Blue Team Training Series part 2

# Blue Team Training Series part 2 ###### tags: `cybersecurity` `blue team` `nfs` `smtp` `metasploit` `smtp_enum` `smtp_version` `hydra` `mysql` ## Understanding NFS Network File System allows a system to share directories and files over a network. Through NFS, users and programs can access files on a remote system as if they were local files. NFS does this by mounting all / a portion of a file system on a server. The portion of the file system that are mounted can be accessed by clients with whatever privileges are assigned to each file. A detailed explanation of how NFS works can be found [here](https://docs.oracle.com/cd/E19683-01/816-4882/6mb2ipq7l/index.html) ### how nfs works 1. Client requests to mount a directory from a remote host on a local directory. 2. Mount service acts to connect to the relevant mount daemon using RPC(remote procedure call). 3. Server checks if the user has permission to mount whatever directory has been requested. 4. The server returns a file handle which uniquely identifies each file and directory that is on the server. If someone wants to access a file using NFS, an RPC call is made to the NFSD (the NFS daemon) on the server. The call takes the following parameters: * file handle * name of the file to be accessed * user's UID(USER ID) * user's GID(GROUP ID) These are used to determine access rights to the specified file. ### Enumeration This is the process of establishing an **active connection** to the target hosts to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. ### NFS-common This package is requisite in any machine that uses NFS, either as a client or server. It includes: **lockd, statd, showmount, nfsstat, gssd, idmapd, mount.nfs** ### Mounting NFS shares Your client system needs a directory where all the content shared by the host server in the export folder can be accessed. This folder can be anywhere on your system. Once the mount point is created, use the mount command to connect nfs shares. syntax: **mount -t nfs [IP]:[share] /tmp/mount/ -nolock** * mount: execute the mount command * -t nfs: type of device to mount * IP: the ip address of the NFS server * share: the name of the share you wish to mount * -nolock: specifies not to use NLM locking ### Exploitation steps 1. Establish what shares are on the target device by: **/usr/sbin/showmount -e [IP]** 2. Mount the share using: **mount -t nfs [IP]:[SHARE] /tmp/mount -nolock** If you have a low privilege shell on any machine and you found that a machine has an NFS share you might be able to use that to escalate privileges, depending on its configuration. #### Root-squash shennanigans Root squashing is enabled by default on nfs shares. This prevents anyone else connecting to the NFS share from having root access to the NFS volume. Remote root users are assigned a user **nfsnobody** when connected, which has the least local privileges. If this is turned off however, it can allow the creation of SUID bit files, allowing a remote user root access to the connected system. #### SUID When a suid bit is set for a file it allows users to run the file with the permissions of the file(s) owner/group. If the owner is a super user we can leverage this to get a shell. #### The plan * We will upload files to the nfs share * Then control the permissions for said file * We can set the permissions of whatever we upload, in our case a bash executable * We then login through ssh * And execute the bash exe to get a shell ### Threat Model 1. NFS Access 2. Gain Low privilege shell 3. Upload bash exe to NFS share 4. Set SUID permissions through NFS due to misconfigured Root Squash 5. Login through ssh 6. Execute SUID bash exe 7. Root access #### Executable You can get an executable for ubuntu 18 [here](https://github.com/polo-sec/writing/blob/master/Security%20Challenge%20Walkthroughs/Networks%202/bash) copy it to the mount folder add the suid by : **chmod +s** after assigning **chmod 755** permissions to the bash file Remember to run the executable with the -p option for persistence. syntax: **./bash -p** where bash is the name of the executable ## Understanding SMTP Simple mail transfer protocol is used to handle the sending of emails. Support of email services needs a protocol pair: **SMTP** and **POP/IMAP**(Post office protocol / Internet Message Access Protocol). Together they allow the user to send outgoing mail and retrieve incoming mail respectively. Basic functions of an SMTP server: * verifies who is sending emails through the smtp server * sends the outgoing mail * if the outgoing mail cannot be delivered, it sends the message back to the sender POP and IMAP are responsible for transfer of email between a client and a mail server. POP has a simplistic approach of downloading the inbox from the server to the client. IMAP synchronises the current inbox with new mail on the server, downloading anything new. Thus, changes to the inbox made on one computer over IMAP will persist if you synchronise the inbox from another computer. The POP/IMAP server is responsible for this process. POP- port 110, IMAP- port 143 **In practice it looks like this:** ![how email works](https://i.imgur.com/3o3y5e3.png) 1. The MUA (mail user agent) connects to the SMTP server of your domain e.g smtp.google.com which initiates the **smtp handshake**. This is done over the smtp port (usually 25). Once the connections have been made and validated, the smtp session starts. 