Insecure VNC Server Leads to Unlocked LastPass Vault and Domain Admin Credentials

When it comes to finding different vulnerabilities or bugs, everyone has that one finding they will talk about years from now, and the first one I want to share today is mine. While working through findings in Nessus, I discovered that several VNC servers did not require authentication. I worked through the list, and most machines were unremarkable except one. Logging into the VNC desktop, I was met with the Windows 10 desktop of a director-level IT employee with many open windows. One of these windows was Chrome, and the first tab opened with an unlocked LastPass vault.

Inside the vault was a treasure trove of information, including the default domain administrator password, which was used in one of the paths of domain compromise in the engagement.

Everyone Group Has GenericAll on Domain Controller

This one is straightforward. We compromised an account through an external phishing engagement, and I used those credentials to run BloodHound-Python on the internal network. After digging through BloodHound for a few seconds and checking the shortest paths to Domain Admin, I was met with the Everyone group and an edge showing GenericAll over the domain.

Using the compromised credentials, we were able to dump the NTDS on the domain with secretsdump, as everyone had permission to do so.

Domain Administrator Accounts Sharing Passwords with Stepdown Accounts

I compromised several endpoints using mitm6 to relay through ntlmrelayx, gaining SOCKS sessions on endpoints where some regular user accounts had excessive privileges. I dumped credentials on some of those endpoints and found a couple that were running Windows Server 2008. Windows Server 2008 matters here because it’s still possible to dump LSASS in Task Manager. Doing so provided some step-down administrative accounts with slightly fewer privileges than domain administrator accounts.

The issue? The step-down accounts I found also shared the same password with their domain administrator-equivalent accounts. While the client was trying to apply least privilege in their account handling, they allowed administrative password reuse, resulting in domain compromise.

Mountable Network File Share Allows Downloading of Virtual Machines

During an internal penetration test, I found a file share that allowed anonymous users to mount it to their local file system. This isn’t unheard of, and usually results in accessing an empty file share that was forgotten about when setting up a new service.

This pentest, however, was different. The endpoint was a vCenter deployment, and the share contained all the endpoint’s virtual machines.

Mounting a network file share to download VMs.

The bigger problem here is that these can also be downloaded to the local file system and loaded into VMware elsewhere. Which is what we did.

Choosing one of the smaller deployments for the sake of time, I pulled one of the virtual machines and loaded it into VMware locally.

Cisco Command Line

More dangerous, however, is that Cisco allows you to change the password in the host terminal using the username ‘Restore-Password.’ Using the default admin name, it was possible to reset the admin password locally, log into the endpoint, and view all the configurations for the controller. The controller ended up being the main controller for an entire geographical region of the organization.

Cisco Terminal Restoring Password

Vulnerable Rack Attack Configurations Allow Bypass of Rate Limiting Protections

This last finding came from hunting CVEs in my downtime. While testing open-source Rails applications using the Rack Attack library, I found that appending any junk characters to the end of protected API endpoints permitted bypass of 429 protections in the application. After digging into the issue for a while, I determined it was because the Rack Attack configuration being used required static API endpoints, and if the endpoint was tampered with in any way, the protections could be bypassed.
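The root cause described above, shown as a weak rule beside a hardened one. This is an added example in plain Ruby that models a throttle rule without the gem; it is not code from Chatwoot, Mastodon or Rack Attack, and the path `/auth/sign_in`, the limit, the client IP and the sample request paths are all constructed assumptions.

```ruby
# Added illustration: a plain-Ruby model of a throttle rule (no gems required).
# PROTECTED, LIMIT and all sample requests below are constructed for this example.
PROTECTED = '/auth/sign_in'
LIMIT = 5 # attempts allowed per client within one period

# Weak rule: a request is counted only when its path equals the static string.
def weak_key(method, path, ip)
  ip if method == 'POST' && path == PROTECTED
end

# Hardened rule: count every POST whose path begins with the protected path,
# so characters appended to the endpoint still land in the same bucket.
# Over-matching is the safe direction for a rate limit.
def hardened_key(method, path, ip)
  ip if method == 'POST' && path.start_with?(PROTECTED)
end

# Replays requests through a rule and returns the status each one would get:
# 429 once a client's counted attempts exceed LIMIT, otherwise 200.
def replay(requests, rule)
  counts = Hash.new(0)
  requests.map do |method, path, ip|
    key = send(rule, method, path, ip)
    next 200 if key.nil? # rule did not match, so the request is never counted
    (counts[key] += 1) > LIMIT ? 429 : 200
  end
end

# Number of requests in the batch that would be answered with 429.
def throttled(requests, rule)
  replay(requests, rule).count(429)
end

# Constructed traffic: eight login attempts from one client, first against the
# exact path, then against the same endpoint with characters appended.
EXACT   = Array.new(8) { ['POST', '/auth/sign_in', '203.0.113.7'] }
VARIANT = Array.new(8) do |i|
  ['POST', i.even? ? '/auth/sign_in.json' : '/auth/sign_in/', '203.0.113.7']
end

if __FILE__ == $PROGRAM_NAME
  puts "weak rule, exact path:       #{throttled(EXACT, :weak_key)} of 8 throttled"
  puts "weak rule, altered path:     #{throttled(VARIANT, :weak_key)} of 8 throttled"
  puts "hardened rule, altered path: #{throttled(VARIANT, :hardened_key)} of 8 throttled"
end
```

When reviewing a real configuration, look for throttle blocks that compare the request path with `==` against a literal and check whether the router accepts other spellings of the same route.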

I started looking for other open-source Rails applications that used Rack Attack, and ended up finding several, with two notable, large-scale applications – Chatwoot and Mastodon. You can read more about those CVEs and the findings entailed here:

Chatwoot’s Misconfigured Rack_Attack.rb Does Not Appropriately Protect Against Brute Force Attacks vulnerability found in chatwoot (huntr.dev)

Mastodon’s Misconfigured Rack_Attack.rb Does Not Appropriately Protect Against Brute Force Attacks vulnerability found in mastodon (huntr.dev)