Writeup – HTB – Bashed

Now this was a fun change from the last one, and marks box #6 in my OSCP Prep. I had done this box some months ago and it was fun to play with again and re-remember how to do it.

Here’s the nmap scan:

Sweet! Only one port! Should be easy, right?

Browsing, we get a blog, and it mentions a php bash shell that arrexel developed on this very server! That has to be promising!

Kicking off a dirsearch, we indeed find some interesting directories.

A dev folder certainly looks promising!

And now we have a shell.

We quickly see that we can run commands as the user ‘scriptmanager’ with no password, and we can browse around. www-user is enough to get us into arrexel’s directory and find the user flag.

But how to get the pesky root flag? Well, let’s see what the scriptmanager user can do.

What’s that folder down there?

Of particular interest is this scripts folder in the root of the server. Looking inside the directory we find a test.py and a test.txt. Don’t forget to look in the directory as scriptmanager, otherwise you won’t be able to see anything.

test.txt is only writable by root…
Here’s test.py

All the test.py script does is write to test.txt. But as you can see above, it must be doing so with root permissions, as test.txt is only writable by root. It’s trivial to modify the python script to get the contents of root.txt and write them out for us.

Now just wait for the cron job to run the script, and poof, you’ve got your root flag!
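The root cause on Bashed is a root cron job executing a script that a lower-privileged account owns. The audit below is an added example (not code from the writeup): it parses system-crontab lines, resolves the script each root job runs, and flags any file or parent directory on that path that a non-root user can change. The crontab lines and file tree are constructed samples; /scripts, test.py and the scriptmanager account come from the writeup, while uid 1001 for scriptmanager and the rotate-logs.sh job are assumed. Passing `SAMPLE_TREE.get` as the lookup keeps it offline; the default `real_stat` checks the live filesystem.

```python
"""Audit cron entries for scripts that a non-root user can modify.

Added defensive example, not code from the original writeup.  It flags the
pattern used on Bashed: a root cron job runs /scripts/test.py, but the
script (or a directory on its path) belongs to a less-privileged account,
so whoever controls that account controls root.  Crontab lines and file
metadata below are constructed; /scripts and 'scriptmanager' come from the
writeup, uid 1001 for scriptmanager is assumed.
"""
import os
import shlex
import stat
from typing import Callable, Dict, List, Optional, Tuple

# A lookup returns (owner_uid, st_mode) for a path, or None if it does not exist.
StatFn = Callable[[str], Optional[Tuple[int, int]]]


def real_stat(path: str) -> Optional[Tuple[int, int]]:
    """Lookup against the live filesystem (used when no sample tree is given)."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, st.st_mode


def command_path(line: str) -> Optional[Tuple[str, str]]:
    """Return (cron_user, script_path) for a system-crontab line, else None.

    Understands the /etc/crontab layout (five time fields, user, command),
    @reboot-style lines (one field, user, command), a leading 'cd DIR &&',
    and interpreter invocations such as 'python test.py', where the script
    is the interpreter's first argument.
    """
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None  # blank, comment, or a VAR=value setting
    fields = line.split()
    n_time = 1 if fields[0].startswith("@") else 5
    if len(fields) < n_time + 2:
        return None
    user = fields[n_time]
    try:
        argv = shlex.split(" ".join(fields[n_time + 1:]))
    except ValueError:
        return None  # unbalanced quotes
    cwd = "/"
    if argv[:1] == ["cd"] and "&&" in argv:
        cwd, argv = argv[1], argv[argv.index("&&") + 1:]
    if not argv:
        return None
    interpreters = {"python", "python2", "python3", "sh", "bash", "perl"}
    prog = argv[0]
    if os.path.basename(prog) in interpreters and len(argv) > 1:
        prog = argv[1]
    return user, os.path.normpath(os.path.join(cwd, prog))


def writable_by_non_root(path: str, lookup: StatFn) -> List[str]:
    """List the reasons a non-root user could change what `path` executes.

    The file and every parent directory are checked: a writable parent lets
    someone replace the file even when the file itself is root-only.
    """
    reasons = []
    chain = [path]
    while os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    for p in chain:
        info = lookup(p)
        if info is None:
            reasons.append(f"{p}: missing (dangling cron target)")
            continue
        uid, mode = info
        if uid != 0:
            reasons.append(f"{p}: owned by uid {uid}, not root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append(f"{p}: group/other writable (mode {stat.S_IMODE(mode):04o})")
    return reasons


def audit_crontab(lines: List[str], lookup: StatFn = real_stat) -> Dict[str, List[str]]:
    """Map each root-run cron target to its findings (empty list means clean)."""
    findings = {}
    for line in lines:
        parsed = command_path(line)
        if parsed is None:
            continue
        user, prog = parsed
        if user == "root":  # only root-run jobs cross a privilege boundary
            findings[prog] = writable_by_non_root(prog, lookup)
    return findings


# Constructed sample mirroring the Bashed layout.
SAMPLE_CRONTAB = [
    "SHELL=/bin/sh",
    "# m h dom mon dow user  command",
    "* * * * * root python /scripts/test.py",
    "0 * * * * root /usr/local/sbin/rotate-logs.sh",
]
SAMPLE_TREE = {
    "/": (0, stat.S_IFDIR | 0o755),
    "/scripts": (1001, stat.S_IFDIR | 0o755),          # owned by scriptmanager
    "/scripts/test.py": (1001, stat.S_IFREG | 0o644),  # so is the script
    "/usr": (0, stat.S_IFDIR | 0o755),
    "/usr/local": (0, stat.S_IFDIR | 0o755),
    "/usr/local/sbin": (0, stat.S_IFDIR | 0o755),
    "/usr/local/sbin/rotate-logs.sh": (0, stat.S_IFREG | 0o755),
}

if __name__ == "__main__":
    for target, reasons in audit_crontab(SAMPLE_CRONTAB, SAMPLE_TREE.get).items():
        print(f"[{'RISK' if reasons else 'ok'}] {target}")
        for r in reasons:
            print("    " + r)
```

The fix the audit points at is the usual one: root-run scripts live in a root-owned, non-writable directory, or the job runs as the user who owns the script.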

Easy day!

This was a fun box. I look forward to moving on to more! Video to follow shortly!

Writeup – HTB – Shocker

As the name would suggest, I learned about a vulnerability called Shellshock doing this one. First things first, kick off an AutoRecon and let’s take a look at the full nmap scan.

Only two ports. Should be easy, right?

Only port 80 and an SSH server running on a non-standard port. Let’s get after port 80.

Browsing to the page, we don’t see anything exciting in the source, no robots.txt, nothing there. So let’s see what else we can find with dirsearch. If you don’t have dirsearch, definitely get it. It’s a multithreaded alternative to dirb, DirBuster and gobuster, and it runs great.

Not much here.

Looking at this output, we have a couple of directories. Maybe the cgi-bin has some scripts, so let’s run dirsearch again with some other extensions like .sh.

BINGO!

We found a .sh script inside of the cgi-bin on this server. Read more about this vulnerability here: https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29. Then get msfconsole up and running. Once you type ‘search shellshock’, you’ll want to use exploit/multi/http/apache_mod_cgi_bash_env_exec, as a bash CGI script behind Apache is exactly what we’re dealing with here.

Make sure to adjust your settings. Set LHOST to your own IP address, and change TARGETURI to the /cgi-bin/user.sh script we located. Additionally, set RHOSTS to the IP address of the Shocker VM in HackTheBox. Then try the exploit!

Options for ShellShock, minus LHOST
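From the other side of the wire, the module above leaves a recognisable trace: the bash function header `() {` inside a request header, aimed at something under /cgi-bin/. The detector below is an added example (not code from the writeup or from Metasploit) that parses Apache combined-format log lines and reports requests carrying that signature in the Referer or User-Agent, marking whether the target was a CGI path. The log lines are constructed samples; /cgi-bin/user.sh is the script from the writeup, the IP addresses and timestamps are made up.

```python
"""Spot Shellshock probes in Apache access logs.

Added defensive example, not code from the writeup.  The Metasploit module
the writeup uses (apache_mod_cgi_bash_env_exec) works because mod_cgi copies
request headers into environment variables and an unpatched bash executes a
function definition, "() {", found in any of them.  The combined log format
records two of those headers, Referer and User-Agent, so the probes show up
in the access log.  The log lines below are constructed; /cgi-bin/user.sh
is the script from the writeup.
"""
import re
from typing import Dict, List, Optional

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent".
# Values containing escaped quotes (\") are not handled by this simplified pattern.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# The signature is an empty bash function header; spacing varies between probes.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def shellshock_findings(lines: List[str]) -> List[dict]:
    """One finding per request whose Referer or User-Agent carries the signature."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        parts = rec["request"].split(" ")
        path = parts[1] if len(parts) > 1 else rec["request"]
        for header in ("referer", "agent"):
            if SHELLSHOCK_RE.search(rec[header]):
                findings.append({
                    "ip": rec["ip"],
                    "path": path,
                    "header": header,
                    "value": rec[header],
                    # Only a CGI target turns the probe into execution on an
                    # unpatched host, but the probe itself is worth alerting on.
                    "cgi_target": path.startswith("/cgi-bin/"),
                })
    return findings


# Constructed sample log: one benign hit, two probes, one benign agent with braces.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jun/2020:10:00:07 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo vulnerable"',
    '10.0.0.9 - - [01/Jun/2020:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 137 "() {:;}; id" "curl/7.68.0"',
    '10.0.0.5 - - [01/Jun/2020:10:00:12 +0000] "GET /app.js HTTP/1.1" 200 90 "-" "Mozilla/5.0 (X11; Linux) {compat}"',
]

if __name__ == "__main__":
    for f in shellshock_findings(SAMPLE_LOG):
        flag = "CGI TARGET" if f["cgi_target"] else "probe"
        print(f"{f['ip']} {f['path']} via {f['header']}: {f['value']!r} [{flag}]")
```

Only Referer and User-Agent reach the access log; a probe in Cookie or a custom header needs a WAF or mod_security rule on the same `() {` pattern, and the real fix is a patched bash.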

If all goes according to plan, we get a nice meterpreter session, like below:

Once here, drop into a shell with the ‘shell’ command, and poke around to find that user flag. Additionally, drop a sudo -l to see what our permissions are.

A few things from that picture above. You see how we don’t have a prompt? That doesn’t affect us on this box, but it will on future VMs. Also, we see the user flag in shelly’s home directory, which is easy to submit at this point. Finally, we see that shelly can run /usr/bin/perl with no password. Browse out to GTFOBins, at https://gtfobins.github.io/gtfobins/perl/ , and look at the sudo section.

Easy day to root!

And that makes short work of Shocker! As always, I’ll record a video walkthrough of this as well. Please consider subscribing to me on YouTube, and thanks for catching this walkthrough!

Writeup – HTB – Mirai

After adding this to my hosts file, I kicked off my AutoRecon and let it rip while I grabbed a drink. As the full nmap scan finished, we see ports 22, 53, 80, 1615, 32400, and 32469 open.

Oh boy! Plex!

OpenSSH 6.7p1 is a pretty new version, so no real exploits there. The next step in enumeration is to start looking up the versions of the software on each port and see what we can find.

There’s a series of exploits available for dnsmasq 2.76, but none look like they’ll allow for Remote Code Execution, so on we go!

No luck with port 53? We shall see.

Browsing to port 80 on the web server we find that we are blocked by Pi-hole. Pi-hole is a DNS-based ad blocker that commonly runs on Raspberry Pis.

Blocked, but good info! It’s a Pi-hole!

Doing a search for Raspberry Pi default credentials lets us find credentials of pi:raspberry. This works for ssh!

And we’re in!

It’s always great when you see (ALL : ALL) ALL, and (ALL) NOPASSWD: ALL. Quickly do a ‘sudo su’, and we’re root. Now to find some flags!

user.txt on the Desktop!

One down, looking for the root flag though proves a little trickier!

How do I find a USB stick on Linux?

After some googling on how to mount a USB stick on Linux, I checked the /media folder. Inside was a usbstick folder! Could it be too good to be true?

Yes – yes, it could be too good to be true.

However, if you go to /dev and cat sdb, which is the second disk device, you can filter through the wreckage and find the flag!

Obfuscated root flag above!

That’s all she wrote for this one! A bit trickier than my last boxes, but great teaching box! Thanks to HackTheBox!

Writeup – HTB – Blocky

Back to the hacking I go. Between the Masters program and three children all being home-schooled, it’s been a challenge for sure, but I’m back at it and happy to be doing it! This is a fun challenge to do as I work through the Linux boxes over at HackTheBox.

Initial full nmap from AutoRecon

First, we run AutoRecon, and we find three open ports: 21, 22, and 80. We also see what’s supposedly a Minecraft server on a high port. Looking at the versions for ports 21 and 22 we don’t see much. There is a File Copy exploit for vsFTPd 1.3.5, but it doesn’t suit us here as there’s nothing on the FTP server. So on to port 80!

Once AutoRecon finished with Gobuster, I popped open those results, and looked for anything out of place. There’s a few pages to look at here.

Snippet from gobuster

Of particular curiosity are /phpmyadmin and /plugins. Browsing to the plugins directory you’ll find some downloadable Java archive (.JAR) files. Let’s get into those.

Extracting “BlockyCore.jar” leads you to the file “BlockyCore.class” in the com/myfirstplugin folder. Looking up how to open a .CLASS file led me to install jd-gui and open the file with that. In doing so, you’ll find some awesome credentials to a SQL database!

Remember what we learned from Beep? Users hate unique passwords.
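You don’t need jd-gui to find this class of mistake: javac keeps string literals as plain UTF-8 in the class constant pool, so a secrets scan over the raw bytes of every .class in a JAR turns them up. The scanner below is an added example (not code from the writeup or from the Blocky plugin) that pulls printable runs out of each class member and flags JDBC URLs, credential-looking field names, and high-entropy constants, while skipping JVM internal names like java/lang/Object. The JAR it scans is built in memory: the class name and path come from the writeup, the field names, password value and JDBC URL inside are made up.

```python
"""Scan a JAR for hard-coded credentials without a decompiler.

Added defensive example, not code from the writeup or the Blocky plugin.
On Blocky the database user and password were string constants in
BlockyCore.class inside a JAR anyone could download.  javac stores such
constants as plain UTF-8 in the class constant pool, so pulling printable
runs out of every .class member and matching them against credential
patterns (field names, JDBC URLs, high-entropy values) finds them.  The
JAR below is built in memory: the class name and path come from the
writeup, everything inside it is made up.
"""
import io
import math
import re
import zipfile
from collections import Counter
from typing import Dict, List, Tuple

STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")          # printable ASCII runs
JDBC_RE = re.compile(r"^jdbc:[a-z]+://")
CRED_NAME_RE = re.compile(r"(?i)(pass(word)?|pwd|secret|token|api[_-]?key|user(name)?)")
JVM_INTERNAL_RE = re.compile(r"^[\w$/;()\[]+$")    # class names and method descriptors
ENTROPY_MIN_LEN, ENTROPY_THRESHOLD = 12, 3.6


def shannon_entropy(s: str) -> float:
    """Bits per character; a random 16-char string sits at 4, English words near 3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def strings_in(blob: bytes) -> List[str]:
    return [m.group().decode("ascii") for m in STRING_RE.finditer(blob)]


def classify(strings: List[str]) -> List[Tuple[str, str]]:
    """Pair each suspicious constant with the check that caught it."""
    hits = []
    for s in strings:
        if JDBC_RE.search(s):
            hits.append(("jdbc_url", s))
        elif "/" in s and JVM_INTERNAL_RE.match(s):
            continue  # java/lang/Object, (Ljava/lang/String;)V and friends
        elif CRED_NAME_RE.search(s):
            hits.append(("credential_name", s))
        elif len(s) >= ENTROPY_MIN_LEN and shannon_entropy(s) >= ENTROPY_THRESHOLD:
            hits.append(("high_entropy", s))
    return hits


def scan_jar(jar_bytes: bytes) -> Dict[str, List[Tuple[str, str]]]:
    """Map each .class member that has findings to its list of (check, string)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".class"):
                hits = classify(strings_in(z.read(name)))
                if hits:
                    report[name] = hits
    return report


def constructed_class_bytes() -> bytes:
    """Stand-in for BlockyCore.class: the class magic number, then UTF-8
    constants laid out like CONSTANT_Utf8 pool entries (tag 1, 2-byte
    length, bytes).  Not loadable by a JVM; only the string layout matters."""
    consts = [b"com/myfirstplugin/BlockyCore", b"java/lang/Object", b"sqlHost",
              b"localhost", b"sqlUser", b"root", b"sqlPass", b"Xk7pQ2mV9rTz4LwB",
              b"jdbc:mysql://localhost/blocky", b"onServerStart", b"()V"]
    pool = b"".join(b"\x01" + len(c).to_bytes(2, "big") + c for c in consts)
    return b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + pool


def build_constructed_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("com/myfirstplugin/BlockyCore.class", constructed_class_bytes())
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in scan_jar(build_constructed_jar()).items():
        print(member)
        for check, value in hits:
            print(f"    {check:16} {value}")
```

Run it against real JARs by reading the file into `scan_jar`; the entropy threshold is the knob that trades missed short passwords against noise from things like base64 resource names.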

However, trying to ssh into this machine with root / 8YsqfCTnvxAUeduzjNSXe22 doesn’t work. There must be more. Thinking about accessing SQL servers, there’s a web interface with phpmyadmin. Let’s check that out!

Sure enough, we can login with those credentials to phpmyadmin.

We’re in!

Looking around here, we see a WordPress database with a password hash. We also see a username, notch; both are in the wp_users table.

Maybe notch is a good username for the machine? Sure enough, using the same password we logged into phpmyadmin with and the user ‘notch’ gets us shell access!

We’re in!

First thing I always do is try running ‘sudo -l’, and in this case, we get some great news!

We can do -anything-!

Just run a quick ‘sudo su’ and you are now root!

I AM ROOT!
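Every box in this set ends the same way: `sudo -l` shows a rule that is already a root shell. The parser below is an added example (not code from the writeups) that reads `sudo -l` output and grades each rule: `ALL` as root with or without NOPASSWD is a full root shell (Mirai, Blocky), a NOPASSWD rule for an interpreter like /usr/bin/perl is one GTFOBins entry away from one (Shocker), and NOPASSWD ALL as another user is a lateral hop (Bashed). The `sudo -l` text is a constructed composite of those four rules; the hostname, the `pi` user line and the service-restart rule are assumed, and the shell-escape list is an illustrative subset of GTFOBins, not the full list.

```python
"""Grade the rules that `sudo -l` reports.

Added defensive example, not code from the writeups.  It parses the
`sudo -l` output format and labels each rule with what it is worth to
whoever holds the account: (ALL : ALL) ALL and (ALL) NOPASSWD: ALL as on
Mirai and Blocky, NOPASSWD /usr/bin/perl as on Shocker, NOPASSWD ALL as
scriptmanager as on Bashed.  The text below is a constructed composite of
those rules; the hostname and the 'pi' user line are assumed.
"""
import os
import re
from typing import Dict, List

# One rule line: "(runas_user[ : runas_group]) [TAG: ...] cmd, cmd".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")

# Illustrative subset of the binaries GTFOBins lists with a sudo shell
# escape (the writeup's perl among them); not the complete list.
SHELL_ESCAPES = {"perl", "python", "python3", "vim", "vi", "find", "awk",
                 "less", "more", "env", "bash", "sh", "nmap", "man"}


def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    """Extract the rule lines that follow 'User X may run the following commands'."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas = [p.strip() for p in m["runas"].split(":")]
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        rules.append({
            "runas_user": runas[0],
            "runas_group": runas[1] if len(runas) > 1 else None,
            "nopasswd": "NOPASSWD" in tags,
            "commands": [c.strip() for c in m["cmds"].split(",") if c.strip()],
        })
    return rules


def grade_rule(rule: Dict[str, object]) -> str:
    """One-line verdict: CRITICAL / HIGH / MEDIUM / REVIEW plus the reason."""
    target = rule["runas_user"]
    cmds = rule["commands"]
    as_root = target in ("ALL", "root")
    auth = "no password" if rule["nopasswd"] else "user's own password"
    if "ALL" in cmds:
        # Any command as root is a root shell; the password only matters if the
        # account's password is not already known (Mirai's was a default).
        return f"{'CRITICAL' if as_root else 'HIGH'}: any command as {target} ({auth})"
    escapes = [c for c in cmds if os.path.basename(c.split()[0]) in SHELL_ESCAPES]
    if escapes:
        return f"{'HIGH' if as_root else 'MEDIUM'}: {', '.join(escapes)} can spawn a shell as {target} ({auth})"
    return f"REVIEW: {', '.join(cmds)} as {target} ({auth})"


def audit_sudo_l(text: str) -> List[str]:
    return [grade_rule(r) for r in parse_sudo_l(text)]


# Constructed composite of the rules seen across the four boxes.
SAMPLE_SUDO_L = """\
Matching Defaults entries for pi on raspberrypi:
    env_reset, mail_badpass

User pi may run the following commands on raspberrypi:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
    (root) NOPASSWD: /usr/bin/perl
    (scriptmanager : scriptmanager) NOPASSWD: ALL
    (root) /usr/sbin/service apache2 restart
"""

if __name__ == "__main__":
    for verdict in audit_sudo_l(SAMPLE_SUDO_L):
        print(verdict)
```

Feed it the output of `sudo -l` from a fleet audit and anything above REVIEW is a rule to remove or narrow; a rule that must stay should name a single non-interpreter command with fixed arguments.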

Thanks to everyone for checking out my blog. Please also check out my video walkthroughs, and remember, users like to re-use passwords!

OSCP Preparation – Day 3

This will be Day 3 of my OSCP Preparation. The mind-map linked in the previous post is what I’m still working on, but I just want to first take a moment out of discussing purely hacking to talk about how humbled I am. Veteran Security concluded their board elections a little over a week ago, and on June 1st, 2020, I took over as the Board Chair for the company. It’s an amazing organization owned and run by veterans for veterans transitioning into cyber security. We have some pretty awesome things planned, but that’s nothing compared to what the group has already done for so many, myself included. More than simply providing resources and guides to transition, Veteran Security (VetSec, Inc.) provides a much-needed community – a place for veterans to discuss the issues that face our community and be there for one another.

Now then, Day 3 of OSCP. I have completed OverTheWire: Bandit through Level 23, and I have completed Wave 1 of the Zero to Hero blog for TryHackMe. Both platforms have been great for solidifying basic Linux command knowledge, establishing a solid methodology, and exposing me to many different vulnerabilities present in both Linux and Windows.

Much of what I’ve done has been walkthrough style so far. I anticipate that around next week (Day 10 of OSCP prep or so) I will move into the lists of machines provided by TJ-Null and start working on VulnHub and HackTheBox machines. This is where it’ll get real.

I continue to make videos for my YouTube Channel, like this walkthrough of LazyAdmin on TryHackMe, and I continue to stream daily. This has been a great way for me to reinforce the knowledge I’ve gained by doing the same box a couple times.

Anyways, if you like following and learning along with me, keep checking out my YouTube and my Twitch and I’ll see you there!