Watched a hacking tutorial, followed the steps and pwnd every host in your VirtualBox lab.
Felt like a blackhat, started an engagement in real life, and it went like the Titanic.
Want to see some (un)common defences and a way to bypass them?
During this talk you'll follow the path from no access to checkmating the king, dodging and getting past unexpected pitfalls using well-known and maybe less-known tricks and tools.
Pentesting an unfriendly environment: bypassing (un)common defences and mate the king
1. Sandro "guly" Zaccarini
PENTESTING AN UNFRIENDLY ENVIRONMENT: BYPASSING (UN)COMMON DEFENCES AND MATE THE KING
some visibility to the sponsors of course
2. once upon a time in a high school
1995, dade murphy used his hacking skills to seduce kate libby
3. looking for help to learn
▸ caught up in excitement, a decision was taken:
▸ have to learn to hack
▸ ...must ask for mentorship from that weirdy^Wquirky guy who lives in the CLI
sure we can do the same! we just have to learn operating systems from the inside, a couple of scripting languages, C and assembly, follow a bunch of people on twitter/youtube/facebook/linkedin, and of course reddit/netsec is gold. and we should also follow 245 blogs...
6. brain overflow
▸ too much work, not enough time
▸ lazyweb to the rescue: !google hacking tutorials
7. ▸ HOWTO hack with^W^Winstall Kali Linux
▸ MSSQL penetration testing using nmap
▸ From PHP local file inclusion to RCE
▸ Windows Hacking (a.k.a. MS08-067 / psexec with Local Admin)
▸ From directory listing to uid 0
easy peasy
10. whoami
▸ Sandro "guly" Zaccarini
▸ proud father
▸ martial&security artist
▸ wine&food taster
▸ @theguly
▸ happy to build and secure
▸ hungry to break
▸ born purple
11. of course everything seen in real life is protected by NDA, no really-real stuff will be shown
14. let's start
▸ full scope pentest
▸ OSINT, then nmap all the things
▸ found some websites, an Exchange and nothing more:
▸ https://www.bigcorp.it
▸ http://timesheet.bigcorp.it:8080
verify /manager/html
dig!
16. tutes chapter 1
▸ website: dirbuster, wfuzz, CMSmap, shell upload, pwn
▸ bruteforce is slow, and this looks like a custom website
▸ won't find anything, not even forgotten backups
▸ tomcat: upload bypass, weak credentials
▸ ./msfconsole, use, set, exploit, pwn
"dirbuster" in background, because it's cheap, and move to tomcat
17. tomcat manager 02
▸ see video at https://www.youtube.com/watch?v=YMfK_xq2iAc
18. our tool of choice: reGeorg
▸ all we could use was 8080/tcp inbound: let's proxy it
▸ The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
▸ https://github.com/sensepost/reGeorg
24. tutes chapter 2 - linux privesc
▸ ./linux-priv-esc.sh && ./LinEnum.sh
▸ lots of *possible* kernel exploits
▸ sudo/sudoedit local root
▸ ...and many more
▸ ...but we heard about that somethingc0w universal root
25. easy root
▸ after a quick search/edit in the dirtycow exploit list:
for example, the exploit at #3 backs up passwd to /usr/bin/passwd.bak
what happens if you run it twice? :)
26. confirm the reason for the oops
▸ we have a clue about that tomcat oops:
again, this is a simplification. of course the network is filtered on the gateway and not just here with iptables
27. local file inclusion
▸ crawling, found what looks like the backup of a website:
very easy local file inclusion, let's pwn the webserver!
28. tutes chapter 3 - PHP+LFI+RCE
▸ ?page=/proc/self/environ
▸ include(/proc/self/environ): failed to open stream: Permission denied
▸ ?page=/var/log/httpd/access_log
▸ include(/var/log/httpd/access_log): failed to open stream: Permission denied
▸ ?page=/var/lib/php/session/sess_ID
▸ are you sure you can write arbitrary data to sessions?
▸ upload and ?page=/tmp/`mkstemp`
▸ if you can upload there is a race to win, if you can't there's no race at all
▸ ?page=expect://ls
▸ include(): Unable to find the wrapper "expect"
▸ ?page=php://input data:// etc
▸ allow_url_include anyone? :)
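Every one of the attempts on this slide leaves a trace in the web server's access log, which is where a defender catches them even when the include itself fails. The following is an added example, not code from the talk: a small detector that pulls the `page` parameter out of Apache combined-format log lines and flags stream wrappers, traversal, absolute system paths, remote URLs and null bytes. The log lines are constructed sample data, and the parameter name `page` is taken from the slide; the log format and the prefix lists are assumptions you would tune to your own application.

```python
"""Flag LFI/RFI probes against a PHP include() parameter in Apache access logs.

Added example, not from the talk. Log format: Apache "combined".
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# client, ident, user, [timestamp], "METHOD target protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Stream wrappers that turn include() into code execution or read non-PHP data.
RISKY_WRAPPERS = ("php://", "expect://", "data:", "phar://", "zip://", "file://")

# Locations probed to poison an include: process environment, logs, PHP sessions, uploads.
RISKY_PATH_PREFIXES = ("/proc/", "/var/log/", "/var/lib/php/", "/tmp/", "/etc/")


def classify_page_value(value):
    """Return why `value` looks like an LFI/RFI probe, or None if it looks benign."""
    # parse_qs already decoded once; decode again to catch double URL-encoding.
    decoded = unquote(unquote(value)).lower()
    if "\x00" in decoded:
        return "null-byte truncation"
    if decoded.startswith(RISKY_WRAPPERS):
        return "stream wrapper"
    if "../" in decoded or "..\\" in decoded:
        return "directory traversal"
    if decoded.startswith(RISKY_PATH_PREFIXES):
        return "absolute system path"
    if decoded.startswith(("http://", "https://", "ftp://")):
        return "remote include"
    return None


def scan_log(lines, param="page"):
    """Return (client_ip, raw_value, reason) for every request whose `param` looks hostile."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            reason = classify_page_value(value)
            if reason:
                hits.append((m.group("ip"), value, reason))
    return hits


# Constructed sample log lines (not from the talk).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2018:10:00:01 +0100] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Mar/2018:10:00:02 +0100] "GET /index.php?page=/proc/self/environ HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Mar/2018:10:00:03 +0100] "GET /index.php?page=expect://ls HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Mar/2018:10:00:04 +0100] "GET /index.php?page=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Mar/2018:10:00:05 +0100] "GET /index.php?page=php://input HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Mar/2018:10:00:06 +0100] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, value, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{value}")
```

Note that the status code is deliberately ignored: the slide shows that most of these probes answer 200 with a PHP warning in the body, so a detector keyed on 4xx/5xx would miss them.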
29. local file inclusion oops...
▸ rules of thumb: YMMV
▸ PHP LFI to RCE is more difficult nowadays
▸ chain bugs and business logic, there is (almost) always a path to RCE
31. back to the plan
▸ now, back to the plan: there is possible low-hanging fruit
▸ what has been pwnd:
▸ bastion host (root dance here)
▸ webapp
▸ mysql database
▸ tutes say: Responder.py FTW!
once you have a foot on a network, tutorials say that Responder is the way to domain admin. let's go!
34. tutes chapter 5
▸ and nobody should be LA if not really needed...(ok, ok :) )
▸ but: our server is in a DMZ and we don't have any access to smb/wmi in the LAN
▸ and we shouldn't even see any useful traffic
35. back to the plan[2]
▸ what we have:
▸ an Exchange
▸ a timesheet app (maybe they also collect reports?)
▸ teh timesheet interface itself!1
36. capture passwords for teh glory
this is auth.jsp
we saw in the mysql config that the timesheet authenticates against LDAP, a.k.a. (hopefully) valid domain creds
therefore we add an unNoticedRoutine that logs creds
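The routine stays "unnoticed" only because nobody compares the deployed auth.jsp with what was shipped. As an added example (not from the talk, and not part of any real timesheet product), here is a minimal file-integrity baseline for a deployed webapp directory: hash every watched file after deployment, keep the baseline off-host, and diff on a schedule. The `demo()` function builds a constructed webapp in a temporary directory, then simulates the tampering on the slide (an extra routine appended to auth.jsp plus a dropped helper file); the suffix list and file names are assumptions.

```python
"""Detect tampering of deployed web application files (e.g. a modified auth.jsp).

Added example, not from the talk. Store the baseline somewhere the web server
cannot write to, and run diff_baseline() against a fresh build_baseline().
"""
import hashlib
import os
import tempfile

# File types worth watching in a Tomcat/PHP deployment (assumption: tune per app).
WATCHED_SUFFIXES = (".jsp", ".jspx", ".php", ".war", ".class", ".jar", ".xml")


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large WARs do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each watched file (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WATCHED_SUFFIXES):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def diff_baseline(old, new):
    """Files added, removed and modified between two baselines (sorted lists)."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed webapp: baseline it, tamper with it, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "WEB-INF"))
        with open(os.path.join(root, "auth.jsp"), "w") as fh:
            fh.write("<%-- constructed login page --%>\n")
        with open(os.path.join(root, "WEB-INF", "web.xml"), "w") as fh:
            fh.write("<web-app/>\n")
        before = build_baseline(root)

        # Simulate the slide: a credential-logging routine appended to auth.jsp
        # (hypothetical name) and an extra file dropped next to it.
        with open(os.path.join(root, "auth.jsp"), "a") as fh:
            fh.write("<% /* hypothetical unNoticedRoutine() */ %>\n")
        with open(os.path.join(root, "helper.jsp"), "w") as fh:
            fh.write("<% /* dropped file */ %>\n")
        after = build_baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashes alone do not tell you what changed, only that something did; the follow-up is to pull the modified file and diff it against the artifact from your build system. Timestamps are not used on purpose, since they are trivially reset.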
37. while unNoticedRoutine works unnoticed
▸ lurk into the timesheet database: no useful info, just hours and customers' names
▸ still no logins (a.k.a. domain creds) so far
▸ maybe we could also tamper with login.jsp for the lulz
"for the lulz" of course means BeEF
43. BeEF oops...
timesheet logs show accesses, but no hook here
we know that the network is segmented and "well" protected at layer 4. we suspect that there is also layer-7 protection (read: web proxy)
but wait, if we saw a log entry it means that we have credentials!
45. meantime our unNoticedRoutine()...
▸ logged some credentials!
▸ how to (ab)use those creds?
▸ Exchange maybe?
▸ something more than email lurking?
hold on, overexcitement here
46. let's rule it out!
▸ Ruler is a tool that allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP protocol. The main aim is to abuse the client-side Outlook features and gain a shell remotely.
▸ drops a shell by abusing scripting at:
▸ outlook rules
▸ outlook forms
▸ outlook home page
▸ https://github.com/sensepost/ruler
47. because we're talking about pitfalls...
▸ outlook rules: patched 06/2017
▸ outlook forms: patched 10/2017
▸ outlook home page: patched 10/2017
"works for sure", isn't it? no, patched :)
49. never overlook lurking
▸ MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.).
▸ also GAL, too-open mailboxes, password spray
▸ https://github.com/dafthack/MailSniper
▸ what's not *that* explicit is that it needs a valid "domain session" OR an Exchange admin account...oops...
▸ will keep this for next session maybe :)
50. back to BeEF oops...
back to that possible web proxy, start with an assumption
51. with a little help from a friend
▸ Domain Fronting A.K.A. High Reputation Redirectors
▸ CDN anyone?
original pictures from https://blog.cobaltstrike.com/
a very good read is here: https://bitrot.sh/post/30-11-2017-domain-fronting-with-meterpreter/
52. with a little help from a friend...
▸ cloudfront, like lots of other CDNs, lets us bypass reputational filters and hook the target
▸ note: ALL the traffic goes through the CDN, both the hook and the following communication between the browser and the BeEF service
▸ oops warning: they also do some basic malware analysis
now, back to BeEF, which hooked a browser
54. time's almost gone
▸ we already stumbled^Wdodged lots of stones
▸ prepare to evade a possible (NextGen) antivirus
▸ no more chances to fail, AKA no chance to test even a part of the FUD tutorial plethora
FUD of course means fully undetectable, NOT fear/uncertainty/doubt :)
55. last chance, shellter the exe
▸ see video at https://www.youtube.com/watch?v=6v20_gNRD4I
56. approved by Bob: ShellterPro
▸ Shellter is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created.
▸ One-stop-shop for AV evasion
▸ ShellterPro introduces some extra features:
▸ Dynamic Payload Injection In DLLs
▸ Multi-Payload Chaining
▸ donates part of the fee
pro means $$, but it's very cheap :)
57. last oops, at least for today
▸ meterpreter supports domain fronting since nov 2017
because I'm not that lucky, meterpreter/reverse_https also looked broken while I was working on this presentation :)
58. with a little help from a friend...
▸ see video at https://www.youtube.com/watch?v=-Wu23uDsLDo