Defencely USP for Major Finance Brokering Giants! Are you Ready!?

As part of our ongoing efforts to spread cyber security awareness, we’ve taken measures to go an extra mile & bring you rich blog posts about tales & adventures at Defencely Lab. We are going to explain & demonstrate how we chained up critical information to gain access to millions of customer accounts in order to safeguard our valued clientele pro-actively.

Majority of our clienttele are major finance brokering companies & we’d like to add that as the industry is grooming under leadership of real time markets, it’s critical to retain the value accordingly & an online heist would certainly impact as part of financial loss to the growing company.

We are intentionally excluding the names of the target to stick to confidentiality clause which we’ve signed up. At this point, our readers should be able to have an analogy of the steps which are taken & mentioned in this post to get the complete picture of what’s happening.

We have been assigned the same target several times for serious security threats, we have reported some SQL Injection’s and some more serious security threats but the vendor was still not satisfied. This was time to escalate this more and make it more serious.

We started enumerating the target. While the enumeration process was going on, we got hands on a HTTP Service running on a port `8080`.

This was not any white-box – Pentest, we were not having any test credentials to check out the application. We don’t want to miss anything out this time, so we checked if these login parameter’s were properly sanitized. I tried breaking the Query – No errors thrown.

We were sure that this is a Time based Blind SQL Injection. We made the application sleep(20) for 20 seconds. Not wasting much of our time thrown the same to SQLMap. Exploitation process was quite slow, even after increasing the threads.

The application was built under ASP.NET framework – most probably written in C# with DBMS used was MSSQL. If you have used SQLMap before, you already know there’s a flag used for gaining os-shell if requirements meets & depending on the DBMS detected.

We gave this a try – this flag in SQLMap checked if the xp_cmdshell is enabled on the target system and luckily our target was having that enabled. SQLMap promoted us with this screen:

We were happy that we gained a not-a-proper shell but at least have command execution in there this time ..

As this is a Windows System .. i executed the some commands to make sure everything is working fine .. but the problem was no standard output was thrown our side. So were not able verify if everything is working that side and the commands are actually getting executed.

To make sure if the commands are getting executed i started capturing the ICMP packets on my side and tried pinging from the target system.

 

Pinging our system from the target

Capturing the ICMP packets on our side:

We received several requests from a specific IP. Including an Web Address on the headers.

We opened up the website and it was of an ISP. Our target was at the TOP of their client list.

Now it was time to get a proper shell on the target. We were not sure if powershell was present there on the target. Simply typed powershell.exe on the os-shell prompt and it was a long delay and did a exit from the prompt. What we did is, created a file name ‘def.txt’ on our local and started the inbuilt Python HTTP Server and tried downloading the file on the target’s machine using powershell ..

We can see, it actually tried downloading the file from our created HTTP Server ..

Tried downloading netcat on the target machine to initiate a connection between both the target and my system. But there was some kind of firewall dropping my netcat connection every time i connect to the target ..

But a simple MSF reverse TCP did the work ..

That’s all we have for now. Let’s look forward to more amazement at Defencely Red Team Operations Labs next week for absolutely yet another amazing uncover story of how we’re adding value to our customerbase with insider threat program as well as routine sound-ful & an offensive Vulnerability Assessment followed by a Penetration Test for critical applications both at the staging level & production bases. Our manual security assessments methods have proved the best value. Feel free to touchbase at shritam@defencely.com, Shritam Bhowmick, Red Team Lead @Defencely for any Security Operations Related queries or say “Hi” to us at hi@defencely.com for inquiries.

We should see you again next week with another operational tale of the broad security premises where 0days are always a possibility & at proximity of a security compliance issue which always will be a sooner or later decision by the Indian E-Commerce Management & stakeholders.

Let’s act pro-actively.

 

How Chaining Of Attack Vectors Gave Defencely an Upper Hand in Pentests!?

Howdy,

Today as part of our ongoing efforts to spread cyber security awareness, we’ve taken measures to go an extra mile & bring you rich blog posts about tales & adventures at Defencely Lab. We are going to explain & demonstrate how we chained up critical information to gain access to millions of customer accounts in order to safeguard our valued clientele pro-actively.

We are intentionally excluding the names of the target to stick to confidentiality clause which we’ve signed up. At this point, our readers should be able to have an analogy of the steps which are taken & mentioned in this post to get the complete picture of what’s happening.

CONTENTS

  1. Understanding the workflow of the Application.
  2. Technical Understanding.
  3. Chaining up and Exploiting the vulnerability on the basis of Collected information.

WORKFLOW

Our target had an Android Application as well as a Web Application giving ourselves a wide scope to start enumerating and having a general idea of how their applications were working at the back-end, we look our own research time to be spend wisely before we actually started to hit the targets.

Working of the Web Application: This web application allows anyone to Sign Up for their services hosted on a particular sub-domain say example.target.com. And once you’re signed up as a normal user with the company you can upload your details and information related to you on the account to set it up according to the services offered.

