#RSAC
SESSION ID: TTA1-R01
FROM 123456 ON A STAGING TO A MULTIMILLION DOLLAR VC OWNED IN ~200 DAYS
Himanshu Sharma, Co-Founder, Bugsbounty.com
Aman Sachdev, Co-Founder, Bugsbounty.com
1. THE STAGING SERVER
Coupon management system – on a subdomain
BugsBounty.com
Simple login page
Tried SQL Injection
Tried bruteforce for 4 hours
Tried Voodoo
Tried Magic
User: demo   Password: 123456
2. POST SHELL RECON
Network, files, configs, source code etc.
A bug in the login logic:
On top of each page: if (!logged_in) { redirect back to login }
Rest of the code…….
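As an added illustration (not from the talk), here is that pattern in Python, assuming the defect is a redirect that is issued but does not halt the handler; the session shape and page body are constructed:

```python
# Added example (not from the talk). Assumes the staging bug was a redirect that
# did not stop request processing; session and page contents are constructed.

def render_coupons():
    # Constructed stand-in for the protected page body.
    return "coupon list: SAVE50, FREESHIP"


def vulnerable_page(session):
    """The slide's pattern: queue a redirect, then keep executing the page."""
    headers = {}
    if not session.get("logged_in"):
        headers["Location"] = "/login"   # redirect queued, but nothing stops here
    body = render_coupons()              # runs for anonymous requests too
    status = 302 if "Location" in headers else 200
    return status, headers, body         # 302 *and* the sensitive body


def hardened_page(session):
    """Return immediately after issuing the redirect; nothing below it runs."""
    if not session.get("logged_in"):
        return 302, {"Location": "/login"}, ""
    return 200, {}, render_coupons()


def leaks_body(handler):
    """Audit check: does an unauthenticated request get protected content back?"""
    status, headers, body = handler({})  # empty session = not logged in
    return status == 302 and headers.get("Location") == "/login" and body != ""
```

A browser follows the 302 and never displays the body, which is why this survives click-through testing; the full response is visible in an intercepting proxy or with curl.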
3. MORE RECON…
This time on the prod
A bug in the login logic:
On top of each page: if (!logged_in) { redirect back to login }
Rest of the code…….
/etc/hosts
4. THE REDMINE FORUM
Internal helpdesk for IT queries
Searching for the keyword “password”
• We found a query – “I forgot the password of my Gmail account. Can you reset it?”
• Response – “Hi, the password has been reset to the default one – company_name@2016”
Searching for the keyword “password”
• We had the password but not the email, so we bruteforced
• Scraped all employee names from the forum
• Tried a few patterns: [email protected], [email protected] > THIS WORKED!!
• We got into the official Gmail account of the person who requested the reset
• BONUS – 4 more accounts seemed to be working, but there was a problem
Google detected a suspicious Sign-in
Solution – More Recon
• Pulled up footprints w.r.t. their names
• LinkedIn, Google, Yellow Pages and of course Facebook
Fetch Information from forum about different users
Vendor Details
VPN Credentials
Meanwhile testing other apps
The following URL validates the login with an auth key
The following URL generates an auth key in the response
Capture the auth-token generation request, send it to Burp Intruder and generate 9999 tokens
Step 4: Navigate back to the app, enter victim’s mobile number and press Submit.
Step 7: For the auth token use the list saved earlier, and for the OTP use a number list from 1000 to 9999.
OBSERVATION
Step 8: Start the brute-force attack; the correct OTP shows up as the request with the smallest response size. In this example the correct OTP is 8807, and a “You are logged in” message is displayed in the response.
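The server-side counterpart, as an added example that is not from the talk: an OTP verifier that removes each condition the Intruder run above depends on (reusable tokens, an unbounded number of guesses, a 4-digit space and a per-outcome response). The class, its method names and the sample data are constructed.

```python
# Added example (not from the talk): a server-side OTP verifier built against the
# weaknesses the Intruder run above relies on. Constructed data, assumed API.
import hmac
import secrets
import time

MAX_ATTEMPTS = 5     # a challenge dies after this many guesses
TTL_SECONDS = 300    # or after five minutes, whichever comes first
FAILED = (False, "Verification failed")   # identical for every failure reason


class OtpStore:
    def __init__(self, now=time.time):
        self._now = now
        self._live = {}   # auth token -> challenge state

    def issue(self, phone):
        """Fresh unguessable token per request, bound to the number it serves.
        The OTP is returned here only so the caller can send it by SMS; it
        must never appear in the HTTP response that carries the token."""
        token = secrets.token_urlsafe(32)
        otp = "%06d" % secrets.randbelow(10 ** 6)   # 6 digits, not 4
        self._live[token] = {"otp": otp, "phone": phone, "tries": 0,
                             "issued": self._now()}
        return token, otp

    def verify(self, token, phone, guess):
        ch = self._live.get(token)
        if ch is None:
            return FAILED
        if self._now() - ch["issued"] > TTL_SECONDS or ch["phone"] != phone:
            del self._live[token]                 # burn the challenge
            return FAILED
        ch["tries"] += 1
        if ch["tries"] > MAX_ATTEMPTS:
            del self._live[token]                 # guess budget exhausted
            return FAILED
        if hmac.compare_digest(ch["otp"], str(guess)):
            del self._live[token]                 # single use
            return True, "Verification succeeded"
        return FAILED


def brute_force_survives(store, phone, wrong_guesses):
    """Replay the slide's attack shape (many guesses, real OTP last) and
    report whether the real OTP is still accepted afterwards."""
    token, otp = store.issue(phone)
    for g in wrong_guesses:
        store.verify(token, phone, g)
    return store.verify(token, phone, otp)[0]
```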
POST /mics/j_spring_security_check HTTP/1.1
Host: XXX
Referer: https://XXX/mics/login.jsp
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

j_username=x'and+concat('1','1')='1&j_password=p
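To show why the j_username field above behaves this way, here is an added example (not from the talk) that replays two inputs against a constructed SQLite users table, first through a string-built query and then through a parameterized one; the schema and the SQLite-flavoured payload variants are assumed.

```python
# Added example (not from the talk): the j_username injection above replayed
# against a constructed SQLite users table, once through string-built SQL and
# once through a parameterized query. Schema and payload variants are assumed.
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return db


def login_vulnerable(db, username, password):
    # Form fields pasted straight into the statement text.
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return db.execute(sql).fetchone()


def login_parameterized(db, username, password):
    # Placeholders: the driver sends values separately from the statement.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()


# A lone quote mirrors the slide's probe: on the vulnerable build the quote
# breaks out of the literal and the statement no longer parses.
UNBALANCED_QUOTE = "x'"
# The same break-out turned into a tautology plus a line comment, which
# discards the password check entirely.
TAUTOLOGY = "admin' AND '1'='1' --"


def probe(login):
    """Run both inputs through a login implementation; report what happened."""
    db = make_db()
    try:
        login(db, UNBALANCED_QUOTE, "p")
        quote = "ok"
    except sqlite3.OperationalError:
        quote = "error"       # the 500-style tell that input is parsed as SQL
    row = login(db, TAUTOLOGY, "p")
    return {"quote": quote, "bypass": row[0] if row else None}
```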
Payment Gateway bypass – Free orders – Yay!
Normal ways:
Response change
Amount change in request
Negative values
IDORs
Parallel request confusions etc
None of these worked. But then something did.
Jenkins CI – Script Console
Development Details
/etc/passwd
Other Sensitive Files
Redis KeyStore
The remote Redis host is running without any authentication. This gives complete root access to the server, including the configuration files.
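An added example (not from the talk) of the configuration review that would have caught this: a small redis.conf audit that flags a missing requirepass, a listener on all interfaces, disabled protected-mode and a reachable CONFIG command. The directive names are real Redis settings; both sample configs are constructed.

```python
# Added example (not from the talk): a redis.conf audit for the exposure the
# slide describes. Directive names are real Redis settings; the configs are constructed.

def parse_redis_conf(text):
    """Last value wins per directive, except rename-command, which may repeat.
    Blank lines and lines starting with '#' are skipped, as redis-server does."""
    conf, renames = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        if name.lower() == "rename-command" and len(args) == 2:
            renames[args[0].upper()] = args[1]
        else:
            conf[name.lower()] = args
    return conf, renames


def audit_redis_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    conf, renames = parse_redis_conf(text)
    findings = []
    pw = conf.get("requirepass", [])
    if not pw or pw[0] in ('""', "''") or len(pw[0]) < 16:
        findings.append("no or weak requirepass: anyone who reaches the port is admin")
    if any(b in ("0.0.0.0", "::", "*") for b in conf.get("bind", ["0.0.0.0"])):
        findings.append("bound to all interfaces (no bind directive, or bind 0.0.0.0)")
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode disabled")
    if "CONFIG" not in renames:
        findings.append('CONFIG command reachable; rename-command CONFIG "" disables it')
    return findings


# Constructed: roughly the state the slide describes.
WEAK_CONF = """
port 6379
protected-mode no
"""

# Constructed: the same server after hardening (the password is a placeholder).
HARDENED_CONF = """
bind 127.0.0.1
port 6379
protected-mode yes
requirepass 7f9c2a1d4e6b8c0f3a5d7e9b1c2d4f6a
rename-command CONFIG ""
"""
```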
The team found a file ‘.dockercfg’.
OBSERVATION
BUSINESS IMPACT
List of Dockers
Another Redis
history
14 million records
Amazon S3
Hunted for buckets: company-name, company-name-appname, companyname_images etc.
S3 Buckets
Personal Identification Documents
Customer Data – 3.2 Million
Tricky SQLs
False-positive check for boolean-based injection (sqlmap's checkFalsePositives logic), as shown on the slide:

    checkBooleanExpression("%d=%d" % (randInt1, randInt2))           # warm-up request, result intentionally ignored
    if checkBooleanExpression("%d=%d" % (randInt1, randInt3)):        # this must not be evaluated to True
        retVal = False
        break
    elif checkBooleanExpression("%d=%d" % (randInt3, randInt2)):      # this must not be evaluated to True
        retVal = False
        break
    elif not checkBooleanExpression("%d=%d" % (randInt2, randInt2)):  # this must be evaluated to True
        retVal = False
        break
    elif checkBooleanExpression("%d %d" % (randInt3, randInt2)):      # this must not be evaluated to True (invalid statement)
        retVal = False
        break
Another Case
Free transport!
What Driver sees
The network
BEST Process to Migrate to
McAfee HIPS
Mimikatz + psh
Bonus Case Studies
Wrapping Up
Found a Reporting Portal of VC
SQLi -> Admin Panel
Found a configuration panel with DB credentials
WIN ?
Apply Slides – For Pentesters
Enumerate, enumerate, enumerate – throughout the VAPT exercise. Try not to leave any stone unturned; this lets you find more loopholes and assess greater damage.
Always analyse/debug exploit code before running it.
Tools on default settings are not always efficient; go through each and every switch in the documentation and see how you can tweak the tools.
If you feel a tool isn’t giving the intended response, debug it, intercept the requests with a proxy, and understand what it is trying to do.
Default passwords still work. Assess username and password patterns and use password generators and brute force. It works!
APIs in mobile applications very often have authentication/authorization flaws. If it’s patched on the web interface, check the mobile app.
Think like a lazy developer/sysadmin: what would you do to build business logic in the laziest way? Then think about how that can be exploited.
Try gaining access to data that will lead you to more data – for example: email accounts, AD controllers, ACL panels, configuration panels, datastores etc.
Start incorporating a (safe) red-teaming approach while security testing. Standard VAPT is not so fruitful anymore.
Apply Slides – For Developers, Sys Admins and Business Architects
Run services with the least required permissions. Definitely not as root!
Deploy proper authentication and authorization with strong passwords on all services, whether internal or external.
Clear terminal histories after working on servers.
Stop sharing critical information sets together. For example, if you have to share login credentials, send passwords via SMS/call and usernames via email. While sharing SSH key files, do not send passwords/server IPs via the same medium.
Just because no one knows about it doesn’t mean no one will find it! Deploy IP filtering, ACLs and other authorization mechanisms on assets that are not supposed to be public.
Change all passwords, change them again, keep changing them. Never repeat passwords, and especially make sure to change the default ones after installing a software solution that didn’t ask you to configure a custom password.
Treat mobile apps as HTML code. No critical information like keys, passwords, tokens etc. should be written in the Android/iOS code, nor should any critical business logic like authentication, checksums, input filters, data validation etc. be implemented via the front-end, i.e. the mobile app.
2FA everywhere possible.
SPM – Server Patch Management – Develop an infrastructure to document all assets, the services running on them and their exact versions. Once that’s done, check for CVEs for those versions at regular intervals and deploy patches. Maintain logs for the entire activity.
Put the necessary alarm bells in place. Even if an attacker is able to get inside your infrastructure, he/she should not be able to move around without triggering alerts. A simple example is enabling login alerts on all critical accounts and servers.
Initiate a bug bounty program if you haven’t already, because crowdsourcing is the ultimate form of security. Your security is only as good as the best hacker that has tested you, so make sure you try a good bunch of them.
Always have 2-factor authentication on Emails
Never share passwords across emails
Never run DB service as root
Business logic process should be carefully tested
Use authentication on redis
Clear command history?
Company_name@2016 is definitely not a good password.
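An added example (not from the talk) of turning that last point into a check a helpdesk or password-reset flow can run: it flags reset passwords of the Company_name@2016 shape by undoing common symbol-for-letter swaps before looking for the organisation's name, a year, and the word-plus-year template. The swap table, token list and test values are constructed.

```python
# Added example (not from the talk): a banned-pattern check for reset/default
# passwords of the Company_name@2016 shape. Swap table and inputs are constructed.
import re

# Common symbol-for-letter substitutions, undone before matching (assumed list).
_SWAPS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})


def _normalize(text):
    # Lower-case, undo swaps, then drop everything that is not a letter or digit.
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(_SWAPS))


def default_pattern_reasons(pw, org_tokens):
    """Return why a password looks like a shared/default pattern ([] if clean).

    org_tokens: names the organisation goes by ("Company Name", "compname", ...).
    """
    raw = pw.lower()
    norm = _normalize(pw)
    reasons = []
    for tok in org_tokens:
        t = _normalize(tok)
        if t and t in norm:
            reasons.append("contains organisation name '%s'" % tok)
            break
    # Year check runs on the raw string: the swap table would turn 2016 into 2oi6.
    if re.search(r"(19|20)\d{2}", raw):
        reasons.append("contains a year")
    # word + optional separator + year: Company_name@2016, Welcome2017, ...
    if re.fullmatch(r"[a-z][a-z_]*[^a-z0-9]*(19|20)\d{2}[^a-z0-9]*", raw):
        reasons.append("word/year template")
    return reasons
```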
Thank you!
[email protected]@bugsbounty.com
Himanshu Sharma: @himanshu_hax, 0xhimanshu
Aman Sachdev: AmanSachdevv, amansachdev
Questions?