Tag Archives: Exploitation

Red Team Revelations: Exposing and Addressing Vulnerabilities in Ivanti Workspace Control

In this blogpost I explain how me and my colleagues found two vulnerabilities during one of our Red Team engagements which allowed us to elevate our privileges and lateral move in the client’s network. It explains the vulnerabilities, and defensive and mitigating advice. 

It was a Red Team with an assumed compromise scenario where we entered the network through a VPN and had RDP access to one machine. From here we were very limited in the network. It was a small network with no significant misconfigurations in Active Directory, with no possibility to escalate our privileges. The customer did strict network segmentation which limited us from reaching other hosts in the network but a few. We started enumerating the few network shares that we did have access to and this is were it gets interesting. We found the installer for Ivanti Workspace Control 10.5.50.0 and a file called ‘WMDBConn.txt’.

Ivanti Workspace Control is a software solution that centralises the management of user workspaces across various platforms and devices. It allows IT administrators to control applications, user settings, and security policies to ensure consistent user experiences and optimise resource use. Continue reading

Pandora’s Box – Level 4

Level4, time for some crypto and reverse engineering.. Level 4 is a binary which decrypts encrypted files with a password, and of course an example binary and password are given. Putting some random data in a file and trying to decrypt that results in a message that the file is invalid or corrupt. This suggests that the binary has some kind of checksum algorithm to detect if the file is valid. Let’s take a closer look at the binary..  Continue reading

Pandora’s Box – Level 2

So! We got passed level1 and now have a basic shell. Whats next?! In the home directory of level1 we find two files: level2 and level2_readme.txt. The readme files tells us to run level2 with the command “socat TCP4-listen:53121,reuseaddr,fork EXEC:./level2” and connect to it using something like netcat. When connecting to it, we discover it’s some kind of note manager. We can store up to 10 notes and have some commands available to create/ write/ read and delete a note. Continue reading

Pandora’s Box

After c0ne build the vulnerable binary for the knock-knock challenge, he now made a complete boot2root VM with 5 levels: Pandora’s Box! I had the pleasure of being one of the testers for the vulnurable binaries, so I got a sneak peek for level 2 and 3 (after which level 2 changed quite a bit). I’l be splitting up the writeup per level and I’l only describe the final levels that ended up in the VM. Continue reading

Knock knock who’s there…

04d5615efd3f3b19aa2b9f7b6d5df849b75e02da7511ccd9f97e688f76514f2cKnock knock.. who’s there? Time for a new exploit challenge! This time the challenge is a VM created by zer0w1re on VulnHub. I got a tip from a friend who actually build the vulnerable binary in the VM so I gave it a go 😀 .

 

Beginning

After mounting the VM and doing an initial nmap scan to locate the VM I fired up a second nmap scan to get an indication what is running on the box. Nmap returned one port: 1337!

knock kock portscan

After connecting to the service on port 1337 we get three seemingly random numbers. Let’s start knocking! Continue reading

Pwnium CTF – Kernel land write-up

So.. My first CTF writeup! I participated with a few others in the Pwnium capture-the-flag. One of the challenges I looked at was the Reverse Engineering challenge “Kernel Land”. The challenge gave a link to a binary with the tip: “The third Tick gives you the answer ;)”. After a first peek it appeared to be a linux binary:

root@kalipwn:~/Downloads# file kernel
kernel: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped Continue reading