Showing posts with label low2pwned.

Monday, October 22, 2012

.git you some with DVCS-Pillage

Ron over at SkullSecurity put out a post on Using "Git Clone" to get Pwn3D.

Worth a read if you haven't. Unfortunately, the key to his post relied on wget and directory listings making it possible to download everything in the /.git/* folders.

Unfortunately(?) I don't run into this too often. What I do see is the presence of the /.git/ folder; sometimes the config or index files are there, but there is certainly no way to know what's in the objects folders (where the good stuff lives) [or so I thought].

So I posed the following to Twitter,

to which I got two great replies.


The first one pointed me to:
https://github.com/evilpacket/DVCS-Pillage
(thanks Kos)

and the second was a shortcut to using the tool by the author (thanks Adam)

DVCS-Pillage is pretty handy. With it you can pillage accessible GIT, HG and BZR repos. Similar functionality for svn already exists in Metasploit.

Does it work? Yes, mostly. An example:

user@ubuntu:~/pentest/DVCS-Pillage$ ./gitpillage.sh www.site.com/.git/
Initialized empty Git repository in /home/user/pentest/DVCS-Pillage/www.site.com/.git/
Getting refs/heads/master
Getting objects/ef/72174d7a5d893XXXXXXXXXXXXXXXXXXXX
Getting index
Getting .gitignore
curl: (22) The requested URL returned error: 404
About to make 245 requests to www.site.com; This could take a while
Do you want to continue? (y/n)y
Getting objects/01/f0d130adf04d66XXXXXXXXXXXXXXXX9e4ddb41
Getting objects/49/403ecc2d8a343da9XXXXXXXXXXXXXXX3f094d9
Getting objects/d3/1195ab0e695f8b89XXXXXXXXXXXXXXXXXa3af5
Getting objects/f9/b926f07XXXXXXXXXXXXXXXXXXXX567cf438c6a
Getting objects/57/78a12e2edebXXXXXXXXXXXXXXXXXXX3f3a0e8d
---snip---
trying to checkout files
error: git checkout-index: unable to read sha1 file of wp-register.php (caad4f2b21c37bXXXXXXXXXXXXXXX81c7949ec4f74e)


#### Potentially Interesting Files ####


wp-admin/export.php - [CHECKED OUT]
wp-admin/includes/export.php - [CHECKED OUT]
wp-admin/setup-config.php - [CHECKED OUT]
wp-config-sample.php - [CHECKED OUT]
wp-config.php - [CHECKED OUT]
wp-settings.php - [CHECKED OUT]


Anything useful in there?

user@ubuntu:~/pentest/DVCS-Pillage/www.site.com$ more wp-config.php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, WordPress Language, and ABSPATH. You can find more information by
 * visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing
 * wp-config.php} Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'site_wordpress');

/** MySQL database username */
define('DB_USER', 'site_wp');

/** MySQL database password */
define('DB_PASSWORD', 'XXXXXXXX');
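The `index` file mentioned above is enough on its own to reveal every path the repository tracks, which is how a tool like gitpillage knows what to request, and which is what you get to see when assessing what an exposed /.git/ actually leaked (the fix, of course, is to keep /.git/ out of the web root or deny it in the web server config). The following Python is an added example, not code from this post or from DVCS-Pillage: it builds a constructed version-2 index in memory, parses it, checks the trailing SHA-1 so a truncated download is not silently misread, and shortlists configuration-looking paths. The `INTERESTING_NAMES` list and the `build_index` helper are the example's own assumptions.

```python
import hashlib
import struct

# Paths a reviewer checks first when an index turns up in a web root
# (assumption: this shortlist is the example's own, not gitpillage's).
INTERESTING_NAMES = ("wp-config.php", "config.php", ".env", "settings.py",
                     "database.yml", "id_rsa", ".htpasswd")


def build_index(paths):
    """Constructed sample: a minimal version-2 index holding the given paths.

    Real index files carry stat data and real object ids; here they are zeroed
    or faked because only the layout matters for parsing.
    """
    body = b"DIRC" + struct.pack(">II", 2, len(paths))
    for path in sorted(paths):
        name = path.encode("utf-8")
        # ctime, ctime-ns, mtime, mtime-ns, dev, ino, mode, uid, gid, size
        entry = struct.pack(">10I", 0, 0, 0, 0, 0, 0, 0o100644, 0, 0, 0)
        entry += hashlib.sha1(b"blob " + name).digest()    # fake object id
        entry += struct.pack(">H", min(len(name), 0xFFF))  # flags: low 12 bits = name length
        entry += name
        entry += b"\x00" * (8 - len(entry) % 8)            # 1-8 NULs, entry padded to 8 bytes
        body += entry
    return body + hashlib.sha1(body).digest()              # trailing checksum


def parse_index(data):
    """Return (version, [tracked paths]) from raw index bytes.

    Verifies the DIRC signature and the trailing SHA-1 so that a truncated or
    partially downloaded index raises instead of yielding garbage paths.
    """
    if data[:4] != b"DIRC":
        raise ValueError("not a Git index file (bad signature)")
    if len(data) < 32 or hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("index checksum mismatch (truncated or corrupt)")
    version, count = struct.unpack(">II", data[4:12])
    if version not in (2, 3):
        raise ValueError("unsupported index version %d" % version)
    pos, paths = 12, []
    for _ in range(count):
        start = pos
        pos += 40 + 20                       # 10 stat words + object id
        flags = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        if version == 3 and flags & 0x4000:  # extended flags word present
            pos += 2
        name_len = flags & 0x0FFF
        if name_len < 0x0FFF:
            name = data[pos:pos + name_len]
            pos += name_len
        else:                                # long names: read up to the NUL
            end = data.index(b"\x00", pos)
            name, pos = data[pos:end], end
        paths.append(name.decode("utf-8"))
        pos = start + ((pos - start) // 8 + 1) * 8   # skip the NUL padding
    return version, paths


def interesting(paths):
    """Paths worth reading first: known config/credential file names in any directory."""
    return [p for p in paths if p.rsplit("/", 1)[-1] in INTERESTING_NAMES]


if __name__ == "__main__":
    sample = build_index(["wp-config.php", "wp-admin/export.php", "index.php"])
    version, tracked = parse_index(sample)
    print("index v%d, %d entries" % (version, len(tracked)))
    for path in tracked:
        print("  " + path + ("   <-- look here" if path in interesting(tracked) else ""))
```

Pointing `parse_index` at a real `index` file (read as bytes) lists the tree layout without touching a single object; that is why the index alone, even with the objects directory unreadable, already tells an attacker what to go after and tells you what to rotate.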


another way to turn a low to pwned :-)

Tuesday, May 29, 2012

From LOW to PWNED [12] Trace.axd

Post [12] Trace.axd


"Trace.axd is an Http Handler for .Net  that can be used to view the trace details for an application. This file resides in the application’s root directory. A request to this file through a browser displays the trace log of the last n requests in time-order, where n is an integer determined by the value set by requestLimit=”[n]” in the application’s configuration file."
http://www.ucertify.com/article/what-is-traceaxd.html

It is a separate file to store tracing messages. If you have pageOutput set to true, your webpage will acquire a large table at the bottom. That will list lots of information—the trace information. trace.axd allows you to see traces on a separate page, which is always named trace.axd.
http://www.dotnetperls.com/trace

LOW? Actually a Medium.



What can I do with it?

  • Read ALL variables and data from HTTP requests
  • POST requests rock!
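Whether trace.axd answers remote clients at all comes down to two attributes on the `<trace>` element in web.config (`enabled`, and `localOnly`, which defaults to true), so the check and the fix are both mechanical. The Python below is an added example, not code from this post: it reads a web.config document, applies ASP.NET's defaults for missing attributes, reports whether the last `requestLimit` requests (POST bodies included) would be readable over the network, and emits the corrected document. The two sample configs are constructed for the example.

```python
import xml.etree.ElementTree as ET

# ASP.NET's defaults when the attribute is absent: tracing off and, when on,
# trace.axd only answers requests from the local machine.
TRACE_DEFAULTS = {"enabled": "false", "localOnly": "true", "requestLimit": "10"}

# Constructed sample web.config fragments for the two cases.
WEAK_CONFIG = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" requestLimit="40" pageOutput="false" />
  </system.web>
</configuration>"""

NO_TRACE_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>"""


def audit_trace(web_config_xml):
    """Describe what trace.axd would do for this web.config.

    Returns the effective settings (defaults applied) and remote_exposed=True
    when any client on the network can read the last requestLimit requests.
    """
    root = ET.fromstring(web_config_xml)
    trace = root.find("system.web/trace")
    effective = dict(TRACE_DEFAULTS)
    if trace is not None:
        effective.update(trace.attrib)
    enabled = effective["enabled"].strip().lower() == "true"
    local_only = effective["localOnly"].strip().lower() == "true"
    return {
        "enabled": enabled,
        "localOnly": local_only,
        "requestLimit": int(effective["requestLimit"]),
        "remote_exposed": enabled and not local_only,
    }


def harden(web_config_xml, keep_local_tracing=False):
    """Return the document with trace.axd closed to remote clients.

    By default tracing is switched off outright; with keep_local_tracing the
    trace stays available to local requests only, the usual compromise while
    someone still needs it for debugging.
    """
    root = ET.fromstring(web_config_xml)
    trace = root.find("system.web/trace")
    if trace is not None:
        if keep_local_tracing:
            trace.set("localOnly", "true")
        else:
            trace.set("enabled", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("weak:    ", audit_trace(WEAK_CONFIG))
    print("no trace:", audit_trace(NO_TRACE_CONFIG))
    print("hardened:", audit_trace(harden(WEAK_CONFIG, keep_local_tracing=True)))
```

Note that `localOnly="true"` only helps if the application really is not reachable from localhost by others (a shared host or a reverse proxy that forwards as 127.0.0.1 defeats it), which is why the default action here is to disable tracing rather than just restrict it.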

Discovery?

  • Metasploit
  • Vuln Scanners
Metasploit

Example

Main trace.axd page

Viewing a request

Post request with creds

-CG


Friday, May 25, 2012

From LOW to PWNED [11] Honorable Mention: Open NFS

Post [11] Honorable Mention: Open NFS

Open NFS mounts/shares are awesome. Talk about sometimes finding "The Goods". More than once an organization has been backing up everyone's home directories to an NFS share with bad permissions, so checking to see what's shared and what you can access is important.

Low? Currently an "info" with Nessus 5.

Anyway, you probably want to know about finding it. You have a few options.

standard portscanning (of course)

1. scan for port 111/2049
2. do showmount -e / showmount -a
3. metasploit module

example:
[root@attacker]# showmount -e 192.168.0.1
Export list for 192.168.0.1:
/export/home/  (everyone)
/export/mnt/   (everyone)
/export/share/ (everyone)


4. look to see what's exported and who is mounting ("everyone" FTW)


To mount an NFS share, use the following after first creating a directory on your local machine:

[root@attacker ~]# mount -t nfs 192.168.0.1:/export/home /tmp/badperms

Change directories to /tmp/badperms and you should see the contents of /export/home on 192.168.0.1.

To abuse NFS you can check out the rest from http://www.vulnerabilityassessment.co.uk/nfs.htm; it talks about tricking NFS into letting you become other users. I'm going to put it here in case it goes missing later:

"You ask now, how do you circumvent file permissions and the use of the sticky bit? This is done with a little prior planning and sleight of hand to confuse the remote machine.

If we have a /export/home/dave directory that we have gone into, we will see a number of files belonging to dave, some or all of which you may be able to read.  The one thing the system will give you is the owners UID on the remote system after issuing an ls -al command i.e.

-rwxr----- 517 wheel 898 daves_secret_doc

The permissions at the moment do not let you do anything with the file as you are not the owner (yet) and not a member of the group wheel.

Move away from the mount point and unmount the share
umount /local_dir

create a user called dave
useradd dave
passwd dave

Edit /etc/passwd and change the UID to 517

Remount the share as local root

Go into dave's directory
cd dave

issue the command
su dave

As you are local root you can do this and as you have an account called dave you will not need a password

Now the quirky stuff - As the UID for your local account dave matches the username and UID of the remote, the remote system now thinks you're his dave, hey presto you can now do whatever you want with daves_secret_doc."
NfSpy is supposed to assist with the above: https://github.com/bonsaiviking/NfSpy
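The "(everyone)" in the showmount output above and the UID trick in the quoted text both come straight out of how /etc/exports is written: a wildcard or missing client, and the default `sec=sys` where the server simply believes the uid the client sends (root_squash, on by default, only remaps uid 0, so it does not stop the useradd-and-edit-the-UID trick; host restrictions or `sec=krb5*` do). The Python below is an added example, not from this post or from NfSpy: it parses an /etc/exports file and reports world exports, `no_root_squash`, and exports still relying on AUTH_SYS. The sample exports file is constructed to mirror the showmount listing above.

```python
import re

# Constructed sample /etc/exports, mirroring the "(everyone)" shares in the
# showmount output above plus one correctly restricted export.
SAMPLE_EXPORTS = """\
# nightly home directory backups
/export/home   *(rw,sync,no_root_squash)
/export/mnt    (rw)
/export/share
/srv/build     10.0.5.0/24(rw,sync,root_squash)  build01.example.internal(ro)
"""

_CLIENT = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text):
    """Yield (path, client, options) for each client of each export line.

    A path with no client list, or a client spec like "(rw)" with no host in
    front of it, is exported to the world. A client with no options gets the
    exportfs defaults: read-only with root_squash, but still sec=sys.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:] or ["*"]
        for spec in specs:
            m = _CLIENT.fullmatch(spec)
            if m is None:
                raise ValueError("unparseable client spec %r for %s" % (spec, path))
            host, opts = m.groups()
            options = {o.strip() for o in opts.split(",")} if opts else set()
            yield path, host or "*", options


def audit_exports(text):
    """Return (path, client, finding) triples for the risky settings."""
    findings = []
    for path, client, options in parse_exports(text):
        if "no_root_squash" in options:
            findings.append((path, client, "no_root_squash: a remote root stays uid 0 on this export"))
        if client == "*":
            mode = "rw" if "rw" in options else "ro"
            findings.append((path, client, "exported to everyone (%s)" % mode))
        if not any(o.startswith("sec=krb5") for o in options):
            # AUTH_SYS trusts the uid the client sends, which is exactly what the
            # useradd + UID-edit trick quoted above relies on; root_squash alone
            # does not close it, only host restrictions or Kerberos do.
            findings.append((path, client, "sec=sys: server trusts client-asserted uids"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print("%-14s %-28s %s" % (path, client, finding))
```

On a live host the same audit can be run against the output of `exportfs -v`, which prints the effective options after defaults have been applied, so a bare `/export/share` line shows up with its real `ro,root_squash,sec=sys` settings rather than an empty option list.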

nmap scripts to do additional info gathering

nfs-ls
nfs-showmount
nfs-statfs

Valsmith and hdmoore gave their Tactical Exploitation talk at DEF CON 15 and talked about NFS (file services section of the slides / video / white paper). They also gave it at Blackhat in a much longer format; unfortunately that video is broken into multiple 14-minute parts, so go Google for it (lazy).

Fun Reading:
Swiss Cyber Storm II Case: NFS Hacking: http://www.csnc.ch/misc/files/publications/2009_scsII_axel_neumann_NFS.pdf

Monday, May 21, 2012

From LOW to PWNED [10] Honorable Mention: FCKeditor

Post [10] Honorable Mention: FCKeditor

FCKeditor is bundled with seemingly everything (ColdFusion, Drupal plugins, WordPress plugins, other random CMSs) and has probably been responsible for countless hacks via file upload issues.

Examples:

http://www.exploit-db.com/exploits/12697/
http://www.exploit-db.com/exploits/15484/
http://www.exploit-db.com/exploits/17644/

Big ol' list on Exploit-DB

CVEdetails on FCKeditor.

LOW?

Actually, most FCKeditor checks in Nessus that I found were either Medium or High (hence honorable mention and not in the talk).



There is a good write-up of a classic case of FCKEditor abuse here:

http://secureyes.net/nw/assets/File-Upload-Vulnerability-in-FCKEditor.pdf

Google Dorks


inurl:/editor/filemanager/browser/default/connectors/[LANGUAGE]/connector.php

Friday, May 18, 2012

From LOW to PWNED [9] Apple Filing Protocol (AFP)

Post [9] Apple Filing Protocol (AFP)

The Apple Filing Protocol (AFP) is a network protocol that offers file services for Mac OS X and original Mac OS. In Mac OS X, AFP is one of several file services supported including Server Message Block (SMB), Network File System (NFS), File Transfer Protocol (FTP), and WebDAV.
http://en.wikipedia.org/wiki/Apple_Filing_Protocol

Lives on TCP port 548

LOW?




What can I do with it?

  • Read access to files/folders (always fun)
  • Write access (sometimes)
Discovery?
  • Vuln scanners (duh)
  • Nmap scripts
    • afp-showmount
    • afp-serverinfo
    • afp-ls
    • afp-brute
    • afp-path-vuln (directory traversal exploit)
Nmap examples


Connecting to AFP servers

Super easy if you have a Mac.
On Linux you can use afpfs-ng.





Windows? Dunno. Don't think so...



Monday, May 14, 2012

From LOW to PWNED [8] Honorable Mention: Log File Injection

Post [8] Honorable Mention: Log File Injection

So this didn't make it into the talk, but was in the hidden slides...

Not positive this is a "low", but a friend suggested it, so here you go.

Goes like this:
Request gets logged.
Something malicious gets written, commonly something like a one-line PHP backdoor.

  1. Use an LFI vulnerability to browse to the page and get a shell
    1. Example 1:  Php Shell Injection On A Website Through Log Poisoning http://www.securitytube.net/video/167
    2. Rails 3.0.5 Log File Injection http://packetstormsecurity.org/files/99282/Rails-3.0.5-Log-File-Injection-Proof-Of-Concept.html
    3. http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
    4. Example 2: BURP SUITE - PART IV: LFI EXPLOIT via LOG INJECTION  http://kaoticcreations.blogspot.com/2011/12/burp-suite-part-iv-lfi-exploit-via-log_20.html
  2. Wait for an admin to view the logs, at which point whatever you injected executes (XSS)
    1. Example 1: http://xforce.iss.net/xforce/xfdb/50170
    2. Example 2: http://www.securityfocus.com/archive/1/464471

Can also do fun stuff like this (TNS Logfile injection in Oracle)
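Both flavours above (PHP tags parked in a log for a later LFI, and script parked in a log for whoever views it) share one tell: attacker-controlled request fields carrying content that has no business in a request line, referer or user agent. The Python below is an added example, not code from this post: it parses Apache/nginx combined-format lines, including Apache's `\"` escaping of embedded quotes, checks each field both raw and percent-decoded, and flags PHP open tags, HTML/JS, and CR/LF/ESC sequences (the forged-entry variant in the Rails link above). The log lines are constructed and the injected payloads are inert markers.

```python
import re
from urllib.parse import unquote

# One quoted field of the combined log format; Apache writes embedded quotes
# as \" so the field must allow escaped characters.
_QUOTED = r'"(?P<%s>(?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] ' + _QUOTED % "request" +
    r' (?P<status>\d{3}) (?P<bytes>\S+) ' + _QUOTED % "referer" + " " +
    _QUOTED % "agent" + r"$"
)

# What to look for in attacker-controlled fields, in the order reported.
MARKERS = (
    (re.compile(r"<\?(?:php|=)", re.I), "PHP open tag (log poisoning for a later LFI)"),
    (re.compile(r"<script\b|<iframe\b|javascript:", re.I), "HTML/JS (stored XSS against a log viewer)"),
    (re.compile(r"[\r\n\x1b]|%0[ad]|%1b", re.I), "CR/LF/ESC (forged log lines or terminal escapes)"),
)

# Constructed sample lines; the injected payloads are inert markers.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/May/2012:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/May/2012:10:01:03 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "<?php /* injected marker */ ?>"',
    '10.0.0.9 - - [11/May/2012:10:01:04 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 77 "http://evil.example/<script>alert(1)</script>" "Mozilla/5.0"',
    '10.0.0.9 - - [11/May/2012:10:01:05 +0000] "GET /%0d%0aforged-second-entry HTTP/1.1" 404 0 "-" "curl/7.22"',
    '10.0.0.5 - - [11/May/2012:10:01:06 +0000] "GET /robots.txt HTTP/1.1" 200 31 "-" "Mozilla/5.0 (compatible; \\"Bot\\")"',
]


def scan_line(line):
    """Return [(field, description)] for suspicious content in one log line.

    Each field is checked raw and percent-decoded, so encoded payloads in the
    request line are caught as well as literal ones in headers.
    """
    m = COMBINED.match(line)
    if m is None:
        return [("line", "does not parse as combined format (truncated or forged entry?)")]
    hits = []
    for field in ("request", "referer", "agent"):
        raw = m.group(field)
        for value in (raw, unquote(raw)):
            for pattern, description in MARKERS:
                if pattern.search(value) and (field, description) not in hits:
                    hits.append((field, description))
    return hits


def scan_log(lines):
    """Map 1-based line number -> findings, omitting clean lines."""
    return {n: hits for n, hits in ((n, scan_line(l)) for n, l in enumerate(lines, 1)) if hits}


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG).items():
        for field, description in hits:
            print("line %d  %-8s %s" % (number, field, description))
```

The unparseable-line finding matters as much as the markers: a request that smuggles a CR/LF into the log shows up as one line that matches and a second, fabricated line that usually does not, which is the forged-entry case in the Rails link above. Piping a real access log into `scan_log` (one string per line) is the intended use; the parse is strict on purpose, so adapt `COMBINED` if the server uses a custom LogFormat.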



Friday, May 11, 2012

From LOW to PWNED [7] HTTP PUT/WebDAV/SEARCH

Post [7] HTTP PUT/WebDAV/SEARCH

Man, I love mis-configured WebDAV; I have put a foot in many a network's ass with a writable WebDAV server. Like the browsable directories thing, it's *usually* not writable, but it occurs often enough that you really have to make sure you check it each time you see it.

LOW?


IIS5 is awesome (not) because WebDAV is enabled by default, but the web root is not writable. Wait, who still runs Windows 2000?! I know, I know: the app can't be rewritten... accepted risk... blah blah... no one will ever use this to pwn my network... it's OK if that DA admin script logs into it daily....

The "game" is finding the writable directory (if one exists) on the WebDAV enabled server.
     *Dirbusting and ruby FTW*

I find that it's usually NOT the web root, so honestly it can be a challenge to find the writable directory. VA scanners can help; Nessus will actually tell you the methods allowed per directory... still a challenge though.

Once you have a directory you want to test, you can use cadaver to test manually, davtest, or Ryan Linn's Metasploit module for testing WebDAV.


I've also done some posts on WebDAV in the past:

http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
http://carnal0wnage.attackresearch.com/2007/08/creating-http-options-auxiliary-module.html

hdm had done a post on it in the past in relation to the ASP payload; I can't find it on the R7 site, but it's mirrored here: http://meta-sploit.blogspot.com/2010/01/exploiting-microsoft-iis-with.html

Decent writeup here:
http://www.ubersec.com/downloads/WEBDAV_Exploit_example.pdf

HTTP PUT

HTTP PUT/SEARCH usually gets rolled into



Web scanners are better about alerting on PUT as an available method, and most will attempt the PUT for you. I don't think any vuln scanners do; I'm sure someone will correct me if I'm wrong.

Writable HTTP PUT is rare (at least for me), although some friends say they see it all the time.

Metasploit has a module to test for PUT functionality as well.

HTTP SEARCH

HTTP SEARCH can be fun. When enabled, it will give you a listing of every file in the webroot.
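The per-directory method list that Nessus reports for WebDAV, PUT and SEARCH above is just the `Allow` header of an OPTIONS response, and since the writable directory is usually not the web root, the useful view is a side-by-side of several directories on the same host. The Python below is an added example, not from this post or any of the tools it links: it parses raw OPTIONS responses, separates write methods from disclosure-only ones, and lists the directories where PUT is advertised. The two responses are constructed; the IIS 5 header names are real, the values are the example's own.

```python
# Methods that let a client change content on the server.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
# Methods that only disclose: PROPFIND/SEARCH list files, TRACE echoes headers.
DISCLOSURE_METHODS = {"PROPFIND", "SEARCH", "TRACE"}

# Constructed sample OPTIONS responses for two directories on one host:
# the web root (read-only) and an uploads directory with WebDAV writes enabled.
WEBROOT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n\r\n"
)
UPLOADS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "DAV: 1, 2\r\n"
    "MS-Author-Via: DAV\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_response_head(raw):
    """Return (status code, {lower-case header name: value}) from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def advertised_methods(headers):
    """The Allow header as an upper-cased set (empty if the server sent none)."""
    return {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}


def classify(path, raw_response):
    """Summarise what one OPTIONS response says about one directory."""
    status, headers = parse_response_head(raw_response)
    methods = advertised_methods(headers)
    return {
        "path": path,
        "status": status,
        "webdav": "dav" in headers,
        "write_methods": sorted(methods & WRITE_METHODS),
        "disclosure_methods": sorted(methods & DISCLOSURE_METHODS),
    }


def writable_candidates(results):
    """Directories where PUT is advertised. Allow is a claim, not a test: confirm with davtest or cadaver."""
    return [r["path"] for r in results if "PUT" in r["write_methods"]]


if __name__ == "__main__":
    results = [classify("/", WEBROOT_RESPONSE), classify("/uploads/", UPLOADS_RESPONSE)]
    for r in results:
        print("%-10s dav=%-5s writes=%s  disclosure=%s" % (
            r["path"], r["webdav"], ",".join(r["write_methods"]) or "-",
            ",".join(r["disclosure_methods"]) or "-"))
    print("PUT advertised on:", writable_candidates(results))
```

An `Allow` header can overstate (IIS advertises PUT on directories where NTFS permissions then refuse it) or understate (a proxy may strip methods it does not know), which is exactly why the post still reaches for davtest after the scanner has spoken; treat `writable_candidates` as the to-test list, not the finding.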




Monday, May 7, 2012

From LOW to PWNED [6] SharePoint


Post [6] SharePoint

Misconfigured SharePoint can be *really* useful. Examples of things you can do with it are:
  • User/Domain Enumeration
  • Access to useful files
Regular / Auth Protected SharePoint also gives you a point to conduct brute-force attacks against AD or SharePoint users.


We regularly find awesome stuff once we have access to SharePoint. It's not uncommon to find service account passwords, alarm information, employee directories, all kinds of useful stuff.

LOW?


Finding SharePoint servers

Random targets: lots of interesting things can be found with Google dorks.


If you need to look at specific servers:

Stach & Liu have released their SharePoint Diggity tools:
http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/

You can also roll your own:
http://code.google.com/p/fuzzdb/source/browse/trunk/Discovery/PredictableRes/Sharepoint.fuzz.txt


Examples of open access



If you have credentials you can use web services calls to pull information from AD, from: http://blog.mindedsecurity.com/2011/07/athcon-2011-presentation.html


Stuff to read:
http://www.mindedsecurity.com/fileshare/Fedon_Athcon_June11.pdf
http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/
https://www.owasp.org/index.php/Research_for_SharePoint_%28MOSS%29




Friday, May 4, 2012

From LOW to PWNED [5] Honorable Mention: Null Sessions

Post [5] Honorable Mention: Null Sessions

Null sessions are old school. They used to be useful for pretty much every host in a domain. Unfortunately, I very rarely run into an environment where all workstations let you connect anonymously AND get data.

Where they can come in useful is

  • Against mis-configured servers
  • Against domain controllers to pull info

Low? Actually a medium...


More than once I've had a PT where a master_browser was exposed to the Internet.  We were able to connect to the server using rpcclient and enumerate users.  After that we had a full list of the users in the domain to conduct external brute forcing attacks with.

If you like pretty pictures, it kinda looks like this; there are command-line utilities as well...

Cain uses null sessions by default to try to pull information.  On modern systems this will fail.


But domain controllers/master_browsers do allow this, so if you find yourself in a position to be able to speak with one, you can get a list of users for the domain.




You can then take that list of users and do brute force attacks against various services. I rarely fail to find at least one username/username account in an environment.


Tuesday, May 1, 2012

From LOW to PWNED [4] Browsable Directories

Post [4] Browsable Directories

"Index of" can be your friend, and the same with "web mirroring". Unfortunately, and also to the point of the talk/series, you have to go look at this crap. It's *usually* not important: stuff like /icons/ in Apache.


But every now and then pure gold will show up. So you have to go look at it.

LOW?


So some examples of browsable directories that were not /icons/  :-)





Yeah yeah, but real world?! So, story time: we were doing a PT, the site had SQL injection so we were able to pull down lots of data, but the sensitive stuff was *encrypted*, so we were kinda stuck. Poking around further we found a directory with indexing enabled. What was there? A database backup and a site backup with the decryptMe PHP function along with the current encryption key :-) All from a "low" vulnerability.
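Because you do have to go look at every listing, it helps to let code do the first pass: pull the entries out of an "Index of" page and surface the ones that look like backups, dumps or keys, which is the story above in miniature. The Python below is an added example, not code from this post: it parses an Apache mod_autoindex page with the standard library, skips the sort and parent links, and shortlists suspicious names. The listing HTML and the suffix list are constructed for the example; on the server side the fix is `Options -Indexes` in the Apache config.

```python
from html.parser import HTMLParser

# File types that usually should not sit in a web-served directory
# (assumption: this list is the example's own).
SENSITIVE_SUFFIXES = (".sql", ".bak", ".old", ".orig", ".zip", ".tar", ".tar.gz",
                      ".tgz", ".7z", ".rar", ".key", ".pem", "~")
SENSITIVE_NAMES = {"wp-config.php", ".htpasswd", ".env", ".git/", ".svn/"}

# Constructed sample of an Apache mod_autoindex page.
SAMPLE_LISTING = """<!DOCTYPE html><html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1><pre>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a>
<hr><a href="/">Parent Directory</a>
<a href="site-2012-04-20.tar.gz">site-2012-04-20.tar.gz</a>  20-Apr-2012 03:12  14M
<a href="db.sql">db.sql</a>                                  20-Apr-2012 03:10  2.1M
<a href="decrypt.php.bak">decrypt.php.bak</a>                19-Apr-2012 17:44  1.2K
<a href="notes.txt">notes.txt</a>                            01-Mar-2012 09:00  310
<a href="old/">old/</a>                                      01-Mar-2012 09:00  -
<hr></pre></body></html>"""


class AutoindexParser(HTMLParser):
    """Collect the page title and the entry links from an 'Index of' page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.entries = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            # Skip the column-sort links ("?C=...") and the parent-directory link.
            if href and not href.startswith(("?", "/", "http://", "https://")):
                self.entries.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def triage_listing(html):
    """Return None if this is not an index page, else what it exposes."""
    parser = AutoindexParser()
    parser.feed(html)
    title = parser.title.strip()
    if not title.startswith("Index of "):
        return None
    return {
        "directory": title[len("Index of "):],
        "entries": parser.entries,
        "subdirectories": [e for e in parser.entries if e.endswith("/")],
        "sensitive": [e for e in parser.entries
                      if e.lower().endswith(SENSITIVE_SUFFIXES) or e in SENSITIVE_NAMES],
    }


if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    print("listing for", result["directory"])
    print("  look at first:", result["sensitive"])
    print("  recurse into: ", result["subdirectories"])
```

The `subdirectories` list is there because indexing is normally inherited: if /backup/ lists, /backup/old/ almost certainly does too, so a triage pass should walk them. Other servers (nginx autoindex, IIS directory browsing) use a different page layout, so the parser would need a second set of link rules for those.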


Friday, April 27, 2012

From LOW to PWNED [3] JBoss/Tomcat server-status


Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.

The slides were published here and the video from hashdays is here; there is no video for BSides ATL.

I consistently violate presentation zen and I try to make my slides usable after the talk but I decided to do a few blog posts covering the topics I put in the talk anyway.

Post [3] JBoss/Tomcat server-status

There have been some posts/exploits/modules on hitting up unprotected JBoss and Tomcat servers:

http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf
http://carnal0wnage.attackresearch.com/2009/11/hacking-unprotected-jboss-jmx-console.html
http://www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
http://goohackle.com/jboss-security-vulnerability-jmx-management-console/

http://www.metasploit.com/modules/exploit/multi/http/jboss_maindeployer
http://www.metasploit.com/modules/exploit/multi/http/tomcat_mgr_deploy

Sometimes, even though the deployer functionality is password protected, the server-status may not be.

/web-console/status?full=true



/manager/status/all



LOW?

This can be useful to find:


  • Lists of applications
  • Recent URL's accessed
    • sometimes with sessionids 
  • Find hidden services/apps
  • Enabled servlets
  • owned stuff :-)
Finding 0wned stuff is always fun; let's see.

Looking at the list of applications, one doesn't look normal (zecmd).

Following that down leads us to zecmd.jsp, which is a JSP shell.


If you are interested in zecmd.jsp and the JBoss worm it comes from --> this is a good write-up, as is this OWASP preso: https://www.owasp.org/images/a/a9/OWASP3011_Luca.pdf

thoughts?

-CG