Uncover the Secrets of Napping Penetration Testing

Napping is a machine I created where I wanted to highlight the Tab Nabbing exploit. We use the Tab Nabbing attack to phish credentials from an administrator who happens to use the same credentials to SSH into the machine. Then we see that we can write to a Python script that is executed every 2 minutes by another user. Finally, thanks to a sudo misconfiguration, we can elevate our privileges and gain root access to the machine.

Nmap

We first need to find the target's IP address:

  1. hostname -I to find our own IP address
  2. sudo nmap -v --min-rate 10000 11.0.2.3-254 | grep open to look at our network
  3. Note that your IP address range might be different


Then we can do a full nmap scan with the command sudo nmap -v -sV -sC -oN nmap 11.0.2.5 -p-


And we have 2 ports open:

  1. Port 22 running OpenSSH
  2. Port 80 running Apache HTTP

We can't do much with SSH yet, so let us take a look at the website.

Web Page

Checking out the webpage shows us a login page.

Let's go ahead and create an account with any username and password; I am choosing testuser and password as the username and password respectively. Once we log in, we are greeted with a free blog promotion site.

It looks like we can submit our own link, and when we do, it is displayed on the site for us to check out.


If we click on the link, it opens the page in a new tab.

If we review the page source, we see that the link functionality on the site (a target="_blank" link without rel="noopener") is vulnerable to Tab Nabbing.

Tab Nabbing

A simple Google search for this will point to Tab Nabbing.

So essentially, if someone clicks on the submitted link and is sent to the new tab, their original tab will be redirected to a URL of our choosing, as long as the page we host contains the opener-redirect code snippet.
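A defender-side check for the weakness described above, added here as an example and not code from the write-up: a Python scan that flags target="_blank" links lacking rel="noopener" (or "noreferrer", which implies it). The sample markup and the attacker.example host are constructed stand-ins for the site's submitted-link listing.

```python
from html.parser import HTMLParser


class BlankTargetAudit(HTMLParser):
    """Collect links that open a new tab without severing window.opener.

    A link that uses target="_blank" needs rel="noopener" (or "noreferrer",
    which implies it); otherwise the opened page may navigate the opener tab.
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases attribute names
        if a.get("target", "").lower() != "_blank":
            return
        rel = a.get("rel", "").lower().split()
        if "noopener" not in rel and "noreferrer" not in rel:
            self.findings.append(a.get("href", ""))


def find_tabnabbable_links(html):
    """Return hrefs of <a target="_blank"> elements lacking noopener/noreferrer."""
    parser = BlankTargetAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample mimicking the site's list of submitted links.
SAMPLE_HTML = """
<ul>
  <li><a href="http://attacker.example:8000/blog.html" target="_blank">Check out my blog</a></li>
  <li><a href="https://example.com/safe" target="_BLANK" rel="noopener noreferrer">Hardened</a></li>
  <li><a href="https://example.com/same-tab">Opens in the same tab</a></li>
</ul>
"""

if __name__ == "__main__":
    for href in find_tabnabbable_links(SAMPLE_HTML):
        print("tabnabbable link:", href)
```

Adding rel="noopener noreferrer" to the flagged anchors (or dropping target="_blank") is the fix; current browsers already default to noopener for target="_blank", which is why the author needed an old Firefox to reproduce the attack.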

Now, the site indicates that the admin of the page will review our links, so we can assume that he will be clicking on our link as well. If we can trick the admin into thinking that he got logged out, he will input his credentials again, but this time on our page. So with that said, let's build our payload.

Phished Credentials

First, let's copy the login page.


Next, we build our malicious HTML payload.

An alternative version of the payload works as well.

Now let's see this in action:

  1. Submit the link pointing to our malicious HTML
  2. Then click on the link
  3. We will be taken to our malicious HTML page
  4. But the original tab will go to our index.html, which looks exactly like the login page
  5. Make sure you have a Python web server running on ports 80 and 8000



Author's Note: Most modern browsers have patched Tab Nabbing. I was able to get this working by installing an old version of Firefox, but this is purely optional. Nevertheless, I still believe this is a great exploit to cover and show how it can be used by a malicious actor.

Now let's repeat the process, but this time use netcat to host our index.html. If we wait about 2 minutes, we will catch the credentials.


The password for the user daniel is C@ughtm3napping123, which we can also use to SSH into the machine.

Author's Note: If it has been more than 2 minutes and you haven't gotten a response on your servers, just keep submitting the link. The way I built the Tab Nabbing exploit, it clears all submitted links every 5 minutes in order to avoid any connectivity issues from bad links.

Administrators

We see that daniel is part of the administrators group.

Using find, we can look for any interesting files we may have access to with the command find / -group administrators -type f 2>/dev/null

We find the query.py Python script, which looks like it checks the status of the web server and writes the result to a file, site_status.txt.

The important thing to note here is that we have write access to the script as members of the administrators group, and according to the timestamps in site_status.txt, it is executed every 2 minutes.
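The underlying misconfiguration is a scheduled script that a less privileged group can edit. As an added example (not code from the write-up), this Python audit parses a crontab, locates the scripts it runs and flags any that are group- or world-writable; the crontab line and the temp-dir path are constructed stand-ins, since the page does not show the machine's real schedule.

```python
import os
import stat
import tempfile

# Constructed crontab line standing in for the machine's real schedule; the
# page only states that query.py is executed every 2 minutes by another user.
DEMO_CRONTAB = "*/2 * * * * root /usr/bin/python3 {script}\n"


def risky_bits(mode):
    """Reasons a file with this st_mode should not run unattended as another user."""
    reasons = []
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def scripts_from_crontab(text):
    """Absolute .py/.sh paths on non-comment lines (system-crontab format assumed)."""
    paths = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        paths.extend(t for t in line.split() if t.startswith("/") and t.endswith((".py", ".sh")))
    return paths


def audit_scheduled_scripts(crontab_text):
    """Map each scheduled script to its risk reasons ('missing' if it does not exist)."""
    findings = {}
    for path in scripts_from_crontab(crontab_text):
        try:
            findings[path] = risky_bits(os.stat(path).st_mode)
        except FileNotFoundError:
            findings[path] = ["missing"]
    return findings


def demo():
    """Create a stand-in query.py with mode 664 (the page's weakness) and audit it."""
    script = os.path.join(tempfile.mkdtemp(), "query.py")
    with open(script, "w") as f:
        f.write("# placeholder for query.py\n")
    os.chmod(script, 0o664)  # owner rw, group rw: any group member can edit it
    return audit_scheduled_scripts(DEMO_CRONTAB.format(script=script))


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", ", ".join(reasons) or "ok")
```

The fix on the machine side is chmod 644 (or 755) on query.py with root ownership, so that administrators-group members can read but not modify what root executes.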

So let's go ahead and create a reverse shell bash script in the /dev/shm directory.

Then let's go ahead and edit the Python script to execute this shell script.

And in about 2 minutes, we get a reverse shell.

Then we can upgrade our shell:

  1. python3 -c 'import pty;pty.spawn("/bin/bash")' then press Ctrl+Z
  2. stty raw -echo;fg then press ENTER twice
  3. export TERM=xterm


Privilege Escalation

The command sudo -l shows that we can run vim as root without a password.

According to GTFOBins, we can get root access with the command sudo /usr/bin/vim -c ':!/bin/sh'

And we are root!

Conclusion

I had a lot of fun making this machine, especially the Tab Nabbing part. I know the attack may seem like a silly thing to be tricked by, but that is what the theme of the machine is all about. Hope you enjoyed the machine and the write-up!
