Thursday, October 25, 2018

Vulnhub: Mr Robot



Hello there, I'm here again with another great vulnhub machine.
This time we'll learn a few basic techniques with the nostalgic Mr Robot Vulnhub machine!

If you would like to see the POC video watch it below. If you don't like spoilers too fast, read on.




Overview: Methodology

The steps to compromise this machine were simple: I started with enumerating directories and services. By using directory fuzzing, we obtained the 1st key as well as a dictionary file which was used to bruteforce passwords. After enumerating and bruteforcing our access to the web application, we obtained access by uploading a reverse shell and accessing our 2nd key for this challenge. Lastly, I proceeded with the privilege escalation phase to obtain the last key.

Set-up: VM Network Settings and IP Assignment

We go to the site and download the image. Verify the checksum and proceed to importing it to our Virtual software of choice. For this exercise, I've used VirtualBox, but you can use any as long they support the .ova extension.

After setting our VM Network Settings to Bridge, we conduct an ifconfig to determine what our network IP/Range is and then we scan our network by range to find the VM with: netdiscover -r [ip/subnet]



Reconnaissance: enumerating and scanning

Once we have the IP Address of our VM, we proceed with the enumeration so we use a few tools for this:

nmap: enumerate ports (80, 443 found to be open)


nikto: look for misconfiguration and low hanging fruits, compromising dirs


dirbuster: maps directories containing juicy data/admin portals, etc.


After looking at nikto and dirbuster results, we don't only found out the server's Wordpress site version but also the admin portal located in: /wp-login.php:





After looking at the robots.txt file, we find our 1st key along with a dictionary file to download:







Looking at the dictionary file, we can see that there are duplicate entries, so we open it with Sublime Text -> Edit -> Permute Lines -> Unique and we obtain a fresh non-duplicate copy. We save it as a new file and proceed with enumerating usernames. Easy process, moving along...

In the /wp-login.php page, we grab the login post parameters with Burp Suite and proceed to brute-force the username with Hydra:


hydra -L [location-of-dictionary-file] -p unknownPassword [ip-address] http-form-post "/wp-login.php:log=^USER^&^pwd=^PASS^:invalid"



We can see that the same username has been found but case sensitive: elliot, Elliot and ELLIOT.

Now that we know the username, we can use wpscan to bruteforce the password with the unique dictionary file we downloaded from the robots.txt file:

sudo wpscan --url 192.168.2.10 --wordlist /home/vicio/Labs/Vulnhubs/MrRobot/fsocity_unique.dic --username ELLIOT


We can see the password obtained for the elliot, ELLIOT or Elliot username.


Access: Using credentials and obtain reverse shell

We enter the credentials obtained with Hydra and WPScan to the WP Portal:





We then navigate to the "Appearance" -> Editor Section and in the right-hand sidebar, we click on the 404 Template. From here, we can upload our own or a custom PHP reverse shell to gain access to the box.  I used the PentestMonkey's reverse shell and changed the settings to fit my needs (IP and port number):



Now, the only thing we need to do is to set up a listener to our machine (in this case on 192.168.2.8 on port 7777) and navigate a non-existing page in Wordpress and we'll get shell access.



We can now spawn a bash shell with Python and proceed to read our next key:


As you can see, even though we obtained access to the box, we still need to access as "robot", the regular user to read its key.  We can see the hashed key but not the key-2-of-3.txt file. As the file name states, the file in which the credentials are stored (robot:c3fcd3d76192....) contains a MD5 password, which needs to be cracked. Our fastest way is to see if it has been cracked already and publicly disclosed in the Crack Station website.


Password has been cracked before so now we have to copy and paste it in our shell to get user access:



Post Exploitation: Privilege Escalation

From here, we do a search for the entire system (find /) for SUID permissions (-perm /u=s) and discard any error messages (stderr) (2>/dev/null) to clean our results.


Here, we can see that nmap has its permissions to be accessed with a regular user, in this case robot user. When we check for its version, it shows 3.81.