Working of the Android Application: This Android Application is of their Partners Portal. The Android Application was more interesting as this Application doesn’t allows everyone to sign up as a Partner, You need to verify yourself as a legitimate person having skills on the works they offer & submitting documents related to the work they are offering. We reverse engineered the APK file & The only thing which were similar between the Web App & the Android App was both their APIs which were connecting to the same domain but having different endpoints.

So, this was going really interesting as we do not have access to any of their test credentials for the Partner’s Android App to test their API endpoints. We were only left with the reverse engineered files & codes on the desk. Now we have a basic idea about how things were working, let us jump into the technical understanding of the application and lets understand how we escalated this from having nothing to compromising millions of their accounts registered with the company.

TECHNICAL UNDERSTANDING 

If you want to register yourself as a Partner you need to call them on a given number on the website to their 24 * 7 available customer support and can provide details they needed to verify yourself as a legitimate partner.

So, what would you have done if you were at the same scenario we were? It’s obvious. We called them up & social engineered them to make them believe that we want to sign up as a partner and provided some legit looking details which were actually dummy details created at our end. The verification process was over, everything went fine. But they informed us that they will take couple of days to provide us the credentials to partner portal. We know we have deadlines, 2-3 days was a long time and we can’t afford wasting time on just registering a account on their partner’s portal.

If you remember we already have reversed engineered the APK file. So we went that way. We started looking into the huge source codes available.

We were looking through the directory structures and found some susceptible files where we can now at least concentrate into.

Above are the files we were specifically looking into. We started reading the codes of the ISignIn.java  file. And within a couple of minutes we found something really interesting which took our attention and made everything clear about the Login mechanisms they were using and how they were Saving passwords to the databases at the back-end.

Lets look at the code and understand the mechanism.

Vulnerable Code which could allow us to take over Partner Accounts: 

@FormUrlEncoded
@POST("/ppapp/savepassword")
void getSavePassword(@Field("mobile") String str, @Field("password") String str2, @Field("confirmPassword") String str3, Callback<OTPModel> callback);

This particular function took our attention which were sending some form-collected data into the POST parameters to the endpoint /ppapp/savepassword. I was pretty sure the developers were using this function to set new passwords for the users.

But here the question arises. How we are going to exploit this vulnerability? If we look into the function, we can see the function getSavePassword takes three functions parameters in.

getSavePassword(@Field("mobile") String str, @Field("password") String str2, @Field("confirmPassword")

  1. `mobile` parameter
  2. `password` parameter
  3. `confirmPassword` parameter

We need to full fill the need of supplying three parameters to the function to make the request happen. You might have noticed they are changing the password of users putting mobile phone number as their uniquely identified kind a`key`.

The first priority here is we need to have a mobile number already registered with the company. And to full fill the need we started enumerating other files which might throw us some more details regarding users already registered.

While enumerating other files, we found another endpoint which seems to be related with the customer profile details or vice versa.

We started searching where and how this endpoint @GET("/getprofilejson") is working by looking at the source codes left with us.

We found that the endpoint @GET("/getprofilejson") is working with two HTTP GET parameters.

  1. `uri`
  2. `consumerId`

Enumerating the source codes more and more gave us the values which were fitting into these two parameters. The `uri` parameter is taking a `location` which in my case was %2Feast%2Fassam%2Fbongaigaon%2F and `consumerId` was of 6 digit integer value, so i just passed a random 6 digit integer value ‘123456’ But nothing happened.

I wrote a python script to bruteforce the `consumerId`.

The API endpoint was throwing data’s at ‘391149’ which holds a token value for ‘example_profile_id’ and meant to be supplied as HTTP POST  parameter on the endpoint @GET("/getprofilejson") as "example_profile_id=82f088332d0611e484950e2f866a9102" to get hold on the registered customer profile details.

Our goals are achieved. Now we have a registered customer’s phone number. It’s time to code a exploit and make it happen. Lets jump into the last section of exploitation.

 

EXPLOITING THE VULNERABILITY

A coded up exploit to account take over.

Response:

We finally coded a mass account take over exploit where the script grabs user’s phone number bruteforcing the `consumerId` and passing the token value retrieved from the response to get phone numbers of the users and finally the invoking the  @POST("/ppapp/savepassword") endpoint to directly changing the password.

 

That’s all we have for now. Let’s look forward to more amazement at Defencely Red Team Operations Labs next week for absolutely yet another amazing uncover story of how we’re adding value to our customerbase with insider threat program as well as routine sound-ful & an offensive Vulnerability Assessment followed by a Penetration Test for critical applications both at the staging level & production bases. Our manual security assessments methods have proved the best value. Feel free to touchbase at shritam@defencely.com, Shritam Bhowmick, Red Team Lead @Defencely for any Security Operations Related queries or say “Hi” to us at hi@defencely.com for inquiries.

We should see you again next week with another operational tale of the broad security premises where 0days are always a possibility & at proximity of a security compliance issue which always will be a sooner or later decision by the Indian E-Commerce Management & stakeholders.

Let’s act pro-actively.

Security Mis-configuration in the Corporate World!

