Complex Attack Types: Sample Scenarios 27
The most important feature of this article, in which we focus on a clear target and combine several principles, is learning how a specific document format can be used to move into another system.
Along the way we also exercise some of our DFIR capabilities. You may notice that the IP addresses change from time to time; ignore that, as different machines are used as we progress. The methodology is the same throughout.
Let’s start, cyberpunks!
First, let's take the steps we always take to get started. After saving the target IP and the wordlist location as shell variables, we define the target in local DNS (the hosts file).
Let's send a standard ping and check that we get an ICMP echo reply.
Everything seems fine. We can move on to the next step.
Using Nmap to get to know the target network and machine better and to discover open ports is an important step in building our attack scenario: nmap -sC -sV -oN nmap_result.txt -Pn -T4 -A --script=vuln $target_ip
- -sC: Default scripts. Runs nmap's default script set, which performs tasks such as further service enumeration and basic vulnerability checks.
- -sV: Service version detection. Probes open ports to determine which service and version are running.
- -oN nmap_result.txt: Normal output. Saves the scan results in nmap's normal (human-readable) format to the specified file (nmap_result.txt).
- -Pn: No ping. Skips host discovery, so nmap does not try to ping the target before scanning. Useful for hosts that do not answer ICMP echo requests.
- -T4: Timing template 4 (aggressive). Speeds up the scan by reducing the wait times between probes.
- -A: Aggressive scan options. Enables OS detection, version detection, default script scanning and traceroute (so -sC and -sV are already implied by -A; listing them again is harmless).
- --script=vuln: Vulnerability scripts. Runs the nmap scripts in the vuln category, which check the target for known vulnerabilities.
You are familiar with this command, but be patient: the vuln scripts take a while, and the output is worth the wait.
We get a lot of important information. Several critical services and ports are open:
- 22 : SSH — OpenSSH 7.2p2
- 25 : SMTP — Postfix SMTPD
- 80 : HTTP — Apache HTTPD 2.4.18
- 389 : LDAP — OpenLDAP 2.2.X - 2.3.X
- 443 : HTTPS — Apache HTTPD 2.4.18
As mentioned above, we also have version information. You can research exploits for these versions and considerably expand your attack surface. The nmap vuln scripts also report advisory CVE numbers in their output; it is recommended that you review them.
Let's give an example of how to do exploit research.
As you can see, you can research the target version with this method and apply the appropriate approach in your own attack scenario.
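As an added example (not code from the original write-up), the following Python script turns an nmap normal-output (-oN) file into a service list and then builds one "product version" query per open, versioned service, which is the string you would feed to a tool such as searchsploit for the exploit research described above. The sample scan text is constructed here to mirror the port list on this page; it is not the author's actual scan output, and the host name and latency in it are placeholders.

```python
import re

# Constructed sample in nmap's normal (-oN) output format, mirroring the
# services listed on the page. Not the author's real scan output.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for ourtargetsite.thm
Host is up (0.045s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
25/tcp   open     smtp       Postfix smtpd
80/tcp   open     http       Apache httpd 2.4.18 ((Ubuntu))
389/tcp  open     ldap       OpenLDAP 2.2.X - 2.3.X
443/tcp  open     ssl/http   Apache httpd 2.4.18 ((Ubuntu))
8080/tcp filtered http-proxy
Service Info: Host: ourtargetsite.thm; OS: Linux
"""

# A port line: "<port>/<proto>  <state>  <service>  [<version text>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")
# First token run before the first version-looking token, e.g. "OpenSSH" + "7.2p2"
PRODUCT_VERSION = re.compile(r"^(.+?)\s+(\d[\w.]*)")


def parse_nmap_normal(text):
    """Parse -oN output into a list of dicts, one per port line (any state)."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # headers, host lines, "Not shown", Service Info, script output
        port, proto, state, name, version = m.groups()
        services.append({"port": int(port), "proto": proto, "state": state,
                         "service": name, "version": version or ""})
    return services


def product_version(version_string):
    """Split 'Apache httpd 2.4.18 ((Ubuntu))' into ('Apache httpd', '2.4.18').
    When no version-looking token exists, the whole string is the product."""
    m = PRODUCT_VERSION.match(version_string)
    if m:
        return m.group(1), m.group(2)
    return version_string, ""


def exploit_queries(services):
    """Deduplicated search strings for open ports that reported a banner."""
    queries = []
    for s in services:
        if s["state"] != "open" or not s["version"]:
            continue  # nothing to research on filtered/closed or banner-less ports
        product, ver = product_version(s["version"])
        q = ("%s %s" % (product, ver)).strip()
        if q not in queries:
            queries.append(q)
    return queries


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    for q in exploit_queries(parse_nmap_normal(text)):
        print("searchsploit %s" % q)
```

Run it against nmap_result.txt to get one searchsploit line per service; the 443 entry collapses into the port 80 query because both report the same Apache build, and the filtered 8080 port is skipped.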
Now we move on to enumerating other paths on the web server: gobuster dir -u ourtargetsite.thm -w /usr/share/wordlists/dirb/common.txt -r --random-agent
This command finds unlinked pages and other stored content (-r follows redirects, --random-agent rotates the User-Agent header).
Yes, there are paths that return HTTP 200. And there is a potential .php file that we may be able to use.
Check it.
We discovered an application page. Note it; we will need to come back here.
It looks like a company in the chemistry industry. A brute-force attempt against the login form is an option here; add it as a note to the attack plan.
Now we need to take a look at the home page.
Interesting... there seems to be a puzzle here. The same page content can also be fetched with curl: curl -s http://ourtargetsite.thm
These are the element symbols: Ag, Hg, Ta, Sb, Po, Pd, Hg, Pt, Lr
There is a puzzle here and we are expected to solve it. The layout of the image recalls a periodic table, so the theory to test is that each symbol stands for its atomic number.
Reference this periodic table.
Let's continue by taking the atomic number of each element and start the test.
For example:
- Ag = 47
- Hg = 80
- Ta = 73
...
Here is the full sequence: 47, 80, 73, 51, 84, 46, 80, 78, 103.
We can use Python's built-in chr() function to turn each number into its ASCII character:
python3 -c "print(''.join([chr(i) for i in [47, 80, 73, 51, 84, 46, 80, 78, 103]]))"
Yes, our theory holds! The result is /PI3T.PNg: a hidden page, and it is a PNG.
Check it.
In such cases, the next theory is that something is hidden in the page source.
There is not much detail there. We need another clever idea.
It's time to download the image to our local machine and use our DFIR capabilities.
Let’s use the exiftool tool and take a look: exiftool PI3T.PNg
We get the creation date and the creator name. Perhaps this will let us generate candidate usernames and obtain an SSH login. In such cases, every detail you obtain is worth gold.
Our focus: Piet Mondrian
As you research this name, you come across another interesting detail. You can use this resource: http://www.ibiblio.org/wm/paint/auth/mondrian/
Piet Mondrian was a Dutch painter and theoretician who is widely regarded as one of the greatest artists of the 20th century. Born on March 7, 1872, in Amersfoort, Netherlands, and died on February 1, 1944, in New York City, he is best known for his contributions to the De Stijl art movement, which he co-founded with Theo van Doesburg. Mondrian’s work is characterized by a highly abstract, geometric style, featuring a grid of vertical and horizontal black lines and the use of primary colors. This style is often referred to as “neoplasticism.”
What about the Piet programming language? It is named after the painter, and it fits a PNG made of colored blocks.
In Piet, programs are written with colored blocks instead of text. The flow of the program is controlled by the arrangement of the blocks and the color transitions between them. The basic unit is called a "codel," a single block of color. The language uses 18 colors (six hues in three lightness levels) plus white and black, and the hue and lightness change between adjacent blocks encodes each command. Execution is driven by a pointer that moves through the image, changing direction when it meets an edge or a black block.
This is more plausible. We can continue with this methodology.
Add this site to your list for PIET execution: https://www.bertnase.de/npiet/npiet-execute.php
We need GIMP (GNU Image Manipulation Program) on our Kali machine. GIMP is a free, open-source raster graphics editor available on Kali Linux and many other operating systems, widely used for photo retouching, image editing and image composition.
Install it: apt-get install gimp
Then open the program, load the image and export it as PPM.
Choose the "Raw" option and then click "Export". Keep the image at its original size: scaling or smoothing introduces colors that are not part of Piet's palette and breaks the program.
If you prefer a local interpreter, follow the steps below. Fetch the decoder: git clone https://github.com/gleitz/npiet.git
The instructions advise running ./configure
Then just run make
Then run the interpreter against the PPM: ./npiet /root/PI3T.ppm
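The GIMP export step above can also be done in a few lines of stdlib Python, which is handy on a box without a desktop. This is an added example, not code from the write-up or from the npiet project: it decodes an 8-bit RGB or RGBA, non-interlaced PNG (the kind GIMP and typical CTF images produce), writes the binary "Raw" PPM (P6) that npiet reads, and reports any pixel colors outside Piet's 20-color palette, which is the usual reason an exported image refuses to run. Other PNG variants raise ValueError rather than producing a wrong image. The script name png2ppm.py in the usage comment is my own.

```python
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Piet's 18 hue/lightness colours plus white and black, as (r, g, b).
PIET_PALETTE = {
    (0xFF, 0xC0, 0xC0), (0xFF, 0xFF, 0xC0), (0xC0, 0xFF, 0xC0), (0xC0, 0xFF, 0xFF), (0xC0, 0xC0, 0xFF), (0xFF, 0xC0, 0xFF),
    (0xFF, 0x00, 0x00), (0xFF, 0xFF, 0x00), (0x00, 0xFF, 0x00), (0x00, 0xFF, 0xFF), (0x00, 0x00, 0xFF), (0xFF, 0x00, 0xFF),
    (0xC0, 0x00, 0x00), (0xC0, 0xC0, 0x00), (0x00, 0xC0, 0x00), (0x00, 0xC0, 0xC0), (0x00, 0x00, 0xC0), (0xC0, 0x00, 0xC0),
    (0xFF, 0xFF, 0xFF), (0x00, 0x00, 0x00),
}


def _paeth(a, b, c):
    """PNG Paeth predictor (scanline filter type 4)."""
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c


def decode_png(data):
    """Return (width, height, rows); rows is a list of rows of (r, g, b) tuples."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos, idat, width, height, channels = 8, b"", 0, 0, 0
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in %r chunk" % ctype)
        if ctype == b"IHDR":
            width, height, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", body)
            if depth != 8 or colour not in (2, 6) or interlace != 0:
                raise ValueError("unsupported PNG: depth=%d colour=%d interlace=%d" % (depth, colour, interlace))
            channels = 3 if colour == 2 else 4
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
        pos += 12 + length
    if not channels:
        raise ValueError("missing IHDR chunk")
    raw = zlib.decompress(idat)
    stride = width * channels
    prev, rows, off = bytearray(stride), [], 0
    for _ in range(height):
        ftype, line = raw[off], bytearray(raw[off + 1:off + 1 + stride])
        off += 1 + stride
        for i in range(stride):  # undo the per-scanline filter in place, left to right
            a = line[i - channels] if i >= channels else 0  # byte to the left (already reconstructed)
            b = prev[i]                                     # byte above
            c = prev[i - channels] if i >= channels else 0  # byte above-left
            if ftype == 1:
                line[i] = (line[i] + a) & 0xFF
            elif ftype == 2:
                line[i] = (line[i] + b) & 0xFF
            elif ftype == 3:
                line[i] = (line[i] + ((a + b) >> 1)) & 0xFF
            elif ftype == 4:
                line[i] = (line[i] + _paeth(a, b, c)) & 0xFF
            elif ftype != 0:
                raise ValueError("bad filter type %d" % ftype)
        rows.append([tuple(line[i:i + 3]) for i in range(0, stride, channels)])  # drops alpha
        prev = line
    return width, height, rows


def to_ppm(width, height, rows):
    """Serialize rows of (r, g, b) tuples as binary PPM (P6): GIMP's 'Raw' export format."""
    header = b"P6\n%d %d\n255\n" % (width, height)
    return header + b"".join(bytes(c for px in row for c in px) for row in rows)


def off_palette(rows):
    """Colours present in the image that Piet does not define; empty for a clean program."""
    return {px for row in rows for px in row if px not in PIET_PALETTE}


def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def encode_png(width, height, rows):
    """Minimal RGB PNG writer (filter 0 on every row), used to build self-contained test images."""
    raw = b"".join(b"\x00" + bytes(c for px in row for c in px) for row in rows)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


if __name__ == "__main__":  # usage: python3 png2ppm.py PI3T.PNg PI3T.ppm
    with open(sys.argv[1], "rb") as f:
        w, h, px = decode_png(f.read())
    bad = off_palette(px)
    if bad:
        print("warning: %d non-Piet colours, e.g. %s" % (len(bad), sorted(bad)[:3]), file=sys.stderr)
    with open(sys.argv[2], "wb") as f:
        f.write(to_ppm(w, h, px))
```

If the warning fires, the image was resampled or saved with anti-aliasing somewhere along the way; go back to the original download rather than feeding the PPM to npiet, because a single off-palette codel changes the program's control flow.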
The interpreter prints credentials that look like: nagi***%n3p3UQ&9BjLp4$****osadmin%n3p3UQ&9BjLp4$7uhW***giosadmin
Remember the login page we noted earlier; you can log in there now.
Apart from this, we can follow another route: investigate known exploits first.
Nagios XI before 5.6.6 allows remote command execution as root.
The CVE assigned to this is CVE-2019-15949: https://www.cvedetails.com/vulnerability-list/vendor_id-1424/Nagios.html
The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root.
It is an authenticated RCE vulnerability, which is why the credentials recovered from the Piet program matter.
Let's try it with Metasploit: msfconsole -q
Then search: search CVE-2019-15949
We will use exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce
Set the target host, the username and password recovered above, and your listener address, then run the exploit.
Yes, the session opens and we are inside.
Now let's stabilize the reverse shell we received: python -c 'import pty; pty.spawn("/bin/sh")' (use python3 if python is not installed on the target).
Let's check which user we are running as.
As you can see, we already have root permission: the payload ran through the passwordless sudo chain described in the advisory, so no separate privilege escalation is needed.
That is it!
Don’t give up on hacking.
Code for good.
^-^