Internal Pentest : The delay that helped migrate our Meterpreter session to meet the Domain Controller

Background

Last few months, our team were engaged to perform penetration testing against a medium size organisation. Their objective is to determine how far a threat actor could do if remote access has been compromised. They requested us to not use any advanced obfuscation techniques at the early phase of the testing as they would evaluate the security software that their company recently subscribed to protect their employees’ devices from unauthorised activities. Let us name that product T, the Endpoint Protection & Security.

Proposal

We proposed to conduct an internal penetration test where we included the following items:

• Standard vulnerability scanning using commercial and open-source tools. This is to cover known vulnerabilities and unpatched systems.
• Escalation assessment. This is where we determine to what extent the attacker could do in then event the remote access of an employee has been compromised.

Vulnerability scanning

We scanned using Nessus, Nmap and other tools. Boring but they are still helpful for our client to ensure their systems are well examined.

Escalation assessment

We were provided with a low-access domain user (user-R) after we were able to demonstrate one SQL Injection vulnerability that we discovered on one of their public assets which allowed us to get some of their employees’ valid credentials.

As usual, we started by gathering information and enumerating the network from the host that we were given access. It started getting interesting when some of our scripts were blocked and quarantined by the T software. We further investigated it and found that T only performed that when it detected the scripts or files originated from unknown sources. We were able to overcome this by fake-signing our Meterpreter executable file.

However, we noted other than that, it will as well quarantine the file when it detected suspicious process/activity being executed by that file.

While investigating T’s behaviours by planting our Meterpreter executable file, one of our team members noticed that there was actually a slight delay (3-4 seconds) before the file will be deleted once it has been executed. That looked odd. We utilised Meterpreter’s Post Manage modules, post/windows/manage/migrate to abuse this slight delay. Surprisingly, it worked and we managed to get a stable Meterpreter session!

At this stage, we managed to complete half of their objectives. Then, we further evaluated how extent the threat actor can do from there.

Path to DA

We ran Bloodhound to determine paths that we can use to compromise a domain administrator. From the map generated, we observed there were several users created with the domain administrator access. That was the shortest path as suggested by Bloodhound.

Through the Meterpreter session we obtained, we were able to compromise another user that has a local administrator access on its machine, user-E. We sprayed user-E credentials across the networks and observed that user-E was as well a local administrator on other several machines. Using crackmapexec, we dumped available credentials in the hosts’ memory and was able to gained a hash belonged to one of the domain administrator users.

Conclusion

Overall, this organisation’s security was pretty well hardened. Appropriate security measurements were in place and their small IT team did a great job plus helpful throughout our testing. This was their first time asking a company to conduct the escalation assessment and we were happy to receive good feedback from them.

We suggested the following to them to further increase their security posture:

• Revisit the T product manual and see if the delay can be removed and ensure stricter rules to be implemented. We felt that the vendor did not carefully configure the rules but instead leave the product run using its default settings.
• Consider to have monitoring team or subscribe to an external Security Operation Center (SOC) services.
• Improve their password policies.
• Prevent their users from reusing same password across their accounts
• Reduce the numbers of domain administrator users and ensure they are only assigned to IT security members when possible. As for their mid-size organisation, a few numbers of domain administrators are sufficient.

Memory forensic using Volatility

This article is a part of our program, #re:educate where we empowering cybersecurity students and beginners to share their understanding about anything related to offensive security. For more info, refer to this link RE:HACK - #re:educate

Author: Fatahillah bin Hashim
University: German-Malaysian Institute

Summary

Volatility is a tool that can be used to analyse a volatile memory of a system. We can inspect processes, look at command history, and even pull files and passwords from a system without even being on the system.

Prerequisite

• Volatility tool - https://www.volatilityfoundation.org/releases
• Memory dump samples - https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples, https://uupdump.net/, https://www.volatilityfoundation.org/26

tl;dr

# How to detect malicious files ?
./vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 -D <Output_Location> -p <PID >malfind
# What type of dump am we are going to analyse ?
$ ./vol.exe -f Triage-Memory.mem imageinfo

# Which process are running
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile pslist
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile pstree
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile psxview

# List open TCP/UDP connections
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile connscan
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile sockets
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile netscan

# What commands were lastly run on the computer
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile cmdline
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile consoles
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile cmdscan

# Dump processes exe and memory 
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile procdump -p MyPid --dump-dir .
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile memdump -p MyPid --dump-dir .

