Sunday, 18 February 2018

ASM to ShellCode and Shellcode to ASM

As i have started a journey into vulnerability research and exploitation, i thought of sharing some topics which I found very confusing initially. So i will try to detail as much information as possible.

So we will begin by writing a simple helloworld assembly code. The code will do the following

  • Print HelloWorld
  • and Exit
Now you may wonder why do I have to write a code that exits ? If such is the case then you might probably have written good amount of code in high level language. The compilers of high level languages takes care of it i.e writing the extra code in the object file like the exit code. Internally every operations like read , write , exit and so on requires some low level calls to kernel. These calls are called SysCalls. So if you are programming using high level language like C and C++ , then you don't need to write codes to make the syscalls because due to the abstraction layer that hides the excessive code that is required to code. The compiler takes care to generate the object code which has essential exit code in it. To trigger these syscalls we need to use interrupt. Now these interrupt is maintained using an interrupt table. The diagram below shows the workflow of the syscalls and the interrupt



Now that i have given you a brief idea on why we need to write an exit code in asm, we will program a helloworld code



Now that I have a working , elf binary , my next target is to generate the shellcode from it.

I will use the objdump utility to view the disassembled contents of the binary along with the opcodes.


There is a nice one liner at ( http://www.commandlinefu.com/commands/view/6051/get-all-shellcode-on-binary-file-from-objdump ) which we can use to get the shellcode from the binary.

objdump -d ./PROGRAM|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

Using this technique, we can get a nice shell code from it which we dont need to extract manually from the disassembled code

Sweet! Now our 1st part of the tutorial is over , moving to the next , ShellCode to Assembly.

Now if I present you with the following shellcode, how will you get back to a working elf executable.
"\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\xb9\xa4\x90\x04\x08\xba\x10\x00\x00\x00\xcd\x80\xb8\x01\x00\x00\x00\xbb\x02\x00\x00\x00\xcd\x80"'

Lets copy the shellcode and save the contents inside a file. Please note we are going to save the shellcode as raw hex file and not as text. To do it we need help of perl

Syntax :   perl -e 'print "YOUR SHELL CODE"' > outputFile

perl -e 'print "\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\xb9\xa4\x90\x04\x08\xba\x10\x00\x00\x00\xcd\x80\xb8\x01\x00\x00\x00\xbb\x02\x00\x00\x00\xcd\x80"' > hexraw

Now we will use the ndisasm utility to get the disassembled code from the file. So what ndisasm is doing here is converting the hex opcodes into equivalent asm instructions.

Syntax :  ndisasm -b 32 hexraw



Now you can see , we almost have the same code that we wrote, except there is an hardcoded address 0x80490a4 at line 3 and hardcoded value at line 4. The problem is we got the disassembled code of the .text section and not the .data section. Let us fix the code by modifying the code a little.

Finally we are able to get back our ASM code and make it execute successfully



References:

https://en.wikipedia.org/wiki/System_call
https://www.youtube.com/watch?v=G4wA7Zm-DIU&feature=youtu.be
http://searchsecurity.techtarget.com/answer/What-is-the-relationship-between-shellcode-and-exploit-code

Tuesday, 16 January 2018

SANS HOLIDAY HACK 2017 : PART 5

If you have not read the 1st Part then read it here.

http://oxhat.blogspot.in/2018/01/sans-holiday-hack-2017-part-1.html

So this part is all about exploiting machines.Each challenge will lead us to a page of the Great Book that will answer our questions to who was the actual culprit behind hurling those massive snowballs.

6) The North Pole engineering team has introduced an Elf as a Service (EaaS) platform to optimize resource allocation for mission-critical Christmas engineering projects at http://eaas.northpolechristmastown.com. Visit the system and retrieve instructions for accessing The Great Book page from C:\greatbook.txt. Then retrieve The Great Book PDF file by following those directions. What is the title of The Great Book page?

We can find the about the IP of the internal host from the NMAP scan on the compromised machine from PART 2 of this series.

nmap -PS80 -v 10.142.0.1/24 --open



Let us connect to the Alabaster's system again using SSH followed by local port forwarding


We will modify our host file slightly to get the point to http://eaas.northpolechristmastown.com



Now we have done this, we can browse to the website



Going through the website we find 2 interesting thing.

