Transcript
Filipi Pires: This is Filipi Pires. We’ll talk about pivoting in a Docker environment and exploitation.
I am a security researcher at senhasegura. Senhasegura, a global company that provides privileged access management (PAM) products, is my employer. I support Hacking Is NOT a Crime. Hacking Is Not a Crime is an amazing project that started in the U.S. but has many supporters around the globe. This project aims to raise awareness about hacking. This concept refers to when you use your creative mind and your knowledge to help companies. It’s not a hacker when you think about leaks, information exposure, and ransomware. It is a threat actor. It is an attacker. It’s a cybercriminal. Hacking is a way to use your creative mind in technology. It depends on the area you work in. When you use your creative mind, hacking is a concept. I’m part of the coordinating group of the DEFCON Groups in Sao Paulo. I’m an instructor for HackerSec. It’s a Brazilian company that offers training. I’m the instructor of the malware analysis course. This particular course is in Portuguese. I am an instructor, writer, reviewer, and editor of these three magazines in Europe. I am an instructor for the malware attack types course using the kill chain methodology in English.
What is Pentesting?
I’d like to briefly explain what pentesting is, and when you can use these techniques in pentesting. Pentesting is a simple term. It’s when you execute a similar attack. It simulates the real attacks by the same threat actors and attackers seen in different companies. It basically involves security professionals who simulate some exploitations. The simulation of real-world attacks is used to determine the attacker’s method or strategy.
Types/Services – Pentesting
The black box contains types and/or details about pentests. It’s very similar when we talk about cyber-criminals. You only have information about the company name, Filipi Company. Then you need to take some steps like reconnaissance steps. You will need to search the internet for this company. You will need to search GitHub for possible credentials about certain projects. However, you don’t know anything about the infrastructure or the IP address. They can use the cloud environment, but they must have some on-premises. If they have, for instance, infrastructure as code. You don’t have any information about the company. You only know the name of the company. It is the basic definition of the black box.
It’s different when you talk about the white box. It’s a different approach. You have one in the finite method, or another approach designed to perform this task. You have some code that you can use inside the company. Or when you know something about the infrastructure, or a specific range. You are familiar with the architecture. You can tell when there is a specific scope. It is a defined scope.
There are two options when it comes to the gray box. One is similar to the mixture of the white and black boxes. For example, the gray box contains the company name. You know some information but have another specific. You can use this scoping for any of these types of pentesting. What is the exact object you are testing? The gray box is a way to talk about the internal environment. You’re using the same mix that you used in code review and in some applications. Sometimes, the strategies come from outside the company.
Execute Pentesting
Let me run this pentest. It is a test that I did in 2020, during which I was involved in Hack The Box. Hack The Box allows us to perform penetration tests or simulate penetration tests. This test is executed on a machine that is not available for execution. This is the explanation of the penetration test techniques. This is the basic idea. It is essential that you do some scanning. Usually, an attacker has an IP address or host. In this case, I have the address. However, I could register the domain. In this particular case, I have the IP number. I scan the network to determine if there are any services or ports that are being used. It doesn’t matter if it’s a regular port or not. What are the services? If I can find any information about the services running in this application, it is possible to identify Apache, NGINX, and Tomcat. This scan is the first. Then I set the IP address on the internet because I knew that this application was a web-based application when I performed this scan. I put here in my domain. I was able to see more information about my blog and the website. I was able to see several pages. I placed the mouse cursor above the words to see if there were any redirections. This is extremely important.
The blog is another page, or many pages, within this application. Sometimes, you may have some articles within this. This section of the web site can sometimes be used for SQL injection or cross-site Scripting. I see the information about Facebook and Twitter as well as Google pages. I use the mouse to see if there are any redirections. Another important page is about contact. You can see that you may have the contact form at times. It’s a good idea to use this form to execute SQL injection, cross site scripting, or any other techniques. It’s helpful to see how professionals conduct penetration tests.
This is the first response I received from the Nmap scan. We found OpenSSH on port 22, and port 80 using HTTP and Apache. You can see that the version and server is Ubuntu. Another web service is running in a similar environment. It’s another port. When I click here, I try to open the application. Let’s take a look at the results. I put the port 8080. It is Apache Tomcat. This page has open authentications. It’s very close. Misconfiguration is the main vulnerability. There have been many instances when security personnel or developers used incorrect spellings to describe these applications. The professional or individual didn’t follow the recommended security procedures. We are using the username and password in their entirety. Look at what happened. Are we putting admin and admin paths? I can access the web page. This is another page within the same environment. I don’t know where I am so I only have access to one. This is the first IP address. It is 10.10.10.101. One server is in the 80 port and another in the 8080 port. Perhaps I can have them both on the same server. I don’t really know. I’m investigating.
This could be an advertisement company. I can upload images. Again, I’m looking at pages, about us, and services. Have a look at the things I found. I can upload something. This is a crucial point when discussing penetration testing. Sometimes, if you find an upload part of the applications it means you can upload something on the server side. If you are able to upload something on the server side, you might be able to use techniques such as a file upload to try and gain remote access to this web site. This is where you have found uploads. This is usually when penetration testers perform this test. Usually they like to see about this, and to use this vulnerability. We can upload only the image or the Zip file. There are two options to upload this. I cannot upload the PHP, for example, because I don’t know if I have any PHP or another programming languages here. This is a portfolio site. Another option is contact. You might find some form that will allow me to explore more about this. I can conduct some tests. These penetration tests can be used to explore many options.
Next, you will need to use WFuzz tools. It’s a web-fuzzing tool. It can be used to do some fuzzing. I will use it to find new directories that I have not found. For example, if a domain is registered, such as affiliate.com, I can use it to check if I find a subdomain. Sometimes subdomains can be found during penetration tests. Let me continue. Let me check this, ok, WFuzz -w, just so we can set the word list we will use here in this case. We are using DirBuster’s word list. In this case, it is another fuzzing instrument. I set the IP address here, and it starts at high end channel, because I want to see these results, 404. You can’t connect it because it means that you don’t have this page in your website. I found other directories on the web server. I found the image, archive, upload, users and CSS.
Let me verify that I found the information you are looking for in this directory. You can see what I found here. It is forbidden. This page is located inside this website. We can access the directory from the web application but I don’t know how to access it. This is different when we talk about the 404. It means that you don’t have the page in the web server. The results will differ depending on whether you are using the web page or the web application. You will also see other common misconfigurations. Here you can see the version of the server. This server runs Apache. The specific version of Apache is running on this web server (in this case, 2.4.29). Another option is to grab the information and then put it on the Internet to search for exploits from this particular version. Another option is Ubuntu. It’s a Unix platform Server. If you think about attackers, that is how they see it.
Let’s look at archives, another folder. To find out more about a particular folder, you can use uploads and users. Let’s now see what we have. The image has been added. You can take a look at the image. I don’t have access. That’s why I made a recording to make it easy to explore. You can see that I put users; I found here a page from the support team, Aogiri tree Members login. It’s a web site from this guy. I tried using the same login, admin admin, and [inaudible 00:15:06] the logins. I used root, root again to resolve the problem. Invalid login is also an option. I have more information I can explore.
I prefer to use multiple tools when I’m performing tests. In this instance, WFuzz is what I am using, but I also like to use DirBuster and other tools. Here is DirBuster’s result. As you can see, there were directories that were found during testing. This directory includes images, archives, uploads and users. As you can see, I also found another directory and users. I found other things, such as index, blogs, contacts. These are all things I have seen in the web application. I found here the secret.php. Let’s look at what we can find on this page. Have a look at it. This is a possible conversation regarding the support team. Look at that, Aogiri tree secret chat. We have an application that users can access, but we don’t have the username and password. We can see that this conversation has some PrintScreen. This is likely to happen occasionally, I’m supposing, for audit logs. The chat is currently unavailable.
It’s an interesting conversation. Here are four users: Tatara, Noro, Kaneki and Eto. Let’s take another look at the conversation. Kaneki, for example, is telling Tatara that remote code execution may have occurred in the environment. Tatara needs to investigate further because they discovered some user.txt within the desktop. This is a quick rule. If you play Hack The Box, you might try to put this user.txt in a flag. This is a rapid rule, so it’s not considered a flag. It’s a simple conversation with the user and some bio that the user found within the environment. It’s impossible to access our server. However, before CCG attempts, I will inspect the IP logs and eat them. Noro may be responsible for network security. They probably have access to all IP addresses and can investigate more. Noro tells Kaneki that she needed access to remote servers. This is a fascinating request for Kaneki from Noro. Probably Kaneki has some privileges. Why? You can see that Noro requested access to the remote server. ILoveTouka is the first to respond. They request access. We can see Kaneki gives us the password.
Filipi, how do I know that it is a password for my account? Because I investigate. Here’s a spoiler. Kaneki then tells Eto that Eto started the X servers. He wants to connect to the WordPress server and update it. So, some actions are needed to update the information. It’s a crucial conversation. It’s common for penetration testers to be able to think more about what they are doing when they are executing something.
Demo – Giving Access Inside the Environment
Let’s see another demo. This is the key point. First, I created a PHP file to explore the file upload. Then, I used another vulnerability called command execution. I first created this shell PHP to gain access. However, while I was doing this investigation, I realized that there was another vulnerability called command execution. This can be used as a Zip file to explore virtual machines. This is the vulnerability. Zip Slip is a widely-known critical vulnerability in archive extraction. It allows attackers to create arbitrary files on the system and can often result in remote code execution. This is the idea of this exploitation.
I needed to create a file to upload into the virtual machine. That’s how it works. Then, I can set a traversal of this vulnerability so that I can explore the virtual machine in multiple ways. First, I had to upload the file inside the virtual machine. This is the exploitation. Take a look at traversal bat exploitation. That’s it. Next, I need to find an exploit or create one. I found evilarc.py which is a python exploit that I can use in this instance. Here I can see Python 2.7. I call the script in Python and then I choose my shell.php. I chose system operations, in this instance Unix. I set the path so that I can upload this file, inside the virtual machine, when I explore it. I set the file and create some evil.zip.
I will upload my shell to the root of the webpage, var/www/html. If I have the access, and if the Zip Slip is present, I could upload my shell inside that page. I now have my shell here and can execute some commands from the browser. I set ifconfig so that it would see the IP address. We can see that we have another IP address, 172. In this instance, it’s a Class B from the Network. Remember that I had the class A 10.10 when I gained access. It is two classes in the same environment. I have the command execution on the server so I can manipulate commands in that environment. I don’t yet have the reverse shell but I can set commands in the server.
Next, I will need to open a port on my computer. This is my callback. Here’s my reverse shell. Let’s get there. I open Netcat, and I set here the open port, as well as the reverse shell. I have the access, which is specifically user www-data. I have a docker env so it’s possible that I have some container, some Docker within my environment. I need to find out more about this, as I have gained access. This is specifically users, it’s the www-data user. How can I gain access to this environment more deeply and how can I escalate privilege? Here’s my reverse shell. It’s a tentative, as you can see. However, this is the main shell that I can use to execute commands via the browser. I attempt, and I am granted reverse access. This allows me to execute a command within this environment. All those images are visible on the web page.
Next, if I am able to upload my file there I can generate something similar. I checked the permissions I had to upload the file and found that I could upload it as a root or with permission. I then generated my keygen. This is specifically SSH, which is my public key. I then set here the key hacker. I then use my public key to upload my key into the virtual machine. This is how dangerous it can be if you find something in the authorization. I set evilarc.py. I set -0 for the operating system. Here is the path I created. I entered my public key into the virtual machine. I gained root access using SSH after that. I now require remote code execution. I placed my private key inside the virtual machine and now I have access.
Pivoting Techniques
Let’s discuss pivoting techniques. It’s simple. It’s an integral part of many penetration tests. This publication contains the entire article. The pivoting techniques are basically the use of the first compromised network system as I gain access to it, along with routing techniques at protocol or application level to allow or help to compromise other systems within the same network or another network. It’s a way to jump between networks. But first, you must compromise a system. On the other side, you could say that it’s the techniques that allow an attacker to move laterally. Let’s assume that I have the class B (the IP address), 172. However, I have the class A 10.10 inside the corporate. I can have something outside the environment, such as a class C 192.168. You can pivot if you have more than one Docker environment or container within my environment. I can have four IPs on the network. That’s the main point.
Let’s start with the first. I have the access here. I now have the Kaneki access. This allows me to access the entire environment. After I gain root access, I can also collect all the SSH key to access it. I now have Kaneki access. I can now see the ifconfig. Take a look at that, 172.20.110. This is my first container. There is also some information on the main webpage. Let’s look at the notes and see if it is of interest to you. Vulnerability in Gogs was discovered. Kaneki has this information. The Gogs were found. The Gogs application is now in the environment. This is the best information. We didn’t know the exact location where we would need to install these Gogs. Is there a directory for the Gogs application exactly?
“I have disabled the registration function on our server. Please ensure that no one has access to the test account.” Here’s another. Let’s say you are a developer and you manage this server. We open text notes many times to write something. The attacker can see the information you have written if you are under attack. This is the main point. Kaneki has a test account so we can try to get this information from someplace. Let’s find out more. We found Gogs in our test account, so we can access it.
You can see the secret.jpg page. Remember these photos. You are correct, Kaneki has the privilege. Let’s look at another: “I’ve installed a file server in the server network. Eto, if you need to send file to server, you can use my computer, DM me.” Let’s take a look at this. Kaneki has an account test, which is most likely a Kaneki PC. Here’s the Kaneki PC key. Look closely, there are two SSH keys. You can see Kaneki is the administrator guy. He has the privilege of accessing them. They have access to two environments. This is the Docker. This is the main Docker. We also have this class, class B, 172, IP address. Kaneki has full access to another container. However, I was not sure what this IP address should look like.
Let’s do another demo on pivoting techniques. I need to find out how many Dockers and information I have in this environment. Remember that I got the Kaneki access. Take a look at this article about another failure: the keys within the backup directories. Unfortunately, we cannot find much information. You can see that I have set here the Kaneki.backup. It’s interesting. Here is the Kaneki_pub. What is this exactly? This is the test account. This is the test bank Kaneki mentioned in his note. He told the people that they didn’t have to access it because there might be important information within. It’s a Kaneki laptop. You can see another IP address. Let’s look at what happened when I tried to connect SSH with this kaneki.backup. Let’s take a look at this. Now I have access in kaneki.pc. This is a test account. I have access to this server. Look at this, we now have another thing. 172.20 is the class B. But here we have another network: 172.18. This is the third container within the same environment. How can I use the pivoting technique in this situation? I am an attacker and I use the class C, which is 192.178. How is it possible to connect in this system if there is no channel to get there? That’s the point. I can’t get access to this network. How can I gain access to this network? To gain access, you will need to use this user or a forward channel. These are the methods used.
Let me explain. I have created my page. I have here the hacker. This is my SSH using root. I will open the port in my environment. Are you using this port 2020? Is this port open in my environment? I need some information from this channel. Let’s look at my VPN, which I use. I’m in class B in this case. I will attempt to connect to this other IP address but I would like access to another IP address, 172.18. It’s another channel. You can take a look at it. This is a test account. I set here to my local service, as I will be putting my environment, which is a server, there. This port will be used by me. I will add another IP address, 172.18.0.2. I will open the 3000 port. I will use this port to establish communication. This port is what I’m using because it’s the one I can open in my environment. This is the port forward which I can use in these pivoting methods. I attempt to connect and get the password ILoveTouka. I attempt to connect. Kaneki will provide the password. I now have complete control of this environment. Look at 172.18. It is me in this network. How is this possible? Use this port forward and these pivoting methods through the SSH. That’s what you need to know.
As the attacker, I have access to this entire network via my personal computer. It’s impossible to connect to this particular port if I don’t have the possibility to open this port forward using SSH. I’m using pivoting techniques for jumping because of this. I am here in class, on this particular machine. These techniques are used often by the attacker and the penetration tester to manipulate additional commands the penetration has before their computer. They are using techniques because of this. This is their purpose.
Look at what I found in the end. I entered here my localhost IP address, 172. I then add the port 3000. The Gogs application is what I found. I tried to connect in this setting using my machine. I now have another privilege app to explore in this setting. This is possible because I use the pivoting techniques to open this port forward. It would have been impossible to connect inside the Gogs had I not used this technique. Gogs is at risk because we read the Kaneki machine message.
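The Zip Slip flaw that the demo relies on (an archive entry whose name walks out of the extraction directory, which is how the shell and later the SSH key land under the web root) is closed on the server side by vetting every entry name before anything is written. The check below is an added example written for this transcript, not code from the talk or from Hack The Box; the archive it inspects is constructed in the code, and the /var/www/html default only mirrors the web root mentioned above.

```python
import io
import os
import posixpath
import zipfile
from tempfile import TemporaryDirectory

# Constructed sample archive (not the talk's evil.zip): one harmless entry plus,
# optionally, an entry whose NAME walks out of the extraction directory.
def build_sample(traversal: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("images/logo.png", b"\x89PNG constructed image bytes")
        if traversal:
            zf.writestr("../../../tmp/evil.txt", b"constructed marker")
    return buf.getvalue()

def _escapes(dest: str, name: str) -> bool:
    """True if an entry name would land outside dest. The check is purely
    lexical, so it does not depend on the filesystem; absolute and
    drive-letter names are treated as hostile outright."""
    norm = name.replace("\\", "/")
    if posixpath.isabs(norm) or (len(norm) > 1 and norm[1] == ":"):
        return True
    base = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(base, norm))
    return posixpath.commonpath([base, target]) != base

def unsafe_entries(zip_bytes: bytes, dest: str = "/var/www/html") -> list:
    """Names of every entry that would be written outside dest."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if _escapes(dest, i.filename)]

def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Vet the whole archive first, then extract; returns the paths written."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing archive, traversal entries: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # A symlink entry pointing outside dest would let a later entry
            # write through it, so reject those as well (mode bits live in
            # the high 16 bits of external_attr on Unix-created archives).
            if ((info.external_attr >> 16) & 0o170000) == 0o120000:
                raise ValueError(f"refusing symlink entry: {info.filename}")
            out = os.path.join(dest, info.filename.replace("\\", "/"))
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with zf.open(info) as src, open(out, "wb") as dst:
                dst.write(src.read())
            written.append(out)
    return written

def vet_upload(zip_bytes: bytes, dest: str) -> dict:
    """What an upload handler should do: accept or reject, never half-extract."""
    try:
        return {"accepted": True, "files": len(safe_extract(zip_bytes, dest))}
    except ValueError as exc:
        return {"accepted": False, "reason": str(exc)}

def demo() -> tuple:
    """Run both constructed archives through vet_upload in a scratch directory."""
    with TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "html")
        clean = vet_upload(build_sample(False), dest)
        evil = vet_upload(build_sample(True), dest)
    return clean["accepted"], clean["files"], evil["accepted"]

if __name__ == "__main__":
    print(demo())  # (True, 1, False)
```

The same vetting applies to tar and other archive formats; the point is that the entry name, not the payload, is what has to be checked, and the whole archive is rejected rather than skipping the bad entry.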