Friday, 29 April 2016

Walkthrough Droopy v.02

Walkthrough Droopy v.02 :

In this post i shall outline the steps i followed to get root on Droopy hosted at vulnhub . https://www.vulnhub.com/entry/droopy-v02,143/.

From this post onwards i shall try to enlist all the useful links i used to compromise the box for posterity.

Detailed Steps to root :

A nmap scan of the box reveals that only port 80 is open and there seems to be a Drupal 7 website hosted.  After running nikto and dirbuster i decided to run a tool to enumerate CMS's. I know a good one exists for wordpress but surpisingly i could not find much for Drupal. I did come across a tool called CMSMap which according to this github page enumerates wordpress, drupal and joomla . I decided to give this a try to see any information it could reveal. Also i really wanted to be able to learn about Drupal enumeration tools and techniques.

Since the tool is not already built in Kali i decided to follow the github instructions and build it on my box.



The tool was quite good at enumerating the Drupal website and immediately tells us that the site is outdated and suffers from a known vulnerability "Drupal Vulnerable to SA-CORE-2014-005".

Seems like there exists a possibility of launching SQL injection attacks against the box. I decided to use an existing exploit against the box. The exploit https://www.exploit-db.com/exploits/34984/ helps to change the admin credentials on the backend site.



The exploit worked and now we have changed the admin credentials on the box. We now login to the box with credentials "admin:hello".

Once we are able to login to the box we are able to create additional posts/pages. Checking under the "Modules" tab i see that there is a plugin called "phpfilter" which can be enabled to allow php content to be executed on the webpage. This opens the possibility of executing some php reverse shell code by creating a webpage and executing the same via the webserver. Hence we try this approach. I use standard reverse shell from pentest monkey.




Once we get a reverse shell we see that the box is a 64bit ubuntu 14.04 box which is known to be vulnerable to local priv escaltion exploit https://www.exploit-db.com/exploits/37292/ We compile and run the exploit to get root on the box .


Also for completeness I must admit I could have also used a Metasploit module to get a shell but i wanted to avoid using metasploit as much as possible :0

Final Verdict :

Overall it was relatively easy box to pawn but fun nevertheless. Thanks for the creator to take time to create one . Keep up the good work "knightmare" .

Useful Links :

https://github.com/Dionach/CMSmap
https://www.drupal.org/SA-CORE-2014-005
https://www.exploit-db.com/exploits/37292/
https://www.rapid7.com/db/modules/exploit/multi/http/drupal_drupageddon

Wednesday, 13 April 2016

Z-wave protocol analysis using Ez-Wave

Background: Recently I was able to get my hands on a couple of IoT devices talking the propriety Z-wave protocol. Specifically I had 2 devices -

i) Z-Wave 3 in 1 PIR Motion sensor  which can detect movement, temperature and luminance.
ii) Z-Wave smart Energy Plug which can give information about the energy cosumption of the device connected to it. Also it can switch the device ON/OFF depending on the requests sent to it by a Z-Wave controller.

These devices are already deployed in many smart homes. Hence its important to analyze the security capabilities of these devices. This got me rolling and here is post about how to sniff Z-wave packets using SDR. It seems that the state of the art in pentesting any wireless comunnication protocol is by using these SDRs.

A detailed security assessment of Z-Wave protocol and Z-Wave enabled devices was presented at ShamooCon 2016 Breaking Bulbs Briskly by Bogus Broadcasts https://www.youtube.com/watch?v=IgquSEhAGvA by Joseph Hall and Ben Ramsey which details the how many Z-Wave device manufacturers disregard security and dont even encrypt the data exchanged between the Z-wave device and the Z-wave controller. This opens up possibilities of a range of attacks that can be launched on the Z-wave devices. They also release a open source tool to play around and sniff these packets called EZ-Wave . In this post i shall try to sniff some of the traffic generated by my Z-Wave devices.

EZ-wave Installation:

Install EZ-wave dependencies:

The instructions for installation are detailed on the github site @ https://github.com/AFITWiSec/EZ-Wave. However there are a number of software bundles that need to be installed especially the Gnu-radio which has a lot of dependencies. Hence instead of installing all these packages myself i used a linux distribution Pentoo Linux. (http://www.pentoo.ch/about). The advantage of using the Pentoo linux is that all the software requited for EZ-Wave installation such as GNU Radio, OsmocomSDR, HackRF host software, Wireshark etc  are all  pre-installed in the distro saving the time to install them manually.

The simplest way is to download the pentoo linux package from the downloads section of the site and then burn the image into a live USB stick. One important thing to note here is that Michael Ossmann (maker of HackRF) highly recommends in his "Introduction to SDR " tutorial (https://greatscottgadgets.com/sdr/) to not connect the HackRF to any virtual machine for performance reasons but to use it directly on the base OS.  Also on a side note if you are a newbie its highly recommended to go through at least his first tutorial where he introduces the SDR concepts  (https://greatscottgadgets.com/sdr/1/) and also the tutorial on HackRF usage. (https://greatscottgadgets.com/sdr/5/) .

We now boot from the live USB. (In case   you get an error like boot device not found press "Tab" on the keyboard and select pentoo5 OS or type it and press enter). The Pentoo linux should boot correctly. Launch an GUI using the "startx" command. In case there is no IP address allocated to the box just do a "dhcpcd eth0" to request an IP address.

Now to test that we have the HackRF software working correctly plugin the hackrf devices into the USB port and run the command "hackrf_info" . I use 2 Hackrfs since they are half-duplex and i wish to receive and transmit at the same time.


Install Scapy-Radio 

We can see that both our devices are correctly detected. Next we install the EZ-wave tool itself. We run the setup.sh script which clones the scapy framework
and then we install it.



I noticed that if you use pentoo linux then you dont need to worry about making changes to the gnu-radio config file.

Install Wireshark

We downloaded the source package for wireshark version 1.12.10 from https://www.wireshark.org/download/src/.  Copy the wireshark dissectors files to the wireshark-1.12.10/epan/dissectors. Wireshark by default tries to use Qt version5 for building the wireshark UI. This gave me errors so i choose to make my wireshark ui with gtk3. Hence its important to tell wireshark to use gtk3 library instead of qt5 libraries at the config stage. Hence our steps to build wireshark were



EZ-Wave Usage:

In order to sniff packets we start gnu-radio companion  and provide it as input the Zwave radio configuration file.

Select the Zwave.grc file to open in the gnuradio-companion

One important thing to take note of in the .grc file is the variable central frequency i.e center_freq . The European standard Z-wave devices ( which I have ) talk on 868.42 Mhz ( instead of the default central frequency hardcoded in the .grc file which is for the US Z-wave devices) and hence this variable needs to be changed to reflect the frequency of your device. To change the variable double click it and then key in the new value.

gnuradio-companion main window
After changing the .grc file we need to recompile the flow graph. Finally we can run it by pressing the play button on the top menu. (Also make sure that the python modules are in the python path environment variable else there may be some errors)

The HackRFs should now be able to pick up Z-wave packets in the vicinity. I forced the Z-wave device to send some packets by pressing the button on the device body. All the captured Z-wave packets are sent to localhost:52002 and can be seen using the wireshark and the new dissector. You can apply some filters like !icmp to remove the interrogation commands sent to the Z-wave devices.

Wireshark Z-wave packet capture

We can see the homid and nodeid of the captured Z-wave packet. The data exchanged between the Z-wave controller and the Z-wave device is also not encrypted.