Sunday, January 15, 2017

5 Fundamentals Every Hacker Must Master

Welcome to the new year! 2017 = 0x7E1 = 0111 1110 0001, just in case you were curious. So today, I wanted to discuss 5 fundamental skills that every hacker should master. I use the term hacker loosely because these apply to both offensive and defensive experts alike. I'm going to count down in reverse order, ready?

5. Port Scanning

This is the bread-and-butter of compromising a computer. After you have completed your information gathering phase and determined which computers are 'in-scope' for your purposes then you need to figure out where the weak points of the computer are. Hint: it's the open ports. Ports can tell us so much about the computer we may not have gathered during the previous phase like, which operating system is running? which services are running? and sometimes tell us the overall use of that specific computer (Mail server, DNS server, employee desktop, etc.). Being able to scan ports effectively, quickly, and quietly is the BEST way to attack a computer. On the defensive side, making sure only the services you need running are running, making sure the services are up-to-date including patches if previous vulnerabilities were discovered, and being able to detect network scanning is paramount for the defense. NMAP is the big name in port scanning, but you should become familiar with other port scanning tools such as unicornscan, masscan, p0f, Angry IP Scanner, and hping3 as a couple of examples.

4. Networking Models

In general, networking models are an academic exercise, but they do serve one purpose while learning; a complete understanding of the interchange of information between computers. The Department of Defense (DoD) model is the most useful in my opinion. It has four layers (Network Access Layer, Internet Layer, Host-to-Host Layer, and Application Layer). The first layer (Network Access) takes into account the physical exchange of information across wires or via a wireless medium along with the transition from physical to virtual information. The next layer (Internet) is what connects computers together across the internet. The IP protocol is most commonly used nowadays and in order to use the IP protocol, IP addresses are assigned to each computer and routers are used to send information from one network to a new network based on IP addresses. The third layer (Host-to-Host) is about which language is used by each computer to communicate. There are two main options (TCP and UDP) and they can be likened to a civil conversation and a stock market trading floor. TCP is session-oriented and has reliable transmission so information is communicated effectively and completely at the expense of speed. UDP is almost the exact opposite, it yells things across the internet hoping the correct computer hears it and responds appropriately. Lastly, we have the application layer. This is where HTTP traffic, FTP traffic, SMB traffic, and all other types of application send data over TCP or UDP over IP (mostly) over wired or wireless mediums from one computer to another. Even if you don't understand the deep technical details of how each layer works, you should be familiar with how these work in general because in order to exploit (offensive) and prevent exploits (defensive) you need to understand how the information is communicated.

3. Programming from Assembly to Python

Programming is SO incredibly important! I cannot stress this enough. How are operating systems made? by programming. How are programs/software made? by programming. How are exploits made and used? by programming. Nowadays there are so many different ways to learn how to program from free online classes to free Android/iOS apps to youtube videos. In fact, here you go! I recommend learning the basics in a high-level language such as PHP, Java, or C#. Once you have mastered one of those languages move to Python because you will be using this language A LOT. Once you've mastered Python drop down to C and assembly. You can spend the rest of your life mastering C and assembly plus, I think they are the least intuitive for people learning to become hackers. If you're already familiar with programming in general focus on Python, C, and assembly. The understanding of these languages are what separates a good hacker from a great hacker.

If you're a purist or traditionalist, you can certainly go backwards. Start at assembly and understand what an Op Code is and what it does, you'll learn about registers and memory addresses and you can certainly expect your head to hurt afterwards, but everything you learn afterwards is just an abstraction on top of assembly. After assembly, you will learn to appreciate what C can do for you and if it can't do something you need, you can always force assembly upon it! Python will allow you to script things out instead of writing a program and compiling it every time. Use python to augment and script your C and assembly work.

Full disclosure: I did not recommend every program language that you could use and yes, these are the languages that I am personally biased towards. You could learn Ruby, you could learn Perl, you could learn C++ or ,Net or any other. Each have their benefits and you should be familiar with all of them, but you will end up enjoying a select few languages based on personal preferences.

2. Information Gathering

Even though this is the first step in the hacking methodology, it makes number 2 on our list and you'll see why. This step is so critically important because the more information you can gather the more likely you are to accomplish your goals. You need to find domains, IP addresses, email addresses, physical locations, what services they provide, what services the don't provide, can you exploit them technically, socially, or physically? After gathering all this information, the actual hacking becomes laying down one train track after another to connect yourself straight into your target. Lots of people skip this step (including myself sometimes) and later when the individual finally exploits their target, it's as a result of additional information gathering. You can never have too much information especially in this day and age where computers can store and process most of it for you. DO NOT SKIP THIS STEP.

