Low-privileged user with UID greater than INT_MAX can run any command in Linux

A low-privileged user account on most Linux operating systems with UID value anything greater than 2147483647 can execute any systemctl command unauthorizedly. cve-2018-19788

Here I have tested this vulnerability with Debian linux.

To verify the INT_MAX value using below command,

root@testing:-# getconf INT_MAX

If it shows 2147483647 value, Next create a normal user account with UID greater than INT_MAX. Then login to that account to run any systemctl command without any super user access.

You can get  a full interactive root access from that user using "systemd-run" command.

Clone a repository with all branch using Bash Script

This bash script will cone a repository with all branch.

Create a new file git_clonerepo.sh and Put the below bash script in that file and make executable using chmod +x git_clonerepo.sh and run it

$ vim git_clonerepo.sh

#!/bin/bash
function repoclone {

        echo -n "Enter the Git repository URL : "
        read  url
        reponame=$(echo $url | awk -F/ '{print $NF}' | sed -e 's/.git$//')
        git clone $url
        cd $reponame
        for branch in $(git branch -a | grep '^\s*remotes' | egrep --invert-match '(:?HEAD|master)$'); do
            git branch --track "${branch##*/}" "$branch"
        done

}

repoclone


$ chmod +x git_clonerepo.sh

$ ./git_clonerepo.sh

Share files and directories using Python SimpleHTTPServer

SimpleHTTPServer module that comes with Python. It provides standard GET and HEAD functions.

It can be used to set up a very basic web server serving files relative to the current directory. You can use this to turn any directory in your system.

Advantage with the built-in HTTP server is that you don't have to install and configure anything. The only thing that you need, is to have Python installed.

To start a HTTP server on port 8888

manivel@manivel ~/webserver $  python -m SimpleHTTPServer 8888
Serving HTTP on 0.0.0.0 port 8888 ...

       -m     ---> module-name
       8888 ---> port  (You can also change the port to something else)

This will now show the files and directories which are in the current working
directory.

Open your favorite browser and type in any of the following addresses:

http://localhost:8888  or  http://127.0.0.1:8888   or   http://ipaddress:8888

If you don't have an index.html file in the directory, then all files and directories will be listed.

Mariadb secure configuration on CentOS 7

For secure your MariaDB by setting up the following,
1. Set up root password
2. Disabling remote root login
3. Removing test database 
4. Removing anonymous users
Finally reload the privileges.



[root@server ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!
 
By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
 
[root@server ~]#

[root@server ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 657
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> 


MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec)

MariaDB [(none)]>

 

Create files and Directory with Single Linux Command

In linux to create a direcotry use mkdir command and to create a file use touch command.

To create a new directory

[sysads@sysads ~]$  mkdir folder

To create a new directory with sub-directories,

[sysads@sysads ~]$  mkdir -p folder_1/folder_11/folder_111

              -p  ----> --parents (no error if existing, make parent directories as needed )


To create a new directory with multiple sub-directories,

[sysads@sysads ~]$  mkdir -p folder_2/{folder_21,folder_22,folder_23,folder_24,folder_25}

To create a new directory with multiple sub-directories and sub-directories with multiple sub-directories,

[sysads@sysads ~]$  mkdir -p folder_3/{folder_31/{folder_311,folder_312},folder_32,folder_33}


To create an n number of folders where the numbers increment

[sysads@sysads ~]$  mkdir -p folder_100/folder_1{01..20}

To create an n number of files with extension (i.e .txt) where the numbers increment

[sysads@sysads ~]$  touch folder_100/file_1{01..20}.txt

Git Basic Commands

Today we will see some useful Git commands,

To check git version
$ git --version

To set config values
$ git config --global user.name "Manivel Rajendran"
$ git config --global user.email "example@gmail.com"
 

To list config values
$ git config --list

 

