Last summer I started learning about information security and hacking. During the last year I’ve played in numerous wargames, capture the flag and penetration testing simulations, constantly improving my hacking skills and learning new things about ‘how to make computers deviate from their expected behavior’.
Long story short, my experience was always limited to simulated environments, and since I consider myself a white-hat hacker (aka one of the good guys) I never stuck my nose into other people’s business, quite literally.
Until now. This will be a detailed story about how I hacked into a server which hosted 40 (that is a real number) websites, and my findings.
Note: Some prerequisite CS knowledge is required to follow through the technical parts of the article.
A friend messaged me that an XSS vulnerability was found on his website and that he wants me to take a further look.
This is an important stage, as I’m inclined to ask him to formally express that I have his permission to perform a full test on his web application and on the server hosting it.
The answer was positive.
In the rest of the post, I’ll be referring to my friend’s website as http://example.com.
The first move is always to enumerate and find as much information as you can about your enemy, while trying to alarm them as little as possible.
At this stage, we set off our timer and start scanning.
$ nmap --top-ports 1000 -T4 -sC example.com
Nmap scan report for example.com redacted
Host is up (0.077s latency).
rDNS record for redacted: redacted
Not shown: 972 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
|_ Potentially risky methods: TRACE
|_http-title: Victim Site
139/tcp open netbios-ssn
443/tcp open https
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
445/tcp open microsoft-ds
5901/tcp open vnc-1
| Protocol version: 3.8
| Security types:
|_ VNC Authentication (2)
8080/tcp open http-proxy
|_http-title: 400 Bad Request
8081/tcp open blackice-icecap
The scan completed in about two minutes.
That’s a lot of open ports! By observing that the FTP (port 21) and SMB (ports 139/445) ports are open we can guess that the server is used for file hosting and for file sharing, along with it being a webserver (ports 80/443 and proxies at 8080/8081).
Doing a UDP port scan and scanning more than the top 1000 ports would be considered if the above scan’s information was not enough. The only ports we’re allowed to interact with (without credentials) are 80/443.
Without wasting any time, I launch gobuster to enumerate any interesting files on the web server while I dig for information manually.
$ gobuster -u http://example.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100
Turns out the /admin path was an “admin tool” which allowed authenticated users to modify stuff on the web server. It required credentials and since we have neither a username nor a password we move on. (spoiler: gobuster didn’t find anything of value)
So far we’re about three minutes in. Nothing useful, yet.
Browsing to the website we see that it asks us to log in. No problem, we create an account with a dummy email, click the confirmation email and log in after a few seconds.
The website welcomes us and prompts us to navigate to our profile and update our profile picture. How kind.
Seeing that the website looks to be custom built, I’m inclined to test for an Unrestricted File Upload vulnerability. On my terminal I execute:
echo "" > exploit.php
I try uploading the “image”, and bingo! The uploader allows the exploit.php file to get uploaded. Of course, it has no thumbnail, but that means my file got uploaded somewhere.
Here we’d expect that the uploader does some kind of processing on the uploaded file, checks its file extension and replaces it with an accepted file extension like .jpeg or .jpg, in order to avoid remote code execution by an attacker uploading malicious code, like yours truly.
People care about security after all.
right? Right? …RIGHT?
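As an added example (not the site’s own code, which the post says is Perl), here is the kind of uploader check the paragraph above expects, written in Python: the file type is decided from its leading bytes rather than from the extension the client supplies, the stored name and extension are chosen server-side, and an audit helper flags non-image files already sitting in an upload directory. The temporary directory and the contents of the rejected file are constructed for the demo.

```python
import secrets
import tempfile
from pathlib import Path

# Leading bytes of the accepted image formats; the type is decided from content,
# so a script renamed to .jpg is rejected regardless of its extension.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def sniff_image_type(data: bytes):
    """Return 'jpg', 'png' or 'gif' from the leading bytes, else None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None

def store_upload(data: bytes, upload_dir: Path) -> Path:
    """Validate an upload by content and store it under a random name whose
    extension comes from the detected type, never from the client filename."""
    ext = sniff_image_type(data)
    if ext is None:
        raise ValueError("not an accepted image type")
    upload_dir.mkdir(parents=True, exist_ok=True)
    dest = upload_dir / f"{secrets.token_hex(16)}.{ext}"
    dest.write_bytes(data)  # serve this directory with script execution disabled
    return dest

def audit_upload_dir(upload_dir: Path) -> list:
    """Names of files in an existing upload directory whose content is not an
    accepted image, i.e. anything a weaker uploader may have let through."""
    return sorted(p.name for p in upload_dir.iterdir()
                  if p.is_file() and sniff_image_type(p.read_bytes()[:8]) is None)

def demo() -> dict:
    """Constructed scenario: a JPEG header is stored, a PHP file is rejected,
    and a pre-existing 'exploit.php' in the directory is flagged by the audit."""
    d = Path(tempfile.mkdtemp())
    (d / "exploit.php").write_bytes(b"<?php echo 'not an image'; ?>")
    stored = store_upload(b"\xff\xd8\xff\xe0" + b"\x00" * 16, d)
    try:
        store_upload(b"<?php echo 'not an image'; ?>", d)
        rejected = False
    except ValueError:
        rejected = True
    return {"stored_ext": stored.suffix, "rejected": rejected,
            "audit": audit_upload_dir(d)}
```

Content sniffing alone is not a complete defence (an image with a script appended still passes), which is why the upload directory must also be served with script execution off.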
`Copy image address` results in the following URL being copied to our clipboard:
So it seems we have our webshell ready and functioning:
Seeing that the webserver runs perl scripts (really, perl?) we grab a perl reverse shell from our favourite cheatsheet, set the IP/port and we’re rewarded with a low-privileged shell (sorry, no screenshot).
~5 minutes into the assessment, and we already have a low-privilege shell.
To my huge surprise, the server was not hosting just one website, but 40 different ones. Unfortunately I haven’t kept screenshots of every single detail but the output was along the lines of:
$ ls /var/www
access.log site1/ site2/ site3/ … the list goes on
You get the point. Surprisingly, read access to ALL the hosted websites was available, which meant I could read all the sites’ backend code. I limited myself to example.com’s code.
Notably, inside the cgi-admin/pages directory, all the perl scripts were connecting to a mysql database as root. The credentials for the database were there in cleartext. Let these be root:pwned42
Sure enough, the server was running MariaDB and I had to resort to this issue before being able to access the database. Afterwards, we execute:
mysql -u root -p -h localhost victimdbname
And we’re in the database with root privileges.
After just seven minutes, we have full read/write access to the contents of 35(!) databases.
Here I’m morally obligated to stop and disclose my findings so far. The potential damage is already huge.
What an attacker could do
Dump the contents of all the databases, as described here, resulting in the data of all 35 companies being leaked into the public domain.
Drop all the databases, effectively deleting the data of the 35 companies
Leave a backdoor for persistent access as apache with a cronjob, as described here, in case they want a return trip.
I should note here that the mysql process was running as root so I figured I’d try executing \! whoami from the mysql client in hopes of getting root. Unfortunately, I was still apache.
Time to take a break. Stop the timer.
What can further go wrong?
After disclosing my findings, I get further permission to dig deeper.
Before looking into ways to escalate my privileges to root and be able to cause huge potential damage, I was looking at what other interesting files I could read with my limited user.
At that point, I remembered the open SMB ports. That meant that there should be some folder somewhere that’s being shared in the system among users.
After a little enumeration, the following appears in the directory /home/samba/secured (please excuse me for the mass censorship):
Inside all of those directories, there were files of every user of the hosting company. That included all kinds of sensitive data, among others:
.psd/.ai files (Designers know how important it is to keep these private, it’s their work and their methods after all)
Cookie sqlite files
Pirated e-books (chuckled when I saw this)
Credentials to their WiFi SSIDs
What an attacker could do
Camp outside the company’s offices, log in to their intranet and perform all kinds of fun attacks you can do on local networks
Dump all the sensitive data listed above to the public domain
It took some time to go through the folders and realize how serious this issue is. Another break.
The final blow
After looking around for a little longer as apache I decide it’s time to go for the big fish, namely root access. I refer to a popular cheatsheet and start enumerating the system for interesting files.
Due to my digging so far I had already gone through most of these methods and didn’t seem to be able to find something that would improve my foothold.
That’s when it hit me. In the Capture the Flag challenges that I’m used to playing, the operating system is usually patched and it’s some intentionally misconfigured service that eventually gives you the sought-after root privilege. In the real world however, people don’t patch.
I mean, look at Equifax (couldn’t resist).
What kind of Linux is the server running?
$ cat /etc/issue
CentOS Linux release 7.2.1511 (Core)
What version is the kernel?
This looks like an old kernel version.
Does this remind you of something? If not, have a read here (hint: it’s VERY serious)
I found this blogpost which pointed me to test if the kernel was vulnerable with the script found here.
I immediately wrote an email fully disclosing the details and potential impact of every step as described above, and wrapped up the night. Whew.
What an attacker could do
Read/modify ALL files on the server
Leave a persistent backdoor (as done with apache)
Install and possibly spread malware into the server’s intranet
Install ransomware (taking the databases of 35 companies and all the hosting company’s data hostage is no small thing)
Use the server as a cryptocurrency miner
Use the server as a proxy
Use the server as a C2 (command and control) server
Use the server as part of a botnet
… (use your imagination)
rm -rf / (not even joking)
The next day, I got contacted by my friend (who got in touch with the company running the server) and was informed that the bug in the file uploader was fixed.
Summarizing, we found:
A web application with an Unrestricted File Upload vulnerability, which led to a low privilege shell.
Credentials to the mysql database, which led to read/write access to 35 databases
Lots of readable sensitive files
Finally, we abused an unpatched kernel to obtain root access.
Let’s start with the uploader which gave us our initial foothold. Since the whole web application’s backend was written in perl, and as I don’t speak perl, I can not really suggest fixes on that.
One fix I’d suggest would be to not use perl in 2017, but that’s just my opinion, feel free to prove me wrong.
Regarding the filesystem, I recommend taking great care in assigning proper file permissions for users, according to the principle of least privilege. That way, even if a low privileged user like apache gets access, they are not able to read any sensitive files.
Running all websites on the same server is a bad idea, I’m not sure if a dockerized approach would solve the issue.
Having the same credentials for all databases is for sure a bad idea.
Single points of failure are not good to have.
Finally, PATCH EVERYTHING. It’s literally one command: su -c 'yum update' (CentOS specific)
Thanks for reading and for making it till here, sorry for the long post. I wanted to be thorough, this was one serious situation.
This story is republished from Hacker Noon: the destination for where hackers start their afternoons.