1. One DisplayXML where all the Elves are listed out




2. One Builder form which allows us to upload and build the GUI from an XML file


Also there is a sample available on the website at http://eaas.northpolechristmastown.com/XMLFile/Elfdata.xml

This is something how it looks like



Now I tried performing XXE Attacks, but failed


One blog post from SANS came useful to me , which is provided in the HINTS that got unlocked on solving terminal challenges.

https://pen-testing.sans.org/blog/2017/12/08/entity-inception-exploiting-iis-net-with-xxe-vulnerabilities

So we create two files

1. One containing the malicious xml code which we will upload xxepoc.xml. We can create this POC by looking at the XML Structure from the available XML code above.



2. One containing the malicious code which we will host evil.dtd

Okay so after this I uploaded the XML document and then looked at the apache access.log


However I cannot find any contents from the greatbook.txt. I tried many combination.

After failing multiple times I decided to have a look if anyone has solved this challenge or not, and interestingly I found one

https://duo.com/blog/sans-holiday-hack-2017-writeup

After doing the comparison of both our POC code, I found only one thing different.


The author is encoding % sendit with % sendit in the evil.dtd

I don't know the reason behind it as the 2nd occurrence of % is not encoded. However for the sake of solving it I tried to modify it and execute the payload and looked at the access.log file.

And guess what?  It worked !!!


I need to find the reason why it has to be done in this way and if you know the reason do comment in the section with the answer.

So following the url from the access.log we can find the 6th Page of the book






SANS HOLIDAY HACK 2017 : PART 6

If you have not read the 1st Part then read it here.

http://oxhat.blogspot.in/2018/01/sans-holiday-hack-2017-part-1.html

So this part is all about exploiting machines.Each challenge will lead us to a page of the Great Book that will answer our questions to who was the actual culprit behind hurling those massive snowballs.

Challenge

8) Fetch the letter to Santa from the North Pole Elf Database at http://edb.northpolechristmastown.com. Who wrote the letter?

On doing an nmap scan on  internal network using the compromised Alabaster's system, we can find the edb server


We will connect to Alabaster's machine again and use SSH Port forwarding to port 80 to get access to the web application.


Also we will edit our hosts file to make sure we can point at edb.northpolechristmastown.com


Now we can access the application


Once we do this we can try logging with alabaster's credentials, but it doesn't work.

Looking at the intercepted requests , we see that there is a session value in the cookie. My target is to steal the session cookie of the victim and replace our session value with it.

There is a client side simulation of a victim and we need to do a phishing attack.

This is the password reset page



There is an XSS filter working , so we  need to write a XSS Filter Evasion Payload to steal the cookie


So our payload for the attack is

Now we will try to send the forged password request to the victim


On successful exploitation, we can find the cookie of the victim in our access.log

At this point I tried changing the session value with the stolen cookie value but it did not work.

The source code at the home page revealed about one more juicy information. It seems the victim is storing np-auth token in the localstorage and also it checks if it is there it sends for validation. If successful it logs into the application.

Let's modify the XSS payload to steal the np-auth token.

After successful exploitation, we find the np-auth token

Now decoding the JWT Token it reveals us some information we need to log in and also to rectify the auth to make it valid , for example the expiry date.


So let us first try cracking the np-auth token, for this we can use one jwt-cracker


The jwt-cracker reveals that the Secret used to encode JWT token is 3lv3s

Now that we have all the information we need to do the following things

1. Modify the expiry date
2. Create a new np-auth token using the secret key
3. Add the np-auth token to our local storage

We will write a small piece of code to do the 1st two task in one shot !


Executing the program gives us the jwt token for our np-auth



For the next one we will open developer console and add the javascript code to store the generated np-auth value in the localStorge


After this we refresh the page , and bingo ! We are in !


Through the proxy tool we find UI models is fetched over an XML call which is then populated in the UI of the page.

