Training

Any ol' chump can get from www-data to root with some Linux kernel local privilege escalation expoit - where's the fun in that? It's just not sporting. What sort of monster rocks up to a nest of duck eggs, jams his shotgun in and blasts them with both barrels?

Metlstorm presents a class on unix local privilege escalation from a kinder, gentler era, when people respected filesystem permissions, and the concept of a multi-user OS that provided some actual segregation between users wasn't a tragic joke.

The class will cover the usual range of Unix privilege escalation techniques, with an emphasis on not using off the shelf exploits. Learn to rely on your own skills, a mastery of all things posix, and your trusty shell interpreter. This includes

• File system permissions: 40 years of fail
• Exploiting SUID binaries
• Manipulating process environments
• Abusing shell, perl, python and other sysadmin glue
• Local networking and non-IP sockets
• Password hijinks
• Leveraging treasure you find lying around

And, in order to help you use your newfound skills safely, some discussion of (but not really hands on) unix intrusion:

• Post-intrusion cleanup
• Antiforensics
• Rootkits, Persistence & Hiding in Plain Sight
• Pivoting

The class is designed for people who use and administer Unix systems day-to-day - sysadmins, unix programmers, linux-on-the-desktop users, people with beards - who grok unix, but don't actually go around busting into systems. Making the theoretical practical will help you defend better, as well as coming in real handy next time your coworker does something poorly advised...

If your idea of Unix admin starts with "putty.exe" you're probably not the target audience, unless you accompany it with a goodly amount of rage at being forced to use an XPSP2 corp standard desktop build. Familiarity is assumed with a rootshell, scripting, you'll be able to handle complex shell pipelines, and are not afraid to bust out your awk, xargs, tcpdump or strace.

You'll need a laptop (presumably running unix!) with (working) VirtualBox (or be willing to bodge a vbox vm into your hypervisor of choice) and wireless if you want tubes.

At the end of the class, you should have a good understanding of how people who aren't rolling ben_hawkez.c will priv-esc on your boxen, what to yell at your developers about, and be able to pwn up your fellow sysadmins with considerably more aplomb.

char shellcode[] =
	"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xf7"
	"\x82\xf8\x80\x83\xeb\xfc\xe2\xf4\x0b\xe8\x13\xcd\x1f\x7b\x07\x7f"
	"\x5b\x06\x38\xf4\                               \xcc\xd6\xdc\xa8"
        "\x82\x67\x73\xdf\       Hitchhikers             \x8e\xb3\x0b\xa8"
        "\xf4\xae\x73\x09\             Guide To          \x23\xe4\x7c\xc1"
	"\xb7\x8e\x73\xf0\    Windows Exploit Writing    \xb9\x8c\x14\xd0"
	"\x08\x54\x9e\xd3\                               \xa8\xd6\x07\x50"
	"\x9f\x49\x15\x7c\xcc\xd2\x07\x56\xa8\x0b\x1d\xe6\x76\x6f\xf0\x82"
	"\xa2\xe8\xfa\x7f\x27\xea\x21\x89\x02\x2f\xaf\x7f\x21\xd1\xab\xd3"
	"\xa4\x7d\x2e\x7f\x27\x82\xf8\x80";

char what[] =  
  "Windows shellcode and exploitation techniques. By the end of the   "
  "session you will be able to write exploits for windows 2K,XP,2k3   "
  "This will include stack and heap exploits and bypassing DEP        ";

char requires[] =  
  "Something to load up a few Virtual machines (VMWARE)               "
  "   vmplayer was free last time I checked                           "
  "   Virtual machines will be made available for download prior      ";
  
char prereq[] =
  "Don't worry too much, as you can work in groups anyway, but if you "
  "do have time then have a look at;                                  "
  "                                                                   "
  "immunity debugger,smashing the stack for fun and profit            "
  "msrpcheap.pdf, msrpcheap2.pdf,New-Win32-Exploitation.pdf           "
  "Practical-SEH-exploitation.pdf, DEPLIB.pdf                         "
  " 'uninformed bypass dep'                                           ";

char time[] =  
  "We will probably have around 4 hours, and the approach I will      "
  "take is to learn by doing, so you may not get all the theory       "
  "behind it, but you'll be able to do it and understand what is      "
  "going on.                                                          ";

This is a 3 hour session (so make sure you go to the loo first!), going over the basics of lock picking. Even if you have never seen a lock pick, this session will have you popping locks in no time (and no! this isn't a dancing term).

This is aimed at people who have little or no experience with locks and picking. Seats are limited to 10 - 12 people, so we can all get a chance to have a play (please keep your minds out of the gutter).

I hope to have a few sets of tools for sale (about $15 a set).

Topics I hope to cover:

• basics of how a lock works
• basics of the tools
• opening a door lock
• a play with handcuffs
• other types of locks

and if there is enough time...

• world domination

D.roc is a unix admin who is forced to work with Solaris during the day, and damaged enough to like open BSD at night. He also enjoys country music and long strolls in the park.

Having done a lock picking session at the last two Kiwicons he has decided to offer some training so you have a fighting chance at the Te Kuiti Warrior challenge on Saturday night.