How Apache Struts2 Vulnerabilities Can Compromise Your Security

Dear Readers,

It’s a fresh start to the week for us & as part of our ongoing efforts to spread cyber security awareness, we’ve taken measures to go the extra mile & bring you rich blog posts about tales & adventures at Defencely Lab. We are going to explain & demonstrate how we chained critical pieces of information together to gain access to millions of customer accounts, in order to safeguard our valued clientele pro-actively.

The majority of our clientele are major finance brokering companies & we’d like to add that, as the industry grows under the leadership of real-time markets, it’s critical to retain that value accordingly: an online heist would certainly translate into financial loss for a growing company.

Getting remote command execution using the Struts2 vulnerability (CVE-2017-5638).

The vulnerability exists in the Jakarta-based file upload Multipart parser. Public exploits are available; we are using one of them to save time.

Credits: https://github.com/mazen160
Exploit: https://github.com/mazen160/struts-pwn

Use Git to clone the repository.

Use the -h help flag to get more details on the available flags & on using the exploit. The --check flag verifies whether the target is vulnerable.

And that is how you get code execution.
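On the defensive side, the request shape this bug is triggered by is easy to spot at a reverse proxy or WAF in front of the application. The following Python is an added example, not code from the post or from the struts-pwn project; it assumes incoming requests are available as header dictionaries and checks the Content-Type header for OGNL expression delimiters, which no legitimate media type ever contains:

```python
import re

# Constructed sample requests (not captures from the post), each as a header dict.
SAMPLE_REQUESTS = [
    {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryx1"},
    {"content-type": "multipart/form-data; %{1+1}"},      # OGNL expression syntax
    {"Content-Type": "application/json"},
    {"Content-Type": "${#context}"},                       # alternative OGNL delimiter
]

# A legitimate media type is type/subtype plus parameters; it never carries
# the '%{' or '${' delimiters that open an OGNL expression.
OGNL_DELIMITER = re.compile(r"[%$]\{")


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def content_type_is_suspicious(content_type):
    """True when a Content-Type value contains OGNL expression delimiters."""
    return bool(OGNL_DELIMITER.search(content_type))


def scan_requests(requests):
    """Return (index, content_type) for every request whose Content-Type
    looks like an S2-045 (CVE-2017-5638) probe against the Jakarta parser."""
    return [
        (i, get_header(h, "Content-Type"))
        for i, h in enumerate(requests)
        if content_type_is_suspicious(get_header(h, "Content-Type"))
    ]


if __name__ == "__main__":
    for i, ct in scan_requests(SAMPLE_REQUESTS):
        print(f"request {i}: suspicious Content-Type {ct!r}")
```

Blocking on this pattern buys time, but the actual fix is upgrading to a patched Struts release (2.3.32 or 2.5.10.1 and later); the check is a detection aid that also gives you a log of who probed the parser before the upgrade landed.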

That’s all we have for now. Let’s look forward to more amazement at Defencely Red Team Operations Labs next week, for yet another amazing uncover story of how we’re adding value to our customer base with an insider threat program as well as a routine, sound & offensive Vulnerability Assessment followed by a Penetration Test for critical applications, both at the staging level & on production bases. Our manual security assessment methods have proved the best value. Feel free to touch base at shritam@defencely.com, Shritam Bhowmick, Red Team Lead @Defencely, for any Security Operations related queries, or say “Hi” to us at hi@defencely.com for inquiries.

We should see you again next week with another operational tale from the broad security premises, where 0days are always a possibility & never far from a security compliance issue, which sooner or later will be a decision for Indian E-Commerce management & stakeholders.

Let’s act pro-actively.

Security Mis-configuration in the Corporate World!

It’s again a pleasure to look forward to the crowd that we’re gathering here at our blog, & I feel immense gratitude for the responses. With your support, we bring you another extraordinary tale of a red teaming & penetration testing scenario where Defencely breaks all frontier barriers & escalates the ecstasy of pure bliss of Red Teaming!

This post is intentionally crafted to show how much our clients benefit from our Dedicated Services & how a few shortfalls in security measures could lead to a larger subset (not to mention the master set) of risks to businesses, data & a paramount of reputation, all in one fine package.

Security Misconfiguration

A security misconfiguration can happen in any part of an application.

Today we are going to discuss how we owned a target using such a misconfiguration, which led us to compromise the whole database system.

The screenshots used in this post were intentionally created in our lab environment to reproduce the same scenario while respecting the security policy of the target company.

The process of reconnaissance took us to an IP. A simple Nmap scan gave the following result:

So, there was something running on port `8000`. When we took a look at it, we found this:

The developers had left old config files lying around, and on a publicly exposed server at that. We then checked whether phpMyAdmin was running on the target host.

And we were in.
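The root cause here is leftover files in a publicly served directory, and that is something the owning team can audit for themselves before anyone else does. The following Python is an added example, not the post's own tooling; it builds a constructed document root in a temporary directory and walks it for the names a defender should never find on a public web server (backup copies of config files, editor leftovers, database dumps, version-control directories). The file names and suffix lists are assumptions chosen for the demo, not a complete catalogue:

```python
import os
import tempfile
from pathlib import Path

# Suffixes and names that usually mean "left behind" rather than "served on purpose".
LEFTOVER_SUFFIXES = (".bak", ".old", ".orig", ".swp", ".sql", ".zip", ".tar.gz", "~")
LEFTOVER_NAMES = {".env", ".htpasswd", "phpinfo.php"}
LEFTOVER_DIRS = {".git", ".svn"}


def audit_webroot(root):
    """Walk a document root and return the relative paths that match the
    leftover patterns above, sorted so the output is stable."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in dirnames:
            if d in LEFTOVER_DIRS:
                hits.append(str(rel_dir / d) + "/")
        for f in filenames:
            if f in LEFTOVER_NAMES or f.endswith(LEFTOVER_SUFFIXES):
                hits.append(str(rel_dir / f))
    return sorted(hits)


def build_demo_root():
    """Constructed document root (placeholder contents only) that mixes
    legitimate files with the kind of leftovers the post describes."""
    root = Path(tempfile.mkdtemp(prefix="webroot-demo-"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "config.php").write_text("<?php $db_pass = 'placeholder'; ?>\n")
    (root / "config.php.bak").write_text("<?php $db_pass = 'old-placeholder'; ?>\n")
    (root / "includes").mkdir()
    (root / "includes" / "db.old").write_text("host=localhost\n")
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/master\n")
    (root / "dump.sql").write_text("-- constructed sample dump\n")
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    for hit in audit_webroot(demo):
        print("leftover:", hit)
```

Run it against the real document root as part of a deploy check (or a cron job) rather than once; the files in this story were "old" precisely because nobody looked again after the deployment that left them there. Pair it with a rule that administrative consoles such as phpMyAdmin are never reachable from the public interface.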


How Defencely Popped a Shell to a Full Compromise of Top 10 Business Houses Across India


Contents

  • Introduction to Local File Inclusion.
  • Identifying a Local File Inclusion.
  • Escalating the simple file inclusion to spawn a shell.

Let’s get this started.

Introduction to Local File Inclusion –

Local file inclusion is a critical-level security vulnerability that occurs when files are included without properly sanitizing user-controlled data; it allows an attacker to include sensitive system files using nothing more than a web browser.

Here is an example of code which is vulnerable to Local File Inclusion:

 

Identifying a Local File Inclusion –

The target is a Linux system, so we start by trying to include some basic files to see whether they get included.

We tried including the “/etc/passwd” file, which contains basic information about the users on a Linux system.

And we got this as output:

Now we know that local files are being included: we simply used some directory traversal characters to walk back up the directory tree and include the ‘passwd’ file.
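The defect the previous sections describe (a user-supplied name joined to a directory and included as-is) and the fix for it are worth seeing side by side. The following Python is an added example, not the post's own snippet; it builds a constructed page directory in a temporary folder with one file deliberately placed outside it, shows the unchecked join leaking that outside file through “../”, and then shows a hardened version that resolves the path and refuses anything that does not land strictly inside the allowed directory, which also rejects absolute paths such as /proc/self/environ:

```python
import tempfile
from pathlib import Path


def build_demo_tree():
    """Constructed layout: <base>/pages/ is the only directory the app may
    include from; <base>/secret.conf stands in for a file outside it."""
    base = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
    pages = base / "pages"
    pages.mkdir()
    (pages / "home.html").write_text("<h1>home</h1>\n")
    (pages / "about.html").write_text("<h1>about</h1>\n")
    (base / "secret.conf").write_text("db_password=placeholder\n")
    return pages


def include_vulnerable(pages_dir, page):
    """Mirrors include('pages/' . $_GET['page']): the user value is joined to
    the directory unchecked, so '../' walks out of it and an absolute path
    (for example /proc/self/environ) replaces the prefix entirely."""
    return (Path(pages_dir) / page).read_text()


def include_hardened(pages_dir, page):
    """Resolve the requested file and refuse anything that does not land
    strictly inside pages_dir, then restrict to the expected file type."""
    base = Path(pages_dir).resolve()
    target = (base / page).resolve()      # collapses '..' and follows symlinks
    if base not in target.parents:        # containment check on the resolved path
        raise PermissionError(f"refused: {page!r} resolves outside {base}")
    if target.suffix != ".html" or not target.is_file():
        raise FileNotFoundError(page)
    return target.read_text()


if __name__ == "__main__":
    pages = build_demo_tree()
    print("vulnerable include leaks:", include_vulnerable(pages, "../secret.conf"), end="")
    try:
        include_hardened(pages, "../secret.conf")
    except PermissionError as err:
        print("hardened include:", err)
```

The containment check is done on the resolved path, not on the raw string, because stripping “../” from input is easy to get wrong (encoded variants, repeated sequences) while comparing real filesystem locations is not. An allowlist of page names is stricter still when the set of includable files is known in advance.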

Escalating the simple file inclusion to spawn a shell –

But this is not the end. We will try to escalate this to a command execution.

At this point, we have various ways to gain a shell, such as PHP wrappers or poisoning the log files, which can be good friends in such a case. But we will use the classic method here, where we reload the environment variables to trigger our injected code and spawn a bash shell.

Let’s try including the “/proc/self/environ” system file, which contains the environment of the process.

What’s the idea behind including the environ system file?

If you look at the above screenshot, you can see that the HTTP_USER_AGENT variable displays our current User-Agent.

We can actually tamper with the User-Agent header to carry PHP code and gain access to a shell. We changed our User-Agent to – <?php phpinfo(); ?>

And we got this as output –

Now we have code execution on the server. We will escalate this from a web shell to a teletype (TTY) shell.

What we did here is download a web shell from the internet directly onto the server using wget, called through the system() function, since we now have code execution on the server.

WebShell:

Teletype shell:

The kernel was vulnerable to Dirty COW, but we did not escalate to root, because that exploit overwrites the root account and can make the system unstable or crash it, so we did not take that risk to obtain root privileges. This was a short, one-time engagement for a highly confidential client of ours, for whom the risks involved went far beyond this. Which is why we keep it confidential.
