Author: Cordian

Posted on

VulnHub – DC-3

Machine: DC-3
Target IP: 10.0.2.11
Attacker IP: 10.0.2.15
Difficulty: Easy
Goal: Get /root/the-flag.txt
Link: https://www.vulnhub.com/entry/dc-3,312/
VM-Creator: https://twitter.com/dcau7

For initial reconnaissance we use Nmap to scan the system for open ports. Interestingly, even when we use the option -p- to scan all 65535 ports (TCP) Nmap identifies only one open port as shown in figure 1.

1. Nmap output

When browsing the root webpage on port 80 we are presented with some information about the boot2root challenge but nothing too interesting. To gather more information about the HTTP service we use the tool Gobuster to search for further directories as shown in figure 2.

2. Using Gobuster to search for hidden directories

When browsing the /administrator directory we find a login page for the CMS backend Joomla!.

3. Joomla! at http://10.0.2.11/administrator

To identify the version of Joomla! we can use a tool called Joomscan as shown in figure 4.

4. Joomscan to identify Joomla! version.

After identifying version 3.7.0 we use Searchsploit to look for any known exploits or vulnerabilities for the specific version. As figure 5 shows we are in luck and there is an SQL-injection vulnerability for Joomla! Version 3.7.0.

5. Using Searchsploit to search for available exploits

With the command  “searchsploit -x exploits/php/webapps/42033.txt” we can take a closer look at the exploit and see that there is already a prepared Sqlmap call as proof of concept.

6. Joomla! SQL-Injection exploit description

When we run the Sqlmap statement and replace the target address we can verify that the SQL-injection is working and pull the names from the existing databases from the target as shown in figure 7.

7. SQL-Injection verified with Sqlmap

Afterwards we dump the Joomla! Database with the following command and receive the username and hash for the administrator of the backend.

Sqlmap -u “http://10.0.2.11/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml” –risk=3 –level=5 –random-agent –dump -D joomladb -p list[fullordering]

8. Sqlmap dumps user table from joomladb

To crack the hash with a dictionary attack we need to know what hashing algorithm to use. To identify the algorithm, we can use a tool called Hashid as shown in figure 9.

9. Using Hashid to identify hashing algorithm

The next step is to use Hashcat to perform the dictionary attack. But before we can do that, we use the Hashcat help function to search for the corresponding algorithm to know which parameters to use.

10. Searching for correct Hashcat mode

With the following command we are able to execute a dictionary attack and crack the hash to receive the cleartext password as shown in figure 11.

hashcat -a 0 -m 3200 hash.hash /usr/share/wordlists/rockyou.txt –force

11. Hashcat result

With the username “admin” and the password “snoopy” we have administrative access to the Joomla! backend. We can use this to edit an existing template to place a PHP reverse shell (LINK).

12. Replacing PHP-Template code with reverse shell

After placing the reverse shell code we start a Netcat listener on port 443 for handling an incoming connection. To execute the PHP code we browse the webpage of the modified template at:

http://10.0.2.11/templates/protostar/error.php

As figure 13 shows this allows us to receive a reverse connection to the target system.

13. Netcat incoming connection

From there on we need to escalate our privileges on the target system. After checking some initial stuff like home directories for interesting information and cron jobs we download and execute Linpease (LINK) on the target machine.
Linpease reveals an old kernel exploit and marks it as 99% change for privilege escalation as shown in figure 14.

14. Linpeas detects old kernel version

Next up we use Searchsploit to check the kernel version 4.4.0-21-generic and we find one that is 32-bit system compatible (Linux Kernel 4.4.x (Ubuntu 16.04) – ‘double-fdput()’ bpf(BPF_PROG_LOAD) Privilege Escalation).

15. Using Searchsploit to find kernel exploit

When checking the description for the kernel exploit with the following command we find a download mirror on Github.

searchsploit -x exploits/linux_x86-64/local/39772.txt

We download it to our attacking machine and host the needed files with an Python simple web server. Afterwards we download the exploit to the target system as shown in figure 16.

16. Downloading Exploit to target machine

We check the compile.sh script from the exploit and check if GCC is installed on the target to compile the exploit. Indeed GCC is installed on the target so we compile the exploit and run it afterwards to gain root privileges.

17. Root privileges and flag

 

 

Posted on

Malware/Phishing: Stealing Firefox Login-Information

Malicious E-Mails are very common these days. It is easy to place code inside an Office document that downloads and executes arbitrary files or even give initials access over a PowerShell reverse TCP connection (for further information about this topic take a look at the new Tool-List for Phishing). But what if you face a dedicated environment where running arbitrary executable files is not an option due to some sort of application white-/blacklisting? One security flaw that could exist in such an environment is the lack of restrain on how Firefox handles credentials. If you can steal login information off a target you might be able to login on some by that target frequently used Web-Applications for further information gathering or placing an implant. Or if you get lucky, that target allows some sort of remote connection (Remote Desktop Services or VPN for example) without a multi factor authentication.

To steal Login-Information that is stored/saved within Firefox you need three files: Logins.json, key4.db and cert9.db. All three files are stored in the %appdata%\Mozilla\Firefox\profiles folder inside the current user profile (for Windows). The goal is to read the content of that files, Base64 encode it and send it off to a HTTP-Server on the Internet. Once the data has been exfiltrated it is possible to recover all three files by decoding them and then access their content with a tool called Firefox Decrypt.

1. First we need to set up a rogue HTTP-Server that receives the exfiltrated data (LINK – PW: offensive).

1. Rogue Python HTTP-Server

 

2. The next step is to create a PowerShell script that reads the all three files, Base64 encodes the content and then sends each file inside the body of a POST-Method to our HTTP-Server (LINK – PW: offensive).

2. PowerShell script for data exfiltration

 

3. To use the PowerShell script inside an Office document we have to make some adjustments. First we rewrite the script into one line of code by deleting all line breaks and using semicolons. Then we save the whole code block in a variable which we execute at the end of the script with an Invoke-Command -ScriptBlock method (LINK – PW: offensive).

3. Rewriting the PowerShell script as a single line of code.

 

4. We then embed that code inside an Office document, preferably as Base64 encoded payload. To encode the payload as Base64 the following command can be used:
cat payload.txt | iconv -t UTF-16LE | base64 -w0

4. Payload inside Office document

 

5. Once the phishing script has been successfully executed the HTTP-Server receives the encoded data and stores it inside a new folder.

5. Incoming data handled by the HTTP-Server

 

6. Now all the received files can be decoded. Make sure to decode all three files per profile.

6. Decoding the logins.json file

 

7. The last step is to use the Firefox Decrypt tool to recover the stored login information.

7. Getting the clear text Login-Information

If the target made use of a master password to protect the stored information you could try to recover the passwords with a dictionary attack or credential stuffing.

Countermeasures:
-Do not save passwords with Firefox or use a really strong master password to protect them.
-Use execution policies, PowerShell code signing and Trust Center settings to prevent Office documents from executing arbitrary code.

Disclaimer:
-This post is for educational purposes only.
-Using these techniques outside of test environments is prosecutable and thereby prohibited.
-All (PowerShell-)code has been uploaded to VirusTotal before publishing.

Results VirusTotal.com for OriginalPowerShell.ps1

 

 

Results VirusTotal.com for OneLinerPowerShell.ps1