It’s again a pleasure to look forward to the crowd that we’re gathering here at our blogs & an immense gratitude that i feel of the responses. With your support, we bring you another extraordinary tale of red teaming & penetration testing scenario where Defencely breaks all frontier barriers & escalates the ecstasy of pure bliss of Red Teaming!

This post is intentionally crafted to show how much our Client benefit from our Dedicated Services & how few short fall measures in security could lead to a larger sub-set (not to talk of the master set) risks involved with businesses, data & a paramount of reputation included all in one fine package.

Security Misconfiguration

A security misconfiguration can happen in any part of an application.

Today, We are going to discuss about how we owned a target using a similar misconfiguration which lead us to compromise the whole database system.

The screenshots used in the post will be intentionally created on our lab environment to reproduce the same scenerio and maintaining the security policy of the target company.

The process of reconnaissance took us to a IP. A simple NMAP scan throws the result:

So, there was something running at the PORT `8000`. When we took a look into the that – we found that:

The developers left the old config files lying that too on a publicly exposed server. We checked if any phpMyAdmin was running on the target host.

And we were in.

Let’s look forward to more amazement at Defencely Red Team Operations Labs next week for absolutely yet another amazing uncover story of how we’re adding value to our customerbase with insider threat program as well as routine sound-ful & an offensive Vulnerability Assessment followed by a Penetration Test for critical applications both at the staging level & production bases. Our manual security assessments methods have proved the best value. Feel free to touchbase at shritam@defencely.com, Shritam Bhowmick, Red Team Lead @Defencely for any Security Operations Related queries or say “Hi” to us at hi@defencely.com for inquiries.

We should see you again next week with another operational tale of the broad security premises where 0days are always a possibility & at proximity of a security compliance issue which always will be a sooner or later decision by the Indian E-Commerce Management & stakeholders.

How Defencely Popped a Shell to a Full Compromise of Top 10 Business Houses Across India

It’s again a pleasure to look forward to the crowd that we’re gathering here at our blogs & an immense gratitude that i feel of the responses. With your support, we bring you another extraordinary tale of red teaming & penetration testing scenario where Defencely breaks all frontier barriers & escalates the ecstasy of pure bliss of Red Teaming!

This post is intentionally crafted to show how much our Client benefit from our Dedicated Services & how few short fall measures in security could lead to a larger sub-set (not to talk of the master set) risks involved with businesses, data & a paramount of reputation included all in one fine package.

Contents

  • Introduction to Local File Inclusion.
  • Identifying a Local File Inclusion.
  • Escalating the simple file inclusion to spawn a shell.

Let’s get this started.

Introduction to Local File Inclusion –

Local file inclusion is critical level security vulnerability occurs when files are included without properly sanitizing the user controlled data, allows an attacker to include critical level system files through just a web browser.

Here is a example code which vulnerable to Local File Inclusion:

 

Identifying a Local File Inclusion –

We are using a Linux System here so we should try including some basic files to see if it’s getting included.

We tried including the “/etc/passwd” file which contains basics information about the users on a Linux system.

And we got this as a output:

Now we know that local files are getting included just by using some traversal characters going back to the directory and including the ‘passwd’ file.

Escalating the simple file inclusion to spawn a shell –

But this is not the end. We will try to escalate this to a command execution.

At this point, we have various ways to gain access to a shell using PHP wrappers or poisoning the log files which could be your good friend in that case. But we will use the classic method here where we will be reloading the environment variables to trigger our injected code to spawn a bash shell.

Let’s try including the “/proc/self/environ” system file which contains the environment of the process.

What’s the idea behind including the environ system file?

If you have noticed the above screenshot you can see that our HTTP_USER_AGENT variable displays our current USER AGENT.

We can actually tamper the User-Agent to some malicious PHP code to gain access to the shell. We tampered our User Agent to – <?php phpinfo(); ?>

And we got this as a output –

Now we have a code execution on server. We will escalate this from a Web shell to a Teletype shell.

What we did here is, we have downloaded webshell from the internet directly on the server using WGET with the help of the system(); function as we now have code execution on the server.

WebShell:

Teletype shell:

The Kernel was vulnerable to DirtyCow but we haven’t escalated this to the root as because this exploit overwrites the root account and makes the system unstable or may result in a crash so we haven’t took that risk to get the root privileges. This was a short one time shoot for a very highly confident Client of ours of which the risks involved were far beyond. Which is why, we keep it confidential.

Let’s look forward to more amazement at Defencely Red Team Operations Labs next week for absolutely yet another amazing uncover story of how we’re adding value to our customerbase with insider threat program as well as routine sound-ful & an offensive Vulnerability Assessment followed by a Penetration Test for critical applications both at the staging level & production bases. Our manual security assessments methods have proved the best value. Feel free to touchbase at shritam@defencely.com, Shritam Bhowmick, Red Team Lead @Defencely for any Security Operations Related queries or say “Hi” to us at hi@defencely.com for inquiries.

We should see you again next week with another operational tale of the broad security premises where 0days are always a possibility & at proximity of a security compliance issue which always will be a sooner or later decision by the Indian E-Commerce Management & stakeholders.