- ctf hackthebox Carrier injection command-injection bgp-hijack nmap gobuster snmp snmpwalk pivot container tcpdump lxc lxd ssh
Carrier was awesome, not because it super hard, but because it provided an opportunity to do something that I hear about all the time in the media, but have never been actually tasked with doing - BGP Hijacking. I’ll use SMNP to find a serial number which can be used to log into a management status interface for an ISP network. From there, I’ll find command injection which actually gives me execution on a router. The management interface also reveals tickets indicting some high value FTP traffic moving between two other ASNs, so I’ll use BGP hijacking to route the traffic through my current access, gaining access to the plaintext credentials. In Beyond Root, I’ll look at an unintended way to skip the BGP hijack, getting a root shell and how the various containers were set up, why I only had to hijack one side of the conversation to get both sides, the website and router interaction and how to log commands sent over ssh, and what “secretdata” really was.
- ctf hackthebox Ethereal Windows AppLocker meterpreter metasploit Beryllium visualstudio .NET
On of the challenges in Ethereal was having to use a shell comprised of two OpenSSL connections over different ports. And each time I wanted to exploit some user action, I had to set my trap in place, kill my shell, start two listeners, and wait. Things would have been a lot better if I could have just gotten a shell to connect back to me over one of the two open ports, but AppLocker made that nearly impossible. IppSec demoed a method to bypass those filters using COR Profiling. I wanted to play with it myself, and get some notes down (in the form of this post).
- hackthebox Bastard ctf web Drupal Drupalgeddon2 Drupalgeddon3 droopescan dirsearch nmap Windows searchsploit nishang ms15-051 smbserver Devel Granny php webshell
Bastard was the 7th box on HTB, and it presented a Drupal instance with a known vulnerability at the time it was released. I’ll play with that one, as well as two more, Drupalgeddon2 and Drupalgeddon3, and use each to get a shell on the box. The privesc was very similar to other early Windows challenges, as the box is unpatched, and vulnerable to kernel exploits.
- ctf hackthebox Ethereal nmap pbox credentials injection hydra python shell dns-c2 nslookup openssl lnk pylnker LNKUp wfuzz ca msi Windows
Ethereal was quite difficult, and up until a few weeks ago, potentially the hardest on HTB. Still, it was hard in a fun way. The path through the box was relatively clear, and yet, each step presented a technical challenge to figure out what was going on and how I could use it to get what I wanted. I’ll start by breaking into an old password vault that I find on FTP, and using that to authenticate to a website. That site has code injection, and I’ll use that to get exfil and eventually a weak shell over DNS. I’ll discover OpenSSL, and use that to get a more stable shell. From there, I’ll replace a shortcut to escalate to the next user. Then I’ll user CA certs that I find on target to sign an MSI file to give me shell as the administrator. I’ll also attach two additional posts, one going into how I attacked pbox, and another on how I developed a shell over blind command injection and dns.
- ctf hackthebox Ethereal Windows dns-c2 python python-cmd python-scapy injection python-requests
For Ethereal, I found a DOS application,
pbox.exe, and a
pbox.datfile. These were associated with a program called PasswordBox, which was an early password manager program. To solve this box, most people likely just guessed the password, “password”. But what if I had needed to brute force it? The program was not friendly to taking input from stdin, or from running inside python. So I downloaded the source code, installed the FreeBasic compiler, and started hacking at the source until it ran in a way that I could brute force test 1000 passwords in 5 seconds. I’ll walk through my steps and thought process in this post.
- ctf hackthebox Ethereal Windows dns-c2 python python-cmd python-scapy injection python-requests
It would have been possible to get through the initial enumeration of Ethereal with just Burp Repeater and tcpdump, or using responder to read the DNS requests. But writing a shell is much more fun and good coding practice. I’ll develop around primary two modules from Python, scapy to listen for and process DNS packets, and cmd to create a shell user interface, with requests to make the http injections. In this post I’ll show how I built the shell step by step.
- granny ctf hackthebox webdav aspx webshell Devel meterpreter Windows ms14-058 local_exploit_suggester pwk cadaver
As I’m continuing to work through older boxes, I came to Granny, another easy Windows host involving webshells. In this case, I’ll use WebDAV to get a webshell on target, which is something I haven’t written about before, but that I definitely ran into while doing PWK. In this case, WebDav blocks aspx uploads, but it doesn’t prevent me from uploading as a txt file, and then using the HTTP Move to move the file to an aspx. I’ll show how to get a simple webshell, and how to get meterpreter. For privesc, I’ll use a Windows local exploit to get SYSTEM access.
