Saturday, February 25, 2017

Nightmare on Wallaby Street - Vulnhub Walkthrough

Here we are again doing some Friday night hacking! I haven't posted in a while (been crazy busy) so I wanted to unwind and relax with a good Vulnhub box. I decided I'd work on Wallaby's: Nightmare. Let's dive right in.

This is the first page you see on the web server. Is this part of the CTF?

I decided to enter my name and see what happens...

Alright, well, looking at the top of the page, it looks like it could have an LFI vulnerability. So, let's check...

Yup, it definitely does; we can get /etc/passwd... can we get /etc/shadow?

DAMMIT. Ok, well... onto the next steps... Let's check the network scan again.

Looks like there is an open TCP port on 60080 (possibly HTTP because it ends with 80?). As you can see above, based on poorly timed screenshots on my part, we found the new web server.

After running dirbuster and getting nothing, I tried using the same path as the previous web server and look! The same LFI vulnerability still exists!
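The page-parameter LFI that both web servers share, shown here as added example code (Python written for this post, not the box's PHP or anything from the author): the vulnerable resolver glues the ?page= value onto the web root, a detection helper flags values that would have escaped it, and the hardened resolver allowlists the page names dirb reported. The web root path and the ".php" suffix are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Constructed layout for the demonstration; the box's real paths are not on
# the page. Page names are the ones dirb reported in the post.
WEB_ROOT = "/var/www/html"
ALLOWED_PAGES = {"home", "index", "contact", "mailer", "blacklist"}


def resolve_vulnerable(page, root=WEB_ROOT):
    """The flawed pattern behind the LFI: the ?page= value is joined onto a
    directory and handed to include(); nothing checks the result stays put.
    Note that an absolute value such as '/etc/passwd' replaces root entirely."""
    return posixpath.normpath(posixpath.join(root, page))


def escapes_root(page, root=WEB_ROOT):
    """Log-review helper: would this ?page= value have resolved outside the web
    root? URL-decodes first so an encoded '..%2f' is caught as well."""
    target = resolve_vulnerable(unquote(page), root)
    return posixpath.commonpath([root, target]) != root


def resolve_hardened(page, root=WEB_ROOT, allowed=ALLOWED_PAGES):
    """Fixed version: allowlist the page names, build the path from a fixed
    template, and still verify containment as defence in depth."""
    if page not in allowed:
        return None
    target = posixpath.normpath(posixpath.join(root, page + ".php"))
    if posixpath.commonpath([root, target]) != root:
        return None
    return target


if __name__ == "__main__":
    for value in ("mailer", "../../../etc/passwd", "..%2f..%2f..%2fetc%2fpasswd"):
        print(f"{value!r:32} vulnerable -> {resolve_vulnerable(unquote(value))}"
              f"  escapes root: {escapes_root(value)}"
              f"  hardened -> {resolve_hardened(value)}")
```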

Let's poke around the system and see what we can find... and we got banned...

So, now it's time to brute force this page parameter. I decided to use dirb and the syntax was super nice. The command I ran was: "dirb /usr/share/dirb/wordlists/big.txt" (no quotes). It returned the following pages.

And now we check them out! The contact page gives us a fake email address, the home and index pages are the same home page, cgi-bin/ didn't work, and blacklist is the banned page I showed you earlier. The mailer page seems to hold some valuable information though (in the comments).

Let's try these parameters in the HTML comment.

Oh hello there, command injection! I messed around with the mail <name> "test" input and tried LFI (not seen above) and finally tried command injection and it worked. Let's use this to get a shell on the box. Using the PHP reverse shell provided by pentestmonkey on Kali (/usr/share/webshells/php/php-reverse-shell.php) I was able to get a limited privilege shell on the target.

After a bit of research on the machine looking for privilege escalation opportunities, I found that sudo -l gave www-data the opportunity to act as waldo using iptables.

So, let's see what we have to play with in iptables. It looks like there is a rule preventing us from talking to ircd and, if we remember from our port scan, port 6667 was filtered. So, now that we've deleted that rule, let's try and interact with the port.

We know port 6667 is IRC and we found an irssi script in waldo's home directory. So I installed irssi and used it to connect to the victim system. 

So now, we're going to play around on this irc chat and see what happens. We found a '/list' command that showed there is one chat room called 'wallabyschat' and we used '/join wallabyschat' to join that chat room.

It looks like wallaby has a bot in here. I don't remember seeing that on the box, so I'm going to go look back there again. After doing a quick search on the internet for IRC bots and searching in wallaby's home folder, I found the answer. Sopel.

Looking in the modules directory we find a module. It seems to allow us to run commands in the irc chat, but only if we're Waldo. 

As expected, we're not waldo and we aren't able to run commands. I apologize for the next section: I went through without taking screenshots, so you'll have to excuse the lack of pictures while I explain what needed to be done to be able to become waldo.

If you recall from the sudo listing, we could access iptables, but we could also access vim with a certain document. That document is important in allowing anyone to use the sudo command, but there is nothing in it we need to change. Vim has a feature that allows us to execute commands using :!<command>. So, we find the process that is running tmux from the script and we kill it. I believe it was 790, but don't quote me on it. After we kill that process, we are able to change our nickname on the IRC chat to waldo and thus run commands.
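An added defender-side check for the sudo misconfiguration described above (example code written for this post, not from the author or the box): it parses sudoers-style rules and flags editor entries, because a pinned file argument does not stop vim's :!<command>, together with unrestricted ALL rules and bare NOPASSWD entries. The sample rules are constructed from the post's description of sudo -l, and the file path given to vim is a placeholder.

```python
import re

# vim-family editors all honour ":!cmd", so a sudo rule that pins the file
# argument still hands out command execution as the run-as user. Extend with
# whatever else your hardening baseline treats as shell-capable.
EDITORS = {"vim", "vi", "view", "vimdiff"}

# user host=(runas) [TAG: ...] cmd[, cmd...]  (the common sudoers rule shape)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

# Constructed rules modelled on the post's account of 'sudo -l'; the real
# sudoers file is not on the page and the vim file argument is a placeholder.
SAMPLE_SUDOERS = """\
# comments and Defaults lines are skipped
www-data ALL=(waldo) NOPASSWD: /sbin/iptables, /usr/bin/vim /etc/PLACEHOLDER.conf
wallaby ALL=(ALL) NOPASSWD: ALL
"""


def parse_rules(text):
    """One record per command, so findings point at the exact binary.
    Lines that do not match the rule shape are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line) if line and not line.startswith("#") else None
        if not m:
            continue
        nopasswd = "NOPASSWD" in m["tags"]
        for cmd in m["cmds"].split(","):
            rules.append({"user": m["user"], "runas": m["runas"],
                          "nopasswd": nopasswd, "cmd": cmd.strip()})
    return rules


def audit_sudoers(text):
    """Return (user, command, reason) findings: unrestricted ALL first,
    then shell-capable editors, then anything else granted NOPASSWD."""
    findings = []
    for r in parse_rules(text):
        binary = r["cmd"].split()[0].rsplit("/", 1)[-1]
        if r["cmd"] == "ALL":
            reason = f"unrestricted: any command as {r['runas']}"
        elif binary in EDITORS:
            reason = (f"editor rule: ':!cmd' inside {binary} runs arbitrary commands "
                      f"as {r['runas']}, even with the file argument pinned")
        elif r["nopasswd"]:
            reason = "NOPASSWD: confirm this binary cannot be misused without a password"
        else:
            continue
        findings.append((r["user"], r["cmd"], reason))
    return findings
```

Run it against the output of "sudo -l" or the contents of /etc/sudoers and /etc/sudoers.d/* during a host review.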

Here we can see that the .run command worked in the irc chat.

Next we set up a local listener and use the python reverse shell to get a shell on the box as wallaby. We simply put the python command in the irc chat and catch the reverse shell connection with netcat and we're good to go!

Sudo seems to be part of this challenge so let's check the sudo permissions as wallaby.

Wallaby can use sudo with no password to do anything it wants, so we are basically done! We run one command to officially get us root and we can cat the flag. We run 'sudo su root' and enjoy our new root shell.

Now with our root shell, we cd to /root and cat the flag.txt and thus we are done!

This was a fun challenge and I really like the use of IRC to facilitate the privilege escalation. Thanks for writing it and I look forward to the second part!

Sunday, January 15, 2017

5 Fundamentals Every Hacker Must Master

Welcome to the new year! 2017 = 0x7E1 = 0111 1110 0001, just in case you were curious. So today, I wanted to discuss 5 fundamental skills that every hacker should master. I use the term hacker loosely because these apply to both offensive and defensive experts alike. I'm going to count down in reverse order, ready?

5. Port Scanning

This is the bread and butter of compromising a computer. After you have completed your information gathering phase and determined which computers are 'in-scope' for your purposes, you need to figure out where the weak points of the computer are. Hint: it's the open ports. Ports can tell us so much about the computer that we may not have gathered during the previous phase: which operating system is running? Which services are running? Sometimes they even tell us the overall use of that specific computer (mail server, DNS server, employee desktop, etc.). Being able to scan ports effectively, quickly, and quietly is the BEST way to attack a computer. On the defensive side, making sure only the services you need are running, making sure those services are up-to-date (including patches for previously discovered vulnerabilities), and being able to detect network scanning are paramount for the defense. Nmap is the big name in port scanning, but you should become familiar with other scanning tools such as unicornscan, masscan, p0f, Angry IP Scanner, and hping3, to name a few.

4. Networking Models

In general, networking models are an academic exercise, but they do serve one purpose while learning: a complete understanding of the interchange of information between computers. The Department of Defense (DoD) model is the most useful in my opinion. It has four layers (Network Access Layer, Internet Layer, Host-to-Host Layer, and Application Layer). The first layer (Network Access) covers the physical exchange of information across wires or via a wireless medium, along with the transition from physical signals to digital information. The next layer (Internet) is what connects computers together across the internet. The IP protocol is most commonly used nowadays; to use it, IP addresses are assigned to each computer and routers forward information from one network to another based on those IP addresses. The third layer (Host-to-Host) is about which language is used by each computer to communicate. There are two main options (TCP and UDP) and they can be likened to a civil conversation and a stock market trading floor. TCP is session-oriented and has reliable transmission, so information is communicated effectively and completely at the expense of speed. UDP is almost the exact opposite: it yells things across the internet hoping the correct computer hears it and responds appropriately. Lastly, we have the Application layer. This is where HTTP traffic, FTP traffic, SMB traffic, and all other types of application data are sent over TCP or UDP, over IP (mostly), over wired or wireless media from one computer to another. Even if you don't understand the deep technical details of how each layer works, you should be familiar with how they work in general because, in order to exploit (offensive) and prevent exploits (defensive), you need to understand how the information is communicated.

3. Programming from Assembly to Python

Programming is SO incredibly important! I cannot stress this enough. How are operating systems made? By programming. How are programs/software made? By programming. How are exploits made and used? By programming. Nowadays there are so many different ways to learn how to program, from free online classes to free Android/iOS apps to YouTube videos. In fact, here you go! I recommend learning the basics in a high-level language such as PHP, Java, or C#. Once you have mastered one of those languages, move to Python because you will be using this language A LOT. Once you've mastered Python, drop down to C and assembly. You can spend the rest of your life mastering C and assembly; plus, I think they are the least intuitive for people learning to become hackers. If you're already familiar with programming in general, focus on Python, C, and assembly. The understanding of these languages is what separates a good hacker from a great hacker.

If you're a purist or traditionalist, you can certainly go backwards. Start at assembly and understand what an opcode is and what it does; you'll learn about registers and memory addresses and you can certainly expect your head to hurt afterwards, but everything you learn afterwards is just an abstraction on top of assembly. After assembly, you will learn to appreciate what C can do for you, and if it can't do something you need, you can always force assembly upon it! Python will allow you to script things out instead of writing a program and compiling it every time. Use Python to augment and script your C and assembly work.

Full disclosure: I did not recommend every programming language that you could use and yes, these are the languages that I am personally biased towards. You could learn Ruby, you could learn Perl, you could learn C++ or .NET or any other. Each has its benefits and you should be familiar with all of them, but you will end up enjoying a select few languages based on personal preferences.

2. Information Gathering

Even though this is the first step in the hacking methodology, it makes number 2 on our list and you'll see why. This step is so critically important because the more information you can gather, the more likely you are to accomplish your goals. You need to find domains, IP addresses, email addresses, physical locations, what services they provide, what services they don't provide, and whether you can exploit them technically, socially, or physically. After gathering all this information, the actual hacking becomes laying down one train track after another to connect yourself straight to your target. Lots of people skip this step (including myself sometimes) and later, when the individual finally exploits their target, it's as a result of additional information gathering. You can never have too much information, especially in this day and age where computers can store and process most of it for you. DO NOT SKIP THIS STEP.

1. Curiosity

The single best skill a hacker can have is curiosity: the insatiable desire to learn about the way something works. This is how hackers find zero-day exploits: they know your product better than you do. They learn about your product, study your product, use your product and then exploit your product. This curiosity does not stop at just exploitation. It also extends to offense, if you're on defense, and to defense, if you're on offense. The only way to beat the adversary is to understand the adversary better than they understand themselves. If you're on defense, you understand how an attacker tries to exploit systems and you harden them. If you're on offense, you understand how defense hardens systems and work around those patches, configurations, and hardening strategies. I would further posit that a true hacker is curious about all things and not simply what he or she knows best. Some of the best findings over the years have come from the intersection of previously unrelated notions, ideas, and fields of study. This skill must be mastered above all else. Be curious, and if you're not curious about something, be curious about why you're not curious.

These are the 5 fundamentals every hacker should master, offensive or defensive. Take these to heart and use them to better yourself.

-Hack Responsibly, Hack Professionally.

Saturday, January 14, 2017

Hackday: Albania Walkthrough

Here we are for a walkthrough of Hackday: Albania. After booting it up in VirtualBox, I ran an Nmap scan that listed only port 22 open and a web server on port 8008. So when we browse to the web server we are greeted with Mr. Robot...

I have no idea which language that is or what it says, so throwing it into Google Translate gives us: "If I am, I know where to go," and it is in Albanian. Cool.

So, I check the source and there is a comment and I throw that into Google Translate as well: "Ok, Ok, but not here." Ok, the website is trolling me, ass. So I don't see anything useful from the source, so I use dirbuster to see if there is anything else on this server. Something came back: a /js/ directory, so I navigated to the page and found this...

The translation is loosely, "Is it right or is directory jerk." So, since /js/ is a directory, I decide to recurse on the /js/ directory with dirbuster and I find /js/external/ and /js/images/. /js/external has a directory /jquery/ which contains jquery.js and seems to be the external version of the jquery.js file if needed. /js/images has a list of icon sets in different colors. Could be something, but I'm not sure at this point. At this point, I'm kind of stuck, so I decide to use another scanner, Nikto, and holy crap, things appeared! Why? robots.txt. So I pulled it up on the web server...

A bunch of directories have been disallowed by the robots.txt file; however, none of them are trivial to manually type, so I want to find a tool that will scan these for me. I tried dirbuster and ZAP, but neither seemed to do searches based off the robots.txt file. So, I googled around and found wfuzz, which seemed to do the trick. I had never used wfuzz before, so I fumbled through the usage and eventually saw this in the help file...

Which seemed to be exactly what I wanted (side note: I used wget to get a local copy of the robots.txt file and locally named it robots.txt). Then the results were...

This result is weird, so let's look at it. We found a new page!

So I navigated to /uni.../vulnbank and I see there is a client folder in the vulnbank folder. Again, I follow the path and end up at the 'Very Secure Bank' client portal. Looks like some SQL injection is next. After trying some naive attempts at SQL injection, I decided that sqlmap would do this faster and better! Soooo here we go... sqlmap didn't give us great results, but username is vulnerable and it did get us the information that the back end database is MySQL. A good thing to know is that MySQL uses '#' as a comment instead of '--' like I was using previously. So, I tried some more naive SQL injection attempts. Nothing worked. COME ON!

Since the username is vulnerable, I figured I'd try and brute force the username with "'#" (single quote, pound sign) appended to the end to trigger the SQL injection vulnerability. I searched Kali and Google for a good list of usernames and tried some to no avail. Finally, I resorted to the ol' faithful rockyou.txt. It worked. It found jeff and hobson as two users. So I tried both of their usernames appended with '# and they worked!

Ok, there is a submission form on the right side; let's submit a test case and see what happens. Once we submit a test case, we see the message "After we got hacked we our allowing only image files to upload such as jpg, jpeg, bmp etc...". I didn't try to upload an image yet, but obviously I need to try! I'm going to see if I can use the PHP shell in a jpg trick to get RCE.

AAAAnd boom! Meterpreter shell.

Now that we have a shell, let's do some recon and escalate privs. First, I like to cat /etc/passwd and look for users...

So we found 'taviso'. I decided to also check which groups he is in (the meterpreter shell is not very stable but easily obtainable just by refreshing the ticket page in the web app), so I copied it to my local machine and I see the following...

He's in the sudo group! Awesome! So, continuing my reconnaissance, I realized I overlooked something: /etc/passwd is world writable. What.

Well, that makes everything much easier then. I decided to add my own root user.

First, I created a password hash; the password was 'password', as you can see. Next, I created the new user 'fabio'.

Since the file was editable, I simply said 'fabio' had a UID of 0 and a GID of 0, which means root privs!

Lastly, all I had to do was switch users to fabio...

This included getting TTY using python3 on the system. Now that I have root privs, let's finish this challenge.
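An added audit for the /etc/passwd weaknesses this section relies on (example code written for this post, not the author's): it parses a constructed passwd file modelled on the box, then reports a world-writable mode, accounts other than root with UID 0, hashes stored inline instead of in /etc/shadow, and malformed lines. Usernames besides taviso and fabio, and the hash value, are constructed.

```python
import stat

# Constructed /etc/passwd modelled on the post: the 'taviso' user, plus the
# 'fabio' entry the author added. The hash is a placeholder, not a real one.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
taviso:x:1000:1000:taviso,,,:/home/taviso:/bin/bash
fabio:$6$PLACEHOLDER$HASH:0:0::/root:/bin/bash
this line has no fields
"""
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_MARKERS = {"x", "*", "!", "!!"}  # password field values meaning "see /etc/shadow" or "locked"


def parse_passwd(text):
    """Return (entries, malformed): dicts keyed by FIELDS with int uid/gid, and
    the raw lines lacking seven fields or a numeric uid/gid (reported, not
    silently dropped, since a tampered file may well be malformed)."""
    entries, malformed = [], []
    for line in filter(str.strip, text.splitlines()):
        parts = line.split(":")
        if len(parts) != 7 or not (parts[2].isdigit() and parts[3].isdigit()):
            malformed.append(line)
            continue
        entry = dict(zip(FIELDS, parts))
        entry["uid"], entry["gid"] = int(parts[2]), int(parts[3])
        entries.append(entry)
    return entries, malformed

def uid0_accounts(entries):
    return [e["name"] for e in entries if e["uid"] == 0]

def inline_hashes(entries):
    """Accounts whose password field is a hash rather than a shadow marker,
    which is exactly what writing a new entry straight into /etc/passwd produces."""
    return [e["name"] for e in entries if e["passwd"] not in SHADOW_MARKERS]

def world_writable(mode):
    return bool(mode & stat.S_IWOTH)

def audit_passwd(text, mode):
    """Findings for one passwd file and its st_mode (e.g. os.stat(path).st_mode)."""
    entries, malformed = parse_passwd(text)
    findings = []
    if world_writable(mode):
        findings.append("/etc/passwd is world-writable (mode %o)" % stat.S_IMODE(mode))
    findings += [f"extra UID 0 account: {n}" for n in uid0_accounts(entries) if n != "root"]
    findings += [f"password hash stored in /etc/passwd for: {n}" for n in inline_hashes(entries)]
    findings += [f"malformed line: {line!r}" for line in malformed]
    return findings

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, 0o100666):  # 0o100666 is -rw-rw-rw-
        print(finding)
```

The fix on a real host is the usual one, chmod 644 /etc/passwd and removal of the rogue entry; the audit is what tells you it is needed.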

There we go. I hope this helped you out! I realize there are many walkthroughs for this challenge and I hope mine gave you something you might not have received elsewhere while you were learning from this challenge. Full disclosure: I had issues with meterpreter and getting the 'shell' command running inside of meterpreter because the VM had run out of memory. If you find you're running into a similar issue, try restarting the VM and it should fix that issue.

-Hack Responsibly. Hack Professionally.