To reset the config values

$ rm ~/.gitconfig
 

To getting help with git
$ git help config

   Example :
      $ git config --help
      $ git add --help

Initialize the git
   $ git init

To check status of the file
   $ git status

Add files or folder from working area to staging area

        Add a file or folder  
           $ git add file_name

       Add all files or folder
           $ git add -A

Remove files or folder from working area to staging area

       Remove a file or folder
             $ git reset file_name

       Remove all files or folder
             $ git reset


Commit the change with message
   $ git commit -m "Initial Commit"

To view changes between commits
   $ git diff

To view commit log
   $ git log


List, Create, Merge and Delete branches

       To list the branch
           $ git branch

       To list all the branch (Local and Remote)
           $ git branch -a

       To create a branch
           $ git branch branch_name

       To change one branch to another
           $ git checkout branch_name
      
       To merge a branch with current branch
           $ git merge branch_name

       To check everything merged with current branch
           $ git branch --merged

       To delete branch on local
           $ git branch -d branch_name

       To delete branch on Remote
       $ git push origin --delete branch_name
  


Specifies untracked files in .gitignore

    $ vim .gitignore
         *.pyc
        .htaccess
        documents

Clone a repository into a new directory

     Clone from upstream
         $ git clone https://github.com/manivel23/repository.git  .
 
     Clone from local
          $ git clone  ../repository.git  .


Manage set of tracked repositories

       View remote repository info
            $ git remote -v

       To add a remote repository
            $ git remote add staging https://github.com/manivel23/repository.git

Pull and Push
     
      To pull latest commit remote repository to local
      $ git pull origin master

              origin --> name of the remote repository
              master --> name of the remote repostory branch
    
      To push latest commit local to remote
      $ git push origin master
 
      To push all branch local to remote

      $ git push --all origin

         

       To pull latest commit a specific brancha name from remote repository to local
        $ git pull -u orgin specific_branch_name
     
               -u  ---> set-upstream
   
To disable SSL verification

$git config --global http.sslverify "false"

Renew letsencrypt certificate in nginx on Centos

To renew your letsencrypt certificate,

please follow the following steps

First you need to stop the nginx service on centos using the following command

[root@manivel]# service nginx stop
Stopping nginx:                                            [  OK  ]

[root@manivel]#Go to the letsencrypt folder and run the following commands to renew the certificate,


[root@manivel letsencrypt]# ./certbot-auto renew

./certbot-auto renewSaving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/manivel.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for nginx.manivel.com
tls-sni-01 challenge for mail.manivel.com
Waiting for verification...Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/manivel.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/manivel.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@manivel letsencrypt]# 


Start the nginx service using the following command


[root@manivel letsencrypt]# service nginx start 
Startting nginx:                                            [  OK  ]

[root@manivel letsencrypt]#
Now you have successfully renewed your letsencrypt ssl certificate.

Web Application Fingerprinting

Description

First steps when performing a web application penetration test is to find the version of the web server and the web application. The reason for that is, it permits us to discover all the known vulnerabilities that are affecting the web server and the web application. For doing this we will get a lot of information like application name, software version, web server info, OS, and more

How to Test  

There are several way to identify the web server and web application details. here we will use some of them.

HTTP response header to Fingerprint Web Server and Web Application.

It can be perform different way but here we will do with netcat and telnet command. 

We will send an HTTP request by using the HEAD method through  Netcat command

 We will send an HTTP request by using the HEAD method via telnet command

As we can identify from the above HTTP response header,

1. Type of the web server from the Server filed name along with the version.

2. Type of the technology from the X-Powered-By field name along with the version.

3. Web application is running on the web server which is a Ubuntu.

Cookies to Fingerprint Web Application

Another way to determine the web application framework are looking for framework specific cookies.

HTML Source code to fingerprint web application

In some cases the web application framework and version can be discovered through source code inspection. So it is always to look there as well.You can see in the following example that we have discovered the application framework by looking at the comments and footer tag.

