How Defencely Popped a Shell to a Full Compromise of Top 10 Business Houses Across India

It’s again a pleasure to look forward to the crowd that we’re gathering here at our blogs & an immense gratitude that i feel of the responses. With your support, we bring you another extraordinary tale of red teaming & penetration testing scenario where Defencely breaks all frontier barriers & escalates the ecstasy of pure bliss of Red Teaming!

This post is intentionally crafted to show how much our Client benefit from our Dedicated Services & how few short fall measures in security could lead to a larger sub-set (not to talk of the master set) risks involved with businesses, data & a paramount of reputation included all in one fine package.

Contents

  • Introduction to Local File Inclusion.
  • Identifying a Local File Inclusion.
  • Escalating the simple file inclusion to spawn a shell.

Let’s get this started.

Introduction to Local File Inclusion –

Local file inclusion is critical level security vulnerability occurs when files are included without properly sanitizing the user controlled data, allows an attacker to include critical level system files through just a web browser.

Here is a example code which vulnerable to Local File Inclusion:

 

Identifying a Local File Inclusion –

We are using a Linux System here so we should try including some basic files to see if it’s getting included.

We tried including the “/etc/passwd” file which contains basics information about the users on a Linux system.

And we got this as a output:

Now we know that local files are getting included just by using some traversal characters going back to the directory and including the ‘passwd’ file.

Escalating the simple file inclusion to spawn a shell –

But this is not the end. We will try to escalate this to a command execution.

At this point, we have various ways to gain access to a shell using PHP wrappers or poisoning the log files which could be your good friend in that case. But we will use the classic method here where we will be reloading the environment variables to trigger our injected code to spawn a bash shell.

Let’s try including the “/proc/self/environ” system file which contains the environment of the process.

What’s the idea behind including the environ system file?

If you have noticed the above screenshot you can see that our HTTP_USER_AGENT variable displays our current USER AGENT.

We can actually tamper the User-Agent to some malicious PHP code to gain access to the shell. We tampered our User Agent to – <?php phpinfo(); ?>

And we got this as a output –

Now we have a code execution on server. We will escalate this from a Web shell to a Teletype shell.

What we did here is, we have downloaded webshell from the internet directly on the server using WGET with the help of the system(); function as we now have code execution on the server.

WebShell:

Teletype shell:

The Kernel was vulnerable to DirtyCow but we haven’t escalated this to the root as because this exploit overwrites the root account and makes the system unstable or may result in a crash so we haven’t took that risk to get the root privileges. This was a short one time shoot for a very highly confident Client of ours of which the risks involved were far beyond. Which is why, we keep it confidential.

Let’s look forward to more amazement at Defencely Red Team Operations Labs next week for absolutely yet another amazing uncover story of how we’re adding value to our customerbase with insider threat program as well as routine sound-ful & an offensive Vulnerability Assessment followed by a Penetration Test for critical applications both at the staging level & production bases. Our manual security assessments methods have proved the best value. Feel free to touchbase at shritam@defencely.com, Shritam Bhowmick, Red Team Lead @Defencely for any Security Operations Related queries or say “Hi” to us at hi@defencely.com for inquiries.

We should see you again next week with another operational tale of the broad security premises where 0days are always a possibility & at proximity of a security compliance issue which always will be a sooner or later decision by the Indian E-Commerce Management & stakeholders.