The Story of a Blind SSRF That Leads to Internal Host Discovery


Background 

After reading lots of tweets on SSRF, I decided to test only for SSRF in bug bounty. Generally I work on the Synack platform because of its precise scope and response time. I love HackerOne too, but due to limited resources and a lack of automation I fail at (and hate) doing lots of discovery work. Whether it is content discovery or asset discovery, I hate both, lol. Sometimes it takes too long on my Intel Core i5 with 16 GB RAM and a 20 Mbps connection just to discover an asset or some content, hence I prefer to have a defined scope for testing, so that I can spend more time sharpening my testing skills than my discovery skills.

Approach

Since on this platform too there are many targets and many skilled researchers, you have to be very specific while selecting targets. It is really hard to believe, but a bug submitted 20 minutes after a target goes live can be a dup, and the bug identifier says your bug id is targetname-13.

I mean, what?! 13 bugs in 20 minutes. How can someone even open Burp and set up the target in 20 minutes?

So that's a different pain altogether. Also, when selecting a target on Synack you have to keep a few things in mind; they hurt bug bounty hunters a lot at first, but later you get used to them.
  • "PoC || GTFO": if you use words like "potential", "which can be used" or "an attacker can later", it means your bug is rejected.
  • "Out of scope" is much wider than the acceptance criteria.
  • Low hanging fruits are best described in one picture..


  • Don't be surprised if bugs which pay nice $$$ on other platforms get rejected.
  • The technology stack is extremely out of the box... sometimes it takes too long to understand.
  • Scope... You have to be in scope. It doesn't matter if you get RCE on another subdomain or an OOS endpoint ;)

OOS means OOS, even if it's RCE on a different endpoint.
So keeping all of the above in mind, I am almost sure every time that I either have to find something out of the box or something obvious which was missed by our highly skilled Synack Red Team members.

Keeping everything in mind, I always select a target which has a Blitz



because, as you know, when you are going to war and are not sure whether you will return, you choose the toughest target to defeat.

Assessment

So I selected the target which had a Blitz and whose last reported vulnerability was 3 months ago; I took this as good luck and started. After application mapping, content discovery and complete enumeration of the target, I started fuzzing every parameter for SSRF. Sounds silly, but yes, only SSRF.

  • First approach: SSRF via XXE via file upload
On this target there was Excel parsing, so the first thing that came to mind was to achieve SSRF via XXE via file upload. I created an xls file with a basic payload, uploaded it to the application and waited for a while, but no luck. Then multiple manipulated payloads were created and uploaded, but still no luck..

Then I gave up on this option.

  • Second, irrespective of the parameter and its purpose, I started shooting SSRF payloads at every parameter, i.e. monkey testing.


This also didn't work, as all the parameters were nicely sanitized.


Wait.. something is there..


So when I was fuzzing the application with some non-obvious values like -10, it was making a call to /api/sentry.
Hmmmm, lots and lots of parameters here, and it smelled like something good. The request looked like this; I changed the filename parameter to my Burp Collaborator client id.


And I was hopelessly looking at my Collaborator client when, unbelievably, I saw a request from xxx.xxx.xx.xx to my Collaborator client.


So I took the request to Repeater and replayed it, but no luck. Then I took many of the recent requests to Repeater and tried replaying them, but again no luck.

  • First I thought that maybe the sequence of requests matters, like first it was making an OPTIONS request to /api/sentry and then a POST request, so I tried that, but no luck.
  • Then I thought that out of the many sentry requests only a few might have the power to trigger the SSRF, so I started again from scratch. Again I was able to see only one request, and after replaying it in Repeater, again there was no SSRF.
  • Then I started comparing 2-3 requests bit by bit.

And I came to know that all requests were being tracked by "event_id". The moment I changed a character of the event_id, it hit my Collaborator client again.

Setting the attack

I sent the below request to Intruder.


Getting the Payloads

Now click on Burp > Burp Collaborator client; it will open the Collaborator window. Change the number to generate to 50 and click "Copy to clipboard".

Final Attack setup

Now navigate to our attack and select the Positions tab. Here select two positions: one is the filename parameter and the second is the event_id parameter. Now it will look like below:
"filename":"https://§x422hnxyxutjb4dsi0yne38b72dt8hx.burpcollaborator.net§"

"event_id":"§bd60122cedbd41728414a0f6400db3e1§"
Now move to the Payloads tab. In payload set 1 select the payload type "Simple list" and paste the URLs which we got from the Collaborator client; in payload set 2 select "Brute forcer" and change the minimum length from 4 to 32 and the max length to 32.

Payload For Filename Parameter

payload For event ID

And now start the attack....

Love for 200 OK

Boom Boom...

As soon as I started the attack I got many requests on my client.




After final analysis I came up with 25 internal Amazon IP addresses from which the requests were made.
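The server-side fix for this class of bug is to validate the destination before anything is fetched. This is an added example, not code from the post or from the target: a Python check for a user-supplied fetch URL such as the filename parameter above, which rejects non-http(s) schemes and any host that is, or resolves to, a private, loopback or link-local address (the cloud instance metadata address 169.254.169.254 falls in the last group). The injectable resolve parameter is my assumption, added so the check can be exercised without DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def _resolve(host):
    """Default resolver: every address getaddrinfo returns for host (a network call)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_blocked_ip(ip_str):
    """True for any address an app server should never fetch from on a user's behalf."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped:       # ::ffff:10.0.0.1 is really 10.0.0.1
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_fetch_target(url, resolve=_resolve):
    """Return (ok, reason) for a user-supplied URL, before any connection is opened.
    `resolve` is injectable so the check can be tested without DNS."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "userinfo in URL"
    try:
        addrs = {str(ipaddress.ip_address(host))}   # plain IP literal, no lookup needed
    except ValueError:
        # Hostnames (and odd forms such as a decimal IP) go through the resolver,
        # so the decision is made on what the fetch would actually connect to.
        try:
            addrs = resolve(host)
        except OSError:
            return False, "unresolvable host"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"resolves to non-public address {addr}"
    # The HTTP client must then connect to one of `addrs` rather than re-resolve,
    # otherwise a DNS answer that changes between check and fetch defeats the check.
    return True, "ok"
```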

So, looks nice; I went ahead and reported this bug to the platform. And guess what, it was declared OOS.


Then we had a small conversation over whether this is a valid bug, blah blah, and I provided some references.

But finally the platform wins; they categorized this into two parts:
    1. Information disclosure of internal IPs, which is low impact.
    2. If we fire millions of requests towards any target then it's DDoS, which is OOS.

SO then 



During the same time, 3 old reports with CVSS 9/10 got marked as dups, so I decided to stop hunting for a while and do other stuff.

Happy hunting guys

Hope you love reading this....

-Kaustubh  


How to get the severity and CVSS score on the command line



Preface


Hi all,

While working on a project, I faced the challenge of obtaining the CVSS score and severity for multiple CVE IDs.

One option was to obtain them the lame way, visiting the MITRE page and noting them down in Excel, but in future I might have to perform this activity again.

So I gave it a try and wrote a script which fetches the CVSS 2 and CVSS 3 scores from MITRE and prints them in the terminal.

So here the journey began, for cve2rating.

Birth of cve2rating.py

  • cve2rating.py
A simple Python script which shows the CVSS 2 and CVSS 3 scores on the command line interface.

Sample 

python cve2rating.py  CVE-2017-1337

('CVE Details for', 'CVE-2017-1337')
CVSS Score 3 for CVE-2017-1337
CVE score is: 
                                                8.1
                                            
Severity for is: High
 CVSS Score 2 for CVE-2017-1337
CVE score is: 
                                                4.3
                                            
Severity for is: MEDIUM

I am looking for contributions to this tool. The concept is to pass a list of CVE IDs to the script, like we pass an IP list to nmap using the -iL flag, and the expected output is below.

CVE Details     | CVSS 3 Score         | CVSS 2 Score
                | Severity | Score     | Severity | Score
CVE-2017-1337   | High     | 8.1       | Medium   | 4.3
 
  • cve2rating.sh: Wrapper for cve2rating.py for running the tool on multiple CVEs and obtaining the CVSS 2 and 3 scores.
usage: ./cve2rating.sh cves.txt
Output: cat result.txt
('CVE Details for', 'CVE-2016-1337')
CVSS Score 3 for CVE-2016-1337
CVE score is: 
                                                8.1
                                            
Severity for is: High
 CVSS Score 2 for CVE-2016-1337
CVE score is: 
                                                4.3
                                            
Severity for is: MEDIUM
('CVE Details for', 'CVE-2016-1338')
CVSS Score 3 for CVE-2016-1338
CVE score is: 
                                                6.5
                                            
Severity for is: Medium
 CVSS Score 2 for CVE-2016-1338
CVE score is: 
                                                8.0
                                            
Severity for is: HIGH
('CVE Details for', 'CVE-2016-1339')
CVSS Score 3 for CVE-2016-1339
CVE score is: 
                                                7.8
                                            
Severity for is: High
 CVSS Score 2 for CVE-2016-1339
CVE score is: 
                                                7.2
                                            
Severity for is: HIGH
('CVE Details for', 'CVE-2016-1340')
CVSS Score 3 for CVE-2016-1340
CVE score is: 
                                                8.4
                                            
Severity for is: High
 CVSS Score 2 for CVE-2016-1340
CVE score is: 
                                                7.2
                                            
Severity for is: HIGH
('CVE Details for', 'CVE-2016-1341')
CVSS Score 3 for CVE-2016-1341
CVE score is: 
                                                9.8
                                            
Severity for is: Critical
 CVSS Score 2 for CVE-2016-1341
CVE score is: 
                                                6.9
                                            
Severity for is: MEDIUM

root@B3astPad:/data/tools/cve2rating# cat cves.txt 
CVE-2016-1337
CVE-2016-1338
CVE-2016-1339
CVE-2016-1340
CVE-2016-1341
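As an added example (not part of cve2rating itself), here is a parser for the result.txt format above that builds the per-CVE table requested earlier and checks every severity label against the CVSS rating scale (the v3.x qualitative table, and NVD's Low/Medium/High scale for v2), which catches a mislabelled score. The sample input is constructed in the tool's output shape; the CVE IDs are the post's dummies, not real scores.

```python
import re

# Constructed sample in the shape cve2rating.sh writes to result.txt; 1338's label ("Low" for 6.5) is deliberately wrong to exercise the check
SAMPLE_OUTPUT = """\
('CVE Details for', 'CVE-2016-1337')
CVSS Score 3 for CVE-2016-1337
CVE score is: 
                                                8.1
Severity for is: High
 CVSS Score 2 for CVE-2016-1337
CVE score is: 
                                                4.3
Severity for is: MEDIUM
('CVE Details for', 'CVE-2016-1338')
CVSS Score 3 for CVE-2016-1338
CVE score is: 
                                                6.5
Severity for is: Low
"""

HEADER_RE = re.compile(r"^CVSS Score (\d) for (CVE-\d{4}-\d{4,})$")
SEVERITY_RE = re.compile(r"^Severity for is:\s*(\w+)$")

def parse_cve2rating(text):
    """Return {cve: {"v3": [score, severity], "v2": [score, severity]}}."""
    results, cve, ver = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):           # starts a (cve, version) block
            ver, cve = "v" + m.group(1), m.group(2)
            results.setdefault(cve, {})[ver] = [None, None]
        elif cve and re.fullmatch(r"\d+(\.\d+)?", line):   # the indented score line
            results[cve][ver][0] = float(line)
        elif cve and (m := SEVERITY_RE.match(line)):
            results[cve][ver][1] = m.group(1).capitalize()   # MEDIUM -> Medium
    return results

def severity_band(version, score):
    """Qualitative rating: the CVSS v3.x table, or NVD's Low/Medium/High scale for v2."""
    if version == "v3":
        bands = [(0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical")]
    else:
        bands = [(3.9, "Low"), (6.9, "Medium"), (10.0, "High")]
    return next(name for limit, name in bands if score <= limit)

def render_table(results):
    """One row per CVE, as the post asks for, plus a label-vs-score sanity check."""
    fmt = "%-15s %-9s %-5s %-9s %-5s %s"
    rows = [fmt % ("CVE", "v3 sev", "v3", "v2 sev", "v2", "check")]
    for cve, d in results.items():
        cells, bad = [cve], []
        for ver in ("v3", "v2"):
            score, sev = d.get(ver, [None, None])
            cells += [sev or "-", "-" if score is None else "%.1f" % score]
            if score is not None and sev and severity_band(ver, score) != sev:
                bad.append(ver)
        rows.append(fmt % tuple(cells + ["mismatch " + ",".join(bad) if bad else "ok"]))
    return "\n".join(rows)
```

To use it on a real run, pass the contents of result.txt to parse_cve2rating and print render_table on the result.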

NullCON #ackIm CTF 2017 Write-Up (Web-1)



We are always excited for the #ackIm CTF.

I have been playing this CTF since 2k12, and this is one of the best CTFs I have ever played. So let's not waste time and start the journey.


When you log in to the portal you find the below details.

Obviously the first step is to hit the WEB challenge, because I assumed it would be easy, but that assumption got killed brutally.


So the challenge was:

Chris Martin wants to go home. Can you help him get there as soon as possible?
And the URL, which asks for a username and password.

After looking at the source code I noticed that my scroll bar was too long.




At the end, I thought I had found the flag.


And I thought it was easy, but it wasn't the flag.

It was a base64 string which decodes to an MD5 hash.

Base64 --> MD5 --> Coldplayparadise.


This time I was sure that this must be the username/password.


When I put this in as the username and password,

it gives me

Mismatch in host table! Please contact your administrator for access. IP logged.


A quick idea to add X-Forwarded-For: 127.0.0.1 gives you the first flag.




And The Flag is




The flag is: 4f9361b0302d4c2f2eb1fc308587dfd6



Yay, so finally we did it.

Hope you understand how my first assumption got brutally killed.



diff alternative for Windows

Dear all,


Background: You must be wondering why I am writing this, but believe me, when you have only a Windows environment without internet access it is a hell of a lot harder to find a difference.

Scenario: You have two csv/text/xls files with more than 10k lines and you need to find the difference between them. The condition is that you have only a Windows machine, and that too without internet access.

...So after googling on my cellphone I came across a command called fc, which saved my life ;) from performing too many manual checks by automating the whole task.


Example: We have two files with the below data

File 1                          File 2

This data is same               This data is same
This data is missing


Now see how fc finds the difference




Note: White space makes a hell of a lot of difference in the result.






How to get a registry value using cmd

Hi all,

While I was working on some automation, I came across a situation where I needed a registry value to validate in a script. So the hunt began; I guessed by simply typing the reg command in cmd, and wow, the command turned out to be valid.

Reg /?

So after looking at the help I understood that either export or query would help me.

The task was to get the firewall state of Windows, so after googling I got the below path:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\

Then running reg query <path-to-query> got the expected output:

C:\>reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\Dom
ainProfile\

 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
    DisplayNotification    REG_DWORD    0x1
    DefaultInboundAction    REG_DWORD    0x1
    AllowLocalIPsecPolicyMerge    REG_DWORD    0x1
    AllowLocalPolicyMerge    REG_DWORD    0x1
    DefaultOutboundAction    REG_DWORD    0x0
    EnableFirewall    REG_DWORD    0x0



Simply using findstr gives us the expected output:

C:\>reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\Dom
ainProfile\ | findstr /i "Enable"

    EnableFirewall    REG_DWORD    0x0





So using reg query you can query any registry key, and using reg export you can export the key into a specific file.
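The post's PowerShell script is not reproduced above. As an added example (not the author's script), here is a Python equivalent of its check that parses the reg query output shown earlier instead of reading the registry directly, so it runs on any machine; on the Windows host you would feed it the stdout of reg query. It assumes reg query separates the name, type and data columns with four spaces, and note that the Policies key reflects Group Policy enforcement and is absent when no policy applies, which the check reports as None rather than as "disabled".

```python
import re

# Constructed sample: the `reg query` output shown in the post (values as printed there)
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
    DisplayNotification    REG_DWORD    0x1
    DefaultInboundAction    REG_DWORD    0x1
    AllowLocalIPsecPolicyMerge    REG_DWORD    0x1
    AllowLocalPolicyMerge    REG_DWORD    0x1
    DefaultOutboundAction    REG_DWORD    0x0
    EnableFirewall    REG_DWORD    0x0
"""

DOMAIN_PROFILE = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile"

def parse_reg_query(text):
    """Parse `reg query` output into {key_path: {value_name: (type, data)}}.
    REG_DWORD/REG_QWORD hex strings become ints; other types are kept as text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.lstrip().startswith("HKEY_"):      # a key header line
            current = line.strip()
            keys[current] = {}
        elif current is not None and line.startswith("    "):
            # value lines are "<name>    <type>    <data>"; names may contain spaces,
            # so split on runs of four or more spaces rather than on any whitespace
            parts = re.split(r" {4,}", line.strip(), maxsplit=2)
            if len(parts) < 2:
                continue
            name, vtype = parts[0], parts[1]
            data = parts[2] if len(parts) == 3 else ""
            if vtype in ("REG_DWORD", "REG_QWORD"):
                data = int(data, 16)
            keys[current][name] = (vtype, data)
    return keys

def domain_firewall_policy_state(keys):
    """True/False from the policy's EnableFirewall DWORD, or None when the value
    (or the whole key) is absent, i.e. no Group Policy is enforcing the setting."""
    entry = keys.get(DOMAIN_PROFILE, {}).get("EnableFirewall")
    return None if entry is None else entry[1] == 1
```

On Windows, subprocess.run(["reg", "query", DOMAIN_PROFILE], capture_output=True, text=True).stdout is the text to hand to parse_reg_query.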


Below is a quick PowerShell script which verifies the key value.

Script:




Sample Output:



-Kaustubh


How to verify Windows credentials using the command line

Hi all,

We were working on an assignment where we had a requirement to verify credentials using the command line.

After fighting a lot with the net command, I came to the conclusion that we can map a domain default share using the net use command.

So, a simple script which tries to authenticate to the domain with the given credentials using net use.

Script:



Note: the password is not masked in the script.

Sample Output:




-Kaustubh


How To Get Windows Audit Policy Using Command Line

Hi all,

A quick tip for Windows cmd lovers.

Fetching the audit policy is always a pain; many of us are not aware of the small Windows command line utility called auditpol.

Auditpol 

Auditpol is a simple command line utility which gives us the audit policy in Windows.

Usage

auditpol


Auditpol gives us a complete, detailed view of the audit policy. It follows the below syntax:

auditpol <command> (get/set/list/backup/restore/clear/remove) [optional: user/domain] category, subcategory

As a first-time user we are not aware of the categories, so the first task is to find the categories.

auditpol /list /category : This gives us the categories present on the server
Account Logon
Account Management
Detailed Tracking
DS Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System

The same way we can list the subcategories:

auditpol /list /subcategory:"Account Logon"

Now we will see how to fetch the values of the policy using auditpol:

auditpol /get /category:"Account Logon","Logon/Logoff"


Note: You can list one or more categories using comma separated values.

Happy Auditing.. :)

OverTheWire Natas Solution Level 1-10

After completing Bandit I could not stop myself from playing Natas. This is again a beautiful game, so here we go.

Natas Level 0

Given:

Username: natas0 
Password: natas0 
URL: http://natas0.natas.labs.overthewire.org

Solution 
After logging in to this page you will get this


Simply viewing the source will give you the password for the next level


Password for natas 1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto


Natas Level 1

Given:

Username: natas1
URL:      http://natas1.natas.labs.overthewire.org


Solution 

After logging in here it shows that right click is disabled; as I don't use the mouse, I just press CTRL+U.


It gives us the password.


Key: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

Natas Level 2

Given 

Username: natas2
URL:      http://natas2.natas.labs.overthewire.org

Solution

After logging in here it says nothing is here; the next step is to view the code.


Hmm, here I found something suspicious in /files/pixel, so I just listed the contents of /files.
 
User.txt gives us the password.
 
NATAS Level 3

Given 
Username: natas3
URL:      http://natas3.natas.labs.overthewire.org

Solution
After logging in here it says nothing.

After viewing the source code it shows "Even Google can't find this". The first thing that clicked in my mind was robots.txt, and it was a correct guess.


Here you will get the path to the key




And the key is here
Key: Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

NATAS 4

Given 
Username: natas4
URL:      http://natas4.natas.labs.overthewire.org

This level is fairly easy. When you log in with the credentials you will get this
 
This clearly tells us to change the Referer to the given URL; once you change the header you will get the key.


Key: iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq


NATAS 5

Given 
Username: natas5
URL:      http://natas5.natas.labs.overthewire.org

In this level, once you log in with the credentials, it says you are not logged in.
 
With a little bit of webapp knowledge, the first thought that came to mind was to check the cookie, and it pointed in the right direction: ctrl+shift+i > alert(document.cookie) shows loggedin=0; simply changing this to 1 gives the key.

Key: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

NATAS Level 6
Given 
Username: natas6
URL:      http://natas6.natas.labs.overthewire.org

Solution

As the levels get higher the game becomes more and more interesting. After logging in it asks you to enter a secret, and there is an option which says "view source code". I clicked on that and got a clue.



The source code clearly states that the secret is in includes/secret.inc

Entering that secret gives us the key for the next level


Key: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

NATAS LEVEL 7

Given 
Username: natas7
URL:      http://natas7.natas.labs.overthewire.org

Solution
This level also follows the same pattern, but with directory traversal. Logging in shows nothing.
 
Then the source code gives the path to the files.
Navigating to that path gives us the key to the next level


Key: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

NATAS 8

Given 
Username: natas8
URL:      http://natas8.natas.labs.overthewire.org

Solution
From here they start making the game a little bit tough. After logging in, it asks you to enter the secret.
When we glance at the code it shows that the secret is encoded using a PHP function, so the next step is to decode it using the same function: copying that code and changing encode to decode gives us the secret.
  
And that secret gives the key to level 9

Key: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

Natas 9

Given 
Username: natas9
URL:      http://natas9.natas.labs.overthewire.org

Solution
The real game begins here; the first hard task starts here. It asks you to find words containing

Looking at the code, what we understand is that a Linux command is executed without any sanitization, so let's get our hands dirty with RCE. Simply entering keyword; ls /etc/ gives /etc/natas_webpass/



Further, cat /etc/natas_webpass/natas10 gives us the key for the next level



Key: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

Natas 10

Given 
Username: natas10
URL:      http://natas10.natas.labs.overthewire.org

This time they added some sanitization, but the way to solve this is also cool.


The code shows that it will not allow & and ;, but we see that it uses preg_match, so let's try searching for .* /etc/natas_webpass/natas11 and hurray, we get the key.

Here is the key:


Key: U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK

Cheers

Enough for today now will write remaining tomorrow....

Stay tuned