# Hive and Registry key values
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile hivelist
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile printkey -K "MyPath"

Capturing Windows Memory Using Winpmem

Winpmem is a part of the Pmem Suite, a suite of memory acquisition tools for Windows, Linux, and Mac OS. We can download the latest release of winpmem from here: https://github.com/Velocidex/c-aff4/releases

Run Winpmem

First, after we staged malicious activity, we downloaded winpmem version 3.3 RC3 onto the victim Windows machine. Then, we opened a command-line terminal and run the program:

C:\ winpmem_v3.3.rc3.exe --output memdump.raw --format raw --volume_format raw

The --output mem.raw option was used to name the output as memdump.raw. The --format raw and --volume_format raw options were used to output the memory in raw format (as opposed to something like aff4). Once the memory dump finished, we then transferred the raw memory file, memdump.raw, to our Kali Linux & Windows machine.

---

Analysing Windows Memory

Choosing the Right Profile

This part frustrates a lot of analysts. We can typically only analyse memory dumps that have a profile available in Volatility. Newer Windows 10 builds do not have compatible profiles in Volatility.

To find the right profile, type volatility --info to get a list of the available profiles. Look under “Profiles” in the output, we’ll see the following Windows 10 profiles:

Profiles
--------
[...]
Win10x64              - A Profile for Windows 10 x64
Win10x64_10240_17770  - A Profile for Windows 10 x64 (10.0.10240.17770 / 2018-02-10)
Win10x64_10586        - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)
Win10x64_14393        - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)
Win10x64_15063        - A Profile for Windows 10 x64 (10.0.15063.0 / 2017-04-04)
Win10x64_16299        - A Profile for Windows 10 x64 (10.0.16299.0 / 2017-09-22)
Win10x64_17134        - A Profile for Windows 10 x64 (10.0.17134.1 / 2018-04-11)
Win10x86              - A Profile for Windows 10 x86
[...]

Retrieve user’s passwords from a Windows memory dump

1. Identify the memory profile

First, we need to identify the correct profile of the system :

2. List the registry hive

With the correct profile, we can use the “hivelist” plugin in order to extract the list of registry hive in the memory dump :

3. Extract the hashes

Now, with the virtual offset of SYSTEM and SAM, we can extract the hashes :

.\Volatility.exe -f Triage-Memory.mem  - profile=Win2008R2SP1x64_23418 hashdump -y 0xfffff8a000024010 -s 0xfffff8a000e66010 > hashes.txt

4. Crack the hashes

Finally, we can process the hash using a local tool (like HashCat) or using a online tool like CrackStation :

Note: If the password is not available through the crackstation, you can use rockyou.txt for cracking this hash

Retrieve SHA1 hash (memory dump)

Just to check whether we downloaded the right file or not, we can use the following command in PowerShell.

Get-FileHash -Algorithm SHA1 .\Triage-Memory.mem

---

In most of the cases volatility suggests multiple profiles with the volatility framework. In order to select the best memory profile for further analysis a kdbgscan (https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#kdbgscan) is used.

.\Volatility.exe -f Triage-Memory.mem - profile=Win2008R2SP1x64_23418 kdbgscan

After selecting the correct profile it can be moved in to the next steps of analysis.

Analysing Processes

By using the following command, a list of processes can be obtained which were there within the memory.

.\Volatility.exe -f Triage-Memory.mem - profile=Win7SP1x64 pslist

A parent-child relationship in between the processes can be obtained using the pstree ( https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#pstree) attribute

.\Volatility.exe -f Triage-Memory.mem - profile=Win7SP1x64 pstree

Note : highlighted in green - child process of wscript.exe

Let’s run a last command before investigating deeper into these two processes. psxview will list processes that are trying to hide themselves while running on the computer, this plugin can be really useful.

./vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 psxview

By identify processes seems hidden, if so you’ll see “False” in the first two columns (pslist and psscan).

In Linux, you can use dlllist plugin to view the list of loaded DLLs for each process.

volatility -f Triage-Memory.mem --profile=Win7SP1x64 dlllist|grep VCRUNTIME140.dll

All application running

Use the shimcache option to get a full list of all executed applications and execution times

.\vol.exe -f Triage-Memory.mem --profile=Win7SP1x64 shimcache > shimcache.txt

---

How to detect malicious files

In volatility, there exists an attribute named malfind. This is actually an inbuilt plugin and can be used for malicious process detection.

