Errant Security

Get this.

I'm working on a compliance assessment and I find myself on a RHEL server that I have compromised a local administrator password to. Nothing fancy, guessed a password based on the name of the organization. Shocker. Replacing letters with symbols and making the default password “company+password” isn't rocket science to guess. Even though this was pretty easy I still found myself in a weird predicament. I'm stuck on an isolated portion of the network and I'm trying to exfil the files.

I have view access to the ASA so I can see that almost all routes via the network are shut. I don't have physical access to the server either. So I sit there racking my brain. I have two options: try to compromise the firewall or get creative.

The smarter option would have been to compromise the firewall. But to be honest I was a little intimidated by the thought of that, and I've always loved MacGyvering a solution. I'm about to drag out a whiteboard and look at all of the allows on the firewall to see if I can pivot through a printer VLAN or locate a host that can talk between zones, when I see something I can't say I've ever thought of looking for when working in the SOC. With my compromised credentials I decided to give it a shot.

I pop open a terminal and SSH into the switch. I've always been curious about switches and networking gear. My boss even asked me to get my CCNA once and I stalled until he forgot about it. I felt like a fish out of water, but eventually I had a shell on the IOS-enabled Cisco switch. So here came the tricky part: I had a pseudo-Linux terminal and I just couldn't get it to play nice. I immediately tried the basics: nano, vi, vim, touch, and all my trustworthy tools were missing.

A quick Google search later and I stumbled upon something called Tclsh. The Tool Command Language Shell became my best friend for that moment. In true script kiddie fashion I blindly copied some text off of Cisco's website and suddenly I had a prompt waiting for text to be entered.

Copy Files to a Router through Telnet

If your router supports Tool Command Language (Tcl), you can create a file in the Tcl Shell (Tclsh) interpreter, paste the text through a telnet session into a Tcl string, and write the text string to the file.

In order to do this, complete these steps:

    1. Start the Tclsh interpreter.
    2. Type puts [open "flash:filename" w+] { at the Tcl prompt.
       Note: Do not press the ENTER key at the end of the line.
    3. Copy and paste the file contents into the field. Ensure that each curly bracket is paired correctly (no open-ended brackets).
    4. After the file contents are pasted, enter } into the field and press ENTER.
    5. In order to end the Tclsh session, enter the tclquit command.

Your text file should be on the router flash within the filename specified.

I base64'd my files and pasted them into the editor and then hit save. The files were saved to the flash of the switch. Not enough for exfiltrating terabytes of data, but plenty for the current job.

I logged onto the switch from a less restrictive zone and then scooped up the files. Was it truly a breathtaking pivot? No. But for the moment I felt proud of my little workaround and satisfied that no one would really think twice if they saw a server talking to the switch, rather than two servers talking between zones and a firewall log littered with unsuccessful password attempts and briefly having new (or no) rules.
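The point about what the logs would and would not show is worth making concrete from the SOC side. Command accounting on the switch records the tclsh and tclquit commands, but not the text pasted into the Tcl prompt, so the file write in the Cisco procedure above leaves no command-level trace. What a detection can correlate is the Tcl shell start followed by flash: access by the same account, and whether that later access comes from a different source address, as it did when the files were collected from another zone. The following is an added example and is not code from the original post or from Cisco. The log lines are constructed to approximate a TACACS+-style command-accounting export; the field order and the cmd= attribute are assumptions to adapt to whatever your AAA server actually writes.

```python
"""Flag interactive Tcl shell use on Cisco IOS devices in command-accounting logs.

Added example, not code from the original post. The record layout below is an
assumed approximation of a TACACS+ command-accounting export; adjust LOG_RE to
match the exact format your collector emits.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input (not captured output). Sequence: a benign command,
# then 'admin' opens tclsh, closes it, lists flash:, and later copies a file off
# flash: from a different tty and source address.
SAMPLE_LOGS = """\
Jan 12 09:14:02 core-sw1 svc_backup tty1 10.10.5.20 stop service=shell priv-lvl=15 cmd=show running-config <cr>
Jan 12 09:31:10 core-sw1 admin tty2 10.20.30.40 stop service=shell priv-lvl=15 cmd=tclsh <cr>
Jan 12 09:33:44 core-sw1 admin tty2 10.20.30.40 stop service=shell priv-lvl=15 cmd=tclquit <cr>
Jan 12 09:34:01 core-sw1 admin tty2 10.20.30.40 stop service=shell priv-lvl=15 cmd=dir flash: <cr>
Jan 12 11:02:13 core-sw1 admin tty3 10.90.1.7 stop service=shell priv-lvl=15 cmd=copy flash:report.b64 scp: <cr>
Jan 12 11:05:30 core-sw1 netops tty4 10.10.5.33 stop service=shell priv-lvl=15 cmd=show ip interface brief <cr>
"""

# Assumed record layout: timestamp device user tty source start|stop attrs cmd=<command> <cr>
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) (?P<user>\S+) "
    r"(?P<tty>\S+) (?P<src>\S+) (?P<status>start|stop) (?P<attrs>.*?)cmd=(?P<cmd>.*?)(?: <cr>)?$"
)

# Exec-mode verbs that read, move or remove files on device storage.
FLASH_VERBS = {"copy", "dir", "more", "delete", "rename"}
# How long after a tclsh start flash: access by the same account is still suspicious.
WINDOW = timedelta(hours=2)


def parse_line(line):
    """Return a dict of fields for one accounting record, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # year defaults to 1900
    rec["cmd"] = rec["cmd"].strip()
    return rec


def detect_tclsh_activity(text):
    """Scan accounting records in order and return a list of findings.

    - 'high'  : a tclsh invocation. Anything typed into the Tcl prompt afterwards,
                including a file write, is NOT recorded as a command.
    - 'medium': a flash: file operation by the same (device, user) within WINDOW
                of that tclsh start; 'from_new_source' marks a different login origin.
    """
    findings = []
    last_tclsh = {}  # (device, user) -> (timestamp, source address) of latest tclsh
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["cmd"]:
            continue
        key = (rec["device"], rec["user"])
        verb = rec["cmd"].split()[0].lower()
        if verb == "tclsh":
            last_tclsh[key] = (rec["ts"], rec["src"])
            findings.append({
                "severity": "high", "device": rec["device"], "user": rec["user"],
                "src": rec["src"], "ts": rec["ts"], "cmd": rec["cmd"],
                "reason": "interactive Tcl shell started; input to the Tcl prompt is not command-logged",
            })
        elif verb in FLASH_VERBS and "flash:" in rec["cmd"].lower():
            started = last_tclsh.get(key)
            if started is not None and rec["ts"] - started[0] <= WINDOW:
                findings.append({
                    "severity": "medium", "device": rec["device"], "user": rec["user"],
                    "src": rec["src"], "ts": rec["ts"], "cmd": rec["cmd"],
                    "from_new_source": rec["src"] != started[1],
                    "reason": "flash: file operation shortly after tclsh by the same account",
                })
    return findings


if __name__ == "__main__":
    for f in detect_tclsh_activity(SAMPLE_LOGS):
        print(f["severity"].upper(), f["ts"].strftime("%H:%M:%S"), f["user"], f["src"], f["cmd"], "-", f["reason"])
```

The rule is deliberately narrow: tclsh is a legitimate administrative tool, so the high-severity hit is there to be reviewed against change tickets, while the follow-on flash: access from a new source address is the pattern that turns a one-off into a staging-and-collection sequence. On devices without command accounting there is nothing for this to read, which is itself the finding.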

For the moment I could smile and take a sip of my coffee.