- ctf Devel hackthebox webshell aspx meterpreter metasploit msfvenom ms11-046 ftp Nishang nmap watson smbserver upload Windows
Another one of the first boxes on HTB, and another simple beginner Windows target. In this case, I’ll use anonymous access to FTP that has it’s root in the webroot of the machine. I can upload a webshell, and use it to get execution and then a shell on the machine. Then I’ll use one of many available Windows kernel exploits to gain system. I’ll do it all without Metasploit, and then with Metasploit.
- Access hackthebox ctf mdbtools readpst mutt telnet runas cached-creds dpapi mimikatz pylnker
Access was an easy Windows box, which is really nice to have around, since it’s hard to find places for beginners on Windows. And, unlike most Windows boxes, it didn’t involve SMB. I’ll start using anonymous FTP access to get a zip file and an Access database. I’ll use command line tools to find a password in the database that works for the zip file, and find an Outlook mail file inside. I’ll read the email to find the password for an account on the box, and connect with telnet. From there, I’ll take advantage of cached administrator credentials two different ways to get root.txt. In Beyond Root, I’ll look at ways to get more details out of lnk files, both with PowerShell and pylnker.
- exploit CVE-2019-1003000 Jenkins Jeeves powershell Nishang Windows
Orange Tsai published a really interesting writeup on their discovery of CVE-2019-1003000, an Unathenticated remote code exeuction (RCE) in Jenkins. There was a box from HackTheBox.eu that ran Jenkins, and while the configuration wasn’t perfect for this kind of test, I decided to play with it and see what I could figure out. I’ll get the exploit working with a new payload so that it runs on the Windows environment.
- ctf Zipper hackthebox nmap zabbix api credentials path-hijack docker ltrace service-hijack exploit-db jq openssl php pivot ssh Linux Ubuntu
Zipper was a pretty straight-forward box, especially compared to some of the more recent 40 point boxes. The main challenge involved using the API for a product called Zabbix, used to manage and inventory computers in an environment. I’ll show way too many ways to abuse Zabbix to get a shell. Then for privesc, I’ll show two methods, using a suid binary that makes a call to system without providing a full path, allowing me to change the path and get a root shell, and identifying a writable service file that I can hijack to gain root privlege. In Beyond Root, I’ll dig into the shell from Exploit-DB, figure out how it works, and make a few improvements.
- ctf wizard-labs dummy Windows ms17-010 smb msfvenom Win7
I had an opportunity to check out Wizard Labs recently. It’s a recently launched service much like HackTheBox. Their user interface isn’t as polished or feature rich as HTB, but they have 16 vulnerable machines online right now to attack. The box called Dummy recently retired from their system, so I can safely give it a walk-through. It’s a bit of bad luck that I looked at this just after doing Legacy, as they were very similar boxes. Seems popular to start a service with a Windows SMB vulnerability. This was a Windows 7 box, vulnerable to MS17-010. I’ll use a different python script, and give the Metasploit exploit a spin and fail.
- ctf hackthebox legacy Windows ms08-067 ms17-010 smb msfvenom xp
Since I’m caught up on all the live boxes, challenges, and labs, I’ve started looking back at retired boxes from before I joined HTB. The top of the list was legacy, a box that seems like it was one of the first released on HTB. It’s a very easy Windows box, vulnerable to two SMB bugs that are easily exploited with Metasploit. I’ll show how to exploit both of them without Metasploit, generating shellcode and payloads with msfvenom, and modifying public scripts to get shells. In beyond root, I’ll take a quick look at the lack of whoami on XP systems.
- hackthebox ctf Giddy sqli sqlimap WinRM net-ntlmv2 responder hashcat UnifiVideo Defender Ebowla smbserver AppLocker
I thought Giddy was a ton of fun. It was a relateively straight forward box, but I learned two really neat things working it (each of which inspired other posts). The box starts with some enumeration that leads to a site that gives inventory. I’ll abuse an SQL-Injection vulnerability to get the host to make an SMB connect back to me, where I can collect Net-NTLMv2 challenge response, and crack it to get a password. I can then use either the web PowerShell console or WinRM to get a shell. To get system, I’ll take advantage of a vulnerability in Ubiquiti UniFi Video.
- snapd cve-2019-7304 hackthebox ubuntu exploit
A local privilege escalation exploit against a vulnerability in the snapd server on Ubuntu was released today by Shenanigans Labs under the name Dirty Sock. Snap is an attempt by Ubuntu to simplify packaging and software distribution, and there’s a vulnerability in the REST API which is attached to a local UNIX socket that allowed multiple methods to get root access. I decided to give it a run, both on a VM locally and on some of the HackTheBox.eu machines.
- Ypuffy hackthebox ctf ldap ssh ssh-keygen doas sudo certificate certificate-authority wireshark cve-2018-14665 python flask wsgi
Ypuffy was an OpenBSD box, but the author said it could have really been any OS, and I get that. The entire thing was about protocols that operate on any environment. I’ll use ldap to get a hash, which I can use to authenticate an SMB share. There I find an SSH key that gets me a user shell. From there, I’ll abuse my doas privilege with ssh-keygen to create a signed certificate that I can use to authenticate to the box as root for ssh. In Beyond root, I’ll look at the Xorg privesc vulnerability that became public a month or so after Ypuffy was released, and also explore the web server configuration used in the ssh auth.
