Info Sharing Blog

Friday, October 9, 2020

Zerologon Vulnerability : Exploitation [CVE-2020-1472] Walkthrough.

October 09, 2020 Posted by jaacostan

CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability | Severity : Critical

As per Microsoft, an elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would need to use MS-NRPC to connect to a domain controller and obtain domain administrator access.

We use Impacket to exploit this vulnerability, and for that we first set up a Python virtual environment. A virtual environment is not mandatory for running Impacket, but we use one for stability.

python3 -m pip install virtualenv
python3 -m virtualenv impacketEnv
source impacketEnv/bin/activate
pip install git+https://github.com/SecureAuthCorp/impacket

Once the environment is set up and Impacket is installed, start the exploitation. Secura, the company that discovered the Zerologon vulnerability, has released a script for testing the exploit.

Link : https://github.com/SecuraBV/CVE-2020-1472 

THM has modified the script slightly for the PoC. Now run the script. As you can see, the vulnerability can be exploited in less than 20 seconds.

Syntax : python3 <script.py> <Domain_controller_name> <IP_Address>

The password has been changed and the vulnerability has been successfully exploited. Now we can dump the AD credentials using secretsdump.py, which ships with Impacket by default. Run the tool.
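Why the script succeeds so quickly, as an added illustration that is not part of the original post or of the Secura script: Netlogon's ComputeNetlogonCredential encrypts the 8-byte client challenge with AES-CFB8 under a fixed all-zero IV, so an all-zero challenge produces an all-zero credential for about 1 in 256 session keys, and the unauthenticated caller may keep retrying. The block below reproduces the CFB8 chaining around a constructed stand-in block function (not AES) so it runs offline; the keys it iterates are constructed integers, not real session keys.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define BLK 16  /* block size in bytes, as for AES */
/* Stand-in keyed block function (splitmix64 finalizer). NOT AES; only the CFB8 chaining matters. */
static uint64_t mix64(uint64_t z) {
    z += 0x9e3779b97f4a7c15ULL;
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
    return z ^ (z >> 31);
}
static void toy_block(const uint8_t key[BLK], const uint8_t in[BLK], uint8_t out[BLK]) {
    uint64_t k[2], x[2], a, b;
    memcpy(k, key, BLK); memcpy(x, in, BLK);
    a = mix64(k[0] ^ x[0] ^ mix64(k[1] ^ x[1]));
    b = mix64(a ^ k[1] ^ x[1]);
    memcpy(out, &a, 8); memcpy(out + 8, &b, 8);
}
/* CFB8: each plaintext byte is XORed with the first byte of E_k(register); the
   register then shifts left by one byte and takes in the ciphertext byte. */
void cfb8_encrypt(const uint8_t key[BLK], const uint8_t iv[BLK],
                  const uint8_t *pt, uint8_t *ct, size_t len) {
    uint8_t reg[BLK], ks[BLK];
    memcpy(reg, iv, BLK);
    for (size_t i = 0; i < len; i++) {
        toy_block(key, reg, ks);
        ct[i] = pt[i] ^ ks[0];
        memmove(reg, reg + 1, BLK - 1);
        reg[BLK - 1] = ct[i];
    }
}
/* ComputeNetlogonCredential used a fixed all-zero IV. With an all-zero 8-byte challenge the
   register never changes, so the credential is all zero iff the first keystream byte is zero. */
int zero_challenge_gives_zero_credential(const uint8_t key[BLK]) {
    static const uint8_t zero[BLK] = {0};
    uint8_t cred[8];
    cfb8_encrypt(key, zero, zero, cred, sizeof cred);
    return memcmp(cred, zero, sizeof cred) == 0;
}
/* Fraction of constructed keys (integers 0..n_keys-1) giving a zero credential; about 1/256. */
double zero_credential_fraction(unsigned n_keys) {
    unsigned hits = 0;
    for (unsigned i = 0; i < n_keys; i++) {
        uint8_t key[BLK] = {0};
        memcpy(key, &i, sizeof i);  /* constructed key, not a real session key */
        hits += zero_challenge_gives_zero_credential(key);
    }
    return (double)hits / n_keys;
}
```

The patched servers remove the conditions this relies on, which is why the advisory rates the issue Critical.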


The tool quickly dumps all the hashes, so we now have the hashes of all users, including the Administrator. Next, use the pass-the-hash method to gain access to the Domain Controller.

Use evil-winrm tool for this purpose. For more details on this tool, visit https://github.com/Hackplayers/evil-winrm

Pass the hash of the Administrator and shoot. 

That's it. We have successfully exploited the CVE-2020-1472 vulnerability and opened a shell with domain admin privileges.

I was planning to set up a lab to try the PoC. But thanks to THM for providing the lab environment. They were quick to release a room on this.

Links & References :

Whitepaper on Zerologon by Secura : https://www.secura.com/pathtoimg.php?id=2055

THM room : https://tryhackme.com/room/zer0logon 

Microsoft Security Advisory page : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472


Free AWS Cloud Practitioner training and Practice exam.

October 09, 2020 Posted by jaacostan

 
Prepare for the AWS Cloud Practitioner certification exam by participating in the AWS Certified Global Challenge. AWS offers free training, a free practice exam, suggested resources and Q&A opportunities.
 
Registration will be open October 1 - December 31, 2020. To attend live training sessions, sign up by October 11, 2020. Registrants after October 11, 2020 will be able to review recorded training sessions. To be recognized for meeting the Get AWS Certified Global Challenge, take and pass your AWS Certified Cloud Practitioner exam on or before December 31, 2020.
 
Only the training and a practice exam voucher are provided by AWS. To earn the Cloud Practitioner title, you need to take the AWS Cloud Practitioner exam, which costs 100 USD.
 
 

 

Wednesday, October 7, 2020

THM Walkthrough : Blog

October 07, 2020 Posted by jaacostan

THM Room : Blog

Link : https://tryhackme.com/room/blog 

Objective : Grab the root & user flags by exploiting the vulnerabilities in the WordPress version in use. [CVE-2019-8942, CVE-2019-8943]

Access the IP from your browser. It returns an unformatted web page, which hints that you should add the hostname to your hosts file.


Add the hostname to the hosts file. If you go through the page source in your browser, you can see that many of the page links use the URL blog.thm. If you enumerate further, you can also find the WordPress version, or you could find it using the wpscan tool.

Perform the nmap scan.

So we have SSH, web and a Samba share. Let's explore the Samba share.


Nice, we can get some files from here. So I used steganography tools and found a text file.

And unfortunately, it's a rabbit hole.

Now let's perform a directory scan. I used my favorite tool, gobuster, for this.


We can see a large number of directories, but not much of use for this room's objective.

Now, since we know that the website runs on WordPress, let's use wpscan to enumerate its users.


So we have identified some valid users. But which one can we use? bjoel is Billy Joel, who is supposed to be the admin of the page, and Karen Wheeler is his mom. We can see some of the comments they made on the website as well.

Let's perform a brute-force attack to get the credentials. I did it for both users, and we could find Karen's password.


Cool. We now know the user credentials. We can log in to the WordPress admin console, but since Karen is a normal user, we cannot edit the configuration.

Since we know the WordPress version, let's search the web for any known exploit, and we can find one.

We can see that a Metasploit module is available for this particular exploit.

Open Metasploit and use the RCE module. Set all the required options and run the module.


Great. We got the Meterpreter session; now drop into a shell. You can go through the home directory and find user.txt under the bjoel user's folder, but again, it's a rabbit hole. No flags in it.

Search for SUID files.

So, we can see one unusual binary, checker.

I searched the internet and couldn't find anything in particular about it. So I assumed it is custom made and might be our shot.

Use ltrace to learn more about the binary. We can see that checker just reads the "admin" environment variable and checks whether it is non-null.
So assign a value to admin and hack the program.

Run the checker and now we are root.
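The flaw in checker, reduced to its essence as an added illustration (a constructed example, not the room's actual binary, whose source is not on the page): a setuid-root program deciding authorization from an environment variable the unprivileged caller controls, beside a form that decides on the caller's real uid instead.

```c
#include <stdlib.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/types.h>

/* The pattern ltrace revealed in checker: root is granted if the environment
   variable "admin" exists. The invoking user chooses the environment of a
   setuid program, so the attacker decides the outcome of this check. */
int checker_is_admin_vulnerable(void) {
    return getenv("admin") != NULL;
}

/* Hardened form (constructed): the decision is derived from the real uid, which the
   kernel sets from the invoking process and an unprivileged caller cannot forge,
   and is compared against an explicit allow-list rather than any inherited input. */
int checker_is_admin_hardened(uid_t real_uid, const uid_t *allowed, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == real_uid)
            return 1;
    return 0;
}

/* Decide from process state only. getuid() returns the real uid even while the
   program runs with an effective uid of root, which is why it is the safe input. */
int checker_decide_hardened(const uid_t *allowed, size_t n) {
    return checker_is_admin_hardened(getuid(), allowed, n);
}
```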

Search for the user flag.


That's it. We got both the root & user flags. Happy hacking.

For more articles : https://www.jaacostan.com/search/label/hacking


Saturday, October 3, 2020

Hacking Printers [PRET - Printer Exploitation Toolkit].

October 03, 2020 Posted by jaacostan

I have recently tried the PRET toolkit to hack the printers connected to or accessible from your network. PRET stands for Printer Exploitation Toolkit. PRET connects to a printer over the network or USB and abuses features of the printer language. An attacker can capture or manipulate print jobs, access the printer's file system, cached documents and memory, and even cause permanent damage. PRET uses TCP port 9100 when connecting to a printer over the network.

There are three main languages that printers speak, and you need to know which one the target uses in order to exploit it. Do basic enumeration and try them one by one.
1. ps (PostScript)
2. pjl (Printer Job Language)
3. pcl (Printer Command Language)

You can see network printers everywhere. But how often do organizations update the firmware of their printers? This makes them a soft target for hackers.

Usage: Clone the toolkit from GitHub : https://github.com/RUB-NDS/PRET

# pip install colorama pysnmp    // install the dependencies

You can simply run pret.py without arguments; it searches for printers in your local network using SNMP.

To access a network printer, provide the IP and the printer language. Here I tried pcl.


Try different printer languages. Examples:
python pret.py {IP} pjl
python pret.py laserjet.lan ps
python pret.py /dev/usb/lp0 pcl
// the last form works for a printer connected directly to your system.

Once you have successfully connected to the printer, you can use basic UNIX-like commands to browse the printer's file system and access its documents and configuration.

See the toolkit's GitHub page for the complete list of supported commands. [https://github.com/RUB-NDS/PRET]

When new vulnerabilities in printer firmware are discovered, exploits for them soon follow from developers and hackers alike. Since printer firmware is so rarely updated, it is very important to apply firmware updates to network-connected devices such as printers, scanners and IoT devices.






Monday, September 28, 2020

Ignite '20 : Attend for free PaloAlto certification vouchers and product training.

September 28, 2020 Posted by jaacostan

Register for Ignite '20 to be eligible for free Palo Alto product training and certification prep courses. Product deep-dive training sessions and free certification vouchers will only be available to those who attend the two-day, virtual Ignite '20 conference happening on November 16, 17 and 18. After attending a full session, you'll get a voucher to take the exam of your choice for free.

Use your company email to register for this event.

Link for Ignite '20 Registration : https://ignite.paloaltonetworks.com/

Splunk Certification Promo !

September 28, 2020 Posted by jaacostan

Splunk is offering a limited time discounted certification exam offer.

From August 1 through October 31, all eligible candidates can register for one certification exam for a $50 registration fee. Register for your desired exam at Pearson VUE and use the code STUDYUPBUTTERCUP at checkout to avail of this offer.

Link for exam registration tutorial : https://www.splunk.com/pdfs/training/Exam-Registration-Tutorial.pdf

Link for Promotion details : https://www.splunk.com/pdfs/training/Certify-in-Place-Promotion.pdf

Friday, September 18, 2020

[Experience] My new cellular number and possible security risks.

September 18, 2020 Posted by jaacostan

I recently moved to a new place and bought a new mobile connection from one of the cellular providers. The number got activated and then I created a new WhatsApp account. After I successfully opened my new WhatsApp, I started receiving many messages daily from people I had never met, complete strangers. They thought that the number belonged to a person, let's say X. Initially I thought, OK, this might be normal, because they might be contacting the person after a long time and be unaware that the person had changed his/her number. I started telling them "wrong number". I have no idea whether the previous owner of this number was a politician or a famous/infamous person, but I keep getting many calls and messages intended for that person X. Some added me into a few WhatsApp groups (work/personal). Getting frustrated.

People started sending sensitive documents and personal messages as well. Being a security pro, this led me to write a post about the possible security risks associated with this small 'wrong number' mistake.

1) The sender started sending sensitive/confidential documents without verifying the recipient or their number. This is the sender's mistake: before you pass anything over any medium of communication, make sure the recipient details are correct.

2) Don't add people you don't know into a WhatsApp group.

3) Better to avoid using WhatsApp for job-related or official purposes. There is a high chance of making a mistake by sending chats/files to the wrong person/group.

4) Now assume the receiver is a malicious person. They can impersonate the person, steal their identity and perform social engineering attacks.

5) The receiver can also misuse the confidential/sensitive information for illegal purposes.

So how to avoid such incidents?

1) Be cautious and act carefully. Make sure you are communicating with the right person.

If a person does not use their mobile connection for a period of time, for example 6 months, the provider may cancel the connection and release the number back to the market.

2) Enable two-step verification, so that nobody can create/clone another WhatsApp account for the same number on another device.

3) Don't send your personal information or work-related data over WhatsApp. I know the world now runs on WhatsApp; people rely on it more than on their office communicator. This is very wrong and unprofessional.

4) In your WhatsApp Privacy -> Groups settings, restrict who can add you to new groups.

Note: Some old guy started flirting as well. I guess the previous owner of the number was a female. Though I informed him that he was sending messages to the wrong person, he acknowledged it and the very next day started sending me new messages. 😆

I have blocked so many numbers and exited groups. Now thinking of deleting my WhatsApp. 😤

 


Wednesday, September 9, 2020

PrintSpoofer Windows Privilege Escalation tool : Usage and Illustration.

September 09, 2020 Posted by jaacostan

Let's talk about the PrintSpoofer tool. This tiny tool is used for Windows privilege escalation: if the account you hold on the target server has SeImpersonatePrivilege enabled, you can use this tool to escalate privileges.

1) Look for ways to elevate privileges on the target machine. Run whoami /priv.


Check for the weakness in Windows Server where certain service accounts are required to run with elevated privileges using SeImpersonatePrivilege. Most people use Hot Potato to take advantage of this privilege, but Hot Potato succeeds only if DCOM is enabled on the target server. This is where PrintSpoofer comes in: you can abuse the privilege with PrintSpoofer even if DCOM is disabled on the target server.

1) Get the code from Github.

https://github.com/itm4n/PrintSpoofer

Clone the repository. Note that if you try to compile the code on a Linux machine, you will get compile errors, as it requires the windows.h header file.


I used Visual Studio on my Windows machine and compiled the code to produce an executable (PrintSpoofer.exe).

2) I had already gained initial access to the machine as a normal user, meaning I have access to the machine and can upload files to it. I started a simple Python web server on my local machine and, from the target machine, downloaded PrintSpoofer.exe.


3) Once the download succeeds, just execute it to elevate privileges.

4) You have acquired the administrative privileges.

 

Thursday, September 3, 2020

Free courses and Online Training List.

September 03, 2020 Posted by jaacostan

Free courses and free content. Build a skill. Invest some time and light up.

1) GCFGlobal.
200+ courses ranging from MS office to Cyber Security.
https://edu.gcfglobal.org/en/topics/

2) OpenLearn

Courses on, well, almost everything.
https://www.open.edu/openlearn/free-courses/full-catalogue

3) Alison
Free and huge catalog of courses.
https://alison.com/