.\Volatility.exe -f Triage-Memory.mem - profile=Win7SP1x64 -D <Output_Location> -p <PID >malfind

Analysing Network Connections

netscan . This plugin allows us to see the network connections on the machine at the time the memory was captured. We ran the plugin with volatility and directed the output to output_netscan.txt.

./vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 netscan > output_netscan.txt

We can check running sockets and open connections on the computer. To do this we’ll use these different plugins: connscan, netscan and sockets.

./vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 connscan

$ volatility -f cridex.vmem --profile=WinXPSP2x86 connscan
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 172.16.112.128:1038       41.168.5.140:8080         1484
0x023a8008 172.16.112.128:1037       125.19.103.198:8080       1484
$ volatility -f cridex.vmem --profile=WinXPSP2x86 sockets
Volatility Foundation Volatility Framework 2.6
Offset(V)       PID   Port  Proto Protocol        Address         
---------- -------- ------ ------ --------------- --------------- 
0x81ddb780      664    500     17 UDP             0.0.0.0         
0x82240d08     1484   1038      6 TCP             0.0.0.0         
0x81dd7618     1220   1900     17 UDP             172.16.112.128  
0x82125610      788   1028      6 TCP             127.0.0.1       
0x8219cc08        4    445      6 TCP             0.0.0.0

The connscan plugin is a scanner for TCP connections, while sockets will print a list of open sockets and finally netscan (which cannot be used in our example due to the profile used) will scan a Vista (or later) image for connections and sockets.

Looking at Command-Line History

Using the cmdline plugin, we can see what commands were executed at the time that the memory was captured.

./vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 cmdline > cmdline.txt

We can observe suspicious commands from there.

Dumping the infected process

.\vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 procdump -p 3496 - dump-dir dump-folder

We created the “dump-folder” to dump the information.

After dumping the process we can use PowerShell to find out the md5 hash value.

Get-FileHash -Algorithm md5 executable.3496.exe

Dump and capture flag memory written in notepad.exe

Once we obtained the PID of notepad.exe, use the memdump to dump the process memory then use strings command in Linux or a Hex Editor software to look through the data. For this example, we used strings from our Kali Linux.

.\vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 pslist

.\vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 memdump -p 3032 - dump-dir .

Then we use strings along with grep to search for flags. Since notepad stores text in 16-bit little-endian format, so we need to add -e & l switches to work. In Notepad, as in Windows software in general, “Unicode” as an encoding name means UTF-16 Little Endian (UTF-16LE). Similarly, “Unicode big endian” means UTF-16 Big Endian.

flag<REDBULL_IS_LIFE>

Finding short name of the file at file record (Managed file transfer)

.\vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 mftparser > mft.txt

Dump the VAD info ( memory protection constants )

vadinfo displays extended information about a process’s VAD nodes. In particular, it shows: The address of the MMVAD structure in kernel memory. The starting and ending virtual addresses in process memory that the MMVAD structure pertains to.

.\vol.exe -f Triage-Memory.mem --profile=Win7SP1x64 vadinfo > vadinfo.txt

The memory protection constant (permissions). Note there is a difference between the original protection and current protection. The original protection is derived from the flProtect parameter to VirtualAlloc. For example we can reserve memory (MEM_RESERVE) with protection PAGE_NOACCESS (original protection). Later, we can call VirtualAlloc again to commit (MEM_COMMIT) and specify PAGE_READWRITE (becomes current protection). The vadinfo command shows the original protection only. Thus, just because we see PAGE_NOACCESS here, it doesn’t mean code in the region cannot be read, written, or executed.

---

Reference :

• https://volatility-labs.blogspot.com/2012/09/movp-25-investigating-in-memory-network.html
• https://code.google.com/archive/p/volatility/wikis/LinuxMemoryForensics.wiki

TockenChpoken - a cookie manipulation attack in Oracle PeopleSoft

Background

There were times when our team performing a pentest and found several organisations that were using Oracle PeopleSoft for their Human Resources (majorly) purpose. In addition to the common weak/default accounts weakness, our team decided to look for other weaknesses. Thus we did a bit of reading about attack vectors that may be less known against this product and found a presentation by Alexey Tiurin at Hack in The Box 2015, Oracle PeopleSoft applications are under attacks!

