Saturday, February 25, 2017

Nightmare on Wallaby Street - Vulnhub Walkthrough

Here we are again doing some friday night hacking! I haven't posted in awhile (been crazy busy) so I wanted to unwind and relax with a good vulnhub box. I decided I'd work on Wallaby's: Nightmare. Let's dive right in.

This is the first page you see on the web server. Is this part of the CTF?

I decided to enter my name and see what happens...

Alright, well looking at the top of the page, it looks like it could have a LFI vulnerability. So, let's check...

Yup, definitely does, we can get /etc/passwd....can we get /etc/shadow?

DAMMIT. Ok, well...onto the next steps...Let's check the network scan again.

Looks like there is an open TCP port on 60080 (possibly HTTP because it ends with 80?) As you can see above based on poorly timed screenshots on my part, we found the new webserver.

After running dirbuster and getting nothing, I tried using the same path as the previous webserver and look! The same LFI vulnerability still exists!

Let's poke around the system and see what we can got banned...

So, now it's time to brute force this page parameter. I decided to use dirb and the syntax was super nice. The command I ran was: "dirb /usr/share/dirb/wordlists/big.txt" (no quotes). It returned the following pages.

And now we check them out! The contact page gives us a fake email address, the home and index page is the same home page, cgi-bin/ didn't work, and blacklist is the banned page I showed you earlier. The mailer page seems to hold some valuable information thought (in the comments).

Let's try these parameters in the HTML comment.

Oh hello there command injection! I messed around with the mail <name> "test" input and tried LFI (not seen above) and finally tried command injection and it worked. Let's use this to get a shell on the box. Using the php reverse shell provided by pentestmonkey on kali (/usr/share/webshells/php/php-reverse-shell.php) I was able to get a limited privilege shell on the target.

After a bit of research on the machine looking for privilege escalation opportunities, I found that sudo -l gave www-data opportunities to act as waldo using Iptables. 

So, let's see what we have to play with in Iptables. It looks like there is a rule preventing us from talking to ircd and if we remember from our port scan, port 6667 was filtered. So, now that we've deleted that rule, let's try and interact with the port.

We know port 6667 is IRC and we found an irssi script in waldo's home directory. So I installed irssi and used it to connect to the victim system. 

So now, we're going to play around on this irc chat and see what happens. We found a '/list' command that showed there is one chat room called 'wallabyschat' and we used '/join wallabyschat' to join that chat room.

It looks like wallaby has a bot in here. I don't remember seeing that on the box, so I'm going to go look back there again. After doing a quick search on the internet for IRC bots and searching in wallaby's home folder, I found the answer. Sopel.

Looking in the modules directory we find a module. It seems to allow us to run commands in the irc chat, but only if we're Waldo. 

As expected, we're not waldo and we aren't able to run commands. I apologize for the next section, I went through without taking screenshots so, you'll have to excuse the lack of pictures while I explain what needed to be done to be able to be waldo.

If you recall from the sudo listing, we could access iptables, but we could also access vim with a certain document. The certain document is important to allow anyone to use the sudo command, but there is nothing in the document we need to change. Vim has a feature that allows us to execute commands using :!<command>. So, we find the process that is running tmux from the script and we kill it. I believe it was 790, but don't quote me on it. After we kill that process, we are able to change our nickname on the irc chat to waldo and thus run commands.

Here we can see that the .run command worked in the irc chat.

Next we set up a local listener and use the python reverse shell to get a shell on the box as wallaby. We simply put the python command in the irc chat and catch the reverse shell connection with netcat and we're good to go!

Sudo seems to be part of this challenge so let's check the sudo permissions as wallaby.

Wallaby can use sudo with no password to do anything it wants, so we are basically done! We run one command to officially get us root and we can cat the flag. We run 'sudo su root' and enjoy our new root shell.

Now with our root shell, we cd to /root and cat the flag.txt and thus we are done!

This was a fun challenge and I really like the use of IRC to facilitate the privilege escalation. Thanks for writing it and I look forward to the second part!

Sunday, January 15, 2017

5 Fundamentals Every Hacker Must Master

Welcome to the new year! 2017 = 0x7E1 = 0111 1110 0001, just in case you were curious. So today, I wanted to discuss 5 fundamental skills that every hacker should master. I use the term hacker loosely because these apply to both offensive and defensive experts alike. I'm going to count down in reverse order, ready?

