Pwning Red Team Toys: CrunchRAT RCE
Breaking red team toys is a fun game. Usually it’s the red team who are ruining everyone else’s day, so why not give them a little something back?
Anyways, I was scrolling through the Githubs when I came across this CrunchRAT thing by t3ntman. Looked interesting. A neat little implant for use on red team engagements. It uses PHP/MySQL for the C&C panel, and the implant itself is in C#.
So, I decided to take a look at the PHP code first. It uses PDO, which is great, prevents all the nasty SQL injections. It also specifies in the readme file the following…
Obviously, it would be a Pretty Bad Idea to allow random crap to be uploaded to your webroot. I had a funny feeling though, so I decided to take a look at “update.php” in the specific bit for accepting uploads from implanted hosts…
Ok. So we know the following:
- $downloadsPath is not gonna be in the webroot, assuming you didn’t massively fuck things up.
- We control $hostname variable and the name/extension/content of the uploaded file.
- We can hit this with no auth whatsoever, we just have to vaguely look like an implant beaconing home.
Now, for the more astute in the audience, you probably see where this is all going…
If we can find somewhere to write to in the webroot, we can use directory traversal in the $hostname parameter to traverse out of the nice, safe, NOT IN WEBROOT directory untrusted implant uploads get shoved into, and drop a nice webshell into the webroot. Lovely.
So, it just so happens that the setup script provided creates a “/var/www/html/uploads” directory writable by the apache user — so trusted users can upload files to drop onto the implanted hosts.
Yeah. You know what happens next…
You can acquire the exploit in the usual place.
Anyway, what did we learn from this? Well, we learned a few things…
- “Safe” upload directories… Aren’t.
- Red team folks write tools that are fun to audit.
- It’s really worthwhile examining other security folks’ code from a security angle.
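One way to keep an implant-supplied `$hostname` and file name inside `$downloadsPath`, as an added example (this is not CrunchRAT's code, and not its actual fix). The helper name `safeUploadPath`, the length limits and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: build the destination for an implant upload, or throw
// if the unauthenticated request tries to steer the write somewhere else.
function safeUploadPath(string $downloadsPath, string $hostname, string $clientName): string
{
    // Allow-list the hostname: letters, digits, hyphen. No dots, no slashes,
    // so "../" can never appear in the directory component.
    if (!preg_match('/\A[A-Za-z0-9-]{1,63}\z/', $hostname)) {
        throw new InvalidArgumentException('hostname rejected');
    }
    // Drop any directory part the client sent (both separators), then
    // allow-list what is left. A bare "." or ".." fails the first-char rule.
    $name = basename(str_replace('\\', '/', $clientName));
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $name)) {
        throw new InvalidArgumentException('file name rejected');
    }
    $base = realpath($downloadsPath);
    if ($base === false) {
        throw new RuntimeException('downloads path does not exist');
    }
    $dir = $base . DIRECTORY_SEPARATOR . $hostname;
    if (!is_dir($dir) && !mkdir($dir, 0750)) {
        throw new RuntimeException('cannot create host directory');
    }
    // Defence in depth: resolve symlinks and confirm the directory is still
    // underneath the downloads root before anything is written.
    $real = realpath($dir);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('resolved path escapes downloads root');
    }
    return $real . DIRECTORY_SEPARATOR . $name;
}

// Constructed inputs: one ordinary beacon upload and three hostile ones.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'downloads_demo_' . bin2hex(random_bytes(4));
mkdir($base, 0750);
$cases = [['WS-FINANCE-01', 'report.txt'], ['../../outside', 'x.txt'],
          ['WS01', '..'], ['WS01', '../../nested/name.txt']];
foreach ($cases as [$h, $f]) {
    try {
        echo 'stored at: ', safeUploadPath($base, $h, $f), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected ($h, $f): ", $e->getMessage(), PHP_EOL;
    }
}
```

In a real handler the returned path would be the target of `move_uploaded_file()`, and the endpoint would still need to authenticate the implant before accepting anything.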
TL;DR: Audit thy own toolings.