One of the vulnerabilities shared in this presentation was a manipulation PS_TOKEN in the PeopleSoft application which could lead to a privilege escalation issue.

Interesting.

Discovery

Our team then started to look around on our customers’ assets and available bugbounty programs that have Oracle PeopleSoft as one of their in-scope target. We found several, but we tested few and one of them was vulnerable to this PS_TOKEN cookie manipulation dubbed, TockenChpoken.

The attack

In general, we need to perform the following in order to succeed in manipulating the token.

1. From an unauthorised user perspective or from a low-level user access, grab the PS_TOKEN

2. Obtain all necessary values plus with the signature from the base64 encoded cookie.

3. Brute-force the PS_TOKEN

4. If the brute-force is a success, then we can generate our own PS_TOKEN

We used a plugin for Burp Suite named, PeopleSoft Token Extractor to help us with collecting the token and extracting the necessary information.

We authenticated with a guest access user and captured the PS_TOKEN. The cookie was send to the PeopleSoft Token Extractor for the next steps.

From the tab, we decoded the content and this plugin helped us to extract the necessary information and generate the hashcat format that needs to be cracked.

The following image shows that the current cookie session was belong to a XXX-GUEST user.

The generated SHA-1 hash was then being brute-forced using our cracking-server that internally we called it as Crackcodile.

Crackcodile managed to crack the password within 5 minutes. Results may vary depending on the wordlist and server specifications.

Using the cracked value, we sent it back to the PeopleSoft Token Extractor tab and generated a new token for a new high privileged user in Oracle PeopleSoft such as the PeopleSoft SuperUser = PS.

With the new generated PS_TOKEN for the SuperUser account, we managed to access the restricted directories such as HRMS and etc.

Easy.

We were awarded a handsome amount for this.

This article is a part of our program, #re:educate where we empowering
cybersecurity students and beginners to share their understanding
about anything related to offensive security. For more info, refer to
this link RE:HACK - #re:educate

Author: Adrianus Tristan
University: First City University College

Wi-Fi Cracking with Aircrack-ng

Wireless (Wi-fi) penetration testing is a part of security testing which involves identifying and scrutinising the connections between devices connected to the wifi. This activity could help to identify vulnerabilities and threats within the network by analysing and gathering data about the network.

One of the tools to review the Wi-Fi network security is Aircrack-ng.

About WEP, WPA, WPA2, and WPA3 Security

1. Wired Equivalent Privacy (WEP)

WEP is the oldest (introduced in 1997) and most well-known Wi-Fi security standard. One of the goal of WEP is to ensure the data transmitted over the wireless networks is encrypted. This mainly to prevent Person-in-the-Middle attacks during that time.

Through this authentication, the access point receives an authentication request from the a client and responds by sending the requesting client a 128 bit random challenge in cleartext. The challenge is signed by the client and sent to the access point using the shared secret key. Using the shared secret key, the wireless access point decrypts the signed message and confirms the challenge it previously sent. Authentication is successful if the challenge matches, otherwise it is not.

However, no secret key is exchanged during the authentication process, and the authentication key was shared in cleartext, making it simple to be sniffed. Various vulnerabilities were discovered in WEP over the time due to the rapid changes in computing technology. In 2004, Wi-fi Alliance officially retired WEP. Thus, WEP is now considered obsolete.

Wi-Fi Protected Access (WPA)

WPA was introduced in 2003 to replace WEP. WPA uses the same RC4 encryption algorithm as WEP, but instead of utilising a static pre-shared key, the key was changed dynamically using Temporal Key Integrity Protocol (TKIP) encryption. The base key and IV are also hashed together before the encryption begin.

WPA has a longer key, it uses a 256-bit encryption key, which is a significant improvement over the WEP. However, even with these improvements, there are still weaknesses in the elements of WPA which can be exploited – thus led to intro WPA2.

Wi-Fi Protected Access 2 (WPA2)

WPA2 is the second generation of the WPA wireless security protocol launched in 2004. It is the most used Wi-Fi security protocol today. WPA2 is based on the Robust Security Network (RSN) mechanism and operates on two modes:

• Personal mode or Pre-shared Key (WPA2-PSK) – Usually is used in home environments or small office. It relies on a shared passcode or passphrase.
• Enterprise mode (WPA2-EAP) – What most businesses and organisations used in their Wi-fi network. It uses the implementation of the 128-bits key using Advanced Encryption Standard (AES) block cipher algorithm for encryption process.

