Wednesday, 12 August 2020

Scheduling Checkpoint Gaia

It has been a busy few days, but in the meantime I decided to install Checkpoint Gaia. Below you'll find a few notes about it. Here we go...

We should start here:


I decided to install it on VMware Workstation 15 Player (I used the free version). When you are logged in, you should see multiple tabs for configuring your newly installed VM:

The button (marked with a red tab) can be used to "'unlock' the admin's session" (we'll get back to that later).

Maybe I'm an old-school pentester... but when I see a 'schedule job here' tab, I go there immediately ;) So:

Quick verification:

Checking whether we can reach out from the target VM:

Looks good so far. Next I decided to look for some one-liners to use (like I did before with a few other VMs):

Great. Next:

:)

Intercepting this request with Burp:


When the scheduled time comes, we should see:

Ok. Done?

Maybe. But I went with "it's not a bug - it's a feature" ;) So I decided to dig a little bit deeper...

I was looking through some response(s) in Burp, and this is what I found:


Checking next file:


Next I was here:


So I decided it would be too easy to 'just log in and put a command in for a reverse shell', and I was wondering whether the Checkpoint VM had any SSH brute-force protection enabled:



Checking:


Looks like we received some response :) Checking:



I was looking for a proper command:



Modifying the PoC:


Checking our (one-shot) PoC:

So far it looks good ;> Let's modify it a little bit ('not a bug - a feature'), so the attack scenario is:

- we're on the same LAN as the target Checkpoint Gaia box

- there is no anti-brute-force protection, so we can guess the password if it's simple enough

- add a new job to receive a root shell;

Checking:


Next:


...and...


*(yep, the source of the 'poc' script published here contains a few bugs so that it will "not run properly" - you should know why ;)*


Special thanks go to my Patreon supporter, Daniel.

You are AWESOME! ;)


See you next time!


Cheers



P.S.

If you see any 'parsing' bugs here, please let me know. Blogspot applied new 'templates', so I'm still learning them ;) Thanks!


Cheers


2 comments:

  1. Hi Cody ;]

    Long time no hear …


    As CP has been my playground for a long time, I need to comment on this ;]

    CP enabled this feature (allow shell commands) in scheduled tasks on purpose. So it's good that you name it as a feature ;] As CP runs a Linux base system, injecting a reverse shell on a non-secured unit is pretty easy. Now, to complicate your testing, please take into account the following things:
    • (job scheduler) It's not a common feature that is used in normal operational work ;]
    • Authentication is done using RADIUS, TACACS, SecurID. Even if you manage to break in with a user account, you will get CP's own CLI (clish). Commands are pre-defined, so it's not easy to do a privilege escalation into expert mode. In the past it was possible through 'show fcd', but a patch has resolved the problem.
    • Access to CP is usually done from the mgmt network, which is isolated from user networks (CP has a great anti-spoofing mechanism as well as protection against SSH brute force, so forget about unlimited attempts ;])

    ... And a few more mechanisms which CP implemented to stay secure.

    To be clear - I do not question your finding. You can inject a reverse shell as you showed, but it's not that easy in a fully configured environment ;]


    Old friend ;]

  2. Thanks for watching. I appreciate it. ;)