File Extensions to fingerprint web application

Some time file extension will disclosure the web application technology.

 

In above post we saw few methods to identify the web server and web application fingerprinting. There are more methods and different tools available to verify the fingerprinting result precisely.

 

Reference:

https://www.owasp.org/index.php/Testing_for_Web_Application_Fingerprint_(OWASP-IG-004)

Export Mysql Database and Table schema without Data

This post i will show you how to dump just the schema of the a mysql database , for a single table, or for several tables.

Database structure for all tables with no data to a file

[root@manivel]# mysqldump -d -u root -p database_name > database_schema.sql



         -d  ---> -d flag to denote that no data should be included in the output.

[root@devops devops]# mysqldump --no-data -u root -p database_name > database_schema.sql

        --no-data --> to denote that no data should be included in the output.

Database structure for one table with no data to a file

[root@manivel]# mysqldump -d -u root -p database_name  table_name> table_schema.sql


Database structure for several table with no data to a file


[root@manivel]# mysqldump -d -u root -p database_name  table_name_1 table_name_2 table_name_3 > multiple_table_schema.sql

Nginx warning - A client request body is buffered to a temporary file /var/cache/nginx/client_temp/

Today I saw a unknown warning error on the Nginx server that it happens when i was trying to upload a file to a website, checking the logs I found this error "A client request body is buffered to a temporary file "

This is my log file:

2018/06/27 12:27:38 [warn] 20230#20230: *743 a client request body is buffered to a temporary file /var/cache/nginx/client_temp/0000000007, client: 10.177.6.42, server: 10.177.6.45, request: "POST /creation/upload/component/9656/video/ HTTP/1.1", host: "10.177.6.45", referrer: "http://10.177.6.45/creation/upload/component/9656/video/"

 

Solution :

 

While investigating this, I found that the size of the uploaded file is larger than memory buffer set for my file uploads.

After that I changed the "client_body_buffer_size" variable value in Nginx configuration file

[root@server ]# vim /etc/nginx/conf.d/default.conf

client_body_buffer_size 100M;

Then restart the nginx service

[root@server ]# service nginx restart
Stopping nginx:                                            [  OK  ]
Starting nginx:                                            [  OK  ]
[root@server]#

My issue is resolved.

Working with Ansible

Consider the following terms while using Ansible.

Control Node
   
 Control host is a machine where we have installed the Ansible. This control host controls all remote nodes.

Managed hosts
    Remote nodes are named as managed hosts.

Inventory file
    This is the default ansible 'hosts' file. It is a collection of nodes with related datas and grouping that ansible can connect and manage.

Prerequisite:


1. Setup ssh key-based authentication. (Ansible is a agent-less tool and use SSH protocol to deploy modules on managed hosts.)

2. Install python on managed hosts

Setup ssh key-based authentication

Generate ssh key

copy ssh key file to managed hosts

checking auto login from control node to remote nodes.

Adding managed hosts in Inventory file

[root@sysads ~]# vim /etc/ansible/hosts

[servers]

10.177.6.249

Testing with ansible modules

Session Expired, Please login again when using Adminer

I was trying to access the database using adminer.php but I could not able to login, even though I filled in the correct credentials.

The log file gave me the exact issue.

[root@beta-server ]# cat /var/log/nginx/error.log

[error] 24318#24318: *46 FastCGI sent in stderr: "PHP message: PHP Warning:  Unknown: open(/var/lib/php/session/sess_0c6qn562knk0fm7vkil358kr80, O_RDWR) failed: Permission denied (13) in Unknown on line 0
PHP message: PHP Warning:  Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session) in Unknown on line 0" while reading upstream, client: 10.130.12.45, server: example.com, request: "GET /?username=root HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fpm.sock:", host: "example.com", referrer: "http://example.com/?username=root"

Solution

These errors occur because PHP has no way of saving sessions on disk.