- ctf Dab hackthebox flask python nginx wsgi memcached brute hydra wfuzz hashcat ssh ldd ldconfig re Ida
Dab had some really neat elements, with a few trolls thrown in. I’ll start by ignoring a steg troll in an open FTP and looking at two web apps. As I’m able to brute force my way into one, it populates a memcached instance, that I’m then able to query using the other as a proxy. From that instance, I’m able to dump users with md5 password hashes. After cracking twelve of them, one gives me ssh access to the box. From there, I’ll take advantage of my having root level access to the tool that configures how dynamic run-time linking occurs, and use that to pivot to a root shell. In Beyond Root, I’ll look at the web apps and how they are configured, one of the troll binaries, and a cleanup cron job I found but managed to avoid by accident.
- hackthebox tunnel Chisel SSF Reddish
Having just written up HTB Reddish, pivoting without SSH was at the top of my mind, and I’ve since learned of two programs that enable pivots, Chisel and Secure Socket Funneling (SSF). I learned about Chisel from Ippsec, and you can see his using it to solve Reddish in his video. I wanted to play with it, and figured I’d document what I learned here. I learned about SSF from another HTB user, jkr, who not only introduced me to SSF, but pulled together the examples in this post.
- pwk oscp pivot ssh tunnel sshuttle meterpreter
That beautiful feeling of shell on a box is such a high. But once you realize that you need to pivot through that host deeper into the network, it can take you a bit out of your comfort zone. I’ve run into this in Sans Netwars, Hackthebox, and now in PWK. In this post I’ll attempt to document the different methods I’ve used for pivoting and tunneling, including different ways to use SSH, sshuttle, and meterpreter, as well as some strategies for how to live from the host you are currently working through. Updated on 28 Jan 2018 to add references to two additional tools, Chisel and SSF.
- Reddish hackthebox ctf node-red nodejs tunnel php redis rsync docker
Reddish is one of my favorite boxes on HTB. The exploitation wasn’t that difficult, but it required tunneling communications through multiple networks, and operate in bare-bones environments without the tools I’ve come to expect. Reddish was initially released as a medium difficulty (30 point) box, and after the initial user blood took 9.5 hours, and root blood took 16.5 hours, it was raised to hard (40). Later, it was upped again to insane (50). To get root on this box, I’ll start with an instance of node-red, a javscript browser-based editor to set up flows for IoT. I’ll use that to get a remote shell into a container. From there I’ll pivot using three other containers, escalating privilege in one, before eventually ending up in the host system. Throughout this process, I’ll only have connectivity to the initial container, so I’ll have to maintain tunnels for communication.
- hackthebox ctf SecNotes xsrf second-order-sqli smb Windows-subsystem-for-Linux bash.exe winexe smbclient webshell
SecNotes is a bit different to write about, since I built it. The goal was to make an easy Windows box that, though the HTB team decided to release it as a medium Windows box. It was the first box I ever submitted to HackTheBox, and overall, it was a great experience. I’ll talk about what I wanted to box to look like from the HTB user’s point of view in Beyond Root. SecNotes had a neat XSRF in the site that was completely bypassed by most people using an unintentional second order SQL injection. Either way, after gaining SMB credentials, it allowed the attacker to upload a webshell, and get a shell on the host. Privesc involved diving into the Linux Subsystem for Windows, finding the history file, and getting the admin creds from there.
- ctf sans-holiday-hack
The Sans Holiday Hack is one of the events I most look forward to each year. This year’s event is based around KringleCon, an infosec conference organized by Santa as a response to the fact that there have been so many attempts to hack Christmas over the last few years. This conference even has a bunch of talks, some quite useful for completing the challenge, but others that as just interesting as on their own. To complete the Holiday Hack Challenge, I’m asked to enter this virtual conference, walk around, and solve a series of technical challenges. As usual, the challenges were interesting and set up in such a way that it was very beginner friendly, with lots of hints and talks to ensure that you learned something while solving. The designers also implemented several more defensive / forensic challenges this year, which was neat to see.
- responder MitM net-ntlmv2 hashcat llmnr wpad xp_dirtree
One of the authentication protocols Windows machines use to authenticate across the network is a challenge / response / validation called Net-NTLMv2. If can get a Windows machine to engage my machine with one of these requests, I can perform an offline cracking to attempt to retrieve their password. In some cases, I could also do a relay attack to authenticate directly to some other server in the network. I’ve run into an interesting case of this recently that were worth sharing. In this post, I’ll focus on ways to get a host to send you a challenge / response. If you’re interested in relaying, leave a command and I’ll consider that too.
