From f2203aaf2ba062c89fcbddd1a2e2ebdd4c2d7448 Mon Sep 17 00:00:00 2001 From: Dan Bourke Date: Mon, 19 Feb 2018 13:57:07 +1100 Subject: [PATCH 1/3] add probably-harmless c program --- Mac/Payloads/hello.c | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 Mac/Payloads/hello.c diff --git a/Mac/Payloads/hello.c b/Mac/Payloads/hello.c new file mode 100644 index 00000000..19833ac7 --- /dev/null +++ b/Mac/Payloads/hello.c @@ -0,0 +1,6 @@ +#import +int main() +{ + printf("Don't run random binaries!\n"); + return 0; +} From 1ad74772b7fe2c0ee020625dd821659cba3e6a84 Mon Sep 17 00:00:00 2001 From: Dan Bourke Date: Mon, 19 Feb 2018 14:29:52 +1100 Subject: [PATCH 2/3] mac and linux example setuid binary --- Linux/Payloads/hello.c | 9 +++++++++ Linux/Privilege_Escalation/Setuid_and_Setgid.md | 11 +++++++++++ Linux/README.md | 2 +- Mac/Payloads/hello.c | 3 +++ Mac/Privilege_Escalation/Setuid_and_Setgid.md | 11 +++++++++++ Mac/README.md | 2 +- 6 files changed, 36 insertions(+), 2 deletions(-) create mode 100644 Linux/Payloads/hello.c create mode 100644 Linux/Privilege_Escalation/Setuid_and_Setgid.md create mode 100644 Mac/Privilege_Escalation/Setuid_and_Setgid.md diff --git a/Linux/Payloads/hello.c b/Linux/Payloads/hello.c new file mode 100644 index 00000000..db599921 --- /dev/null +++ b/Linux/Payloads/hello.c @@ -0,0 +1,9 @@ +#import +#import +int main() +{ + printf("Hello\n"); + sleep(60); + printf("Don't run random binaries!\n"); + return 0; +} diff --git a/Linux/Privilege_Escalation/Setuid_and_Setgid.md b/Linux/Privilege_Escalation/Setuid_and_Setgid.md new file mode 100644 index 00000000..87f9e51b --- /dev/null +++ b/Linux/Privilege_Escalation/Setuid_and_Setgid.md @@ -0,0 +1,11 @@ +# Setuid and Setgid + +MITRE ATT&CK Technique: [T1166](https://attack.mitre.org/wiki/Technique/T1166) + +Navigate to [hello.c](../Payloads/hello.c) + +Input: + make hello + sudo chown root hello + sudo chmod u+s hello + ./hello \ No newline at end of file diff --git a/Linux/README.md b/Linux/README.md index 68be5681..035317d8 100644 --- a/Linux/README.md +++ b/Linux/README.md @@ -3,7 +3,7 @@ | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | |------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| | [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | Command-Line Interface | Audio Capture | Automated Exfiltration | Commonly Used Port | -| Bootkit | Setuid and Setgid | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media | +| Bootkit | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media | | [Cron Job](Persistence/Cron_Job.md) | Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Remote File Copy | Scripting | Clipboard Data | Data Encrypted | Connection Proxy | | Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol | | Rc.common | Web Shell | File Deletion | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data from Local System | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol | diff --git a/Mac/Payloads/hello.c b/Mac/Payloads/hello.c index 19833ac7..db599921 100644 --- a/Mac/Payloads/hello.c +++ b/Mac/Payloads/hello.c @@ -1,6 +1,9 @@ #import +#import int main() { + printf("Hello\n"); + sleep(60); printf("Don't run random binaries!