Napping is a machine I created where I wanted to highlight the exploit of Tab Nabbing. We use the Tab Nabbing attack to phish out some credentials from an administrator who happens to use the same credentials to SSH into the machine. Then we see that we can write to a Python script that is being executed every 2 minutes by another user. Then, due to a sudo misconfiguration, we can elevate our privileges in order to gain root access to the machine.
Nmap
We first need to find the target’s IP address
- hostname -I to find our IP address
- sudo nmap -v --min-rate 10000 11.0.2.3-254 | grep open to look at our network
- Note that your IP address range might be different
Then we can do a full nmap scan with the command sudo nmap -v -sV -sC -oN nmap 11.0.2.5 -p-
And we have 2 ports open:
- Port 22 running OpenSSH
- Port 80 running Apache HTTP
We can’t do much with SSH so let us take a look at the Web Site.
Web Page
Checking out the webpage shows us a Login page:
Let’s go ahead and create an account with any username and password, I am choosing testuser and password as the username and password respectively. Once we log in, we are greeted with a free blog promotions site:
It looks like we can submit our link and when we do, it is displayed on the site for us to check out:
If we click on the link, it opens the page in a new tab:
If we review the source code, we see that this particular URL link functionality on the site is vulnerable to Tab Nabbing:
Tab Nabbing
A simple google search for this will point to Tab Nabbing:
So essentially, if someone clicks on the link provided and is sent to the new tab, their original page will be redirected to a link specified on your page, provided your page contains this code snippet:
Now the site indicates that the admin of the page will review our links so we can assume that he will be clicking on that link as well. If we can trick the admin into thinking that he got logged out then he will input his credentials again, but this time it will be on our page. So with that said, let’s build our payload.
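From the defender's side, the condition the write-up relies on is an anchor that opens a new tab with target="_blank" but carries no rel="noopener", which leaves window.opener reachable from the opened page. The following is an added example, not code from the original write-up or from the Napping machine, that audits a page's HTML for such anchors and rewrites them to carry rel="noopener noreferrer". The SAMPLE_PAGE markup is constructed for the demonstration and uses only the Python standard library.

```python
"""Audit and harden target="_blank" anchors against reverse tabnabbing.

Added example (not from the original write-up). Assumptions: the page is
server-rendered HTML, anchors use double-quoted attributes, and the fix the
site owner wants is to add rel="noopener noreferrer" to every new-tab link.
"""
import re
from html.parser import HTMLParser

# Constructed sample of a "submitted links" list like the one on the machine.
SAMPLE_PAGE = """
<h2>Submitted links</h2>
<ul>
  <li><a href="http://blog.example/post" target="_blank">Blog post</a></li>
  <li><a href="http://other.example/" target="_blank" rel="nofollow">Other</a></li>
  <li><a href="http://safe.example/" target="_blank" rel="noopener noreferrer">Safe</a></li>
  <li><a href="/about">About (same tab)</a></li>
</ul>
"""


class BlankTargetAuditor(HTMLParser):
    """Collect every <a target="_blank"> and whether it lacks rel="noopener"."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (href, rel, vulnerable)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases attribute names
        if a.get("target", "").lower() != "_blank":
            return
        rel_tokens = {t.lower() for t in a.get("rel", "").split()}
        vulnerable = "noopener" not in rel_tokens
        self.findings.append((a.get("href", ""), a.get("rel", ""), vulnerable))


def audit(html):
    """Return (href, rel, vulnerable) for each new-tab anchor in the document."""
    parser = BlankTargetAuditor()
    parser.feed(html)
    return parser.findings


def vulnerable_links(html):
    """Hrefs of new-tab anchors that still expose window.opener."""
    return [href for href, _rel, vulnerable in audit(html) if vulnerable]


_A_TAG = re.compile(r"<a\b[^>]*>", re.IGNORECASE)
_REL = re.compile(r'\brel\s*=\s*"([^"]*)"', re.IGNORECASE)
_BLANK = re.compile(r'\btarget\s*=\s*"_blank"', re.IGNORECASE)


def _harden_tag(match):
    """Add noopener/noreferrer to a single <a ...> start tag if it opens a new tab."""
    tag = match.group(0)
    if not _BLANK.search(tag):
        return tag
    rel = _REL.search(tag)
    if rel is None:
        return tag[:-1] + ' rel="noopener noreferrer">'
    tokens = rel.group(1).split()
    present = {t.lower() for t in tokens}
    for needed in ("noopener", "noreferrer"):
        if needed not in present:
            tokens.append(needed)
    return tag[: rel.start()] + 'rel="' + " ".join(tokens) + '"' + tag[rel.end():]


def harden(html):
    """Rewrite the document so every target="_blank" anchor carries rel="noopener noreferrer"."""
    return _A_TAG.sub(_harden_tag, html)


if __name__ == "__main__":
    for href, rel, vulnerable in audit(SAMPLE_PAGE):
        print(f"{'VULNERABLE' if vulnerable else 'ok        '} {href} rel={rel!r}")
    print(harden(SAMPLE_PAGE))
```

Running the block reports the first two links as vulnerable and prints the rewritten markup, after which a second audit finds nothing. As the author's note later in the post says, current browsers treat target="_blank" as implying noopener, so this check mostly matters for older clients and for sites that explicitly opt back in with rel="opener".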
Phished Credentials
First, let’s copy the login page:
Next, we build our malicious html payload:
This payload will work as well:
Now let’s see this in action:
- Submit the link pointing to our malicious html
- Then click on the link
- We will be taken to our malicious html
- But the original tab will go to our index.html which will look exactly like the login page
- Make sure you have Python Server running on ports 80 and 8000
Author’s Note: Most modern browsers have patched up Tab Nabbing. I was able to get this working by installing an old version of Firefox, but this is purely optional. Nevertheless, I still believe this is a great exploit to cover and show how it can be used by a malicious actor:
Now let’s repeat the process but let’s use netcat to host our index.html and if we wait about 2 minutes, we will catch the credentials:
The password for the user daniel is C@ughtm3napping123 which we can also use to SSH into the machine:
Author’s Note: If it has been more than 2 minutes and you haven’t gotten a response on your servers, just keep submitting the link. The way I built the Tab Nabbing exploit is that it clears all submitted links every 5 minutes in order to avoid any connectivity issues from bad links.
Administrators
We see that daniel is part of the administrators group:
Using find, we can look for any interesting files we may have access to with the command find / -group administrators -type f 2>/dev/null
We find the query.py Python script which looks like it is checking the status of the Web Server and then writing it to a file site_status.txt:
The important thing to note here is that we have write access to the file as part of the administrators group and according to the site_status.txt file, it seems to be executed every 2 minutes:
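The root cause here is a scheduled script that one user executes while another group can write to it. As an added example (not part of the original write-up or of the Napping machine), the following helper reports the permission conditions that create that exposure for a given script path: group or world write bits on the file, and a parent directory that others can write to without the sticky bit. The demo() function builds two constructed files in a temporary directory so it runs anywhere without touching the real system.

```python
"""Audit a script that a scheduler (cron) runs as another user.

Added example (not from the original write-up). Assumes a POSIX filesystem;
the file names in demo() are constructed for the demonstration.
"""
import os
import stat
import tempfile


def permission_findings(path):
    """Return human-readable findings for a script that another user executes on a schedule."""
    st = os.stat(path)
    findings = []
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    # A writable parent directory without the sticky bit lets others replace the
    # file outright, even when the file's own mode is tight.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if (pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH)) and not (pst.st_mode & stat.S_ISVTX):
        findings.append("parent directory writable by group/others")
    return findings


def demo():
    """Create two constructed scripts, one group-writable and one not, and audit both."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)  # owner-only write on the directory
        for name, mode in (("query_loose.py", 0o664), ("query_tight.py", 0o644)):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("# placeholder script body\n")
            os.chmod(p, mode)
            results[name] = permission_findings(p)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'no findings'}")
```

The same function can be pointed at any real path listed in a crontab; the fix the findings point to is to make the script owned and writable only by the account that runs it.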
So let’s go ahead and create a reverse shell bash script in the /dev/shm directory:
Then let’s go ahead and edit the Python script to execute this shell:
And in about 2 minutes, we get a reverse shell:
Then we can upgrade our shell:
- python3 -c 'import pty;pty.spawn("/bin/bash")' then press Ctrl+Z
- stty raw -echo;fg then press ENTER twice
- export TERM=xterm
Privilege Escalation
The command sudo -l shows that we can run vim as root without a password:
According to GTFOBins, we can get root access with the command sudo /usr/bin/vim -c ':!/bin/sh'
And we are root!
Conclusion
I had a lot of fun making this machine, especially the Tab Nabbing part. I know the attack may seem like a silly thing to be tricked by but that’s what the theme of the machine is all about. Hope you enjoyed the machine and the write up!