- Oz hackthebox ctf api sqli hashcat ssti jinja2 payloadallthethings docker container pivot ssh port-knocking portainer tplmap jwt
Oz was long. There was a bunch of enumeration at the front, but once you get going, it presented a relatively straight forward yet technically interesting path through two websites, a Server-Side Template Injection, using a database to access an SSH key, and then using the key to get access to the main host. To privesc, I’ll go back into a different container and take advatnage of a vulnarbility in the docker management software to get root access.
- Mischief hackthebox ctf cve-2018-18955 policykit
Since publishing my write-up on Mischief from HackTheBox, I’ve learned of two additional ways to privesc to root once I have access as loki. The first is another method to get around the fact the
suwas blocked on the host using PolicyKit with the root password. The second was to take advantage of a kernel bug that was publically released in November, well after Mischief went live. I’ll quickly show both those methods.
- hackthebox ctf Mischief ipv6 snmp snmpwalk enyx command-injection hydra filtering facl getfacl systemd-run lxc wfuzz xxd iptables color-print
Mishcief was one of the easier 50 point boxes, but it still provided a lot of opportunity to enumerate things, and forced the attacker to think about and work with IPv6, which is something that likely don’t come naturally to most of us. I’ll use snmp to get both the IPv6 address of the host and credentials from the webserver. From there, I can use those creds to log in and get more creds. The other creds work on a website hosted only on IPv6. That site has command injection, which gives me code execution, a shell as www-data, and creds for loki. loki’s bash history gives me the root password, which I can use to get root, once I get around the fact that file access control lists are used to prevent loki from running su. In beyond root, I’ll look at how I could get RCE without the creds to the website, how I might have exfiled data via ping if there wasn’t a way to see output, the filtering that site did, and the iptables rules.
Hackvent is a great CTF, where a different challenge is presented each day, and the techniques necessary to solve each challenge vary widely. Like Advent of Code, I only made it through the first half before a combination of increased difficulty, travel for the holidays, and Holiday Hack (and, of course, winning NetWars TOC) all led to my stopping Hackvent mid-way. Still, even the first 12 challenges has some neat stuff, and were interesting enough to write up.
- ctf sans-holiday-hack hackthebox jq waldo ja3 malware
jq is such a nifty tool that not nealry enough people know about. If you’re working with json data, even just small bits here and there, it’s worth knowing the basics to make some simple data manipulations possible. And if you want to become a full on jq wizard, all the better. In this post, I’ll walk through three examples of varying levels of complexity to show off jq. I’ll detail what I did in Waldo, show an example from the 2017 Sans Holiday Hack Challenge, and conclude with a real-world example where I’m looking at SSL/TLS fingerprints.
- ctf hackthebox Waldo docker php ssh rbash capabilities
Waldo was a pretty straight forward box, with a few twists that weren’t too difficult to circumvent. First, I’ll take advantage of a php website, that allows me to leak its source. I’ll use that to bypass filters to read files outside the webroot. In doing so, I’ll find an ssh key that gets me into a container. I’ll notice that I can actually ssh back into localhost again to get out of the container, but with a restricted rbash shell. After escaping, I’ll find the tac program will the linux capability set to allow for full system read, giving me full read access over the entire system, including the flag.
- ctf advent-of-code python
Advent of Code is a fun CTF because it forces you to program, and to think about data structures and efficiency. It starts off easy enough, and gets really hard by the end. It’s also a neat learning opportunity, as it’s one of the least competitive CTFs I know of. After the first 20 people solve and the leaderboard is full, people start to post answers on reddit on other places, and you can see how others solved it, or help yourself when you get stuck. I’m going to create one post and just keep updating it with my answers as far as I get.
- ctf hackthebox Active active-directory gpp-password gpp-decrypt smb smbmap smbclient enum4linux GetUserSPNS.py kerberoast hashcat psexec.py
Active was an example of an easy box that still provided a lot of opportunity to learn. The box was centered around common vulnerabilities associated with Active Directory. There’s a good chance to practice SMB enumeration. It also gives the opportunity to use Kerberoasting against a Windows Domain, which, if you’re not a pentester, you may not have had the chance to do before.
- oscp pwk enumeration smb nmblookup smbclient rpcclient nmap enum4linux smbmap
[Update 2018-12-02] I just learned about smbmap, which is just great. Adding it to the original post. Beyond the enumeration I show here, it will also help enumerate shares that are readable, and can ever execute commands on writable shares. [Original] As I’ve been working through PWK/OSCP for the last month, one thing I’ve noticed is that enumeration of SMB is tricky, and different tools fail / succeed on different hosts. With some input from the NetSecFocus group, I’m building out an SMB enumeration check list here. I’ll include examples, but where I use PWK labs, I’ll anonymize the data per their rules. If I’m missing something, leave a comment.
