more to come as I implement Kubernetes, Docker, and CI/CD in my projects

Linux Privilege Escalation

I'm happy to have finished up Linux privilege escalation. The capstone lab was satisfying to complete.

In order to get the flags, it was necessary to use programs with the SUID bit set. I figured this out after:

  • Looking for cronjobs
  • Testing sudo usage
  • Searching for file capabilities that could be exploited
  • Scanning for file shares that could be exploited

In particular, base64 was used to read one of the flags directly, and also to read /etc/passwd and /etc/shadow. After moving the information over via scp, it could be cracked offline with John to provide credentials to access the second flag.

Securing SMTP Client Python

*Looking into OAuth2 implementation*

Months ago, I wrote a very basic SMTP application for sending eBird alert data to my personal email. Although functional, it was not a particularly secure application.

I made some revisions to not only incorporate TLS, but specify the best version and encryption algorithms. Practically speaking, the key difference is using SMTP_SSL with a custom context argument. Below are the parts relevant to discussion. The full code will (eventually) be available on GitHub.

```python
# sends data by email to designated recipient from env set gmail

import smtplib
import ssl

# SMTP_SERVER and TLS_PORT are defined elsewhere in the full script (read from the environment)

def sendData(RECIPIENT, body):
    ...
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.minimum_version = ssl.TLSVersion.TLSv1_3
    context.maximum_version = ssl.TLSVersion.TLSv1_3
    # raw string: in a normal literal the backslashes would be read as escape sequences
    context.load_verify_locations(r"C:\Python311\Lib\site-packages\certifi\cacert.pem")

    try:
        with smtplib.SMTP_SSL(SMTP_SERVER, TLS_PORT, context=context) as mailserver:
            print(mailserver.sock._sslobj.cipher())  # see the cipher being used!!!
            ...
    except smtplib.SMTPException:
        # error handling is elided in the original excerpt; re-raise so failures stay visible
        raise
```

The context object exposes a number of attributes and functions, described in the ssl module documentation. Here, minimum_version and maximum_version are both set to TLSv1_3 so that nothing older can be negotiated. When an SSLContext is created directly with PROTOCOL_TLS_CLIENT, certificate verification and hostname checking are already enabled, but no CA certificates are loaded: the trust store must be given explicitly with load_verify_locations() (or load_default_certs()), whereas ssl.create_default_context() loads it automatically.

With some digging, it is possible to verify that the settings are actually being used by the underlying socket. The socket is accessible under the sock attribute, and its private _sslobj exposes the negotiated cipher: print(mailserver.sock._sslobj.cipher()). The public SSLSocket methods mailserver.sock.cipher() and mailserver.sock.version() return the same information without reaching into a private attribute.
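The following is an added example, not the blog's script: it builds the same TLS 1.3-only context, puts the common "switch verification off" mistake beside it, and adds an audit function so the context is checked before SMTP_SSL ever connects. SMTP_SERVER and TLS_PORT are placeholders for the values the blog reads from the environment; the send function uses the public SSLSocket API (version() and cipher()) to report what was negotiated.

```python
import ssl
import smtplib

# Placeholders (the blog reads these from the environment); not real servers.
SMTP_SERVER = "smtp.example.invalid"
TLS_PORT = 465  # implicit-TLS SMTP port, which is what SMTP_SSL expects


def build_hardened_context(cafile=None):
    """TLS 1.3-only client context that verifies the server certificate and hostname.

    PROTOCOL_TLS_CLIENT already sets verify_mode=CERT_REQUIRED and check_hostname=True,
    but it loads no CA certificates, so we load them here (a file, or the OS trust store).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    if cafile is not None:
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()  # same call create_default_context() makes
    return ctx


def build_weak_context():
    """The 'just make it work' misconfiguration: verification switched off.

    Order matters: check_hostname must be False before verify_mode can be CERT_NONE.
    Such a context connects to anything that speaks TLS, including an impersonator.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Report the settings a reviewer would check on an SSLContext."""
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "tls13_only": (ctx.minimum_version == ssl.TLSVersion.TLSv1_3
                       and ctx.maximum_version == ssl.TLSVersion.TLSv1_3),
        # number of CA certificates in the trust store (0 means every handshake will fail)
        "ca_certs_loaded": ctx.cert_store_stats()["x509_ca"],
    }


def is_acceptable(ctx):
    """True only when the context verifies the peer and is pinned to TLS 1.3."""
    report = audit_context(ctx)
    return report["verifies_peer"] and report["checks_hostname"] and report["tls13_only"]


def send_data(recipient, body, sender, password, ctx=None):
    """Send a message over SMTP_SSL and return (tls_version, cipher) that was negotiated."""
    ctx = ctx if ctx is not None else build_hardened_context()
    if not is_acceptable(ctx):
        raise ValueError("refusing to send over a context that does not verify the server")
    with smtplib.SMTP_SSL(SMTP_SERVER, TLS_PORT, context=ctx) as mailserver:
        # public SSLSocket API, equivalent to the private _sslobj.cipher() call
        negotiated = (mailserver.sock.version(), mailserver.sock.cipher())
        mailserver.login(sender, password)
        mailserver.sendmail(sender, recipient, f"Subject: eBird alert\n\n{body}")
    return negotiated


if __name__ == "__main__":
    print("hardened:", audit_context(build_hardened_context()))
    print("weak:    ", audit_context(build_weak_context()))
```

Running the module offline prints the two audit reports side by side; send_data() is only exercised with real credentials and a reachable server, and it refuses to run at all with the weak context, which is the property worth keeping in any script that handles mail credentials.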


SSH Server/Client Configuration - Windows OpenSSH Part 2

*More to come soon*

I wanted to access my devices remotely by SSH without paying for anything. Ngrok was an easy choice for my use case. The issue, however, is that whenever an SSH session is started, the URL used to gain access changes.

I needed a way to be updated when the address changes. The first thought I had was to run a shell script when the computer started up. This script would start Ngrok and email me the link over SMTP/TLS. If the service was interrupted, the same script should restart the service and run again.

This became a batch file run as a Windows service. The file runs a PowerShell script that starts ngrok, captures the URL, and sends it to a Python SMTP server.

SSH Server/Client Configuration - Windows OpenSSH Part 1

Two days of digging through forums and instructions to configure passwordless SSH.

I am using two Windows laptops here, a CLIENT and a SERVER.

When finished setting this up, you can add on ngrok (free) to maintain the connection remotely. I tested this by setting up a remote SSH connection from my iPhone (using a-shell) and my laptop running the ngrok instance.

Will be adding details on using ssh-agent, managing private keys and ACLs at a later date.

Here are some resources that were useful during this configuration.


For the SERVER:

  • Install/confirm the presence of OpenSSH Server
  • You can navigate to the System menu and click "Optional Features" > "View Features", then type in OpenSSH to download it
  • Modify the configuration files
  • Enable sshd as an automatic service

For the CLIENT:

  • Install/confirm the presence of OpenSSH Client
  • Generate a key pair unique to the user/device
  • Set permissions on the key pair to SYSTEM: Full and Owner: Full. There should be no other permissions, or you will get an error
  • Copy the CLIENT public key to the SERVER
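As an added example (not the blog's code, nor anything from the OpenSSH project), here is a small Python audit for the "Modify the configuration files" step. It parses sshd_config the way sshd reads it (keywords are case-insensitive, "#" starts a comment, and for a repeated keyword the first value wins) and reports whether the server will accept only key-based logins. On Windows the file lives at %ProgramData%\ssh\sshd_config. Both sample configs are constructed; the Match block in them mirrors the one shipped in the default Windows sshd_config, whose AuthorizedKeysFile points at administrators_authorized_keys rather than the user's .ssh folder, which is the detail that bites when the account you copy the public key to is an administrator.

```python
# Constructed sample: the relevant part of a default Windows sshd_config, where the
# authentication directives are still commented out (so sshd's defaults apply).
SAMPLE_DEFAULT = """\
# default Windows sshd_config excerpt (constructed for this example)
#PubkeyAuthentication yes
#PasswordAuthentication yes
Subsystem sftp sftp-server.exe
Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
"""

# Constructed sample: the same file after enabling key-only logins.
SAMPLE_HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
"""


def parse_sshd_config(text):
    """Return (global_directives, match_blocks) from sshd_config text.

    global_directives maps lowercased keyword -> first value seen, mirroring sshd,
    which keeps the first occurrence of a keyword. match_blocks is a list of
    (criteria, directives) for each 'Match' section, in file order.
    """
    global_cfg = {}
    matches = []
    current = None  # directives dict of the Match block we are inside, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            matches.append((value, current))
            continue
        target = global_cfg if current is None else current
        target.setdefault(key, value)  # first value wins
    return global_cfg, matches


def audit_key_only_login(text):
    """Check the global directives that decide whether password logins are still possible."""
    global_cfg, matches = parse_sshd_config(text)
    # sshd defaults used when a directive is absent (a commented-out line is absent)
    password = global_cfg.get("passwordauthentication", "yes").lower()
    pubkey = global_cfg.get("pubkeyauthentication", "yes").lower()
    empty = global_cfg.get("permitemptypasswords", "no").lower()

    findings = []
    if password != "no":
        findings.append("PasswordAuthentication is not 'no': password logins still accepted")
    if pubkey != "yes":
        findings.append("PubkeyAuthentication is not 'yes': key logins disabled")
    if empty != "no":
        findings.append("PermitEmptyPasswords should be 'no'")

    # Where sshd will look for an administrator's public key, if a Match block says so.
    admin_keys_file = None
    for criteria, block in matches:
        if criteria.lower() == "group administrators":
            admin_keys_file = block.get("authorizedkeysfile")

    return {"findings": findings, "admin_authorized_keys_file": admin_keys_file}


if __name__ == "__main__":
    for name, cfg in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_key_only_login(cfg))
```

Point the audit at the real file with audit_key_only_login(open(r"C:\ProgramData\ssh\sshd_config").read()) after editing it, and restart sshd so the change takes effect; an empty findings list plus the expected AuthorizedKeysFile is the state the "passwordless SSH" goal describes.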