HTB CDSA
Certified Defensive Security Analyst by Academy. Get started now!
Machine Synopsis
Response is an Insane Linux machine that simulates an Internet facing server of a company, which provides automated scanning services to their customers. An `SSRF` vulnerability in the public website allows a potential attacker to query websites on the internal network. One of those internal websites is a chat application, which uses the `socket.io` library. Using some advanced SSRF techniques the attacker can access the internal chat application and retrieve the source code. The source code of the internal chat application reveals that the authentication is performed through an `LDAP` server. The attacker can change the `LDAP` server used by the application to one that he controls thus, performing an authentication bypass. Now, the attacker is logged in as the `admin` user on the internal chat application. The employee `bob` is willing to share sensitive information with the `admin` user including the credentials for an internal `FTP` server. The employee, also asks `admin` to send him a link, which he will open in his browser. This allows the attacker to craft and host a malicious Javascript payload, which queries the internal `FTP` server with the provided credentials by leveraging `Cross-Protocol Request Forgery`. Since the `FTP` server uses the `active mode` by default, data can be exfiltrated from the server to the attackers local machine. This data includes credentials for the user `bob`, which now can be used to access the box via `SSH`. Once on the box the attacker can inspect the automated scanning engine of the company, which is basically a `bash` script using `nmap`. This script retrieves the IP address of the servers supposed to be scanned as well as the email address of the corresponding customer via `LDAP`. The scan result is converted to a `PDF` file, which is sent to the customer's email address. One of the used `nmap` `nse` scripts (`ssl-cert`) is slightly modified introducing a directory traversal vulnerability. This vulnerability can be used to read arbitrary files by creating a malicious `TLS` certificate with a directory traversal payload on the `State or Province Name` field, running an `HTTPS` server using this certificate and adding an `LDAP` entry for this server, so that it is scanned and the payload gets triggered. To receive the results of the scanning process an email address must be placed on the LDAP info for this server while setting up both a `DNS` and an `SMTP` server locally to resolve the DNS requests. With this setup, an attacker can leverage this vulnerability to acquire the `SSH` private key of the user `scryh`. The user `scryh` has access to a recent incident report as well as to all the related files. The report describes an attack where the attacker was able to trick the server `admin` into executing a meterpreter binary. The files attached to the report are a core dump of the running process as well as the related network capture. The attacker is able to combine all the clues to decrypt the meterpreter traffic and retrieve a `zip` archive. The archive contains the `authorized_keys` file of the `root` user as well as a screenshot, which shows the last few lines of the `root` private SSH key. By extracting the `RSA` values `N` and `e` from the `authorized_keys` file and the `q` value from the partial private key, the attacker can re-create the private key of `root` and use it to login as `root` through SSH.
Machine Matrix