BSIdesYXE 2024 - Michelle Eggers - Hunting for Crits on Adventure Mode

thank you hi everyone I'm Michelle thank you for bearing with me as I swap to actual presenter mode today we're going to discuss hunting for crits on Adventure Mode um please join me as we explore several different real world vulnerabilities that I discovered as a pentester that were uh uncovered with pretty simple techniques and resulted in one high and two different criticals all right so as a disclaimer I in fact have never played Minecraft though you will see some fun gifts and images to help support the story we're telling today yes all right so first of all what is Adventure mode for those of us including me who have not actually played Minecraft adventure mode is a

game mode specialized it gives the players a specific objective to follow okay and it has you know parameters in place like you can't put blocks anywhere you want uh you can't break the blocks things like this so it maintains the specific Integrity of experience uh in adventure mode now how does this relate to pen testing I promise it ties in so in the pent test that I conduct we have rules of engagement we have scoping we have uh different parameters we have boundaries for when we're testing there are certain actions we don't uh conduct because we're trying to be safe within the environment that the client is providing us with um so we have rules

that we follow in an ethical hacking space right so that's how it sort of ties to Adventure mode in the sense that yes we have a bit of free reign to sort of look for things to break or circumnavigate how to maybe get around some things but it's all within a well-defined scope we follow the rules all right so today we're going to go through a little intro really quick uh we're going to look at the S3 Bucket List as a finding that I uh uncovered that related to of course an Amazon web services environment and then the return of alpar this is Mainframe I do a lot of Mainframe testing um that's kind of my

bread and butter of what I do so I had to get a nice demo in there of a pretty sweet Mainframe finding that I got and then we have a a nice classic idor and to wrap it all up for us so who am I I'm Michelle Edgars uh with the tallest man in the world here I'm a security consultant with netspy uh I did a hard pivot from a background in accounting and finance that's my undergrad was accounting um sort of like Keith from the Cyber Mentor same type of thing I did work for a couple of tech firms before getting into the actual technical side for myself which I have loved I have a few less

meetings in a given week which I appreciate um I'm also a woman of color in a work in a space that you know there's low representation for folks like me um I've loved being in Saskatoon your diversity is fantastic so far um Oregon you know little hit and miss but uh here we are and I'm happy to be here so thank you for having me okay so before we get too far into it what even is a crit I'm sure a lot of you maybe have familiarity with what a critical finding is but as a bit of a background vulnerabilities are assigned to CVSs score based on a list of metrics such as exploitability how exploitable

is this vulnerability that we found what is the actual impact to your ca Triad your confidentiality your integrity your availability uh do you have to have local access do you need to be on site or already authenticated to the system or could this happen remotely uh are there available fixes already existing are there patches are there updates that can take care of the vulnerability that was found is it a zero day or not um and then exposure how widespread uh could this could this be how many systems environments you know vendors will it affect and then these are the actual little scoring metrics that you see down here critical and it's hard to see at

the back so it's at the very bottom with the way the screens are set up but criticals are vulnerabilities that can cause severe damage are easy to exploit typically and require immediate action all right so keep that in mind as we go through these findings so the first finding is this S3 bucket list finding it was an access control vulnerability a as a head start before we get into it some things you might want to do to get ahead of this type of finding apply the principle of lease privilege this is something we should be aware of something that we should always be doing if your user is required to get into payroll fine good but they don't need to

be everywhere else vice versa if this other user does not need access to the payroll they don't need it don't give them to them don't give them that access okay you can use prone URLs to provide temporary or limited access to environments and there are some cool tools shout out to net spy where you can check to see if unauthorized users have access to different S3 buckets okay just a few things to have uh in your toolkit okay also this is used in the finding so of course you probably know but HTT methods HTTP methods client talks to a server they use methods okay the methods are as follows get head put post and so on the most Commons one

you'll common ones you'll see are get requests you just retrieving data from the server next most common I would say would be a post request you're you're sending data to the server to make an update or change something and then a put you're actually just putting new data onto the server from the client okay so these are the methods that are used in your tcpip data Transmissions okay so now we're on to the finding all right so you authenticate to the non-production environment keep in mind the scoping of the engagement what is a non-product QA QA All the Way businesses usual so far you right click okay so you upload an image that's this down here

that's the old net spy logo please don't tell on me um you open the image in a new tab all you have to do is right click right nothing nothing complicated right no Advanced chain of attack here but when I opened it it gave me the URL for their production S3 bucket okay just by opening the image in in a new tab okay so well maybe we don't want that is it super dangerous uh I don't know was there more that happened yes yes there was so uh you access the proxy history using an intercepting tool you can use a network Tab and use something like burp suite and then right there you see it's