5. Port Scanning

This is the bread-and-butter of compromising a computer. After you have completed your information gathering phase and determined which computers are 'in-scope' for your purposes then you need to figure out where the weak points of the computer are. Hint: it's the open ports. Ports can tell us so much about the computer we may not have gathered during the previous phase like, which operating system is running? which services are running? and sometimes tell us the overall use of that specific computer (Mail server, DNS server, employee desktop, etc.). Being able to scan ports effectively, quickly, and quietly is the BEST way to attack a computer. On the defensive side, making sure only the services you need running are running, making sure the services are up-to-date including patches if previous vulnerabilities were discovered, and being able to detect network scanning is paramount for the defense. NMAP is the big name in port scanning, but you should become familiar with other port scanning tools such as unicornscan, masscan, p0f, Angry IP Scanner, and hping3 as a couple of examples.

4. Networking Models

In general, networking models are an academic exercise, but they do serve one purpose while learning; a complete understanding of the interchange of information between computers. The Department of Defense (DoD) model is the most useful in my opinion. It has four layers (Network Access Layer, Internet Layer, Host-to-Host Layer, and Application Layer). The first layer (Network Access) takes into account the physical exchange of information across wires or via a wireless medium along with the transition from physical to virtual information. The next layer (Internet) is what connects computers together across the internet. The IP protocol is most commonly used nowadays and in order to use the IP protocol, IP addresses are assigned to each computer and routers are used to send information from one network to a new network based on IP addresses. The third layer (Host-to-Host) is about which language is used by each computer to communicate. There are two main options (TCP and UDP) and they can be likened to a civil conversation and a stock market trading floor. TCP is session-oriented and has reliable transmission so information is communicated effectively and completely at the expense of speed. UDP is almost the exact opposite, it yells things across the internet hoping the correct computer hears it and responds appropriately. Lastly, we have the application layer. This is where HTTP traffic, FTP traffic, SMB traffic, and all other types of application send data over TCP or UDP over IP (mostly) over wired or wireless mediums from one computer to another. Even if you don't understand the deep technical details of how each layer works, you should be familiar with how these work in general because in order to exploit (offensive) and prevent exploits (defensive) you need to understand how the information is communicated.

3. Programming from Assembly to Python

Programming is SO incredibly important! I cannot stress this enough. How are operating systems made? by programming. How are programs/software made? by programming. How are exploits made and used? by programming. Nowadays there are so many different ways to learn how to program from free online classes to free Android/iOS apps to youtube videos. In fact, here you go! I recommend learning the basics in a high-level language such as PHP, Java, or C#. Once you have mastered one of those languages move to Python because you will be using this language A LOT. Once you've mastered Python drop down to C and assembly. You can spend the rest of your life mastering C and assembly plus, I think they are the least intuitive for people learning to become hackers. If you're already familiar with programming in general focus on Python, C, and assembly. The understanding of these languages are what separates a good hacker from a great hacker.

If you're a purist or traditionalist, you can certainly go backwards. Start at assembly and understand what an Op Code is and what it does, you'll learn about registers and memory addresses and you can certainly expect your head to hurt afterwards, but everything you learn afterwards is just an abstraction on top of assembly. After assembly, you will learn to appreciate what C can do for you and if it can't do something you need, you can always force assembly upon it! Python will allow you to script things out instead of writing a program and compiling it every time. Use python to augment and script your C and assembly work.

Full disclosure: I did not recommend every program language that you could use and yes, these are the languages that I am personally biased towards. You could learn Ruby, you could learn Perl, you could learn C++ or ,Net or any other. Each have their benefits and you should be familiar with all of them, but you will end up enjoying a select few languages based on personal preferences.

2. Information Gathering

Even though this is the first step in the hacking methodology, it makes number 2 on our list and you'll see why. This step is so critically important because the more information you can gather the more likely you are to accomplish your goals. You need to find domains, IP addresses, email addresses, physical locations, what services they provide, what services the don't provide, can you exploit them technically, socially, or physically? After gathering all this information, the actual hacking becomes laying down one train track after another to connect yourself straight into your target. Lots of people skip this step (including myself sometimes) and later when the individual finally exploits their target, it's as a result of additional information gathering. You can never have too much information especially in this day and age where computers can store and process most of it for you. DO NOT SKIP THIS STEP.

