
All right, good morning. Hey, you guys doing well? Great, this is cool. Well, thank you. Come and hang out, come to my talk. I don't like to say "come to my talk" because that's under the premise that I actually succeed in delivering the talk to you, so thanks for coming to hang out; that's really the better move. This is "A Poor Man's Penetration Test," or "Automating the Manual." It is titled that way intentionally because this is kind of a cheesy trick or technique that your mileage may vary with, right? I'll have a little showcase or demo, or try to. I'll give it a vessel or some means to actually showcase what this thing is, but if you want to use this in a real, like, enterprise network, big-scale thing, again, I can't promise or tell you everything that might be particularly handy. I think it's a simple, unique thing. We'll just dive into it. Yeah, automate the manual.

So first of all, obligatory introductory slide. Hi, I'm John Hammond. During the day, my day job is a Red Team cyber operator, so supposed to be pentesting and offensive security and cool stuff like that. Previously I was a cybersecurity instructor with the Department of Defense Cyber Training Academy. Now I'm with the Defense Threat Reduction Agency, so gubby military sort of stuff, but the instructor side was a lot of fun and I hope helped with this sort of thing. Hopefully I can keep you guys awake, and we'll see if I end up asking you any questions, like, hey, this is a rhetorical thing, like I want you to answer, but forgive me if that's stupid or annoying; that's just my instructor side coming out. At night, in my free time, I like to do some capture-the-flag stuff. I actually have a capture-the-flag event that's running, happening right now, here for BSides Delaware. That's been online since the start of yesterday, and it's seemingly kind of nice and kind of fun. If you guys want to play, that's online, accessible anywhere; it's just that H digital i/o link, and you'll be able to find some challenges, some good stuff with that, with that cybersecurity capture-the-flag flair. I like to do a lot of wargames: OverTheWire, Hack The Box, some training exercises, stuff like that. And I have a cheesy YouTube channel to showcase some of those, like videos or walkthroughs or guides to do that.

Here's an agenda, here's what I hope we can talk about, and there are a lot of you, so we'll see how we do. First I want to kind of propose Hack The Box. You guys heard of that? Do you guys play, like, Hack The Box stuff? Cool. I want to use that as a driver and vessel, really, for what I'm going to showcase here, first of all because it gives us a really good means to get some quick remote code execution. Quick, easy, all right, we're on a box, we've got a victim, we've got a target we can interact and flip and play with. Then obviously that's done with a reverse shell most often, so I'll showcase how we can, okay, just quickly get a callback, now we're working with the machine, we'll stabilize it, and then I want to get into xte, and that is really the premise of kind of what this talk is: using that small utility that can help us automate some of the interactions that we have with our computer and that victim or that target. We'll get to that when it comes, but we'll talk about some regular pentest stuff: we'll talk about enumeration, we'll talk about exfiltration, a little bit of examples for persistence, what you could do. I wanted to throw in some lateral movement; it'd be cool to throw in some privilege escalation, but we have so much time. Hopefully we can still make this worthwhile, and obviously there's more you can do. I leave it to you if there's any kind of homework or extracurricular you're on the move for. We'll open it for questions, and if you want to reach me, all good.

So, Hack The Box, right? What is this, what am I doing? To answer: whatever IP address for a machine, Bashed, and that's a retired machine, so you might need that VIP account to be able to reach it or play with it. It's a Linux machine. That's really going to be my target, kind of my scope for this talk: Linux machines. I'm running a Linux machine; I'm on Ubuntu right now, just Ubuntu 19.04. I know, hey, normally we'd want to just use Kali. I tend to do stuff from my host, which may be good and bad, but Ubuntu will be handy for our repositories and some of the tools and techniques we're just going to grab real quick. So all I've done is added that Bashed machine, given it a quick domain name, thrown it into my /etc/hosts file so I can use bashed.htb to get to the machine real quick. You will need, of course, to be using an OpenVPN key to get in there, so you make that connection, make sure you can connect to it, and you'll see Hack The Box on its web page here, and there is that Bashed machine. If you guys are interested, or does anyone, has anyone already compromised this machine? Is it totally easy or new for anyone?

The access code to get into Hack The Box? Yes, yeah, the VPN key. If you need to, on the left-hand side there's an Access tab that will let you download those VPN key connections. Has anyone done this Bashed machine before? Okay, okay, whatever, no worries. The machine is simple. On their front-facing web page, you know, you do your typical nmap scan to see what ports and services are open. Port 80 is open, so you've got Apache or nginx running some web server that says, hey, we've got a blog for you, and there's phpbash. There's some nifty utility that this developer has created that helps a lot with pentesting, and it's just a simple web shell. What you could do, and more of the route to compromise the machine, is do some more enumeration. Okay, can I brute-force directories on that website? Can I run DirBuster or gobuster or any of those things? And you'll find one, /dev, like, oh, maybe the developer left some things on this machine, and you can see that phpbash actual script and utility that he left on there. I'll show you that here: this phpbash script is an interactive web shell. I could run ls or id or whoami or anything I wanted to. It just immediately gave me code execution on the machine. So super simple, maybe not immediately applicable to the real world, but a fine example, and that's all the premise of this talk. Does that work? Is that cool?
So if we had some code execution on that box, just simply granted to us by that web shell, what would we want to do? Maybe it's best to get a reverse shell, or some better use of it than just that web shell. There are a lot of different ways you could do this. The language that you choose for a reverse shell can be anything that you actually have access to. If this is the Linux machine running, maybe it has netcat we could use; it probably has Python we could use; it's on a web server, but we could use PHP if it will evaluate that, and we know that it's doing that right now. We actually see a directory that we have write access to in that uploads directory. We could highlight that and say, oh, maybe that's a location, a target we can move into.

Have you guys seen the pentestmonkey reverse shell cheat sheet? It's an awesome resource if you guys haven't seen it. Awesome pentestmonkey reverse shell cheat sheet: if you just Google "reverse shell cheat sheet" you can pull this up. Again, the syntax for different languages to actually get that reverse shell to call back to you varies, right, depending if you're in Bash or you're in Perl or Python or in Ruby or whatever the case may be, but this cheat sheet gives you small, super simple, and compressed one-liners you just copy and paste and slap right in. I had been goofing with this for a little bit; for some reason netcat wasn't coming out. We could do the PHP web shell, but the Python one seemed to work best, so let's try that. You do of course need a listener on your own machine, Kali or Ubuntu, to actually just stand by and catch that shell that comes back to you. So let's jam with that.
What am I doing here? Let's see. Sorry, yeah, yeah. What do those arguments do? Do you guys know off the top of your head?

I like to use -n because it says don't deal with domain names. Sometimes in some exercise environments we had, we would try and pull some virtual machines that just had the wrong IP address, and things were way, way broke. I'm just going to modify this a little bit so I can grab my IP address in here, because we do need to supply, of course, our actual location, the port that we're going to use. I like to use 9001, greater than nine thousand, the joke. Slap that in, and ideally, fingers crossed, we've got a shell on that box. Oh, I could run things like ls and id, interact with it the same way that I would a regular shell, and that's what we want to do as pentesters; we're doing that thing, we're operating on that machine. But this is kind of janky. You guys, working with the reverse shell right off the bat, you might be trying to use some commands, maybe you had a typo like ls - something, and you move your arrow keys back to modify that, or you want to hit up arrow to go to your history, or maybe you want to catch some of the files that are in the current directory but your tab autocomplete doesn't work. It's annoying and silly, so you do that every single time you've got your reverse shell connection. Now you move on to the same technique some of you might know to stabilize that shell, and you do that every single time you get on a machine. Usually if you're on Linux you want a stable shell. You guys know this magic trick: Python, open up a PTY, spawn in bash, and you hit Ctrl+Z, bring yourself back to your host, stty raw -echo sets your terminal in raw mode so keystrokes are happening immediately, there's no buffering, it won't echo that out, your fg to get back into your reverse shell, and then you set a TERM environment variable. This, every single time. So I thought to myself, like, well, this is dumb. It's just a little bit, it's just like four lines of code, right? But if I mistype, I'm going to have to use the arrow key again and that's going to break everything, and I'll hit Ctrl+C and I'll lose my shell. How can I automate that? The problem is we can't write a script because it's a new machine that we just broke into; you'd be writing the same thing. We literally do the exact thing. Bang that up real quick, just so we're following along.
Okay, now I can tab-autocomplete things, now I can use the up and down keys to have my history, I can hit Ctrl+C and I won't accidentally kill my fragile shell. That's nice for us. The issue is, how can we do this every time without having to type that stupid thing over and over and over again? So that's the premise of xte, and again, this is cheesy; let's see what you guys think. xte is a tool that comes with xautomation, and it's essentially letting you use your mouse and keyboard in a programmatic or scripted way. So it's like you typed that command, like you typed the keys on the keyboard, but you didn't really; you had your program do that. It's like the Visual Basic script SendKeys, then, you guys know that old one. So if you're on Ubuntu, if you have it in your package manager, you can sudo apt install xautomation, and then to get a simple string, it's xte str and the string you want to type. You can hit keys like the Enter key; you can even hit Control keys or Shift keys or Alt keys or Super keys, and you can kind of blend them with a keydown and keyup to maybe use a Ctrl+L or a Ctrl+C or send those signals that we might want in our terminal.

xte str ls: it's automatically there as if I were to type it, right? xte Return, or any of those cases, might hit the Enter key. You maybe might not see that at that speed. Those are some small primitives that maybe we could build out scripting with. I've got a shebang line up front; it's a shell script just defining some functions, some convenience things that I might be able to pull down and use later in other scripts or other code. What does that command function do? That dollar sign one, that's the argument to that function: type that, wait just a half a second, and run it if we're in the shell. Same thing with control; maybe we take an argument, Ctrl+L or Ctrl+Z or whatever we wanted to, and then we'd send that right along. Small, right, simple, kind of cheesy, maybe it'll work for us, maybe that'd be cool. Oh, I have that in my functions.sh script; that totally looks bad when I print it out, sorry, that's a mess. Like, I run command id, it runs, which is weird. It's like a regular bash script, but it bridges the gap between me running it on my actual computer and inside the reverse shell on the target computer. So I could command ls, I could control L, it'll clear the screen for me, control C. You can see the keystrokes automated for me, some small primitives, but now we could probably expand to something cool, like just that simple technique of stabilizing our shell.

So here's a stabilize-shell.sh script. First thing I do is source. What is that? Why do I use source?
Yep, present working directory with some command substitution tells me where I am right now with all my other code. That source command: why wouldn't I just run, like, ./functions.sh? Maybe. Yeah, if I were to just ./functions.sh, it's going to be in its own little bash-encapsulated cage, and it's not happening in the current scope. Nope, the source will run that in the current scope, so I can actually use that command function with that control function. I've got my little magic trick, the Python, using that command function so it types it out, runs it, Ctrl+Z, stty raw -echo, fg. Same recipe as before, right? You guys have any thoughts? Is there anything weird about this?

One thing that I'm actually curious about now is, how can I run this script? ./stabilize-shell, that's going to have to run on my machine; that's where it lives, but it's not going to have the focus of inside of the reverse shell. I'm going to have to focus what window I'm actually working in. If I could run stabilize-shell, it would stabilize my own shell; I need that to actually happen for the reverse shell. Let me kind of continue that. So the solution that I want to present, or at least an option, is that utility called Guake. It's a terminal, that's all it is. It's a small, simple little terminal emulator. The interesting thing is that it's a little heads-up display, like it'll just kind of pop up at the top whenever you invoke it, and you can toggle whether or not that terminal is visible, whether or not you want to use it. So if you were to install Guake, you could modify some of the keyboard settings that actually allow you to invoke Guake and bring it up, have that heads-up display terminal shown. You can toggle with a simple keystroke to hide it. Small utility, but kind of handy, and now if we could actually use that keyboard shortcut, what's to stop us with xte? Run the script on our host, Guake suddenly takes the focus of our reverse shell and runs that as needed.

Well, I set up my keyboard keystroke for Guake as Shift+Return, so just real quick, here's a terminal in a new scope that I could work with and run. I can open and close that as needed. So if inside of our functions.sh script we made a simple hide Guake, put it away, run that key, Shift+Return, Shift+Enter, and every time we had a script that were to actually do something useful for us, stabilize a shell, we could just hide Guake before we do anything, so it'll hop back to the focus of our reverse shell. If I can get another quick reverse shell for us.
Okay, so now if I just had a reverse shell, and I've created this stabilize-shell script, it will automatically type all those keys for us, super simple. It'll immediately hide Guake, run those commands, and I'm just left at a new prompt where I have my tab complete, where I have my command history, right, I don't accidentally kill my shell. That's kind of small, kind of simple; all we've really done is just bridge the gap between our host machine and the victim. But what more could we do with that? To step back and automate getting the reverse shell, maybe that's a hiccup, maybe you're like, oh, I have to know what my IP address is currently, I need to know what port I'm going to actually use. Sometimes that's stupid and annoying too, like I've done this however many times. We just have those ingredients with our shell, with our shell script: we need our IP address, our attacker, our victim, or our attacking machine; we need that port that we want to listen on. We can just carve that information out. You guys might normally use, like, ifconfig, right, or ip addr, and all that gives you a bunch of output. This regular expression gobbledygook will parse that out and just grab only your IP address. In this case I'm using tun0 as my interface; you might need to adjust that or change that for whatever you actually might be using. And in bash I can just get a random high port by taking $RANDOM and adding some numbers to it. $RANDOM I think goes from 0 to like 32,000 or something, so I just added 3000 after that, so we know we're in a clear port range.
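The "carve out the ingredients" step just described, plus the source-versus-./ point from the functions.sh discussion, as an added example that is not code from the talk or its repository. The `ip addr` text is constructed so it runs offline; the interface name tun0 and the $RANDOM + 3000 idea come from the talk, and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not code from the talk or its repository.
# The `ip -4 addr show` text below is constructed so this runs offline.

# Constructed sample of `ip -4 addr show` output (not a real host).
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN
    inet 10.10.14.5/23 scope global tun0'

# iface_ipv4 NAME: read `ip addr` text on stdin and print NAME's first IPv4
# address without the prefix length. Fails (no output, status 1) when the
# interface is absent, so a caller notices instead of getting an empty $IP.
iface_ipv4() {
  awk -v want="$1" '
    $1 ~ /^[0-9]+:$/ { cur = $2; sub(/:$/, "", cur) }   # "2: eth0: <...>" line
    cur == want && $1 == "inet" { split($2, a, "/"); print a[1]; exit }
  ' | grep .
}

# random_high_port: $RANDOM is 0..32767 in bash; adding 3000 keeps the result
# out of the low, well-known range, as the talk does. (Under plain sh $RANDOM
# is unset, so this degrades to 3000.)
random_high_port() {
  echo $(( RANDOM + 3000 ))
}

# source_vs_exec: show why functions.sh must be sourced. A function defined
# in a file that is executed as a child process disappears with that
# process; the same file sourced with `.` defines it in the current shell.
source_vs_exec() {
  unset -f hello_fn 2>/dev/null || true     # start clean if run twice
  f=$(mktemp)
  printf 'hello_fn() { echo hi; }\n' > "$f"
  sh "$f"                                   # child shell: nothing persists
  after_exec=no
  type hello_fn >/dev/null 2>&1 && after_exec=yes
  . "$f"                                    # sourced: hello_fn exists here
  after_source=no
  type hello_fn >/dev/null 2>&1 && after_source=yes
  rm -f "$f"
  echo "$after_exec $after_source"          # prints "no yes"
}

# Stand-alone demo.
printf '%s\n' "$SAMPLE_IP_ADDR" | iface_ipv4 tun0
random_high_port
source_vs_exec
```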
We have the exact same problem of focus to try and run a reverse shell. Maybe I wanted to spawn a new window, a new terminal, that would capture that reverse shell and catch it for me, but we need to be able to switch back to our actual code execution vantage point. So you can just make a small alt-tab function, nice and easy, literally exactly that: it alt-tabs, and xte will let you do that, nice and easy for you, switch windows. A small sample: we could use that functionality again. We know how we can grab our IP address in the scope of our own host, the scope of our attacker machine, quickly grab a port to use, hide Guake because maybe we use that to invoke it, and I like to use Terminator because that way I can split my screen as needed too if I need to do some other operations. Give it just a little bit, catch, run my netcat listener, switch back to the context of the actual RCE vector, and maybe you could slap in that reverse shell code, and now you can use those variables that bash figured out for you. You don't have to hand-jam it in like I did at the beginning of the talk. Again, super, super small, but maybe that will speed you up. Some of the real things I notice: this has a little bit of a gimmick and limitation. xte typing a really, really, really long string, maybe it'll miss some characters, so I haven't had as much success with the Python means, but the netcat one is pretty simple, and that's just the syntax from pentestmonkey, that reverse shell cheat sheet. And I've also moved the IP address variable, just grabbing that, setting it; I moved that into functions.sh because that might be handy for us. We're probably going to end up using that in just about everything that we would build out, but now we have a small thing.

I would expect in some cases you might be able to grab it and just throw it into the actual vector on the machine that you're working with, that Python one, because it takes so long to type, or for xte to type it, sometimes it doesn't work as well. If I had code execution already, in this case, this is again just an educational proof of concept, bear with me. If I were to run that netcat reverse shell, it would pop up a new window, grab the listener, wait for the connection, and just in that other window now I have a new shell. Automate that capability.

We've got some stuff built, small, tiny things that might speed us up. How could we take that further? How could we do real cool pentest stuff with that? Like, Meterpreter has that nice upload and download functionality, but in a regular reverse shell, kind of doing it by hand, you don't have that nice and easy. We can build it now. So we've got a reverse shell connection kind of packaged in a small script, some poor man's means; same thing with stabilizing our shell. Now what else could we do on that box? Have you guys seen the LinEnum utility? Trying to sprinkle in some resources for you. This is the script you can find on GitHub. It's a little bash script that will just do simple checks on the machine: what's the hostname, what's the kernel version, what operating system is this, is it connected to anything else, what processes are running, what services are there, etc. It's that rough. So it would be cool, since this is another thing on your checklist, every time I get in a box I run this thing, cool, if we could just automate that, run through it.

Of course, we need to get LinEnum on the machine. How do you guys normally transfer files between your host and your target? How many tried-and-true procedures? That was awesome, I heard a few protocols just thrown out. I thought I heard SFTP; if you've got that, wget, yeah, curl, just to download stuff. The raw, bare-bones stuff is just using netcat again, right, if you've got some of those outbound connections available to you. Again, I beg suspended disbelief: if we could create something that will grab our port, our attacking IP address, we already know, maybe take a filename on our machine, it'll listen, reading in from that file that we specified, and then automate on the actual reverse shell pulling that down. Quick and simple upload functionality, putting that together. That -q is for netcat; you know, when it hits an end-of-file, yeah, and a flag that says wait however many seconds, wait zero seconds, so once you see the end of file, just close it down. We don't need that anymore. Quick, on the fly: what is /dev/shm?
Yeah, sure, memory, to hide on a target or any Linux machine. Maybe some quick spaces: you've got /tmp, that's always world-writable; you also have /dev/shm.

No? Yeah, yeah, that was awesome. I hope you're in the back just jamming through the CTF right now; that was awesome. Cool, any thoughts or questions on that simple technique? That's just netcat, right, but we could use something with HTTP, I heard wget, we could do something with SMB, we could use Impacket to help. wget takes a little bit more work, right: let's set up a Terminator or another terminal shell for us that's got a working directory where we currently are, because we probably want to upload a file that's just relative to us real quick, and I'm going to use that Python SimpleHTTPServer, as you see that one often: python2 -m SimpleHTTPServer, with the capital S, Simple, the capital HTTP, capital S, Server. On Python 3, which we all need to migrate to now, 2020's coming, Python 3, we need to use http.server and specify a quick and easy random port for us. The machine gets that down, puts it in /dev/shm, but the poor man's means, maybe we could have something to actually specify, and if we really want to put it in /dev/shm, we should let the scripts allow the user to choose where they want to put it. It's just an example. What's that alt-tab, Ctrl+C at the very, very bottom? Can you tell what I'm doing? I'm going to switch back to that other Terminator that I just opened and close that down; I don't need it.

Now that we have that small upload primitive, push LinEnum over there, make it executable, run the thing, pipe it to tee so I get some output, so I want that log file. I really want to know what it is and I want it; I don't want to have to deal with running that again; sometimes it takes a long time. And now we have that file, but we need to download it.

I realized when I needed to download something that running out of just a quick local present working directory, you've seen that variable over and over again, it's tough to know where you want it to download to, because you probably want it in your current working directory, and if you have a project set up for that target, well, then you don't want to have all these other simple shell scripts that we've been building in there with that, because you might have multiple projects. You're playing Hack The Box, just again, that educational sense; you've got a folder for different machines. It's stupid to have all those duplicates there. So I thought, let's move these small tools into an actual location that could be their home, that can be their actual place to live, and put that in our PATH. So I use just /opt; I like to put my tools in /opt, and pmp for poor man's pentest. I add that to my PATH, put that in my .bashrc file, and quick kludging some, tape these together, because we ran that source command in all those scripts we just have to change that real quick if you were tinkering. And let's bring them all into their home, that hops. Now we can run them without the ./ because it's no longer in our current directory; that was part of that PATH. See my upload-file and that cat in there.

So our download-file, that's another little gimmick, and it gets to it because it needs to know the reverse shell, the target machine needs to know our IP address, and we don't have a good means to tell it that. When do we need to run commands on it? So I supplied, that really has another argument, the IP address, which will be the target's IP, right, 10.10.10.68 in the case of this Bashed machine, the filename that we actually want to pull, and that it'll come to us.
What is that -w?

I was struggling with this one because it does the exact same thing as -q, seemingly, but in the other direction. -q was working, yeah. We wait for just a second, grab it, spit it to another file.

Okay, now we again have small, simple, poor man's primitives to do some of that quick and easy stuff that we might need. Else though, now that we've got that download capability, oh, let's just grab /etc/passwd real quick right off the bat. Let's check out the services, let's see if there are any directories in home, what other users might have some sensitive files that maybe we can read, right; we haven't moved out of that www-data user in our example right now. Maybe some log files, and I see Apache's access log or error log; are there any SSH keys that I could just up and read? Grab that, pull that down, configuration files, etc.

g0tmi1k's blog, Basic Linux Privilege Escalation, enumeration, or resources: this one isn't an automated script, an automated tool like LinEnum is, but if you're scraping the bottom of the barrel, you're like, man, I don't know what to do, I can't find a foothold, it's worth it to look through this little showcase, the hand-jam commands, processes, etcetera. That link is g0tmi1k; again, Google simply "g0tmi1k Linux privilege escalation."

But that's not all, right? There are things that maybe we've learned about in our pentesting journeyman trajectory and growth. What if Shellshock is in there? What's that? You guys seen that one, which is like, let you run code through some environment variable. SUID binaries, things that will take the privileges of another process; track those down. LinEnum will do that handy for us. ps aux, checking out processes, netstat, and again there's another utility similar to LinEnum, linuxprivchecker, that you could totally check that out with as well; that one is known as a Python script.

So we could automate our enumeration, automated the reverse shell, we've automated stabilizing that shell, we've automated pulling and downloading some files, putting stuff on there, spit that linuxprivchecker on there.

And one, if we know what machine, our machine we're working with, what our attacking machine is, maybe we could generate SSH keys real quick, throw those on the box. Again, your mileage may vary. I thought you would do this to take advantage of some of that code that we've written through other things. Having an SSH key: use ssh-keygen, -f to create that file, already no password, and that's that -N with an empty string, and I was lazy, I just threw yes y in there so I would overwrite stuff while I was testing. And this is when our upload-file limitation of not choosing the directory might get in the way, because it'll automatically put it in /dev/shm for us; we would have to, okay, actually take the contents and move it ourselves, that's that .ssh/authorized_keys, if we actually have write access to some user's SSH key. But we might, if we were able to do that enumeration with LinEnum and find a foothold in another account.

Thoughts on that one? How do you guys like to do persistence, or do you?
Violence. It was always the answer.

Cool, don't want to leave any artifacts; maybe it'd be nice to have something like this that will automatically clear the logs for you or wipe your fingerprints. We could totally scale that out, why not? Maybe if you're on a new target you don't want to write that code over and over again; that's kind of why I thought this would be a neat trick, oh, this would be a neat technique. Having a cron job: I use a simple thing, I set this variable F, the stupid name doesn't help us at all, but maybe that's a filename, maybe that's a folder, I'm going to use it as both. I use an ellipsis there, a dot dot dot. What do you think I use that for?

Yeah, sure, that works for me. Quick and easy to type in. I like the first period: does that mean it's going to be a hidden file? And when you have an ls -la output you always see a period and a period period for the current directory and the parent directory; maybe this will just, maybe that'll sneak under someone's radar. There's an extra period period period, I don't care. Stupid, but it might work. And I make a little bash script where I include that reverse shell syntax with my IP address and port, so I'm able to use these variables, IP and PORT, when, with the command function, they're running within the context of the target. We've got IP and PORT already pulled in from functions.sh; we know the scope, but if we're typing out with xte that whole command, how come it's not typing literally dollar sign IP and dollar sign PORT?

Sum that up, so let me just give you the answer: actual variable expansion within that string. Double quotes are going to evaluate that variable value before xte types it out, so that way we have a quick means of handling our target: this is our IP address, this is our port. That way we can use variables like that even though it's in the context of, or running on, that other machine.

We've been quick: crontab runs a reverse shell every five minutes. I think there are other user crontabs, right, I think it's like /var/spool, then their username. This one you might need a heavier gun; you might already need to be root, right, to edit their crontab. Or we could do other things like a bind shell; maybe that's something that might be worthwhile. There are plenty of other means of persistence. These are some use cases, and these are some means to just whip that out, so you don't have to deal with remembering it; you've already got it written.

What do you guys think? Anything for me? I last spoke here at BSides Delaware, so thanks for letting me come hang out again. The talk was the Ten Steps to Build and Lead a Cybersecurity or CTF Team, and I like to play CTF, and that was a super, like, high-level soft talk, like inspire people, encourage people, do good things, but I wanted, like, let's do a technical talk, let's do stuff that's on the keyboard. Oh, my slides are literally bash code; I hope that was okay, I hope that was cool. I'm, like, github.com/JohnHammond; there is a poor man's pentest repository where you can grab all this code. I still need to add the README, but all that code is in there if you want it for some reason, and the slides are in there as well.

Thanks. Yeah, yeah, I hope that, again, it's kludgy and weird because you're using xte, which sounds like a baby thing, but because you have that fine comb as to what you want to run, and you're still automating it with just, I'm literally typing the command but not, maybe that helps.
Python's SimpleHTTPServer is only HTTP; you need to deal with some openssl command and all that nonsense to quickly spin up an HTTPS server. There's documentation and guides to do it; off the top of my head, I hate openssl syntax. No, the risk there, good question, thank you.

Any other thoughts? I'm yours. Yeah.
Right, and that is a limitation, right, because we have the communication of our machine to the target; we don't have communication from the target back to us. We can't see from our shell the command output on that side without visibly looking at it with eyeballs, so that's a programmatic hiccup. Again, disclaimer, your mileage may vary, but maybe a technique: just spit stuff there, you've got to test.

I hope you guys stayed awake. We did the job. All right, sweet, thank you. [Applause] We were right on time, I think.