DMZ Vulnerabilities
This is a simulated "peaking power plant" that supplies power to the city only during peak demand hours. Before the demand exceeds the supply, the generators must successfully complete their startup sequence and be up and running or there might be a power outage. Power outages are temporary, but permanent damage can also be done to the turbines if something goes wrong with the startup sequence.

First, find the IP of the attacker machine and discover live hosts with an ARP scan.

To find which ports are open on the hosts, use a 'gentle' nmap scan by limiting the max-parallelism flag. This increases the scan time.
nmap --max-parallelism 3 -v 192.168.90.6/24
For this lab, the main interest is in the .107 host.

Visiting the webserver reveals that it is a historian. Historians are ICS assets typically located in the DMZ continuously collecting data about the physical process, archiving it in a database, and providing reporting functions to users in the business network.

Some OSINT reveals a potential username for the historian.

The login can be bypassed via SQL injection by using ' OR 'a'='a as the password.
We now have access to the historian.

The historian reveals a potential admin user (ashley), so try the same SQL injection as the ashley user.
Unfortunately admins require MFA.

The app is also vulnerable to XSS in the note parameter.

The admin function “clear data” has the id of cleardata. So the payload looks like this:
<script>
window.addEventListener("load", function () {
  document.getElementById("cleardata").click();
});
</script>
Once the admin logs in, they will inadvertently clear the historian data.
Viewing the session_id cookie and decoding it reveals that it is just the username, base64 encoded. Setting it to the encoded ashley username allows us to view the admin console.

Here it is possible to add another user that can be used for persistence.
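The session cookie above is forgeable because it carries nothing but the base64 username. As an added example (not code from the lab or its historian application), the following shows a minimal hardened replacement: the cookie binds the username to a random value and an HMAC tag under a server-side key, so a cookie built from a username alone, or issued under a different key, is rejected. The secret key and usernames are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example only; a real deployment
# loads it from configuration, never from source code.
SECRET_KEY = b"example-only-server-secret"


def weak_cookie(username: str) -> str:
    """The scheme observed in the lab: the cookie is only base64(username),
    so anyone who knows a username can produce an accepted cookie."""
    return base64.b64encode(username.encode()).decode()


def issue_session(username: str, key: bytes = SECRET_KEY) -> str:
    """Hardened form: username + random nonce, tagged with HMAC-SHA256.
    The username stays readable, but the tag cannot be made without the key."""
    nonce = secrets.token_hex(16)
    payload = f"{username}:{nonce}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_session(cookie: str, key: bytes = SECRET_KEY):
    """Return the username if the cookie's tag is valid, otherwise None."""
    try:
        body, tag = cookie.split(".", 1)        # no tag at all -> ValueError
        payload = base64.urlsafe_b64decode(body)  # bad padding -> binascii.Error (a ValueError)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # constant-time comparison; also False when lengths differ
    if not hmac.compare_digest(expected, tag):
        return None
    return payload.decode(errors="replace").split(":", 1)[0]


if __name__ == "__main__":
    good = issue_session("operator")
    print("valid cookie ->", verify_session(good))          # operator
    print("lab-style cookie ->", verify_session(weak_cookie("ashley")))  # None
```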
SSH Password Cracking

After logging into the historian as root, there are some user accounts whose password hashes can be cracked.

unshadow and John the Ripper (jtr) were used to crack the hashes.

ARP Spoofing
To learn more about the network, conduct an ARP spoofing attack against the device that is sending information to the historian.
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof 192.168.90.107

OPC UA Exploration
While OPC UA does offer security options, this traffic was neither encrypted nor authenticated, so we were able to read the data inside it and could send our own requests if we wanted.

Extracting Credentials From Remote Device
Viewing the camera settings requires a password. In this scenario, another camera from the plant has been obtained and its memory dumped.
Extract strings of 16 characters or longer from the memory dump.

Look for a hexadecimal value (the password hash) and save it to a file to crack with john.

It is now possible to log in to the camera and adjust the settings so the view is unusable.