While WPA2 is widely being used, it still has flaws. As an example, WPA2 was told to be vulnerable to an attack known as Key Reinstallation Attacks (KRACK) which allows attackers to mimic a clone network and force victims to connect to a malicious network. However, this can be patched on the devices.

Wi-Fi Protected Access 3 (WPA3)

In January 2018, the Wi-Fi Alliance introduced WPA3. WPA3 uses 256-bit Galois/Counter Mode Protocol (GCMP-256) with SHA-384 Hashed Message Authentication Mode.

Simultaneous Authentication of Equals (SAE) exchange, a technique first introduced with IEEE 802.11s, also takes the place of the pre-shared key (PSK) exchange, resulting in a more secure first key exchange.

WPA3 devices became widely available in 2019 and are backwards compatible with devices that use the WPA2 protocol. Although it is more secure than WPA2, it hasn’t yet gained widespread adoption.

What is Aircrack-ng?

Aircrack-ng is an 802.11a/b/g WEP/WPA cracking program that can recover a 40-bit, 104-bit, 256-bit or 512-bit WEP key once enough encrypted packets have been gathered. It can also attack WPA1/2 networks with some advanced methods or simply by brute force. The ‘NG’ in Aircrack-ng stands for “new generation”. Aircrack-ng is an improved version of the earlier Aircrack tool.

Aircrack-ng is not a single tool, but a whole collection of tools, each of which performs a specific function, which are:

• airbase-ng – Multipurpose tool aimed at attacking clients as opposed to the Access Point (AP) itself.
• aircrack-ng – 802.11 WEP and WPA/WPA2-PSK key cracking program.
• airdecap-ng – Decrypt WEP/WPA/WPA2 capture files.
• airdecloak-ng – Remove WEP Cloaking™ from a packet capture file.
• airdrop-ng – A rule based wireless deauthication tool.
• aireplay-ng – Inject and replay wireless frames.
• airgraph-ng – Graph wireless networks.
• airmon-ng – Enable and disable monitor mode on wireless interfaces.
• airodump-ng – Capture raw 802.11 frames.
• airolib-ng – Precompute WPA/WPA2 passphrases in a database to use it later with aircrack-ng.
• airserv-ng – Wireless card TCP/IP server which allows multiple application to use a wireless card.
• airtun-ng – Virtual tunnel interface creator.
• packetforge-ng – Create various type of encrypted packets that can be used for injection

Aircrack-ng focuses on different areas of Wi-Fi security:

1. Monitoring: Packet capture and export of data to text files for further processing by third party tools
2. Attacking: Replay attacks, deauthentication, fake access points and others via packet injection
3. Testing: Checking Wi-Fi cards and driver capabilities (capture and injection)
4. Cracking: WEP and WPA PSK (WPA 1 and 2)

How does it work?

Aircrack-ng uses (Fluhrer, Mantin, Shamir) FMS/KoreK method. The FMS/KoreK method incorporates various statistical attacks to discover the WEP key and uses these in combination with brute forcing.

For cracking WPA/WPA2 pre-shared keys, only a dictionary method is used. When a client and an access point employ pre-shared keys, the client and access point establish keying material to be used for communication right away. Between the client and the access point, there is a four-way-handshake. Aircrack-ng replicates the four-way-handshake using input from a given wordlist to see if a certain entry in the word list matches the four-way handshake results. If it does, the pre-shared key has been found correctly.

For WPA handshakes, a full handshake is composed of four packets. However, aircrack-ng is able to work successfully with just 2 packets. EAPOL (Extensible Authentication Protocol Over LAN) packets (2 and 3) or packets (3 and 4) are considered a full handshake.

Installation on Linux

sudo apt install aircrack-ng

To see the overall manual, simply type aircrack-ng -h

Crack WPA2 Wi-Fi password

Verify that network adapter is recognised by Linux with: iwconfig

Check for any conflicting processes that might interfere the process and kill them using: sudo airmon-ng check kill

Enable monitor mode with airmon-ng: sudo airmon-ng start wlan0

Monitor mode is a data capture mode that allows using a Wi-Fi adapter in listening mode without connecting to the router or access point. You can start the wlan0 or depending on which interface you use.