the get request method right and then take note of the response body here in the next little drop down it's got an e tag header typically those are used when it's like a stamp and time right for a file or a resource and it will change or update when a change has been made to that resource okay now at the bottom there's some different characters and things that show you it is indeed an image right not necessarily human readable but there's a few characters in there that tell you it is in fact an image you got jpeg down there okay all right so what did we do what did I do um let me click it here yep we changed it

to a put request added a Content length header at the bottom and a little bit of data real simple nothing crazy it's not a webshell it's not an executable it's just very basic data I sent it through here's the response the eag header updated okay well I didn't get the I didn't get the message back why well because it was a put request we didn't get it yet um but the tag header updated so that's an indication that perhaps I have made to change to their production S3 file um okay did it actually change let's find out H yes if you go back to the original unmodified get request and you compare it with the new get request you send

that original one again right you see the Eek header is changed and you see here's the message down there so the moral of the story on this finding is of course please keep your stuff uh properly segmented okay so I overwrote it with simply by changing the request method that was it adding a little bit of stuff to the bottom of the request not overly complicated this was a high score okay in the cbss metrics rating as was a basic access permission issue began with that leaked bucket location for the image within a non-production environment major cart was improper segmentation of prod versus non-prod environments end result you could overwrite whatever you wanted you know I

could have a numerated to other directories and changed other files I could have deleted entire stacks of data just with this very very simple technique um but restraint during the testing process following the rules of engagement being a responsible human right as a salaried pentester uh it stopped me from doing something that was more damaging than it needed to be I just had to provide our client you know with a valid proof of concept so that they could get in there and fix what needed fixing without me trying to prove a point right no need to belabor it just show them what's wrong okay so that's that one next up this is the main frame

I mentioned earlier that I love to discuss um this is a great little uh image here from TSO this is another Access Control vulnerability okay to get ahead of this type of vulnerability as we walk through it want to just really really harp on this one this is serious for me um Mainframe does not exist in a vacuum I'm sure everyone here has a credit card or a debit card in your wallet if you didn't use it yet today you used it yesterday you've been to a doctor at some point that data has all touched a Mainframe especially your credit card data the NASDAQ New York Stock Exchange they're running on Mainframe they have to for a lot of

reasons which that's another presentation I don't get to share today but I'd love to talk to you more about it later um so to get ahead of it pay attention to your network topology as a whole do not assume Mainframe is safe there's all kinds of Integrations with apis with cloud with web applications okay validate all your access queries Implement your MFA for Authentication as an additional layer protection this is just very common sense stuff and I know we can do it so all right quick quick quick history on Mainframe overview they are very fast specialized computers they have their own operating systems like zos or Linux on Z they're typically used by Industries as I

mentioned Finance government healthare Aviation okay they're relied upon for exceptionally fast transaction processing speed massive storage capabilities their input out output is unmatched right they literally do billions billions of transactions a day um they're not going to be incredibly complex transactions like you would see with Quantum Computing they're more simplistic transactions but they have to be very very fast occurring you know in in parallel to one another with no mistakes so and they have new capabilities all the time like the telum chip they're they're having a new one IBM's rolling out a new one I think next year and a new IBM box they're up to Z16 there's going to be a new one coming out

next that has real-time AI fraud detection capabilities so when you run your card it's not 5 minutes or 10 minutes later that you get a call from your bank hey did you just spend $800 in Legoland no no that wasn't me okay now we got to cancel your card and there's new possibilities where as your card is being processed in that initial transaction they can you know find markers for fraud okay and then logical partitions elars just so we have a little understanding they're just virtualized environments so you just think about you know you have a couple of different virtual machines on a main frame it's called an alpar logical partition um yep just distinct

environments within a single main frame so you know if you can authenticate to one you shouldn't be able to jump into another one you have to make sure that authentication is individualized for each of those Lars okay so this demo is pretty fun um it's sort of like live action recorded So you get to see me do these few things authenticate to the elar assume that the endpoints that I navigate to have already been previously enumerated um the access is restricted so the user I am authenticating with is not an admin level User it's just a regular level user okay uh is there another way to access some of the restricted data okay so when I click this it's going to jump

