Secure Dose

Saturday 8 September 2018

Poison - Hack The Box

 



Poison was one of the machine in hack the box and got retired few minutes back. It was my first box and took me a bit long to root this for no reason. Why Poison was my first box? Because I had to start with something really easy just because I get some confidence to play. Well, lets get started.

Getting Started:
I initiated with nmaping on the box. Lets find top 10 ports in nmap-services using --top-ports flag.


More other options can be used to determine open and running ports but this is usually I use for quick results.
As can be seen in the above screenshot, port 22 and 80 are open. I quickly went to my browser and this is what I found.


They had already given some filenames which I tried. On trying them, I observed a URL pattern which smells fishy. It was like this, http://10.10.10.84/browse.php?file=ini.php. I was able to view the content of the file. Lets try /../../etc/passwd instead of ini.php


Awesome! Its LFI. Noted. For now lets move on to other files we already know and explore their content.
All the files had some or the other php array but listfiles.php was listing out current directories files which had an interesting file with name pwdbackup.txt.

This password is secure, it's encoded atleast 13 times.. what could go wrong really.. Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0 NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO Ukd4RVdub3dPVU5uUFQwSwo=
This string looks like base64. On decoding the the string 13 times "Charix!2#4%6&8(0" is something I found. This says it all because Charix looks like a username and if you remember, /etc/password had charix as a user on this box but then the question arise, how to login to the system? nmap results says that the box has ssh service. The credentials were correct and here we could successfully login as charix user.

 
Escalating Privilege:
ls command have a file namely 'secret.zip'. While trying to unzip the file, the error was to provide a password to the file. quick google search and got to know that unzip -P file.zip would extract the file contents. Did not work. I downloaded the file using python SimpleHTTPServer.




On trying to unzip and crack this locally, found nothing. But wait, I haven't tried what I already have. Lets try the charix password and yes, it did worked locally. On extracting the strange string did not mean anything. Lets leave this for now.

 

I tried to access /root/root.txt just to make sure I was not having access to it. 
Lets try to gather some information about the system:


FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

There are couple of ways to get this information about FreeBSD Version is using uname -a and strings /boot/kernel/kernel | grep RELEASE commands. I tried to find any public exploit available for this FreeBSD version but nothing interesting found. So, freebsd is better at security and usually it is not that easy to gain other privilege over such BSD systems.
I tried to search for file name with the string 'password' using find / | grep 'password'. Found some interesting files and on analyzing them did not come up with what was required.


Finding some root internal service which can also reveal something good. 
So lets see the running processes which is running on the machine with a ps aux.
We can see some processes running under root privileges. Nothing interesting except a single service, vnc. Yes, this is something I should try to exploit.
 

But wait, this wasn't found in nmap. Why was this even a service running, when it was supposed to be accessible from outside?? On searching more about this, I got to know that it was possible to create an ssh tunnel to any port. 

https://www.cl.cam.ac.uk/research/dtg/attarchive/vnc/sshvnc.html
The above article says VNC to make more secure. but now, how this could be exploited? We have the service internally running as a root. Somehow if we can access vnc would be great as it will give a root access directly. We somehow need to run commands on vnc connecting with vnc. So let us create an ssh connection to vnc which is already running as a root. 

   
We are getting connected as charix and after logging in, nothing happens. It is simply creating a coonection to the port and that is it. After sometime, it struck me that when we are connected as ssh, we are exposing internal services to the host. All it require is a way to access vnc. Do we have something? vncviewer is something which should work. 



It ask for the password. We do have a pass file. On a bit of searching I found that it was possible to provide password from a file. I tried doing the same on the file directly.


As soon as this, a popup with a shell I could see..



I hope you all enjoyed the article. Share it if you liked it.. :)

Saturday 25 August 2018

Celestial - Hack The Box

SPOILER ALERT!!
Celestial was pretty straightforward. It was not as easy as Poison to achieve user access. Though root was pretty easy. Celestial made me do alot of different things and in the process learned alot of new things. This is the advantage of Hack The Box as well as other vulnerable machines and CTF.