- hackthebox ctf hawk drupal ftp openssl openssl-bruteforce php password-reuse h2
Hawk was a pretty easy box, that provided the challenge to decrypt a file with openssl, then use those credentials to get admin access to a Drupal website. I’ll use that access to gain execution on the host via php. Credential reuse by the daniel user allows me to escalate to that user. From there, I’ll take advantage of a H2 database to first get arbitrary file read as root, and then target a different vulnerability to get RCE and a root shell. In Beyond Root, I’ll explore the two other listening ports associated with H2, 5435 and 9092.
- ctf hackthebox smasher bof pwntools timing-attack padding-oracle AES path-traversal
Smasher is a really hard box with three challenges that require a detailed understanding of how the code you’re intereacting with works. It starts with an instance of shenfeng tiny-web-server running on port 1111. I’ll use a path traversal vulnerability to access to the root file system. I’ll use that to get a copy of the source and binary for the running web server. With that, I’ll write a buffer overflow exploit to get a reverse shell. Next, I’ll exploit a padding oracle vulnerability to get a copy of the smasher user’s password. From there, I’ll take advantage of a timing vulnerability in setuid binary to read the contents of root.txt. I think it’s possible to get a root shell exploiting a buffer overflow, but I wasn’t able to pull it off (yet). In Beyond Root, I’ll check out the AES script, and show how I patched the checker binary.
- ctf hackthebox smasher gdb bof pwntools
There was so much to write about for Smasher, it seemed that the buffer overflow in tiny deserved its own post. I’ll walk through my process, code analysis and debugging, through development of a small ROP chain, and show how I trouble shot when things didn’t work. I’ll also show off pwntools along the way.
- hackthebox jerry ctf
Jerry is quite possibly the easiest box I’ve done on HackTheBox (maybe rivaled only by Blue). In fact, it was rooted in just over 6 minutes! There’s a Tomcat install with a default password for the Web Application Manager. I’ll use that to upload a malicious war file, which returns a system shell, and access to both flags.
- hackthebox ctf Reel malware rtf hta msfvenom rtfdump oledump scdbg powershell vbscript shellcode
I regularly use tools like msfvenom or scripts from GitHub to create attacks in HackTheBox or PWK. I wanted to take a minute and look under the hood of the phishing documents I generated to gain access to Reel in HTB, to understand what they are doing. By the end, we’ll understand how the RTF abuses a COM object to download and launch a remote HTA. In the HTA, we’ll see layers of script calling each other, until I find some shellcode loaded into memory by PowerShell and run. I’ll do some initial analysis of that shellcode to see the network connection attempts.
- hackthebox Reel ctf ftp CVE-2017-0199 rtf hta phish ssh bloodhound powerview active-directory metasploit
Reel was an awesome box because it presents challenges rarely seen in CTF environments, phishing and Active Directory. Rather than initial access coming through a web exploit, to gain an initial foothold on Reel, I’ll use some documents collected from FTP to craft a malicious rtf file and phishing email that will exploit the host and avoid the protections put into place. Then I’ll pivot through different AD users and groups, taking advantage of their different rights to eventually escalate to administrator. In Beyond Root, I’ll explore remnants of a second path to root that didn’t make the final cut, look at the ACLs on root.txt, examine the script that opens attachments as nico.
- powershell psreadline history
I came across a situation where I discovered a user’s PSReadline ConsoleHost_history.txt file, and it ended up giving me the information I needed at the time. Most people are aware of the
.bash_historyfile. But did you know that the PowerShell equivalent is enabled by default starting in PowerShell v5 on Windows 10? This means this file will become more present over time as systems upgrade.
- hackthebox Dropzone ctf xp tftp mof wmi stuxnet ads sysinternals
Dropzone was unique in many ways. Right off the bat, an initial nmap scan shows no TCP ports open. I’ll find unauthenticated TFTP on UDP 69, and use that access identify the host OS as Windows XP. From there, I’ll use TFTP to drop a malicious mof file where it will automatically compiled, giving me code execution, in a technique made well know by Stuxnet (though not via TFTP, but rather a SMB 0-day). This technique provides a system shell, but there’s one more twist, as I’ll have to find the flags in alternative data streams of a text file on the desktop. I’ll also take this opportunity to dive in on WMI / MOF and how they were used in Stuxnet.
- pwk oscp pivot ssh tunnel sshuttle meterpreter
That beautiful feeling of shell on a box is such a high. But once you realize that you need to pivot through that host deeper into the network, it can take you a bit out of your comfort zone. I’ve run into this in Sans Netwars, Hackthebox, and now in PWK. In this post I’ll attempt to document the different methods I’ve used for pivoting and tunneling, including different ways to use SSH, sshuttle, and meterpreter, as well as some strategies for how to live from the host you are currently working through.