2. The send mail process commences. Client first submits the sender and recepient address, the body of the email and attachments to the server. 3. The smtp server checks whether the domain name of the recepient and the sender is the same. 4. The smtp server of the sender makes a connection to the recipient's smtp server before relaying the mail. If the recipient's smtp server cannot be accessed, the email goes into the smtp queue. 5. The recipient's smtp server will verify the incoming email by checking if the username and domain have been recognised. The server then forwards the email to the POP or IMAP server. 6. The email shows up in the recipient inbox. You can read a more detailed explanation [here](https://computer.howstuffworks.com/e-mail-messaging/email3.htm) ### Enumerating SMTP Poorly configured /vulnerable smtp servers can often provide an initial foothold into a network. Before launching an attack, we should fingerprint the server to ensure we have the most accurate info possible. We can use the **smtp_version module in metasploit** to do this. It scans a range of ip addresses and determines the version of any mail servers it encounters. #### Enumerating users from smtp SMTP has two internal commands that allows the enumeration of users: * VRFY - confirms the names of valid users * EXPN - reveals the actual addresses of user's aliases and lists of e-mail(mailing lists) With these smtp commands we can reveal a list of users either manually over a telnet connection or with **metasploit's smtp_enum** module. note: a non metasploit tool that could achieve this is **smtp-user-enum** which works better for enumerating OS level user accounts on Solaris via the SMTP service. Enumeration is performed by examining the responses to **VRFY, EXPN, RCPT TO** commands. ### Exploiting SMTP By the end of enumeration you should have: * user account name * type of smtp server and OS running If ssh is open on this machine, we can try and bruteforce the password of the user's ssh login with **hydra**! syntax: **hydra -t 16 -l [username] -P [path to dictionary] -vV [IP] [protocol]** * hydra: runs the hydra tool * -t 16: number of parallel connections per target * -l [user]: Points to the user whose account you are trying to compromise * -P [path to dictionary]: Points to the file containing the list of possible passwords. e.g /usr/share/wordlists/rockyou.txt * -vV: sets verbose mode to very verbose. Shows the login+password combination for each attempt. * [IP]: ip address of the target machine. * [protocol]: sets the protocol. e.g ssh Once you get the password, you can then login with the earlier acquired user name and the now acquired password through ssh. ## Understanding MySQL MySQL is an RDBMS(relational database management system) based on SQL(structured query language). A database is a persistent, organised collection of structured data. MySQL as an RDBMS is made up of the server and utility programs that help in the administration of MySQL databases. The server handles all database instructions like creating, editing and accessing data. It takes and manages these requests using MySQL protocol. As follows: 1. MySQL creates a db for storing and manipulating data, defining the relationship of each table. 2. Clients make requests by making specific statements in SQL 3. The server responds to the client with whatever info has been requested. MySQL forms an essential part of the LAMP(Linux, Apache, MySQL, PHP) stack. ### Enumerating MySQL This is likely not going to be your first option for compromise. However, when you've attained credentials elsewhere and no other avenues are working e.g ssh you can try this. You need to have mysql installed on your system to connect to the server. You can do this by: syntax: **apt install default-mysql-client** ,this will install just the client package on your system. You can use metasploit or you can find other non-metasploit alternatives such as scripts from [Exploitdb](https://www.exploit-db.com/exploits/23081) and [ Nmap script](https://nmap.org/nsedoc/scripts/mysql-enum.html) You can validate your credentials manually by logging into the sql server syntax: **mysql -h [ip] -u [username] -p** #### steps: 1. validate creds: **mysql -h [ip] -u [username] -p** 2. use the mysql_sql module in msf with the default **select version()** this gives you the version running 3. use the mysql_sql module in msf but change the sql option to **show databases** this will give you a list of databases ### Exploiting MySQL In mysql, a schema is synonymous with db. i.e you can use create schema instead of create database. Hashes are the product of a cryptographic algorithm to turn a variable length input into a fixed length output. 1. Run **mysql_schemadump** in msf to dump the db schema 2. Run **mysql_hashdump** in msf to dump the hash 3. select hash of interest and paste in a hash file e.g hash.txt 4. Run **john the ripper** against the acquired hash. syntax: **john [hashfile]** You can read more about exploiting mysql [here](https://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-sg-en-4/ch-exploits.html)