drsh0's llog

Jack – TryHackMe

December 1, 2020

https://tryhackme.com/room/jack

Summary

exploit Wordpress web server
gain user shell
use Python to escalate to root

Tools Used

nmap, wpscan, python, pspy

SANS Holiday Hack Challenge 2020

December 1, 2020

https://holidayhackchallenge.com/2020/

Updating this as soon as the event starts in mid-December 2020 🎄

User

port and version enumeration: nmap -sV -sC -oA traverxec.htb 10.10.10.165
We see that the http server being used is nostromo 1.9.6. This is a vulnerable service as seen by https://www.exploit-db.com/exploits/47573
We can run the metasploit module as per rapid7.
This gives a shell with www-data.
Running LinEnum.sh provides some interesting data, namely that we have a .htpasswd hash available.
This hash is a md5crypt hash. We will use john htpasswd --list=/usr/wordlist/rockyou.txt to crack this.
After cracking this hash, we need to find the http directory where we can use this password.
Browsing /home/david/public_www we can find a protected area. The password cracked earlier works!
Download the tar.gz file and extract using gunzip.
We have some ssh key backups. The most important file here is id_rsa.
Use ssh -i <key file> to try and connect to david@traverxec.htb.
We need a passphrase. Let's try using ssh2john and pass it to john to brute force. We will use rockyou.txt once again.
Passphrase found! Use this to connect via ssh.
id = david
cat user.txt

Root

Use the shell script in home directory and see the commands being issued. Namely the use of sudo with journalctl.
Copy the file elsewhere and execute. It still works.
Add a && operator and issue /bin/sh at the end of the shell script.
Run the script and you should be able to use !/bin/sh to get a shell via less with uid=0
cat root.txt

#hackthebox #htb

SANS KringleCon / Holiday Hack 2019

December 15, 2019

`Talks`

John Strand, Keynote: A Hunting We Must Go

Interval, con time, data size.
Holes in an org are just as important to detect as threat actors.
Deception time + Reaction time < Time to perform attack.

Katie Knowles, How to (Holiday) Hack It: Tips for Crushing CTFs & Pwning Pentests

Recon –> ID Vuln –> ID Exploit –> Test –> New Info Integrate

1. Understanding the Problem

Drawing is a useful way to visualise a problem e.g.:

credit: Katie Knowles

2. Plan

Google things; look for other things that are similar.
Having a list of things that we've done and then ensuring all bases are covered in each step e.g. all ports checked, UDP as well?

3. Carry out the plan

4. Looking Back

Record your steps, useful links, wiki.

Tools

rita – tool to check for beacons
Zeek
Url Crazy – typosquatting #socialengineering

#CTF #SANS #HolidayHack #KringleCon2019

TryHackMe | Advent of Cyber 2019

December 8, 2019

Link: https://tryhackme.com/room/25daysofchristmas

Get started with Cyber Security in 25 Days – Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas

Day 1

cookies that have fixed values are bad as it allows attackers to guess the pattern and values.
a new cookie can be created from Firefox dev tools > storage > cookies > add new

Day 2

check source pages
dir searching
github search for website

Day 3

for pcaps, the best thing to do is search for interesting activities e.g. telnet and ssh
follow stream to export to txt
johntheripper can work on /etc/shadow without needeing /etc/passwd.

Day 4

to find text within all files: grep -Ril "text"
- to grep for all IP addresses: grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" file.txt
It's wise to search for *.bak files in case some world readable backups exist : find / -name *.bak 2>/dev/null

Day 5

OSINT required creative google searches, social media, and the use of waybackmachine.

Day 6

Tools used:
- wireshark-gtk
- fcrackzip
- steghide

Day 7

strange protocols running on weird ports are worth trying out via http.

Day 8

if binaries such as find are running as another user you can usually use exec to execute something with that binary e.g.:

find /home/igor -name flag1.txt  -exec cat /home/igor/flag1.txt \;

commonly used command to list all suid binaries:

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

Day 10: Metasploit

After a quick nmap scan, there seems to be a tomcat server running on port 80.
Version enumeration reveals that it may be prone to the struts2 vuln.
Let's use the struts2_content_type_ognl exploit via MSF and configure hosts, ports, and path (path = “”).
exploit successful! Use meterpreter shell to exploit further and find a way to break out of the docker container.
SSH creds are available —> this is how we break out.

Day 11: Network Exploitation

nmap -A $IP -oA <filename>
We can see the following services open: ftp, nfs, mysql
Anonymous login is allowed on FTP. Use ftp to login and retrieve file and credentials.

NFS

showmount -e $IP to check if NFS is present and directory path.
cd /tmp && mkdir thm-nfs-11
sudo mount $IP:/opt/files thm-nfs-11
thm-nfs-11 contains a file with the flag.

MySQL

I'll be using mycli to connect to the msql database.
mycli -h $IP -P 3306 -u root
show databases
use data
show tables
SELECT * FROM 'USERS'
Creds are now retrieved from the table.

Day 12

1) md5sum 2) gpg --decrypt note1.txt.gpg with supplied passphrase 3a) Decrypt private RSA key first with supplied passphrase openssl rsa -in private.key -out test.key 3b) Then use openssl rsautl -decrypt -inkey test.key -in note2_encrypted.txt -out note2_decrypted.txt to obtain decrypted note.

Day 14: AWS S3 Buckets

Buckets can be accessed via bucketname.s3.amazonaws.com or bucketname.region-name.amazonaws.com
Bucket contents can be accessed via bucketname.region-name.amazonaws.com/file-name

Day 15: Local File Inclusion

Webservers will often pull files from local locations to display on a webpage.
It's best to have a look at the HTTP requests and start crafting potential LFI that way.
Be sure to encode the / using %2F.
Example payload: http://host/get-file/%2fetc%2fpasswd

#writeups #ctf #tryhackme