mufeedvh / moonwalk

Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps.

License: MIT License

Rust 100.00%
cve exploit exploitation infosec infosectools linux privilege-escalation red-teaming redteam redteam-tools security security-tools

moonwalk's Introduction

i make. i break. computer witchcraft at stition.ai.


reach out:

mufeed [at] stition [dot] ai

pgp fingerprint:

49B7 4F49 C33A 02A9 7536 257F 45BE E76A 9562 CB5E

moonwalk's People

Contributors

mufeedvh, nalysius

moonwalk's Issues

Does not clear tracks with bash debug traps

moonwalk does not seem to clear tracks in a bash session when it is used in a bash session which contains a trap in DEBUG mode

Steps to reproduce

Put the command logger in ~/.bashrc:

#!/bin/bash
# DEBUG trap, BASH_COMMAND and UID are bash features; sourced from ~/.bashrc
debug_poc() {
  # bash runs this before every simple command; BASH_COMMAND is the command about to run
  echo "$USER($UID:$GROUPS) ran $BASH_COMMAND" >> /tmp/commands.log
}
trap debug_poc DEBUG

And try moonwalk in a bash session:

$ sudo moonwalk start
$ echo "in mw"
$ sudo moonwalk finish

Now let's see if our tracks were cleared:

$ cat /tmp/commands.log
kali(1000:1000) ran sudo moonwalk start
kali(1000:1000) ran echo "in mw"
kali(1000:1000) ran sudo moonwalk finish
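The DEBUG-trap logger from the report above, written out as an added example from the defender's side (this is not code from the moonwalk project or from the reporter): it records a timestamp, uid and working directory for every command and forwards a copy to syslog, so a later local cleanup of history files does not remove the only record. CMDLOG_FILE, CMDLOG_TAG and the cmdlog_* function names are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not moonwalk's code. Log path and syslog tag are assumptions.
CMDLOG_FILE="${CMDLOG_FILE:-/tmp/commands.log}"
CMDLOG_TAG="${CMDLOG_TAG:-cmdlog}"

# Pure formatter (no side effects) so the record layout can be checked on its own.
# $1 timestamp, $2 user, $3 uid, $4 working directory, $5 command text
cmdlog_format() {
  printf '%s %s(%s) pwd=%s cmd=%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Returns 0 when a command should be logged, 1 for the logger's own bookkeeping
# and for empty input, so the hook never records itself.
cmdlog_wanted() {
  case "$1" in
    cmdlog_*|'') return 1 ;;
    *) return 0 ;;
  esac
}

# Trap handler: bash runs it before every simple command, with BASH_COMMAND
# holding the command that is about to execute.
cmdlog_debug_hook() {
  cmdlog_wanted "$BASH_COMMAND" || return 0
  _line=$(cmdlog_format "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-?}" "$UID" "$PWD" "$BASH_COMMAND")
  printf '%s\n' "$_line" >> "$CMDLOG_FILE"
  # Off-host copy: syslog can be forwarded, so wiping local files leaves the record intact.
  if command -v logger >/dev/null 2>&1; then
    logger -t "$CMDLOG_TAG" -- "$_line"
  fi
}

# Install from ~/.bashrc with:  . /path/to/cmdlog.sh && cmdlog_install
cmdlog_install() {
  trap cmdlog_debug_hook DEBUG
}
```

Commands still reach the DEBUG trap whatever the history settings are, which is why the report above sees its three commands in the log after `moonwalk finish`.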

[ENHANCEMENT] - One Moonwalk for clearing traces on all OS

Hello!
Currently I see that moonwalk can be used only on a Linux or Darwin target machine and they seem to be two different executables in the Release section.

Is it possible to have one single executable that is able to identify alone the OS or by an argument provided by the user (i.e., --os linux) and it clears all logs?

And mostly, is it possible to make it compatible with Windows target machines?

Error: Os { code: 2, kind: NotFound, message: "No such file or directory" }

hello.. it seems moonwalk get is broken

$ ./moonwalk start
[INFO] Found /dev/shm/.MOONWALK as world writable.
[INFO] Set /dev/shm/.MOONWALK as the logging directory
[SKIPPED] Logging /var/log/messages requires sudo privileges.
[SKIPPED] Logging /var/log/auth.log requires sudo privileges.
[SKIPPED] Logging /var/log/kern.log requires sudo privileges.
[SKIPPED] Logging /var/log/boot.log requires sudo privileges.
[SKIPPED] Logging /var/log/lighttpd requires sudo privileges.
[SUCCESS] Saved the current log states.

$ /tmp/moon  ./moonwalk get nolog.txt

[>] To restore the access/modify timestamp of this file, use command ↓

$ touch -a -d '2022-10-08 12:33:26.379565377 +0800' -m -d '2022-10-08 12:33:26.379565377 +0800' nolog.txt

$ /tmp/moon  ./moonwalk finish
Error: Os { code: 2, kind: NotFound, message: "No such file or directory" }

crash on finish

I'm seeing this crash on moonwalk finish using the latest:

error: Utf8Error { valid_up_to: 16527, error_len: Some(1) } }', src/core/clear.rs:34:15
stack backtrace:
   0:     0x56158421f44c - std::backtrace_rs::backtrace::libunwind::trace::he79a6b2087577c89
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/../../backtrace/src/backtrace/libunwind.rs:93:5
   1:     0x56158421f44c - std::backtrace_rs::backtrace::trace_unsynchronized::h9277c4233029dddb
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2:     0x56158421f44c - std::sys_common::backtrace::_print_fmt::hbb2b612ef9b02ca8
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/sys_common/backtrace.rs:67:5
   3:     0x56158421f44c - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::hc8c6e5fc9f07659b
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/sys_common/backtrace.rs:46:22
   4:     0x5615841e439c - core::fmt::write::h72801a82c94e6ff1
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/core/src/fmt/mod.rs:1149:17
   5:     0x561584220f1a - std::io::Write::write_fmt::h49956859070326a8
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/io/mod.rs:1660:15
   6:     0x561584220f1a - std::sys_common::backtrace::_print::h7c949d00e447ca1b
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/sys_common/backtrace.rs:49:5
   7:     0x561584220f1a - std::sys_common::backtrace::print::hac5d7b208ff86b2e
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/sys_common/backtrace.rs:36:9
   8:     0x561584220f1a - std::panicking::default_hook::{{closure}}::h2d5b8c951b73433e
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/panicking.rs:211:50
   9:     0x561584220f1a - std::panicking::default_hook::hc1d5a882e94ba293
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/panicking.rs:228:9
  10:     0x561584220f1a - std::panicking::rust_panic_with_hook::hc9dd570d8cf7aba9
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/panicking.rs:606:17
  11:     0x56158422046f - std::panicking::begin_panic_handler::{{closure}}::hf5dee398c82a5cad
  12:     0x56158421fab4 - std::sys_common::backtrace::__rust_end_short_backtrace::hc6e01318a754dc4c
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/sys_common/backtrace.rs:139:18
  13:     0x5615842203ed - rust_begin_unwind
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/panicking.rs:498:5
  14:     0x5615841d9521 - core::panicking::panic_fmt::h7b8580d81fcbbacd
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/core/src/panicking.rs:107:14
  15:     0x5615841d9613 - core::result::unwrap_failed::h885d3f7beb571353
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/core/src/result.rs:1661:5
  16:     0x5615841f4f00 - moonwalk::core::clear::clear_me_from_history::h38035a5b95404389
  17:     0x5615841f9c3c - moonwalk::start::init::h5a36c6e6fc465eb6
  18:     0x5615841eec53 - std::sys_common::backtrace::__rust_begin_short_backtrace::ha39658a6b03ed62d
  19:     0x5615841eec6d - std::rt::lang_start::{{closure}}::h0ef3ca2fc82345bf
  20:     0x56158421eddd - core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &F>::call_once::h6c750193e4920652
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/core/src/ops/function.rs:259:13
  21:     0x56158421eddd - std::panicking::try::do_call::h02274dfcd9faf3ac
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/panicking.rs:406:40
  22:     0x56158421eddd - std::panicking::try::h6804f9d41b571054
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/panicking.rs:370:19
  23:     0x56158421eddd - std::panic::catch_unwind::hd51f6164bf3938ec
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/panic.rs:133:14
  24:     0x56158421eddd - std::rt::lang_start_internal::{{closure}}::h9b7eb891d44cd5c3
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/rt.rs:128:48
  25:     0x56158421eddd - std::panicking::try::do_call::haf8d551523bae443
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/panicking.rs:406:40
  26:     0x56158421eddd - std::panicking::try::h7a438e992ba8b1cc
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/panicking.rs:370:19
  27:     0x56158421eddd - std::panic::catch_unwind::h759691315e97e81b
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/panic.rs:133:14
  28:     0x56158421eddd - std::rt::lang_start_internal::hff5980633344c2a1
                               at /rustc/c5ecc157043ba413568b09292001a4a74b541a4e/library/std/src/rt.rs:128:20
  29:     0x5615841fa0b2 - main
  30:     0x7fb6bd9c2d0a - __libc_start_main
                               at ./csu/../csu/libc-start.c:308:16
  31:     0x5615841dbdda - _start
  32:                0x0 - <unknown>

Does not seem to delete .zsh_history

With the last version, it seems that my .zsh_history was not cleaned as expected

Steps to reproduce

$ #in zsh
$ sudo moonwalk start
$ echo "in moonwalk"
$ sudo moonwalk finish

Then :

$ history # or cat ~/.zsh_history
[...]
 1054  sudo moonwalk start
 1055  echo "in moonwalk"
 1056  sudo moonwalk finish

This is not the expected behaviour, right?

Crash when using start

moonwalk crashes when I try to use the start subcommand (other subcommands also, btw).

I have tried all the installation ways provided in the README; nothing changes.

Here is the output of the command:

$ moonwalk start
thread 'main' panicked at 'failed to execute child process: Os { code: 2, kind: NotFound, message: "No such file or directory" }', src/core/recon.rs:10:10
Aborted (core dumped)
