Cybersecurity is NBS System's historical core business, and security services have a special place in our hearts. It is indeed very important for a company to test the security of its information systems regularly, whether in a “build-run-check” model or as part of continuous integration, for instance through penetration tests and audits.
NBS System's experts thus advise many companies on securing their information systems. Sometimes the tests or their results are unexpected, as we saw in a previous article, “Memoirs of pentesters”. Other times they leave their mark because of the convoluted reasoning and the bypasses their success required: proof that breaking into an information system, for good or bad reasons, takes more than technical skills!
Our cybersecurity experts experienced one of these cases: discover with us how the test was carried out, and how the team finally succeeded.
Intrusion into an information system: first try
The client used an LDAP directory for all its applications; it held the usernames and passwords of all its members. On one of the applications, our experts found a vulnerability allowing LDAP injection: a first entry point into the information system. Their goal then became to use the injection to change a member's password in the directory and thereby take over an administrator account.
To exploit this vulnerability, our pentesters created an account on the application, then repeated the following sequence of actions:
- LDAP injection test: the pentester enters their own username and, in the password field, submits entries from a dictionary of malicious LDAP payloads (fuzzing).
- Login test: the pentester tries to log in to the same account, to check whether its credentials changed as a result of the previous step.
After a few iterations, logging in became impossible, which proved that the account's password had been changed: the injected input had altered the stored password rather than merely being compared against it. Through this, our experts finally took control of an administrator account: that of Moodle, the e-learning software installed on the client's targeted server.
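The injection class at work here, as an added Python example (it is not NBS System's code, and not a reconstruction of the client's application, whose login form and filter the article does not describe): a login that concatenates user input into an LDAP search filter, the same login with RFC 4515 escaping, and a probe loop in the spirit of the fuzz-then-check iterations above. The directory entries, the `(&(uid=...)(userPassword=...))` template and the probe strings are all constructed, and a toy filter evaluator stands in for the LDAP server so the block runs offline.

```python
"""
LDAP search-filter injection: a vulnerable login filter next to its escaped
form, evaluated against a small in-memory directory by a toy evaluator
(RFC 4515 subset: &, |, !, attr=value with * wildcards). Added example, not
NBS System's code; directory, filter template and probes are constructed.
"""
import re

# Constructed directory entries.
DIRECTORY = [
    {"uid": "admin", "userPassword": "Tr0ub4dor&3", "role": "administrator"},
    {"uid": "alice", "userPassword": "wonderland", "role": "member"},
    {"uid": "pentester", "userPassword": "letmein", "role": "member"},
]

# Assumed login filter: look the user up by uid and password in one query.
LOGIN_FILTER = "(&(uid=%s)(userPassword=%s))"


class FilterError(ValueError):
    """Raised for a filter the toy server cannot parse (a real one would too)."""


def escape_filter_value(value):
    """RFC 4515 escaping: backslash, '*', '(', ')' and NUL become \\XX hex
    escapes, so user input can never open or close a filter clause."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i):
    """Parse one parenthesised filter at s[i]; return (node, next index)."""
    if i >= len(s) or s[i] != "(":
        raise FilterError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")" or not children or (op == "!" and len(children) != 1):
            raise FilterError("malformed '%s' clause" % op)
        return (op, children), i + 1
    j = s.find(")", i)
    if j < 0 or "=" not in s[i:j]:
        raise FilterError("malformed assertion at offset %d" % i)
    attr, _, val = s[i:j].partition("=")
    return ("=", attr, val), j + 1


def _matches(node, entry):
    op = node[0]
    if op == "&":
        return all(_matches(c, entry) for c in node[1])
    if op == "|":
        return any(_matches(c, entry) for c in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    _, attr, val = node
    if attr not in entry:
        return False
    # An unescaped '*' is a wildcard; escaped characters match literally.
    pattern = ".*".join(re.escape(_unescape(p)) for p in val.split("*"))
    return re.fullmatch(pattern, entry[attr], re.S) is not None


def search(filter_str, directory=DIRECTORY):
    """Return the uids of entries matching filter_str; reject trailing data."""
    tree, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise FilterError("trailing data after filter")
    return [e["uid"] for e in directory if _matches(tree, e)]


def login_vulnerable(username, password):
    """Raw concatenation: user input becomes filter syntax."""
    return search(LOGIN_FILTER % (username, password))


def login_hardened(username, password):
    """Same template, but every value is escaped before insertion."""
    return search(LOGIN_FILTER % (escape_filter_value(username),
                                  escape_filter_value(password)))


# Constructed probes, submitted in the password field one after another,
# in the spirit of the fuzz-then-check loop described above.
PROBES = ["*", "x)", "*)(uid=*"]


def probe_login(username, probes=PROBES):
    """Probes that log the user in through the vulnerable path. A probe that
    breaks the filter syntax is a server error, not a bypass."""
    hits = []
    for p in probes:
        try:
            if search(LOGIN_FILTER % (username, p)):
                hits.append(p)
        except FilterError:
            pass
    return hits


if __name__ == "__main__":
    print("wrong password, vulnerable:", login_vulnerable("admin", "nope"))
    print("injected, vulnerable:     ", login_vulnerable("admin)(|(uid=*", "x)"))
    print("injected, hardened:       ", login_hardened("admin)(|(uid=*", "x)"))
    print("probes that bypass:       ", probe_login("pentester"))
```

Run as a script, the block shows the username `admin)(|(uid=*` with password `x)` matching the admin entry through the raw filter (`(&(uid=admin)(|(uid=*)(userPassword=x)))`) and matching nothing through the escaped one. Real client libraries ship the same escaping (`ldap.filter.escape_filter_chars` in python-ldap, `ldap3.utils.conv.escape_filter_chars` in ldap3). The article's case went further than a login bypass, since the injection ended up altering a stored password, but the defence is the same: user input must never reach a filter or a DN unescaped.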
Control over Moodle… not enough!
The version of Moodle used by the client contained a known vulnerability (CVE-2013-3630) allowing command execution, exploitable from an administrator account. Since our experts controlled one, they tried to exploit the flaw with a Metasploit module, aiming to obtain a shell on the client's web server.
The documented exploit failed, however, because Moodle had no write access on the platform. No matter: our experts took another route. They built a binary (an executable containing their commands) that opens a connection from the machine executing it back to the server our team uses for its external security tests, in other words a reverse shell.
Through their Moodle admin account, they issued a command making the application download this binary into its temporary directory (/tmp). A second command executed the file and the connection came up: our experts now had a reverse shell on the server. It did not run as root, but it made interacting with the server far easier, which, as the team suspected, would soon prove useful!
Getting root access, the last step
Our experts' goal was still to obtain a root account on the client's web server. Further tests on the server revealed that Apache's configuration files were readable and writable by everyone, so our experts could modify the configuration through the shell obtained via Moodle. Better still, Apache's logging process ran as root on the web server...
The solution was then simple. The testers changed Apache's configuration through their reverse shell. As a result, at the next log rotation, the Apache process executed the binary sitting in /tmp, which opened a connection between NBS System's server and the client's, just as had happened via Moodle. This time the reverse shell ran as root, giving our experts complete control of the server.
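The escalation above rests on two properties of Apache httpd: piped log programs (`CustomLog "|/path/program" ...`, `ErrorLog "|..."`) are started by the parent httpd process with its privileges, normally root, and they are respawned on a reload such as the one logrotate triggers after rotating the logs. The article does not say which directive the team edited; the audit below, an added Python example that is not NBS System's code, assumes a piped-log directive pointing at the binary in /tmp. It builds a constructed configuration tree carrying both weaknesses (a configuration file anyone can edit, a piped logger that non-root users can replace) and flags them; the sample configuration, payload path and finding names are constructed.

```python
"""
Audit an Apache configuration tree for the two conditions the root
escalation relied on: configuration files editable by unprivileged users,
and piped log programs, which the root parent httpd spawns as root and
restarts on every reload (including logrotate's post-rotation reload).
Added example, not NBS System's code; sample config and paths constructed.
"""
import os
import re
import stat
import tempfile

# CustomLog/ErrorLog/TransferLog whose target is a program: optional
# quote, '|' or '|$', then the program path (first token).
PIPED_LOG = re.compile(
    r'^\s*(CustomLog|ErrorLog|TransferLog)\s+"?\|\$?\s*([^"\s]+)', re.IGNORECASE)


def parse_piped_logs(config_text):
    """Return (directive, program) for every piped-logger directive."""
    found = []
    for line in config_text.splitlines():
        m = PIPED_LOG.match(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def writable_by_others(path):
    """True if the path is group- or world-writable, or does not exist yet
    (a missing program under a writable directory can simply be created)."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return True
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def config_files(config_dir):
    for root, _, names in os.walk(config_dir):
        for n in names:
            yield os.path.join(root, n)


def audit(config_dir):
    """Return (finding, path) tuples for the weaknesses found."""
    findings = []
    for path in sorted(config_files(config_dir)):
        if writable_by_others(path):
            findings.append(("writable-config", path))
        with open(path) as f:
            text = f.read()
        for _directive, program in parse_piped_logs(text):
            # Every piped logger inherits the parent's uid (root); one that a
            # non-root user can replace, or that lives in /tmp, is a root shell.
            findings.append(("piped-logger-runs-as-root", program))
            if writable_by_others(program) or writable_by_others(os.path.dirname(program)):
                findings.append(("writable-piped-logger", program))
    return findings


# Constructed configuration: one ordinary file log and one attacker-added
# piped logger pointing at a stand-in for the reverse-shell binary.
SAMPLE_CONF = """\
ServerName www.example.test
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
CustomLog "|{payload}" combined
"""


def build_demo():
    """Create the constructed tree with both weaknesses and audit it."""
    root = tempfile.mkdtemp(prefix="apache-audit-")
    conf_dir = os.path.join(root, "conf")
    os.mkdir(conf_dir)
    payload = os.path.join(root, "payload")
    with open(payload, "w") as f:
        f.write("#!/bin/sh\n# constructed stand-in for the reverse-shell binary\n")
    os.chmod(payload, 0o777)              # replaceable by anyone
    conf = os.path.join(conf_dir, "apache2.conf")
    with open(conf, "w") as f:
        f.write(SAMPLE_CONF.format(payload=payload))
    os.chmod(conf, 0o666)                 # the client's mistake: editable by all
    return conf, payload, audit(conf_dir)


if __name__ == "__main__":
    for finding in build_demo()[2]:
        print("%-26s %s" % finding)
```

On a real host, `audit("/etc/apache2")` (or `/etc/httpd`) is the whole check. The remediation is the usual one: configuration files and every piped-logger program owned by root and not writable by anyone else, never under /tmp, and, since a piped logger is root code by construction, treat any change to a `CustomLog`/`ErrorLog` line as a privileged change worth alerting on.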
A successful penetration test means a soon-to-be well-protected website
Thus, after thinking long and hard about ways around the obstacles they met, our testers were able to give the client a detailed report on the vulnerabilities and weak points of its information system: a genuine cybersecurity audit. When a penetration test requires the experts to dig this deep to find vulnerabilities, that is good news for the client: it means its security level is relatively high. There are indeed less secure sites on the web that attackers can compromise with less effort for similar results. Vigilance is still called for, however, since no one is safe from an oversight or a targeted attack! By putting themselves in a hacker's shoes and going deep during their tests, our experts cover every possibility and secure our clients' platforms effectively.
Technical source: Julien Voisin