- hackthebox Bounty ctf asp upload Nishang lonelypotato potato meterpreter ms10-051 ms16-014 web.config Sherlock Watson
Bounty was one of the easier boxes I’ve done on HTB, but it still showcased a neat trick for initial access that involved embedding ASP code in a web.config file that wasn’t subject to file extension filtering. Initial shell provides access as an unprivileged user on a relatively unpatched host, vulnerable to several kernel exploits, as well as a token privilege attack. I’ll show a handful of ways to enumerate and to escalate privilege, including a really neat new tool, Watson. When I first wrote this post, Watson wouldn’t run on Bounty, but thanks to some quick work from Rasta Mouse and Mark S, I was able to update the post to include it.
- ctf hackthebox TartarSauce tar diff
I always watch IppSec’s videos on the retired box, because even if I completed the box, I typically learn something. Watching IppSec’s TartarSauce video yesterday left me with three things I wanted to play with a bit more in depth, each related to the
backupererscript. First, the issue of a bash if statement, and how it evaluates on exit status. Next, how Linux handles permissions and ownership between hosts and in and out of archives. Finally, I was wrong in thinking there wasn’t a way to get a root shell… so of course I have to do that.
- ctf TartarSauce hackthebox WordPress wpscan php webshell RFI sudo tar pspy Monstra cron
TartarSauce was a box with lots of steps, and an interesting focus around two themes: trolling us, and the tar binary. For initial access, I’ll find a barely functional WordPress site with a plugin vulnerable to remote file include. After abusing that RFI to get a shell, I’ll privesc twice, both times centered around tar; once through sudo tar, and once needing to manipulate an archive before a sleep runs out. In beyond root, I’ll look at some of the rabbit holes I went down, and show a short script I created to quickly get initial access and do the first privesc in one step.
- ctf hackthebox DevOops xxe ssh git pickle deserialization Canape rss
DevOops was a really fun box that did a great job of providing interesting challenges that weren’t too difficult to solve. I’ll show how to gain access using XXE to leak the users SSH key, and then how I get root by discovering the root SSH key in an old git commit. In Beyond Root, I’ll show an alternative path to user shell exploiting a python pickle deserialization bug.
- pwk oscp smb impacket exfil upload
Moving files to and from a compromised Linux machine is, in general, pretty easy. You’ve got nc, wget, curl, and if you get really desperate, base64 copy and paste. Windows, is another issue all together. PowerShell makes this somewhat easier, but for a lot of the PWK labs, the systems are too old to have PowerShell. The course material goes over a few ways to achieve this, but they don’t cover my favorite - SMB. This may be less realistic in an environment where you have to connect from a victim machine back to your attacker box over the public internet (where SMB could be blocked), but for environments like PWK labs and HTB where you are vpned into the same LAN as your targets, it works great.
- oscp pwk enumeration smb nmblookup smbclient rpcclient nmap enum4linux
As I’ve been working through PWK/OSCP for the last month, one thing I’ve noticed is that enumeration of SMB is tricky, and different tools fail / succeed on different hosts. With some input from the NetSecFocus group, I’m building out an SMB enumeration check list here. I’ll include examples, but where I use PWK labs, I’ll anonymize the data per their rules. If I’m missing something, leave a comment.
- ctf hackthebox Sunday finger hashcat sudo wget shadow sudoers gtfobins
Sunday is definitely one of the easier boxes on HackTheBox. It had a lot of fun concepts, but on a crowded server, they step on each other. We start by using finger to brute-force enumerate users, though once once person logs in, the answer is given to anyone working that host. I’m never a huge fan of asking people to just guess obvious passwords, but after that, there are a couple more challenges, including a troll that proves useful later, some password cracking, and a ton of neat opportunities to complete the final privesc using wget. I’ll show 6 ways to use wget to get root. Finally, in Beyond Root, I’ll explore the overwrite script being run by root, finger for file transfer, and execution without read.
- hackthebox Olympus ctf zonetransfer Xdebug aircrack-ng 802-11 ssh port-knocking docker cve-2018-15473
Olympus was, for the most part, a really fun box, where we got to bounce around between different containers, and a clear path of challenges was presented to us. The creator did a great job of getting interesting challenges such as dns and wifi cracking into a HTB format. There was one jump I wasn’t too excited to have to make, but overall, this box was a lot of fun to attack.
- hackthebox python pickle couchdb ctf Canape flask pip sudo cve-2017-12635 cve-1017-12636 cve-2018-8007
Canape is one of my favorite boxes on HTB. There is a flask website with a pickle deserialization bug. I find that bug by taking advantage of an exposed git repo on the site. With a user shell, we can exploit CouchDB to gain admin access, where we get homer’s password. I went down several rabbit holes trying to get code execution through couchdb, succeeding with EMPD, succeeding with one config change as root for CVE-2018-8007, and failing with CVE-2017-12636. Finally, I’ll take advantage of our user having sudo rights to run pip, and first get a copy of the flag, and then take it all the way to root shell.