1. Curiosity

The single best skill a hacker can have is curiosity. The insatiable desire to learn about the way something works. This is how hackers find zero-day exploits: they know your product better than you do. They learn about your product, study your product, use your product and then exploit your product. This curiosity does not stop at just exploitation. It also extends to offensive, if you're on defense and defense, if you're on offense. The only way to beat the adversary is to understand the adversary better than they understand themselves. If you're on defense you understand how an attacker tries to exploit systems and you harden them. If you're on offense, you understand how defense hardens systems and work around those patches, configurations, and hardening strategies. I would further posit that a true hacker is curious about all things and not simply what he or she knows best. Some of the best findings over the years have come from the intersection of previously unrelated notions, ideas, and fields of study. This skill must be mastered above all else. Be curious and if you're not curious about something, be curious about why you're not curious.

These are the 5 fundamentals every hacker should master, offensive or defensive. Take these to heart and use them to better yourself.

-Hack Responsibly, Hack Professionally.

Saturday, January 14, 2017

Hackday: Albania Walkthrough

Here we are for a walkthrough of the Hackday: Albania and after booting it up in VirtualBox, I ran an NMAP scan that listed only port 22 open and a web server on port 8008. So when we browse to the webserver we are greeted with Mr. Robot...

I have no idea which language that is or what is says so throwing it in google translate gives us: "If I am, I know where to go," and it is in Albanian. Cool.

So, I check the source and there is a comment and I throw that into google translate as well, "Ok, Ok, but not here." Ok, the website is trolling me, ass. So I don't see anything useful from the source so I use dirbuster to see if there is anything else on this server. So, something came back a /js/ directory so I navigated to the page and found this...

The translation is loosely, "Is it right or is directory jerk." So, since /js/ is a directory, I decide to recurse on the /js/ directory with dirbuster and I find /js/external, /js/images/. /js/external has a directory /jquery/ which contains jquery.js and seems to be the external version of the jquery.js file if needed. /js/images has a list of icon sets in different colors. Could be something, but i'm not sure at this point. At this point, I'm kind of stuck so I decide to use another scanner, Nikto, and holy crap things appeared! Why? robots.txt. So I pulled it up on the web server...

A bunch of directories have been disallowed by the robots.txt file, however none of them are trivial to manually type, so I want to find a tool to that will scan these for me. I tried dirbuster and ZAP, but none seemed to do searches based off the robots.txt file. So, I google around and found wfuzz which seemed to do the trick. I had never used wfuzz before, so I fumbled through the usage and eventually saw this on the help file...

Which seemed to be exactly what I wanted (side note: I used wget to get a local copy of the robots.txt file and locally named it robots.txt). Then the results were...

This result is weird, so let's look at it. We found a new page!

So I navigated to /uni.../vulnbank and I see there is a client folder in the vulnbank folder. Again, I follow the path and end up at 'Very Secure Bank' client portal. Looks like some SQL injection is next. After trying some naive attempts at SQL injection, I decided that sqlmap would do this faster and better! Soooo here we go...sqlmap didn't give us great results, but username is vulnerable and it did get us the information that the back end database is MySQL. A good thing to know is that MySQL uses '#' as comments instead of '--' like I was using previously. So, I tried some more naive SQL injection attempts. Nothing worked. COME ON!

Since the username is vulnerable, I figured I'd try and brute force the username with "'#" (single quote, poundsign) appended to the end to trigger the SQL injection vulnerability. I searched kali and google for a good list of usernames and tried some to no avail. Finally, I resorted to the ol' faithful rockyou.txt. It worked. It found jeff and hobson as two users. So I tried both of their usernames appended with '# and they worked!

Ok, there is a submission form on the right side, let's submit a test case and see what happens. Once we submit a test case, we see the message "After we got hacked we our allowing only image files to upload such as jpg, jpeg, bmp etc...". I didn't try and upload an image yet, but obviously I need to try! I'm going to see if I can use the php shell in a jpg trick to get RCE.

AAAAnd boom! Meterpreter shell.

