Hacking Challenge : Reverse/Crack/Exploit SHC v4
intika opened this issue · comments
SHC v4 Hardening Challenge:
With the new experimental hardening features, flags -H -s
or just -H,
which aim to fix all current exploits, the challenge here is to find any new easy exploit.
This is a hacking challenge to reverse, decompile the bash, intercept, crack, or find an exploit
for the purpose of decoding the bash source.
The hardening implementation is not perfect, but I did not find any new easy exploit as before... do you have any idea :D ?
Flag (-s): sets the binary to a single process (needs -H)
Flag (-H): enables the hardening features
How the hardening features work:
- Check the name of the parent process
- Use ptrace to trace itself and lock tracing, as only one process can be the tracer
- Seccomp sandboxing to avoid code injection and/or function calls out of their context
- Improved chromatography for used variables.
Known possible exploits (hard - not tested):
- Injecting code into the parent process to ptrace the child
- Intercepting the decrypted bash variable
- Custom patched kernel
- LD_PRELOAD
- Sandboxing it
Known possible exploits (easy - not tested):
- Custom patched bash shell
Possible protection improvements:
- Piping bash #51
- Use some techniques from https://github.com/jvoisin/pangu
- Lock the binary so that it is only runnable on a single defined machine
THE GAME IS OPEN :D
Note: this challenge only covers the hardening features; otherwise the app is easily exploitable... also you may be interested in the old exploit tool https://github.com/yanncam/UnSHc
Bounty: 100 free licenses for the pro version! hahahhahahahahhahahaha (just kidding indeed)
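To make the three hardening checks listed in the issue concrete, here is an added example in C (Linux only) that is not shc's own code: it does the parent-name check against an assumed allow-list (bash, sh, dash), exercises the ptrace self-trace lock in a forked child (the first PTRACE_TRACEME claims the single tracer slot, so a second one fails with EPERM, and a first one failing means a tracer is already attached), and installs a seccomp-BPF filter that kills the process if it ever calls ptrace(2) again. The allow-list, the choice of ptrace as the denied syscall, and the small x86_64/aarch64/i386 architecture table are assumptions made for this example; shc's real filter and checks are its own.

```c
/* Added example: three hardening checks in the style of the ones listed above.
   Not shc's code; allow-list and denied syscall are example assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Assumed allow-list of parent process names (example assumption). */
static const char *const ALLOWED_PARENTS[] = { "bash", "sh", "dash", NULL };

/* Check 1: parent process name. Reads /proc/<ppid>/comm; 0 on success, -1 on error. */
int read_parent_comm(char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/comm", (int)getppid());
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    if (fgets(buf, (int)len, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

int parent_name_allowed(const char *comm, const char *const *allowed)
{
    for (; *allowed != NULL; allowed++)
        if (strcmp(comm, *allowed) == 0)
            return 1;
    return 0;
}

/* Check 2: ptrace self-trace lock, run in a forked child so the caller stays untraced.
   Returns 0 if the child could claim the tracer slot (and it then locks out a second
   TRACEME with EPERM), 1 if a tracer was already attached, 2 if the lock did not take,
   -1 on fork/wait error. */
int debugger_present(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) != 0)
            _exit(1);                  /* someone is already tracing us */
        /* Parent is now our only possible tracer; a second TRACEME must fail. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1 && errno == EPERM)
            _exit(0);
        _exit(2);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Check 3: seccomp-BPF filter that kills the process on any ptrace(2) call. */
static int install_ptrace_deny_filter(void)
{
    struct sock_filter filter[] = {
        /* kill if the syscall ABI is not the one this binary was built for */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* kill on ptrace(2), allow everything else */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ptrace, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)   /* required for unprivileged filters */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0 ? -1 : 0;
}

/* Forks a child that installs the filter and then calls ptrace(). Returns the signal
   that killed the child (SIGSYS expected), 0 if it survived, -1 on error. */
int seccomp_blocks_ptrace(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_ptrace_deny_filter() != 0)
            _exit(2);
        ptrace(PTRACE_TRACEME, 0, NULL, NULL); /* the filter kills us here */
        _exit(0);                              /* only reached if the filter did not apply */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    char comm[64] = "?";
    read_parent_comm(comm, sizeof comm);
    printf("parent comm: %s, allowed: %d\n", comm, parent_name_allowed(comm, ALLOWED_PARENTS));
    printf("debugger present: %d\n", debugger_present());
    printf("ptrace caller killed with signal %d (SIGSYS is %d)\n", seccomp_blocks_ptrace(), SIGSYS);
    return 0;
}
```

Two caveats worth keeping in mind when reading the checks: /proc/<pid>/comm is whatever the caller set with prctl(PR_SET_NAME) or whatever name it was exec'd under, so the parent-name check raises the bar only slightly; and the seccomp filter is only as good as its syscall list and the architecture check, since on x86_64 the 32-bit and x32 ABIs use different syscall numbers and a filter without the arch test can be bypassed that way.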
@intika I just forked it in Rust. Please hack it, haha.
Currently it's a very simple one.
https://github.com/chenyukang/rshc