SAP Post-Exploitation - One script to 0wn 'em All

The topic here is this: post-exploitation for SAP systems, not at the application level but at the OS level.

Imagine a red-teamer gained access to a <sid>adm user ID, with SSH or RDP access. What's next?
Well, there's a lot he/she can do. <sid>adm has the rights to query the DB directly. <sid>adm can access the user keystore. <sid>adm typically has the rights to read PSE files and keytabs. <sid>adm typically can access /sapmnt/trans of other SIDs within the landscape. <sid>adm can also access profiles, DEFAULT.PFL, etc., and insert a command-line backdoor that will restart each time the application starts.

Watch this space. I am developing that script. :)

=============================
SECTION 1: The Possible Probe Points
=============================

- Get the SID via /etc/passwd, net users, a service query, or the current user
- Identify possible PSE file locations
- Identify any possible cert dumps to get the p12 format
- Identify DB and kernel version
- Identify connectivity and the user store: R3trans, sqlplus, hdbsql, sqlcmd, etc.
- Generic scan for interesting files
- OSS IDs, etc.
- Grab instance profiles: DEFAULT, J*/D* and *SCS
- Identify the agent for the backup solution; possible Administrator or root privilege on the backup solution side
- Use hdblcm; see the footnotes below

==========================
SECTION 2: Methods & Examples
==========================

Coming soon.

=================
SECTION 3: The script
=================

Coming soon.


==========================
SECTION 4: Backdooring Methods
==========================

1. Adding a persistent command via profile
2. Manually create a new instance; sapstart and sapstar generate default pass to add program cross client
3. Direct database SAP_ALL assignment
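From the defender's side, method 1 (a persistent command in a profile) is the easiest of the three to detect, because sapstart only runs the programs named by the Execute_xx, Start_Program_xx and Restart_Program_xx parameters. The following is an added example, not the author's script: it parses those entries from an instance profile, diffs them against a baseline copy taken when the system was known-good, and additionally flags any start program that resolves to a path outside the SAP directories. Both profiles are constructed samples (SID S4H and instance ASCS01 are borrowed from the listing in the footnotes; the hostname "sapserver" is a placeholder).

```python
"""Detect unexpected start-program entries in an SAP instance profile.

Added example for this post, not the author's script. sapstart runs the
programs named by the Execute_xx, Start_Program_xx and Restart_Program_xx
profile parameters, so a persistent command planted in a profile shows up
as a new or changed entry there. BASELINE_PROFILE and CURRENT_PROFILE are
constructed samples (SID S4H / instance ASCS01 as in the footnotes listing;
'sapserver' is a placeholder hostname).
"""
import re

BASELINE_PROFILE = """\
SAPSYSTEMNAME = S4H
INSTANCE_NAME = ASCS01
DIR_EXECUTABLE = /usr/sap/S4H/ASCS01/exe
_PF = /usr/sap/S4H/SYS/profile/S4H_ASCS01_sapserver
_MS = ms.sapS4H_ASCS01
Execute_00 = immediate $(DIR_EXECUTABLE)/sapcpe pf=$(_PF)
Execute_01 = local rm -f $(_MS)
Execute_02 = local ln -s -f $(DIR_EXECUTABLE)/msg_server $(_MS)
Start_Program_01 = local $(_MS) pf=$(_PF)
"""

# The same profile with one entry appended: this is what the audit should flag.
CURRENT_PROFILE = BASELINE_PROFILE + "Execute_03 = local /tmp/update.sh\n"

START_PARAM = re.compile(r"^(Execute|Start_Program|Restart_Program)_(\d{2})$")
VAR = re.compile(r"\$\((\w+)\)")
SAP_DIRS = ("/usr/sap/", "/sapmnt/")


def parse_profile(text):
    """Return (params, start_entries): every key/value, and the subset sapstart executes."""
    params, entries = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        params[key] = value
        if START_PARAM.match(key):
            entries[key] = value
    return params, entries


def expand(value, params, depth=0):
    """Resolve $(NAME) references from the profile itself; unknown names stay as written."""
    if depth > 10:  # guard against self-referencing parameters
        return value
    return VAR.sub(
        lambda m: expand(params[m.group(1)], params, depth + 1) if m.group(1) in params else m.group(0),
        value,
    )


def program_of(value):
    """First token after the 'immediate'/'local' keyword, i.e. the program that will run."""
    tokens = value.split()
    if tokens and tokens[0] in ("immediate", "local"):
        tokens = tokens[1:]
    return tokens[0] if tokens else ""


def audit(current_text, baseline_text):
    """Return (finding, key, detail) tuples: baseline drift, plus programs outside the SAP tree."""
    cur_params, cur = parse_profile(current_text)
    _, base = parse_profile(baseline_text)
    findings = []
    for key in sorted(set(cur) | set(base)):
        if key not in base:
            findings.append(("added", key, cur[key]))
        elif key not in cur:
            findings.append(("removed", key, base[key]))
        elif cur[key] != base[key]:
            findings.append(("changed", key, f"{base[key]} -> {cur[key]}"))
    for key, value in sorted(cur.items()):
        program = program_of(expand(value, cur_params))
        if program.startswith("/") and not program.startswith(SAP_DIRS):
            findings.append(("outside_sap_dirs", key, program))
    return findings


if __name__ == "__main__":
    for finding in audit(CURRENT_PROFILE, BASELINE_PROFILE):
        print(*finding)
```

Run it on a schedule against every instance profile and DEFAULT.PFL under /sapmnt/<SID>/profile, and keep the baseline copies somewhere <sid>adm cannot write; a baseline stored inside the SAP tree can be updated by the same account that edited the profile.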


======= IGNORE BEYOND THIS LINE ========

[root@ayam /]# /hana/shared/HDB/hdblcm/hdblcm -help
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LC_CTYPE = "UTF-8",
        LANG = "en_GB.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_GB.UTF-8").
SAP HANA Lifecycle Management (hdblcm)
Copyright © 2000-2017 by SAP SE

Help:  hdblcm --help [--action=add_hosts|register_rename_system [--pass_through_help]
                      | --uninstall [--pass_through_help]]
              | --list_systems | --version

Usage: hdblcm [--action[=add_hosts|register_rename_system]] [--batch] [--configfile=]
              [--dump_configfile_template=] [--uninstall]

  --action[=add_hosts|register_rename_system]  Specifies the action to be performed [interactive, default value: 'exit']
  --batch                        -b            Runs the program in batch mode using default values for unspecified parameters
  --configfile=                      Reads parameters from the specified configuration file (parameters in command line
                                               take precedence)
  --dump_configfile_template=        Creates a configuration file with default values
  --help                         -h            Displays the help information
                                               For extended help, use with the parameter '--action' or '--uninstall'
  --list_systems                 -L            Shows installed SAP HANA systems
  --pass_through_help                          Adds special parameters of subprograms to the help information
  --uninstall                                  Uninstall system or components
  --version                      -v            Displays the version of hdblcm

The environment variable 'HDB_INSTALLER_TRACE_FILE=' enables the trace.
The environment variable 'HDBLCM_LOGDIR_COPY=' creates a copy of the log directory.
[root@ayam /]#

SAP HANA Database Installations:

DAA /usr/sap/DAA/SYS OTHERS
        SMDA98

J2E /sapmnt/J2E OTHERS
        J00
        SCS01

S4H /sapmnt/S4H OTHERS
        D00
        ASCS01

SMA /sapmnt/SMA OTHERS
        DVEBMGS00
        ASCS01

SMJ /sapmnt/SMJ OTHERS
        J02
        SCS03

WD1 /sapmnt/WD1 OTHERS
        W04

Already used instance numbers: 00 00 00 01 01 01 02 03 04 98
Next free instance number: 05
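The listing above is the quickest host-level inventory of SIDs and instances, which is why the probe list in Section 1 points at hdblcm. The following parser is an added example, not the author's script: it turns that output into structured data a defender can reconcile against the CMDB or the expected profile set, and recomputes the "already used" and "next free" instance numbers exactly as hdblcm reports them. SAMPLE_LISTING is a constructed copy of the output shown above.

```python
"""Parse the output of `hdblcm --list_systems` into an instance inventory.

Added illustration for this post, not the author's script. It turns the
listing (SID, installation path, kind, instance names) into a dict and
recomputes the instance numbers hdblcm prints. SAMPLE_LISTING is a
constructed copy of the output shown on the page.
"""
import re

SAMPLE_LISTING = """\
SAP HANA Database Installations:

DAA /usr/sap/DAA/SYS OTHERS
        SMDA98

J2E /sapmnt/J2E OTHERS
        J00
        SCS01

S4H /sapmnt/S4H OTHERS
        D00
        ASCS01

SMA /sapmnt/SMA OTHERS
        DVEBMGS00
        ASCS01

SMJ /sapmnt/SMJ OTHERS
        J02
        SCS03

WD1 /sapmnt/WD1 OTHERS
        W04
"""

# A system header is an unindented 'SID PATH KIND' line; a SID is three characters.
SYSTEM_LINE = re.compile(r"^([A-Z][A-Z0-9]{2})\s+(\S+)\s+(\S+)\s*$")
# The instance number is the trailing two digits of the instance name (ASCS01 -> 01).
INSTANCE_NUMBER = re.compile(r"(\d{2})$")


def parse_list_systems(text):
    """Return {SID: {"path": str, "kind": str, "instances": [names]}}."""
    systems = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            # Indented line: an instance belonging to the last system header.
            if current is not None:
                systems[current]["instances"].append(raw.strip())
            continue
        m = SYSTEM_LINE.match(raw)
        if m:
            current = m.group(1)
            systems[current] = {"path": m.group(2), "kind": m.group(3), "instances": []}
        else:
            current = None  # title line or anything unrecognised
    return systems


def used_instance_numbers(systems):
    """All instance numbers on the host, sorted, duplicates kept (as hdblcm prints them)."""
    numbers = []
    for info in systems.values():
        for name in info["instances"]:
            m = INSTANCE_NUMBER.search(name)
            if m:
                numbers.append(m.group(1))
    return sorted(numbers)


def next_free_instance_number(systems):
    """Lowest two-digit number (00-99) not yet used on this host, or None if all are taken."""
    used = set(used_instance_numbers(systems))
    for n in range(100):
        candidate = f"{n:02d}"
        if candidate not in used:
            return candidate
    return None


if __name__ == "__main__":
    inventory = parse_list_systems(SAMPLE_LISTING)
    for sid, info in inventory.items():
        print(f"{sid} {info['path']} {info['kind']}: {', '.join(info['instances'])}")
    print("Already used instance numbers:", " ".join(used_instance_numbers(inventory)))
    print("Next free instance number:", next_free_instance_number(inventory))
```

Feed it the real output with `hdblcm --list_systems | python3 inventory.py` style piping (reading sys.stdin instead of SAMPLE_LISTING) and diff the result against the previous run; an instance or SID that appears without a change record is worth a look, since method 2 in Section 4 relies on exactly that.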

Also, a sample:

Waiting for stopped instance using: /usr/sap/HDB/SYS/exe/hdb/sapcontrol -prot NI_HTTP -nr 02 -function WaitforStopped 600 2

Starting instance using: /usr/sap/HDB/SYS/exe/hdb/sapcontrol -prot NI_HTTP -nr 02 -function StartWait 2700 2

More to do:
E:\usr\sap\XXX\ASCS31\exe>attrib *.exe | more
A            E:\usr\sap\XXX\ASCS31\exe\enqt.exe
A            E:\usr\sap\XXX\ASCS31\exe\enrepserver.exe
A            E:\usr\sap\XXX\ASCS31\exe\enserver.exe
A            E:\usr\sap\XXX\ASCS31\exe\ensmon.exe
A            E:\usr\sap\XXX\ASCS31\exe\esmon.exe
A            E:\usr\sap\XXX\ASCS31\exe\gwmon.exe
A            E:\usr\sap\XXX\ASCS31\exe\gwrd.exe
A            E:\usr\sap\XXX\ASCS31\exe\krnlreg.exe
A            E:\usr\sap\XXX\ASCS31\exe\ldappasswd.exe
A            E:\usr\sap\XXX\ASCS31\exe\ldapreg.exe
A            E:\usr\sap\XXX\ASCS31\exe\lgtst.exe
A            E:\usr\sap\XXX\ASCS31\exe\msclients.exe
A            E:\usr\sap\XXX\ASCS31\exe\msg_server.exe
A            E:\usr\sap\XXX\ASCS31\exe\msmon.exe
A            E:\usr\sap\XXX\ASCS31\exe\msprot.exe
A            E:\usr\sap\XXX\ASCS31\exe\niping.exe
A            E:\usr\sap\XXX\ASCS31\exe\ntscmgr.exe
A            E:\usr\sap\XXX\ASCS31\exe\sapcar.exe
A            E:\usr\sap\XXX\ASCS31\exe\sapccmsr.exe
A            E:\usr\sap\XXX\ASCS31\exe\sapcontrol.exe
A            E:\usr\sap\XXX\ASCS31\exe\sapcpe.exe
A            E:\usr\sap\XXX\ASCS31\exe\sapgenpse.exe
A            E:\usr\sap\XXX\ASCS31\exe\sapntchk.exe
A            E:\usr\sap\XXX\ASCS31\exe\sapntkill.exe
A            E:\usr\sap\XXX\ASCS31\exe\sapntwaitforhalt.exe
A            E:\usr\sap\XXX\ASCS31\exe\sappfpar.exe
A            E:\usr\sap\XXX\ASCS31\exe\saprouter.exe
A            E:\usr\sap\XXX\ASCS31\exe\sapsrvkill.exe
A            E:\usr\sap\XXX\ASCS31\exe\sapstack.exe
A            E:\usr\sap\XXX\ASCS31\exe\sapstart.exe
A            E:\usr\sap\XXX\ASCS31\exe\sapstartsrv.exe
A            E:\usr\sap\XXX\ASCS31\exe\sapwebdisp.exe
A            E:\usr\sap\XXX\ASCS31\exe\sldreg.exe
A            E:\usr\sap\XXX\ASCS31\exe\startsap.exe
A            E:\usr\sap\XXX\ASCS31\exe\stopsap.exe
A            E:\usr\sap\XXX\ASCS31\exe\wdispmon.exe


x:\usr\sap\XXX\ASCS31\exe>

dest='hostname:8101' URL='/msgserver/text/logon?version=1.2


//alak