Lets Get Started:
The machine was little unstable as sometimes I could not even connect to it and was loosing connection frequently due to some reason. To start, lets nmap to see what are the open ports. Initially for a normal scan, I didn't find anything but after few more scans, I found one open port and below are the results:


As we can see, there is only one port available. After a bit of searching got to know that this is used for nodejs. This is how it looks like when opened up on browser.
  
404? Well I tried to enumerate directories but was showing error i.e no GET request defined for the application but soon this grabbed my attention:

Well, this can be a hint but no. I wondered, how this came up? May be because someone did a mischief? No. It struck me first about expression injection based on this. Soon I realized that there must be some kind of session used. This came up when I refreshed it again. Whenever a new user land on this page, 404 was shown, though it wasn't 404 Error and as soon as refreshed, the application gives session to the user. The session was base64 encoded.

This again looks like a hint. I thought, lets change the use to another use and again encode it with base64 and provide the application, a rough session id by changing the username to admin. No results, so I tried playing with this json and something I came across.
This Error caught my attention. So now we have something related to nodejs serialization. Is there any vulnerability related to serialization in nodejs? Yes! Deserialization to RCE.
Some of the programming languages have serialization function to convert data into an object. There are various reason to serialize something. When a nodejs data is been serialized it looks something like this.
{"rce":"_$$ND_FUNC$$_function (){\n \t [Code] \n }()"}
This can be seen when a function is converted into a serialized format. We already knew that the application is taking a serialized data to it. I tried to run this to know if this works for me before even trying to exploit.




Error!! I tried to change rce in the format to dummy but soon realized that this is the correct format and this is how the application should respond.

Payload
Why not have a serialized format there to make it execute the way we want? Lets run some nodejs based shell. nodejsshell.py can help us with thi.



The payload is ready all you have to do is to place it in the serialize formatted function between  {"rce":"_$$ND_FUNC$$_function (){\n \t [code] \n }"} but will this even work? The answer is NO! If you look at the image where I found a proper payload has () at the end on the function. This is similar to constructors. Function is called itself, placed the payload in the function and base64'd it and sent the request. 




and


It did not took me long to go to Documents to find the user flag but a thing to notice that Documents also had a python script named as script.py which was getting updated every 5mins. It had a single line of code saying, script is running. I remembered it clearly there was an output.txt file there on the user's root folder.

On checking the contents it was printing the output of script.py file. I also recognized that the permissions given to the file was root only.
I wrote a small python script in script.py


Believe me, I was literally waiting for 5mins.


This is enough to make it clear that we could now run anything as root. I even got a reverse shell though by just providing a python based reverse shell. To know, what exactly was going on, I thought to check out the logs.


There was this cronjob responsible to execute the script.

I Hope you enjoyed the article. Please share and comment.

Wednesday 3 May 2017

Hands on Eternalblue, Doublepulsar and Patch

I know, I am writing after a quite long time but I had to!
Eternalblue and Doublepulsar are the exploits by NSA which were leaked by Shadow Brokers. These leaks are known to be a big Cyber Chaos after Stuxnet.
I though to dive into it.

Setting up the environment:
Here is a piece of the orignal exploit by two researchers, Pablo Gonzalez and Sheila Berta from ElevenPaths for the msf implementation.
You can clone it from here
https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit/
I assume that you are aware about the how's and do's of msf.
Download and place the exploit file into it.
/usr/share/metaplsoit-framework/modules/exploit/windows/smb/
Search for eternalblue and use it on msfconsole.
In the options, give the path to the dependencies for both eternalblue, doublepulsar and also fulfill rest of the options.Make sure you are giving correct TARGETARCHITECTURE value and PROCESSINJECT value. 

This may give you an error for wine. Simply run wine foo.exe and it will create a .wine folder to your root directory.
Run again and it should successfully run. 


It is not really necessary to set value for LHOST unless you have networks constrains.
I have got access to the win7 machine.

