SQLi to Root Access: Exploiting an ISP infrastructure
05-25, 17:20–18:00 (Europe/Stockholm), Main stage

What if we play with the ISP? In this talk I am going to tell you how, one day, something that started as a simple SQL injection, going through LFI and RCE, ended up in a pwn of an internet provider in my country that affected more than 25 cities, making it possible to intercept user traffic and other stuff.


Description

First I will explain what Shodan is and how I found this server.

Then I will explain how the login bypass with SQL injection was done and how it works at code level. Once logged in, I will explain what can be done in the web application as Administrator: for example, getting user information, modifying the internet services, enabling or disabling contracts, modifying or deleting ISP nodes, etc.
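To show the code-level mechanism behind a login bypass like the one described above, here is an added example (not the application's own code; Python with sqlite3 and a constructed users table are assumptions). The string-built query treats attacker-controlled text as SQL syntax, while the parameterized version binds the same input as plain data, which is the fix a defender should apply.

```python
import sqlite3
import hashlib
import hmac


def make_db():
    """Constructed sample users table for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    # sha256 stands in for a real password hash (bcrypt/argon2) to keep the example short.
    db.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("admin", hashlib.sha256(b"correct horse").hexdigest(), "administrator"),
    )
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """Concatenated query: the username becomes part of the SQL statement,
    so a quote and a '--' comment in it can cut the password check off."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + pw_hash + "'"
    )
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Parameterized query: the username is bound as a value and is never
    parsed as SQL; the password is compared in constant time in code."""
    row = db.execute(
        "SELECT pw_hash, role FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(row[0], pw_hash):
        return None
    return row[1]
```

Feeding a username that closes the quoted literal and comments out the rest of the statement returns the administrator role from `login_vulnerable` without any password, while `login_safe` simply finds no such user.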

After looking at the application level, I'll explain the Local File Inclusion and Remote Command Execution vulnerabilities, and also how to go from LFI to RCE using log files. With RCE, I will explain how to achieve persistence and a reverse shell using open source tools such as Weevely and Netcat.

With the shell we will do a privilege escalation to root. I will also discuss the modem configuration files that I found on the server and the characteristics of the local network where it is located.

The same machine that hosts the web application also works as the DHCP and DNS server for all the modems, which makes it possible to sniff the modems' traffic, change routing tables, etc. It also has access to the CMTS, where CA certificates can be added for different attacks.

The idea of the talk is to demonstrate that even in 2023 there are still important systems with many users and with "basic" vulnerabilities that have been known for years. We must take the security of our systems seriously and ensure that all vulnerabilities are fixed in a timely manner. Computer security education and training are crucial to prevent attacks and protect our digital assets.

Outline

  • Introduction
      • Explanation of Shodan
      • How the server was found
  • Login Bypass with SQL Injection
      • Explanation of SQL Injection
      • Code level explanation of the bypass
  • Administrator Privileges
      • Explanation of what can be done as Administrator
      • Examples of tasks that can be performed
  • Local File Inclusion and Remote Command Execution Vulnerabilities
      • Explanation of LFI and RCE
      • How to go from LFI to RCE using log files
  • Achieving Persistence and Reverse Shell
      • Open source tools such as Weevely and Netcat
      • Explanation of privilege escalation to root
  • Configuration Files and Local Network Characteristics
      • Discussion of modem configuration files found on the server
      • Characteristics of the local network
  • DHCP and DNS Server and Traffic Sniffing
      • Explanation of the server's role as DHCP and DNS server
      • Possibility of sniffing traffic and changing routing tables
  • Access to CMTS and CA Certificates
      • Explanation of access to CMTS
      • Ability to add CA certificates for different attacks
  • Conclusion
  • Q&A

My name is Ignacio, I am 25 years old and I am from Río Cuarto, Argentina.
I am currently working as a Sr. Software Engineer.
I started to enter the world of infosec about 6 years ago.
My interests include code analysis, webapp security and cloud security.
Speaker at Diana Initiative, Hacktivity Budapest, 8.8, Ekoparty
@Ignavarro1