- malware vba doc powershell dosfuscation olevba
Someone on an InfoSec group I participate in asked for help looking at a potentially malicious word doc. I took a quick look, and when I sent back the command line that came out, he asked if I could share how I was able to de-obfuscate quickly. In writing it up for him, I figured it might help others as well, so I’ll post it here as an example.
- malware pdf pdf-parser pdfid nanocore vbscript
Pretty simple PDF file was uploaded to VT today, and only 11 of our 59 vendors mark is as malicious, despite it’s being pretty tiny and clearly bad. The file makes no effort at showing any real cover, and could even be a test upload from the malicious actor. The file writes a vbs script which downloads the next stage, and then runs the script and then the resulting binary. The stage two is still up, so I got a copy, which I was able to identify as nanocore, and do some basic dynamic analysis of that as well.
- hackthebox ctf Poison log-poisoning lfi webshell vnc
Poison was one of the first boxes I attempted on HTB. The discovery of a relatively obvious local file include vulnerability drives us towards a web shell via log poisoning. From there, we can find a users password out in the clear, albeit lightly obfuscated, and use that to get ssh access. With our ssh access, we find VNC listening as root on localhost, and
- ctf Stratosphere hackthebox python struts cve cve-2017-9805 cve-2017-5638
Stratosphere is a super fun box, with an Apache Struts vulnerability that we can exploit to get single command execution, but not a legit full shell. I’ll use the Ippsec mkfifo pipe method to write my own shell. Then there’s a python script that looks like it will give us the root flag if we only crack some hashes. However, we actually have to exploit the script, to get a root shell.
- ctf SecNotes hackthebox
My first submission to HTB, SecNotes, went live today! I was aiming for an easy (20 pt) Windows box, but it released as a medium (30 pt) box. First blood for user just fell, 1 hour and 9 minutes in. Still waiting on root. I hope people enjoy, and if you do the box, please reach out to me on the forums or direct message and let me know what you thought of it, and how you solved it. I’d be very excited to hear if there were any unintended paths discovered.
- hackthebox Celestial ctf nodejs deserialization Aragog pspy cron
Celestial is a fairly easy box that gives us a chance to play with deserialization vulnerabilities in Node.js. Weather it’s in struts, or python’s pickle, or in Node.js, deserialization of user input is almost always a bad idea, and here’s we’ll show why. To escalate, we’ll take advantage of a cron running the user’s code as root.
On first finding this sample, I was excited to think that I had found something interesting, rarely detected, and definitely malicious so close to when it was potentially used in a phishing attack. The more analysis I did, the more it became clear this was more likely a testing document, used by a security team evaluating their employees or an endpoint product. Still, it was an interesting sample to play with, and understand how it does interesting things like C2 protocol detection and Sandbox detection.
- malware doc vba msbuild csproj dns document-variables encryption c# oledump
This word document contains a short bit of VBA that’s obfuscated using Word document variables to store the strings that might be identified in email filters and by AV. This seems to be effective, given the VT dection ratio. In fact, I came across this sample in conversation with someone who worked for one of the few products that was catching this sample. The VBA drops a Visual Basic C# project file, and runs it with msbuild, which executes a compilation Task. This code uses DNS TXT records to decrypt a next stage payload. Unfortunately, since the DNS record is no longer present.
- malware pdf pdfid pdf-parser powershell settingcontent-ms FlawedAmmyy
This is a neat PDF sample that I saw mentioned on @c0d3inj3cT’s Twitter, and wanted to take a look for myself. As @c0d3inj3cT says, it is a PDF that drops a SettingsContent-ms file, which then uses PowerShell to download and execute the next stage. I had been on the lookout for PDFs that try to run code to play with, so this seemed like a good place to dive in.
- Silo hackthebox ctf Oracle odat sqlplus Nishang aspx webshell volatility passthehash RottenPotato potato
Silo was the first time I’ve had the opportunity to play around with exploiting a Oracle database. After the struggle of getting the tools installed and learning the ins and outs of using them, we can take advantage of this database to upload a webshell to the box. Then with the webshell, we can get a powershell shell access as a low-priv user. To privesc, we’ll have to break out our memory forensics skillset to get a hash out of a memory dump, which then we can pass back in a pass the hash attack to get a system shell. That’s all if we decided not to take the shortcut and just use the Oracle database (running as system) to read both flag files.
- doc vba malware encryption phish wmi
This phishing document was interesting for not only its lure / cover, but also for the way it used encryption to target users who had a domain with certain key words in it. While brute forcing the domains only results in some potentially financial key words, the stage 2 domain acts as a pivot to find an original phish email in VT, which shows this was quite targeted after all.