Note: Not every Wi-Fi adapter support monitor mode. The adapter used in this demonstration was Realtek RTL8723BE 802.11. It can be used for monitor mode. If your adapter doesn’t support this, you might want to purchase an external USB Wi-Fi adapter that support monitor mode.

Discover the access point or Wi-Fi network using airodump-ng: sudo airodump-ng wlan0

The command above will show a bunch of wireless networks with their BSSID, ESSID, channel used, and many more. Suppose the network we want to use is the one inside the red box. Detailed explanation of each parameter can be found here.

Then we can look into more detail on the network chosen with this command:
sudo airodump-ng wlan0 -d B0:95:75:53:F7:92

The -d option is to select the network followed by its BSSID. The figure above shows four clients that connected to the chosen network.

Capture the WPA2 four-way-handshake:
sudo airodump-ng -w captureFile -c 11 --bssid B0:95:75:53:F7:92 wlan0

The -w captureFile is the name of the file that we are going to store the captures in. The -c or channel that we are going to attack is 11. The BSSID is the MAC address of the Wi-Fi target. And the interface we use is wlan0.

Deauthenticate clients:
sudo aireplay-ng –deauth 0 -a B0:95:75:53:F7:92 wlan0

We need to deauthenticate clients from the network so that once the client reconnects again to the network, we can capture the handshake that happened between the client and the access point.

Before deauthenticate the clients, notice that the handshake inside the yellow box is empty. But as soon as we deauthenticate the clients and capture the handshake, it will appear.

Once handshake is captured, we can list out the file in our working directory. Notice that we have got the captured file and we can analyse it using Wireshark.

As you can see, we just found the WPA Key Data on the four-way-handshake packet that sent from a client to the access point, and that is what we are going to crack.

To crack the WPA2 password, we need to use aircrack-ng and run this command followed by the .cap file and a wordlist,
aircrack-ng captureFile-02.cap -w /usr/share/wordlists/rockyou.txt

In this example, I used rockyou.txt and able to crack the password - Trade123.

References

https://www.kali.org/tools/aircrack-ng
https://www.aircrack-ng.org
https://www.avast.com/c-wep-vs-wpa-or-wpa2
https://www.netspotapp.com/blog/wifi-security/what-is-wpa3.html
https://www.wifi-professionals.com
https://www.kaspersky.com/resource-center/definitions/wep-vs-wpa

PrintFriendly is a tool used by millions of people everyday to help them save paper and ink when they print and generate PDFs. The tool is available as a browser’s plugin (Chrome , Firefox and more) or as an external plugin for CMS such as Wordpress and Drupal

While performing security testing against one of our customers, we noticed that they were using PrintFriendly’s plugin to allow their users to generate PDFs from their website. We explored the functionality and found it to be simple. After clicking on the PrintFriendly button, the PDF of the desired page will be processed on https://www.printfriendly.com/ and a link to the generated PDF will be produced, for example, https://www.printfriendly.com/p/g/HyPaUT. The view looks similar to the following:

As we observed, the same thing happened on PrintFriendly’s browser extensions and through their preview tool on their main site.

Users can download the PDF file by clicking on the PDF icon at the top header, as shown in the screenshot above. As a result, a download link will be generated for the content, which can be retrieved as a PDF document.

As soon as we checked the requests in Burp Suite, we realised there might be a problem. The request showed that the PDF was generated by parsing the HTML content from the code and processed at the server-side.

We further explored the likelihood and noticed that the <script> tag was filtered and common JavaScript onevent handler did not work. We assumed there might be a denylisting enabled from the application side. Luckily, the <iframe> tag was possible. Using this tag, we could pointing the iframe’s source to the local file such as /etc/passwd. While attempting that, we noted that by simply pointing the src to the file:///etc/passwd was blocked. This was bypassed by supplying a URLencoded ? and then traversed it back to the passwd file.

<iframe src='file:///etc/%3F/../passwd' />

Timeline:
29 July 2022 : RE:HACK sent a brief discovery information to PrintFriendly team
29 July 2022 : RE:HACK received a reply from their technical person and was asked to provide detail POC
29 July 2022 : RE:HACK provided the POC
29 July 2022 : Their team received the POC and validated the issue
16 August 2022 : RE:HACK asked for a status update
18 August 2022 : Their team told the fix will be deployed on the 24th of August.
22 August 2022 : Their team emailed and informed the fix has been deployed.
22 August 2022 : RE:HACK requested to publish the writeup and was permitted. Published.