Hi, I'm Jake LaBelle and my talk today is going to be on finding surrogate chains on a mainframe. So who am I? I'm a security consultant at F-Secure. Technically associate, but that sounds a bit shit. I've been on a couple of mainframe jobs, so not an expert by any means. I'm currently streaming from Basingstoke, UK. Wish I was in Vegas, but what can you do? I was going to put a picture here, but just look to the right and, yeah, there I am.

Before I go into the tool I've created, I'll just do a quick high-level introduction to z/OS, which is the operating system that you find on most mainframes. One of the major differences between Linux, Windows and z/OS is that z/OS has data sets. So for example here it's USER01.REXXLIB, and one thing to know about it is that it's a flat file system. There are no folders, but normally how it works is that you'll have your high-level qualifier, which is normally the owner first, so USER01, and then dot something dot something. You have apostrophes around data sets; this indicates that it's an absolute path. In all of my gator program I have apostrophes around every single data set because it's just easier. You can also have partitioned data sets, where USER01.REXXLIB is the data set but then you can have multiple members in that data set, so for example in this one it would be HELLO. The picture below is just a picture of DSLIST, which shows all the data sets with a high-level qualifier of IBMUSER.

So my program is mostly written in REXX, which is a scripting language like Python. It has a couple of slightly unique functions though.
One of them is ADDRESS, which lets you run a program in another program. So this is running LISTDSD in TSO, and the output of that you can store using something called OUTTRAP, which will put all the output of that TSO command into a stem variable, which is basically an array.

Another language that's used is JCL, which is Job Control Language. It's a batch job, though, so when you submit a JCL it's then run at some point by the mainframe. On the first line of every JCL you have the job card, which has the title of the job and a couple of other parameters. So for example this will notify the user after it's run and it will also store it in the spool. In my program all of the JCLs that I have are embedded inside REXX scripts, so this one for example will queue all of the lines of the JCL, it will then use OUTTRAP to concatenate those lines and then submit them. The reason why I use this in a REXX script is because you can then pass arguments more easily and you can have a more dynamic JCL.

One of the major subsystems on z/OS is OMVS, and it's a Unix subsystem, kind of like WSL, the Windows Subsystem for Linux. However, there's no segregation between the two parts: there's no segregation between TSO and OMVS, TSO being the main part where you log into the mainframe. On TSO you can run OMVS commands and on OMVS you can run TSO commands, so if you have access to one you basically have access to the other. The security of OMVS, so for example what would be /etc/sudoers, is managed by RACF. RACF is the Resource Access Control Facility and this can handle different types of resources, so for example data sets, surrogates, or, as mentioned before, the OMVS resources; so for example superuser would be in there. Each resource has an owner and they have ALTER access, so basically complete access to the resource.
You can also set a UACC, which is how much access that just any random user has to the resource. You can also permit other users to have access. There are four different types of access you can give: EXECUTE, READ, UPDATE and ALTER, and they do what they sound like they do. One other special attribute you can give to a user is SPECIAL. SPECIAL means that you basically have ALTER access to every single resource, which you can think of as being like having root.

One of the main classes in z/OS is SURROGAT, and there are a couple of different types of these. So we have *.SUBMIT, so for example userid.SUBMIT: USER1.SUBMIT would mean that if you had READ access to this you could submit a JCL as USER1. There's also BPX.SRV.userid, so for example BPX.SRV.USER2 means you can run an su command as that user. There's also DFHSTART.userid, and this just means you can run a CICS transaction as that user. I don't use DFHSTART in my program, but maybe in the future.

One thing that you'll find on mainframes is surrogate chains. The reason why these occur is because there are lots of users and no one knows what they're all for. So for example, I was added as a user on a pentest job, and 20 years later someone's probably going to ask who is this Jake character and why does he have access to these things? No one's going to know, and no one's going to delete it because maybe it will break something. That also ties in to the other thing, where mainframes have been running for decades.
It's one of their major selling factors. So the person who added me is probably going to be long gone before the next person even looks at me.

A surrogate chain is where, for example, user one has READ access to a surrogate on user two, and user two has READ access to a surrogate on user three. In this case user one practically has access to everything that user three has. The way you can list what surrogates you have is you can run the command RLIST SURROGAT *. However, RACF has a thing where you can only see the protections on a RACF profile that you have at least READ for, so in this case user one would not be able to see that user two has READ on a surrogate on user three.

The other problem is that *.SUBMIT is a batch job. So let's say you wanted to run a REXX script that ran a JCL from user one as a surrogate on user two, and then from user two ran a JCL to user three. You can't just run that in one program because it's using a JCL, which again is a batch job. What you could do is manually submit reverse shells one at a time. So as user one you'd find out that you had a user two surrogate, then you would submit a reverse shell for user two, then once you're user two you'd list all your surrogates again, and then you would submit a reverse shell for user three. However, this takes a long time and there are a lot of users.
So this might not even be feasible. Another thing you could do is use a user which has READ access to all the resources, so for example a SPECIAL account or an AUDITOR account. Auditors don't really have READ access to these, but they basically do. You could then use this to find all the surrogate chains. The only problem with this is that you're not going to get a SPECIAL account. You're definitely not going to get a SPECIAL account on a pentest, and you probably won't get an AUDITOR account on a pentest either.

So I created a tool. Here's the GitHub link to it, and it allows you to find and exploit surrogate chains. The first thing you do with the tool is you run begin.rex. It gets all the output data sets ready, it gets the Unix file ready, it adds the current user that you're running it from to the path, and it starts go.rex. go.rex gets the path that it is currently at, so on the first run it would just be the original user. If your user has SPECIAL it will just stop, because if you have SPECIAL you've already won. It'll then run plugins.rex, which I'll explain later. It will list all the surrogates that you have READ access to and it checks that those surrogates haven't been visited yet. The reason why I had to add this is because I didn't want to deal with cycles, and this was the quickest and easiest way to deal with that. So you won't actually get the whole surrogate network, I guess, but you will get a chain through them. If it sees that it's a *.SUBMIT resource it will run subm.rex, and if it sees that it's a BPX.SRV.* resource it'll run unixm.rex. subm.rex just submits a JCL as the surrogate user, which then runs gator.rex, so then we'll continue on. unixm.rex is a JCL which just runs gator; it's moved into OMVS by begin.rex to /tmp/unixm and then gator calls it
with BPXBATCH, with which you run OMVS commands in TSO, and then you do su to that target user.

plugins.rex is a list of REXX scripts to run on each user. There are a number of enumeration scripts you can run; I have three set up already. One of them just lists the user, so this will tell you if they have SPECIAL, if they have OPERATIONS, the groups they're connected to, those types of things. I also have one which will just list your access to all of the RACF databases. It's unlikely you'll have anything other than NONE for this, but you might as well test. If you have READ access, it's really good: it lets you unload the database so you can see all the things in the RACF database, really useful. If you have UPDATE or ALTER, then you can just make yourself SPECIAL, and I have a tool to just write yourself in. But yeah, they're very unlikely, but if it does happen you've hit the jackpot. The other one will search all of the APF libraries to see what access you have to those. You can think of APF libraries as kind of like setuid libraries in Unix. It's not really, but if you have UPDATE or ALTER you can get SPECIAL, and there are tools out there to do that.
Oh, and also, if you have any other scripts you want to add, it's fairly extensible: just add your own REXX script in. For example if you have a Linux script that you can use, you can quickly add that to there.

To test that the program was working properly, using an emulated z/OS I created a thousand users, then randomly assigned a couple of operators and a couple of SPECIAL users, added a couple of surrogates of each type to each user, and then ran gator. The test script to generate all of these users is on GitHub as well. So using the output of all the paths that were generated and also the list user command, here you can see: the large squares are operators and the big star is SPECIAL. It shows you all the paths to get to these users. If anyone can think of a better way to show a thousand nodes on a graph then, yeah, that'd be helpful.

I also created a shell macro. So from the user that you ran gator from, you can pick any user that's in the surrogate chain and it runs a shell as that user. It will keep submitting a JCL, continuously passing on how far along in the path to the target it is, and at the end it will submit a CATSO shell, which is like an interpreter. Here's the GitHub link to it, by mainframed. I've also just created a bash script which will quickly upload all the REXX scripts; it's just quick to set that up. And yeah, that's my tool.

I'll do a quick thing on if you want to get into mainframes yourself. Probably the easiest way is with TK4-. It's based on a 1980s mainframe, MVS 3.8j. It runs on a Raspberry Pi, which is pretty cool. Everything's open source and public domain, pretty cool again.
Here's the link to download it and there's a user guide to just get started, and yeah, here's a picture of it. Again, pretty cool. On there you can install two fairly important things. You can get KICKS, which is a CICS clone, and there are Moshix guides; I've put the YouTube link to it. CICS is like web servers before web servers were cool, so you can test your COBOL scripting. BREXX is just a backported thing that lets you run REXX scripts. Again, here's the Moshix guide to get it installed. If you aren't able to get these installed, I have one with these already installed on my GitHub, tk4-base, that's what I called it.

Another tool to get yourself started on mainframes is Hercules. It's Q Public License. It's a mainframe emulator, and it's what TK4- uses to run. Now there is an old version of z/OS, version 1.10, online, but piracy is bad, so yeah, don't do that. But if you do end up getting a z/OS version, this is the GitHub link to mainframes lamps, and yeah, they're pretty good to get started. And there's a Mattermost community that's fairly good to answer any questions. If you want to ask me any questions my username is to DASU, so yeah, drop me a message on there and I'll answer. And that's my talk done. Are there any questions?
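The chain search described in the talk, as an added example that is not code from the talk or from the gator tool. It is a Python model rather than REXX, and every SURROGAT profile, user name and attribute below is constructed test data, not anything from a real RACF database. The one RACF behaviour it imitates is the one the talk relies on: RLIST SURROGAT * only shows profiles the current user holds at least READ on, so the search can only expand edges visible from the user it is currently running as, stops at a SPECIAL user, skips users already visited to avoid cycles, and only follows *.SUBMIT and BPX.SRV.* hops (DFHSTART is listed but ignored, like the tool). It also records whether each hop is a SUBMIT or an su hop, which is what a shell macro replaying the chain would need to know.

```python
"""Model of a surrogate-chain search against constructed RACF-like data.

Added example; not the gator tool's REXX. Names and profiles are made up.
"""
from collections import deque

# Constructed SURROGAT profiles: profile name -> users holding READ on it.
#   userid.SUBMIT   : READ lets you submit JCL as userid
#   BPX.SRV.userid  : READ lets you su to userid
#   DFHSTART.userid : CICS surrogate, listed by RLIST but not followed here
SURROGAT_PROFILES = {
    "USER2.SUBMIT": {"USER1"},
    "BPX.SRV.USER3": {"USER2"},
    "USER4.SUBMIT": {"USER3", "USER9"},
    "USER1.SUBMIT": {"USER4"},        # cycle back to the starting user
    "DFHSTART.USER5": {"USER3"},      # visible but not a hop the search takes
    "USER6.SUBMIT": {"USER5"},        # only reachable through the DFHSTART hop
    "BPX.SRV.USER7": {"USER4"},
    "USER8.SUBMIT": {"USER7"},        # beyond a SPECIAL user; never expanded
}

# Constructed user attributes (what a LISTUSER plugin would report).
USER_ATTRIBUTES = {"USER4": {"OPERATIONS"}, "USER7": {"SPECIAL"}}


def rlist_surrogat(user):
    """Imitates `RLIST SURROGAT *` run as `user`.

    RACF only shows a profile to a user with at least READ on it, so the
    result is that user's view, not the whole SURROGAT class.
    """
    return sorted(p for p, readers in SURROGAT_PROFILES.items() if user in readers)


def target_of(profile):
    """Map a SURROGAT profile to (hop kind, target userid); None if unsupported."""
    if profile.endswith(".SUBMIT"):
        return "SUBMIT", profile[: -len(".SUBMIT")]
    if profile.startswith("BPX.SRV."):
        return "SU", profile[len("BPX.SRV."):]
    return None  # e.g. DFHSTART.userid


def find_chains(start):
    """Breadth-first search over the surrogates visible from each hop.

    Returns {userid: [("START", start), (kind, user), ...]} for every user
    reached. A user is never queued twice (the visited check that avoids
    cycles), and a SPECIAL user is not expanded because at that point the
    search has already won.
    """
    paths = {start: [("START", start)]}
    queue = deque([start])
    while queue:
        user = queue.popleft()
        if "SPECIAL" in USER_ATTRIBUTES.get(user, set()):
            continue
        for profile in rlist_surrogat(user):
            parsed = target_of(profile)
            if parsed is None:
                continue
            kind, target = parsed
            if target in paths:  # already visited: do not follow the cycle
                continue
            paths[target] = paths[user] + [(kind, target)]
            queue.append(target)
    return paths


def special_users_reached(paths):
    """Users in the result that hold SPECIAL, i.e. the chains worth replaying."""
    return sorted(u for u in paths if "SPECIAL" in USER_ATTRIBUTES.get(u, set()))


def describe_chain(paths, target):
    """Render a chain as 'USER1 -SUBMIT-> USER2 -SU-> USER3 ...'."""
    hops = paths[target]
    text = hops[0][1]
    for kind, user in hops[1:]:
        text += f" -{kind}-> {user}"
    return text


if __name__ == "__main__":
    # From USER1 the BPX.SRV.USER3 profile is invisible until we are USER2.
    print("USER1 sees:", rlist_surrogat("USER1"))
    result = find_chains("USER1")
    for user in result:
        print(describe_chain(result, user))
    print("SPECIAL reached via:", special_users_reached(result))
```

Running it shows the point from the talk: USER1 can only see USER2.SUBMIT, so the hop to USER3 is only discovered after moving to USER2, and the cycle back through USER1.SUBMIT is dropped by the visited check rather than followed.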