\n"); return 0; } diff --git a/Mac/Privilege_Escalation/Setuid_and_Setgid.md b/Mac/Privilege_Escalation/Setuid_and_Setgid.md new file mode 100644 index 00000000..87f9e51b --- /dev/null +++ b/Mac/Privilege_Escalation/Setuid_and_Setgid.md @@ -0,0 +1,11 @@ +# Setuid and Setgid + +MITRE ATT&CK Technique: [T1166](https://attack.mitre.org/wiki/Technique/T1166) + +Navigate to [hello.c](../Payloads/hello.c) + +Input: + make hello + sudo chown root hello + sudo chmod u+s hello + ./hello \ No newline at end of file diff --git a/Mac/README.md b/Mac/README.md index 0f8e544e..569f8c97 100644 --- a/Mac/README.md +++ b/Mac/README.md @@ -7,7 +7,7 @@ | [Create Account](Persistence/Create_Account.md) | Launch Daemon | Code Signing | Credentials in Files | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Browser Extensions | Data Encrypted | Connection Proxy | | Dylib Hijacking | Plist Modification | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Exploitation of Vulnerability | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Logon Scripts | Launchctl | Clipboard Data | Data Transfer Size Limits | Custom Command and Control Protocol | | Hidden Files and Directories | Process Injection | Exploitation of Vulnerability | Input Capture | [Network Share Discovery](Discovery/Network_Share_Discovery.md) | Remote File Copy | Local Job Scheduling | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol | -| LC_LOAD_DYLIB Addition | Setuid and Setgid | File Deletion | [Input Prompt](Credential_Access/Input_Prompt.md) | [Permission Groups Discovery](Discovery/Permissions_Groups_Discovery.md) | Remote Services | Scripting | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding | +| LC_LOAD_DYLIB Addition | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | File Deletion | [Input Prompt](Credential_Access/Input_Prompt.md) | [Permission Groups Discovery](Discovery/Permissions_Groups_Discovery.md) | Remote Services | Scripting | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding | | [Launch Agent](Persistence/Launch_Agent.md) | Startup Items | [Gatekeeper Bypass](Defense_Evasion/Gatekeeper_Bypass.md) | [Keychain](Credential_Access/Keychain.md) | [Process Discovery](Discovery/Process_Discovery.md) | SSH Hijacking | Source | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation | | [Launch Daemon](Persistence/Launch_Daemon.md) | Sudo | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Third-party Software | Space after Filename | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting | | Launchctl | Valid Accounts | Hidden Files and Directories | Private Keys | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | | Third-party Software | Input Capture | Scheduled Transfer | Fallback Channels | From 258d7c83d518b4838bb158126d35f32f573f1db5 Mon Sep 17 00:00:00 2001 From: Dan Bourke Date: Mon, 19 Feb 2018 14:32:10 +1100 Subject: [PATCH 3/3] fix formatting issue --- Linux/Privilege_Escalation/Setuid_and_Setgid.md | 4 ++++ Mac/Privilege_Escalation/Setuid_and_Setgid.md | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/Linux/Privilege_Escalation/Setuid_and_Setgid.md b/Linux/Privilege_Escalation/Setuid_and_Setgid.md index 87f9e51b..e785a5d2 100644 --- a/Linux/Privilege_Escalation/Setuid_and_Setgid.md +++ b/Linux/Privilege_Escalation/Setuid_and_Setgid.md @@ -5,7 +5,11 @@ MITRE ATT&CK Technique: [T1166](https://attack.mitre.org/wiki/Technique/T1166) Navigate to [hello.c](../Payloads/hello.c) Input: + make hello + sudo chown root hello + sudo chmod u+s hello + ./hello \ No newline at end of file diff --git a/Mac/Privilege_Escalation/Setuid_and_Setgid.md b/Mac/Privilege_Escalation/Setuid_and_Setgid.md index 87f9e51b..e785a5d2 100644 --- a/Mac/Privilege_Escalation/Setuid_and_Setgid.md +++ b/Mac/Privilege_Escalation/Setuid_and_Setgid.md @@ -5,7 +5,11 @@ MITRE ATT&CK Technique: [T1166](https://attack.mitre.org/wiki/Technique/T1166) Navigate to [hello.c](../Payloads/hello.c) Input: + make hello + sudo chown root hello + sudo chmod u+s hello + ./hello \ No newline at end of file