Few points to note here from the code

1. We can search "beyond" the available option of ELF and Reindeer
2. To perform operation of administrator, an administrator password will be required

Now from the debug code we can understand that there is an LDAP application running


I tried searching with a well known reindeer information , Rudolph and then using blind injection techniques tried to figure out the password fields from it , and we found there was one field called userPassword which revealed the password in hashed form



So our final target should be writing an LDAP injection query that would allow me to bypass the query and allow me to search any data whose 'ou' can be anything that is *. Also one more thing we can assume from the message box that whenever i am trying to access Santa Panel , i am getting a notification, "You must be Claus to enter the Panel"

So I am using the gn value as "Claus" and ou = * 

On doing this request with input claus*)(ou=*))(&(gn=  and  modifying the request little bit by adding the password field, I can dump all the users information with hashed passwords.
Response


Our next step is to get the original value of the hashed password of Claus which is  001cookielips001




Now if we try to login with santas email and password , it wont work. Guess why ? Because we are logged into alabaster account by setting an np-auth token, so we need to generate one more auth token with Santa's information

Once we generate a new token using the department as 'administrator' and 'ou' as * and set it, on refreshing the browser we get a prompt. We need to provide the plaintext password here which we obtained by decryption of the hashed password.


And finally we can retrieve the letter





Sunday, 14 January 2018

SANS HOLIDAY HACK 2017 : PART 4

If you have not read the 1st Part then read it here.

http://oxhat.blogspot.in/2018/01/sans-holiday-hack-2017-part-1.html

So this part is all about exploiting machines.Each challenge will lead us to a page of the Great Book that will answer our questions to who was the actual culprit behind hurling those massive snowballs.


Challenge
4) Elf Web Access (EWA) is the preferred mailer for North Pole elves, available internally at http://mail.northpolechristmastown.com. What can you learn from The Great Book page found in an e-mail on that server?


Initial nmap scan revealed that the mail server is located at 10.142.0.5


Again using SSH Port forwarding technique we would connect to port 80, and add one entry in our host file so that it can resolve the dns.



And there we have it..


Initial discovery gave us a robot.txt file pointing to a file

User-agent: *
Disallow: /cookie.txt




Analyzing the algorithm, the password in encoded in base64 followed by using AES-256 algorithm. 

Lets choose any password that would create 16 bytes  'ABCDABCDABCDABCD'.

Base64 encoded => QUJDREFCQ0RBQkNEQUJDRA==

Now keeping this 16 bytes of  plaintext message into base64  message as ciphertext, using any key of any value will result it as an empty string, which you can verify using typeof() function.


Using the login error we can find enumerate the user or find the right combination to create the username.


 It seems alabaster_snowball@northpolechristmastown.com does not exists but alabaster.snowball@northpolechristmastown.com

Using the above derivation for finding username and password , we can edit the cookies in this manner using cookie manager we can modify the existing cookie value

Cookie: EWA={"name":"GUEST","plaintext":"","ciphertext":""}



If we refresh the page,we are in ! Bingo


One mail from inbox gave us the juicy information we need.


The fourth page of GreatBook is revealed finally



SANS HOLIDAY HACK 2017 : PART 3

If you have not read the 1st Part then read it here.

http://oxhat.blogspot.in/2018/01/sans-holiday-hack-2017-part-1.html

So this part is all about exploiting machines.Each challenge will lead us to a page of the Great Book that will answer our questions to who was the actual culprit behind hurling those massive snowballs.

Challenge 3:
3) The North Pole engineering team uses a Windows SMB server for sharing documentation and correspondence. Using your access to the Letters to Santa server, identify and enumerate the SMB file-sharing server. What is the file server share name?

In my previous post I showed you how we obtained the password for allabaster snowball. Now luckily the compromised machine had nmap installed in it. So we are going to scan the internal network and try to find the SMB File Share.





So IP address 10.142.0.7 belongs to the SMB Server.

As the hint says "Alabaster likes to keep life simple. He chooses a strong password, and sticks with it". we can try logging in 10.142.0.7 via SSH. Interestingly we succeed in logging in via SSH.

Now the problem is it has limited commands availability. Lets access the port 445 of 10.142.0.7 via port forwarding technique using SSH as 10.142.0.3 as the server using local port forwarding techniques.


Now we can try using smbclient to find the shares using Alabaster's username and password


Now that we found the share name we can try accessing the share. I also found the 3rd Page from the GreatBook here.


And there we have page3 from Great Book