What it does?
It actually uses the original binary present in the leak using wine.
You can find this on Ln 105 and 114 


Not so deep but just an overview that the orignal binary, exploits the SMB protocol and have Windows Kernel exploit and then:
  • DLL Injection
  • Process Injection
You need to have a persistence access so that on every startup it then just require a multi handler and no exploiting again, and again each time you want to access.

Exploitation Scope: 
  • Windows XP(all service pack)(x86)(x64)
  • Windows Server 2003 SP0/1/2(x86)
  • Windows Vista(x86)(x64)
  • Windows Server 2008(x86)
  • Windows Server 2008 R2(x86)(x64)
  • Windows 7(all service pack)(x86)(x64)

Reliable?
These exploits aren't reliable for win7 as well as win server 2k8 R2 as it doesn't always exploit it but does affect the server in some or the other way. 
Following are the behaviors:
  • Unexpected Shutdown
  • BSOD
  • Reboot
  • Hangs up
  • Errors poping up
So if these are the issues you are facing since 3-4 days, you probably being attacked using these "public" 0days.

What did I see?
Lots of errors and critical issues the system was facing.
Let me share:


There were lots of Criticals, Errors and Warnings.
Ok, on analysing these errors you may get a good idea on how these exploits work! :)

If you are interested to dive into few of them following are the links where you can understand it more deeply
https://answers.microsoft.com/en-us/windows/forum/windows8_1-security/custom-dynamic-link-libraries-are-being-loaded-for/912df301-9adc-4a07-8fff-5edd50e9d64b
https://community.spiceworks.com/windows_event/show/1844-microsoft-windows-wininit-11#windows_event_comment_1857
Patch Available?
MS17-010 for Eternalblue and I think MS16-123 for Doublepulsar.


For Eternalblue if you are not interested to have ms17-010, you can disable the SMBv1,2,3 protocol by the following PowerShell Commands.
For SMBv1 Client:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
For SMBv2,3:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled
Share if you liked it. :)

Sunday 22 May 2016

Penetration Testing and Its Methodology


Following is the video about Penetration testing and the mythologies used to implement it. 




You can view and download the presentation here


Friday 1 April 2016

InfoSec Positions today!





When we dive into InfoSec, we generally try finding what are the jobs positions, what are their role, etc..
With a small compilation, lets find what all position we have in the filed of Security and what are their roles.
Following is a small list:

Security Engineer:
Security engineers have responsibility for developing effective computing fixes to increase the security of their company's systems and projects. They are in charge of creating innovative ways to solve existing production security issues and must possess an advanced understanding of intrusion detection and prevention protocols.

Security Engineer Tasks:
  • Create test plans which will allow for a proper evaluation of security issues for new hardware and software.
  • Identify security solutions and implement a multi-layered defense to protect the networks.
  • Test new or upgraded hardware and software and implement new technologies.
  • Configure and set up firewalls and intrusion detection systems.
  • Respond to network intrusions and be familiar with performing forensic investigation.
Information Security Engineer:
Large enterprise have employees working in a variety of office locations, job sites, and home environments (through telecommuting). Information security engineers help maintaining integrity of all data communicated and stored through the business enterprise. They maintain  and develop protocols for the safe use, entry, transmission, Transactions, and retrieval of data and software assets at a company.

Information Security Engineer Tasks:

  • Create test plans which will allow for a proper evaluation of security issues for new hardware and software.
  • Identify security solutions and implement a multi-layered defense to protect the networks.
  • Test new or upgraded hardware and software and implement new technologies.
  • Configure and set up firewalls and intrusion detection systems.
  • Respond to network intrusions and be familiar with performing forensic investigation.
Security Consultant/Adviser:
Security Advisers evaluate the existing security to conclude the potential risk of a breach. The consultant develops security policies and procedures that reduces the risk to objects, employees and computer systems. Consultants may also provide evaluations and assessments in collaboration with sales staff for the security business.

Security Consultant Tasks:
  • Develop security design
  • Design security processes and documentation(Policies).
  • Conduct a security test and prepare a report for all the weakness along with their solution and fix.
  • Demonstrate the designed security system. 
Security Analyst:
A security analyst is responsible for maintaining the security and data integrity within the company or an organization. Security analyst have the knowledge about the security information of his company. The security analyst has to even work with the business administration as well as its IT department for communicating flaws and security investments.

