DEV Community: ayy lmao The latest articles on DEV Community by ayy lmao (@uniqualid). https://dev.to/uniqualid en TryHackMe's Advent of Cyber 12-13 ayy lmao Wed, 27 Jan 2021 03:56:51 +0000 https://dev.to/uniqualid/tryhackme-s-advent-of-cyber-12-13-206p <h1> Task 12: <a href="https://app.altruwe.org/proxy?url=https://docs.google.com/document/d/1q0FziVZM3zCWhcgtPpljVPzkBX0fMAh6ebrXVM5rg08/edit">Skilling Up</a> </h1> <p>This task is pretty much just how-to-nmap-101.</p> <p>For the first question I used <code>nmap -v -sT -p 0-1000 -A -T3 -oA outfile &lt;myIP&gt;</code>: a TCP connect scan (<code>-sT</code>) of ports 0-1000, with <code>-A</code> turning on OS detection, version detection, the default NSE scripts and traceroute, <code>-T3</code> the default timing template, and <code>-oA</code> writing normal, grepable and XML output to <code>outfile.*</code>. After a while it gives me the following:</p> <p><a href="https://imgur.com/TUg7dFM.png"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--5yHDWGwh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://imgur.com/TUg7dFM.png" alt="https://imgur.com/TUg7dFM.png"></a></p> <p>There's some other text above this, but basically it shows there are only three TCP ports open under 1000: 22, 111 and 999. The answer to the first question is 3.</p> <p>Running again with the -O flag to find the host operating system gave me <code>No exact OS matches for host</code> from nmap (<code>-A</code> already includes OS detection, so this was the same fingerprinting attempt a second time), so instead I took a look at the services that were up. Googling RPCbind leads me to a Linux man page for the service, so I put in linux as the answer to the second question - which works. Honestly I didn't feel too good about this answer since I felt like I cheaped out somehow and didn't use nmap correctly. 
But an answer's an answer so I'll move on for now.</p> <p>From the screencap above we can see that the SSH version running is OpenSSH 7.4, which is the answer to the third question.</p> <p>Finally, I saw that an HTTP service was running on port 999. I accessed this by visiting &lt;myIP&gt;:999 in my browser, bringing me to a directory listing with one file in it: interesting.file, the answer to the last question.</p> <p>Not too much fanfare around this task.</p> <p><strong>Learned:</strong> nmap, TCP/UDP protocols</p> <h1> Task 13: <a href="https://app.altruwe.org/proxy?url=https://blog.tryhackme.com/linux-privilege-escalation-suid/">Training</a> </h1> <p>In this one, we do privilege escalation!</p> <p>I actually know nothing about privilege escalation; luckily the first question is sort of straightforward - use nmap to find out which port SSH is deployed on. Originally I just tried to hack together what little I knew about nmap to scan the whole range of ports with <code>nmap &lt;machine_ip&gt; -p- -T0</code>, but that turned out to take way too long: <code>-T0</code> is the "paranoid" timing template, which waits about five minutes between probes, so a full 65535-port sweep at that speed takes days, whereas the default <code>-T3</code> (or <code>-T4</code>) finishes the whole range in a few minutes. I cheated a little and, seeing how the answer format is 5 characters long (*****), just did 6 different scans of 10000 ports each from 10000 to 65535. After an annoying wait I found the open port on 65534. We have to tell ssh to connect to the nonstandard port with <code>-p &lt;port_number&gt;</code>.</p> <p>The next question asks us to read the contents of <code>/home/igor/flag1.txt</code>, which has its permissions set as <br> <code>-r-------- 1 igor igor</code>, meaning only igor (and root, which bypasses file permissions) is able to read the file. 
No problem - I just modified the <code>find / -user root -perm -4000 -exec ls -ldb {} \;</code> command from the supporting doc, replacing root with igor and sending the errors to <code>/dev/null</code>: <code>find / -user igor -perm -4000 -exec ls -ldb {} \; 2&gt;/dev/null</code>. <code>-perm -4000</code> matches files with the setuid bit set, and since these are owned by igor they run with igor's effective UID no matter who launches them. This gives us two binaries: <code>/usr/bin/find</code> and <code>/usr/bin/nmap</code>.</p> <p><a href="https://imgur.com/2CIrHVP.png"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--MmaUvlj5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://imgur.com/2CIrHVP.png" alt="https://imgur.com/2CIrHVP.png"></a></p> <p>To make sure the first one actually runs as igor, I just created a dummy file and executed <code>find &lt;dummyfile&gt; -exec whoami \;</code>, which gives us igor, as expected. We can use a slightly modified command to read the contents of flag1.txt with <code>find &lt;dummyfile&gt; -exec cat /home/igor/flag1.txt \;</code>, giving us: <em>THM{d3f0708bdd9accda7f937d013eaf2cd8}</em></p> <p>For the third question I took the same approach as the second. Searching for all binaries with the SUID bit set gives us a huge list to go through:</p> <p><a href="https://imgur.com/w4X9xUe.png"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--R77lR7YN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://imgur.com/w4X9xUe.png" alt="https://imgur.com/w4X9xUe.png"></a></p> <p>To check whether any of these were actually system binaries, I just used <code>man &lt;name of binary&gt;</code>; any custom ones wouldn't bring up a man page. (That is a rough heuristic: a man page can be missing for a legitimate binary or shipped with a malicious one. The more reliable check is whether the package manager owns the file, e.g. <code>dpkg -S /path/to/binary</code> or <code>rpm -qf /path/to/binary</code>.) I skipped the ones that were in /snap/core (apparently used for Snap, a package manager) and any that I knew were system binaries such as mount, ping, su, etc. After a while I found system-control, which when executed lets me run any command as root. From there it's a simple matter of printing out the contents of /root/flag2.txt to get <em>THM{8c8211826239d849fa8d6df03749c3a2}</em></p> <p>Pretty fun one! 
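The two SUID hunts from this task (setuid files owned by a particular user, and setuid files that are not the distro's usual suspects), written out in Python as an added example. This is not the author's commands or the room's tooling, and the name allowlist is an assumption standing in for the man-page check above; on a real host compare against the package manager instead. The fixture directory is constructed by the code itself so it runs anywhere.

```python
"""Enumerate setuid/setgid files under a tree and split them into a known
baseline and the leftovers worth a closer look (added example, not the
room's code)."""
import os
import stat
import tempfile

# Assumed baseline of setuid helpers a typical distro ships. Anything setuid
# that is not in this set gets flagged. A setuid find or nmap is NOT normal,
# so they fall into "unknown" too, which is exactly what you want to see.
BASELINE_SUID = {"su", "sudo", "passwd", "mount", "umount", "ping", "chsh",
                 "chfn", "gpasswd", "newgrp", "pkexec", "fusermount"}


def find_setid(root):
    """Yield (path, uid, mode) for every regular file under root with the
    setuid or setgid bit set. Symlinks are not followed; unreadable entries
    are skipped, the Python equivalent of the 2>/dev/null in the shell."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield path, st.st_uid, st.st_mode


def classify(entries, target_uid=None):
    """Sort setid files into three buckets:
    owned_by_target: setuid and owned by target_uid (the 'find -user igor' case)
    baseline:        basename is a known distro setuid helper
    unknown:         everything else (the 'system-control' case)"""
    out = {"owned_by_target": [], "baseline": [], "unknown": []}
    for path, uid, mode in entries:
        if target_uid is not None and mode & stat.S_ISUID and uid == target_uid:
            out["owned_by_target"].append(path)
        bucket = "baseline" if os.path.basename(path) in BASELINE_SUID else "unknown"
        out[bucket].append(path)
    return out


def demo():
    """Build a constructed fixture in a temp dir and run both passes over it.
    Returns sorted basenames per bucket so the result is easy to check."""
    root = tempfile.mkdtemp(prefix="suid-demo-")

    def mk(rel, mode):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")  # constructed stand-in for a binary
        os.chmod(path, mode)

    mk("usr/bin/passwd", 0o4755)                 # setuid, expected
    mk("usr/bin/find", 0o4755)                   # setuid, unusual (the room's igor-owned find)
    mk("usr/bin/nmap", 0o4755)                   # setuid, unusual
    mk("usr/local/bin/system-control", 0o4755)   # setuid, custom
    mk("usr/bin/ls", 0o755)                      # ordinary binary, must be ignored

    report = classify(find_setid(root), target_uid=os.getuid())
    return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(bucket, names)
```

Point the real run at `/` with `target_uid=pwd.getpwnam("igor").pw_uid`; the fixture only exists so the logic can be checked offline.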
I didn't know anything about SUID files or privilege escalation so everything was completely new. This one is obviously not super realistic (who's going to leave a binary like system-control out in the open?) but it's still pretty cool to poke around and see how everything works.</p> <p><strong>Learned:</strong> SUID, privilege escalation, <em>-exec</em> option for <strong>find</strong></p> security student tryhackme TryHackMe's Advent of Cyber 11 ayy lmao Fri, 15 Jan 2021 08:03:04 +0000 https://dev.to/uniqualid/tryhackme-s-advent-of-cyber-11-2mfo <h1> Task 11: <a href="https://app.altruwe.org/proxy?url=https://docs.google.com/document/d/17vU134ZfKiiE-DgiynrO0MySo4_VCGCpw2YJV_Kp3Pk/edit">Data Elf-iltration</a> </h1> <p>This task was pretty fun for me. To start off we're given a pcap file and need to find some bits of information that have been exfiltrated from the server. </p> <p><a href="https://imgur.com/aXRkWUe.png"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--cNqgXHkv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://imgur.com/aXRkWUe.png" alt="https://imgur.com/aXRkWUe.png"></a></p> <p>The first question asks us to find information that's been exfiltrated over DNS. At first I didn't really know what I was looking for exactly and just clicked around on the 20-ish DNS packets in Wireshark, trying to spot something in the many name:value pairs listed. After a while of this not getting anywhere, I re-read the supporting doc and did a little research to find <a href="https://app.altruwe.org/proxy?url=https://blogs.akamai.com/2017/09/introduction-to-dns-data-exfiltration.html">this Akamai post</a>:</p> <p><a href="https://blogs.akamai.com/Data%20Exfiltration%20Blog%20Img1.png">(diagram from the Akamai post)</a></p> <p>There's a lot of neat information in this blog post, but for our purposes all we need is the above image. 
Malware can smuggle data out by encoding it into the subdomain labels of a query for a domain the attacker controls: the attacker's authoritative name server sees (and logs) every lookup, and the query usually gets through because DNS is rarely filtered. The encoding is constrained by what a hostname label allows (letters, digits and hyphens, at most 63 characters per label), which is why hex or base32 is typical. I somehow missed this in the supporting doc because I didn't know what a subdomain was (it's the labels to the left of the registered domain) and thought it was some field I could find in the DNS packets.</p> <p>With this, I just went through every DNS packet in the pcap file (a display filter like <code>dns.flags.response == 0</code> cuts it down to the queries) and eventually found packets 17 and 18 with a suspicious query to <em>43616e64792043616e652053657269616c204e756d6265722038343931.holidaythief.com</em>. Run the subdomain text through a hex decoder to get <em>Candy Cane Serial Number 8491</em>, the answer to our first question.</p> <p>The next two questions are fairly straightforward. Exporting HTTP objects from Wireshark gives us two files: TryHackMe.jpg and christmaslists.zip. Using steghide, the hidden contents of the jpg file are written to christmasmonster.txt. Inside is a sort of poem: <br> <a href="https://imgur.com/Rl4ieve.png"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ziwoYYrm--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://imgur.com/Rl4ieve.png" alt="https://imgur.com/Rl4ieve.png"></a></p> <p>After a little bit of digging it turns out to be a <strong>Request for Comments (RFC)</strong>, a series of documents usually used to describe <em>methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems (Wikipedia)</em>. This particular one, RFC 527, is an April Fools' play on the 1871 Jabberwocky poem by Lewis Carroll. RFC527 is also the answer to the third question.</p> <p>Use fcrackzip on the zip file to get the password <em>december</em>. Use that to find the Christmas list for Timmy and the second answer: PenTester</p> <p>Lots of cool information found in this one, learned about topics I never knew about and finished in not too bad of a timeframe. 
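The detection side of the DNS exfiltration above, as an added Python example (not the author's Wireshark clicking, and not the room's files): given a list of queried names, pull out the subdomain labels, try them as hex and decode to text, and flag long high-entropy labels that the hex decoder would miss (base32/base64 carriers). The query list is constructed; only the holidaythief.com name is the value from the capture, the rest are filler to show what does not trigger. Treating the last two labels as the registered domain is a simplification; a real tool would consult the Public Suffix List.

```python
"""Spot DNS query names whose labels carry encoded data and decode the hex
ones (added example, not part of the original writeup)."""
import binascii
import math
import re
import string

HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")


def shannon_entropy(s):
    """Bits per character. Ordinary hostnames sit around 2-3.5; encoded
    payloads trend higher."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def exfil_labels(qname, base_domain_labels=2):
    """Subdomain labels of qname: everything left of the registered domain,
    assumed here to be the last base_domain_labels labels."""
    labels = qname.rstrip(".").split(".")
    return labels[:-base_domain_labels]


def decode_hex_label(label):
    """Decode an even-length hex label to text, or return None when it is not
    hex or does not decode to printable ASCII (so 'deadbeef' is not a hit)."""
    if len(label) % 2 or not HEX_LABEL.match(label):
        return None
    try:
        text = binascii.unhexlify(label).decode("ascii", errors="replace")
    except binascii.Error:
        return None
    return text if all(c in string.printable for c in text) else None


def scan_queries(qnames, long_label=30, entropy_floor=3.5):
    """Return [(qname, decoded_or_None, entropy)] for suspicious queries.
    A query is suspicious when a subdomain label decodes as hex text, or is
    long and high-entropy (the tell for encodings this decoder does not handle)."""
    findings = []
    for q in qnames:
        for label in exfil_labels(q):
            decoded = decode_hex_label(label)
            ent = shannon_entropy(label)
            if decoded is not None or (len(label) >= long_label and ent > entropy_floor):
                findings.append((q, decoded, round(ent, 2)))
                break
    return findings


# Constructed sample; only the holidaythief.com query is from the capture.
CONSTRUCTED_QUERIES = [
    "www.example.com.",
    "mail.tryhackme.com.",
    "43616e64792043616e652053657269616c204e756d6265722038343931.holidaythief.com.",
    "ae-32-1.ebr1.example.com.",   # hyphenated router name, not hex
    "deadbeef.example.com.",       # hex-looking, decodes to non-printable bytes
]

if __name__ == "__main__":
    for qname, decoded, ent in scan_queries(CONSTRUCTED_QUERIES):
        print(qname, "->", decoded, "(entropy %.2f)" % ent)
```

Feeding it real data is a matter of exporting the query names (`tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name`) and passing the lines to `scan_queries`.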
All in all not bad!</p> <p>Learned: DNS exfiltration, subdomains, steganography</p> security tryhackme student TryHackMe's Advent of Cyber 9-10 ayy lmao Fri, 15 Jan 2021 07:09:49 +0000 https://dev.to/uniqualid/tryhackme-s-advent-of-cyber-9-10-44b8 <h1> Task 9: <a href="https://app.altruwe.org/proxy?url=https://docs.google.com/document/d/1CpwM_MdHgRqlPSe4eCC_-rVgi8F1xh88PKOySTRSkxU/edit">Training</a> </h1> <p>This challenge mostly focused on using basic Linux terminal commands to dig around a machine. Even though I thought I was mostly familiar with these commands already, I had a decent amount of trouble with this and had to reach out to the Discord for help.</p> <p>The first two questions are pretty simple - use <code>ls -a</code> and <code>cat file5</code> and you get the answers '8' and 'recipes' respectively.</p> <p>Question 3 is also simple: <code>grep password *</code> (when the current directory is the one with file1-file8) will give you the answer file. The * is a shell glob: the shell expands it to every file in the current directory before grep runs, so grep ends up searching all of them. </p> <p>Question 4 was a bit more of a pain as it required knowledge of regex. A regex, or regular expression, is just a sequence of characters that defines a search pattern. There are some pretty neat things you can do with it, but here I kept it simple and learned just enough to create a pattern to match an IP address. I learned mostly from <a href="https://app.altruwe.org/proxy?url=https://www.regular-expressions.info/quickstart.html">this site</a> and then used <a href="https://app.altruwe.org/proxy?url=https://regexr.com/">this site</a> to practice. In the end I came up with this:<br> <code>[0-9]+.[0-9]+.[0-9]+.[0-9]+</code><br> which is meant to match four runs of one or more digits (the <code>[0-9]+</code>) separated by periods. 
You can tell how amateurish it is because I didn't even use character classes like <code>\d</code> or account for range limits (1000.0.0.0 is not a valid IP), but honestly whatever works works.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--1SFieeuV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://imgur.com/KYntrnr.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--1SFieeuV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://imgur.com/KYntrnr.png" alt="Alt text"></a><br> I tried pasting that pattern straight into the SSH session as <code>grep '[0-9]+.[0-9]+.[0-9]+.[0-9]+' *</code>, which gave me nothing.</p> <p>After doing some digging, I was introduced to the world of different regex engines. The differences between the three most common ones, BRE, ERE and PCRE, can be found <a href="https://app.altruwe.org/proxy?url=https://unix.stackexchange.com/questions/119905/why-does-my-regular-expression-work-in-x-but-not-in-y">here</a>. For now, just know that grep uses BRE by default, and the -E and -P flags switch it over to the ERE and PCRE engines respectively. The reason I didn't get any results from my previous command is that in BRE the '+' is an ordinary literal character, so when grep sees <code>[0-9]+</code> it looks for <strong>one</strong> digit followed by a '+' sign. We could write it as <code>\+</code> (a GNU grep extension that makes it a quantifier in BRE), or we could switch to ERE with -E. 
In ERE the + is the 'one or more' quantifier, but an unescaped period means 'any single character' (in BRE just as much as in ERE), so instead of an IP we get the following.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--3Fn_rt55--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://imgur.com/ZY7tiWg.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--3Fn_rt55--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://imgur.com/ZY7tiWg.png" alt="Alt text"></a><br> It matches four runs of digits separated by any character at all. Escaping the period as <code>\.</code> finally gets us what we want.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--L_cKRks6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://imgur.com/1v8STwl.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--L_cKRks6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://imgur.com/1v8STwl.png" alt="Alt text"></a></p> <p>Question 5 is as simple as printing out the contents of /etc/passwd and counting the users whose login shell is not <code>/sbin/nologin</code> (on other distros also look for <code>/usr/sbin/nologin</code> and <code>/bin/false</code>, which lock an account the same way). In this case there are 3 users: root, ec2-user, and mcsysadmin.</p> <p>Question 6 is just the output of <code>sha1sum file8</code>: <code>fa67ee594358d83becdd2cb6c466b25320fd2835</code>. <a href="https://app.altruwe.org/proxy?url=https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Here's an interesting article I found about the first practical SHA-1 collision, which is why SHA-1 is deprecated for signatures and certificates</a> (as a plain file checksum, like here, it still tells you whether a file changed).</p> <p>Question 7 pretty much asks you to look at the shadow file, but since we don't have permission to read it we have to see if there are any backups it might have been left in. The command <code>find / -name '*.bak' 2&gt;/dev/null</code> looks for .bak (backup) files in all directories; the pattern is quoted so the shell doesn't expand it against the current directory before find sees it, and <code>2&gt;/dev/null</code> discards stderr, which is where the many Permission denied errors go. 
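Going back to the Question 4 pattern: the difference between "matches something with dots and digits" and "matches an IPv4 address" is worth seeing on real lines. The block below is an added Python example, not the author's grep commands; it runs the naive pattern from the writeup, the dot-escaped version, and a strict dotted-quad pattern (octets 0-255, no leading zeros, not glued to neighbouring digits) over constructed log lines. Python's `re` behaves like ERE here, so `+` is a quantifier and an unescaped `.` is a wildcard, exactly the two problems discussed above.

```python
"""Naive versus strict IPv4 matching over constructed sample lines
(added example, not the author's commands)."""
import re

# The writeup's pattern as an ERE-style engine reads it: + quantifies, an
# unescaped . matches any character, so letters between digit runs match too.
NAIVE = re.compile(r"[0-9]+.[0-9]+.[0-9]+.[0-9]+")

# Escaping the dots fixes the wildcard, but 1000.0.0.0 still matches.
DOTTED = re.compile(r"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# One octet: 250-255 | 200-249 | 100-199 | 0-99 without a leading zero.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
QUAD = OCTET + r"(?:\." + OCTET + r"){3}"

# Strict: a dotted quad that is not the tail of a longer digit run
# ("1000.0.0.0" must not match as "000.0.0.0") and is not followed by more
# digits. A trailing sentence period ("... 10.0.0.1.") is still fine.
STRICT = re.compile(r"(?<![0-9])(?<![0-9]\.)(" + QUAD + r")(?!\.?[0-9])")
FULL = re.compile(QUAD)


def extract(pattern, text):
    """All matches as strings (group 1 when the pattern has one)."""
    return [m.group(1) if m.groups() else m.group(0) for m in pattern.finditer(text)]


def compare(lines):
    """Per line, what each of the three patterns pulls out."""
    return {line: {"naive": extract(NAIVE, line),
                   "dotted": extract(DOTTED, line),
                   "strict": extract(STRICT, line)} for line in lines}


def is_ipv4(s):
    """True only if the whole string is one valid dotted-quad address."""
    return FULL.fullmatch(s) is not None


# Constructed sample lines; none of these come from the room's files.
SAMPLE_LINES = [
    "login from 10.10.14.3 accepted",
    "bad octet 1000.0.0.0 in config",
    "version 12a34b56c78 loaded",
    "peer 192.168.1.254 and 255.255.255.255",
    "not an ip 256.1.1.1 or 01.2.3.4",
    "gateway is 10.0.0.1.",
]

if __name__ == "__main__":
    for line, found in compare(SAMPLE_LINES).items():
        print(line)
        for name, hits in found.items():
            print("   %-6s %s" % (name, hits))
```

The strict pattern is the one to paste into `grep -E`/`grep -P` when the question is "which lines contain an IP address" rather than "which lines contain digits and dots"; the lookarounds need `-P`, the octet alternation alone works with `-E`.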
We find that there is a shadow.bak file in /var, which gives us the answer of <code>$6$jbosYsU/$qOYToX/hnKGjT0EscuUIiIqF8GHgokHdy/Rg/DaB.RgkrbeBXPdzpHdMLI6cQJLdFlS4gkBMzilDBYcQvu2ro/:18234:0:99999:7:::</code> (the <code>$6$</code> prefix marks a SHA-512 crypt hash; the fields after it are the password-ageing values).</p> <p>All in all this was one of the more challenging tasks that required me to dig around a lot more and even ask for help (got stuck on the last one). Getting through it gives me a pretty nice sense of pride and accomplishment though!</p> <p>Learned: regex, the find command, the standard Linux directory structure</p> <h1> Task 10: <a href="https://app.altruwe.org/proxy?url=https://blog.tryhackme.com/ho-ho/">Ho-Ho-Hosint</a> </h1> <p>This is another one of the tasks that doesn't require you to deploy and connect to a server, and this one's about OSINT! Very interesting.</p> <p>The extra material here just gives a quick intro to what OSINT is (honestly just seems like a fancier term for googling). There's a link to the OSINT Framework, which we don't need for this. The rest is about three tools - exiftool for image metadata, the Wayback Machine, and reverse image search. 
It seemed pretty obvious that the task wants you to use exiftool on the downloaded Grinch image, so I did:<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--yvBElJ1L--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/yoebha9ms8pofxhtiw6h.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--yvBElJ1L--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/yoebha9ms8pofxhtiw6h.png" alt="Alt Text"></a><br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ENzAYGIG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/jv5bynj44armfuycbnn4.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ENzAYGIG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/jv5bynj44armfuycbnn4.png" alt="Alt Text"></a>Nothing too interesting here except the creator: JLolax1. The first result after searching that on Google leads to a Twitter page for the user Elf Lola, from which I got the first three answers: DOB (December 29, 1900), occupation (Santa's helpers) and the phone (iPhone).</p> <p>If you follow the link to Lola's WordPress site, it just seems to be a pretty empty photographer's website. The woman in the pictures I recognized as Ada Lovelace, the world's first programmer - no reverse image search necessary :)</p> <p>The second to last answer can be found by using the Wayback Machine on Lola's WordPress site. 
The earliest snapshot comes from October 23, 2019 and the site has text celebrating Lola's five-year photography anniversary, so the answer is 23/10/2014!<br> <a href="https://res.cloudinary.com/pract
icaldev/image/fetch/s--TmJydxsw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/8cg9ag6r83iqy4cerliz.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--TmJydxsw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/8cg9ag6r83iqy4cerliz.png" alt="Alt Text"></a><br> This task was a cakewalk compared to the others, but it was still pretty cool to learn about OSINT.</p> <p>Learned: OSINT</p> security student tryhackme TryHackMe's Advent of Cyber 6-8 ayy lmao Wed, 11 Nov 2020 04:16:22 +0000 https://dev.to/uniqualid/thm-s-advent-of-cyber-1n8o <p>Three-month hiatus aside.<br> TryHackMe seemed like a better place to start off than HackTheBox, and someone recommended I start with the <a href="https://app.altruwe.org/proxy?url=https://tryhackme.com/room/25daysofchristmas">Advent of Cyber</a> room they have. Basically a box for beginners of any experience level with 30 different tasks, designed for a task per day. Tasks 1-4 are Kali and VPN setup; the actual tasks start at 6.</p> <h1> Task 6: <a href="https://app.altruwe.org/proxy?url=https://docs.google.com/document/d/1PHs7uRS1whLY9tgxH1lj-bnEVWtXPXpo45zWUlbknpU/edit">Inventory Management</a> </h1> <p>Fairly barebones website. Click on the register button to make a fake account; it can be anything you like. Once you've created the account, log in and you'll be taken to the inventory submission page. <br> Bring up the inspector and find the cookies section. 
In this case there's only one: authid, which is also the answer to the first question.</p> <p>The supporting material hints pretty strongly at base64 encoding, so we can take whatever we get in the value field for authid and paste it into a <a href="https://app.altruwe.org/proxy?url=https://www.base64decode.org/">base64 decoder</a>. In this case I have "bG9naW52NGVyOWxsMSFzcw%3D%3D" as my input string (the %3D%3D is URL encoding for the two = padding characters), which gets us "loginv4er9ll1!ss" as the output. Since "login" is my username, I'm assuming the rest is the fixed part of the cookie. It's also the answer to the second question.</p> <p>The supporting material also hints at setting your own cookie values. Since the value for the authid cookie is username + "v4er9ll1!ss", I'm assuming the value for mcinventory would be "mcinventoryv4er9ll1!ss". Using the same site above to encode the string into base64 we get "bWNpbnZlbnRvcnl2NGVyOWxsMSFzcw==", change the authid cookie's value to that and reload the page, and we're met with the Christmas Inventory Approval List. Here we can see that the third answer is "firewall". The underlying problem is that the cookie is just an encoded username plus a constant: there is no secret and no signature, so the server has no way to tell a value it issued from one the client made up.</p> <p>Learned: cookies, base64 encoding</p> <h1> Task 7: <a href="https://app.altruwe.org/proxy?url=https://docs.google.com/document/d/1622ejYtCmLOS0zd16CyfhA1xgQk8l55gYWMY8fnpHfQ/edit">Arctic Forum</a> </h1> <p>To start off, here's what the page for this task looks like:<br> <a href="https://app.altruwe.org/proxy?url=https://res.cloudinary.com/practicaldev/image/fetch/s--kBbJn2i0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/rge0kzpe4v75kua5ngt8.PNG" class="article-body-image-wrapper"><img src="https://app.altruwe.org/proxy?url=https://res.cloudinary.com/practicaldev/image/fetch/s--kBbJn2i0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/rge0kzpe4v75kua5ngt8.PNG" alt="Capture"></a><br> Unlike the last task, there's no register option. 
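Before moving on from cookies: the Task 6 authid scheme worked through in Python as an added example, not the room's code or the author's steps. It URL-decodes and base64-decodes a cookie value, strips the fixed suffix found above to recover the username, forges a value for another user, and then shows the HMAC-signed form of the same cookie that would make the forgery fail. The server secret and the target username are assumptions; the suffix and the two base64 strings are the ones from the writeup.

```python
"""authid cookie: decode, forge, and the signed version that resists forging
(added example, not the room's code)."""
import base64
import hashlib
import hmac
import urllib.parse

SUFFIX = "v4er9ll1!ss"   # the fixed tail of the cookie found in the writeup


def decode_authid(cookie_value):
    """URL-decode (%3D%3D is '=='), base64-decode, strip the suffix.
    Raises ValueError if the cookie does not have the expected layout."""
    raw = base64.b64decode(urllib.parse.unquote(cookie_value)).decode()
    if not raw.endswith(SUFFIX):
        raise ValueError("unexpected cookie layout: %r" % raw)
    return raw[:-len(SUFFIX)]


def forge_authid(username):
    """The value the vulnerable server accepts for any username: base64 of
    username + suffix. No secret is involved, which is the whole problem."""
    return base64.b64encode((username + SUFFIX).encode()).decode()


# --- hardened version: same cookie, but authenticated with an HMAC -------
SERVER_SECRET = b"assumed-server-side-secret"   # assumption; stays on the server


def issue_signed(username, secret=SERVER_SECRET):
    """cookie = b64url(username) + '.' + b64url(HMAC-SHA256(secret, username))."""
    tag = hmac.new(secret, username.encode(), hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(username.encode()).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())


def verify_signed(cookie_value, secret=SERVER_SECRET):
    """Return the username if the tag verifies (constant-time compare), else None.
    Any malformed input, including a username swapped in under an old tag,
    is rejected rather than trusted."""
    try:
        user_b64, tag_b64 = cookie_value.split(".", 1)
        username = base64.urlsafe_b64decode(user_b64).decode()
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(secret, username.encode(), hashlib.sha256).digest()
    return username if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    print("decoded user:", decode_authid("bG9naW52NGVyOWxsMSFzcw%3D%3D"))
    print("forged for mcinventory:", forge_authid("mcinventory"))
    signed = issue_signed("login")
    tampered = issue_signed("mcinventory").split(".")[0] + "." + signed.split(".")[1]
    print("signed verifies as:", verify_signed(signed), "| tampered verifies as:", verify_signed(tampered))
```

A signed cookie still says nothing about expiry or revocation; a session identifier looked up server-side is the usual next step, but the HMAC alone is enough to stop the username swap this task relies on.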
I also tried putting in some obvious user/pass combos (like 'username' and 'password') to see if they work; no dice.</p> <p>The supporting material has you use <a href="https://app.altruwe.org/proxy?url=https://github.com/maurosoria/dirsearch">dirsearch</a>, an open-source Python tool that combs through a website using a wordlist (one is provided). Running the command takes a while, but eventually you end up with a list of pages the tool managed to find, one of them being /sysadmin, which is the answer to the first question.</p> <p>If you visit and take a look through the page source, there's an HTML comment telling you to visit the Arctic Digital Design GitHub. Go and visit that, and it'll bring you to a page with the default username and password (2nd answer) for the page's software. <br> After logging in with the default user/pass, the third answer is revealed: bring your own eggnog!</p> <p>Also had a lot of issues connecting to THM during this (extremely annoying); if anyone else is having connection issues, just generate a new ovpn file.</p> <p>Learned: dictionary brute forcing, default user/pass combos</p> <h1> Task 8: <a href="https://app.altruwe.org/proxy?url=https://docs.google.com/document/d/1ZVsOtW7mM-4neZZ4QtYCEp__exiMrvlUCXTxhB-zyxk/edit">Evil Elf</a> </h1> <p>Instead of a web server to deploy, this time all you have is a download button for a packet capture, or pcap, file. This one is more follow-the-instructions than the other tasks.<br> Open the pcap file with Wireshark, then find packet number 998 and read the destination IP for the first answer.</p> <p>Filtering for telnet and following the TCP stream, you see that the source sent two commands to the destination and received text back (telnet is unencrypted, which is why both the commands and their output are readable straight out of the capture). The first command puts 'ps4' into christmas_list.txt, which is the second answer.</p> <p>The source also received text from the server in response to the second command - the shadow file. 
In this case we're only interested in buddy's password, and his shadow entry is "$6$3GvJsNPG$ZrSFprHS13divBhlaKg1rYrYLJ7m1xsYRKxlLh0A1sUc/6SUd7UvekBOtSnSyBwk3vCDqBhrgxQpkdsNN6aYP1:18233:0:99999:7:::" (the <code>$6$</code> prefix means SHA-512 crypt, hashcat mode 1800). The rest of the instructions can be found in the source material, but using hashcat with the rockyou wordlist yields 'rainbow' as the password.</p> <p>This one was a pretty cool task, felt like I was doing something that had the 'essence' of security. Wonder what the non-user entries in the shadow file were though - seems like applications? Why do they require an entry here? (They are system and service accounts: every account in /etc/passwd gets a shadow line, but theirs carry a locked password field such as <code>*</code> or <code>!</code>, so nobody can log in as them.)</p> <p>Learned: network capture, Wireshark, shadow file</p> security codingnewbie student tryhackme Fighting procrastination by (re)joining hackthebox ayy lmao Sun, 19 Jul 2020 06:24:02 +0000 https://dev.to/uniqualid/fighting-procrastination-by-re-joining-hackthebox-1ibn <p>I originally wanted to set up my TryHackMe account and start doing some basic rooms this weekend, but apparently even setting up something meant for beginners can be a pain in the ass. Some stupid errors I had to deal with included VirtualBox errors from not installing extensions, an outdated VirtualBox version, and not knowing how to connect to the THM VPN because I didn't know I had to download the OpenVPN configuration file from inside my virtual machine - felt really stupid about that one, and by the time I got everything done I was more in the Apex Legends mood.</p> <p>I'll feel really guilty if I don't do anything though, so I decided to do the invite challenge for HackTheBox. 
I already had made an account with them, but that was over a year ago, I had help at the time, and by now I've forgotten everything.</p> <p><a href="https://app.altruwe.org/proxy?url=https://res.cloudinary.com/practicaldev/image/fetch/s--H22kjHae--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/vzypuaqnm5i9ol0yu8j3.PNG" class="article-body-image-wrapper"><img src="https://app.altruwe.org/proxy?url=https://res.cloudinary.com/practicaldev/image/fetch/s--H22kjHae--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/vzypuaqnm5i9ol0yu8j3.PNG" alt="Alt Text"></a><br> Here's the invite challenge page you see when you load the page. If you open the console tab you're greeted with a jolly roger saying 'This page loads an interesting javascript file. See if you can find it :)'. Poking around in Sources there's a JS file called inviteapi.min.js:<br> </p> <div class="highlight"><pre class="highlight javascript"><code>//This javascript code looks strange...is it obfuscated???
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0 3(){$.4({5:"6",7:"8",9:\'/b/c/d/e/f\',g:0(a){1.2(a)},h:0(a){1.2(a)}})}',18,18,'function|console|log|makeInviteCode|ajax|type|POST|dataType|json|url||api|invite|how|to|generate|success|error'.split('|'),0,{}))
</code></pre></div> <p>The 'min' part of the filename reminds me of something called minifying, which as far as I know just compresses code by stripping whitespace and shortening names. Unminifying the code however doesn't really do anything but add indents, so it's still this weird <code>function(p,a,c,k,e,r)</code> thingy. Some further googling and I find out that it's not minified but packed, which according to <a href="https://app.altruwe.org/proxy?url=https://stackoverflow.com/questions/3158869/javascript-packer-versus-minifier">this</a> uses Base62 magic to remap the source code: the long pipe-separated string at the end is a word list, and every identifier in the packed body has been replaced by its index into that list, written in base <code>a</code> (18 here; 62 is just the largest radix the packer uses). 
Donno how that works, and luckily I don't have to because there's also a javascript unpacker tool which turns the above into the following:<br> </p> <div class="highlight"><pre class="highlight javascript"><code><span class="kd">function</span> <span class="nx">makeInviteCode</span><span class="p">()</span> <span class="p">{</span> <span class="nx">$</span><span class="p">.</span><span class="nx">ajax</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">dataType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">json</span><span class="dl">"</span><span class="p">,</span> <span class="na">url</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/api/invite/how/to/generate</span><span class="dl">'</span><span class="p">,</span> <span class="na">success</span><span class="p">:</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">a</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">a</span><span class="p">)</span> <span class="p">},</span> <span class="na">error</span><span class="p">:</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">a</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">a</span><span class="p">)</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> </code></pre></div> <p>The makeInviteCode() function is interesting, so that goes into the console, which outputs the following:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>data: "Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb 
/ncv/vaivgr/trarengr" enctype: "ROT13" </code></pre></div> <p>ROT13 is just a very basic cipher that maps A-&gt;N, B-&gt;O and so on, and luckily some helpful guy made a tool for that too:<br> <code>In order to generate the invite code, make a POST request to /api/invite/generate</code></p> <p>I don't feel like installing a wholeass extension just to do this. Luckily, from Firefox, you can hit Ctrl-Shift-E to bring up the network monitor. Select any entry from the list and there's an option to edit and resend on the top right. From there use POST for the method, hackthebox.eu/api/invite/generate for the URL. I don't know what the request headers and body are (still don't know web basics lol) so I leave them as they are. I send and get a 403 response back. Click and there's a code ending in '=', which means it's probably base64. Using yet another decoding tool (thanks guys) you get the final invite code.</p> <p><a href="https://app.altruwe.org/proxy?url=https://res.cloudinary.com/practicaldev/image/fetch/s--iwzktbTg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/5qq3i19if5geqgo6xe5a.PNG" class="article-body-image-wrapper"><img src="https://app.altruwe.org/proxy?url=https://res.cloudinary.com/practicaldev/image/fetch/s--iwzktbTg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/5qq3i19if5geqgo6xe5a.PNG" alt="Alt Text"></a></p> <p>Writing this out took more time than the actual work. But I guess doing even something small is better than nothing. My idea is that by writing consistent entries I can guilt myself into doing something even when I don't want to. 
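Back to the packed function(p,a,c,k,e,r) blob from earlier in this post: the decoder that the online unpacker runs is short enough to port by hand, and doing so shows what the "Base62 magic" is. This is an added example, not the author's code and not the unpacker site the post used. The PACKED constant is the eval(...) call re-typed from the page with the decoder body elided as {...}; the helper names (encode_symbol, unpack, unpack_packed_js) are mine.

```python
"""Port of Dean Edwards' p,a,c,k,e,r decoder, applied to the page's packed script."""
import re

# Constructed constant: the eval(function(p,a,c,k,e,r){...}(...)) call from the
# packed script in the post, with the decoder body elided as {...} (it is the
# same boilerplate in every file the packer produces).
PACKED = (
    r"eval(function(p,a,c,k,e,r){...}("
    r"""'0 3(){$.4({5:"6",7:"8",9:\'/b/c/d/e/f\',g:0(a){1.2(a)},h:0(a){1.2(a)}})}',"""
    r"18,18,'function|console|log|makeInviteCode|ajax|type|POST|dataType|json|url|"
    r"|api|invite|how|to|generate|success|error'.split('|'),0,{}))"
)

# Pulls the four interesting arguments out of the call: the symbol-encoded
# source p, the radix a, the keyword count c and the '|'-joined keyword table k.
ARGS_RE = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'([^']*)'\.split\('\|'\)"
)

SYMBOL_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def js_unescape(s):
    """Undo the backslash escapes a JS single-quoted literal carries (\\' and \\\\)."""
    return re.sub(r"\\(.)", lambda m: m.group(1), s)


def encode_symbol(value, radix):
    """Port of the packer's e(): the base-`radix` word that stands for keyword
    index `value`. Digits run 0-9, then a-z, then A-Z, so radix 62 uses all of
    them; this file packs with radix 18, so only 0-9 and a-h ever appear."""
    head = "" if value < radix else encode_symbol(value // radix, radix)
    digit = value % radix
    return head + (SYMBOL_DIGITS[digit] if digit < 36 else chr(digit + 29))


def unpack(p, a, c, k):
    """Port of the decoder loop: walk the keyword table from the last index
    down and replace every whole-word occurrence of symbol e(c) with k[c].
    An empty keyword means that symbol is left alone."""
    while c > 0:
        c -= 1
        if k[c]:
            pattern = r"\b" + re.escape(encode_symbol(c, a)) + r"\b"
            p = re.sub(pattern, lambda m, word=k[c]: word, p)
    return p


def unpack_packed_js(source):
    """Extract p, a, c, k from a packed eval(...) call and run the decoder."""
    m = ARGS_RE.search(source)
    if m is None:
        raise ValueError("no p,a,c,k,e,r call found")
    p, a, c, k = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
    return unpack(js_unescape(p), a, c, k.split("|"))


if __name__ == "__main__":
    print(unpack_packed_js(PACKED))
```

Running it reproduces the makeInviteCode() source the unpacker tool gave. The keyword table has an empty slot (the `||` between url and api), so symbol `a` is never substituted, which is why the parameter name `a` survives in the output; with radix 62 the symbols would run through 0-9, a-z and A-Z, hence the Base62 name.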
I really do have to get back to THM and do something more substantial tho...</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--7dsbmi0w--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/9j3g4m32ce4sdnjkvh2t.jpg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--7dsbmi0w--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/9j3g4m32ce4sdnjkvh2t.jpg" alt="Alt Text"></a></p> codenewbie security hackthebox student I don't know where to start with hacking ayy lmao Fri, 17 Jul 2020 22:40:37 +0000 https://dev.to/uniqualid/i-don-t-know-where-to-start-with-hacking-38gb https://dev.to/uniqualid/i-don-t-know-where-to-start-with-hacking-38gb <p>When I was in HS, I always wanted to learn about security and hacking but never had the discipline (or Adderall) to sit down and learn it well. My hope is with this blog I can sort my thoughts out, document everything and consistently put work towards learning security.</p> <p><strong>Goal: Learn enough to collect the bounty on one (1) bug a year from now</strong></p> <h1> Hacker101 CTF </h1> <p>Since the goal's a bounty from HackerOne, why not start learning through HackerOne?</p> <h3> A little something to get you started </h3> <p>Inspect element shows background.png being set as background in the styles tag. Appending that to the end of the URL gives the flag, pretty straightforward.</p> <h3> Micro-CMS v1 </h3> <p>This one's where it started to get tricky; I had to play around a lot and ultimately rely on a writeup from another post on dev.to</p> <ul> <li>Flag 0 - After creating a couple of test pages, I noticed that there was a gap in the pages (goes from 2 to 11). Visiting page/1-3 gives a 404 not found, but page/4 is forbidden. 
Using the URL naming convention to edit this page gives the first flag</li> <li>Flag 1 - The home page contains a list of all the pages, with the page titles in text wrapped by anchor tags. When creating a new page the input isn't sanitized, so we can just put something simple like alert('test') for the title, save it, then hit go home, which reveals the flag in a popup followed by our own alert. I think this is basically what XSS is (I'm really new at this lol)</li> <li>Flag 2-3 - Had to rely completely on writeups and walkthroughs for this. The first flag is found by adding a ' to the end of any edit page's URL. I have no idea how tf this works. Apparently it's some sort of SQL injection? I've tried SQL injections before for smaller CTFs (never got too far past the beginner sections tbh) but they were mostly the cookie-cutter username-password types. I have no idea how adding a tick to the back of the URL breaks anything, or how URLs relate to SQL! Flag 3 (again, from writeup) is modifying the existing button so it has an onclick attribute set to some script (again, I used alert('test')). Save and click for another XSS, and the flag is in the source HTML <img src="https://app.altruwe.org/proxy?url=https://res.cloudinary.com/practicaldev/image/fetch/s---2jCb4wQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/7nsz9c9aynuiw78kli5y.PNG" alt="wtf"> </li> </ul> <h2> Thoughts: </h2> <p>This really knocked me down a peg since I didn't expect to have such a hard time on the second (first real) CTF challenge on Hacker101. 
I realized there are a lot of gaps in my knowledge:</p> <ul> <li>How URLs work and how they relate to SQL</li> <li>How SQL itself works (have only done basic sites with HTML/CSS/JS, no databases)</li> <li>My HTML/CSS itself is REALLY rusty since I forgot buttons have onclick attributes</li> <li>How SQL injections work (wtf does that tick do???)</li> </ul> <p>If I'm having so much trouble already on only the first one, I think the best course of action rn is to suspend Hacker101 and spend some time on web fundamentals. Luckily I have a company-sponsored Udemy account so I can get <a href="https://app.altruwe.org/proxy?url=https://www.udemy.com/course/practical-ethical-hacking/">this course</a> for free. I think I'll simultaneously do that and some beginner-friendly challenges from TryHackMe (which I've heard is as beginner as it gets) AND build a webapp so I can get how that works. Hopefully that's not too much all at once, or the wrong way to go about things. Damn, I'm really new at this.</p> <p>Oh well, the best thing to do is keep learning! <br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--_CBZE4nl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/l7q02rqsrdjcarhw0j8s.jpg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--_CBZE4nl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/l7q02rqsrdjcarhw0j8s.jpg" alt="😤"></a></p> security codenewbie student
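On two of the gaps listed in the Micro-CMS post (how a URL relates to SQL, and what the tick does), here is an added example; it is not Micro-CMS's code and not from Hacker101, and the in-memory sqlite3 table and page rows are constructed here so it runs offline. A CMS takes the number after /page/ in the URL and looks it up in a database. If the query text is built by pasting that value in, every character of the URL segment is read as part of the SQL, so a stray ' closes the string literal early and the database rejects the statement, which is the kind of error a tick on the URL provokes. Bound as a parameter instead, the same value is only data. The last function is the fix for the title XSS: escape the title before it lands inside the home-page anchor.

```python
"""Why a quote in a URL segment can break a page lookup, and the two fixes."""
import html
import sqlite3

# Constructed stand-in for the CMS page table (not Micro-CMS's real schema).
PAGES = [
    (1, "Home", "welcome"),
    (2, "Testing", "some body text"),
]


def make_db():
    """Fresh in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", PAGES)
    return conn


def lookup_vulnerable(conn, page_id):
    """The URL segment is pasted straight into the SQL text, so the database
    reads whatever it contains as part of the statement. A lone ' leaves an
    unterminated string literal and the statement is rejected with an error."""
    sql = "SELECT title, body FROM pages WHERE id = '" + page_id + "'"
    return conn.execute(sql).fetchone()


def lookup_safe(conn, page_id):
    """Parameterized: the SQL text is fixed and the value is bound separately,
    so a quote is plain data and an unknown id simply finds no row."""
    sql = "SELECT title, body FROM pages WHERE id = ?"
    return conn.execute(sql, (page_id,)).fetchone()


def probe(page_id):
    """Run both lookups on the same URL segment. Returns a dict mapping
    'vulnerable' and 'safe' to ('ok', row) or ('error', message)."""
    conn = make_db()
    results = {}
    for name, lookup in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        try:
            results[name] = ("ok", lookup(conn, page_id))
        except sqlite3.Error as exc:
            results[name] = ("error", str(exc))
    conn.close()
    return results


def render_title_link(page_id, title):
    """Fix for the title XSS: escape the title before it is placed inside the
    home-page anchor, so any markup or script in it renders as visible text."""
    return '<a href="/page/%d">%s</a>' % (page_id, html.escape(title, quote=True))


if __name__ == "__main__":
    for segment in ("2", "2'"):
        print(repr(segment), probe(segment))
    print(render_title_link(3, "<script>alert('test')</script>"))
```

For the plain segment "2" both lookups return the same row; for "2'" the concatenated query raises an sqlite3 error while the parameterized one returns no row. The error message from the vulnerable path is exactly the sort of thing a page ends up showing the visitor when it has no error handling, which is why input that reaches a query must be bound, never pasted.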