So, my name is Walter Cuestas and I'm from Peru, in South America. I'm going to talk about a vector that is not very commented on or used in red team exercises: using applications as the initial compromise. The not-so-classic. Who am I? In this case, I want to point out that everything I'm going to explain is what we've learned with the team I belong to. We have been working together for several years doing pentesting and red teaming, actually in some cases for more than 12 years, so you will see some examples of our collective effort.

And the question may arise, why applications? There are several reasons. Because we believe that red teaming is not only about getting domain admin or root, because not always having that power means you can access data. Not every application is integrated with Active Directory, for example. After some interaction with people in charge of threat management and hunting, they are so concentrated on AD and Windows systems. Organizations are not integrating application security yet in the effort to enhance security. Also, defenders are always pushed to be warned about social engineering attacks, or how attackers are bypassing endpoint security, or the latest password spray technique against common services such as e-mail. Someone could say that applications today are in the cloud, but we are seeing that few companies are migrating their core to the cloud. They still keep it on premises, and more applications just need to go down to the core. And finally, because, as all of us know, remote access services are delivered through applications. One more reason, besides the fact that this happens in every other aspect of security, is that applications have suffered from the same problems for a long time. As you can see in this image from ExploitDB, this is not only true for common applications but also for embedded ones. We can see a Cisco device suffering from local file inclusion, a very old kind of vulnerability in the application field.
We want to share this small framework. We developed it just to have an order in what we do during red team exercises. I'm not going to cover every module, just some high level about information gathering and enumeration, and more on initial compromise, of course.

So let's talk about reconnaissance, and especially about OSINT. As you know, there are tons of tips, sources and how-tos about OSINT. We want to focus on some aspects. Searching DNS information is crucial, and it's important to know that we don't have to select just one tool for that task. Indeed, most of the time we have to aggregate the results from several of them. And search engines, these kinds of search engines such as Shodan and Censys, for example, are most useful here because we don't have to touch our target at the first step. And these engines keep current data most of the time. Also, today a good search on the surface internet is better than going deep. And special attention must be on source code leakage in the most innocent and honest ways by developers, and on documents; you have to read very long documents. So we have a lot of tools and a lot of data.

And let's talk about the real world. There is no magic, neither a perfect tool, and there is no way to learn about our target organization without doing manual investigation, spending hours reading information and taking notes that we will share with the team. Another fun moment is when a tool is not working as expected or we need more from it. That's when our developer skills are important and we start to feel happy. After a bunch of data, you need to give some form of order to this data to do your analysis, and it could be very simple. Just use human-readable names for directories and files. I mean, not only for you, for the whole team. And you need to do a simple select to get data, including images. There are very good tools, but if you don't have time or just don't want to install them, SQLite is a very good option. Then, what after recon?
For us, the most important rule is not to underestimate your adversary. Your adversary, the blue guys, of course. We believe that not every admin is a fool, and not every developer makes applications without security in mind, and not every SOC is just looking for an AD event. That's all. And so, we are going after applications. There will be a moment to scan something in a very smooth way, not now, as the Blue Team is expecting that. Also, we are going to use the same techniques and tools as in testing applications, but we have to forget about OWASP, for example, because this is not a pen test, nor a bug bounty.

Let's start with initial compromise, and a small note about these cases that came from the real world. In one case, we were able to recreate the same scenario we found, and in another one, not. The main reason is that we don't get the same applications and versions as the ones that we got during red team exercises. So, case one is here. We call it jumping, because we are going to jump several times. The scenario is like this. This is a very common scenario where an organization is using the cloud for new applications. Hybrid cloud may be the right name. We have the front end of the application in the cloud, with a database, but it needs data also from the business core applications and data that are still on premises. We are looking for the secrets on that core because it's the most valuable information, and, as happens today, there are so many digital transformation projects and few security controls; everything is sales-driven. I know that this seems like a Hack The Box case, but it's not. Our first security tests for digital transformation projects showed us that there is no control over the initiatives coming from different teams in the same organization. So, our reconnaissance found this exposed Jenkins administrative interface. In fact, it's exposed to the internet with the option to create an account, which is not a default. This is not a surprise.
This is a very well-known issue. But what is bad is that, by default, logged-in users can do anything. Having this in mind, let's take a look at the credentials section, where we found these keys, one for SSH access and the other one to get access to the cloud. One is an Amazon access key, but this is not enough. We need also the secret access key, and as you can see, it seems this is properly secured. One of the things we learned from doing pen testing on applications is that client-side source code is something we always want to review. Just use developer tools or inspect mode and you will find not only HTML and common JavaScript; there are still developers that trust client-side protections. And a not exactly related comment for this slide: today, JavaScript is very powerful at the client side, so there are more reasons to review that code. But as we can see, this key is encrypted. So let's move on and check the SSH key to gain remote access. But once again, this key is also encrypted.

Now, a remark: today there are tons of information that we want, and like, of course, to read, view, and listen to. And when talking about red teaming, there is no magic scanner working for us, but there are several cases where you won't find any previous information, and this is when you get a research moment. Jenkins itself needs a way to decrypt that information in order to use it. And it has an option to run a script that we are going to use. As you can see, Jenkins provides all we need to do our job. And a simple script will do the magic, and we got our keys decrypted. So we used them to access the cloud with the same privileges as this project's Jenkins has. Will they be for the production environment? Well, let's take a look. It seems clear that we are looking for instances, as long as these credentials are used in an application project. We found information on an instance and the corresponding IP address. Let's check it. Well, it's obvious that this is not our target.
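The two Jenkins settings that made this foothold possible (open self-registration and the "logged-in users can do anything" authorization strategy) are both visible in the global config.xml, so a defender can audit for them before a red team does. The following is an added example, not code from the talk or from the Jenkins project: the element and class names are the real ones Jenkins writes to config.xml, but both XML samples are constructed, and the matrix-based strategy in the hardened sample comes from a Jenkins plugin.

```python
"""Audit a Jenkins global config.xml for the weak settings discussed above:
self-registration left enabled and an authorization strategy that lets any
logged-in (or anonymous) user do anything.  Added example, not code from the
talk or from the Jenkins project; the XML samples are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: open signup plus "logged-in users can do anything".
WEAK_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>
"""

# Constructed sample of the corrected settings (matrix authorization comes from a Jenkins plugin).
HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:jenkins-admins</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
    <enableCaptcha>true</enableCaptcha>
  </securityRealm>
</hudson>
"""

# Strategies that hand full control to every logged-in or even anonymous user.
OVERLY_PERMISSIVE = {
    "hudson.security.AuthorizationStrategy$Unsecured": "anyone, even anonymous, can do anything",
    "hudson.security.FullControlOnceLoggedInAuthorizationStrategy": "logged-in users can do anything",
}


def _is_true(element, name):
    """True when the child element <name> is literally 'true' (case-insensitive)."""
    return (element.findtext(name) or "").strip().lower() == "true"


def audit_jenkins_config(xml_text):
    """Return a list of finding strings for one config.xml; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings = []

    if not _is_true(root, "useSecurity"):
        findings.append("useSecurity is not true: authentication is switched off entirely")

    realm = root.find("securityRealm")
    if realm is not None and realm.get("class", "").endswith("HudsonPrivateSecurityRealm"):
        if not _is_true(realm, "disableSignup"):
            findings.append("disableSignup is false: anyone who reaches the login page can register")

    strategy = root.find("authorizationStrategy")
    if strategy is not None:
        cls = strategy.get("class", "")
        if cls in OVERLY_PERMISSIVE:
            findings.append(f"authorizationStrategy {cls}: {OVERLY_PERMISSIVE[cls]}")
        if (cls.endswith("FullControlOnceLoggedInAuthorizationStrategy")
                and not _is_true(strategy, "denyAnonymousReadAccess")):
            findings.append("denyAnonymousReadAccess is false: unauthenticated users can browse jobs and builds")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":", audit_jenkins_config(cfg) or ["no findings"])
```

Run it against `$JENKINS_HOME/config.xml` on each controller; the signup and authorization findings are exactly the two conditions the case above needed, and the same script can be folded into a configuration-drift check so a re-enabled signup page is caught the day it happens rather than during the next exercise.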
Maybe we can use it for our first jump, but this is not what we are looking for. Let's try with the other kind of access, I mean accessing by SSH. And we are going to focus this time on searching for source code and reviewing that code. So we start using the SSH key we got. And we got access to the cloud by SSH. And we start to search for code. And we found some problems here. The first element to search for, what we are going looking for, is endpoint information, as long as it will show us some new paths, maybe credentials. And we got this config file. As I said, we can see that we got an endpoint and a set of credentials, username and password. And of course, the "API" text means that we have information to access an API. And of course, it will be a RESTful API. Checking from inside the cloud, we use curl. And we got an answer. So the endpoint exists and could be working. Also, we got a redirection. And take a look, there is a cookie with a JSESSIONID. It smells like Java, besides that the code we analyzed was PHP. But we need to be more comfortable, with a browser and other tools. So, using this SSH connection as a proxy and configuring our browser, we can see that we identified it with the IP from the instance. Also, when browsing on the API URL, we got another application related directly to the previous one. And the API. But we have no access to other databases. Only the API is exposed to the cloud instances, just from the cloud instances. Our target is on premises, with the core applications, the legacy ones. And do you remember the JSESSIONID cookie? Well, that and the app server listening on port 8080 seem pretty much like Tomcat. It's better to make regular traffic with a browser or curl to do banner grabbing. I mean, we are not going to use Nmap, for example. And checking Tomcat-related ports, we found port 8009 open for the Apache JServ Protocol.
This AJP is a binary protocol mainly used for reverse proxying between a front-end web server and a back-end application server, such as Apache and Tomcat itself. It is shorter, faster, and of course, vulnerable. Ghostcat was announced this year. And this vulnerability allows arbitrary file reading and Java Server Pages, JSP, processing. It means, in the real world, command execution. And of course, there is AJPShooter to exploit it. We're going to start using proxychains, as long as this tool is not proxy-aware. And from now on, we'll be searching for configuration files mainly. Finding an upload servlet doesn't mean everything is easy. Let's review that servlet's source code. Again, getting the file with AJPShooter, we found the upload directory. And it has some security control. It accepts only JPG or PNG extensions. So we are going to use a simple web shell to start. We don't want a web shell with fireworks. First task on arrival is to change the image name extension from JPG to JSP. And remember that Ghostcat allows for JSP processing, but you don't have to use that extension to ask AJPShooter to do that for you. Upload and execute our special image. Just curl for the upload. And of course, AJPShooter for execution. This script accepts two parameters, read and eval. Eval is for processing the JSP. And as you can see at the bottom of the last image, the first command to execute is to rename the JPG to JSP.

So we start doing enumeration. For example, we are using an account called tomcat. It's a limited account, no high-level privileges. But we can do some network enumeration. And we are going to search for configuration files. After that, we realized that we need to use an improved web shell. So we upload this one. Searching through the configuration files, we found another endpoint and more credentials that are not from the cloud instance, neither the Tomcat server. You could ask, MySQL in the core? Well, actually, it was Oracle, but MySQL was enough for replication.
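Two things in this step are worth checking on the defending side: whether Tomcat's AJP connector is reachable from anything but the front-end proxy (the exposure Ghostcat needs), and whether an upload handler trusts the file extension alone, which is what let a JSP travel as a JPG. The following is an added example, not code from the talk or from Apache Tomcat: `address`, `secret` and `secretRequired` are real Tomcat connector attributes, the two server.xml samples and the secret value are constructed placeholders, and the signature check is a generic magic-byte test rather than anything the case's servlet did.

```python
"""Defensive checks for the Tomcat scenario above: (1) audit server.xml for an
AJP connector that listens beyond loopback or has no shared secret; (2) validate
an image upload by content, not only by extension, so a renamed JSP does not pass
as a JPG.  Added example, not code from the talk or from Apache Tomcat; the
server.xml samples are constructed and the secret value is a placeholder."""
import xml.etree.ElementTree as ET

# Constructed sample: the stock AJP connector, bound to every interface, no secret.
EXPOSED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample of the mitigated connector (secret value is a placeholder).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-SECRET" redirectPort="8443"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return one finding string per problem found on each AJP connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")   # Tomcat's default when omitted
        if "ajp" not in protocol.lower():
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address not in LOOPBACK:
            findings.append(f"AJP connector on port {port} binds to {address or 'all interfaces'}: "
                            "bind it to loopback, or remove it if no front-end proxy needs it")
        if conn.get("secretRequired", "true").lower() == "false" or not conn.get("secret"):
            findings.append(f"AJP connector on port {port} has no shared secret: "
                            "set secretRequired=\"true\" and a long random secret")
    return findings


# Leading bytes of the two formats the upload servlet in the case accepted.
IMAGE_SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}


def is_valid_image_upload(filename, data):
    """Accept only if the extension is on the allow-list AND the bytes carry that format's signature."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    signature = IMAGE_SIGNATURES.get(ext)
    return signature is not None and data.startswith(signature)


if __name__ == "__main__":
    print(audit_ajp_connectors(EXPOSED_SERVER_XML))
    print(audit_ajp_connectors(HARDENED_SERVER_XML))
    print(is_valid_image_upload("shell.jpg", b"<% out.println(1); %>"))
```

The signature test stops a bare JSP wearing a .jpg name, but a file that begins with a real JPEG header and carries JSP text after it would still pass, so the check is a first filter, not the control: keep uploads outside the web root (or in a directory the container never compiles), re-encode images on the way in, and treat the AJP finding as the one that actually removes the path the case used.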
We are going to connect to this database server. Hopefully, we will find the core secrets. Let's use the options of our improved web shell to connect to the database. And showing databases, we could see that this is not the precious secret we are looking for. Also, this account doesn't have enough privileges. So we have to try harder. Well, we tried harder and found another set of credentials in another configuration file for another application. Same endpoint, but different credentials. Let's try these credentials. And finally, we got the core secrets with maximum privileges. From here, we can dump data and exfiltrate it. We can modify, add, or delete databases. We didn't own the domain. We didn't need the domain. So here are the secrets.

Some questions and tips. I guess that someone is monitoring this kind of activity, maybe those application firewalls that are looking for injections or sophisticated malware, not this kind of normal traffic. When we do red teaming, we start with a couple of red teamers and add the extra ones as needed, just to have people with enough skills and experience. And indeed, also during pen testing, reviewing source code is a must. Sometimes developers and admins follow guides strictly and keep some information that is not mandatory to keep. Maybe this is a new kind of source for credentials, but we found keys in sample code from how-tos in some applications' production environment. Just one note. I was kidding when I said that this is normal traffic, but you understand that this is not the kind of sophisticated traffic that we read about all the time in the news. And sometimes it works better, because protection devices are waiting for that sophisticated traffic. So what's next? At least for us, the main objectives of doing a red team exercise are to test the time to detect and time to mitigate.
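Both jumps in this case came from the same source: a configuration file sitting next to the code with an endpoint and a username/password pair, then a second file for another application with higher-privileged credentials for the same endpoint. A defender can run the same review the red team did, over the repository and the deployed instance, before the exercise. The following is an added example, not code from the talk: the scanner, the key-name list and the masking are generic, and the three sample files, hosts and values are constructed placeholders.

```python
"""Scan configuration files for hard-coded endpoints and credentials of the kind
this case turned up twice: first a config file with an endpoint plus a
username/password pair, then a second file with higher-privileged database
credentials for the same endpoint.  Added example, not code from the talk; the
file contents, hosts and values are constructed placeholders."""
import re

# Constructed samples resembling what a source review on the instance might find.
SAMPLE_FILES = {
    "app/config.php": """<?php
define('API_ENDPOINT', 'http://10.0.0.5:8080/api/v1');
$config = [
  'username' => 'appuser',
  'password' => 'S3cret-Placeholder',
  'debug'    => false,
];
""",
    "legacy/db.properties": """db.url=jdbc:mysql://10.0.0.9:3306/core
db.user=coreadmin
db.password=Another-Placeholder
db.pool.size=10
""",
    "README.md": "Set the connection string in config.php before deploying.\n",
}

# key[separator]value, where the key ends in a credential- or endpoint-like word.
# Handles key=value, key: value, 'key' => 'value' and define('KEY', 'value').
KEY_PATTERN = re.compile(
    r"""(?P<key>[A-Za-z_.]*(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token|user(?:name)?|endpoint|url))
        ['"]?\s*(?:=>|=|:|,)\s*['"]?
        (?P<value>[^'"\s,;)]+)""",
    re.IGNORECASE | re.VERBOSE,
)
SECRET_WORDS = ("pass", "pwd", "secret", "key", "token")


def mask(value):
    """Keep the first two characters so a finding can be traced without echoing the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_config_text(path, text):
    """Return one finding dict per matched key in a single file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_PATTERN.finditer(line):
            key, value = m.group("key"), m.group("value")
            is_secret = any(word in key.lower() for word in SECRET_WORDS)
            findings.append({
                "file": path,
                "line": lineno,
                "key": key,
                "kind": "secret" if is_secret else "identifier",
                "value": mask(value) if is_secret else value,
            })
    return findings


def scan_files(files):
    """Scan a {path: text} mapping and return all findings, with secrets masked."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_config_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['kind']:<10} {f['key']} = {f['value']}")
```

Endpoints are reported unmasked on purpose: two files pointing at the same host with different credentials is precisely the pattern that turned a low-privilege database account into the core secrets, and grouping findings by endpoint shows it at a glance. Secrets are masked so the report itself does not become the next configuration file full of credentials.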
But let's face it, most organizations just want to have an almost real-world experience with attackers, and real ones are looking for ways to get money from their attacks, or some kind of power. So let's think as them and elaborate ways to exploit the information. To keep everything organized, we have to add this initial compromise to our C2. My favorite one is PoshC2, of course. There is command execution in a couple of jumps. Maybe it could be useful for lateral movement.

Let's move on to case two, dynamic duo. Remote access is required. Before COVID-19, it was needed, and after this, it's a must. But how is this kind of service related to applications? Well, as long as these services use protocols like HTTPS, as long as the users and admins use their browser to do their thing, as long as these interfaces are using HTML, JavaScript, and running CGI and server scripting languages, they bleed also. I mean, they have common application vulnerabilities also. This is our scenario for this case. This company has two remote access servers. Why? Migration, backup. Both integrated with Active Directory, a perimeter with some good protection. They can work together. We are going to see how. By the way, this will be the traditional red teaming, getting domain admin from the beginning. Let's find out what is the origin of these vulnerabilities, or when we realized that these vulnerabilities exist. Last year, these researchers showed several vulnerabilities they discovered on SSL VPN appliances. After that, exploits started to appear. But as everyone that knows how to use a weapon knows, this is not just point and shoot. You have to know how your weapon works, how your tool works, and take care of your weapon, of your tool. In the more traditional services, there are always better paths to command execution. So let's start with one of them. Pulse Connect Secure. One of the vulnerable appliances shown last year was this Pulse Connect Secure.
There are several versions affected. Again, we found an administrative interface exposed to the internet. We have several credentials to try, coming from reconnaissance. But maybe doing some kind of password spray against this device could start the alerts. So maybe we shouldn't try them. And we are going to do some kind of special reconnaissance, in the way that we test applications. And why don't we try with a proxy like Burp? As in case one, we keep updated, reading, viewing and listening to a lot of information. Actually, we like that a lot. So checking if this device is vulnerable to pre-authentication arbitrary file reading is as easy as sending a request. We are using Burp just because it's our favorite tool for application security testing. And as we can see, this appliance is vulnerable. We are reading files like passwd, with a list of users, and several other files, such as the one with hosts registered manually in this file. So this device is vulnerable. And we are going to use a script; some folks made a bash script to exploit this vulnerability. Also, we want to give some recognition to all these young people helping others by automating the exploitation. That's the reason for that small white message there. This script will download several files. Some are pure plain text, and some are data structured in another format. All contain critical information: keys, user names, passwords, IP addresses, operating systems of users, and so on. For example, we got local users, that are Active Directory users if the appliance is integrated with that directory service. And also VPN logins, that are user names with passwords, all in plain text. Yes, in 2020 there are still security appliances storing credentials in just plain or clear text. Also, we got SSH keys, but we are not going to use them because the external firewall is doing its job; at least, it seems that it is doing its job very well. So we have another group of information. We got clear text credentials.
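The file-reading requests described here are single, unauthenticated GETs against the appliance's web interface, so they are visible in its HTTP access log even when nothing else fires. The following detection logic is an added example, not code from the talk or from any vendor: it parses combined-format log lines, percent-decodes each path repeatedly to catch double encoding, and flags traversal sequences or paths that resolve to sensitive system files. The log lines, addresses and URL paths are constructed and do not reproduce any specific product's request pattern.

```python
"""Detect pre-authentication file-read attempts of the kind described above in
an HTTP access log from a remote-access appliance.  Added example, not from the
talk or any vendor; the log lines, addresses and paths are constructed."""
import re
from urllib.parse import unquote

# Constructed combined-format access-log lines (addresses from documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2020:10:01:02 +0000] "GET /login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2020:10:01:09 +0000] "GET /login/../../../../etc/passwd HTTP/1.1" 200 2310 "-" "curl/7.68.0"
198.51.100.4 - - [10/Aug/2020:10:02:15 +0000] "GET /static/css/%2e%2e%2f%2e%2e%2fetc%2fhosts HTTP/1.1" 200 410 "-" "python-requests/2.23"
198.51.100.4 - - [10/Aug/2020:10:02:40 +0000] "GET /static/%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "python-requests/2.23"
192.0.2.9 - - [10/Aug/2020:10:03:00 +0000] "GET /help/faq.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# File names a VPN appliance's web layer has no reason to serve.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/hosts")


def normalize_path(path):
    """Drop the query string and percent-decode until stable (bounded, to catch %252e tricks)."""
    path = path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(path):
    """Return the list of reasons a request path looks like a file-read attempt (empty if clean)."""
    norm = normalize_path(path).lower()
    reasons = []
    if "../" in norm or "..\\" in norm:
        reasons.append("traversal sequence")
    if any(name in norm for name in SENSITIVE):
        reasons.append("sensitive file name")
    return reasons


def detect_file_read_attempts(log_text):
    """Parse each log line and return a hit record for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m.group("path"))
        if reasons:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": m.group("path"),
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in detect_file_read_attempts(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["path"], ", ".join(hit["reasons"]))
```

The status code is kept in each hit because it separates probing from success: a traversal request answered with 200 and a non-zero body, as in the second and third sample lines, means the appliance handed the file over and the credential-reset work described later in this case starts now, not after the exercise report.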
And we get inside Pulse Connect Secure with user-level credentials, just low user-level. There's not too much to do with that. But some user names have a kind of Active Directory look and feel. And they weren't in clear text. We got the hashes of the passwords. So John the Ripper came and did its thing, cracked hashes. And after that, we got access as a user. Also, not too many applications delivered for end users and admins. So doing more checks, there is integration with Active Directory enabled, as we can see with these authentication servers. And for that integration, of course, you need an account to access the Active Directory, an administrator-level account for Active Directory. So we got domain admin. And yes, as you can guess, there is credential reuse in this organization also. But then, this thing doesn't stop here, because it's also vulnerable to command execution. So after doing some enumeration of users and testing if we can reach the domain controllers of this Active Directory, we went for command execution. For this, we need credentials. We have those credentials, because this vulnerability is post-authentication. We can inject commands and execute. There is a public exploit. This is another exploit made in Python. And what it does is take the credentials we got and do the magic to allow us to connect to the appliance by SSH. What it does is download our SSH keys to the appliance. But there is a firewall, as I said. There isn't a way to connect by SSH. So we have to do small modifications to the script in order to use it. As you can see, just comment out some lines. And that parameter manipulation, plus we are going to use verbose output. This script is proxy-aware for debugging purposes, so we don't have to add anything about that. And now we are executing commands on the appliance. So the question arises: is this enough? Well, as there is a Robin for every Batman, or vice versa, we got Pulse Connect Secure. And it has Citrix right by its side.
That was perfect for us, because having only one foot inside is not enough. Guess what? Credential reuse is everywhere. We got access with the same credentials as the ones in the other appliance. Of course, they are Active Directory integrated. And in this case, it has more applications deployed. And we started to check one by one. Special focus on traditional Windows applications delivered using thin clients, because there are several ways to escape to the Windows command shell or PowerShell. So this application looks like the one we are looking for. As you can see, it loads an instance of Windows. This is the application starting. And this is the application login pop-up. Escaping from the Citrix jail has a long history, from several years ago until today. At first, it was based on pressing some keys on the keyboard. For example, in this case, pressing Control plus Alt plus Delete does the trick. In other cases, Windows Sticky Keys, pressing Shift five times, or ICA keys from Citrix. To gain access to CMD or PowerShell, you can use dialogs such as File and Open, or File and New Task from Task Manager, as you will see. There is more on these to bypass file restrictions. There are several documents. So how to do that? So Task Manager, New Task, cmd.exe, and we got CMD in action. From there on, we did some enumeration, classic Windows and AD enumeration. But more important, search for valuable information. To tell the truth, you can see that we found here some files with credentials and IP addresses. But in this case, we just confirmed that this kind of information was accurate and updated, because we got this information in one repository on GitHub during our reconnaissance. After this, we are going to see the light in terms of infrastructure penetration. Because good network segmentation is still a dream. There are yet several exceptions, breaking ACLs. And in 2020, it's not true that only end users are good victims.
We are going to try to shoot at developers, internal and external ones, IT people and security people. Why? Because they have more power on their machines than end users. As simple as that.

Some tips about this kind of initial compromise. We have two doors open. In that moment, it was important to warn the customer about that. The customer had to warn the SOC guys. Also, the prevention, correlation, and event management solutions had to be warned. It's important to be as smooth as possible. But there are some cases where you cannot wait until the end of the red team exercise to warn the customer. Also, as part of these smooth actions, you should avoid creating accounts. At least they know the code-level ones. It's better to use a simple user account and give power to that account. In some situations, it won't be possible. So, for that, create an account after several checks. Always keep logs in mind. Of course, delete entries belonging to your work. Remember to never underestimate your adversary. Be patient. This is not a game. And this is the reason why red team exercises have enough time. Have fun, of course. Finally, I want to thank Omar and all the crew at Red Team Village. They do an awesome job all the time. Just for giving back to the community.