IMF Enumeration and Exploitation

Jesse Kurrus, M.S., OSCP, CEH, Security+, Linux+, Network+, CISSP
Senior Penetration Tester and Technical Trainer

Lecture description

This lab will focus on the enumeration and exploitation of the intentionally vulnerable VM IMF, which is another Linux box you can find on VulnHub or my Google drive.

Learn more from the full course

Hands-on Penetration Testing Labs 3.0


03:47:41 of on-demand video • Updated April 2020

  • Enumeration
  • Remote and Local Exploitation
  • Vulnerability Scanning
  • SQL Injection
  • Cross-site Scripting (XSS)
  • Reverse shells
  • Nmap
  • Metasploit
  • Nikto
  • Dirb
  • Remote and local buffer overflows
  • Burp Suite
  • Kali Linux
  • Privilege escalation
  • Custom exploit development
This lab will focus upon the enumeration and exploitation of the intentionally vulnerable VM IMF, which is another Linux box you can find on VulnHub or my Google Drive. Download it, double-click the OVA, import it, change the network settings to host-only, and let's get started. Just real quick: right-click IMF, Settings, go to Network. You see here they have it set to Bridged. We're gonna set it to Host-only. Start it up, and after that go to your Kali Linux box.

Now let's use netdiscover to find the IP address. Okay, got the IP address. Now nmap it. All right, we have a limited attack surface here: only port 80 open, Apache web server. So let's go open up Firefox and take a look at what we can find. Okay, before looking at it I want to set up the proxy and open up Burp Suite. So like we did before, open the menu, click Preferences, search for the proxy, go to your proxy settings, and you should already have that from the previous episode. Here's what it looks like: port 8080, IP address loopback, the "No proxy for" box is clear. Just open up Burp Suite by clicking the icon over here, temporary project, use Burp defaults. Just gonna turn intercept off for now. Okay.

Now let's go to the IP address. Okay, we're at a home page here showing the projects. In the page source, nothing interesting here. Back. Contact Us page here, view the page source. See a flag here. It's encoded in base64. Copy that, go to Burp Suite and go to the Decoder tab, and you can paste in that base64-encoded string. Now click Decode as base64. You could also do it on the command line, but I'm just showing you a different way to do it. So we have something: "allthefiles". So that could be something we need to know later, so just document that. Head back to the web page here. OK, I noticed these three JavaScript files. At first I thought that this was a base64-encoded string by itself, but it turns out that this is where it starts and this is where it ends.
So you can just copy all that. It's going to open a Leafpad over here. Get rid of everything else other than the base64-encoded strings. So this is all split up into three sections, but this is the base64-encoded string right here. So same thing. Okay, so it gives us another base64-encoded string, and that's the second flag. So we're going to copy that and put it up here. All right, now we have the plain text: "imfadministrator". So we have two decoded strings, "allthefiles" and "imfadministrator". So those can be web directories. Let's take a look. Back to Firefox. First we'll try allthefiles. OK, that's not a web directory. Now imfadministrator. OK, so we get a login page. View the page source, see if there's anything interesting. OK, we have a comment here. It says "I couldn't get the SQL working so I hardcoded the password. It's still mad secure." OK, so they mention SQL. Well, maybe there's a SQL injection that we could use here. So let's try that out.

OK, so what I'm going to do here is turn on the Burp Suite proxy intercept. So you go to the Proxy tab, Intercept is on. Now I'm just going to put in test/test for the username and password, or try jesse/test, and click Login. So we have two parameters here, the user and pass parameters. That is what we're going to send over to Intruder, and we are going to try to bypass the authentication using SQL injection. So clear all the parameters. We're gonna set an injection point for pass. Now Payloads: I have a little list here. Here's some payloads that are going to attempt to bypass the authentication. So start the attack, click OK, let this thing run. Take a look at the response. So you get "Invalid username", and basically if it is able to bypass authentication we'll get a different response. I'm not sure what it is yet, but this is not the response we're looking for. You can sort by length. That'll show you if there is a positive result, or you can manually look at them.
But usually it'll have a different length if you succeeded. OK, so after trying a good amount of SQL injection for authentication bypass unsuccessfully, I did some research and I found this article. It says that we can submit an array in the password parameter, or pass in our case, which is going to cause strcmp to think the password is null and allow us to bypass authentication. So strcmp is basically a function that compares two strings. Let's go back to Burp Suite and put this to the test. You've got to make sure that your intercepting proxy is on. I'm going to put in jesse and test. Got that. Right-click anywhere here, Send to Repeater. OK, now exactly what they told us to do: add these two square brackets before the equals sign in pass. OK, that didn't work. Try a different username. Interesting, so it's not working. We have to be a valid user. OK, so it's not working with incorrect usernames. Perhaps I need to use a valid user. I'm going to do a little bit more testing.

OK, so going back to the contact.php page, I noticed that we have three potentially valid usernames. We have rmichaels, akeith and estone. So let's try all these and see if we can get through here. First I'll try rmichaels. OK, now we've bypassed authentication. I see a flag here and it's going to point us to the cms.php page, home. So let's go first to this base64-encoded string. OK, it just says "continue to cms". So that's what we're gonna do. I'm going to right-click anywhere in here, Request in browser, In original session. So we're just going to repeat this request in a browser. Let's clear this up a little bit. All right, now click this. All right. Earlier they said they couldn't get SQL working, in the HTML comment. So what I'm going to do now is intercept a request to this page and send it over to sqlmap, so we can run a sqlmap scan and see if there's any directly exploitable SQL injection so we can dump the database. So, over here.
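The strcmp bypass described above, as an added example in PHP that is not the IMF box's own code: the hard-coded login check written the vulnerable way beside a hardened version. It assumes PHP 5.x/7.x, where strcmp() given an array emits a warning and returns NULL (PHP 8 throws a TypeError instead, which the demo catches); the password value is constructed, and the usernames are the three from the contact page.

```php
<?php
// Added example, not the IMF box's own code: the login check the HTML comment
// describes ("hardcoded the password"), vulnerable and hardened.
// Assumes PHP 5.x/7.x: strcmp() given an array warns and returns NULL.
// On PHP 8 the same call throws a TypeError (handled in the demo below).

const HARDCODED_PASSWORD = 'correct horse battery staple'; // constructed value

// The three usernames found on the contact page.
function is_valid_user($user): bool
{
    return is_string($user) && in_array($user, ['rmichaels', 'akeith', 'estone'], true);
}

// Vulnerable: the strcmp() result is compared with == 0. A request body
// containing pass[]=x makes $pass an array, strcmp() returns NULL, and
// NULL == 0 is true, so any valid username logs in without the password.
function login_vulnerable($user, $pass): bool
{
    if (!is_valid_user($user)) {
        return false;                      // "Invalid username" in the app
    }
    return strcmp($pass, HARDCODED_PASSWORD) == 0;
}

// Hardened: refuse non-string input before it reaches any comparison, store a
// hash instead of the password, and use password_verify() (constant time).
// The failure path always runs one hash check so response timing does not
// reveal which usernames exist.
function login_hardened($user, $pass, string $stored_hash, string $dummy_hash): bool
{
    if (!is_string($user) || !is_string($pass)) {
        return false;                      // pass[] never reaches the compare
    }
    if (!is_valid_user($user)) {
        password_verify($pass, $dummy_hash);
        return false;
    }
    return password_verify($pass, $stored_hash);
}

// Demo: the request shapes from the walkthrough, as PHP decodes them.
$stored = password_hash(HARDCODED_PASSWORD, PASSWORD_DEFAULT);
$dummy  = password_hash(bin2hex(random_bytes(8)), PASSWORD_DEFAULT);
$cases  = [
    'rmichaels / correct password' => ['rmichaels', HARDCODED_PASSWORD],
    'rmichaels / wrong password'   => ['rmichaels', 'guess'],
    'rmichaels / pass[]=x'         => ['rmichaels', ['x']],   // the bypass
    'nobody    / pass[]=x'         => ['nobody',    ['x']],   // needs a valid user
];
foreach ($cases as $label => [$u, $p]) {
    try {
        $vuln = login_vulnerable($u, $p) ? 'LOGGED IN' : 'rejected';
    } catch (TypeError $e) {
        $vuln = 'TypeError (PHP 8)';
    }
    $hard = login_hardened($u, $p, $stored, $dummy) ? 'LOGGED IN' : 'rejected';
    printf("%-30s vulnerable: %-17s hardened: %s\n", $label, $vuln, $hard);
}
```

The `=== 0` form would also close the NULL hole, but the `is_string()` guard is what keeps array-shaped parameters out of every later comparison, not just this one.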
Back to the proxy. Intercept is on. Just reload that page to get a request going. Now we're going to use this pagename=home as the injection point. So I'm going to just go over here, and what I'm going to do is place an asterisk here in pagename=, and that's where all the SQL injections are going to hit. All right, so put the asterisk there, right-click anywhere, and we're going to Copy to file. Just going to name it sqli.txt. Go to a terminal. OK, the command is going to be sqlmap. -r means we're going to read the sqli.txt file we just created, --risk 3 (that's the max), --level 5 (that's also the max), --dbs and --dump, so we're going to be dumping the database if possible, and that's going to say yes to everything, and we are going to give it multiple threading with 10 threads. Let's go. Very good. We have exploited an error-based SQL injection vulnerability and have dumped the admin database. Now I see down here there's a link to a .jpg file. Let's just copy that location for now. Back to Firefox. So just right-click and duplicate the tab here for the imfadministrator web directory, and we're going to paste that in. OK, so let's just save that. All right, so let's take a good look at this picture here. There's a little box in the bottom-left corner and that is a QR code that can be decoded online. So I'm going to just open a tab here and Google "QR code". OK, it looks like we're having some issues here, probably due to Burp Suite. I'm going to have to show you how to fix that.
So for you to access stuff on the internet while you're running Burp Suite, you're gonna have to do this: go to http://burp, we're gonna grab the CA certificate, save the file. Go to the menu here, Preferences, and in the search box here just type "cert". That brings you to the certificates that you have, and under Authorities you're going to click Import and import that certificate that you just got from Burp Suite. Trust, trust, click OK, click OK. Now there's one more thing we need to do. I'm just gonna open up another terminal here and just exit out of Firefox; we have to restart it anyway. So there's a bug when you're using Java 11, so we're gonna have to change it to Java 8 in order to get SSL working properly. So update-alternatives --config java, and we're going to select 2, which is going to downgrade us to Java 8. All right, restart Burp Suite, restart Firefox. OK, back to the imfadministrator location. We're gonna have to run that rmichaels and password trick again. So just intercept a request to it, put it into Repeater real quick, and put those square brackets here in the pass parameter. Make sure it's working real quick. OK, so just Request in browser, In original session, turn that proxy off so you just go right in. Good. All right. OK, let's try that again. So all I wanted to do is Google "QR code", and now we are able to do it with those minor changes, and I see this decoder online for QR codes. So let's go there first and see if that works. OK, so what this does is it allows us to upload an image file, which is going to then be analyzed automatically for the QR code. So just browse, go to your Downloads folder, and we have whiteboard.jpg. Now Submit Query. Awesome, right away we got the decode, and it's the fourth flag and a base64-encoded string. So let's just copy that. We already have Burp Suite open, so go to the Decoder and paste that, decode as base64. All right.
Looks like we have a PHP file, maybe in another web directory, so let's just copy that. Back to IMF and duplicate the tab. Let's take a look. OK, Intelligence Upload Form. OK, so my first thought is to upload a PHP reverse shell. So let's go over to a terminal here, and I'm going to use a really cool tool named Weevely that is going to generate a PHP backdoor and try to exploit it. So let's go ahead and use that tool. OK, so to do this: weevely generate. Then you pick a password; I'm going to name it jesse. Then you pick a file name; I'm just gonna name it backdoor.php. Here it is. Now let's try to upload that. I'm going to have Burp Suite running so I can see what it looks like. We have Browse, heading to my root directory, and select backdoor.php. Here it is. So let's attempt to upload that and take a look at what transpires over the request. So I have a POST request here, content type of PHP, and here's the payload. See what happens. OK, it says invalid file type. So clearly they have some sort of filtering in place that does not allow PHP files to be uploaded. Let's try to bypass that real quick. Let's do the same thing we just did: upload. OK, now down here at the Content-Type it specifies that it is a PHP file. So I'm going to just change that and name it image/jpeg to try to trick the security mechanism. All right, so that didn't work. We're going to have to find a different way to do it.

OK, so let's go back to a terminal. I'm just in the directory where I created the PHP file. I want to change the name of it with the move command to backdoor.gif. So we're going to try to trick the upload mechanism into thinking that it is a GIF file instead of PHP. So after we change the file extension, let's go in here with a text editor using vi, and I'm going to add a GIF header with the hexadecimal value of the GIF header, and that should allow us to successfully upload this file. So save that and we'll go back to the upload page and try this again. Good, file successfully uploaded. OK.
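The upload filter bypass above (Content-Type change rejected, a renamed file with a GIF header accepted) shows why extension and magic-byte checks alone are not a control. This added PHP handler, which is not the IMF upload form's code, decides from the bytes on disk, re-encodes the image so anything appended to a valid header is discarded, and stores under a server-chosen name outside the web root; the directory, size limit and field name are assumptions.

```php
<?php
// Added example, not the IMF upload form's code: an image upload handler that
// survives the bypass shown above (GIF header prepended to PHP source).
// Assumptions (constructed): uploads land in UPLOAD_DIR, which is outside the
// document root and served back by a separate read-only handler (not shown);
// the form field is named "file". Requires the fileinfo and GD extensions.

const UPLOAD_DIR = '/var/uploads';          // NOT under the document root
const MAX_BYTES  = 2 * 1024 * 1024;

// Only formats we intend to serve, keyed by the MIME type finfo detects.
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

/**
 * Returns the stored file name on success, or a string starting with
 * "reject:" on failure. Nothing here trusts the client's Content-Type header
 * or the original file name, which are the two things the walkthrough edits.
 */
function store_upload(array $f): string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'reject: upload error';
    }
    if ($f['size'] > MAX_BYTES) {
        return 'reject: too large';
    }
    if (!is_uploaded_file($f['tmp_name'])) {
        return 'reject: not an upload';
    }

    // 1. Sniff the stored bytes (magic number), not the declared type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        return "reject: type $mime not allowed";
    }

    // 2. "GIF89a" + PHP source passes step 1, so require the whole file to
    //    decode as an image. A bare header with no image data fails here.
    $img = @imagecreatefromstring(file_get_contents($f['tmp_name']));
    if ($img === false) {
        return 'reject: not a decodable image';
    }

    // 3. Re-encode to a fresh file under a random, server-chosen name with the
    //    extension taken from the detected type. Re-encoding drops comments,
    //    trailing data and any other carrier for embedded script.
    $ext     = ALLOWED[$mime];
    $name    = bin2hex(random_bytes(16)) . '.' . $ext;
    $writers = ['png' => 'imagepng', 'jpg' => 'imagejpeg', 'gif' => 'imagegif'];
    $ok      = $writers[$ext]($img, UPLOAD_DIR . '/' . $name);
    imagedestroy($img);

    return $ok ? $name : 'reject: could not write';
}

if (isset($_FILES['file'])) {
    echo store_upload($_FILES['file']), "\n";
}
```

Independently of the validation, the directory that receives uploads should have script execution switched off in Apache (for mod_php, `php_admin_flag engine off` in that directory's configuration), so a file that slips through is served as data rather than run.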
Let's just view the page source real quick, and I notice a value here in the comments. So it's a little bit confusing and counterintuitive, but this value here is what the GIF file is renamed to after uploading it, and it's also in a directory that is called uploads. So I will show you how to exploit this now. All right, so the command to directly exploit this is going to be another Weevely command. So we have the IP address, imfadministrator/uploads, and that unique value that was generated that we found in the HTML, then .gif, right. So I need the password, so whatever password you created with that PHP file. There we go. Good. All right, so now we have a limited shell. Right away I see a flag. So I'm just going to cat that flag. Another base64-encoded string. Copy that. If you still have Burp Suite open, just pop that into the decoder. OK, we have a string: "agentservices". All right, so maybe a clue as to what we need to find here in the file system. Now I'm going to use a find command to search for the string "agent" and redirect the errors to /dev/null, which essentially blocks them from our view. So let's do find / -name agent and the redirection to /dev/null so we don't see all the errors. Okay, I see a binary right here for agent. Let me just run it real quick. Okay, some custom binary, and it is looking for an agent ID, which we do not know. So some sort of reporting system. Go ahead and try to see what services are running, so netstat -ant. We're going to just take a look at the running services. We got MySQL, SSH, port 80; we already know about that. But here's one we do not know about: 7788. Let's take a look at that. We can use netcat and the loopback address, which is just the internal IP, and then the 7788 port. All right, so connecting to that port tries to access this binary, this IMF Agent Reporting System, which is the agent binary we saw earlier. So we did not see that port running when we ran the nmap scan.
Now let's go to the /usr/local/bin directory and see if there's anything else useful here. That's where the agent binary is. OK, so I see the agent binary and I also see a file called access_codes. So I'm just gonna cat that real quick and see what's in it. All right, we have three numbers separated with commas. I can only guess that these are port numbers. They look like port numbers, but it's actually a number sequence that can be utilized for port knocking. So what is port knocking? It's a methodology that allows us to access inaccessible ports by sending certain connection attempts. We can automate this with this tool, knock, that I'll get from GitHub, and I'll show you where it is. So first of all, let's just close out of Burp Suite. We don't need this anymore. I'm going to also turn off the proxy and just set No proxy. All right, so here's the GitHub page for knock. I'm going to clone it. So just grab the clone URL here, just type git clone and paste in that URL we just got from GitHub. Good. I'm just gonna go to that knock folder. OK, so what we're gonna do here is run knock. We have the IP address of IMF and we have the three numbers that were retrieved from the access_codes file. So this should open port 7788. OK, so let's verify that port 7788 is now open: nmap -p 7788 and the IP address of IMF. Very good. So we've utilized port knocking to open port 7788. Now I want to grab the executable, ship it over to Kali Linux and find out how it works, see if we can exploit it somehow. So first I want to download and install RetDec, which is a very cool decompiler that's going to automate a lot of the analysis for us. I'm going to show you where to get it and how to install it. So let's go over to Firefox, open up a new tab here to show you the GitHub location. All right, so GitHub, here it is, and we're going to clone it same as before.
So grab that clone URL. Back to our shell, I'm just going to go to my home directory and we are going to type git clone and then the URL that was just copied. OK, this first step says a couple of things we have to do here. It's going to take a little bit of time. So first I'm going to install the dependencies. I am going to show you that now, and I'm going to also have all of these commands listed in the text file that's attached to this lecture. So let's just install all these dependencies, yes to everything. OK, first off we're going to change directories to retdec. I'm going to make a directory called build and change to that directory. And now we're going to prepare the make and install. So we have this: this is going to be the location for the installation, which is home/retdec. It should be the same for you if you followed my tutorial here. This whole process takes a little while. Now we're just going to run make and make install. OK, after that has finally downloaded and installed, let's go over to the Weevely shell and we're going to use a command called :file_download. We're going to specify the location of the agent binary and also specify the location where we want to put it in Kali Linux. So I have here the RetDec binary location, where we're gonna run the binary against the agent binary. So let's run that command. And now go back to Kali Linux where it is downloaded. Here is the directory where I put it: /root/retdec/bin. Here it is. OK, so now what we want to do is run the RetDec decompiler, which is right here. I'm just going to type in ./ and the name of the Python decompiler script. Then we're going to run it on agent. All right, so that has decompiled. And now you see here we have a bunch of files which were created as a result of the decompiler running against agent. So now I want to take a look at the contents of these files here. OK.
Now I'm gonna run cat agent*, which is going to get all the files that start with the name agent, and I'm gonna pipe that to less with the -r switch to remove carriage returns, and we will go down a couple lines here. OK, I see the functions. Let's take a look at this. Okay, so the agent ID is going to rely on this right here. This hexadecimal is where the agent ID is hardcoded. So let's take this string and we're going to decode that, or convert it into decimal. So we can do that on the command line. We'll just exit out of that, and I'm going to do echo, dollar sign, double parentheses, and close that. OK, so we have the decimal representation of that string that was hardcoded into the agent binary that we just decompiled, and I am now going to try to use that to enter in as the agent ID. So chmod +x, I'm going to make agent executable. OK, now it's asking us for the agent ID. I'm just gonna plug in that value. Okay, now we have authenticated into this binary. Now it has three different options. One of the options is to submit a report. Let's try that one. OK, and you just put input, so it accepts input into this report function. Let's try sending a bunch of characters to it and see how it reacts. We're going to create two hundred A characters with a quick bit of Python code here: print "A" * 200. So it's just going to create two hundred A's. All right, first of all we're going to enter in that agent ID, and now Submit Report with the 3 option, and I'm going to plug in those two hundred A's. OK, look down here, we have a segmentation fault. So if you're familiar with my past courses you know what this means: we're going to have to create a custom buffer overflow exploit. And since we have remote access to the service, we could potentially get a nice reverse shell with elevated privileges.
First we're going to have to run a Ruby script called pattern_create to generate a unique pattern of 200 characters, because that's how many characters it took to crash the application, and we're going to find the extended instruction pointer, or EIP, which is going to tell the binary which command to execute next. And it is necessary information to exploit this binary. So we're gonna type in locate pattern_create. And here it is, just plug that in, specify a length of two hundred. OK, now I'm going to use the GNU debugger, GDB, which is a command-line debugger that is built into Kali Linux, and I'm going to type gdb agent. That's going to start the binary agent within GDB. Now we're going to run the binary, and we know the agent ID now, so we can go in there, submit report, and we're going to plug in that string of 200 characters here. OK, so now we know the value with which the EIP was overwritten, which is right here. So we need to document this information and keep on moving. Now we're going to use pattern_offset to calculate the pattern offset, which is going to be shown to you right now. locate pattern_offset, and we are going to use that value which was just discovered with the -q switch, and it is going to calculate the pattern offset. Okay, we have a pattern match at 168. Armed with this necessary information, let's continue our exploit development. First we're gonna have to create some malicious shellcode with msfvenom. So I had this command here. We're going to use a Linux reverse shell payload which is in the 32-bit architecture, and we have our local host, which is gonna be the Kali IP, and we have the local port, which is going to be 4448, format of Python, and we are specifying some bad characters. So we haven't actually searched for bad characters for this particular binary.
However, we know that the null character, or \x00, is always bad, and these are commonly bad: \x0a for a line feed and \x0d for a carriage return. And we're just going to specify those as bad characters and create our malicious shellcode with msfvenom. OK, now what we're gonna do is use objdump and try to find a vulnerable jmp or call to execute shellcode at EAX. This is necessary; otherwise we will not have an address to instruct the binary to execute our shellcode. So what we're gonna do is type in objdump -D, then the name of the binary, which is agent, and we're going to pipe that to grep and search for jmp, then pipe that to another grep searching for eax. OK, no luck there. Let's change the jmp to call. All right, we have an address here. Now we can use this address and reverse it and put it into byte-code format in order to instruct our exploit to execute shellcode at that specific address. I'm going to show you exactly how to do that. I've already written up a Python script, which is on my GitHub page, so I'm gonna walk you through how to change that in order to get it to work for you. OK, so jump over to Firefox real quick. Here's my GitHub page. I have a Python script called agentsploit, so I'm just going to view that in Raw. Copy that, and we are going to make a new file, agentsploit.py, and paste that in there. Let's take a look at this. So we have the 168 A's minus the length of the buffer. Go up a little bit. So you're going to have to replace this with the shellcode that you have generated. And I already have the address here that was converted, the call eax address. It was converted from the format that we discovered with objdump and it has been reversed.
As you can see here, it's converted into byte code. Now we have some arguments, which are going to be the server and port, so we can just specify the target, and the port is going to be 7788. And I created some s.connects here. So s.connect: it's first gonna ask us for the agent ID, which I put here, so it's going to automatically enter the agent ID. It's going to receive the response, which is going to ask us which entry we want, and that's going to be 3 to choose Submit Report, and then it's gonna send the buffer, or send the buffer overflow. And that should get us a reverse shell. But first, obviously, we need to have netcat running. So let's do that first. Actually, I'm going to have to replace the shellcode, because this is going to be different for me as well; I have a different IP address. So I can use that to get it. All right, so just remove that and replace it with msfvenom's output. Save that. Let's get another terminal going. Going to type in nc -lvp 4448. OK, so what we want to do here: python agentsploit.py, IP address of the target, and the port, which was 7788. So this should exploit, over the wire, the buffer overflow that we have done locally, because now we have opened that port with port knocking and we have the listener over here. Let's see if it works. Perfect. So now we have a root shell. Let's go ahead and use our trusty Python code to make it a TTY shell. Oh, interesting, so that did not work. Let's try that. That didn't work either. So it's giving us some problems here. Fair enough, we'll use that. So anyway, let's go to /root and we have our flag and something called TheEnd.txt. Very good. Just for fun, let's see what is in this base64-encoded string. You can just do that with the command line: Ghost Protocol. OK, well we're done here. Got root privileges and we are ready to go on to the last lab.