Northwave has identified several vulnerabilities in Ivanti Secure Access VPN, previously known as Pulse Secure VPN :
About 4 min
It has been 4 years since I did some research about DLL Hijacking.
I used procmon.exe to identifiy missing DLLs on windows system.
I quickly found few of them, including in Teams.exe. Recently, I looked again into it and found that some of them are still present.
The ColorAdapterClient.dll is one of these sweet spots.
If Teams.exe is configured to run at startup, the code is running once the machine is up, there is no need for the user to unlock is session.
About 3 min
Scan
As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
TCP scan
> nmap -p- -Pn --open -iL input_ip.txt -oA nmap_open_tcp_portsAbout 40 min
Scan
As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
TCP scan
PORT STATE SERVICE VERSION
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsAbout 21 min
Scan
As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
TCP scan
> nmap -p- -Pn --open -iL ../input_ip.txt -oA nmap_open_tcp_ports
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-09 15:42 UTC
Nmap scan report for search.htb (10.10.11.129)
Host is up (0.097s latency).
Not shown: 65514 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-02-09 16:03:57Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft IIS httpd 10.0
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
8172/tcp open ssl/http Microsoft IIS httpd 10.0
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49702/tcp open msrpc Microsoft Windows RPC
49716/tcp open msrpc Microsoft Windows RPC
49735/tcp open msrpc Microsoft Windows RPC
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 270.11 secondsAbout 26 min
Scan
As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
TCP scan
> nmap -p- -Pn --open -iL ../input_ip.txt -oA nmap_open_tcp_ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
5000/tcp open upnp
5040/tcp open unknown
5985/tcp open wsman
5986/tcp open wsmans
7680/tcp open pando-pub
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 110.16 secondsAbout 6 min
Scan
As usual, both a TCP and UDP port scan were done on the box. The TCP scan revealed that the following ports were open:
# Nmap 7.80 scan initiated Mon Aug 17 08:31:48 2020 as: nmap -p- -sV -A --open -Pn -oA nmap_all_tcp.txt 10.10.10.192
Nmap scan report for 10.10.10.192
Host is up (0.026s latency).
Not shown: 65527 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-08-17 19:44:27Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windowsAbout 5 min
Scan
A Masscan highlights the open TCP ports found on the box.
Then a nmap scan was conducted in order to try to identify the version of the services found opened.
User
RPC
RPC port is open, it might be possible to dump some information. It gives us the port and services that are listening.
About 7 min
Scan
As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
The port TCP/88 is related to the Kerberos service. Founding it listening in addition to the TCP/53 port and other ports might let think that the machine is a Domain Controller. The result of the scan reveals that the Windows host belongs to the domain enum4linux -w cascade. local -a 10.10.10.182.
About 10 min
Recon
As usual, we start with a port scan on the machine. The TCP port scan revealed that the following ports are open:
User flag
Enumeration
Enum4linux was run in order to get some information about the machine with a null session.
About 3 min