
Hardcoding Passwords in scripts!!! What could go wrong?


It was a lovely Friday afternoon and I was creating reports for the 2 penetration tests I had executed during the week. The mood was already set for the weekend and we were busy cracking jokes and working at the same time.
One of our teammates was not in the mood though. When asked, he said he had been on this box since morning with no breakthrough yet. We said that as long as you have checked everything it should be alright. It may happen that the box is really well configured!!!

He said, well, I have checked everything, but do you mind running through it once again quickly to make sure I have covered everything? As I was almost done with my report, I gave it to him to review ;) and I headed over to take a quick peek at the box.

I was already interested as this seemed to be a tough one. I checked the nmap report. Things looked fine.
Checked the brute force wordlists used to crack SSH – those were fine. I invested some time going through the discovered services and their known vulnerabilities, but nothing seemed exploitable.

I was heading towards trying a zero-day angle. Suddenly I had an idea to just browse the system manually.

I asked my teammate if he had low-level creds on the box. He said yes; as part of the test data they had given us low-level shell access. Awesome! Did you try to do a privilege escalation and become root?
He said yes, I did try that, but nothing worked.

If you are a pen tester you would know privilege escalation is not an easy task. See the blogs here for tips and tricks on privilege escalation. I was sure that my mate would have used a script to check for possible priv escalation means and attempted them one by one. So to verify, I decided to do this manually. And I already knew that most of the steps had already been tried, so I was looking for something else. I asked him to show me the output of the script that listed possible priv. escalation means. Looking at it I could not see anything special. I was about to give my OK to him when my eyes got stuck on a command in the script:
grep -l -i password /var/log/*.log 2>/dev/null
This was used to search for the keyword “password” in the specified directory. I ran the command again and there was no fruitful match. I decided to change the path to point to the project directory.
grep -r -l -i password ~/Projects/Projectname/ 2>/dev/null
(actual path not shown above)
However still no fruitful result. I decided not to give up and I did this:
grep -r -l -i pass ~/Projects/Projectname/ 2>/dev/null
Changed the keyword to ‘pass’ instead of ‘password’, thinking someone might just use pass.
Bingo!!! 2 files appeared. I was super excited now. These were 2 scripts for backup jobs. Opening the script content was a treat. The same password was used in both of them for a user called admin. This was a 16-character password of alphanumeric and special characters. No wonder the brute force did not work!!
Next was to try SSH to the box with this new password :) Within seconds we were admin on the box.
To my surprise sudo access was allowed, and so in the next few seconds I was root on the box. WOOT WOOT… Game over!!!
Now the possibilities were unlimited depending on the scope that my mate was working on. I left it to him from that point onwards. He gave me credit for pwning this box :) and an invite for beers. What else do you need to end a week and get a head start on the weekend?
Learning: Never store clear-text passwords in scripts.
Note to self and fellow pentesters: Add a line to your privilege escalation script with the new keyword, or modify it to pass* and do a recursive search in all directories.
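The same search, turned into a defensive check you can run over a project before it ships, as an added example that is not part of the original post: it recurses through a directory like grep -r, matches keys containing pass (so pass, PASS, passwd, db_password), pwd, secret or token, skips values that are read from the environment at runtime (the fix the learning above calls for), and redacts the value in its report. The sample backup script, the regexes and all function names are constructed for this example.

```python
"""Hardcoded-credential scanner for scripts (added example; names are assumed)."""
import os
import re
import sys

# Keys containing pass/pwd/secret/token, followed by '=' or ':' and a value that
# may be quoted or bare; covers shell, ini/yaml and python assignment styles.
CRED_RE = re.compile(
    r"(?i)\b(\w*(?:pass|pwd|secret|token)\w*)\s*[=:]\s*['\"]?([^'\"\s]+)"
)
# Values looked up at runtime rather than written literally: not a finding.
INDIRECT_RE = re.compile(r"^(\$|\{\{|%|os\.environ|getenv\()")

def scan_text(name, text):
    """Return [(name, lineno, key, redacted_value)] for every literal credential.
    Only the value's length is reported, so the scan output leaks nothing."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CRED_RE.finditer(line):
            key, value = m.group(1), m.group(2)
            if INDIRECT_RE.match(value):
                continue  # env/variable reference: the recommended replacement
            findings.append((name, lineno, key, "*" * len(value)))
    return findings

def scan_dir(root):
    """Recurse through root like `grep -r`, skipping binary or unreadable files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8") as fh:
                    findings.extend(scan_text(path, fh.read()))
            except (UnicodeDecodeError, OSError):
                continue
    return findings

# Constructed sample resembling the backup job scripts described in the post.
SAMPLE_BACKUP_SCRIPT = """#!/bin/sh
# nightly backup (constructed sample, not a real script)
USER=admin
PASS='Wint3r!Backup#2019'
DB_PASSWORD="${DB_PASSWORD}"
mysqldump -u "$USER" -p"$PASS" app > /backup/app.sql
"""

if __name__ == "__main__":
    for name, lineno, key, masked in scan_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{name}:{lineno}: {key} = {masked}")
```

Run it as `python scanner.py ~/Projects/Projectname/` to list every file and line holding a literal credential; the `DB_PASSWORD="${DB_PASSWORD}"` line in the sample is deliberately not reported because it reads the secret from the environment.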
