still run
       as root instead of the user you asked for. */
    if (setgid(<gid>) != 0 || setuid(<uid>) != 0) {
        perror("setgid/setuid");
        return 1;
    }
    /* runprog is the buffer, 512 is the size of the buffer, the rest is the script
       you're trying to run and any arguments you want to pass to it, specified on
       the run stub's command line */
    snprintf(runprog, 512, "/path/to/script %s", argv[1]);
    system(runprog);
    return 0;
}

The two magic parts here are setuid()/setgid(), which *nix uses to switch users and groups in things like sudo and su, and system().  The snprintf() line formats the command into a string that can be passed to system(), which executes commands.
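A hardened variant of the stub, added here as an example rather than the post's own code: it checks that setgid()/setuid() actually took effect (a silently failed setuid() would leave system() running the script as root rather than the intended user), restricts the argument to a plain token, and swaps system() for execve() so /bin/sh never gets to parse argv[1]. SCRIPT, TARGET_UID and TARGET_GID are placeholders to fill in yourself.

```c
/* Hardened run stub: added example, not the post's runstub.c.
 * SCRIPT, TARGET_UID and TARGET_GID are placeholders you fill in yourself. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#define SCRIPT     "/path/to/script" /* placeholder path, as in the post */
#define TARGET_UID 1000              /* placeholder: UID to switch to */
#define TARGET_GID 1000              /* placeholder: GID to switch to */

/* Characters allowed in the argument: no whitespace, shell metacharacters
 * or path separators, and (checked below) no leading '-' that the script
 * might take as an option. */
static const char allowed[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";

int argument_is_safe(const char *arg)
{
    size_t n = strlen(arg);
    return n > 0 && n <= 255 && arg[0] != '-' && strspn(arg, allowed) == n;
}

/* Group first, then user (after setuid() you may no longer change groups),
 * and check every return value: a failed, unchecked setuid() leaves the stub
 * running as root. Afterwards verify that the kernel applied the change. */
int switch_ids(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    return 0;
}
int main(int argc, char *argv[])
{
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* minimal environment */
    char *const args[] = { SCRIPT, argc > 1 ? argv[1] : NULL, NULL };
    if (argc != 2 || !argument_is_safe(argv[1])) {
        fprintf(stderr, "usage: %s <plain-argument>\n", argv[0]);
        return 1;
    }
    if (switch_ids(TARGET_UID, TARGET_GID) != 0) {
        perror("switch_ids");
        return 1;
    }
    execve(SCRIPT, args, envp); /* no /bin/sh: the argument is one argv entry */
    perror("execve");
    return 1;
}
```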

So, use your powers for good, and happy hacking.