By doing a little research on this version, we can see not only that it's outdated but also that interactive mode is enabled on it since it was later removed due to performance issues. We give it a go and sure it executes. We try help and we find the ability to execute commands as root. Please, tell me you're seeing this too!


From here, it's a walk in the park. We just concatenate the key file contents within /root/ and to obtain our last key:


I hope you enjoyed this easy but creative Vulnhub. I might do a POC video later with Mr Robot soundtrack!

!

Sunday, August 5, 2018

VulnHub: Bulldog I

Hey guys, I've been pretty busy but I recompiled a video about this pretty easy VulnHub. I hope you enjoy it.




To make it instructional, it's important to note the following main vulnerabilities in the server:

1. Hashes revealed in source code
2. Easy hashes to guess (already in online database)
3. Webshell prone to OS command execution, allowing reverse shell
4. Master password burried in Binary
5. Allowing sign ins from any location


MORAL:

Never, never, NEVER assume that other people won't find the trails you leave for other developers to find (due to your laziness and malpractices).


Have fun and happy hacking!

Thursday, March 29, 2018

OWASP TOP 10: SSTI

This time we'll talk a little about server-side template injection (SSTI) attacks, when they occur and what to do to mitigate the risk.


Overview

As any other type of injection, SSTI is on the top of the OWASP list threatening web applications in a daily basis.  SSTI is abused when directives are injected to a user input which is unsafely embedded to a template. The effect can be catastrophic, especially when remote code execution (RCE) is possible.

POC
In the following short video, we can see how a server-side template injection occurs in a Flask with Jinja template engine. The POC is made inside of a CTF challenge so only the flag is shown and no RCE is allowed. In real-life systems, other data may be exposed which would endanger the company's assets.

 

Mitigation
The risk of accepting template directives causing a server-side template injection attack can be mitigated by rendering templates within a sandbox environment, protect user input fields by preventing the creation of templates from them and checking the documentation of the template engine for specific patches/advise in how to harden that engine.


Sources:
https://nvisium.com/resources/blog/2015/12/07/injecting-flask.html
https://portswigger.net/kb/issues/00101080_server-side-template-injection 
http://flask.pocoo.org/docs/0.12/templating/
       

Tuesday, March 27, 2018

Binary Exploitation Basics - Int Limits & Buffer Overflow

It's been a while. I've been practicing and delving more into the CTF world. Hacking capture the flag events help you not only to understand different areas in cyber security but also to think outside of the box. Lately, I've been blessed to find some easy CTFs to understand basics of binary exploitation; a subject that can be cumbersome for many, including myself.  I hope that, with this video Blog, you can understand the very basics of C integer limits and buffer overflow residing in the gets function of a C program.

Let's start.

Binary 1: C Integer Range Limitations

In the first program, accumulator.c, we are looking at an int variable ('n') being assigned to user's input, but it only allows us to have access to the (secret) flag if the variable is negative.  The problem is that it doesn't let us enter negative values.  If we enter a "too high" value, it also fails to give us the flag.

The secret I found here was to understand the limits of signed integers in a C program. As you can see in the table below, the maximum range in which an signed integer can go is 2147483647. If we enter that value, and then add one to it, the variable will go out of range causing the program to give us the minimum value of int, which is –2147483647 –1 and that will be placed into the variable giving us the flag.







Binary 2: Buffer Overflow in 'gets()' function

In this challenge we have to use a disassembler (such as gdb or objdump) to see which functions are used in the program to give/retrieve data. After a little time examining the main() function, we can see that the C program is retrieving data using the gets() function instead of fgets(). By doing a little Google search, it appears to be a common issue which leads to a buffer overflow.

By running a one liner in python we are overflowing the buffer with 500 A's, causing a segmentation fault; and because gets() does not check for bounds in the buffer, it simply gives us all the data available in the array, including the flag.


There is a simple fix for this. By using fgets() to read data, instead of gets().

I hope you enjoyed this video and learned a few things just like I did. Cheers!