Krb524 exploit metasploit


    Intrusion

    I must honestly say that this foothold cost me hours of work. I even needed a nudge to get me in the right direction, but I really learned a lot from it. Hack The Box community, thanks! Below I explain per subsection how you can abuse both vulnerabilities. You can choose which foothold you want to take. What is Cross-Site Request Forgery? Due to a programming error in the code of the website, the attacker can inject malicious code and instruct the webserver to execute random commands.

    This step also took me a long time. I found that spaces in the code are a problem for the execution of the code. The next problem: I have to get rid of the spaces. So, there was another vulnerability to discover. I had never used this injection before, thus it was quite a journey for me to get this one.

    Template engines can present dynamic data via web pages and emails. Unsafely embedding user input in templates enables Server-Side Template Injection. On PortSwigger's explanation page about Server-Side Template Injection, I learned how to determine which template engine is being used.

    Template engines identify themselves in the resulting error message. After a while I noticed that the archive page was changing. The result is again reflected on the archive page. I now know that this box is using the Twig or Jinja2 engine. I have modified the payload to execute a reverse shell to my machine. As the payload is working, I know that this webserver is using the Jinja2 engine. With this payload in the content section of the message, I got the reverse shell.

    Privilege Escalation Enumeration

    The last phase of this box.

    In the reconnaissance phase I discovered the Splunk service. I have done nothing with this one yet, so I think that Splunk is the path to gain root privileges. After logging in I get a large number of extra menu options. I will first start with the version of Splunk. In the menu it says version Splunk build: 8. But, if this is not properly secured, it could be hijacked.

    The last step is to read the root flag. Did you also like this write-up? Please consider spending a respect point. Do you want to support this blog? That's possible! You can support me by buying me a cup of coffee. I want to keep this blog free of advertisements because they place cookies on your machine and follow you.

    Many Thanks!!

    Since there are tons of PLCs exposed to the Internet, I wondered whether it would be possible to take advantage of the processing and memory provided by them to store a certain payload so that it can be recovered later from the stager. So, the scenario is as follows: An attacker locates a PLC exposed to the Internet with enough space to store a certain payload.

    The attacker uploads the payload to the PLC's memory. The main advantages of this method are: the use of third-party PLCs provides anonymity and makes traceability difficult, and there is no need to upload the payload to a server. In addition, once the payload is retrieved, its contents could easily be overwritten, even from the stager itself. So, in this kind of scenario you just need a Modbus handler, or just use an emulator from which to serve the stage when the stager connects to it.

    I have also seen networks that expose Modbus devices to be remotely managed, so this would also be a good place to use the stager. Any write to the PLC's registers may disrupt the process control strategy for which it was programmed. With a good network card you can scan the Internet on your own with tools like masscan or ZMap, looking for devices running Modbus on port As you can see from the following output, at least PLC are available out there.

    Many of these IPs are just honeypots that are easy to detect; for instance, Conpot, as well as others hosted in cloud services. For our intention even the honeypots could be useful as long as they have enough memory.

    Depending on the control strategy loaded, the PLC will have more or less memory accessible, so the script will first check if there is enough room for the payload. To check the size, a Modbus request with operation ID 03 (Read Holding Register) will be sent, trying to read a particular record from a certain address (each record is 16 bits).

    To upload the payload use the option -upload as follows. This option admits the parameter -addr to indicate the starting address, that is to say, the holding register number from which to load the payload (address 0 if not specified). In the example before, the size is bytes; to check that it was loaded successfully we can download the same number of bytes from address 0 with the option -download. Apart from using the script to upload a certain payload, it is obvious that it can also be used to upload any type of file.

    I think it's an interesting way to exfiltrate and share information. Who would suspect that the holding registers of a certain public PLC store a. It is important to note that the holding records where the payload is loaded can be modified by the PLC. The idea would be to upload the payload from a certain direction and then check, for some time, that the payload has not undergone any modification.

    With plcInjectPayload. Once the payload is uploaded to the PLC, it is necessary to retrieve it from the victim's computer. To get this I have created a stager that speaks Modbus; it takes less than bytes, and I will try to optimize its size much more. So this block communicates with the PLC via Modbus to retrieve the payload.

    The code gets the first 4 bytes to know the stage size and to reserve the necessary memory via VirtualAlloc. Then, it gets the payload by making successive "read holding" requests (function code ). Due to protocol specifications, for each read request the PLC can return a maximum of bytes ( holding registers), so the stager will recover the payload in chunks of this size.

    Let's see a practical example. Recently I found in www. The shellcode, once executed, writes to "log. So, first we put the payload in a binary file and prefix it with its length in little endian, taking 4 bytes. The following diagram depicts in detail the Modbus traffic generated. As seen in the next picture, the Wireshark output follows the above scheme. The Process Monitor window confirms that the stage is running successfully (look at the log).

    For the first tests I wrote a Modbus handler in Python (plcModbusHandler). Here is a video of the whole process.

    We can use this information to perform a vulnerability assessment and see how we can exploit this service.

    Unreal IRCD 3. As we already expected, there are 3 direct hits for this version of Unreal IRCd: The first is a remote downloader and Trojan execution script written in Perl. The second is a Metasploit exploit written in Ruby.

    The third result is a local configuration stack overflow exploit for Windows which can be used to DoS the service. Since we already know that the target machine is running Linux, we will ignore this search result. Since we cannot see the downloaded file, we can only guess that this file sets up a bind shell on the target host.

    Payload 2 downloads a file named bot.


    We can only guess what this option exactly does. Payload 3 downloads a file too, which is saved as rshell. Then the correct permissions are set and the file is executed. We can only guess that the downloaded payload is a reverse shell.

    Code analysis part 2

    The first three lines set the value of 3 variables named host, port and type to nothing. Then they are assigned the values from the first three arguments: the host, the port and the type. The 3 lines that follow test the 3 variables for null values and execute the usage function when a null value is found in one of the variables.

    For example, I move to the phpshell now tecmint-nix folder and rename phpshell.


    By default no username or password will work, hence you need to add a username and password manually. To create a user name and password, call the pwhash. As stated in the Result section, you need to add the sha line as is by copying and pasting it into config. Open config.