- hackthebox Valentine ctf heartbleed tmux DirtyCow
Valentine was one of the first hosts I solved on hack the box. We’ll use heartbleed to get the password for an SSH key that we find through enumeration. There’s two paths to privesc, but I’m quite partial to using the root tmux session. The box is very much on the easier side for HTB.
- training review purple-team
I had the chance to take SANS SEC599, “Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses” last week at SANSFIRE. The class is one of the newer SANS offerings, and so I suspect it will be changing and updating rapidly. There are some things I would change about the class, but overall, I enjoyed the class, definitely learned things that I didn’t know before, and got to meet some really smart people.
- ctf Aragog hackthebox xxe ssh pspy WordPress cron
Aragog provided a chance to play with XML External Entity (XXE) vulnerabilities, as well as a chance to modify a running website to capture user credentials.
- hackthebox Bart ctf log-poisoning php webshell winlogon run_as
Bart starts simple enough, only listening on port 80. Yet it ends up providing a path to user shell that requires enumeration of two different sites, bypassing two logins, and then finding a file upload / LFI webshell. The privesc is relateively simple, yet I ran into an interesting issue that caused me to miss it at first. Overall, a fun box with lots to play with.
- hackthebox Nightmare ctf sqli sqlmap tamper second-order-sqli
Nightmare just retired, and it was a insanely difficult box. Rather than do a full walkthrough, I wanted to focus on a write-up of the second-order SQL injection necessary as a first step for this host.
internet explorer, it seems likely that this was a
.jsfile sent as a phishing attachment that acts as a downloader to get the next stage from the c2 server. I show how to use Process Hacker, ProcMon, ProcDot, and Windows loggings to observer the PowerShell commands, and thus determine what the mawlare was doing.
- hackthebox Nibbles ctf meterpreter sudo cve cve-2015-6967
Nibbles is one of the easier boxes on HTB. It hosts a vulnerable instance of nibbleblog. There’s a Metasploit exploit for it, but it’s also easy to do without MSF, so I’ll show both. The privesc involves abusing
sudoon a file that is world-writable.
- hackthebox Falafel ctf wfuzz sqlmap sqli type-juggling php file-upload webshell framebuffer /dev/fb0 debugfs
Falafel is one of the best put together boxes on HTB. The author does a great job of creating a path with lots of technical challenges that are both not that hard and require a good deal of learning and understanding what’s going on. And there are hints distributed to us along the way.
- hackthebox Chatterbox ctf msfvenom meterpreter AChat AutoRunScript Nishang
Chatterbox is one of the easier rated boxes on HTB. Overall, this box was both easy and frustrating, as there was really only one exploit to get all the way to system, but yet there were many annoyances along the way. While I typically try to avoid Meterpreter, I’ll use it here because it’s an interesting chance to learn / play with the Metasploit AutoRunScript to migrate immediately after exploitation, so that I could maintain a stable shell.
- hackthebox ssh tunnel
I came across a situation on a htb box today where I needed IE to get a really slow, older, OWA page to fully function and do what I needed to do. I had a Windows vm around, but it was relatively isolated, and no able to talk directly to my kali vm. SSH tunneling turned out to be the easiest solution here, and since I get questions about SSH tunneling all the time, I figured it would be good to write up a short description.
- emotet malware doc powershell invoke-obfuscation PSDecode
In my analysis of an emotet sample, I came across PSDecode, and, after some back and forth with the author and a couple updates, got it working on this sample. The tool is very cool. What follows is analysis of a different emotet phishing document similar to the other one I was looking at, as well as
PSDecodeoutput for the previous sample.
- malware doc vba powershell emotet invoke-obfuscation
Interesting sample from VT which ends up being a phishing document for the Emotet malware.
- ctf hackthebox CrimeStoppers php php-wrapper lfi Ida re
This is one of my favorite boxes on HTB. It’s got a good flow, and I learned a bunch doing it. We got to tackle an LFI that allows us to get source for the site, and then we turn that LFI into RCE toget access. From there we get access to a Mozilla profile, which allows privesc to a user, and from there we find someone’s already left a modified rootme apache module in place. We can RE that mod to get root on the system.
- ctf hackthebox FluxCapacitor waf wfuzz sudo
Probably my least favorite box on HTB, largely because it involved a lot of guessing. I did enjoy looking for privesc without having a shell on the host.
- ctf hackthebox Bashed php sudo cron
Bashed retired from hackthebox.eu today. Here’s my notes transformed into a walkthrough. These notes are from a couple months ago, and they are a bit raw, but posting here anyway.
- MacPro home-lab ESXi
Getting the hypervisor installed is the next step.
- Ebay MacPro home-lab
The benefits of a home lab are numerous to anyone into infosec, CTFs, and/or malware analysis. Here’s how I approached it on the cheap.
subscribe via RSS