drsh0's llog

my learning log; notes on cybersec activities, ctfs, and ill-equipped cyber adventures. Consume responsibly.

Sharing some notes I recorded during @AletheDenis' OSINT CTF Strategy and Tactics II event back in September 2020. I hope it helps!

It covers some tips, strategies, and common mistakes to avoid in order to get the most out of OSINT CTFs.

#osint #ctf


https://tryhackme.com/room/jack

Summary

  • exploit Wordpress web server
  • gain user shell
  • use Python to escalate to root

Tools Used

  • nmap, wpscan, python, pspy

https://holidayhackchallenge.com/2020/

Updating this as soon as the event starts in mid-December 2020 🎄


HackTheBox – Traverxec – Writeup

User

  1. port and version enumeration: nmap -sV -sC -oA traverxec.htb 10.10.10.165
  2. We see that the http server being used is nostromo 1.9.6. This version is vulnerable, as seen at https://www.exploit-db.com/exploits/47573
  3. We can run the metasploit module as per rapid7.
  4. This gives a shell with www-data.
  5. Running LinEnum.sh provides some interesting data, namely that we have a .htpasswd hash available.
  6. This hash is an md5crypt hash. We will use john htpasswd --wordlist=/usr/wordlist/rockyou.txt to crack it.
  7. After cracking this hash, we need to find the http directory where we can use this password.
  8. Browsing /home/david/public_www we can find a protected area. The password cracked earlier works!
  9. Download the tar.gz file and extract using gunzip.
  10. We have some ssh key backups. The most important file here is id_rsa.
  11. Use ssh -i <key file> to try and connect to david@traverxec.htb.
  12. We need a passphrase. Let's try using ssh2john and pass it to john to brute force. We will use rockyou.txt once again.
  13. Passphrase found! Use this to connect via ssh.
  14. id = david
  15. cat user.txt

Root

  1. Use the shell script in home directory and see the commands being issued. Namely the use of sudo with journalctl.
  2. Copy the file elsewhere and execute. It still works.
  3. Add a && operator and issue /bin/sh at the end of the shell script.
  4. Run the script and you should be able to use !/bin/sh to get a shell via less with uid=0
  5. cat root.txt

#hackthebox #htb

Talks

John Strand, Keynote: A Hunting We Must Go

  • Interval, con time, data size.
  • Holes in an org are just as important to detect as threat actors.
  • Deception time + Reaction time < Time to perform attack.

Katie Knowles, How to (Holiday) Hack It: Tips for Crushing CTFs & Pwning Pentests

  • Recon –> ID Vuln –> ID Exploit –> Test –> New Info Integrate

1. Understanding the Problem

  • Drawing is a useful way to visualise a problem e.g.:

credit: Katie Knowles

2. Plan

  • Google things; look for other things that are similar.
  • Keep a list of things you've already done, then make sure all bases are covered at each step, e.g. all ports checked, UDP as well?

3. Carry out the plan

4. Looking Back

  • Record your steps, useful links, wiki.

Snow, Santa’s Naughty List: Holiday Themed Social Engineering

Tools

#CTF #SANS #HolidayHack #KringleCon2019

Link: https://tryhackme.com/room/25daysofchristmas

Get started with Cyber Security in 25 Days – Learn the basics by doing a new, beginner-friendly security challenge every day leading up to Christmas

Day 1

  • cookies with fixed or predictable values are bad, as they let attackers guess the pattern and values.
  • a new cookie can be created from Firefox dev tools > storage > cookies > add new

Day 2

  • check source pages
  • dir searching
  • github search for website

Day 3

  • for pcaps, the best thing to do is search for interesting activities e.g. telnet and ssh
  • follow stream to export to txt
  • johntheripper can work on /etc/shadow without needing /etc/passwd.

Day 4

  • to find text within all files: grep -Ril "text" .
    • to grep for all IP addresses: grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" file.txt
  • It's wise to search for *.bak files in case some world-readable backups exist: find / -name "*.bak" 2>/dev/null (quote the pattern so the shell does not expand it before find sees it)
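The IP regex above matches anything shaped like four dot-separated numbers, so it also pulls out version strings, fragments of longer dotted numbers, and out-of-range values such as 999.1.1.1. The following Python example is added here (it is not part of the original notes) and runs the note's loose pattern beside a stricter one over a few constructed log lines; SAMPLE_LOG and the function names are mine.

```python
import re
from typing import List

# Loose pattern from the note above: anything shaped like d.d.d.d, no bounds checks.
LOOSE_IPV4 = re.compile(r"([0-9]{1,3}[.]){3}[0-9]{1,3}")

# Strict pattern: every octet must be 0-255, and the match may not be glued to
# neighbouring digits or dots, so "2020.12.24.1" and "1.2.3.4.5" are not carved up.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
STRICT_IPV4 = re.compile(r"(?<![0-9.])(?:" + OCTET + r"\.){3}" + OCTET + r"(?!\.?[0-9])")

# Constructed sample log lines (not taken from any real host).
SAMPLE_LOG = """\
Jan 10 10:00:01 web sshd[123]: Accepted publickey for david from 10.10.10.165 port 51234
Jan 10 10:00:02 web app[201]: build 2020.12.24.1 started
Jan 10 10:00:03 web app[201]: rejected malformed peer 999.1.1.1
Jan 10 10:00:04 web app[201]: peer 192.168.1.10 reconnected to 172.16.0.254
Jan 10 10:00:05 web app[201]: odd identifier 1.2.3.4.5 seen in request
"""


def extract_loose(text: str) -> List[str]:
    """Equivalent of grep -E -o with the note's regex: every match, in order."""
    return [m.group(0) for m in LOOSE_IPV4.finditer(text)]


def extract_strict(text: str) -> List[str]:
    """Only syntactically valid dotted-quad IPv4 addresses, in order."""
    return [m.group(0) for m in STRICT_IPV4.finditer(text)]


def unique_ips(text: str) -> List[str]:
    """De-duplicated valid addresses sorted numerically, like piping through sort -u."""
    return sorted(set(extract_strict(text)),
                  key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    print("loose :", extract_loose(SAMPLE_LOG))
    print("strict:", extract_strict(SAMPLE_LOG))
    print("unique:", unique_ips(SAMPLE_LOG))
```

The loose pattern returns six "addresses" from the five sample lines, three of which are noise; the strict one returns the three real ones. The trailing lookahead still allows an address that ends a sentence with a period, which the grep one-liner also handles.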

Day 5

  • OSINT required creative google searches, social media, and the use of waybackmachine.

Day 6

  • Tools used:
    • wireshark-gtk
    • fcrackzip
    • steghide

Day 7

  • strange protocols running on weird ports are worth trying out via http.

Day 8

  • if binaries such as find are running as another user you can usually use -exec to run something with that binary, e.g.:
find /home/igor -name flag1.txt -exec cat {} \;
  • commonly used command to list all SUID binaries:
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
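The SUID one-liner above produces an inventory; what a defender wants on top of that is to know when the inventory changes. The following Python example is added here (it is not from the room or the original notes): it walks a tree the way find -perm -4000 does and diffs the result against a recorded baseline. The directory tree, file names and baseline are constructed for the demo and are not real system binaries.

```python
import os
import stat
import tempfile
from typing import Dict, List, Set, Tuple


def find_setuid(root: str) -> Dict[str, int]:
    """Python equivalent of `find ROOT -perm -4000`: {path: owner uid} for every
    regular file under root with the setuid bit. Symlinks are not followed and
    unreadable entries are skipped, like the 2>/dev/null in the shell one-liner."""
    found: Dict[str, int] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found[path] = st.st_uid
    return found


def diff_against_baseline(current: Dict[str, int],
                          baseline: Set[str]) -> Tuple[List[str], List[str]]:
    """Compare a fresh scan with a recorded baseline: binaries that gained setuid
    since the baseline (the ones to investigate) and baseline entries that vanished."""
    new = sorted(set(current) - baseline)
    missing = sorted(baseline - set(current))
    return new, missing


def build_demo_tree() -> str:
    """Constructed tree for the demo: three placeholder scripts, two with setuid.
    The names are illustrative only; nothing here is an actual system binary."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4755), ("ls", 0o755), ("backup-helper", 0o4755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho placeholder\n")
        os.chmod(path, mode)  # setting u+s on a file you own needs no privileges
    return root


def scan_demo() -> Tuple[List[str], List[str]]:
    """Scan the constructed tree against a baseline that only knew about passwd."""
    root = build_demo_tree()
    baseline = {os.path.join(root, "usr", "bin", "passwd")}
    new, missing = diff_against_baseline(find_setuid(root), baseline)

    def rel(paths: List[str]) -> List[str]:
        return [os.path.relpath(p, root) for p in paths]

    return rel(new), rel(missing)


if __name__ == "__main__":
    new, missing = scan_demo()
    print("new setuid binaries since baseline:", new)
    print("baseline entries now missing:", missing)
```

On a real host you would run find_setuid("/") once on a known-good build, store the result, and alert on anything that shows up in the "new" list afterwards; the uid is kept so a binary that changed owner without changing path is also visible.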

Day 10: Metasploit

  • After a quick nmap scan, there seems to be a tomcat server running on port 80.
  • Version enumeration reveals that it may be prone to the struts2 vuln.
  • Let's use the struts2_content_type_ognl exploit via MSF and configure hosts, ports, and path (path = "").
  • exploit successful! Use meterpreter shell to exploit further and find a way to break out of the docker container.
  • SSH creds are available -> this is how we break out.

Day 11: Network Exploitation

  • nmap -A $IP -oA <filename>
  • We can see the following services open: ftp, nfs, mysql
  • Anonymous login is allowed on FTP. Use ftp to login and retrieve file and credentials.

NFS

  • showmount -e $IP to check if NFS is present and directory path.
  • cd /tmp && mkdir thm-nfs-11
  • sudo mount $IP:/opt/files thm-nfs-11
  • thm-nfs-11 contains a file with the flag.

MySQL

  • I'll be using mycli to connect to the MySQL database.
  • mycli -h $IP -P 3306 -u root
  • show databases;
  • use data;
  • show tables;
  • SELECT * FROM USERS; (no quotes, or backticks; single quotes would turn USERS into a string literal and the query would fail)
  • Creds are now retrieved from the table.

Day 12

  1. md5sum
  2. gpg --decrypt note1.txt.gpg with the supplied passphrase
  3a. Decrypt the private RSA key first with the supplied passphrase: openssl rsa -in private.key -out test.key
  3b. Then use openssl rsautl -decrypt -inkey test.key -in note2_encrypted.txt -out note2_decrypted.txt to obtain the decrypted note.

Day 14: AWS S3 Buckets

  • Buckets can be accessed via bucketname.s3.amazonaws.com or bucketname.region-name.amazonaws.com
  • Bucket contents can be accessed via bucketname.region-name.amazonaws.com/file-name

Day 15: Local File Inclusion

  • Webservers will often pull files from local locations to display on a webpage.
  • It's best to have a look at the HTTP requests and start crafting potential LFI that way.
  • Be sure to encode the / using %2F.
  • Example payload: http://host/get-file/%2fetc%2fpasswd
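To make the payload above concrete from the defender's side, here is an added Python example (not code from the room or the original notes) with the vulnerable path-resolution pattern beside a hardened one. WEB_ROOT and the function names are assumptions for the demo; the files are never opened, so it runs anywhere.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Assumed document root for this demo; not a path from the room.
WEB_ROOT = "/var/www/files"


def resolve_vulnerable(requested: str) -> str:
    """The pattern the note's payload abuses: decode the URL segment and join it to
    the root with no containment check. An absolute path replaces the root entirely
    (os.path.join discards everything before an absolute component) and ../ walks out."""
    return os.path.join(WEB_ROOT, unquote(requested))


def resolve_safe(requested: str) -> Optional[str]:
    """Decode once, drop a leading slash, normalise, and refuse anything that does not
    stay under WEB_ROOT. Returns the path to serve, or None to reject the request."""
    decoded = unquote(requested)
    if "\x00" in decoded:          # a NUL byte can truncate the path in a C-level open()
        return None
    if "%" in decoded:             # still encoded after one decode: double encoding, reject
        return None
    candidate = os.path.normpath(os.path.join(WEB_ROOT, decoded.lstrip("/")))
    if os.path.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    # In a deployment, also resolve symlinks on the existing file (os.path.realpath)
    # and repeat this containment check: a symlink under the root can point outside it.
    return candidate


if __name__ == "__main__":
    for req in ("report.pdf", "%2fetc%2fpasswd", "..%2f..%2f..%2fetc%2fpasswd"):
        print(f"{req!r:40} vulnerable -> {resolve_vulnerable(req)}")
        print(f"{'':40} safe       -> {resolve_safe(req)}")
```

With the note's payload, the vulnerable resolver hands back /etc/passwd verbatim, while the hardened one maps it to a file under the document root and rejects the ../ variant outright. Rejecting a leftover % after one decode is a deliberate choice: it blocks double-encoded traversal at the cost of refusing the rare legitimate filename containing a percent sign.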

#writeups #ctf #tryhackme