1. Curiosity

The single best skill a hacker can have is curiosity. The insatiable desire to learn about the way something works. This is how hackers find zero-day exploits: they know your product better than you do. They learn about your product, study your product, use your product and then exploit your product. This curiosity does not stop at just exploitation. It also extends to offensive, if you're on defense and defense, if you're on offense. The only way to beat the adversary is to understand the adversary better than they understand themselves. If you're on defense you understand how an attacker tries to exploit systems and you harden them. If you're on offense, you understand how defense hardens systems and work around those patches, configurations, and hardening strategies. I would further posit that a true hacker is curious about all things and not simply what he or she knows best. Some of the best findings over the years have come from the intersection of previously unrelated notions, ideas, and fields of study. This skill must be mastered above all else. Be curious and if you're not curious about something, be curious about why you're not curious.

These are the 5 fundamentals every hacker should master, offensive or defensive. Take these to heart and use them to better yourself.

-Hack Responsibly, Hack Professionally.

Saturday, January 14, 2017

Hackday: Albania Walkthrough

Here we are for a walkthrough of the Hackday: Albania and after booting it up in VirtualBox, I ran an NMAP scan that listed only port 22 open and a web server on port 8008. So when we browse to the webserver we are greeted with Mr. Robot...

I have no idea which language that is or what is says so throwing it in google translate gives us: "If I am, I know where to go," and it is in Albanian. Cool.

So, I check the source and there is a comment and I throw that into google translate as well, "Ok, Ok, but not here." Ok, the website is trolling me, ass. So I don't see anything useful from the source so I use dirbuster to see if there is anything else on this server. So, something came back a /js/ directory so I navigated to the page and found this...

The translation is loosely, "Is it right or is directory jerk." So, since /js/ is a directory, I decide to recurse on the /js/ directory with dirbuster and I find /js/external, /js/images/. /js/external has a directory /jquery/ which contains jquery.js and seems to be the external version of the jquery.js file if needed. /js/images has a list of icon sets in different colors. Could be something, but i'm not sure at this point. At this point, I'm kind of stuck so I decide to use another scanner, Nikto, and holy crap things appeared! Why? robots.txt. So I pulled it up on the web server...

A bunch of directories have been disallowed by the robots.txt file, however none of them are trivial to manually type, so I want to find a tool to that will scan these for me. I tried dirbuster and ZAP, but none seemed to do searches based off the robots.txt file. So, I google around and found wfuzz which seemed to do the trick. I had never used wfuzz before, so I fumbled through the usage and eventually saw this on the help file...

Which seemed to be exactly what I wanted (side note: I used wget to get a local copy of the robots.txt file and locally named it robots.txt). Then the results were...

This result is weird, so let's look at it. We found a new page!

So I navigated to /uni.../vulnbank and I see there is a client folder in the vulnbank folder. Again, I follow the path and end up at 'Very Secure Bank' client portal. Looks like some SQL injection is next. After trying some naive attempts at SQL injection, I decided that sqlmap would do this faster and better! Soooo here we go...sqlmap didn't give us great results, but username is vulnerable and it did get us the information that the back end database is MySQL. A good thing to know is that MySQL uses '#' as comments instead of '--' like I was using previously. So, I tried some more naive SQL injection attempts. Nothing worked. COME ON!

Since the username is vulnerable, I figured I'd try and brute force the username with "'#" (single quote, poundsign) appended to the end to trigger the SQL injection vulnerability. I searched kali and google for a good list of usernames and tried some to no avail. Finally, I resorted to the ol' faithful rockyou.txt. It worked. It found jeff and hobson as two users. So I tried both of their usernames appended with '# and they worked!

Ok, there is a submission form on the right side, let's submit a test case and see what happens. Once we submit a test case, we see the message "After we got hacked we our allowing only image files to upload such as jpg, jpeg, bmp etc...". I didn't try and upload an image yet, but obviously I need to try! I'm going to see if I can use the php shell in a jpg trick to get RCE.

AAAAnd boom! Meterpreter shell.

 Now that we have a shell, let's do some recon and escalate privs. First, I like to cat /etc/passwd and look for users...

So we found 'taviso', I decided to also check which groups he is in (meterpreter shell is not very stable but easily obtainable just by refreshing the ticket page in the web app) so I copied it to my local machine and I see the following...

He's in the sudo group! Awesome! So, continuing my reconnaissance, I realized I overlooked something about the /etc/passwd's world writable. what.

Well, that makes everything much easier then. I decided to add my own root user.

 First, I created a was 'password' as you can see. Next, I created the new user 'fabio'.

Since the file was editable, I simply said 'fabio' had a UID of 0 and a GID of 0, which means root privs!

Lastly, all I had to do was switch users to fabio...

This included getting TTY using python3 on the system. Now that I have root privs, let's finish this challenge.

There we go. I hope this helped you out! I realize there are many walkthroughs for this challenge and I hope mine gave you something you might not have received elsewhere while you were learning from this challenge. Full Disclosure: I had issues with meterpreter and getting running the 'shell' command inside of meterpreter because the VM had run out of memory. If you find you're running into a similar issue, try restarting the VM and it should fix that issue.

-Hack Responsibly. Hack Professionally.