Good day, dear readers. For a long time I did not write examples on the pen test from my own practice, it's time to fix it. There is just one order, after the completion of which enough time has passed, and the client has allowed to publish the information online, but, naturally, without mentioning the name of the company, the names of its employees, etc. In order not to take a lot of time, I will try to explain everything briefly, without water.
One day I received an order for testing the security of the provider company X. The purpose of testing is to get from the external network to the local network of the campaign, and then get access to any information that provides at least some commercial value. Baseline - the organization's website (we present it as site.com).
It all started with a search for machines that are on the same subnet as the official site. 10 such hosts were found. There was nothing to dig under the belt: all the services “looking out” were the latest versions, the Brutus in the popular login / password dictionaries did not respond or opposed it (banned by IP, long delay between login attempts), on web servers when accessing Over IP, the finisher did not find any suspicious directories or files.
Then, with the help of Google, Bing and a couple of pereboroschis, a list of site.com subdomains was compiled It turned out that once upon a time on a separate server, the provider provided web hosting services. Unpretentious conditions, a small fee, a third level domain as a gift. Many of these domains still function today.
')
On exploring these sites, one of them discovered the phpBB forum of a very old version 2.0.15 containing the RCE (Remote Code Execution) vulnerability. The vulnerability was immediately exploited, and a shell was poured into one of the forum directories. However, in the PHP settings for each client, the open_basedir option was turned on with the indication of its working directory, which limited the actions of the interpreter. The safe_mode was turned on.
But there was a way out of this situation. Rummaging in phpinfo (), I found the safe_mode_exec_dir option with the path “/ usr / bin /”. As it turned out, the administrator entered such permission at the request of one of the clients who needed access to imagemagick binaries. Of course, perl was in / usr / bin. Therefore, on the host via system (), a barley backdoor was immediately launched, poured into the same directory as the shell.
There was a slight disappointment inside me - this server was not connected to the company's local network, but the shell on it is already something. Moreover, there were no special distinctions in the rights, and I easily roamed the web directories of all deployed hosts. It took about 2 days to process information from this server. All the passwords from the database, the admins of the hosted sites, their users and other things were collected, in the hope that some test project from some administrators and containing a privileged login and password would fall among them.
The expectations were met, and in the end I found 2 projects left by the admins. The first was a copy of the old version of the main site of the company, and the second was a beta host that hosted the new version of the same site before the full launch. And there, and there was a forum in which company employees communicated with users, gave advice and laid out the news. All their hashes were immediately merged and put on brute.
There were also found the scripts of the old version of the personal account, through which users could view the statistics of their account and change the tariff plans. A new version on the beta host was not observed, but the old one contained actual details of access to PostgreSQL, which was not available for connection from the outside. The pgsql client on the host where I was located was not installed. There was only the corresponding module in Perl (the scripts of the old LC were written on it). I had to write on it a small console utility that receives a sql query from the user and displays its result in a readable form.
With its help, I was able to connect to the database and get to the client base. In particular, up to a table containing user names and passwords for connecting to the Internet. In it, I was hoping to find administrator accounts. Theoretically, they should have been the very first in the table. However, everything turned out to be much simpler. Client logins consisted of a set of numbers, while for special accounts they were alphabetic. There were only 10 of them. Fortunately, the passwords were stored in the clear, and there was nothing to be done. The collected data was added to the already lost passwords, and I received a list of usernames / passwords for privileged users, which could help me get to other servers.
Several administrative accounts from the forums found earlier came up to the admin panel of the forum of the current site. It was IPB3, and pouring the shell through the admin panel was easy. Immediately the current list of staff accounts was reconciled with what I had. 2 new usernames emerged, whose hashes immediately went bust. With those hashes that did not have time to get lost during this time, I did it easier. A backdoor was added to the forum code, which records the logins of the logins that interest me, and the sessions of these users were deleted from the database, due to which each of them had to log in again. By the end of the next day, my list of effective logins and passwords for administrators increased by a few more entries. It's time to use it.
To select targets on the very first host where I managed to get a shell, nmap was collected, and they scanned all the same 10 hosts that were accessible from the outside, but on behalf of the server that was on the same network with them. This gave its results - new services “surfaced”, access to which was absent from the Internet.
Then Hydra was assembled and SSH brute launched (I decided to start with it) of all 10 servers. This gave access to 3 additional servers. Now I could gain a foothold on 5 out of 10. But I didn’t have to do this, since one of them was connected to the company's local network.
Expanding on it the same Nmap and Hydra, I began to explore LAN. Many interesting things were found, but the internal FTP server and the Open-E NAS-XSR administrative web panel (file storage) were the first to attract attention. FTP was immediately delivered to brute, but on Open-E NAS-XSR I went to Google, since I had never met this product before.
There, in addition to general information, default administrative passwords were found, which, as you probably already guessed, approached the discovered control panel. It contained a list of smb-storage directories and the names of users who had access to it. Hydra again surprised me, saying that smb access to these logins is carried out without passwords. Using 3proxy on the server accessible from the external network, I made port forwarding to the “ball” and, connecting to it from my machine, downloaded several randomly selected doc-files, which were transferred to the customer as the desired evidence.
Be careful when administering your resources and enjoy your work week :)