 Now that we have a shell, let's do some recon and escalate privs. First, I like to cat /etc/passwd and look for users...

So we found 'taviso', I decided to also check which groups he is in (meterpreter shell is not very stable but easily obtainable just by refreshing the ticket page in the web app) so I copied it to my local machine and I see the following...

He's in the sudo group! Awesome! So, continuing my reconnaissance, I realized I overlooked something about the /etc/passwd's world writable. what.

Well, that makes everything much easier then. I decided to add my own root user.

 First, I created a was 'password' as you can see. Next, I created the new user 'fabio'.

Since the file was editable, I simply said 'fabio' had a UID of 0 and a GID of 0, which means root privs!

Lastly, all I had to do was switch users to fabio...

This included getting TTY using python3 on the system. Now that I have root privs, let's finish this challenge.

There we go. I hope this helped you out! I realize there are many walkthroughs for this challenge and I hope mine gave you something you might not have received elsewhere while you were learning from this challenge. Full Disclosure: I had issues with meterpreter and getting running the 'shell' command inside of meterpreter because the VM had run out of memory. If you find you're running into a similar issue, try restarting the VM and it should fix that issue.

-Hack Responsibly. Hack Professionally.

Monday, November 21, 2016

Over 1000 Page Views!

This is neither a professional development nor a security related post. I would like to thank everyone that has visited my blog and has benefited from my contributions to the infosec community! I am so excited that my blog has finally reached over 1000 lifetime page views and here is to the next 1000 page views! -Hack Responsibly, Hack Professionally

Vulnhub - SkyDogCon CTF 2016 Walkthrough

Welcome back, here's my walkthrough of the SkyDogCon CTF 2016 as posted on Vulnhub. My thoughts and comments are my own and do not represent anyone else's unless explicitly stated. So, without further ado, let's begin.

Of course, we start out with an nmap scan and get some decent results.

Now, let's check out the web server.

Looks pretty cool, one comment jumped out to me so I made note of it and decided to continue on with fuzzing web directories using dirbuster. I found a forbidden directory called /personnel and it accused me of not coming from an FBI workstation...the nerve...

Nikto didn't return anything useful so, let's check out this comment with a suspicious directory. This looks like a lot of javascript gibberish, but at the very top is a series of letters and numbers. none of the letters are bigger than f so this may be hexadecimal. So, I decode it and it's the first flag!

At this point, I have no other leads to go on for the next flag so, I decide to start investigation the suspicious port I found on my nmap scan. So I connect with ssh and boom! The next flag.

So let's see if we can't crack these two md5 hashes because otherwise I'm not sure what else to do at the moment. The first hash is the hash of the word 'nmap' how convenient, and the second hash is the word 'encrypt'. So I try it as the password and it fails. I then try it as the password for user 'frank' and it fails again. What the hell does 'encrypt' mean? I decided to re-assess every piece of information I had. Port 22 is is closed according to nmap. Port 80 is open and has a webserver. Port SSL...encrypted! I start immediately going through the webserver. The code is the exact same, so what should I be looking for? What makes SSL encrypted? Well, the encryption keys are stored in private keys and the private key isn't going to be available so the public key must be available and the public key is stored in a certificate! So I pulled up the certificate and holy crap, of course, there is the third flag.

After cracking the third flag it says personnel..HEY! We already found that page! So I pull up the personnel page again and reinvestigate it. Nothing on the source code. No cookies are being stored. It must have to do with my IP address, but i'm not sure what is considered an 'FBI' workstation. Man, how many times do I have to feel like I don't have enough information!

At this point I start clicking through every page I know about searching for 'FBI' and something comes up in the html5.js for temporary support for IE4 Workstations. It's odd that it's specifically IE4, could it be filtering on User-agent string? Let's try. So I found a IE4 user-agent string and added a browser extension to change my user-agent and up came a very different page...

