infosecwriteups.com
Submitted URL: https://rsci.app.link/LDhm3bGroxb?_p=c51429c49a1c65f4e3038ff5e1
Effective URL: https://infosecwriteups.com/how-i-hacked-into-a-telecom-network-part-1-getting-the-rce-167c2bb320e6?_branch_match_id=1153805...
Submission: On February 13 via manual from US — Scanned from DE
Published in InfoSec Write-ups
Harpreet Singh
Jul 11, 2020 · 5 min read

HOW I HACKED INTO A TELECOM NETWORK — PART 1 (GETTING THE RCE)

> TLDR; Red Team Engagement for a telecom company. Got a foothold on the company’s Network Monitoring System (NMS). Sorted the reverse shell issue by tunneling SSH over HTTP. Went full-on Ninja when getting SSH over HTTP. Proxied inside the network to run an internal network scan. Got access to CDRs and VLR with SS7 application.

Hi everyone, this is my first post on Medium and I hope you guys enjoy reading it! There is a lot of information that I had to redact because of the sensitive nature of this info. (I’m apologizing in advance 😅 )

For detailed information, you can check out the following links:

Part 2 — Playing with Tunnels: TCP Tunneling
Part 3 — Playing with Tunnels: Stealthy SSH & Dynamic SSH Tunnels
Part 4 — Getting Access to CDRs, SS7 applications & VLRs

INTRODUCTION

So there I was doing a Red Team Engagement for a client a while back. I was asked to get inside the network and reach the Call Data Records (CDRs) for the telecom network. For people who don’t know what a CDR is, here’s a good explanation (shamelessly copied from Wikipedia):

> A call detail record (CDR) is a data record produced by a telephone exchange or other telecommunications equipment that documents the details of a telephone call or other telecommunications transaction (e.g., text message) that passes through that facility or device. The record contains various attributes of the call, such as time, duration, completion status, source number, and destination number.

Among all my other engagements, this one holds a special place. Getting the initial foothold was way too easy (simple network service exploitation to get RCE), but the issue was with getting a stable shell.

In this blog post (not a tutorial), I want to share my experience on how I went from a Remote Code Execution (RCE) to proxified internal network scans in a matter of minutes.

RECONNAISSANCE

Every ethical hacker/penetration tester/bug bounty hunter/red teamer knows the importance of Reconnaissance. The phrase “give me six hours to chop down a tree and I will spend the first four sharpening the axe” fits perfectly here. The more extensively the reconnaissance is done, the better the odds for exploitation are. So for the RTE, the obvious choices for recon were: DNS enumeration, ASN & BGP lookups, some passive recon from multiple search engines, checking out source code repositories such as GitHub, BitBucket, GitLab, etc. for something juicy, and doing some OSINT on employees for spear phishing in case no RCE was found. (Trust me when I say this, fooling an employee into downloading & executing malicious documents is easy to do, but only if you can overcome the obstacles — AVs & Email Spam Filters.)

There are just so many sources from which you can recon a particular organization. In my case, I started off with the DNS enumeration itself:

aiodnsbrute -v -t 7000 --no-verify -w dns-list.uniq.lst ******.com.** | grep -v Timeout | grep -v Misformatted | grep -v exception

> Fun fact: The wordlist I used has 2.77 million unique DNS records.

Most bounty hunters will only look at port 80 or 443 on all the sub-domains found. The thing is, sometimes it’s better to perform a full port scan just to be on the safe side. In my case, I found a sub-domain e[REDACTED]-nms.[REDACTED].com.[REDACTED] and after a full port scan, I got some interesting results. The ports 12000/tcp and 14000/tcp were nothing special, but 14100/tcp, let’s just say this was my lucky day!! J-Fuggin-Boss!!

REMOTE CODE EXECUTION

From here on, everyone who has exploited the infamous JBoss vulnerabilities before knows how things will move forward. For newbies, if you haven’t had experience with JBoss exploitation, you can check out the following links to help you out:

JBoss-Bridging-the-Gap-Between-the-Enterprise-and-You
hacking_and_securing_jboss

For JBoss exploitation, you can use Jexboss. There are many methods and exploitation techniques included in the tool, and it also covers the Application and Servlet deserializations and Struts2. You can exploit JBoss using Metasploit as well, though I prefer Jexboss.

Continuing with the engagement, once I discovered JBoss, I quickly fired up Jexboss for the exploitation. The tool was easy to use:

./jexboss.py -u http://[REDACTED]:14100/

As we can see from the above screenshot, the server was vulnerable. Using the JMXInvokerServlet method, I was then able to get Remote Code Execution on the server. Pretty straightforward exploitation! Right?

> You must be thinking, that was no advanced level shit, so what’s different about this post? Patience guys!

Now that I had the foothold, the actual issue arose. Of course, like always, once I had the RCE I tried getting a reverse shell, and I even got a back connection! However, the shell was not stable and the python process was getting killed after a few seconds. I even tried other reverse shell one-liner payloads, different common ports, even UDP too, but the result was the same. I also tried reverse_tcp/http/https Metasploit payloads in different forms to get meterpreter connections, but the meterpreter shells were disconnected after a few seconds.

I have experienced situations like these before, and I always questioned: what if I’m not able to get a reverse shell, how will I proceed?

Entering Bind shell connection over HTTP tunnel! To be continued in part 2…

PROMOTION TIME!

If you guys want to learn more about the techniques I used and the basic concepts behind them, you can read my books (co-authored with @himanshu_hax):

> Hands-On Red Team Tactics — Amazon, PacktPub
> Hands-On Web Application Penetration Testing with Metasploit — Amazon, PacktPub
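Seen from the defender's side, the JMXInvokerServlet foothold described in the Remote Code Execution section arrives as ordinary HTTP requests to that servlet's path, so it is visible in the JBoss or front-end web server access log. The following Python is an added example, not code from the original post: it parses Combined Log Format lines (constructed sample data, not real traffic) and flags any request to a JBoss invoker servlet, treating a POST there as a serialised-object delivery; the EJBInvokerServlet path is an assumption beyond the post, which names only JMXInvokerServlet.

```python
import re
from dataclasses import dataclass

# Combined Log Format: client ident user [time] "METHOD PATH PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# JBoss invoker servlets that accept serialised Java objects over plain HTTP.
# JMXInvokerServlet is the one named in the post; EJBInvokerServlet is an
# assumption added here (deployed alongside it on classic JBoss AS releases).
INVOKER_SERVLETS = ("/jmxinvokerservlet", "/ejbinvokerservlet")

@dataclass
class Hit:
    client: str
    time: str
    path: str
    status: int
    reason: str

def classify(line):
    """Return a Hit for a request aimed at a JBoss invoker servlet, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop any query string and compare case-insensitively.
    path = m.group("path").split("?", 1)[0].lower()
    if not path.endswith(INVOKER_SERVLETS):
        return None
    if m.group("method") == "POST":
        reason = "POST to invoker servlet: serialised-object delivery, treat as exploitation attempt"
    else:
        reason = "non-POST probe of invoker servlet: likely fingerprinting"
    return Hit(m.group("client"), m.group("time"), path, int(m.group("status")), reason)

def scan(lines):
    """Run classify() over access-log lines and keep only the hits."""
    return [h for h in map(classify, lines) if h is not None]

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jul/2020:10:01:02 +0000] "GET /invoker/JMXInvokerServlet HTTP/1.1" 200 1432 "-" "curl/7.68.0"',
    '203.0.113.7 - - [11/Jul/2020:10:01:05 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 93 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [11/Jul/2020:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Jul/2020:10:03:40 +0000] "POST /invoker/EJBInvokerServlet?x=1 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
]
```

Running `scan(SAMPLE_LOG)` returns three hits, all from the same client: a GET probe followed by two POSTs, which is the sequence worth alerting on even when the server answers 200.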