The location of the PHP session path can be found in "/etc/php.ini" under session.save_path. The default path is /var/lib/php/session. If this directory does not exist, then create it and change permissions on it.

[root@beta-server ]# chmod -R 700 /var/lib/php/session
[root@beta-server ]# chown nginx.nginx -R /var/lib/php/session

After all these changes, i can able to login successfully.

Install Ansible on Ubuntu 16.04

Ansible is a IT automation, configuration management tool to manage the infrastructure. For more information click here
 
For installing Ansible you have to configure PPA on your machine.For this,you have to run the following commands

root@manivel:~# apt-add-repository ppa:ansible/ansible

 Ansible is a radically simple IT automation platform that makes your applications and systems easier to deploy. Avoid writing scripts or custom code to deploy and update your applications— automate in a language that approaches plain English, using SSH, with no agents to install on remote systems.

http://ansible.com/
 More info: https://launchpad.net/~ansible/+archive/ubuntu/ansible
Press [ENTER] to continue or ctrl-c to cancel adding it

gpg: keyring `/tmp/tmp7y79v8_4/secring.gpg' created
gpg: keyring `/tmp/tmp7y79v8_4/pubring.gpg' created
gpg: requesting key 7BB9C367 from hkp server keyserver.ubuntu.com
gpg: /tmp/tmp7y79v8_4/trustdb.gpg: trustdb created
gpg: key 7BB9C367: public key "Launchpad PPA for Ansible, Inc." imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
OK


root@manivel:~# apt-get update

root@manivel:~# apt-get install ansible


For checking Ansible version you have to run the following command

root@manivel:~# ansible --version

ansible 2.5.4
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/manivel/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.12 (default, Nov 20 2017, 18:23:56) [GCC 5.4.0 20160609]

Open a .vmdk file in VirtualBox

Let see here how to open a .vmdk file in VirtualBox.

First Open the VirtualBox application and click  "NEW" button to create new virtual machine.

Choose a descriptive name of the new virtual machine and  Select the type of operating system.
Then click "Next".

Select the amount of RAM memory and Click "Next".

This step you have to choose below things,
1. Choose "use an existing virtual hard disk file"
2.  Choose a virtual hard disk file

Choose a .vmdk file and click open.

Click "Create" button

Now you can see that your .vmdk file imported successfully on VirtualBox.

compgen Command on Linux

This command will list all available commands on Linux.

To list all the commands 

manivel ~ # compgen -c 

If you want to count the total available commands on linux,  type below command

manivel ~ # compgen -c | wc -l
4031

To list all the bash aliases 

manivel ~ # compgen -a 

To list all the bash built-ins

manivel ~ # compgen -b 

To list all the keywords

manivel ~ # compgen -k 

To list all the bash functions

manivel ~ # compgen -A function

bind(): No such file or directory [core/socket.c line 230]

I configured uwsgi with nginx and got the following error


 


Solution :


Later i found socket parameter of uwsgi doesn't exists. So, I have created the following folder as per the uwsgi configuration.



[root@localhost]# mkdir /var/run/uwsgi


After i restart the uwsgi and it is working fine.


(venv)[root@localhost ]# uwsgi --ini uwsgi.ini

Format USB Drive in Linux

Insert usb drive into your laptop or machine and follow the steps to format

Step1  : Identify the usb drive

manivel ~ # df -h

Step2 : umount the usb drive

manivel ~ # umount /dev/sdb

Step3: Recheck the usb drive whether umount or not

manivel ~ # df -h | grep /dev/sdb

Step4: Format the usb drive with vfat filesystem

manivel ~ # mkfs.vfat -n "LAB-9" -I /dev/sdb

-n ----> Volume name
-I ---> device type

In this way you can format the usb drive with different file system methods.

Step5:  Mount the usb drive


manivel ~ # mount /dev/sdb /mnt/manivel_pendrive/


This is the image overall steps covered.