Security Analyst Tasks:
  • Responsible for protecting sensitive data
  • Responsible to ensure that nobody can have an unauthorized access to the system or network.
  • Security analyst must plan and document all security information which includes physical and internet security.

*Note:There are lots of position but I haven't covered them all just for the sake of simplicity.

Sunday 8 November 2015

Bug Bounty!!

The Bug Bounty Trends
These days in India there's lot of people into earning money via Bug Bounty..
What actually bug bounty is? An ATM Machine where people get dollars??
Actually no. Lets see what it is actually and why there is more craze about bug bounty especially here in India.




What is Bug Bounty?
Well, bug bounty is a program offered by many companies which are into developing a Web-based or Standalone products to find bugs in it and on submission they verify the bug and based on the seviourity, these companies provide rewards. It is similar to any kind of deal.  It is open to public and anybody can take this program by finding bugs(Generally, Security bugs!) and properly reporting.
You might be thinking that If anybody can take this deal then penetration testers are losing their job then? Actually No they are not.


How it works?
There are procedure, protocols and standards has to be followed by the person taking part in the program for the sake of the companies risk. Not following these protocols can be illegal and may land you into jail and official issues. We will be discussing about it soon.
First lest see what actually companies do to start such a program.

Their bug bounty program is initiated only and only after they test their own application first.
This includes all types of tests like Security testing, Unit testing, Functionality testing, Compliance testing, etc and only after they are fine with it they initiate these programs. The reason is, if they do not do so, their company procedure will increase, also their reputation and trust among their clients reduces. 
Reputation? how? 
If they do not have their own testing team, they are likely to have more critical bugs, easy to find and exploit. This directly strikes the reputation of the company and hence, penetration testers are not losing their job at all.

How they take bug bounty these days?
Most of the bug hunters today are taking their level of skill based on the bug they find in much reputed companies  web-applications. The more reputed the company, the much "pro" they are.
Another thing is, a source of money to again a big population.
There are many out there who actually take this as a learning process.

What is the advantage of bug bounty program?
I would like to highlight the things we learn. 

1)The professionals who have actually participated bug bounty usually have their own blog where they post how did they found bugs. Reading bout such bugs you learn more about how to discovers vulnerabilities. So when we actually participate into this we increase our skill set into Vulnerability Assessment. 
  1. Vulnerability assessment 

2)When we submit bug to them we actually learn how to write a report. A quick search and you can find many ways to write a bug report with a good POC(Proof of Concept) with video and screenshot.
Here you can find why writing good report is important.
  1. Vulnerability assessment
  2. Bug Reporting

3)Interacting in a formal way is another skill you can add to your list. Many of them have skills and are good into VA but their interacting power is not so good hence they lose the bounty program. I have come across few people who find good bugs into reputed companies but they eventually do not get their bug approved just because of the interaction issue.
  1. Vulnerability assessment
  2. Bug Reporting
  3. Communication Skills

4)Companies get to know about your skills and may also hire you. Similar thing happened with me when I was finding something to do in my vacations. I found a bug in a startup's web-application, reported them and I was doing internship withing few weeks. Cool right? 
  1. Vulnerability assessment
  2. Bug Reporting
  3. Communication Skills
  4. Opportunity and Exposure 
5)You can include this into your CV that you participated in such bug bounty programs where you reported vulnerabilities in so and so companies. This makes your CV more attractive and gives a reason to hire you.
  1. Vulnerability assessment
  2. Bug Reporting
  3. Communication Skills
  4. Opportunity and Exposure
  5.  Attractive Portfolio

There are many websites which provide a platform for Hunters and Companies both.
To find some reputed companies program search about them. 
There are many more things which come up to you and you can learn. 
Hope this article helps to know more about bug bounties.  
pic source: bugbounty.att.com

Wednesday 15 July 2015

The Famous Top 10!


