The exploitation of the Pulse VPN application to gain full control of the VPN server. Dumping credentials from the VPN server to spray across the Cloud services for pivoting and other on pr
Dear readers, this is DhaneshDhanesh Dodia on DhaneshDodia another side of the screen and I hope you’re doing good on your side of the screen. Sit tight for the next few minutes you’re gonna have fun😜. The company name is confidential so let’s call our target redacted.com and RTO (Red Team Operation).
Scope & Background: The Red Team engagement highlights real-world risks by simulating an attacker who is targeting an organization. Hence, the first week of activities was mostly conducted to identify the internet-facing assets by using multiple tools and approaches. As this Red Team engagement was conducted during the initial period of COVID it was performed remotely. The company literally belonged to a different country. In this RTO the goal was to get access to confidential business data and successfully exfiltrate it under the radar. During the Recon phase, I noted that the company was using a Hybrid Multi-Cloud model infrastructure, where few assets were present on the cloud and few on-premise servers. Hence, I decided to follow the ‘Cloud Matrix’ and the general ‘Matrix for Enterprise’ approach.
Approach: The RTO was carried out leveraging the standard MITRE ATT&CK framework and Cloud Matrix framework.
Cloud Matrix
Reconnaissance: During the first week, I started analyzing and verifying the information. I initiated active scans using the Red-Teaming-Toolkit on the confirmed scope and started figuring out the potential critical/high-risk vulnerabilities. During this phase, I found multiple critical vulnerabilities on vpn.redacted.com (Special shout-out to Orange Tsai 👏) that could allow me to gain access to the company’s internet-facing servers and employee systems. At this point, I had numerous options to proceed further, we chose the best method based on dependencies. The way I chose didn’t require the company’s employees to click a link or download software, and hence dependencies were taken care of. I decided to use vpn.redacted.com to be the first door of opportunity for us to gain access to the company’s infrastructure.
Exploitation: Choosing the shortest path I started an attack on vpn.redacted.com, the primary virtual private network of the target company. Having a known vulnerability in the Pulse VPN application, it was possible to gain complete access to the server. While the server was under our control, I decided to extract information such as User Credentials, Email Credentials, Outlook, SharePoint, Word, OneDrive, Microsoft teams, Microsoft 365, and other user credentials. Through some post exploitation tricks like session harvesting, I ended up having the Administrator’s account of the VPN application. Making use of the administrator account, I found all the credentials of each and every registered on the VPN.
Further based on the usernames found from the VPN application server and information gathered from O365, I brute-forced into ess.redacted.com, which was the HR portal, and revealed every single piece of information about the employees. At this point, I had enough access to perform any of the following actions on the company’s network infrastructure.
Access any user’s EmailAccess any user’s Microsoft 365 AccountAccess most of the User’s HR details such as Salary, Designations, etc. Send mail to anyone on behalf of the company’s employee Stop/ Delete/ Modify services on the VPN ServerModify VPN server in such a way that once any user tries connecting to the VPN, he allows us to gain access to his/ her system ultimately send Malware to other employees from a compromised account and much more.
Proof-of-Concept: During the passive reconnaissance phase, I found out that the Pulse Secure Virtual Private Network (VPN) service was hosted on the vpn.redacted.com domain.
This specific version of Pulse VPN had multiple known vulnerabilities which are quoted with their CVE (Common Vulnerabilities and Exposures) as follows:
1. Pre-Auth Arbitrary File Reading — CVE-2019–11510
2. Post-Auth Cross-Site Scripting — CVE-2019–11507
3. Post-Auth(admin) Command Injection — CVE-2019–11539
Using the Pre-Auth Arbitrary File Reading exploit we were able to read sensitive data present on the VPN server.
I ran the exploit multiple times during the day to collect credentials. Finally after sorting and saving the unique list that contained +50 credentials of different employees of that company. The list also contained Administrator credentials using which I was able to successfully log in. I made use of Post-Auth (admin) Command Injection — CVE-2019–11539 Vulnerability.
Encoded Command Injection Payload
/usr/sbin/tcpdump -d -r’$x=”ls /”,system$x# 2>/data/runtime/tmp/tt/setcookie.thtml.ttc /dev/null 2>&1
Decoded Command Injection Payload
tcpdump: $x=”ls /”,system$x#: No such file or directory
The about payload generates a valid .cgi at the page for us to execute our command setcookie.thtml.ttc and to execute the same I require to navigate to the /setcookie.thtml.ttc endpoint.
Boom !! At this point, I had full control over the VPN server 😸
Exploiting Office 365
Lateral Movement: As we had noted that the company is using O365 for mail communications, one drive, and share-point in their day-to-day work. We simply decided to brute force leveraging the collected credentials and utilized O365spray.
Further, I noted that the different employees reused similar passwords for their respective accounts and hence I decided to make a comprehensive list of emails and passwords to brute force. YES !!! that worked now I had access to +300 O365 accounts. At this point, I had access to the CEO, CTO, CRO, Network Admin, our SPOC, HR Admin so on and so forth.
Access to one of the employee’s O365 account
Moving ahead I already hold a lot of information about the company’s infrastructure and with that, I decided to break the HR portal. I navigated to the HR portal and noticed that the login fields expected ‘Employee-ID’ and ‘Password’. At this point, we were not aware of the Employee-ID, so I decided to have a look into the O365 mailbox of a few employees because generally, HR keeps sending emails to their employees. YES !!! I found a few Employee-ID’s and also understood the sequential pattern of Employee-ID. Again I created a comprehensive list of Employee-ID and passwords (Prior created password list was leveraged).
Successful Login Response
BOOM !!! 😸 I now had access to the Admin account and multiple other accounts with lots and lots of juicy information.
Key Learning & Final Thoughts: In this particular RTO there are a few key areas that are generic for all mid and small-sized companies:
Maintain an accurate list of asset inventory, identify internet-facing endpoints, and if any asset is added recursively add the same into the asset inventory list. Keep all the internet-facing assets up-to-date with security patches. Enable Two Factor Authentication and for stakeholders Multi-Factor-Authentication. Follow a strict password policy that forces the user to change the password every 45–60 days at least. Provide training to employees to keep them aware of general Cyber Crimes happening at an individual and at the organization level. Monitor your company’s brand across social media platforms, and monitor the company’s presence in data breaches.
If all this is taken care a proper timely basis then 70% of the problem is already solved. Yes, the rest of the problem could be an insider threat, and hence the RTO was continued for the internal network environment post government gave go-ahead guidelines to come out of the home. However, the internal part is not covered in this blog.
Thank you readers for holding patience and reading this long story, I hope you all liked it 😃