forward so I have to jump back just as a heads up all right so this is the net spy alar here we go it's going to jump forward I jump back and it'll do it okay so this is the user logging in get my password in there I love main frame so much ispf now I'm going to navigate into the command line utility which is basically Unix like environment within the main frame so if you use Linux a lot uh even po shell to a certain degree you'll see some commands that are pretty familiar as I navigate with an omvs which is their command line utility okay so you see me I'm in my home in the username file I'm going to

opt secrets navigating to that I'm going to list out the contents in there okay we've got a readme.txt and an SSH key okay well let's cat out the readme.txt see what see what that says SSH private key you need to log on as an admin uh well what if we just cat the other the other file maybe we can just C it and see what it is oh permission denied game over right wrong so the IP that the lar is on you can navigate to that same IP over 880 which is the web browser I love this okay so you get in there you go to uh another endpoint that like I said was previously enumerated

right you're going to pop open your Dev tools you're going to inspect you're going to go to the network tab so you can look at the requests that are being made so this specific you know style of request uh it sends a post request to the main frame you get some data back right so let's look at that post request to the Mind view endpoint we're going to edit this and resend it see scroll down to the bottom there oh okay so it's it's it's just retrieving some files Okay Okay cool so what if we uh retrieve that file that was secret before that can I access just so you know I'm completely unauthenticated here this is the browser

no authentication has taken place whatsoever go to 200 okay that's promising okay so here's the end point again and uh let's see what the responses did we get yes we got the SSH key yeah very scary and so this is all a mockup environment that we made internally because I absolutely cannot show you the real client and the real data that we retrieved um but this is basically exactly what happened no authentication whatsoever very private data retrieved over the web because of that integration with the Mainframe the Mainframe was Secure the integration was not so scary scary scary stuff all right this was indeed a critical this was very much critical um exfiltration of private

Mainframe data was another access issue but again via an integrated app properly configured in the Mainframe app was not properly configured it was possible to retrieve very private data without authentication and all I had to do is modify the endpoint in the post request that's really all I had to do so remember when we talked earlier about how criticals can be very easy you don't necessarily need a very complex attack chain it can be something as simple as changing your request method or changing the endpoint right okay and then this is a note if you ever work with people who work with Mainframe um they're very conservative they're incredibly conservative they do not like people touching their

environments they do not like being tested um and one of the reasons for that is because they are so relied on for business critical uh functions so um but as we Illustrated here we have to test we have to keep looking even if people don't like it and it stresses them out uh it's incredibly important we find things like this we need to fix it all right so this next one is an idor we know about what idors are but we're going to kind of just refresh we're going to review right so I love this hacker with the hoodie always with the hoodie okay uh you got a URL you're accessing resource it has an identifier

on the end this example it's 1 2 3 4 they just modify it to 1 2 35 boom they retrieved information that wasn't theirs intentionally or unintentionally um another Access Control vulnerability to get ahead of this a few quick things maybe you implement some uu IDs universally unique identifiers for IDs when applicable they're less easy to uh enumerate right they're a little bit more complex it's not a fail safe right but if we want to implement things as as we can even if it's something simple like U ID instead of like a four digigit um you know ID it's it's better than it's better than nothing uh restrict your queries to Resource owners and perform your off checks server side not

client side typically client side things are a little easier to circumnavigate than the server side controls okay so here we go we're going to walk through it authenticate to the main business banking site as a valid user this is expected right I've just authenticated nothing weird yet here you select an account to view more details normal nothing scary yet right look at the balance in this account 0 so this is a test account cool right we're not scared yet in proxy history locate this post request it doesn't have to be burp site it can be even just a network tab I just have it saying burp site um anyway so in this request you've got an account

ID list at the bottom that's your parameter the associated value 9444 that was the right that's the identifier use for the specific account as the authenticated user that's one I'm supposed to be accessing correct yes it's only four digits that looks interesting not inherently unsafe but a little concerning so I'm going to look at that some more here's the response of course we expect we're going to get back all of the sensitive data it's a lot this is even truncated it was very long there's a lot of data that came back um you kind of look in there we see a bunch of zeros test account makes sense right we're good okay but uh what happens when we modify that request

to another number as expected this is an idore did it work what did we see okay we changed it to 9443 now we see at the bottom of the balance is just a hair over $80,000 that wasn't the test account whose account is this I didn't authenticate to another account so what what's going on uh I've absolutely in fact accessed another account and you could do this with the browser okay so all same it's the same right all I had to do is change the url and now I'm in this other business banking account uh you could also download all the transaction history okay you could also get all their check images their signatures all kinds of all kinds of