 And if you look near the bottom, we get a flag! There is also a clue, "Clue = new+flag". We crack the flag and it's 'evidence'. Ok, i need evidence of whatever 'new evidence' is. So, looking through the webpage, there are certain numbers that are made bold, 'six, one, 7, 4, 6, 8'. Could this be new evidence? A directory doesn't exist with those numbers, let's try using the clue newevidence. Sure enough, I get a authentication required prompt. So I try hanratty:617468. Fail. I spell out the first two numbers. Fail. So, thinking back to doug.perterson from the html5.js, I don't know "Agent Hanratty's" first name, so I google 'hanratty'. At first I see some James Hanratty stuff, but as I scroll down I see 'hanratty catch me if you can'. Seriously? This is some obscure movie reference?? (I personally hate obscure movie references in CTFs because I have seen almost NO popular movies, my fault, still annoying). Things are making more sense now, I've seen the name Frank Abagnale and FBI and I learn that Agent Hanratty's name is Carl. So the username is probably carl.hanratty. I try this with the numbers still to no avail. Come ooonnnnn.

Now that I know this CTF is based on the movie and the flag name mentions dialogue, I decided to try and make a password list from the script. So I used cewl (which I have a post about on here as well to generate a list and decided to use that list with Burp Suite to attempt to brute force the login. This will take a good long while because of the degradation in service that Burp Suite provides as a feature for the free version.

I had to test the original list and I added all lowercase, all uppercase, and first letter capitalized to finally find the password, "Grace".

The fifth flag is "panam". There are two more links on this page. One shows an image and the other shows a pdf. The image is a picture of a river and a beach with some people, some houses and a small castle in the background. I downloaded it and ran exiftool against it, but nothing interesting came up. The pdf is an invoice from Hetzl and Associates for "Encryption Consultation Project" done for Agent Earl Amdursky of the FBI and some guy named Stefan Hetzl actually did the work. So after searching for "Stefan Hetzl encryption" on google, the tool StegHide comes up. *Lightbulb* the picture we downloaded has an embedded message with StegHide.

As you can see in the picture, I had to download steghide (apt-get install steghide) and then followed the man page to successfully extract the image. The passphrase was the previous flag "panam", makes sense in the context of this CTF. Interestingly enough, the flag is decrypted for us here and it says "ILoveFrance". This looks like a password to me, so i'm going to keep that in mind going forward. There is also a clue "iheartbrenda" all lowercase. Possibly a directory? Nope, not a directory. Neither is "ILoveFrance".

Ok, so, we now have what looks like a password or maybe two (because we know they're not directories) and the flag title references 'the fastest man alive'. Luckily, i know that's a reference to The Flash (comic book character knowledge ftw) and I decided to go through the script looking for 'fastest man alive' and nothing. So I googled 'fastest man alive the flash' and then it hit me, barry allen, his pseudonym. So I checked the script for 'barry allen'. Again nothing! So, back to the google AGAIN. I searched 'barry allen catch me if you can' and there were numerous references to the movie and Carl is convinced that Frank is named Barry Allen. Could this be a username and could we have a password for the SSH connection we've been waiting for???

I tried a few combinations of Barry Allen (barry, barry.allen, barryallen) (of course the last one worked) and the password was 'iheartbrenda' instead of the 'ILoveFrance'. Works for me!

The 7th flag is in the home directory as flag.txt and the md5 is 'theflash'.

So, there is also a file in the home directory. After running file on we can see it's a zip archive so, I scp it to my kali box to analyze it further. I am able to unzip and expand it, but now running file on it, it just says it's data. Next, I run strings on it and there seem to be a lot of Windows API calls. As I scroll through the output of strings I see well known outputs from the windows cmd.exe prompt and I realize the file is 1 GB in size and has a lot of windows functionality; this is probably a windows image!

I'm not great with volatility, but I decide to try my luck and use it to open up this potential windows image. First I run the imageinfo plugin and confirm that it is indeed a windows image. Then I run screenshot and I just barely see something in one of the pictures, it has 'code.txt' open in notepad and a cmd.exe prompt behind it.

So I immediately start looking for this code.txt and processes with cmd.exe. I found the processes, but I found something better quickly after! There is a notepad plugin for volatility that displays the text from a notepad.exe currently running. It's a series of hex values as you can see below:

xxd wasn't giving me all of the answer, but I knew the answer HAD to be in there so I tried a different hex convertor and sure enough, it prints out the last flag,

I would like to thank the author James Bower for creating this awesome CTF and anyone who helped him. I would also like to thank for hosting this. I hope you enjoy this walkthrough. -Hack Responsibly, Hack Professionally.