Training

Training registration has closed.

Title: Bareback Unix Privesc: Who Needs Kernel Ohday?
Abstract:

Any ol' chump can get from www-data to root with some Linux kernel local privilege escalation exploit - where's the fun in that? It's just not sporting. What sort of monster rocks up to a nest of duck eggs, jams his shotgun in and blasts them with both barrels?

Metlstorm presents a class on unix local privilege escalation from a kinder, gentler era, when people respected filesystem permissions, and the concept of a multi-user OS that provided some actual segregation between users wasn't a tragic joke.

The class will cover the usual range of Unix privilege escalation techniques, with an emphasis on not using off the shelf exploits. Learn to rely on your own skills, a mastery of all things POSIX, and your trusty shell interpreter. This includes:

  • File system permissions: 40 years of fail
  • Exploiting SUID binaries
  • Manipulating process environments
  • Abusing shell, perl, python and other sysadmin glue
  • Local networking and non-IP sockets
  • Password hijinks
  • Leveraging treasure you find lying around

And, in order to help you use your newfound skills safely, some discussion of (but not really hands on) unix intrusion:

  • Post-intrusion cleanup
  • Antiforensics
  • Rootkits, Persistence & Hiding in Plain Sight
  • Pivoting

The class is designed for people who use and administer Unix systems day-to-day - sysadmins, unix programmers, linux-on-the-desktop users, people with beards - who grok unix, but don't actually go around busting into systems. Making the theoretical practical will help you defend better, as well as coming in real handy next time your coworker does something poorly advised...

If your idea of Unix admin starts with "putty.exe" you're probably not the target audience, unless you accompany it with a goodly amount of rage at being forced to use an XPSP2 corp standard desktop build. Familiarity with a root shell and scripting is assumed: you'll be able to handle complex shell pipelines, and are not afraid to bust out your awk, xargs, tcpdump or strace.

You'll need a laptop (presumably running unix!) with (working) VirtualBox (or be willing to bodge a vbox vm into your hypervisor of choice) and wireless if you want tubes.

At the end of the class, you should have a good understanding of how people who aren't rolling ben_hawkez.c will priv-esc on your boxen, what to yell at your developers about, and be able to pwn up your fellow sysadmins with considerably more aplomb.

Location: Fri 26 0900 @ BNZHQ1
Duration: 180 mins
Name: Metlstorm
Origin: Wellington, New Zealand
Bio: Metlstorm is a cashed up, card carrying whitehat sellout, writing up customers for ICMP timestamping and SSLv2 like Qualys told him to. When he's not faffing with his word templates, he spouts poorly thought through faux-pinions on the risky.biz podcast, and organises (largely by sulking about off topic posts on #kiwicon) the second best hacker con in New Zealand. Don't let the beard fool you - he loves Windows, and heartily endorses products made by Computer Associates. Metl has bored previous Kiwicons, Ruxcons, Syscan, a Defcon and a Blackhat, pottered around a few networks (including yours) and in his spare time stuffs his face with pies and griefbacon. Metl aspires to work for EDS in an audit and compliance role, so recruiters, please contact him IMMEDIATELY.
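The PATH-hijack class of bug that the "Manipulating process environments" and "Abusing shell, perl, python and other sysadmin glue" bullets above point at, shown as an added example written for this page (it is not part of Metlstorm's course material). Nothing in it needs root: the throwaway backup.sh stands in for a privileged admin script reached through a setuid wrapper or a sudoers rule, and every file it creates (backup.sh, backup-fixed.sh, the evil/ls stub) is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: PATH hijacking of a privileged wrapper script, beside the
# hardened version. All scripts and paths below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Victim: sysadmin glue that runs "ls" by bare name and trusts whatever PATH
# the caller exported. Stand-in for a script launched by a setuid C wrapper
# via system(), or by a sudoers rule without env_reset/secure_path.
cat >"$WORK/backup.sh" <<'EOF'
#!/bin/sh
ls /
EOF
chmod +x "$WORK/backup.sh"

# Hardened version: pin PATH to known-good directories and call the binary
# by absolute path, so the caller's environment cannot redirect the lookup.
cat >"$WORK/backup-fixed.sh" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
/bin/ls /
EOF
chmod +x "$WORK/backup-fixed.sh"

# Attacker's "ls": a writable directory the attacker prepends to PATH.
# In a real attack this would spawn a root shell or drop a setuid copy of sh.
mkdir "$WORK/evil"
cat >"$WORK/evil/ls" <<'EOF'
#!/bin/sh
echo HIJACKED
EOF
chmod +x "$WORK/evil/ls"

# Run one of the scripts with the attacker's directory first in PATH and
# return the first line it prints.
run_with_hijacked_path() {
    PATH="$WORK/evil:$PATH" "$WORK/$1" | head -n 1
}

echo "vulnerable: $(run_with_hijacked_path backup.sh)"
echo "fixed:      $(run_with_hijacked_path backup-fixed.sh)"
```

The vulnerable script prints HIJACKED because the shell resolves a bare `ls` through the inherited PATH and the attacker's directory is searched first; the fixed one prints the real listing of `/`. When the privileged command is reached through sudo, `env_reset` and `secure_path` in sudoers do the same pinning for you. Note that Linux ignores the setuid bit on interpreted scripts and the dynamic loader strips LD_PRELOAD and friends for setuid processes, but PATH and IFS are passed through untouched, which is why a setuid C wrapper that calls `system("backup.sh")` is the classic way this bug becomes a root shell.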

Title: So you wish you could read all the shellcode?
Abstract:
char shellcode[] =
	"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xf7"
	"\x82\xf8\x80\x83\xeb\xfc\xe2\xf4\x0b\xe8\x13\xcd\x1f\x7b\x07\x7f"
	"\x5b\x06\x38\xf4\                               \xcc\xd6\xdc\xa8"
	"\x82\x67\x73\xdf\       Hitchhikers             \x8e\xb3\x0b\xa8"
	"\xf4\xae\x73\x09\             Guide To          \x23\xe4\x7c\xc1"
	"\xb7\x8e\x73\xf0\    Windows Exploit Writing    \xb9\x8c\x14\xd0"
	"\x08\x54\x9e\xd3\                               \xa8\xd6\x07\x50"
	"\x9f\x49\x15\x7c\xcc\xd2\x07\x56\xa8\x0b\x1d\xe6\x76\x6f\xf0\x82"
	"\xa2\xe8\xfa\x7f\x27\xea\x21\x89\x02\x2f\xaf\x7f\x21\xd1\xab\xd3"
	"\xa4\x7d\x2e\x7f\x27\x82\xf8\x80";

char what[] =  
  "Windows shellcode and exploitation techniques. By the end of the   "
  "session you will be able to write exploits for Windows 2K, XP, 2k3."
  "This will include stack and heap exploits and bypassing DEP.       ";

char requires[] =  
  "Something to load up a few Virtual machines (VMWARE)               "
  "   vmplayer was free last time I checked                           "
  "   Virtual machines will be made available for download prior      ";
  
char prereq[] =
  "Don't worry too much, as you can work in groups anyway, but if you "
  "do have time then have a look at;                                  "
  "                                                                   "
  "Immunity Debugger, Smashing the Stack for Fun and Profit           "
  "msrpcheap.pdf, msrpcheap2.pdf, New-Win32-Exploitation.pdf          "
  "Practical-SEH-exploitation.pdf, DEPLIB.pdf                         "
  " 'uninformed bypass dep'                                           ";

char time[] =  
  "We will probably have around 4 hours, and the approach I will      "
  "take is to learn by doing, so you may not get all the theory       "
  "behind it, but you'll be able to do it and understand what is      "
  "going on.                                                          ";
Location: Fri 26 1300 @ BNZHQ1
Duration: 240 mins
Name: Brett Moore
Origin: Auckland, New Zealand
Bio: New Zealand's very own security pinup, Brett "Remote Code Execution" Moore has walked the mean streets of these savage lands for over a decade. Shatter attacks? Brett Moore. Heap freelist technique? Brett Moore. Cradling his head in his hands against the back wall of the Defcon stage so he didn't barf on the lectern during his talk? Brett Moore.

Title: Learn to Pop Your Locks
Abstract:

This is a 3 hour session (so make sure you go to the loo first!), going over the basics of lock picking. Even if you have never seen a lock pick, this session will have you popping locks in no time (and no! this isn't a dancing term).

This is aimed at people who have little or no experience with locks and picking. Seats are limited to 10 - 12 people, so we can all get a chance to have a play (please keep your minds out of the gutter).

I hope to have a few sets of tools for sale (about $15 a set).

Topics I hope to cover:

  • basics of how a lock works
  • basics of the tools
  • opening a door lock
  • a play with handcuffs
  • other types of locks

and if there is enough time...

  • world domination
Location: Fri 26 1400 @ BNZHQ2
Duration: 180 mins
Name: D.Roc (aka Derek Robson)
Origin: Wellington, New Zealand
Bio:

D.roc is a unix admin who is forced to work with Solaris during the day, and damaged enough to like OpenBSD at night. He also enjoys country music and long strolls in the park.

Having done a lock picking session at the last two Kiwicons he has decided to offer some training so you have a fighting chance at the Te Kuiti Warrior challenge on Saturday night.