As part of our ongoing efforts to spread cyber security awareness, we’ve taken measures to go an extra mile & bring you rich blog posts about tales & adventures at Defencely Lab. We are going to explain & demonstrate how we chained up critical information to gain access to millions of customer accounts in order to safeguard our valued clientele pro-actively.
Majority of our clienttele are major finance brokering companies & we’d like to add that as the industry is grooming under leadership of real time markets, it’s critical to retain the value accordingly & an online heist would certainly impact as part of financial loss to the growing company.
We are intentionally excluding the names of the target to stick to confidentiality clause which we’ve signed up. At this point, our readers should be able to have an analogy of the steps which are taken & mentioned in this post to get the complete picture of what’s happening.
We have been assigned the same target several times for serious security threats, we have reported some SQL Injection’s and some more serious security threats but the vendor was still not satisfied. This was time to escalate this more and make it more serious.
We started enumerating the target. While the enumeration process was going on, we got hands on a HTTP Service running on a port `8080`.
This was not any white-box – Pentest, we were not having any test credentials to check out the application. We don’t want to miss anything out this time, so we checked if these login parameter’s were properly sanitized. I tried breaking the Query – No errors thrown.
We were sure that this is a Time based Blind SQL Injection. We made the application sleep(20) for 20 seconds. Not wasting much of our time thrown the same to SQLMap. Exploitation process was quite slow, even after increasing the threads.
The application was built under ASP.NET framework – most probably written in C# with DBMS used was MSSQL. If you have used SQLMap before, you already know there’s a flag used for gaining os-shell if requirements meets & depending on the DBMS detected.
We gave this a try – this flag in SQLMap checked if the xp_cmdshell is enabled on the target system and luckily our target was having that enabled. SQLMap promoted us with this screen:
We were happy that we gained a not-a-proper shell but at least have command execution in there this time ..
As this is a Windows System .. i executed the some commands to make sure everything is working fine .. but the problem was no standard output was thrown our side. So were not able verify if everything is working that side and the commands are actually getting executed.
To make sure if the commands are getting executed i started capturing the ICMP packets on my side and tried pinging from the target system.
Pinging our system from the target:
Capturing the ICMP packets on our side:
We received several requests from a specific IP. Including an Web Address on the headers.
We opened up the website and it was of an ISP. Our target was at the TOP of their client list.
Now it was time to get a proper shell on the target. We were not sure if powershell was present there on the target. Simply typed powershell.exe on the os-shell prompt and it was a long delay and did a exit from the prompt. What we did is, created a file name ‘def.txt’ on our local and started the inbuilt Python HTTP Server and tried downloading the file on the target’s machine using powershell ..
We can see, it actually tried downloading the file from our created HTTP Server ..
Tried downloading netcat on the target machine to initiate a connection between both the target and my system. But there was some kind of firewall dropping my netcat connection every time i connect to the target ..
But a simple MSF reverse TCP did the work ..
That’s all we have for now. Let’s look forward to more amazement at Defencely Red Team Operations Labs next week for absolutely yet another amazing uncover story of how we’re adding value to our customerbase with insider threat program as well as routine sound-ful & an offensive Vulnerability Assessment followed by a Penetration Test for critical applications both at the staging level & production bases. Our manual security assessments methods have proved the best value. Feel free to touchbase at email@example.com, Shritam Bhowmick, Red Team Lead @Defencely for any Security Operations Related queries or say “Hi” to us at firstname.lastname@example.org for inquiries.
We should see you again next week with another operational tale of the broad security premises where 0days are always a possibility & at proximity of a security compliance issue which always will be a sooner or later decision by the Indian E-Commerce Management & stakeholders.
Let’s act pro-actively.