Introduction:
The title says it all.
This is a list which has world top 10 vulnerabilities being found on web application.
Every person from the InfoSec community knows about it but as a beginner you should know about it.
In this post we'll check out what are this top 10 list and what is owasp.


OWASP:
OWASP(Open Web Application Security Project) is an open community where security researchers, professionals and security enthusiast from around the globe work together and build an Open Source security tools and project.
Anybody can contribute to it and anybody can create their own projects.
They even have an owasp slack team, where you can ask, join, chat and share files. Join the team @owasp.slack.com
and you can check out it's wiki to owasp.org

 List:
 These are the list of vulnerabilities defined and regularly updated. This is the list you must always have in priority while you test a web application. You can even consider this as a check list to have a eye or decide your vulnerability testing priorities. 


I was speaker at a local security meetup last to last month, where I represented and explained these lists and demonstrated XSS and Injection category. You can find the PDF from the resource section with the title "Breaking Web Application" and here is official list with description - [OWASP TOP 10].  

1. Injection:
Injection is the 1st category of Top OWASP List. Injection are the malicious codes written in between the original code.
Now the question arise, But we don't have access to the code then how it is possible to write such codes?
Answer to this is very simple. You don't need to have any kind of access to the original code. A simple typical way to write code in between the original code is to write where the user inputs are provided but it's not always necessary that only user inputs are the ways to inject malicious codes. There are several other ways like writing the code in the URL itself, into http request headers, into a crafted file which executes as soon it is uploaded, etc. 
There are so many method to inject as mentioned above. We will understand this briefly in later posts.

2. Session Management & Broken Authentication:  
The session management includes the maintenance of the state of entity communicating with it and Authentication is an act to confirm that something communicating with the system is the one who they claim they are.

3. Cross-Site-Scripting
Cross-site-scripting is also known as XSS. This is a generally used as a client side attack which affects the clients visiting the infected websites. This vulnerability can do lot of harm to users like and eventually harm to the site visitors. This actually loads javascript the victims browser which can cause stealing of credentials and identity and much more.

4. Insecure Direct Object reference:
It occurs when a  reference is being unknowingly left open which gives direct access to the internal implementation object. This includes directory access, config files access, etc where an attacker can take advantage of this and can further exploit the system and gain deep access.

5. Security Misconfiguration:
A good security is defined when configuring the firewall, web application, framework, database and servers in a secured manner. For example default configuration and default users and passwords and
Directory listing, extra information exposed, etc. also falls in this category.

6 Sensitive Data Exposure: 
This is a flaw where many of the web applications are vulnerable to. Sensitive data like configuration files, Exposure of internal files sharing in a company or at an enterprise level, and similar scenario. Taking advantage of these sensitive data can cause tragedy to the system.

7. Missing Functional Level Access:
What if you get access to a privilege without being asked? It is like being a student you can still perform actions of your HOD or Principle. Similar there is a website and you know the admin page, now as you visit the page you directly get access to it. This is A7.

8. Cross Site Request Forgery:
Cross Site Request Forgery can be "csrf" too. This is a kind of an attack which uses a web page. When an authenticated user of a vulnerable web application visit the malicious site, an action is automatically performed which is being executed on the user's browser and which act on the vulnerable website. This can change the password of that user. It'll work as if the user itself changed it own settings.

9. Using components with known vulnerabilities: 
The developers when not knowing what libraries, components or packages or plugin they are using, when they get outdated and vulnerable, the developers do not know as they are not "Security freak" as you. ;) They are unaware and bang!!! Somebody takes the advantage who knows the plugin is vulnerable and the developer is pwned. This is where some web apps are compromised.

10. Unvalidated redirects and forwards:
An unintended and unexpected(Developer's perspective) redirect the user to any or similar looking website(probably malicious{phishing page,drive by downloads, etc}). In a nutshell, it uses a parameter to redirect the website to something else. As provided in the sweety curl braces above are the attacks can be exploited. 

Conclusion:
The famous top 10 are one of the most important parameters to have a closer look as they can be considered as a check list while conducting Vulnerability Assessment and Penetration testing.

 
biz.