data yes this absolutely happened um this is heavily redacted but this definitely happened um this was 100% a critical it was a textbook idore it was the same exact thing that we saw in the image that I pulled off Google right it's just not overly complicated sometimes business banking accounts were assigned simplistics sequential identifiers easy to enumerate off access to the accounts was not properly managed within the application on the server side uh straightforward compromise easy to steal data easy to transfer money right this is all performed in a production environment by the way so when they gave me this engagement I said I looked at it and I was like is this uh is this production or or non-production

like oh no no this is non-prod this is Q QA three different discussions we had are you sure this is nonpr yeah yeah yeah yeah yeah yeah this is nonpr this is nonpr it was 100% production data I super glad not just production data production environment it yes but I had I had a feeling I was like I don't believe you guys I didn't say that but I was like I I don't know so I didn't do any like I could have transferred an entire City's bank balance into a test account just to see if I could but I didn't need to do that and so I didn't do that right because remember we're hunting for crits

on Adventure Mode we're operating within a nice healthy realm of exploration within limits okay and not only that you probably already read this bottom line but it wasn't just the One Bank it was related to the API vendor remember we're talking about third parties it affected multiple Banks so I'm in in the readout I'm in the meeting afterwards and uh yeah don't get too stress but and there was there was a lot of arguing um between the other people I didn't have to say a whole lot um luckily a little bit scary very much heartburn but uh very real so I just want to say I know that we can do better right with the S3 file overwrite that we

saw manager allowed HTTP methods it's really simple to disallow put and post if it's only supposed to be a resource that you retrieve just only allow get is pretty straightforward never assume something is safe they could have been you know I'm I'm sure they were like oh oh it's just an image upload in our nonpr environment the pentesters well then I got their production S3 bucket URL their location and it just kind of blossomed from there so don't assume something is fine and you don't need to look at it you should always look at it use pre-sign URLs of course to help limit permissions um when someone does need access to something but on a you

know maybe a less extensive basis elar access investigate every corner of your topology right if it's Mainframe look at the API Integrations look at the cloud connectivity or their you know web applications that are talking to the Mainframe don't forget anything try not to please um ensure all your resources are inaccessible without proper authentication then the idor one where I have a little that's not on my screen so we'll just have to deal thank you um perform your a che server side right and Implement U IDs uh when applicable as an added layer of protection and then of course just in general be safe out there I'm I'm of course I'm I'm coming from the attack side so I I I'm not going to

be able to give you very very comprehensive defense techniques but based on what I see and some of these attacks that are pretty simplistic I know you can I know you can Implement some of these protections that are pretty straightforward and it will take you quite a long way in some regards um and conduct internal and thirdparty Pen testing on all resources do your audits audit your identity and access management tools if it's Mainframe it's going to be something like uh uh you're going to use rack F or you're going to use uh TSS right maybe using active directory whatever you're using for your IM am keep auditing that stuff and conduct yeah so for pentesting okay so I

love I love internal pentest teams you guys are so much closer to uh your Tech maybe you're rolling out a new tool you have to investigate it before you you're going live with it just do it on a recurring basis but I'm going to be biased as a third party pentester getting that fresh set of eyes is incredibly important so I work for consult SC that's all we do we just show up and try to gently break your stuff and help you with a report afterward with some like light advice on how to fix it um it's so helpful it's so helpful to have someone else just take a look that's not you and say did you

think about this did you miss this endpoint did you even know that endpoint existed yeah so final thoughts for today as an ethical hacker right you operate within defined Rules of Engagement scope scoping distinct parameters for your testing activities okay many compromises are disallowed we're not going to do denial of service in your environment why it's it's not going to be helpful we're not going to intentionally try to knock something down definitely don't want to overwrite your production data or or change it or delete things even in a non-prod environment for a nonpr test sometimes the client is going to reuse that same nonpr environment or in a week there'll be you know a a network test

and a web app test Maybe apis if they have a mobile so they're kind of using the same general environment just be be gentle right be be brave but also cautious at the same time be smart we're going to be smart out here as we're pentesting uh and then regardless of the restrictions in place there are always issues found I find some I find multiple things on virtually every single test I ever do ranging from low to I don't find criticals all the time but I do find criticals and we find highs frequently there's always of finding every single time so you don't have to be insane with how you do your testing to get these

good findings you can operate within your normal parameters and still get some pretty sick stuff so thank you again right I'm Michelle Edgars I'm a security consultant I do pent testing with netspy uh if you have any questions on some pent testing techniques or whatever I don't know how much time I have left but uh I'm done all right